Policy: Azure > CIS v1 > 1 Identity and Access Management

covers security recommendations that to follow to set identity and access management policies on an Azure Subscription.

Resource Types

This policy targets the following resource types:

Azure > Subscription

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v1

1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
1.02 Ensure that multi-factor authentication is enabled for all non- privileged users (Not Scored)
1.03 Ensure that there are no guest users (Scored)
1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
1.23 Ensure that no custom subscription owner roles are created (Scored)

Controls

Policy Specification

Schema Type	`string`
Default	`Skip`
Valid Values [YAML]	`Skip`
Examples [YAML]	`Skip`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv1#/policy/types/s01

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv1#/policy/types/s01") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv1#/policy/types/s01'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv1#/policy/types/s01'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv1#/policy/types/s01"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv1#/policy/types/s01"