├── .gitattributes ├── .github ├── PULL_REQUEST_TEMPLATE.md ├── workflows │ ├── sync-labels.yml │ ├── add-issue-to-project.yml │ └── stale.yml └── ISSUE_TEMPLATE │ ├── feature_request.md │ ├── bug_report.md │ └── config.yml ├── cis_v150 ├── docs │ ├── cis_v150_1_1.md │ ├── cis_v150_5.md │ ├── cis_v150_2.md │ ├── cis_v150_1.md │ ├── cis_v150_2_1.md │ ├── cis_v150_5_14.md │ ├── cis_v150_2_2.md │ ├── cis_v150_1_1_4.md │ ├── cis_v150_5_9.md │ ├── cis_v150_5_3.md │ ├── cis_v150_5_1.md │ ├── cis_v150_1_1_11.md │ ├── cis_v150_1_1_5.md │ ├── cis_v150_1_1_8.md │ ├── cis_v150_1_4.md │ ├── cis_v150_1_1_2.md │ ├── cis_v150_1_1_12.md │ ├── cis_v150_2_7.md │ └── cis_v150_1_1_9.md └── cis.pp ├── powerpipe.ppvars.example ├── cis_v140 ├── docs │ ├── cis_v140_1_1.md │ ├── cis_v140_5.md │ ├── cis_v140_2.md │ ├── cis_v140_1.md │ ├── cis_v140_2_1.md │ ├── cis_v140_5_15.md │ ├── cis_v140_2_2.md │ ├── cis_v140_1_1_4.md │ ├── cis_v140_5_1.md │ ├── cis_v140_1_1_5.md │ ├── cis_v140_5_10.md │ ├── cis_v140_5_3.md │ ├── cis_v140_1_1_12.md │ ├── cis_v140_1_1_11.md │ ├── cis_v140_1_5.md │ ├── cis_v140_1_1_8.md │ ├── cis_v140_2_7.md │ ├── cis_v140_1_1_9.md │ └── cis_v140_1_1_2.md └── cis.pp ├── docs ├── microsoft365_compliance_dashboard.png ├── microsoft365_compliance_cis_v300_dashboard.png └── microsoft365_compliance_cis_v300_terminal.png ├── cis_v300 ├── docs │ ├── cis_v300_1.md │ ├── cis_v300_5.md │ ├── cis_v300_2.md │ ├── cis_v300_3.md │ ├── cis_v300_5_1_2_2.md │ ├── cis_v300_5_2_6_1.md │ ├── cis_v300_5_2_4_1.md │ ├── cis_v300_1_1_4.md │ ├── cis_v300_5_1_5_2.md │ ├── cis_v300_3_1_1.md │ ├── cis_v300_1_3_3.md │ ├── cis_v300_1_1_3.md │ ├── cis_v300_2_3_1.md │ ├── cis_v300_5_2_2_2.md │ ├── cis_v300_1_3_1.md │ └── cis_v300_1_2_1.md ├── cis.pp ├── section_2.pp └── section_3.pp ├── cis_v500 ├── docs │ ├── cis_v500_5.md │ ├── cis_v500_1.md │ ├── cis_v500_3.md │ ├── cis_v500_7.md │ ├── cis_v500_5_1_5_1.md │ ├── cis_v500_5_2_4_1.md │ ├── cis_v500_1_2_1.md │ ├── cis_v500_1_1_1.md │ ├── 
cis_v500_3_1_1.md │ ├── cis_v500_7_2_5.md │ ├── cis_v500_5_2_2_2.md │ ├── cis_v500_5_1_2_2.md │ ├── cis_v500_7_2_6.md │ ├── cis_v500_1_3_3.md │ ├── cis_v500_5_2_3_4.md │ ├── cis_v500_5_2_2_12.md │ ├── cis_v500_1_1_3.md │ ├── cis_v500_5_2_2_8.md │ ├── cis_v500_5_2_3_1.md │ ├── cis_v500_5_3_2.md │ ├── cis_v500_5_2_2_6.md │ ├── cis_v500_1_3_1.md │ ├── cis_v500_5_1_5_2.md │ ├── cis_v500_5_2_2_7.md │ ├── cis_v500_7_2_3.md │ ├── cis_v500_5_1_3_1.md │ └── cis_v500_5_2_2_11.md ├── cis.pp └── section_3.pp ├── cis_v600 ├── docs │ ├── cis_v600_1.md │ ├── cis_v600_5.md │ ├── cis_v600_3.md │ ├── cis_v600_7.md │ ├── cis_v600_5_1_4_3.md │ ├── cis_v600_5_1_4_2.md │ ├── cis_v600_5_1_4_4.md │ ├── cis_v600_5_1_4_5.md │ ├── cis_v600_5_1_4_1.md │ ├── cis_v600_5_1_5_1.md │ ├── cis_v600_5_2_4_1.md │ ├── cis_v600_1_2_1.md │ ├── cis_v600_1_1_1.md │ ├── cis_v600_5_1_4_6.md │ ├── cis_v600_7_2_5.md │ ├── cis_v600_5_1_2_2.md │ ├── cis_v600_5_2_2_2.md │ ├── cis_v600_5_1_3_2.md │ ├── cis_v600_1_3_3.md │ ├── cis_v600_5_2_3_4.md │ ├── cis_v600_3_1_1.md │ ├── cis_v600_7_2_6.md │ ├── cis_v600_5_2_2_12.md │ ├── cis_v600_1_1_3.md │ ├── cis_v600_5_2_2_8.md │ ├── cis_v600_5_2_3_1.md │ ├── cis_v600_5_3_2.md │ ├── cis_v600_5_2_2_6.md │ ├── cis_v600_5_1_5_2.md │ ├── cis_v600_1_3_1.md │ ├── cis_v600_5_2_2_7.md │ ├── cis_v600_5_2_3_5.md │ ├── cis_v600_7_2_3.md │ ├── cis_v600_5_1_3_1.md │ ├── cis_v600_5_2_3_7.md │ └── cis_v600_5_2_2_11.md ├── cis.pp └── section_3.pp ├── cis_v400 ├── docs │ ├── cis_v400_5.md │ ├── cis_v400_1.md │ ├── cis_v400_3.md │ ├── cis_v400_5_2_4_1.md │ ├── cis_v400_5_1_2_2.md │ ├── cis_v400_1_3_3.md │ ├── cis_v400_3_1_1.md │ ├── cis_v400_1_1_3.md │ ├── cis_v400_1_3_1.md │ ├── cis_v400_5_2_2_2.md │ ├── cis_v400_1_2_1.md │ └── cis_v400_5_1_5_2.md ├── cis.pp └── section_3.pp ├── cis_v200 ├── docs │ ├── cis_v200_5.md │ ├── cis_v200_2.md │ ├── cis_v200_1.md │ ├── cis_v200_1_1.md │ ├── cis_v200_2_2.md │ ├── cis_v200_5_4.md │ ├── cis_v200_1_1_8.md │ ├── cis_v200_2_7.md │ ├── cis_v200_5_15.md │ 
├── cis_v200_5_2.md │ ├── cis_v200_2_3.md │ ├── cis_v200_1_1_7.md │ ├── cis_v200_5_10.md │ ├── cis_v200_1_1_13.md │ ├── cis_v200_1_1_14.md │ ├── cis_v200_1_1_4.md │ ├── cis_v200_1_4.md │ ├── cis_v200_1_1_1.md │ ├── cis_v200_1_1_16.md │ └── cis_v200_2_1.md └── cis.pp ├── .gitignore ├── query ├── securitydefaultspolicy.pp ├── adminconsentrequestpolicy.pp ├── mycalendar.pp ├── signinreport.pp ├── authorizationpolicy.pp ├── directorysetting.pp ├── directoryauditreport.pp └── group.pp ├── mod.pp └── variables.pp /.gitattributes: -------------------------------------------------------------------------------- 1 | **/*.sp linguist-language=HCL 2 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ### Checklist 2 | - [ ] Issue(s) linked 3 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for Azure Active Directory (AAD) as the underlying AuthN / AuthZ for SaaS. -------------------------------------------------------------------------------- /powerpipe.ppvars.example: -------------------------------------------------------------------------------- 1 | # Dimensions 2 | # Available dimensions: "connection_name", "tenant_id" 3 | common_dimensions = ["tenant_id"] 4 | tag_dimensions = [] -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for Azure Active Directory (AAD) as the underlying AuthN / AuthZ for SaaS. 
4 | -------------------------------------------------------------------------------- /docs/microsoft365_compliance_dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/turbot/steampipe-mod-microsoft365-compliance/HEAD/docs/microsoft365_compliance_dashboard.png -------------------------------------------------------------------------------- /docs/microsoft365_compliance_cis_v300_dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/turbot/steampipe-mod-microsoft365-compliance/HEAD/docs/microsoft365_compliance_cis_v300_dashboard.png -------------------------------------------------------------------------------- /docs/microsoft365_compliance_cis_v300_terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/turbot/steampipe-mod-microsoft365-compliance/HEAD/docs/microsoft365_compliance_cis_v300_terminal.png -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | The Microsoft 365 admin center is the primary landing page for everything 365 related and contains navigational links to all the other admin centers. https://admin.microsoft.com/. -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Entra, also known as Identity, contains settings related to identity, conditional access, and was formerly named Azure AD. Direct link: https://entra.microsoft.com/. 
4 | -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Entra, also known as Identity, contains settings related to identity, conditional access, and was formerly named Azure AD. 4 | 5 | Direct link: https://entra.microsoft.com/. -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | The Microsoft 365 admin center is the primary landing page for everything 365 related and contains navigational links to all the other admin centers. 4 | 5 | https://admin.microsoft.com/ -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Entra, also known as Identity, contains settings related to identity, conditional access, and was formerly named Azure AD. 4 | 5 | Direct link: https://entra.microsoft.com/. 6 | -------------------------------------------------------------------------------- /.github/workflows/sync-labels.yml: -------------------------------------------------------------------------------- 1 | name: Sync Labels 2 | on: 3 | schedule: 4 | - cron: "30 22 * * 1" 5 | workflow_dispatch: 6 | 7 | jobs: 8 | sync_labels_workflow: 9 | uses: turbot/steampipe-workflows/.github/workflows/sync-labels.yml@main -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_2.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft 365 Defender, also known as Security, contains settings relating to policies, rules, security that are common to many Microsoft 365 applications. 
4 | 5 | Direct link: https://security.microsoft.com/. -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_3.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Purview, also known as Compliance, contains settings related to all things compliance, data governance, information protection and risk management. 4 | 5 | Direct link: https://compliance.microsoft.com/ -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for Microsoft 365 data management. This section provides prescriptive guidance for establishing a secure configuration posture for your data against data spillage and exfiltration. -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Entra, also known as Identity, contains settings related to identity, conditional access, and was formerly named Azure AD. 4 | 5 | Direct link: [https://entra.microsoft.com/](https://entra.microsoft.com/) 6 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for Microsoft 365 data management. This section provides prescriptive guidance for establishing a secure configuration posture for your data against data spillage and exfiltration. 
4 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_5.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for Microsoft 365 data management. This section provides prescriptive guidance for establishing a secure configuration posture for your data against data spillage and exfiltration. 4 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | The Microsoft 365 admin center is the primary landing page for everything 365 related and contains navigational links to all the other admin centers. 4 | 5 | [https://admin.microsoft.com/](https://admin.microsoft.com/) 6 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | The Microsoft 365 admin center is the primary landing page for everything 365 related and contains navigational links to all the other admin centers. 4 | 5 | [https://admin.microsoft.com/](https://admin.microsoft.com/) 6 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_3.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Purview, also known as Compliance, contains settings related to all things compliance, data governance, information protection and risk management. 
4 | 5 | Direct link: https://compliance.microsoft.com/ 6 | 7 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_2.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for application permissions integrated with Microsoft 365. This section provides prescriptive guidance for establishing a secure configuration posture for third party integrated applications. -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_2.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for application permissions integrated with Microsoft 365. This section provides prescriptive guidance for establishing a secure configuration posture for third party integrated applications. 4 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_2.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations for application permissions integrated with Microsoft 365. This section provides prescriptive guidance for establishing a secure configuration posture for third party integrated applications. 
4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | 8 | # Swap files 9 | *.swp 10 | 11 | # Steampipe variable files 12 | *.spvars 13 | *.auto.spvars 14 | 15 | # Powerpipe variable files 16 | *.ppvars 17 | *.auto.ppvars 18 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations to set authentication and account management policies for Microsoft 365. This section provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running. -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations to set authentication and account management policies for Microsoft 365. This section provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running. 4 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section covers recommendations to set authentication and account management policies for Microsoft 365. This section provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running. 
4 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_3.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Purview, also known as Compliance, contains settings related to all things compliance, data governance, information protection and risk management. 4 | 5 | Direct link: [https://compliance.microsoft.com/](https://compliance.microsoft.com/) 6 | -------------------------------------------------------------------------------- /.github/workflows/add-issue-to-project.yml: -------------------------------------------------------------------------------- 1 | name: Assign Issue to Project 2 | 3 | on: 4 | issues: 5 | types: [opened] 6 | 7 | jobs: 8 | add-to-project: 9 | uses: turbot/steampipe-workflows/.github/workflows/assign-issue-to-project.yml@main 10 | with: 11 | issue_number: ${{ github.event.issue.number }} 12 | repository: ${{ github.repository }} 13 | secrets: inherit 14 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This section contains recommendations for Azure Active Directory (AAD), a cloud- based identity management service that underpins Microsoft 365. These recommendations focus on strengthening the foundational AAD settings, given that all Microsoft 365 tenants are accompanied by default AAD configurations. 4 | 5 | For in-depth coverage of Azure, please refer to the CIS Microsoft Azure Benchmarks. 
-------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_3.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | Microsoft Purview provides a unified data governance solution that helps manage and govern your organization's data across Microsoft 365, Azure, and other cloud services. The Microsoft Purview compliance portal provides tools for audit logging, data classification, retention policies, and compliance management. 4 | 5 | [https://compliance.microsoft.com/](https://compliance.microsoft.com/) 6 | 7 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | name: Stale Issues and PRs 2 | on: 3 | schedule: 4 | - cron: "30 23 * * *" 5 | workflow_dispatch: 6 | inputs: 7 | dryRun: 8 | description: Set to true for a dry run 9 | required: false 10 | default: "false" 11 | type: string 12 | 13 | jobs: 14 | stale_workflow: 15 | uses: turbot/steampipe-workflows/.github/workflows/stale.yml@main 16 | with: 17 | dryRun: ${{ github.event.inputs.dryRun }} -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_7.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | The SharePoint admin center contains settings related to SharePoint and OneDrive. UI Direct link: https://admin.microsoft.com/sharepoint 4 | 5 | The PowerShell module most used in this section is Microsoft.Online.SharePoint.PowerShell and uses Connect-SPOService -Url https://contoso-admin.sharepoint.com as the connection cmdlet (replacing tenant name with your value). 
6 | 7 | The latest version of the module can be downloaded here: https://www.powershellgallery.com/packages/Microsoft.Online.SharePoint.PowerShell/ 8 | -------------------------------------------------------------------------------- /query/securitydefaultspolicy.pp: -------------------------------------------------------------------------------- 1 | query "azuread_security_default_disabled" { 2 | sql = <<-EOQ 3 | select 4 | tenant_id || '/' || id as resource, 5 | case 6 | when not is_enabled then 'ok' 7 | else 'alarm' 8 | end as status, 9 | case 10 | when not is_enabled then tenant_id || ' has security defaults disabled.' 11 | else tenant_id || ' has security defaults enabled.' 12 | end as reason 13 | ${local.common_dimensions_sql} 14 | from 15 | azuread_security_defaults_policy; 16 | EOQ 17 | } -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_7.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | The SharePoint admin center contains settings related to SharePoint and OneDrive. 4 | 5 | UI Direct link: https://admin.microsoft.com/sharepoint 6 | 7 | The PowerShell module most used in this section is Microsoft.Online.SharePoint.PowerShell and uses Connect-SPOService -Url https://contoso-admin.sharepoint.com as the connection cmdlet (replacing tenant name with your value). 
