Policy: Azure > CIS v3.0 > 02 - Identity
This section covers security best practice recommendations for products in the Azure Identity services category.
Azure Product Category Page: https://azure.microsoft.com/en-us/products/category/identity Many of the recommendations from this section are marked as "Manual" while the existing Azure CLI and Azure AD PowerShell support through the Azure AD Graph are being deprecated. It is now recommended to use the new Microsoft Graph PowerShell in replacement of Azure AD Graph for PowerShell and API level access. From a security posture standpoint, these recommendations are still very important and should not be discounted because they are "Manual." As automation capability is developed for this Benchmark, the related recommendations will be updated with the respective audit and remediation steps and changed to an "automated" assessment status.
If any problems are encountered running Azure CLI or PowerShell methodologies, please refer to the Introduction section of this Benchmark where you will find additional detail on permission and required cmdlets.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Related Policies
- 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
- 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent`
- 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
- 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- 02.26 - Ensure fewer than 5 users have global administrator assignment
- 02.01 - Security Defaults (Per-User MFA)
- 02.02 - Conditional Access
- Maximum Attestation Duration
Controls
Setting this policy configures these controls:
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent`
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Examples [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/cis
- tmod:@turbot/azure-cisv3-0#/policy/types/s02
- turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/s02"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/s02"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI