Control: Azure > CIS v1.2 > 1 - Identity and Access Management

Covers security recommendations that to follow to set identity and access management policies on an Azure Subscription.

Primary Policies

The following policies can be used to configure this control:

1 - Identity and Access Management > 1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
1 - Identity and Access Management > 1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored) > Attestation
1 - Identity and Access Management > 1.02 - Ensure that multi-factor authentication is enabled for all non- privileged users (Not Scored)
1 - Identity and Access Management > 1.02 - Ensure that multi-factor authentication is enabled for all non- privileged users (Not Scored) > Attestation
1 - Identity and Access Management > 1.03 - Ensure guest users are reviewed on a monthly basis (Scored)
1 - Identity and Access Management > 1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
1 - Identity and Access Management > 1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored) > Attestation
1 - Identity and Access Management > 1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
1 - Identity and Access Management > 1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored) > Attestation
1 - Identity and Access Management > 1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
1 - Identity and Access Management > 1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored) > Attestation
1 - Identity and Access Management > 1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
1 - Identity and Access Management > 1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored) > Attestation
1 - Identity and Access Management > 1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
1 - Identity and Access Management > 1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored) > Attestation
1 - Identity and Access Management > 1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
1 - Identity and Access Management > 1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored) > Attestation
1 - Identity and Access Management > 1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
1 - Identity and Access Management > 1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored) > Attestation
1 - Identity and Access Management > 1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
1 - Identity and Access Management > 1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored) > Attestation
1 - Identity and Access Management > 1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
1 - Identity and Access Management > 1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored) > Attestation
1 - Identity and Access Management > 1.21 - Ensure that no custom subscription owner roles are created (Scored)
1 - Identity and Access Management > 1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored)
1 - Identity and Access Management > 1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored) > Attestation
1 - Identity and Access Management > 1.23 - Ensure Custom Role is assigned for Administering Resource Locks (Not Scored)
1 - Identity and Access Management > 1.23 - Ensure Custom Role is assigned for Administering Resource Locks (Not Scored) > Attestation
1 - Identity and Access Management
1 - Identity and Access Management > Maximum Attestation Duration

In Your Workspace

Developers

Control Type URI

tmod:@turbot/azure-cisv1-2#/control/types/s01

Category URI

tmod:@turbot/cis#/control/categories/cis

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv1-2#/control/types/s01") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv1-2#/control/types/s01'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv1-2#/control/types/s01"