Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
Azure
Loading policies...

Policy: Azure > CIS v4.0 > 06 - Identity Services

This section covers security best practice recommendations for products in the Microsoft Entra ID (formerly Azure Active Directory) and Azure Identity services category.

Azure Product Category Page: https://azure.microsoft.com/en-us/products/category/identity

Many of the recommendations from this section are marked as "Manual" while the existing Azure CLI and Azure AD PowerShell support through the Azure AD Graph are being deprecated. It is now recommended to use the new Microsoft Graph PowerShell in replacement of Azure AD Graph for PowerShell and API level access. From a security posture standpoint, these recommendations are still very important and should not be discounted because they are "Manual." As automation capability is developed for this Benchmark, the related recommendations will be updated with the respective audit and remediation steps and changed to an "automated" assessment status.

If any problems are encountered running Azure CLI or PowerShell methodologies, please refer to the Introduction section of this Benchmark where you will find additional detail on permission and required cmdlets.

Targets

This policy targets the following resource types:

  • Azure > Active Directory > Directory
  • Azure > Subscription
  • Azure > Tenant

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v4.0

Related Policies

  • 06.04 - Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
  • 06.05 - Ensure 'Number of methods required to reset' is set to '2'
  • 06.06 - Ensure account 'Lockout threshold' is less than or equal to '10'
  • 06.07 - Ensure 'Lockout duration in seconds' is greater than or equal to '60'
  • 06.08 - Ensure 'Custom banned password list' is set to 'Enforce'
  • 06.09 - Ensure 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • 06.10 - Ensure 'Notify users on password resets?' is set to 'Yes'
  • 06.11 - Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • 06.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent'
  • 06.13 - Ensure user consent is 'Allow for verified publishers only'
  • 06.14 - Ensure 'Users can register applications' is set to 'No'
  • 06.15 - Ensure 'Guest users access restrictions' is properly configured
  • 06.16 - Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
  • 06.17 - Ensure 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
  • 06.18 - Ensure 'Restrict user ability to access groups features' is set to 'Yes'
  • 06.19 - Ensure 'Users can create security groups' is set to 'No'
  • 06.20 - Ensure 'Owners can manage group membership requests in My Groups' is set to 'No'
  • 06.21 - Ensure 'Users can create M365 groups in Azure portals, API or PowerShell' is set to 'No'
  • 06.22 - Ensure 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
  • 06.23 - Ensure no custom subscription administrator roles exist
  • 06.24 - Ensure custom role is assigned permissions for administering resource locks
  • 06.25 - Ensure 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
  • 06.26 - Ensure fewer than 5 users have global administrator assignment
  • 06.01 - Security Defaults (Per-User MFA)
  • 06.02 - Conditional Access
  • 06.03 - Periodic Identity Reviews
  • Maximum Attestation Duration

Controls

Setting this policy configures these controls:

  • Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
  • Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
  • Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure that an exclusionary device code flow policy is considered
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API
  • Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals
  • Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations
  • Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis
  • Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.03 - Ensure that use of the 'User Access Administrator' role is restricted
  • Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
  • Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure that 'Number of methods required to reset' is set to '2'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure that account 'Lockout threshold' is less than or equal to '10'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.14 - Ensure that 'Users can register applications' is set to 'No'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.23 - Ensure that no custom subscription administrator roles exist
  • Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure that a custom role is assigned permissions for administering resource locks
  • Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
  • Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment

Policy Specification

Schema Type
string
Default
Per Azure > CIS v4.0
Valid Values [YAML]
  • Per Azure > CIS v4.0

  • Skip

  • Check: All CIS Benchmarks except attestations

  • Check: All CIS Benchmarks
Examples [YAML]
  • Skip

Category

  • CIS

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/cis#/control/categories/cis
    • Policy Type URI
    • tmod:@turbot/azure-cisv4-0#/policy/types/s06
    • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv4-0#/policy/types/s06") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/s06'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/s06'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/azure-cisv4-0#/policy/types/s06"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv4-0#/policy/types/s06"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
50
Mods
207
Resource Types
3,612
Policies
1,957
Controls
103
Quick Actions
114
IAM