8 | 9 | The latest version of the module can be downloaded here: https://www.powershellgallery.com/packages/Microsoft.Online.SharePoint.PowerShell/ 10 | -------------------------------------------------------------------------------- /query/adminconsentrequestpolicy.pp: -------------------------------------------------------------------------------- 1 | query "azuread_admin_consent_workflow_enabled" { 2 | sql = <<-EOQ 3 | select 4 | tenant_id || '/adminConsentRequestPolicy' as resource, 5 | case 6 | when is_enabled then 'ok' 7 | else 'alarm' 8 | end as status, 9 | case 10 | when is_enabled then tenant_id || ' has Admin Consent Workflow enabled.' 11 | else tenant_id || ' has Admin Consent Workflow disabled.' 12 | end as reason 13 | ${local.common_dimensions_sql} 14 | from 15 | azuread_admin_consent_request_policy; 16 | EOQ 17 | } -------------------------------------------------------------------------------- /query/mycalendar.pp: -------------------------------------------------------------------------------- 1 | query "microsoft365_calendar_sharing_disabled" { 2 | sql = <<-EOQ 3 | select 4 | id as resource, 5 | case 6 | when permissions @> '[{"isInsideOrganization":true}]' then 'ok' 7 | else 'alarm' 8 | end as status, 9 | case 10 | when permissions @> '[{"isInsideOrganization":true}]' then title || ' details sharing with external users disabled.' 11 | else title || ' details sharing with external users enabled.' 12 | end as reason 13 | ${local.common_dimensions_sql} 14 | from 15 | microsoft365_my_calendar; 16 | EOQ 17 | } -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_4_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This setting controls whether the Global Administrator role is automatically added to the local administrators group on a device during the Microsoft Entra join process. 4 | 5 | The recommended state is `No`. 
6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Devices` select `Device settings`. 13 | 3. Set `Global administrator role is added as local administrator on the device during Microsoft Entra join (Preview)` to `No`. 14 | 15 | ### Default Value 16 | 17 | Yes. -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /cis_v140/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v140_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v1.4.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v140" { 9 | title = "Microsoft 365 CIS v1.4.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 
11 | documentation = file("./cis_v140/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v140_1, 15 | benchmark.cis_v140_2, 16 | benchmark.cis_v140_5 17 | ] 18 | 19 | tags = merge(local.cis_v140_common_tags, { 20 | type = "Benchmark" 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /cis_v150/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v150_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v1.5.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v150" { 9 | title = "Microsoft 365 CIS v1.5.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 11 | documentation = file("./cis_v150/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v150_1, 15 | benchmark.cis_v150_2, 16 | benchmark.cis_v150_5 17 | ] 18 | 19 | tags = merge(local.cis_v150_common_tags, { 20 | type = "Benchmark" 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /cis_v200/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v200_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v2.0.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v200" { 9 | title = "Microsoft 365 CIS v2.0.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 
11 | documentation = file("./cis_v200/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v200_1, 15 | benchmark.cis_v200_2, 16 | benchmark.cis_v200_5 17 | ] 18 | 19 | tags = merge(local.cis_v200_common_tags, { 20 | type = "Benchmark" 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /cis_v400/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v400_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v4.0.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v400" { 9 | title = "Microsoft 365 CIS v4.0.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 11 | documentation = file("./cis_v400/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v400_1, 15 | benchmark.cis_v400_3, 16 | benchmark.cis_v400_5 17 | ] 18 | 19 | tags = merge(local.cis_v400_common_tags, { 20 | type = "Benchmark" 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_4_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This setting defines the maximum number of Microsoft Entra joined or registered devices that a user can have in Microsoft Entra ID. Once this limit is reached, no additional devices can be added until existing ones are removed. Values above 100 are automatically capped at 100. 4 | 5 | The recommended state is `20` or less. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Devices` select `Device settings`. 13 | 3. 
Set `Maximum number of devices per user` to `20 (Recommended)` or less. 14 | 15 | ### Default Value 16 | 17 | 50 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **Powerpipe version (`powerpipe -v`)** 14 | Example: v0.3.0 15 | 16 | **Steampipe version (`steampipe -v`)** 17 | Example: v0.3.0 18 | 19 | **Plugin version (`steampipe plugin list`)** 20 | Example: v0.5.0 21 | 22 | **To reproduce** 23 | Steps to reproduce the behavior (please include relevant code and/or commands). 24 | 25 | **Expected behavior** 26 | A clear and concise description of what you expected to happen. 27 | 28 | **Additional context** 29 | Add any other context about the problem here. 30 | -------------------------------------------------------------------------------- /cis_v300/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v300_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v3.0.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v300" { 9 | title = "Microsoft 365 CIS v3.0.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 
11 | documentation = file("./cis_v300/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v300_1, 15 | benchmark.cis_v300_2, 16 | benchmark.cis_v300_3, 17 | benchmark.cis_v300_5 18 | ] 19 | 20 | tags = merge(local.cis_v300_common_tags, { 21 | type = "Benchmark" 22 | }) 23 | } 24 | -------------------------------------------------------------------------------- /cis_v500/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v500_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v5.0.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v500" { 9 | title = "Microsoft 365 CIS v5.0.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 11 | documentation = file("./cis_v500/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v500_1, 15 | benchmark.cis_v500_3, 16 | benchmark.cis_v500_5, 17 | benchmark.cis_v500_7 18 | ] 19 | 20 | tags = merge(local.cis_v500_common_tags, { 21 | type = "Benchmark" 22 | }) 23 | } 24 | 25 | -------------------------------------------------------------------------------- /cis_v600/cis.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v600_common_tags = merge(local.microsoft365_compliance_common_tags, { 3 | cis = "true" 4 | cis_version = "v6.0.0" 5 | }) 6 | } 7 | 8 | benchmark "cis_v600" { 9 | title = "Microsoft 365 CIS v6.0.0" 10 | description = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS." 
11 | documentation = file("./cis_v600/docs/cis_overview.md") 12 | 13 | children = [ 14 | benchmark.cis_v600_1, 15 | benchmark.cis_v600_3, 16 | benchmark.cis_v600_5, 17 | benchmark.cis_v600_7 18 | ] 19 | 20 | tags = merge(local.cis_v600_common_tags, { 21 | type = "Benchmark" 22 | }) 23 | } 24 | 25 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_4_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This setting determines if the Microsoft Entra user registering their device as Microsoft Entra join be added to the local administrators group. This setting applies only once during the actual registration of the device as Microsoft Entra join. 4 | 5 | The recommended state is `Selected` or `None`. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Devices` select `Device settings`. 13 | 3. Set `Registering user is added as local administrator on the device during Microsoft Entra join (Preview)` to `Selected` (and add members) or `None`. 14 | 15 | ### Default Value 16 | 17 | All. 18 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_4_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Local Administrator Password Solution (LAPS) is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Microsoft Entra and Microsoft Entra hybrid join devices. 4 | 5 | The recommended state is `Yes`. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. 
Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Devices` select `Device settings`. 13 | 3. Set `Enable Microsoft Entra Local Administrator Password Solution (LAPS)` to `Yes`. 14 | 15 | ### Default Value 16 | 17 | No. 18 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_2_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Do not allow third party integrated applications to connect to your services. 4 | 5 | You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. 6 | 7 | ## Remediation 8 | 9 | To prohibit third party integrated applications, use the Microsoft 365 Admin Center: 10 | 11 | 1. Select `Admin Centers` and `Azure Active Directory`. 12 | 2. Select `Users` from the Azure navigation pane. 13 | 3. Select `Users settings`. 14 | 4. Set `App registrations` is set to `No`. 15 | 5. Click Save. 16 | 17 | **Default Value:** Yes -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_2_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Do not allow third party integrated applications to connect to your services. 4 | 5 | You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. 
While there are legitimate uses, an attacker who controls a breached account can grant a third-party application access to the tenant; because that consent grant persists independently of the account's password and sessions, data can continue to be exfiltrated through the application after the account's password is reset unless the grant itself is also revoked. Note that this setting only controls whether users can create application registrations; whether users may grant consent to third-party applications is governed separately by the user consent settings.
While there are legitimate uses, an attacker who controls a breached account can grant a third-party application access to the tenant; because that consent grant persists independently of the account's password and sessions, data can continue to be exfiltrated through the application after the account's password is reset unless the grant itself is also revoked. Note that this setting only controls whether users can create application registrations; whether users may grant consent to third-party applications is governed separately by the user consent settings.
Connections from third-party integrated applications to your services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, an attacker who controls a breached account can grant a third-party application access to the tenant; because that consent grant persists independently of the account's password and sessions, data can continue to be exfiltrated through the application after the account's password is reset unless the grant itself is also revoked. Note that this setting only controls whether users can create application registrations; whether users may grant consent to third-party applications is governed separately by the user consent settings.
20 | 21 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_5_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully. 4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 10 | 2. Click to expand `Entra ID` and select `Enterprise apps`. 11 | 3. Under `Security` select `Consent and permissions` > `User consent settings`. 12 | 4. Under `User consent for applications` select `Do not allow user consent`. 13 | 5. Click the `Save` option at the top of the window. 14 | 15 | ### Default Value 16 | 17 | UI - `Allow user consent for apps`. 18 | 19 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_1_5_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully. 4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 10 | 2. Click to expand `Identity` > `Applications` select `Enterprise applications`. 11 | 3. 
Under `Security`, select `Consent and permissions` > `User consent settings`.
If combined registration is enabled additional information, outside of multi-factor, will not be needed. 4 | 5 | **Note:** Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Password reset` select `Properties`. 13 | 3. Set `Self service password reset enabled` to `All`. 14 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_5_15.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Guest users can be set up for those users not in your tenant to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant. 4 | 5 | Periodic review of guest users ensures proper access to resources in your tenant. 6 | 7 | ## Remediation 8 | 9 | To view guest users, use the Microsoft 365 Admin Center: 10 | 11 | 1. Log in as an `administrator`. 12 | 2. Navigate to the `Users` and `Guest Users`. 13 | 3. Review the list of users. 14 | 15 | To verify Microsoft 365 audit log search is enabled, use the Microsoft Online PowerShell Module: 16 | 17 | 1. Run Microsoft Online PowerShell Module. 18 | 2. Connect using `Connect-MSOnline`. 19 | 3. Run the following PowerShell command: 20 | 21 | ```bash 22 | Get-MsolUser -all | Where-Object {$_.UserType -ne "Member"} | Select-Object UserPrincipalName, UserType, CreatedDate 23 | ``` 24 | 25 | 4. Review the list of users. 
26 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_5_14.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Guest users can be set up for those users not in your tenant to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant. 4 | 5 | Periodic review of guest users ensures proper access to resources in your tenant. 6 | 7 | ## Remediation 8 | 9 | **To view guest users, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Log in as an administrator. 12 | 2. Navigate to the `Users` and `Guest Users`. 13 | 3. Review the list of users. 14 | 15 | **To verify Microsoft 365 audit log search is enabled, use the Microsoft Online PowerShell Module:** 16 | 17 | 1. Run Microsoft Online PowerShell Module. 18 | 2. Connect using `Connect-MsolService`. 19 | 3. Run the following PowerShell command: 20 | 21 | ```bash 22 | Get-MsolUser -all |Where-Object {$_.UserType -ne "Member"} |Select-ObjectUserPrincipalName, UserType, CreatedDate 23 | ``` 24 | 25 | 4. Review the list of users. -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_1_2_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns Microsoft 365 Groups. 4 | 5 | In the Administration panel, when a group is created, the default privacy value is "Public". 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. 
Click to expand `Teams & groups` select `Active teams & groups`. 13 | 3. On the **Active teams and groups page**, select the group's name that is public. 14 | 4. On the popup **groups name page**, Select `Settings`. 15 | 5. Under Privacy, select `Private`. 16 | 17 | ### Default Value 18 | 19 | Public when created from the Administration portal; private otherwise. 20 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_1_2_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns Microsoft 365 Groups. 4 | 5 | In the Administration panel, when a group is created, the default privacy value is "Public". 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Teams & groups` select `Active teams & groups`. 13 | 3. On the **Active teams and groups page**, select the group's name that is public. 14 | 4. On the popup **groups name page**, Select `Settings`. 15 | 5. Under Privacy, select `Private`. 16 | 17 | ### Default Value 18 | 19 | Public when created from the Administration portal; private otherwise. 20 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_1_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. 
Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep administrative accounts separate from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes. 4 | 5 | Ensure administrative accounts are not `On-premises sync enabled`. 6 | 7 | ## Remediation 8 | 9 | Remediation will require first identifying the privileged accounts that are synced from on-premises and then creating a new cloud-only account for that user. Once a replacement account is established, the hybrid account should have its role reduced to that of a nonprivileged user or removed depending on the need. 10 | 11 | ### Default Value 12 | 13 | N/A -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_1_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep administrative accounts separate from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes. 4 | 5 | Ensure administrative accounts are not `On-premises sync enabled`. 6 | 7 | ## Remediation 8 | 9 | Remediation will require first identifying the privileged accounts that are synced from onpremises and then creating a new cloud-only account for that user. 
Once a replacement account is established, remove the directory roles from the hybrid account (reducing it to a non-privileged user) or delete it, depending on need. Keeping privileged roles on cloud-only accounts ensures that a compromise of the on-premises directory cannot be leveraged into administrative access to the tenant.
13 | image = "/images/mods/turbot/mircosoft365-compliance-social-graphic.png" 14 | } 15 | 16 | require { 17 | plugin "azuread" { 18 | min_version = "1.9.0" 19 | } 20 | plugin "microsoft365" { 21 | min_version = "1.2.0" 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_5_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have: 4 | 5 | - successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords 6 | - signed in to tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network) 7 | - successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions 8 | 9 | Reviewing this report on a regular basis allows for identification and remediation of compromised accounts. 10 | 11 | ## Remediation 12 | 13 | To review the Azure AD 'Risky sign-ins' report: 14 | 15 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 16 | 2. Click to expand `Protect & secure` select `Risky activities`. 17 | 3. Under `Report` click on `Risky sign-ins`. 18 | 4. Review by `Risk level (aggregate)`. 
19 | -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_5_2_6_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This report contains records of accounts that have had activity that could indicate they 4 | are compromised, such as accounts that have: 5 | 6 | - successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords 7 | - signed in to tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network) 8 | - successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions 9 | 10 | Reviewing this report on a regular basis allows for identification and remediation of compromised accounts. 11 | 12 | ## Remediation 13 | 14 | To review the Azure AD 'Risky sign-ins' report: 15 | 16 | 1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com. 17 | 2. Click expand `Protection` select `Risky activities.` 18 | 3. Under `Report` click on `Risky sign-ins.` 19 | 4. Review by `Risk level (aggregate).` -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_5_2_4_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enabling self-service password reset allows users to reset their own passwords in Azure AD. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. 4 | 5 | **Note:** Effective Oct. 
1st, 2022, Microsoft will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default. 6 | 7 | Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. 8 | 9 | ## Remediation 10 | 11 | To enable self-service password reset: 12 | 13 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 14 | 2. Click to expand `Protection` > `Password reset` select `Properties.` 15 | 3. Set `Self service password reset enabled` to `All.` -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_5_2_4_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enabling self-service password reset allows users to reset their own passwords in Entra ID. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. 4 | 5 | **Note:** Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default. 6 | 7 | Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 14 | 2. Click to expand `Protection` > `Password reset` select `Properties`. 15 | 3. Set `Self service password reset enabled` to `All`. 
