Turbot Guardrails Hub 
Policy: Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration

The maximum duration for CIS attestations. Attestation policies cannot be set further into the future than the duration specified here.

Targets

This policy targets the following resource types:

  • Azure > Active Directory > Directory
  • Azure > Subscription
  • Azure > Tenant

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v2.0 > 01 - Identity and Access Management

Controls

Setting this policy configures these controls:

  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure `User consent for applications` is set to `Do not allow user consent`
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'

Policy Specification

Schema Type
string
Default
Per Azure > CIS v2.0 > Maximum Attestation Duration
Valid Values [YAML]
  • Per Azure > CIS v2.0 > Maximum Attestation Duration
  • Skip
  • 30 days
  • 60 days
  • 90 days
  • 1 year
  • 2 years
  • 3 years

Category

  • CIS

In Your Workspace

  • Policy Settings by Type report

Developers

  • Category URI
    • tmod:@turbot/cis#/control/categories/cis
  • Policy Type URI
    • tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation
  • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation'") { … }
  • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation"
    • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation"