Resource Type: Azure > Active Directory > Directory
Azure Active Directory.
Resource Context
Directory is a part of the Active Directory service.
Each Directory lives under a Turbot.
Controls
The primary controls for Azure > Active Directory > Directory are:
It is also targeted by these controls:
- Azure > Active Directory > Application > Discovery
- Azure > Active Directory > Custom Domain > Discovery
- Azure > Active Directory > Group > Discovery
- Azure > Active Directory > Service Principal > Discovery
- Azure > Active Directory > User > Discovery
- Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.02 - Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
- Azure > CIS v1.2 > 1 - Identity and Access Management > 1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored)
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure `User consent for applications` is set to `Do not allow user consent`
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent`
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > Turbot > Directory Event Poller
Category
In Your Workspace
- Controls by Resource Type report
- Policy Settings by Resource Type report
- Resources by Resource Type report
Developers
- Resource Type URI: tmod:@turbot/azure-activedirectory#/resource/types/directory
- Category URI: tmod:@turbot/turbot#/resource/categories/managementTools
- CLI: turbot graphql resource --id "tmod:@turbot/azure-activedirectory#/resource/types/directory"
- Steampipe Query:
  - Get Resource: select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-activedirectory#/resource/types/directory';
  - Get Policy Settings (By Resource ID): select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-activedirectory#/resource/types/directory"';
  - Get Resource Notification: select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-activedirectory#/resource/types/directory' and notification_type in ('resource_updated', 'resource_created');