16 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_4_6.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This setting determines if users can self-service recover their BitLocker key(s). 'Yes' restricts non-admin users from being able to see the BitLocker key(s) for their owned devices if there are any. 'No' allows all users to recover their BitLocker key(s). 4 | 5 | The recommended state is `Yes`. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Devices` select `Device settings`. 13 | 3. Set `Restrict users from recovering the BitLocker key(s) for their owned devices` to `Yes`. 14 | 15 | **To remediate using PowerShell:** 16 | 17 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"`. 18 | 2. Run the following: 19 | 20 | ```bash 21 | $params = @{ 22 | defaultUserRolePermissions = @{ 23 | AllowedToReadBitlockerKeysForOwnedDevice = $false 24 | } 25 | } 26 | Update-MgPolicyAuthorizationPolicy -BodyParameter $params 27 | ``` 28 | 29 | ### Default Value 30 | 31 | No. 32 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_3_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365. 
4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to `Microsoft Purview` [https://compliance.microsoft.com](https://compliance.microsoft.com). 10 | 2. Select `Solutions` and then `Audit` to open the audit search. 11 | 3. Click blue bar `Start recording user and admin activity.` 12 | 4. Click `Yes` on the dialog box to confirm. 13 | 14 | **To remediate using PowerShell:** 15 | 16 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 17 | 2. Run the following PowerShell command: 18 | 19 | ```bash 20 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 21 | ``` 22 | 23 | ### Default Value 24 | 25 | 180 days 26 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_8.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enabling self-service password reset allows users to reset their own passwords in Azure AD. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. 4 | 5 | **NOTE:** Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default. 6 | 7 | Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. 8 | 9 | ## Remediation 10 | 11 | To enable self-service password reset: 12 | 13 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 14 | 2. Click to expand `Azure Active Directory` > `Users` select `All users`. 15 | 3. Under Manage, select `Password reset`. 16 | 4. 
Set `Self service password reset enabled` to `All`. 17 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_7_2_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties. 4 | 5 | Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `SharePoint admin center` [https://admin.microsoft.com/sharepoint](https://admin.microsoft.com/sharepoint). 12 | 2. Click to expand `Policies` then select `Sharing`. 13 | 3. Expand `More external sharing settings`, uncheck `Allow guests to share items they don't own.` 14 | 5. Click `Save`. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to SharePoint Online service using `Connect-SPOService.` 19 | 2. Run the following SharePoint Online PowerShell command: 20 | 21 | ```bash 22 | Set-SPOTenant -PreventExternalUsersFromResharing $True 23 | ``` 24 | 25 | ### Default Value 26 | 27 | Checked (False) 28 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_7_2_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties. 
4 | 5 | Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `SharePoint admin center` [https://admin.microsoft.com/sharepoint](https://admin.microsoft.com/sharepoint). 12 | 2. Click to expand `Policies` then select `Sharing`. 13 | 3. Expand `More external sharing settings`, uncheck `Allow guests to share items they don't own.` 14 | 4. Click `Save`. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to SharePoint Online service using `Connect-SPOService`. 19 | 2. Run the following SharePoint Online PowerShell command: 20 | 21 | ```bash 22 | Set-SPOTenant -PreventExternalUsersFromResharing $True 23 | ``` 24 | 25 | ### Default Value 26 | 27 | Checked (False). 28 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | You should not allow your users to share the full details of their calendars with external users. 4 | 5 | Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | To disable calendar details sharing with external users, use the Microsoft 365 Admin Center: 10 | 11 | 1. Select `Admin Center` and Click to expand `Settings`. 12 | 2. Click `Org settings`. 13 | 3. Click `Calendar`. 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`. 15 | 5. Click `Save`. 
16 | 17 | To disable calendar details sharing with external users policy, use the Exchange Online PowerShell Module: 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Name of the policy" -Enabled $False 24 | ``` 25 | 26 | **Default Value:** On 27 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | You should not allow your users to share the full details of their calendars with external users. 4 | 5 | Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | **To disable calendar details sharing with external users, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Select `Admin Center` and click to expand `Settings`. 12 | 2. Click `Org settings`. 13 | 3. Click `Calendar`. 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`. 15 | 5. Click `Save`. 16 | 17 | **To disable calendar details sharing with external users policy, use the Exchange Online PowerShell Module:** 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. 
Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Name of the policy" -Enabled $False 24 | ``` 25 | 26 | **Default Value:** On -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_1_1_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Guest users can be set up for those users not in the organization to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant. 4 | 5 | Ensure Guest Users are reviewed no less frequently than biweekly. 6 | 7 | **Note:** With the E5 license an access review can be configured to review guest accounts automatically on a recurring basis. This is the preferred method if the licensing is available. 8 | 9 | ## Remediation 10 | 11 | To review guest users in the UI: 12 | 13 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com/. 14 | 2. Click to expand `Users` and select `Guest Users`. 15 | 3. Review the list of users. 16 | 17 | To review guest users using Microsoft Graph PowerShell: 18 | 19 | 1. Connect using `Connect-MgGraph -Scopes "User.Read.All"`. 20 | 2. Run the following PowerShell command: 21 | 22 | ```bash 23 | Get-MgUser -All -Property UserType,UserPrincipalName | Where {$_.UserType -ne "Member"} | Format-Table UserPrincipalName, UserType 24 | ``` 25 | 26 | 3. Review the list of users. If nothing is returned, there are no guest users. -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. 
The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to the `Microsoft Entra admin center` [https://entra.microsoft.com](https://entra.microsoft.com). 10 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 11 | 3. Click `New policy`. 12 | - Under `Users` include `All users` (do not exclude any user other than the break-glass accounts noted below). 13 | - Under `Target resources` include `All cloud apps` and do not create any exclusions. 14 | - Under `Grant` select `Grant Access` and check `Require multifactor authentication`. 15 | - Click `Select` at the bottom of the pane. 16 | 4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it. 17 | 5. Click `Create`. 18 | 19 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 20 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enabling self-service password reset allows users to reset their own passwords in Azure AD. When your users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. As of August 2020 combined registration is enabled by default. 4 | 5 | Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. 
Combined registration should be enabled if it is not already; as of August 2020 combined registration is automatic for new tenants, therefore users will not need to register for password reset separately from multi-factor authentication. 6 | 7 | ## Remediation 8 | 9 | To enable self-service password reset, use the Microsoft 365 Admin Center: 10 | 11 | 1. Under `Admin centers` choose `Azure Active Directory`. 12 | 2. Choose `Users` from the left-hand navigation. 13 | 3. Choose `Password reset`. 14 | 4. On the Properties page, select `All` under `Self service password reset enabled`. 15 | 5. Select `Save`. 16 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enabling self-service password reset allows users to reset their own passwords in Azure AD. When your users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. As of August 2020 combined registration is enabled by default. 4 | 5 | Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. Combined registration should be enabled if it is not already; as of August 2020 combined registration is automatic for new tenants, therefore users will not need to register for password reset separately from multi-factor authentication. 6 | 7 | ## Remediation 8 | 9 | **To enable self-service password reset, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Under `Admin centers` choose `Azure Active Directory`. 12 | 2. Choose `Users` from the left-hand navigation. 13 | 3. Choose `Password reset`. 14 | 4. 
On the Properties page, select `All` under `Self service password reset enabled`. 15 | 5. Select `Save`. -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_5_1_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | App registration allows users to register custom-developed applications for use within the directory. 4 | 5 | Third-party integrated applications connection to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Identity` > `Users` select `Users settings`. 13 | 3. Set `Users can register applications` to `No`. 14 | 4. Click Save. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"`. 19 | 2. Run the following commands: 20 | 21 | ```bash 22 | $param = @{ AllowedToCreateApps = "$false" } 23 | Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Yes (Users can register applications.). 29 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_1_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | App registration allows users to register custom-developed applications for use within the directory. 
4 | 5 | Third-party integrated applications connection to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Identity` > `Users` select `User settings`. 13 | 3. Set `Users can register applications` to `No`. 14 | 4. Click `Save`. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"` 19 | 2. Run the following commands: 20 | 21 | ```bash 22 | $param = @{ AllowedToCreateApps = "$false" } 23 | Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Yes (Users can register applications.) 29 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | App registration allows users to register custom-developed applications for use within the directory. 4 | 5 | Third-party integrated applications connection to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. 
Click to expand `Identity` > `Users` select `User settings`. 13 | 3. Set `Users can register applications` to `No`. 14 | 4. Click `Save`. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"`. 19 | 2. Run the following commands: 20 | 21 | ```bash 22 | $param = @{ AllowedToCreateApps = "$false" } 23 | Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Yes (Users can register applications). 29 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_5_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search in the Microsoft 365 Security & Compliance Center is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365. 4 | 5 | Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. 6 | 7 | ## Remediation 8 | 9 | To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center: 10 | 11 | 1. Log in as an administrator. 12 | 2. Navigate to the `Office 365 security & compliance center` by going to https://protection.office.com. 13 | 3. In the Security & Compliance Center, expand `Search` then select `Audit log search`. 14 | 4. Click `Start recording user and admin activities` next to the information warning at the top. 15 | 5. Click `Yes` on the dialog box to confirm. 16 | 17 | **NOTE:** Remediation via PowerShell is only supported in on-premises Exchange environments. 18 | 19 | **Default Value:** Disabled. 
20 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to the `Microsoft Entra admin center` [https://entra.microsoft.com](https://entra.microsoft.com). 10 | 2. Click expand `Protection` > `Conditional Access` select `Policies`. 11 | 3. Click `New policy`. 12 | - Under `Users` include `All users`. 13 | - Under `Target resources` include `All resources (formerly 'All cloud apps')` and do not create any exclusions. 14 | - Under `Grant` select `Grant Access` and check either `Require multifactor authentication` or `Require authentication strength`. 15 | - Click `Select` at the bottom of the pane. 16 | 4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it. 17 | 5. Click `Create`. 18 | 19 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 20 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_3_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This setting allows users in the organization to create new security groups and add members to these groups in the Azure portal, API, or PowerShell. These new groups also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups. 
4 | 5 | The recommended state is `Users can create security groups in Azure portals, API or PowerShell` set to `No`. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Groups` select `General`. 13 | 3. Set `Users can create security groups in Azure portals, API or PowerShell` to `No`. 14 | 15 | **To remediate using PowerShell:** 16 | 17 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"`. 18 | 2. Run the following commands: 19 | 20 | ```bash 21 | $params = @{ 22 | defaultUserRolePermissions = @{ 23 | AllowedToCreateSecurityGroups = $false 24 | } 25 | } 26 | Update-MgPolicyAuthorizationPolicy -BodyParameter $params 27 | ``` 28 | 29 | ### Default Value 30 | 31 | AllowedToCreateSecurityGroups : True. 32 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_7_2_6.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. 4 | 5 | Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that users can share documents with will reduce that surface area. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `SharePoint admin center` [https://admin.microsoft.com/sharepoint](https://admin.microsoft.com/sharepoint). 12 | 2. Expand `Policies` then click `Sharing`. 13 | 3. Expand `More external sharing settings` and check `Limit external sharing by domain.` 14 | 4. Select `Add domains` to add a list of approved domains. 15 | 5. Click `Save` at the bottom of the page. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. 
Connect to SharePoint Online using `Connect-SPOService`. 20 | 2. Run the following PowerShell command: 21 | 22 | ```bash 23 | Set-SPOTenant -SharingDomainRestrictionMode AllowList - 24 | SharingAllowedDomainList "domain1.com domain2.com" 25 | ``` 26 | 27 | ### Default Value 28 | 29 | Limit external sharing by domain is unchecked 30 | SharingDomainRestrictionMode: None 31 | SharingAllowedDomainList: `` 32 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords. 4 | 5 | Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment. 6 | 7 | ## Remediation 8 | 9 | To set up Azure Active Directory Password Protection, use the following steps: 10 | 11 | 1. Download and install the `Azure AD Password Proxies` and `DC Agents` from the following location: https://www.microsoft.com/download/details.aspx?id=57071. 12 | 2. After the installation is complete, log in to `https://admin.microsoft.com` as a `Global Administrator`. 13 | 3. Go to `Admin centers` and click on `Azure Active Directory`. 14 | 4. Select `Azure Active Directory` then `Security` on the left side navigation followed by `Authentication methods`. 15 | 5. Select `Password protection` and toggle `Enable password protection on Windows Server Active Directory` to `Yes` and `Mode` to `Enforced`. 16 | 6. Click `Save` at the top of the right pane. 
17 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_1_3_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar. 4 | 5 | Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Settings` select `Org settings`. 13 | 3. In the `Services` section click `Calendar`. 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`. 15 | 5. Click `Save`. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $False 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Enabled (True). 29 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_1_3_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar. 
4 | 5 | Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Settings` select `Org settings`. 13 | 3. In the `Services` section click `Calendar`. 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`. 15 | 5. Click `Save`. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $False 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Enabled (True). 29 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_2_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive, but can represent a risk in some situations if it's not monitored and controlled carefully. 4 | 5 | Attackers commonly use custom applications to trick users into granting them access to company data. Disabling future user consent operations setting mitigates this risk, and helps to reduce the threat-surface. 
If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator. 6 | 7 | ## Remediation 8 | 9 | To prohibit user consent to apps accessing company data on their behalf: 10 | 11 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 12 | 2. Click to expand `Azure Active Directory` > `Applications` select `Enterprise applications`. 13 | 3. Under `Security` select `Consent and permissions`. 14 | 4. Under `User consent for applications` select `Do not allow user consent`. 15 | 5. Click the `Save` option at the top of the window. 16 | 17 | 18 | **Default Value:** UI - Allow user consent for apps. 19 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_5_15.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Guest users can be set up for those users not in the organization to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant. 4 | 5 | Ensure Guest Users are reviewed no less frequently than biweekly. 6 | 7 | **NOTE:** With the E5 license an access review can be configured to review guest accounts automatically on a recurring basis. This is the preferred method if the licensing is available. 8 | 9 | Periodic review of guest users ensures proper access to resources. 10 | 11 | ## Remediation 12 | 13 | To review guest users in the UI: 14 | 15 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com/. 16 | 2. Click to expand `Users` and select `Guest Users`. 17 | 3. Review the list of users. 18 | 19 | To review guest users using Microsoft Graph PowerShell: 20 | 21 | 1. Connect using `Connect-MgGraph -Scopes "User.Read.All"`. 22 | 2. 
Run the following PowerShell command: 23 | 24 | ```bash 25 | Get-MgUser -All -Property UserType,UserPrincipalName | 26 | Where {$_.UserType -ne "Member"} | 27 | Format-Table UserPrincipalName, UserType 28 | ``` 29 | 30 | 3. Review the list of users. If nothing is returned then there are no guest users. 31 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_3_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft defines Multifactor authentication capable as being registered and enabled for a strong authentication method. The method must also be allowed by the authentication methods policy. 4 | 5 | Ensure all member users are MFA capable. 6 | 7 | ## Remediation 8 | 9 | Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies and will not be covered in detail. Administrators should review each user identified on a case-by-case basis using the conditions below. 10 | 11 | **User has never signed on:** 12 | 13 | - Employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement. 14 | 15 | **Conditional Access policy applicability:** 16 | 17 | - Ensure a CA policy is in place requiring all users to use MFA. 18 | - Ensure the user is not excluded from the CA MFA policy. 19 | - Ensure the policy's state is set to `On`. 20 | - Use `What if` to determine applicable CA policies. (Protection > Conditional Access > Policies) 21 | - Review the user account in Sign-in logs. 
