Resource Type: Azure > Active Directory > Directory

Resource Context

Directory is a part of the Active Directory service.

Each Directory lives under a Turbot.

Controls

The primary controls for Azure > Active Directory > Directory are:

• CMDB
• Discovery
• ServiceNow

It is also targeted by these controls:

• Azure > Active Directory > Application > Discovery
• Azure > Active Directory > Custom Domain > Discovery
• Azure > Active Directory > Group > Discovery
• Azure > Active Directory > Service Principal > Discovery
• Azure > Active Directory > User > Discovery
• Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non- privileged users (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
• Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.02 - Ensure that multi-factor authentication is enabled for all non- privileged users (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
• Azure > CIS v1.2 > 1 - Identity and Access Management > 1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored)
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure `User consent for applications` is set to `Do not allow user consent`
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
• Azure > Turbot > Directory Event Poller

Category

• Management Tools

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/azure-activedirectory#/resource/types/directory

Category URI

tmod:@turbot/turbot#/resource/categories/managementTools

GraphQL

query resource(id: "tmod:@turbot/azure-activedirectory#/resource/types/directory") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/azure-activedirectory#/resource/types/directory'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/azure-activedirectory#/resource/types/directory"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-activedirectory#/resource/types/directory';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-activedirectory#/resource/types/directory"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-activedirectory#/resource/types/directory' and notification_type in ('resource_updated', 'resource_created');