Policy: Azure > CIS v1.2 > 1 - Identity and Access Management

Covers security recommendations that to follow to set identity and access management policies on an Azure Subscription.

Resource Types

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v1.2

1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
1.02 - Ensure that multi-factor authentication is enabled for all non- privileged users (Not Scored)
1.03 - Ensure guest users are reviewed on a monthly basis (Scored)
1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored)
1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored)
1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored)
1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored)
1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored)
1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
1.21 - Ensure that no custom subscription owner roles are created (Scored)
1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored)
1.23 - Ensure Custom Role is assigned for Administering Resource Locks (Not Scored)
Maximum Attestation Duration

Controls

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v1.2`
Valid Values [YAML]	`Per Azure > CIS v1.2` `Skip` `Check: Level 1 (Scored)` `Check: Level 1 (Scored & Not Scored)` `Check: Level 1 & Level 2 (Scored)` `Check: Level 1 & Level 2 (Scored & Not Scored)`
Examples [YAML]	`Skip`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv1-2#/policy/types/s01

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv1-2#/policy/types/s01") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv1-2#/policy/types/s01'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv1-2#/policy/types/s01'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv1-2#/policy/types/s01"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv1-2#/policy/types/s01"