Under the `Activity Details` pane click the `Conditional Access` tab to view applied policies. 22 | 23 | **Note:** Conditional Access is covered step by step in section 5.2.2. 24 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_1_3_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar. 4 | 5 | Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Settings` select `Org settings`. 13 | 3. In the `Services` section click `Calendar`. 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`. 15 | 5. Click `Save`. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $False 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Enabled (True). 
29 | 30 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_3_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft defines Multifactor authentication capable as being registered and enabled for a strong authentication method. The method must also be allowed by the authentication methods policy. 4 | 5 | Ensure all member users are `MFA capable`. 6 | 7 | ## Remediation 8 | 9 | Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies and will not be covered in detail. Administrators should review each user identified on a case-by-case basis using the conditions below. 10 | 11 | **User has never signed on:** 12 | 13 | - Employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement. 14 | 15 | **Conditional Access policy applicability:** 16 | 17 | - Ensure a CA policy is in place requiring all users to use MFA. 18 | - Ensure the user is not excluded from the CA MFA policy. 19 | - Ensure the policy's state is set to `On`. 20 | - Use `What if` to determine applicable CA policies. (Protection > Conditional Access > Policies) 21 | - Review the user account in `Sign-in logs`. Under the `Activity Details` pane click the `Conditional Access` tab to view applied policies. 22 | 23 | **Note:** Conditional Access is covered step by step in section 5.2.2. -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_5_1_5_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. 
Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully. 4 | 5 | Attackers commonly use custom applications to trick users into granting them access to company data. Disabling future user consent operations setting mitigates this risk, and helps to reduce the threat-surface. If user consent is disabled previous consent grants will still be honored but all future consent operations must be performed by an administrator. 6 | 7 | ## Remediation 8 | 9 | To prohibit user consent to apps accessing company data on their behalf: 10 | 11 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 12 | 2. Click to expand `Identity` > `Applications` select `Enterprise applications.` 13 | 3. Under `Security` select `Consent and permissions` > `User consent settings.` 14 | 4. Under `User consent for applications` select `Do not allow user consent.` 15 | 5. Click the `Save` option at the top of the window. 16 | 17 | ### Default Value 18 | 19 | UI - `Allow user consent for apps.` -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_5_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365. 
4 | 5 | Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights. 6 | 7 | ## Remediation 8 | 9 | To enable Microsoft 365 audit log search: 10 | 11 | 1. Navigate to `Microsoft Purview` https://compliance.microsoft.com. 12 | 2. Select `Audit` to open the audit search. 13 | 3. Click `Start recording user and admin activity` next to the information warning at the top. 14 | 4. Click `Yes` on the dialog box to confirm. 15 | 16 | To enable Microsoft 365 audit log search using PowerShell: 17 | 18 | 1. Connect to Exchange Online using Connect-ExchangeOnline. 19 | 2. Run the following PowerShell command: 20 | 21 | ```bash 22 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 23 | ``` 24 | -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_3_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365. 4 | 5 | Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights. 6 | 7 | ## Remediation 8 | 9 | To enable Microsoft 365 audit log search: 10 | 11 | 1. Navigate to `Microsoft Purview` https://compliance.microsoft.com. 12 | 2. Select `Audit` to open the audit search. 13 | 3. 
Click `Start recording user and admin activity` next to the information warning at the top. 14 | 4. Click `Yes` on the dialog box to confirm. 15 | 16 | 17 | To enable Microsoft 365 audit log search using PowerShell: 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline.` 20 | 2. Run the following PowerShell command: 21 | 22 | ```bash 23 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 24 | ``` -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_3_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365. 4 | 5 | Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Purview` [https://compliance.microsoft.com](https://compliance.microsoft.com). 12 | 2. Select `Audit` to open the audit search. 13 | 3. Click `Start recording user and admin activity` next to the information warning at the top. 14 | 4. Click `Yes` on the dialog box to confirm. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 19 | 2. 
Run the following PowerShell command: 20 | 21 | ```bash 22 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 23 | ``` 24 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_5_10.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The Account Provisioning Activity report details any account provisioning that was attempted by an external application. 4 | 5 | If you don't usually use a third party provider to manage accounts, any entry on the list is likely illicit. If you do, this is a great way to monitor transaction volumes and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate. 6 | 7 | ## Remediation 8 | 9 | To review the report, use the Microsoft 365 Admin Center: 10 | 11 | 1. Go to `Security`. 12 | 2. Click on `Audit` then select `Search`. 13 | 3. Set `Activities` to `Added user` for `Activities`. 14 | 4. Set `Start Date` and `End Date`. 15 | 5. Click `Search`. 16 | 6. Review. 17 | 18 | To review Account Provisioning Activity report, use the Exchange Online PowerShell Module: 19 | 20 | 1. Connect to Exchange Online service using `Connect-EXOPSSession`. 21 | 2. Run the following Exchange Online PowerShell command: 22 | 23 | ```bash 24 | $startDate = ((Get-date).AddDays(-7)).ToShortDateString() 25 | $endDate = (Get-date).ToShortDateString() 26 | 27 | Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq "add user." } 28 | ``` 29 | 30 | 3. Review the output. 
31 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_5_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have: - successfully signed in after multiple failures, which is an indication that the accounts' passwords have been cracked; - signed in to your tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network); - had successful sign-ins where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. 4 | 5 | Reviewing this report on a regular basis allows for identification and remediation of compromised accounts. 6 | 7 | ## Remediation 8 | 9 | To review the report, perform the following steps using the Azure Portal: 10 | 11 | 1. Go to [portal.azure.com](https://portal.azure.com/). 12 | 2. Click `Azure Active Directory`. 13 | 3. Under `Manage` click on `Security`. 14 | 4. Under `Report` click on `Risky sign-ins`. 15 | 5. Review by `Risk level (aggregate)`. 16 | 17 | To get the risky sign-ins event report programmatically, use the following Graph API: 18 | 19 | ```bash 20 | https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active' 21 | ``` 22 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_2_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar. 
4 | 5 | Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | To disable calendar details sharing with external users: 10 | 11 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com. 12 | 2. Click to expand `Settings` select `Org settings`. 13 | 3. In the `Services` section click `Calendar`. 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`. 15 | 5. Click `Save`. 16 | 17 | To disable calendar details sharing with external users policy, use the Exchange Online PowerShell Module: 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Name of the policy" -Enabled $False 24 | ``` 25 | 26 | **Default Value:** On. 27 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_3_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365. 
4 | 5 | Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to [Microsoft Purview](https://purview.microsoft.com/). 12 | 2. Select `Solutions` and then `Audit` to open the audit search. 13 | 3. Click blue bar `Start recording user and admin activity.` 14 | 4. Click `Yes` on the dialog box to confirm. 15 | 16 | **To remediate using PowerShell:** 17 | 18 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 19 | 2. Run the following PowerShell command: 20 | 21 | ```bash 22 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 23 | ``` 24 | 25 | ### Default Value 26 | 27 | 180 days. 28 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_5_9.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The Account Provisioning Activity report details any account provisioning that was attempted by an external application. 4 | 5 | If you don't usually use a third party provider to manage accounts, any entry on the list is likely illicit. If you do, this is a great way to monitor transaction volumes and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate. 6 | 7 | ## Remediation 8 | 9 | **To review the report, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Go to `Security`. 12 | 2. Click on `Audit` then select `Search`. 13 | 3. Set `Activities` to `Added user` for `User administration activities`. 14 | 4. Set `Start Date` and `End Date`. 15 | 5. Click `Search`. 16 | 6. Review. 
17 | 18 | **To review Account Provisioning Activity report, use the Exchange Online PowerShell Module:** 19 | 20 | 1. Connect to Exchange Online service using `Connect-EXOPSSession`. 21 | 2. Run the following Exchange Online PowerShell command: 22 | 23 | ```bash 24 | $startDate = ((Get-date).AddDays(-7)).ToShortDateString() 25 | $endDate = (Get-date).ToShortDateString() 26 | 27 | Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq "add user." } 28 | ``` 29 | 30 | 3. Review the output. -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_1_3_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar. 4 | 5 | Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. 6 | 7 | ## Remediation 8 | 9 | To disable calendar details sharing with external users: 10 | 11 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com. 12 | 2. Click to expand `Settings` select `Org settings.` 13 | 3. In the `Services` section click `Calendar.` 14 | 4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange.` 15 | 5. Click `Save.` 16 | 17 | To disable calendar details sharing with external users policy, use the Exchange Online PowerShell Module: 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline.` 20 | 2. 
Run the following Exchange Online PowerShell command: 21 | 22 | ```bash 23 | Set-SharingPolicy -Identity "Name of the policy" -Enabled $False 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Enabled (True). -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_5_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have: 4 | - successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords 5 | - signed in to your tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network) 6 | - successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions 7 | 8 | Reviewing this report on a regular basis allows for identification and remediation of compromised accounts. 9 | 10 | ## Remediation 11 | 12 | **To review the report, perform the following steps using the Azure Portal:** 13 | 14 | 1. Go to [portal.azure.com](https://portal.azure.com/). 15 | 2. Click `Azure Active Directory`. 16 | 3. Under `Manage` click on `Security`. 17 | 4. Under `Report` click on `Risky sign-ins`. 18 | 5. Review by `Risk level (aggregate)`. 
19 | 20 | **To get the risky sign-ins event report programmatically, use the following Graph API:** 21 | 22 | ```bash 23 | https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active' 24 | ``` -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_5_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365. 4 | 5 | Enabling Microsoft Purview audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. 6 | 7 | ## Remediation 8 | 9 | **To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Log in as an administrator. 12 | 2. Navigate to the `Microsoft Purview compliance portal` by going to https://compliance.office.com. 13 | 3. Under Solutions, select `Audit`. 14 | 4. Click `Start recording user and admin activity` next to the information warning at the top. 15 | 5. Click `Yes` on the dialog box to confirm. 16 | 17 | **To enable Microsoft 365 audit log search via Exchange Online PowerShell:** 18 | 19 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 20 | 2. Run the following PowerShell command: 21 | 22 | ```bash 23 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 24 | ``` 25 | 26 | **Default Value:** Disabled. 
-------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_7_2_6.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The external sharing features of SharePoint and OneDrive let users in the organization share content with people outside the organization (such as partners, vendors, clients, or customers). These features can also be used to share between licensed users on multiple Microsoft 365 subscriptions if your organization has more than one subscription. 4 | 5 | The recommended state is `Limit external sharing by domain > Allow only specific domains.` 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `SharePoint admin center` [https://admin.microsoft.com/sharepoint](https://admin.microsoft.com/sharepoint). 12 | 2. Expand `Policies` then click `Sharing`. 13 | 3. Expand `More external sharing settings` and check `Limit external sharing by domain.` 14 | 4. Select `Add domains` to add a list of approved domains. 15 | 5. Click `Save` at the bottom of the page. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. Connect to SharePoint Online using `Connect-SPOService`. 20 | 2. Run the following PowerShell command: 21 | 22 | ```bash 23 | Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "domain1.com domain2.com" 24 | ``` 25 | 26 | ### Default Value 27 | 28 | Limit external sharing by domain is unchecked 29 | SharingDomainRestrictionMode: `None` 30 | SharingAllowedDomainList: `` (empty) 31 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_12.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Ensure that only organizationally managed and approved public groups exist. 4 | 5 | In the Microsoft 365 Administration panel, when a group is created, the default privacy value is "Public". 
Make sure that public groups are created deliberately. When a group's privacy is "Public", users may access data related to this group (e.g. SharePoint) through three methods: 6 | 7 | - By using the Azure portal and adding themselves to the public group. In this case, administrators are not notified. - By requesting access to the group from the Group application of the Access Panel. This method forces users to send a message to the group owner, but they still have immediate access to the group. - By accessing the SharePoint URL. The SharePoint URL is usually guessable and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, depending on the group they try to access. 8 | 9 | **Note:** "Public" in this case means public to the organization. 10 | 11 | ## Remediation 12 | 13 | In the Microsoft 365 Administration portal, go to: 14 | 15 | 1. Teams & groups. 16 | 2. Active teams & groups. 17 | 3. Select a Public group. 18 | 4. Go to `Settings`. 19 | 5. Set Privacy to `Private`. 20 | 21 | **Default Value:** Public when created from the Administration portal; private otherwise. 22 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_1_1_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them. 4 | 5 | If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. 
The more global tenant administrators there are, the more likely it is that one of their accounts will be successfully breached by an external attacker. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to the `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Select `Users` > `Active Users`. 13 | 3. In the `Search` field enter the name of the user to be made a Global Administrator. 14 | 4. To create a new Global Admin: 15 | 1. Select the user's name. 16 | 2. A window will appear to the right. 17 | 3. Select `Manage roles`. 18 | 4. Select `Admin center access`. 19 | 5. Check `Global Administrator`. 20 | 6. Click `Save changes`. 21 | 5. To remove Global Admins: 22 | 1. Select User. 23 | 2. Under `Roles` select `Manage roles`. 24 | 3. De-Select the appropriate role. 25 | 4. Click `Save changes`. 26 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_2_12.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed. 4 | 5 | The recommended state is to `Block access` for `Device code flow` in Conditional Access. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 13 | 3. 
Create a new policy by selecting `New policy.` 14 | - Under `Users` include `All users.` 15 | - Under `Target resources > Resources (formerly cloud apps)` include `All resources (formerly 'All cloud apps')`. 16 | - Under `Conditions > Authentication flows` set `Configure` to `Yes`, select `Device code flow` and click `Save`. 17 | - Under `Grant` select `Block access` and click `Select`. 18 | 4. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 19 | 5. Click `Create`. 20 | 21 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 22 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_2_12.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed. 4 | 5 | The recommended state is to `Block access` for `Device code flow` in Conditional Access. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `ID Protection` > `Risk-based Conditional Access`. 13 | 3. Create a new policy by selecting `New policy.` 14 | - Under `Users` include `All users.` 15 | - Under `Target resources > Resources (formerly cloud apps)` include `All resources (formerly 'All cloud apps')`. 16 | - Under `Conditions > Authentication flows` set `Configure` to `Yes`, select `Device code flow` and click `Save`. 17 | - Under `Grant` select `Block access` and click `Select`. 18 | 4. 
Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 19 | 5. Click `Create`. 20 | 21 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 22 | 23 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them. 4 | 5 | If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker. 6 | 7 | ## Remediation 8 | 9 | To correct the number of global tenant administrators: 10 | 11 | 1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com 12 | 2. Select `Users` > `Active Users`. 13 | 3. In the `Search` field enter the name of the user to be made a Global Administrator. 14 | 4. To create a new Global Admin: 15 | 1. Select the user's name. 16 | 2. A window will appear to the right. 17 | 3. Select `Manage roles`. 18 | 4. Select `Admin center access`. 19 | 5. Check `Global Administrator`. 20 | 6. Click `Save changes`. 21 | 5. To remove Global Admins: 22 | 1. Select User. 23 | 2. Under `Roles` select `Manage roles`. 24 | 3. De-Select the appropriate role. 25 | 4. Click `Save changes`. 
26 | -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_1_1_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them. 4 | 5 | If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker. 6 | 7 | ## Remediation 8 | 9 | To correct the number of global tenant administrators: 10 | 11 | 1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com. 12 | 2. Select `Users` > `Active Users.` 13 | 3. In the `Search` field enter the name of the user to be made a Global Administrator. 14 | 4. To create a new Global Admin: 15 | 1. Select the user's name. 16 | 2. A window will appear to the right. 17 | 3. Select `Manage roles.` 18 | 4. Select `Admin center access.` 19 | 5. Check `Global Administrator.` 20 | 6. Click `Save changes.` 21 | 5. To remove Global Admins: 22 | 1. Select User. 23 | 2. Under `Roles` select `Manage roles.` 24 | 3. De-Select the appropriate role. 25 | 4. Click `Save changes.` -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_2_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The Account Provisioning Activity report details any account provisioning that was attempted by an external application. 
4 | 5 | If the organization doesn't usually use a third party provider to manage accounts, any entry on the list is likely illicit. However, if the organization uses a third party provider, it is recommended to monitor transaction volumes and look for new or unusual third party applications that may be managing users. If anything unusual is observed, the provider should be contacted to determine the legitimacy of the action. 6 | 7 | ## Remediation 8 | 9 | To review the Account Provisioning Activity report: 10 | 11 | 1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com. 12 | 2. Click on `Audit.` 13 | 3. Set `Activities` to `Added user` for `User administration activities.` 14 | 4. Set `Start Date` and `End Date.` 15 | 5. Click `Search.` 16 | 6. Review. 17 | 18 | To review the Account Provisioning Activity report using PowerShell: 19 | 20 | 1. Connect to Exchange Online using `Connect-ExchangeOnline.` 21 | 2. Run the following Exchange Online PowerShell command: 22 | 23 | ```bash 24 | $startDate = ((Get-date).AddDays(-7)).ToShortDateString() 25 | $endDate = (Get-date).ToShortDateString() 26 | Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | 27 | Where-Object { $_.Operations -eq "add user." } 28 | ``` 29 | 3. Review the output. -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_5_10.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The Account Provisioning Activity report details any account provisioning that was attempted by an external application. 4 | 5 | If the organization doesn't usually use a third party provider to manage accounts, any entry on the list is likely illicit. However, if the organization uses a third party provider, it is recommended to monitor transaction volumes and look for new or unusual third party applications that may be managing users. 
If anything unusual is observed, the provider should be contacted to determine the legitimacy of the action. 6 | 7 | ## Remediation 8 | 9 | To review the Account Provisioning Activity report: 10 | 11 | 1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com. 12 | 2. Click on `Audit`. 13 | 3. Set `Activities` to `Added user` for `User administration activities`. 14 | 4. Set `Start Date` and `End Date`. 15 | 5. Click `Search`. 16 | 6. Review. 17 | 18 | To review the Account Provisioning Activity report using PowerShell: 19 | 20 | 1. Connect to Exchange Online using `Connect-ExchangeOnline`. 21 | 2. Run the following Exchange Online PowerShell command: 22 | 23 | ```bash 24 | $startDate = ((Get-date).AddDays(-7)).ToShortDateString() 25 | $endDate = (Get-date).ToShortDateString() 26 | 27 | Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq "add user." } 28 | ``` 29 | 30 | 3. Review the output. 31 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_11.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. Using security defaults, however, prevents the more advanced custom settings recommended elsewhere in this benchmark from being applied. 4 | 5 | Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. 
For example, by doing the following: 6 | - Requiring all users and admins to register for MFA. 7 | - Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks. 8 | - Disabling authentication from legacy authentication clients, which can’t do MFA. 9 | 10 | ## Remediation 11 | 12 | To disable security defaults in your directory: 13 | 14 | 1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. 15 | 2. Browse to `Azure Active Directory` > `Properties`. 16 | 3. Select `Manage security defaults`. 17 | 4. Set the `Enable security defaults` toggle to `No`. 18 | 5. Select `Save`. 19 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_11.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. 4 | 5 | Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. 6 | 7 | Using security defaults, however, prevents the more advanced custom settings recommended elsewhere in this benchmark from being applied. 8 | 9 | Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. 10 | 11 | For example, by doing the following: 12 | 13 | - Requiring all users and admins to register for MFA. 14 | - Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks. 
15 | - Disabling authentication from legacy authentication clients, which can’t do MFA. 16 | 17 | ## Remediation 18 | 19 | To disable security defaults in your directory: 20 | 21 | 1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. 22 | 2. Browse to Azure Active Directory > Properties. 23 | 3. Select `Manage security defaults`. 24 | 4. Set the Enable security defaults toggle to `No`. 25 | 5. Select Save. -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords. 4 | 5 | **Note:** This recommendation applies to Hybrid deployments only, and will have no impact unless working with on-premises Active Directory. 6 | 7 | Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment. 8 | 9 | ## Remediation 10 | 11 | **To setup Azure Active Directory Password Protection, use the following steps:** 12 | 13 | 1. Download and install the `Azure AD Password Proxies` and `DC Agents` from the following location: https://www.microsoft.com/download/details.aspx?id=57071. 14 | 2. After the installation is complete, login to `https://admin.microsoft.com` as a `Global Administrator`. 15 | 3. Go to `Admin centers` and click on `Azure Active Directory`. 16 | 4. Select `Azure Active Directory` then `Security` on the left side navigation followed by `Authentication methods`. 17 | 5. 
Select `Password protection` and toggle `Enable password protection on Windows Server Active Directory` to `Yes` and `Mode` to `Enforced`. 18 | 6. Click Save at the top of the right pane. 19 | 20 | **Default Value:** Enabled / Enforced. -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_1_1_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Between two and four global administrators should be designated in the tenant. Ideally, these accounts will not have licenses assigned to them which supports additional controls found in this benchmark. 4 | 5 | If there is only one global administrator, they could perform malicious activities without being detected by another admin. Designating multiple global administrators eliminates this risk and ensures redundancy if the sole remaining global administrator leaves the organization. 6 | 7 | However, to minimize the attack surface, there should be no more than four global admins set for any tenant. A large number of global admins increases the likelihood of a successful account breach by an external attacker. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to the `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 14 | 2. Select `Users` > `Active Users`. 15 | 3. In the `Search` field enter the name of the user to be made a Global Administrator. 16 | 4. To create a new Global Admin: 17 | 1. Select the user's name. 18 | 2. A window will appear to the right. 19 | 3. Select `Manage roles`. 20 | 4. Select `Admin center access`. 21 | 5. Check `Global Administrator`. 22 | 6. Click `Save changes`. 23 | 5. To remove Global Admins: 24 | 1. Select User. 25 | 2. Under `Roles` select `Manage roles`. 26 | 3. Deselect `Global Administrator`. 27 | 4. Click `Save changes`. 
28 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_1_1_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Between two and four global administrators should be designated in the tenant. Ideally, these accounts will not have licenses assigned to them which supports additional controls found in this benchmark. 4 | 5 | If there is only one global administrator, they could perform malicious activities without being detected by another admin. Designating multiple global administrators eliminates this risk and ensures redundancy if the sole remaining global administrator leaves the organization. 6 | 7 | However, to minimize the attack surface, there should be no more than four global admins set for any tenant. A large number of global admins increases the likelihood of a successful account breach by an external attacker. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to the `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 14 | 2. Select `Users` > `Active Users`. 15 | 3. In the `Search` field enter the name of the user to be made a Global Administrator. 16 | 4. To create a new Global Admin: 17 | 1. Select the user's name. 18 | 2. A window will appear to the right. 19 | 3. Select `Manage roles`. 20 | 4. Select `Admin center access`. 21 | 5. Check `Global Administrator`. 22 | 6. Click `Save changes`. 23 | 5. To remove Global Admins: 24 | 1. Select User. 25 | 2. Under `Roles` select `Manage roles`. 26 | 3. Deselect `Global Administrator`. 27 | 4. Click `Save changes`. 
28 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Review the password expiration policy to ensure that user passwords in Office 365 are not set to expire. 4 | 5 | NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually makes the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), as well as password protection for Azure AD, which makes password expiration even less useful. 6 | 7 | ## Remediation 8 | 9 | To set Office 365 passwords to never expire, use the Microsoft 365 Admin Center: 10 | 11 | 1. Expand `Settings` then select the `Org Settings` subcategory. 12 | 2. Click on `Security & privacy`. 13 | 3. Select `Password expiration policy`. 14 | 4. If the `Set user passwords to expire after a number of days` box is checked, uncheck it. 15 | 5. Click `Save`. 16 | 17 | To ensure Office 365 passwords are not set to expire, use the Microsoft Online PowerShell Module: 18 | 19 | 1. Connect to Microsoft Online service using `Connect-MSOLService`. 20 | 2. 
Run the following Microsoft Online PowerShell command: 21 | 22 | ```powershell 23 | Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName -NotificationDays 30 24 | ``` 25 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_13.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 4 | 5 | Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication. 6 | 7 | ## Remediation 8 | 9 | To configure a Sign-In risk policy, use the following steps: 10 | 11 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 12 | 2. Browse to `Azure Active Directory` > `Protect & secure` > `Conditional Access`. 13 | 3. Create a new policy by selecting `New policy`. 14 | 4. Set the following conditions within the policy. 15 | - Under `Users or workload identities` choose `All users`. 16 | - Under `Cloud apps or actions` choose `All cloud apps`. 17 | - Under `Conditions` choose `Sign-in risk` then `Yes` in the right pane followed by the appropriate level. 18 | - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require multi-factor authentication`. 19 | 5. Click `Select`. 20 | 6. You may opt to begin in a state of `Report Only` as you step through implementation; however, the policy will need to be set to `On` to be in effect. 21 | 7. Click `Create`. 22 | 23 | **NOTE:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks). 
24 | -------------------------------------------------------------------------------- /query/authorizationpolicy.pp: -------------------------------------------------------------------------------- 1 | query "azuread_authorization_policy_accessing_company_data_not_allowed" { 2 | sql = <<-EOQ 3 | select 4 | tenant_id || '/' || id as resource, 5 | case 6 | when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0 then 'ok' 7 | else 'alarm' 8 | end as status, 9 | case 10 | when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0 then tenant_id || ' which is ' || lower(split_part(description, '.', 1)) || ' does not have Permission Grant Policies assigned.' 11 | else tenant_id || ' which is ' || lower(split_part(description, '.', 1)) || ' have Permission Grant Policies assigned.' 12 | end as reason 13 | ${local.common_dimensions_sql} 14 | from 15 | azuread_authorization_policy; 16 | EOQ 17 | } 18 | 19 | query "azuread_third_party_application_not_allowed" { 20 | sql = <<-EOQ 21 | select 22 | tenant_id || '/' || id as resource, 23 | case 24 | when not (default_user_role_permissions -> 'allowedToCreateApps')::bool then 'ok' 25 | else 'alarm' 26 | end as status, 27 | case 28 | when not (default_user_role_permissions -> 'allowedToCreateApps')::bool then tenant_id || ' has third party integrated applications not allowed.' 29 | else tenant_id || ' has third party integrated applications allowed.' 30 | end as reason 31 | ${local.common_dimensions_sql} 32 | from 33 | azuread_authorization_policy; 34 | EOQ 35 | } 36 | -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_5_2_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. 
Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. 6 | 7 | ## Remediation 8 | 9 | To enable multifactor authentication for all users: 10 | 11 | 1. Navigate to `the Microsoft Entra admin center` https://entra.microsoft.com. 12 | 2. Click expand `Protection` > `Conditional Access` select `Policies.` 13 | 3. Click `New policy.` 14 | 4. Go to `Assignments` > `Users and groups` > `Include` > select `All users` (and do not exclude any user). 15 | 5. Select `Cloud apps or actions` > `All cloud apps` (and don't exclude any apps). 16 | 6. `Access Controls` > `Grant` > `Require multi-factor authentication` (and nothing else). 17 | 7. Leave all other conditions blank. 18 | 8. Make sure the policy is Enabled/On. 19 | 9. Create. 20 | 21 | ### Default Value 22 | 23 | Disabled. -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_2_8.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 
4 | 5 | **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits: 6 | - Enhanced diagnostic data 7 | - Report-only mode integration 8 | - Graph API support 9 | - Use more Conditional Access attributes like sign-in frequency in the policy 10 | 11 | ## Remediation 12 | 13 | **To remediate using the UI:** 14 | 15 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 16 | 2. Click expand `ID Protection` > `Risk-based Conditional Access`. 17 | 3. Create a new policy by selecting `New policy.` 18 | 4. Set the following conditions within the policy. 19 | - Under `Users` include `All users.` 20 | - Under `Target resources` include `All resources (formerly 'All cloud apps')` and do not set any exclusions. 21 | - Under `Conditions` choose `Sign-in risk` values of `High` and `Medium` and click `Done`. 22 | - Under `Grant` choose `Block access` and click `Select`. 23 | 5. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 24 | 6. Click `Create`. 25 | 26 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 27 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft provides supporting settings to enhance the configuration of the Microsoft Authenticator application. These settings provide users with additional information and context when they receive MFA passwordless and push requests, including the geographic location of the request, the requesting application, and a requirement for number matching. 4 | 5 | Ensure the following are `Enabled`. 
6 | 7 | - `Require number matching for push notifications` 8 | - `Show application name in push and passwordless notifications` 9 | - `Show geographic location in push and passwordless notifications` 10 | 11 | ## Remediation 12 | 13 | **To remediate using the UI:** 14 | 15 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 16 | 2. Click to expand `Entra ID` > `Authentication methods` select `Policies`. 17 | 3. Select `Microsoft Authenticator`. 18 | 4. Under `Enable and Target` ensure the setting is set to `Enable`. 19 | 5. Select `Configure`. 20 | 6. Set the following Microsoft Authenticator settings: 21 | - `Require number matching for push notifications` Status is set to `Enabled`, Target `All users`. 22 | - `Show application name in push and passwordless notifications` is set to `Enabled`, Target `All users`. 23 | - `Show geographic location in push and passwordless notifications` is set to `Enabled`, Target `All users`. 24 | 25 | **Note:** Valid groups such as break glass accounts can be excluded per organization policy. 26 | 27 | ### Default Value 28 | 29 | Microsoft-managed. 30 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_2_8.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 
4 | 5 | **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits: 6 | 7 | - Enhanced diagnostic data 8 | - Report-only mode integration 9 | - Graph API support 10 | - Use more Conditional Access attributes like sign-in frequency in the policy 11 | 12 | ## Remediation 13 | 14 | **To remediate using the UI:** 15 | 16 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 17 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 18 | 3. Create a new policy by selecting `New policy.` 19 | 4. Set the following conditions within the policy. 20 | - Under `Users` include `All users.` 21 | - Under `Target resources` include `All resources (formerly 'All cloud apps')` and do not set any exclusions. 22 | - Under `Conditions` choose `Sign-in risk` values of `High` and `Medium` and click `Done`. 23 | - Under `Grant` choose `Block access` and click `Select`. 24 | 5. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 25 | 6. Click `Create`. 26 | 27 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 28 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft provides supporting settings to enhance the configuration of the Microsoft Authenticator application. These settings provide users with additional information and context when they receive MFA passwordless and push requests, including the geographic location of the request, the requesting application, and a requirement for number matching. 4 | 5 | Ensure the following are `Enabled`. 
6 | 7 | - `Require number matching for push notifications` 8 | - `Show application name in push and passwordless notifications` 9 | - `Show geographic location in push and passwordless notifications` 10 | 11 | ## Remediation 12 | 13 | **To remediate using the UI:** 14 | 15 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 16 | 2. Click to expand `Protection` > `Authentication methods` and select `Policies`. 17 | 3. Select `Microsoft Authenticator`. 18 | 4. Under `Enable and Target` ensure the setting is set to `Enable`. 19 | 5. Select `Configure`. 20 | 6. Set the following Microsoft Authenticator settings: 21 | - `Require number matching for push notifications` Status is set to `Enabled`, Target `All users`. 22 | - `Show application name in push and passwordless notifications` is set to `Enabled`, Target `All users`. 23 | - `Show geographic location in push and passwordless notifications` is set to `Enabled`, Target `All users`. 24 | 25 | **Note:** Valid groups such as break glass accounts can be excluded per organization policy. 26 | 27 | ### Default Value 28 | 29 | Microsoft-managed. -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_3_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. 4 | 5 | Ensure `Access reviews` for Guest Users are configured to be performed no less frequently than `monthly`. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. 
Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Identity Governance` and select `Access reviews`. 13 | 3. Click `New access review`. 14 | 4. `Select what to review` choose `Teams + Groups`. 15 | 5. `Review Scope` set to `All Microsoft 365 groups with guest users`, do not exclude groups. 16 | 6. `Scope` set to `Guest users only` then click `Next: Reviews`. 17 | 7. `Select reviewers` an appropriate user that is NOT the guest user themselves. 18 | 8. `Duration (in days)` at most `3.` 19 | 9. `Review recurrence` is `Monthly` or more frequent. 20 | 10. End is set to `Never`, then click `Next: Settings.` 21 | 11. Check `Auto apply results to resource`. 22 | 12. Set `If reviewers don't respond` to `Remove access.` 23 | 13. Check the following: `Justification required, E-mail notifications, Reminders.` 24 | 14. Click `Next: Review + Create` and finally click `Create`. 25 | 26 | ### Default Value 27 | 28 | By default access reviews are not configured. 29 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_3_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. 4 | 5 | Ensure `Access reviews` for Guest Users are configured to be performed no less frequently than `monthly`. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Identity Governance` and select `Access reviews`. 13 | 3. 
Click `New access review`. 14 | 4. `Select what to review` choose `Teams + Groups`. 15 | 5. `Review Scope` set to `All Microsoft 365 groups with guest users`, do not exclude groups. 16 | 6. `Scope` set to `Guest users only` then click `Next: Reviews`. 17 | 7. `Select reviewers` an appropriate user that is NOT the guest user themselves. 18 | 8. `Duration (in days)` at most `3.` 19 | 9. `Review recurrence` is `Monthly` or more frequent. 20 | 10. End is set to `Never`, then click `Next: Settings.` 21 | 11. Check `Auto apply results to resource`. 22 | 12. Set `If reviewers don't respond` to `Remove access.` 23 | 13. Check the following: `Justification required, E-mail notifications, Reminders.` 24 | 14. Click `Next: Review + Create` and finally click `Create`. 25 | 26 | ### Default Value 27 | 28 | By default access reviews are not configured. 29 | 30 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_14.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. 4 | 5 | With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level. 6 | 7 | ## Remediation 8 | 9 | To configure a User risk policy, use the following steps: 10 | 11 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 12 | 2. Click to expand `Azure Active Directory` > `Protect & secure` select `Conditional Access`. 13 | 3. On the Conditional Access page, create a new policy by selecting `New policy`. 14 | 4. Set the following conditions within the policy: 15 | - Under `Users or workload identities` choose `All users`. 16 | - Under `Cloud apps or actions` choose `All cloud apps`. 
17 | - Under `Conditions` choose `User risk` then `Yes` in the right pane followed by the appropriate level. 18 | - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require password change`. 19 | 5. Click `Select`. 20 | 6. You may opt to begin in a state of `Report Only` as you step through implementation however, the policy will need to be set to `On` to be in effect. 21 | 7. Click `Create`. 22 | 23 | **NOTE:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks). 24 | -------------------------------------------------------------------------------- /cis_v300/section_2.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v300_2_common_tags = merge(local.cis_v300_common_tags, { 3 | cis_section_id = "2" 4 | }) 5 | } 6 | 7 | locals { 8 | cis_v300_2_3common_tags = merge(local.cis_v300_2_common_tags, { 9 | cis_section_id = "2.3" 10 | }) 11 | } 12 | 13 | benchmark "cis_v300_2" { 14 | title = "2 Microsoft 365 Defender" 15 | documentation = file("./cis_v300/docs/cis_v300_2.md") 16 | children = [ 17 | benchmark.cis_v300_2_3 18 | ] 19 | 20 | tags = merge(local.cis_v300_2_common_tags, { 21 | type = "Benchmark" 22 | service = "Azure/ActiveDirectory" 23 | }) 24 | } 25 | 26 | benchmark "cis_v300_2_3" { 27 | title = "2.3 Audit" 28 | children = [ 29 | control.cis_v300_2_3_1 30 | ] 31 | 32 | tags = merge(local.cis_v300_2_3common_tags, { 33 | type = "Benchmark" 34 | service = "Azure/ActiveDirectory" 35 | }) 36 | } 37 | 38 | control "cis_v300_2_3_1" { 39 | title = "2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly" 40 | description = "The Account Provisioning Activity report details any account provisioning that was attempted by an external application." 
41 | query = query.azuread_account_provisioning_activity_report_reviewed 42 | documentation = file("./cis_v300/docs/cis_v300_2_3_1.md") 43 | 44 | tags = merge(local.cis_v300_2_3common_tags, { 45 | cis_item_id = "2.3.1" 46 | cis_level = "1" 47 | cis_type = "manual" 48 | microsoft_365_license = "E3" 49 | service = "Azure/ActiveDirectory" 50 | }) 51 | } 52 | 53 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. 6 | 7 | ## Remediation 8 | 9 | To enable multifactor authentication for all users: 10 | 11 | 1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com. 12 | 2. Click expand `Azure Active Directory` > `Applications` select `Enterprise Applications`. 13 | 3. Under `Security`, select `Conditional Access`. 14 | 4. Click `New policy`. 15 | 5. Go to `Assignments` > `Users and groups` > `Include` > select `All users` (and do not exclude any user). 16 | 6. Select `Cloud apps or actions` > `All cloud apps` (and don't exclude any apps). 17 | 7. 
`Access Controls` > `Grant` > `Require multi-factor authentication` (and nothing else). 18 | 8. Leave all other conditions blank. 19 | 9. Make sure the policy is Enabled/On. 20 | 10. Create. 21 | 22 | **Default Value:** Disabled. 23 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_8.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 4 | 5 | Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication. 6 | 7 | ## Remediation 8 | 9 | **To configure a Sign-In risk policy, use the following steps:** 10 | 11 | 1. Log in to `https://admin.microsoft.com` as a `Global Administrator`. 12 | 2. Go to `Admin centers` and click on `Azure Active Directory`. 13 | 3. Select `Azure Active Directory` then `Security`. 14 | 4. Select `Conditional Access`. 15 | 5. Create a new policy by selecting `New policy`. 16 | 6. Set the following conditions within the policy. 17 | - Under `Users or workload identities` choose `All users`. 18 | - Under `Cloud apps or actions` choose `All cloud apps`. 19 | - Under `Conditions` choose `Sign-in risk` then `Yes` in the right pane followed by the appropriate level. 20 | - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require multi-factor authentication`. 21 | 7. Click `Select`. 22 | 8. You may opt to begin in a state of `Report Only` as you step through implementation; however, the policy will need to be set to `On` to be in effect. 23 | 9. Click `Create`. 
24 | 25 | **NOTE:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks). -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_8.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 4 | 5 | Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication. 6 | 7 | ## Remediation 8 | 9 | To configure a Sign-In risk policy, use the following steps: 10 | 11 | 1. Log in to `https://admin.microsoft.com` as a `Global Administrator`. 12 | 2. Go to `Admin centers` and click on `Azure Active Directory`. 13 | 3. Select `Azure Active Directory` then `Security`. 14 | 4. Select `Conditional Access`. 15 | 5. Create a new policy by selecting `New policy`. 16 | 6. Set the following conditions within the policy. 17 | - Under `Users or workload identities` choose `All users`. 18 | - Under `Cloud apps or actions` choose `All cloud apps`. 19 | - Under `Conditions` choose `Sign-in risk` then `Yes` in the right pane followed by the appropriate level. 20 | - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require multi-factor authentication`. 21 | 7. Click `Select`. 22 | 8. You may opt to begin in a state of `Report Only` as you step through implementation; however, the policy will need to be set to `On` to be in effect. 23 | 9. Click `Create`. 
24 | 25 | **NOTE:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks). 26 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_2_6.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft Entra ID Protection user risk policies detect the probability that a user account has been compromised. 4 | 5 | **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits: 6 | 7 | - Enhanced diagnostic data 8 | - Report-only mode integration 9 | - Graph API support 10 | - Use more Conditional Access attributes like sign-in frequency in the policy 11 | 12 | ## Remediation 13 | 14 | **To remediate using the UI:** 15 | 16 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 17 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 18 | 3. Create a new policy by selecting `New policy`. 19 | 4. Set the following conditions within the policy: 20 | - Under `Users` choose `All users`. 21 | - Under `Target resources` choose `All resources (formerly 'All cloud apps')`. 22 | - Under `Conditions` choose `User risk` then `Yes` and select the user risk level `High`. 23 | - Under `Grant` select `Grant access` then check `Require multifactor authentication` or `Require authentication strength`. Finally check `Require password change.` 24 | - Under `Session` set `Sign-in frequency` to `Every time.` 25 | - Click `Select`. 26 | 5. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 27 | 6. Click `Create` or `Save`. 
28 | 29 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all. 4 | 5 | Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD. 6 | 7 | ## Remediation 8 | 9 | **To set Office 365 Passwords to Expire, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Expand `Settings` then select the `Org Settings` subcategory. 12 | 2. Click on `Security & privacy`. 13 | 3. Select `Password expiration policy`. 14 | 4. If the `Set passwords to never expire (recommended)` box is unchecked, check it. 15 | 5. Click `Save`. 16 | 17 | **To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Online PowerShell Module:** 18 | 19 | 1. Connect to Microsoft Online service using `Connect-MSOLService`. 20 | 2. 
Run the following Microsoft Online PowerShell command: 21 | 22 | ```bash 23 | Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName -NotificationDays 30 24 | ``` 25 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_2_6.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft Entra ID Protection user risk policies detect the probability that a user account has been compromised. 4 | 5 | **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits: 6 | 7 | - Enhanced diagnostic data 8 | - Report-only mode integration 9 | - Graph API support 10 | - Use more Conditional Access attributes like sign-in frequency in the policy 11 | 12 | ## Remediation 13 | 14 | **To remediate using the UI:** 15 | 16 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 17 | 2. Click expand `ID Protection` > `Risk-based Conditional Access`. 18 | 3. Create a new policy by selecting `New policy`. 19 | 4. Set the following conditions within the policy: 20 | - Under `Users` choose `All users`. 21 | - Under `Target resources` choose `All resources (formerly 'All cloud apps')`. 22 | - Under `Conditions` choose `User risk` then `Yes` and select the user risk level `High`. 23 | - Under `Grant` select `Grant access` then check `Require multifactor authentication` or `Require authentication strength`. Finally check `Require password change.` 24 | - Under `Session` set `Sign-in frequency` to `Every time.` 25 | - Click `Select`. 26 | 5. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 27 | 6. Click `Create` or `Save`. 
28 | 29 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 30 | 31 | -------------------------------------------------------------------------------- /query/directorysetting.pp: -------------------------------------------------------------------------------- 1 | query "azuread_password_protection_enabled" { 2 | sql = <<-EOQ 3 | with enable_banned_password_check_on_premises_settings as ( 4 | select 5 | tenant_id, 6 | id 7 | from 8 | azuread_directory_setting 9 | where 10 | display_name = 'Password Rule Settings' 11 | and (name = 'EnableBannedPasswordCheckOnPremises' and value = 'True') 12 | ), banned_password_check_on_premise_mode_settings as ( 13 | select 14 | tenant_id, 15 | id 16 | from 17 | azuread_directory_setting 18 | where 19 | display_name = 'Password Rule Settings' 20 | and (name = 'BannedPasswordCheckOnPremisesMode' and value = 'Enforce') 21 | ), 22 | tenant_list as ( 23 | select 24 | distinct on (tenant_id) tenant_id, 25 | _ctx 26 | from 27 | azuread_user 28 | ) 29 | select 30 | t.tenant_id as resource, 31 | case 32 | when (e.tenant_id is not null) and (b.tenant_id is not null) then 'ok' 33 | else 'alarm' 34 | end as status, 35 | case 36 | when (e.tenant_id is not null) and (b.tenant_id is not null) then t.tenant_id || ' has password protection enabled.' 37 | else t.tenant_id || ' has password protection disabled.' 
38 | end as reason 39 | ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} 40 | from 41 | tenant_list as t 42 | left join enable_banned_password_check_on_premises_settings as e on e.tenant_id = t.tenant_id 43 | left join banned_password_check_on_premise_mode_settings as b on b.tenant_id = t.tenant_id; 44 | EOQ 45 | } -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. 6 | 7 | ## Remediation 8 | 9 | **To enable multifactor authentication for all users, use the Microsoft 365 Admin Center:** 10 | 11 | 1. Log in to `https://admin.microsoft.com` as a `Global Administrator`. 12 | 2. Go to `Admin centers` and click on `Azure Active Directory`. 13 | 3. Select `Enterprise applications` then, under `Security`, select `Conditional Access`. 14 | 4. Click `New policy`. 15 | 5. Go to `Assignments` > `Users and groups` > `Include` > select `All users` (and do not exclude any user). 16 | 6. Select `Cloud apps or actions` > `All cloud apps` (and don't exclude any apps). 17 | 7. 
`Access Controls` > `Grant` > `Require multi-factor authentication` (and nothing else). 18 | 8. Leave all other conditions blank. 19 | 9. Make sure the policy is Enabled/On. 20 | 10. Create. 21 | 22 | **Default Value:** Disabled. -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_4.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all. 4 | 5 | Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD. 6 | 7 | ## Remediation 8 | 9 | To set Office 365 passwords are set to never expire: 10 | 11 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com. 12 | 2. Click to expand `Settings` select `Org Settings`. 13 | 3. Click on `Security & privacy`. 14 | 4. Check the `Set passwords to never expire (recommended)` box. 15 | 5. Click `Save`. 16 | 17 | To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Graph PowerShell module: 18 | 19 | 1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes` "`Domain.ReadWrite.All`". 20 | 2. 
Run the following Microsoft Graph PowerShell command: 21 | 22 | ```bash 23 | Update-MgDomain -DomainId -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30 24 | ``` 25 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_5_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. 4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 10 | 2. Click to expand `Entra ID` and select `Enterprise apps`. 11 | 3. Under Security select `Consent and permissions`. 12 | 4. Under Manage select `Admin consent settings`. 13 | 5. Set `Users can request admin consent to apps they are unable to consent to to Yes` under `Admin consent requests`. 14 | 6. Under the `Reviewers` choose the Roles and Groups that will review user generated app consent requests. 15 | 7. Set `Selected users will receive email notifications for requests` to `Yes`. 16 | 8. Select `Save` at the top of the window. 17 | 18 | **To remediate using PowerShell:** 19 | 20 | The admin consent workflow configuration is currently only available through the Microsoft Entra admin center UI. 
21 | 22 | ### Default Value 23 | 24 | - `Users can request admin consent to apps they are unable to consent to`: `No` 25 | - `Selected users to review admin consent requests`: `None` 26 | - `Selected users will receive email notifications for requests`: `Yes` 27 | - `Selected users will receive request expiration reminders`: `Yes` 28 | - `Consent request expires after (days)`: `30` 29 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_1_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all. 4 | 5 | Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Settings` select `Org Settings`. 13 | 3. Click on `Security & privacy`. 14 | 4. Check the `Set passwords to never expire (recommended)` box. 15 | 5. Click `Save`. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. 
Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All"`. 20 | 2. Run the following Microsoft Graph PowerShell command: 21 | 22 | ```bash 23 | Update-MgDomain -DomainId -PasswordValidityPeriodInDays 2147483647 24 | ``` 25 | 26 | ### Default Value 27 | 28 | If the property is not set, a default value of 90 days will be used. 29 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_1_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all. 4 | 5 | Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Settings` select `Org Settings`. 13 | 3. Click on `Security & privacy`. 14 | 4. Check the `Set passwords to never expire (recommended)` box. 15 | 5. Click `Save`. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All"`. 
20 | 2. Run the following Microsoft Graph PowerShell command: 21 | 22 | ```bash 23 | Update-MgDomain -DomainId -PasswordValidityPeriodInDays 2147483647 24 | ``` 25 | 26 | ### Default Value 27 | 28 | If the property is not set, a default value of 90 days will be used. 29 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_1_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all. 4 | 5 | Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 12 | 2. Click to expand `Settings` select `Org Settings`. 13 | 3. Click on `Security & privacy`. 14 | 4. Check the `Set passwords to never expire (recommended)` box. 15 | 5. Click `Save`. 16 | 17 | **To remediate using PowerShell:** 18 | 19 | 1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All"`. 20 | 2. 
Run the following Microsoft Graph PowerShell command: 21 | 22 | ```bash 23 | Update-MgDomain -DomainId -PasswordValidityPeriodInDays 2147483647 24 | ``` 25 | 26 | ### Default Value 27 | 28 | If the property is not set, a default value of 90 days will be used. 29 | -------------------------------------------------------------------------------- /query/directoryauditreport.pp: -------------------------------------------------------------------------------- 1 | query "azuread_account_provisioning_activity_report_reviewed" { 2 | sql = <<-EOQ 3 | select 4 | id as resource, 5 | 'info' as status, 6 | case 7 | when (initiated_by -> 'user') is not null then initiated_by -> 'user' ->> 'userPrincipalName' || ' was added on ' || date_trunc('day', activity_Date_Time)::date 8 | when (initiated_by -> 'app') is not null then initiated_by -> 'app' ->> 'displayName' || ' was added on ' || date_trunc('day', activity_Date_Time)::date || '.' 9 | end as reason 10 | ${local.common_dimensions_sql} 11 | from 12 | azuread_directory_audit_report 13 | where 14 | activity_display_name = 'Add user'; 15 | EOQ 16 | } 17 | 18 | query "azuread_audit_log_search_enabled" { 19 | sql = <<-EOQ 20 | with audit_count as ( 21 | select 22 | tenant_id, 23 | count(id) 24 | from 25 | azuread_directory_audit_report 26 | group by 27 | tenant_id 28 | ), 29 | tenant_list as ( 30 | select 31 | distinct on (tenant_id) tenant_id, 32 | _ctx 33 | from 34 | azuread_user 35 | ) 36 | select 37 | t.tenant_id as resource, 38 | case 39 | when a.count > 0 then 'ok' 40 | else 'alarm' 41 | end as status, 42 | case 43 | when a.count > 0 then t.tenant_id || ' has audit log search enabled.' 44 | else t.tenant_id || ' has audit log search disabled.' 
45 | end as reason 46 | ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} 47 | from 48 | tenant_list as t 49 | left join audit_count as a on t.tenant_id = a.tenant_id; 50 | EOQ 51 | } -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_1_5_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. 4 | 5 | ## Remediation 6 | 7 | **To remediate using the UI:** 8 | 9 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 10 | 2. Click to expand `Identity` > `Applications` select `Enterprise applications`. 11 | 3. Under `Security` select `Consent and permissions`. 12 | 4. Under `Manage` select `Admin consent settings`. 13 | 5. Set `Users can request admin consent to apps they are unable to consent to` to `Yes` under `Admin consent requests`. 14 | 6. Under the `Reviewers` choose the Roles and Groups that will review user generated app consent requests. 15 | 7. Set `Selected users will receive email notifications for requests` to `Yes`. 16 | 8. Select `Save` at the top of the window. 17 | 18 | **To remediate using PowerShell:** 19 | 20 | The admin consent workflow configuration is currently only available through the Microsoft Entra admin center UI. 
21 | 22 | ### Default Value 23 | 24 | - `Users can request admin consent to apps they are unable to consent to`: `No` 25 | - `Selected users to review admin consent requests`: `None` 26 | - `Selected users will receive email notifications for requests`: `Yes` 27 | - `Selected users will receive request expiration reminders`: `Yes` 28 | - `Consent request expires after (days)`: `30` 29 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_12.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different types of group types this recommendation is concerned with Microsoft 365 Groups. 4 | 5 | In the Administration panel, when a group is created, the default privacy value is "Public". 6 | 7 | Ensure that only organizationally managed and approved public groups exist. When a group has a "public" privacy, users may access data related to this group (e.g. SharePoint), through three methods: 8 | 9 | - By using the Azure portal, and adding themselves into the public group. 10 | - By requesting access to the group from the Group application of the Access Panel. 11 | - By accessing the SharePoint URL. 12 | 13 | Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediately access to the group. The SharePoint URL is usually guessable, and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access. 14 | 15 | **Note:** Public in this case meaning public to the identities within organization. 
16 | 17 | ## Remediation 18 | 19 | In the Microsoft 365 Administration portal, go to: 20 | 21 | 1. Teams & groups. 22 | 2. Active teams & groups. 23 | 3. Select a Public group. 24 | 4. Go to 'Settings'. 25 | 5. Set Privacy to 'Private'. 26 | 27 | **Default Value:** Public when create from the Administration portal; private otherwise. -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_2_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help. 4 | 5 | The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action. 6 | 7 | ## Remediation 8 | 9 | **To enable the admin consent workflow (Preview), use the Microsoft 365 Admin Center:** 10 | 11 | 1. Select `Admin Centers` and `Azure Active Directory`. 12 | 2. Select `Enterprise applications` from the Azure Navigation pane. 13 | 3. Under `Manage` select `Users settings`. 14 | 4. Set `Users can request admin consent to apps they are unable to consent to` to `Yes` under `Admin consent requests`. 15 | 5. Under the `Reviewers` choose the Roles, Groups that you would like to review user generated app consent requests. 16 | 6. Select `Save` at the top of the window. 
17 | 18 | **Default Value:** 19 | 20 | - Users can request admin consent to apps they are unable to consent to: No. 21 | - Selected users to review admin consent requests: None. 22 | - Selected users will receive email notifications for requests: Yes. 23 | - Selected users will receive request expiration reminders: Yes. 24 | - Consent request expires after (days): 30 -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_2_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 4 | 5 | **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits: 6 | 7 | - Enhanced diagnostic data 8 | - Report-only mode integration 9 | - Graph API support 10 | - Use more Conditional Access attributes like sign-in frequency in the policy 11 | 12 | ## Remediation 13 | 14 | **To configure a Sign-In risk policy, use the following steps:** 15 | 16 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 17 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 18 | 3. Create a new policy by selecting `New policy.` 19 | 4. Set the following conditions within the policy. 20 | - Under `Users` choose `All users.` 21 | - Under `Target resources` choose `All resources (formerly 'All cloud apps').` 22 | - Under `Conditions` choose `Sign-in risk` then `Yes` and check the risk level boxes `High` and `Medium`. 
23 | - Under `Grant` click `Grant access` then select `Require multifactor authentication.` 24 | - Under `Session` select `Sign-in Frequency` and set to `Every time.` 25 | - Click `Select`. 26 | 5. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 27 | 6. Click `Create`. 28 | 29 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. -------------------------------------------------------------------------------- /query/group.pp: -------------------------------------------------------------------------------- 1 | query "azuread_group_not_public" { 2 | sql = <<-EOQ 3 | select 4 | id as resource, 5 | case 6 | when visibility = 'Public' then 'alarm' 7 | else 'ok' 8 | end status, 9 | case 10 | when visibility = 'Public' then title || ' is public.' 11 | else title || ' is not public.' 12 | end reason 13 | ${local.tag_dimensions_sql} 14 | ${local.common_dimensions_sql} 15 | from 16 | azuread_group; 17 | EOQ 18 | } 19 | 20 | query "azuread_dynamic_group_for_guest_user" { 21 | sql = <<-EOQ 22 | with tenant_list as ( 23 | select 24 | distinct on (tenant_id) tenant_id, 25 | _ctx 26 | from 27 | azuread_user 28 | ), dynamic_group_for_guest_user as ( 29 | select 30 | count(*) as dynamic_group_for_guest_user_count, 31 | tenant_id 32 | from 33 | azuread_group 34 | where 35 | membership_rule = '(user.userType -eq "guest")' 36 | and group_types @> '[ "DynamicMembership" ]' 37 | group by 38 | tenant_id, _ctx 39 | ) 40 | select 41 | t.tenant_id as resource, 42 | case 43 | when dynamic_group_for_guest_user_count > 0 then 'ok' 44 | else 'alarm' 45 | end status, 46 | case 47 | when dynamic_group_for_guest_user_count > 0 then t.tenant_id || ' has dynamic group for guest user.' 48 | else t.tenant_id || ' does not have dynamic group for guest user.' 
49 | end reason 50 | ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} 51 | from 52 | tenant_list as t 53 | left join dynamic_group_for_guest_user as d on d.tenant_id = t.tenant_id 54 | EOQ 55 | } -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_2_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. 4 | 5 | **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits: 6 | 7 | - Enhanced diagnostic data 8 | - Report-only mode integration 9 | - Graph API support 10 | - Use more Conditional Access attributes like sign-in frequency in the policy 11 | 12 | ## Remediation 13 | 14 | **To configure a Sign-In risk policy, use the following steps:** 15 | 16 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 17 | 2. Click expand `ID Protection` > `Risk-based Conditional Access`. 18 | 3. Create a new policy by selecting `New policy.` 19 | 4. Set the following conditions within the policy. 20 | - Under `Users` choose `All users.` 21 | - Under `Target resources` choose `All resources (formerly 'All cloud apps').` 22 | - Under `Conditions` choose `Sign-in risk` then `Yes` and check the risk level boxes `High` and `Medium`. 23 | - Under `Grant` click `Grant access` then select `Require multifactor authentication.` 24 | - Under `Session` select `Sign-in Frequency` and set to `Every time.` 25 | - Click `Select`. 26 | 5. 
Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 27 | 6. Click `Create`. 28 | 29 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 30 | 31 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_2_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help. 4 | 5 | The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. 6 | 7 | ## Remediation 8 | 9 | To enable the admin consent workflow (Preview), use the Microsoft 365 Admin Center: 10 | 11 | 1. Select `Admin Centers` and `Azure Active Directory`. 12 | 2. Select `Enterprise applications` from the Azure Navigation pane. 13 | 3. Under `Manage` select `Users settings`. 14 | 4. Set `Users can request admin consent to apps they are unable to consent to` to `Yes` under `Admin consent requests`. 15 | 5. Under the `Reviewers` choose the Roles, Groups that you would like to review user generated app consent requests. 16 | 6. Select `Save` at the top of the window. 17 | 18 | **Default Value:** 19 | 20 | - Users can request admin consent to apps they are unable to consent to: No. 21 | - Selected users to review admin consent requests: None. 
22 | - Selected users will receive email notifications for requests: Yes. 23 | - Selected users will receive request expiration reminders: Yes. 24 | - Consent request expires after (days): 30. 25 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_3_5.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational. 4 | 5 | SMS and Voice Call rely on telephony carrier communication methods to deliver the authenticating factor. 6 | 7 | The recommended state is to Disable these methods: 8 | - SMS 9 | - Voice Call 10 | 11 | ## Remediation 12 | 13 | **To remediate using the UI:** 14 | 15 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 16 | 2. Click to expand `Entra ID` > `Authentication methods`. 17 | 3. Select `Policies`. 18 | 4. Inspect each method that is out of compliance and remediate: 19 | - Click on the method to open it. 20 | - Change the `Enable` toggle to the off position. 21 | - Click `Save`. 22 | 23 | **Note:** If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the `Target` selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published. 24 | 25 | **To remediate using PowerShell:** 26 | 27 | 1. Connect to Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"`. 28 | 2. 
Run the following to disable the authentication methods listed above: 29 | 30 | ```bash 31 | $params = @( 32 | @{ Id = "Sms"; State = "disabled" }, 33 | @{ Id = "Voice"; State = "disabled" } 34 | ) 35 | Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params 36 | ``` 37 | 38 | ### Default Value 39 | 40 | - SMS : Disabled 41 | - Voice Call : Disabled -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_5_2_2_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to the `Microsoft Entra admin center` [https://entra.microsoft.com](https://entra.microsoft.com). 12 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 13 | 3. Click `New policy`. 14 | - Under `Users` include `All users` (and do not exclude any user). 15 | - Under `Target resources` include `All cloud apps` and do not create any exclusions. 16 | - Under `Grant` select `Grant Access` and check `Require multifactor authentication`. 
17 | - Click `Select` at the bottom of the pane. 18 | 4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it. 19 | 5. Click `Create`. 20 | 21 | **Note:** Report-only is an acceptable first stage when introducing any CA policy. The control, however, is not complete until the policy is on. 22 | 23 | ### Default Value 24 | 25 | Disabled 26 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_7_2_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or more restrictive setting as the organization. 4 | 5 | The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in. 6 | 7 | The recommended state is `New and existing guests` or less permissive. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to `SharePoint admin center` [https://admin.microsoft.com/sharepoint](https://admin.microsoft.com/sharepoint). 14 | 2. Click `Policies` > `Sharing`. 15 | 3. Locate the `External sharing section`. 16 | 4. Under SharePoint, move the slider bar to New and existing guests or a less permissive level. 17 | - OneDrive will also be moved to the same level and can never be more permissive than SharePoint. 18 | 19 | **To remediate using PowerShell:** 20 | 21 | 1. Connect to SharePoint Online using `Connect-SPOService -Url https://[tenant]-admin.sharepoint.com`. 22 | 2. 
Run the following cmdlet to establish the minimum recommended state: 23 | 24 | ```bash 25 | Set-SPOTenant -SharingCapability ExternalUserSharingOnly 26 | ``` 27 | 28 | **Note:** Other acceptable values for this parameter that are more restrictive include: `Disabled` and `ExistingExternalUserSharingOnly`. 29 | 30 | ### Default Value 31 | 32 | Anyone (ExternalUserAndGuestSharing) 33 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_9.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. 4 | 5 | With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state. 6 | 7 | ## Remediation 8 | 9 | To configure a User risk policy, use the following steps: 10 | 11 | 1. Log in to `https://admin.microsoft.com` as a `Global Administrator`. 12 | 2. Go to `Admin centers` and click on `Azure Active Directory`. 13 | 3. Select `Azure Active Directory` then `Security`. 14 | 4. Select `Conditional Access`. 15 | 5. Create a new policy by selecting `New policy`. 16 | 6. Set the following conditions within the policy. 17 | - Under `Users or workload identities` choose `All users`. 18 | - Under `Cloud apps or actions` choose `All cloud apps`. 19 | - Under `Conditions` choose `User risk` then `Yes` in the right pane followed by the appropriate level. 20 | - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then `select Require password change`. 21 | 7. Click `Select`. 22 | 8. 
You may opt to begin in a state of `Report Only` as you step through implementation however, the policy will need to be set to `On` to be in effect. 23 | 9. Click `Create`. 24 | 25 | **NOTE:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks). 26 | -------------------------------------------------------------------------------- /cis_v150/docs/cis_v150_1_1_9.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. 4 | 5 | With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state. 6 | 7 | ## Remediation 8 | 9 | **To configure a User risk policy, use the following steps:** 10 | 11 | 1. Log in to `https://admin.microsoft.com` as a `Global Administrator`. 12 | 2. Go to `Admin centers` and click on `Azure Active Directory`. 13 | 3. Select `Azure Active Directory` then `Security`. 14 | 4. Select `Conditional Access`. 15 | 5. Create a new policy by selecting `New policy`. 16 | 6. Set the following conditions within the policy. 17 | - Under `Users or workload identities` choose `All users`. 18 | - Under `Cloud apps or actions` choose `All cloud apps`. 19 | - Under `Conditions` choose `User risk` then `Yes` in the right pane followed by the appropriate level. 20 | - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require password change`. 21 | 7. Click `Select`. 22 | 8. 
You may opt to begin in a state of `Report Only` as you step through implementation however, the policy will need to be set to `On` to be in effect. 23 | 9. Click `Create`. 24 | 25 | **NOTE:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks). -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_7_2_3.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or more restrictive setting as the organization. 4 | 5 | The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in. 6 | 7 | The recommended state is New and existing guests or less permissive. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to `SharePoint admin center` [https://admin.microsoft.com/sharepoint](https://admin.microsoft.com/sharepoint). 14 | 2. Click `Policies` > `Sharing`. 15 | 3. Locate the `External sharing section`. 16 | 4. Under SharePoint, move the slider bar to New and existing guests or a less permissive level. 17 | - OneDrive will also be moved to the same level and can never be more permissive than SharePoint. 18 | 19 | **To remediate using PowerShell:** 20 | 21 | 1. Connect to SharePoint Online using `Connect-SPOService -Url https://[tenant]-admin.sharepoint.com`. 22 | 2. 
Run the following cmdlet to establish the minimum recommended state: 23 | 24 | ```bash 25 | Set-SPOTenant -SharingCapability ExternalUserSharingOnly 26 | ``` 27 | 28 | **Note:** Other acceptable values for this parameter that are more restrictive include: `Disabled` and `ExistingExternalUserSharingOnly`. 29 | 30 | ### Default Value 31 | 32 | Anyone (ExternalUserAndGuestSharing). 33 | 34 | -------------------------------------------------------------------------------- /cis_v300/docs/cis_v300_1_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all. 4 | 5 | Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD. 6 | 7 | ## Remediation 8 | 9 | To set Office 365 passwords are set to never expire: 10 | 11 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com. 12 | 2. Click to expand `Settings` select `Org Settings.` 13 | 3. Click on `Security & privacy.` 14 | 4. Check the `Set passwords to never expire (recommended)` box. 15 | 5. Click `Save.` 16 | 17 | To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Graph PowerShell module: 18 | 19 | 1. 
Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All"`. 20 | 2. Run the following Microsoft Graph PowerShell command (replace `<domain-name>` with the tenant domain to update): 21 | 22 | ```bash 23 | Update-MgDomain -DomainId <domain-name> -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30 25 | ``` 26 | 27 | ### Default Value 28 | 29 | If the property is not set, a default value of 90 days will be used. -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_1_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. 4 | 5 | The recommended state is to create a dynamic group that includes guest accounts. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Identity` > `Groups` select `All groups`. 13 | 3. Select `New group` and assign the following values: 14 | - Group type: `Security` 15 | - Microsoft Entra roles can be assigned to the group: No 16 | - Membership type: `Dynamic User` 17 | 4. Select `Add dynamic query.` 18 | 5. Above the `Rule syntax` text box, select `Edit`. 19 | 6. Place the following expression in the box: 20 | 21 | ``` 22 | user.userType -eq "Guest" 23 | ``` 24 | 25 | 7. Select `OK` and `Save`. 26 | 27 | **To remediate using PowerShell:** 28 | 29 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Group.ReadWrite.All"`. 30 | 2. 
In the script below edit `DisplayName` and `MailNickname` as needed and run: 31 | 32 | ```bash 33 | $params = @{ 34 | DisplayName = "All Guest Users" 35 | Description = "Dynamic group containing all guest users" 36 | MailEnabled = $false 37 | MailNickname = "allguestusers" 38 | SecurityEnabled = $true 39 | GroupTypes = @("DynamicMembership") 40 | MembershipRule = "(user.userType -eq ""Guest"")" 41 | MembershipRuleProcessingState = "On" 42 | } 43 | New-MgGroup @params 44 | ``` 45 | 46 | ### Default Value 47 | 48 | Undefined -------------------------------------------------------------------------------- /cis_v300/section_3.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v300_3_common_tags = merge(local.cis_v300_common_tags, { 3 | cis_section_id = "3" 4 | }) 5 | } 6 | 7 | locals { 8 | cis_v300_3_1_common_tags = merge(local.cis_v300_3_common_tags, { 9 | cis_section_id = "3.1" 10 | }) 11 | } 12 | 13 | benchmark "cis_v300_3" { 14 | title = "3 Microsoft Purview" 15 | documentation = file("./cis_v300/docs/cis_v300_3.md") 16 | children = [ 17 | benchmark.cis_v300_3_1 18 | ] 19 | 20 | tags = merge(local.cis_v300_3_common_tags, { 21 | type = "Benchmark" 22 | service = "Azure/ActiveDirectory" 23 | }) 24 | } 25 | 26 | benchmark "cis_v300_3_1" { 27 | title = "3.1 Audit" 28 | children = [ 29 | control.cis_v300_3_1_1 30 | ] 31 | 32 | tags = merge(local.cis_v300_3_1_common_tags, { 33 | type = "Benchmark" 34 | service = "Azure/ActiveDirectory" 35 | }) 36 | } 37 | 38 | control "cis_v300_3_1_1" { 39 | title = "3.1.1 Ensure Microsoft 365 audit log search is Enabled" 40 | description = "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. 
In this scenario, a global admin can choose to turn off audit log search in Microsoft 365." 41 | query = query.azuread_audit_log_search_enabled 42 | documentation = file("./cis_v300/docs/cis_v300_3_1_1.md") 43 | 44 | tags = merge(local.cis_v300_3_1_common_tags, { 45 | cis_item_id = "3.1.1" 46 | cis_level = "1" 47 | cis_type = "automated" 48 | microsoft_365_license = "E3" 49 | service = "Azure/ActiveDirectory" 50 | }) 51 | } 52 | -------------------------------------------------------------------------------- /cis_v400/section_3.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v400_3_common_tags = merge(local.cis_v400_common_tags, { 3 | cis_section_id = "3" 4 | }) 5 | } 6 | 7 | locals { 8 | cis_v400_3_1_common_tags = merge(local.cis_v400_3_common_tags, { 9 | cis_section_id = "3.1" 10 | }) 11 | } 12 | 13 | benchmark "cis_v400_3" { 14 | title = "3 Microsoft Purview" 15 | documentation = file("./cis_v400/docs/cis_v400_3.md") 16 | children = [ 17 | benchmark.cis_v400_3_1 18 | ] 19 | 20 | tags = merge(local.cis_v400_3_common_tags, { 21 | type = "Benchmark" 22 | service = "Azure/ActiveDirectory" 23 | }) 24 | } 25 | 26 | benchmark "cis_v400_3_1" { 27 | title = "3.1 Audit" 28 | children = [ 29 | control.cis_v400_3_1_1 30 | ] 31 | 32 | tags = merge(local.cis_v400_3_1_common_tags, { 33 | type = "Benchmark" 34 | service = "Azure/ActiveDirectory" 35 | }) 36 | } 37 | 38 | control "cis_v400_3_1_1" { 39 | title = "3.1.1 Ensure Microsoft 365 audit log search is Enabled" 40 | description = "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365." 
41 | query = query.azuread_audit_log_search_enabled 42 | documentation = file("./cis_v400/docs/cis_v400_3_1_1.md") 43 | 44 | tags = merge(local.cis_v400_3_1_common_tags, { 45 | cis_item_id = "3.1.1" 46 | cis_level = "1" 47 | cis_type = "automated" 48 | microsoft_365_license = "E3" 49 | service = "Azure/ActiveDirectory" 50 | }) 51 | } 52 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_1_3_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. 4 | 5 | The recommended state is to create a dynamic group that includes guest accounts. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Entra ID` > `Groups` select `All groups`. 13 | 3. Select `New group` and assign the following values: 14 | - Group type: `Security` 15 | - Microsoft Entra roles can be assigned to the group: `No` 16 | - Membership type: `Dynamic User` 17 | 4. Select `Add dynamic query.` 18 | 5. Above the `Rule syntax` text box, select `Edit`. 19 | 6. Place the following expression in the box: 20 | 21 | ``` 22 | (user.userType -eq "Guest") 23 | ``` 24 | 25 | 7. Select `OK` and `Save`. 26 | 27 | **To remediate using PowerShell:** 28 | 29 | 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Group.ReadWrite.All"`. 30 | 2. 
In the script below edit `DisplayName` and `MailNickname` as needed and run: 31 | 32 | ```bash 33 | $params = @{ 34 | DisplayName = "All Guest Users" 35 | Description = "Dynamic group containing all guest users" 36 | MailEnabled = $false 37 | MailNickname = "allguestusers" 38 | SecurityEnabled = $true 39 | GroupTypes = @("DynamicMembership") 40 | MembershipRule = "(user.userType -eq ""Guest"")" 41 | MembershipRuleProcessingState = "On" 42 | } 43 | New-MgGroup @params 44 | ``` 45 | 46 | ### Default Value 47 | 48 | Undefined. 49 | -------------------------------------------------------------------------------- /cis_v500/section_3.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v500_3_common_tags = merge(local.cis_v500_common_tags, { 3 | cis_section_id = "3" 4 | }) 5 | } 6 | 7 | locals { 8 | cis_v500_3_1_common_tags = merge(local.cis_v500_3_common_tags, { 9 | cis_section_id = "3.1" 10 | }) 11 | } 12 | 13 | benchmark "cis_v500_3" { 14 | title = "3 Microsoft Purview" 15 | documentation = file("./cis_v500/docs/cis_v500_3.md") 16 | children = [ 17 | benchmark.cis_v500_3_1 18 | ] 19 | 20 | tags = merge(local.cis_v500_3_common_tags, { 21 | type = "Benchmark" 22 | service = "Azure/ActiveDirectory" 23 | }) 24 | } 25 | 26 | benchmark "cis_v500_3_1" { 27 | title = "3.1 Audit" 28 | children = [ 29 | control.cis_v500_3_1_1 30 | ] 31 | 32 | tags = merge(local.cis_v500_3_1_common_tags, { 33 | type = "Benchmark" 34 | service = "Azure/ActiveDirectory" 35 | }) 36 | } 37 | 38 | control "cis_v500_3_1_1" { 39 | title = "3.1.1 Ensure Microsoft 365 audit log search is Enabled" 40 | description = "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. 
However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365." 41 | query = query.azuread_audit_log_search_enabled 42 | documentation = file("./cis_v500/docs/cis_v500_3_1_1.md") 43 | 44 | tags = merge(local.cis_v500_3_1_common_tags, { 45 | cis_item_id = "3.1.1" 46 | cis_level = "1" 47 | cis_type = "automated" 48 | microsoft_365_license = "E3,E5" 49 | service = "Azure/ActiveDirectory" 50 | }) 51 | } 52 | -------------------------------------------------------------------------------- /cis_v600/section_3.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | cis_v600_3_common_tags = merge(local.cis_v600_common_tags, { 3 | cis_section_id = "3" 4 | }) 5 | } 6 | 7 | locals { 8 | cis_v600_3_1_common_tags = merge(local.cis_v600_3_common_tags, { 9 | cis_section_id = "3.1" 10 | }) 11 | } 12 | 13 | benchmark "cis_v600_3" { 14 | title = "3 Microsoft Purview" 15 | documentation = file("./cis_v600/docs/cis_v600_3.md") 16 | children = [ 17 | benchmark.cis_v600_3_1 18 | ] 19 | 20 | tags = merge(local.cis_v600_3_common_tags, { 21 | type = "Benchmark" 22 | service = "Microsoft365/Purview" 23 | }) 24 | } 25 | 26 | benchmark "cis_v600_3_1" { 27 | title = "3.1 Audit" 28 | children = [ 29 | control.cis_v600_3_1_1 30 | ] 31 | 32 | tags = merge(local.cis_v600_3_1_common_tags, { 33 | type = "Benchmark" 34 | service = "Microsoft365/Purview" 35 | }) 36 | } 37 | 38 | control "cis_v600_3_1_1" { 39 | title = "3.1.1 Ensure Microsoft 365 audit log search is Enabled" 40 | description = "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. 
However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365." 41 | query = query.azuread_audit_log_search_enabled 42 | documentation = file("./cis_v600/docs/cis_v600_3_1_1.md") 43 | 44 | tags = merge(local.cis_v600_3_1_common_tags, { 45 | cis_item_id = "3.1.1" 46 | cis_level = "1" 47 | cis_type = "automated" 48 | microsoft_365_license = "E3,E5" 49 | service = "Microsoft365/Purview" 50 | }) 51 | } 52 | 53 | -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_3_7.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational. 4 | 5 | The email one-time passcode feature is a way to authenticate B2B collaboration users when they can't be authenticated through other means, such as Microsoft Entra ID, Microsoft account (MSA), or social identity providers. When a B2B guest user tries to redeem your invitation or sign in to your shared resources, they can request a temporary passcode, which is sent to their email address. Then they enter this passcode to continue signing in. 6 | 7 | The recommended state is to `Disable` email OTP. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 14 | 2. Click to expand `Entra ID` > `Authentication methods`. 15 | 3. Select `Policies`. 16 | 4. Click on `Email OTP`. 17 | 5. Change the `Enable` toggle to the off position. 18 | 6. Click `Save`. 
19 | 20 | **Note:** If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the `Target` selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published. 21 | 22 | **To remediate using PowerShell:** 23 | 24 | 1. Connect to Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"`. 25 | 2. Run the following: 26 | 27 | ```bash 28 | $params = @(@{ Id = "Email"; State = "disabled" }) 29 | Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params 30 | ``` 31 | 32 | ### Default Value 33 | 34 | Email OTP : Enabled. 35 | -------------------------------------------------------------------------------- /cis_v140/docs/cis_v140_1_1_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator. 4 | 5 | Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. 6 | 7 | ## Remediation 8 | 9 | To enable multifactor authentication for all users, use the Microsoft 365 Admin Center: 10 | 11 | 1. Log in to `https://admin.microsoft.com` as a `Global Administrator`. 12 | 2. 
Go to `Admin centers` and click on `Azure Active Directory`. 13 | 3. Select `Enterprise applications` then, under `Security`, select `Conditional Access`. 14 | 4. Click `New policy`. 15 | 5. Select `Cloud apps or actions` > `All cloud apps` (and don't exclude any apps). 16 | 6. Go to `Assignments` > `Users and groups` > `Include` > select `All users` (and do not exclude any user). 17 | 7. `Access Controls` > `Grant` > `Require multi-factor authentication` (and nothing else). 18 | 8. `Conditions` > `Client Apps` > `Configure` (Yes) > Explicitly select `Browser`, `Mobile apps` and `desktop clients`, `Modern authentication clients`, `Exchange ActiveSync clients`, and `Other clients`. 19 | 9. Leave all other conditions blank. 20 | 10. Make sure the policy is enabled. 21 | 11. `Create`. 22 | 23 | **Default Value:** Disabled. 24 | -------------------------------------------------------------------------------- /cis_v500/docs/cis_v500_5_2_2_11.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days. 4 | 5 | The recommended state is a `Sign-in frequency` of `Every time` for `Microsoft Intune Enrollment`. 6 | 7 | **Note:** Microsoft accounts for a five-minute clock skew when 'every time' is selected in a conditional access policy, ensuring that users are not prompted more frequently than once every five minutes. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 14 | 2. Click to expand `Protection` > `Conditional Access` select `Policies`. 15 | 3. 
Create a new policy by selecting `New policy.` 16 | - Under `Users` include `All users.` 17 | - Under `Target resources` select `Resources (formerly cloud apps)`, choose `Select resource`s and add `Microsoft Intune Enrollment` to the list. 18 | - Under `Grant` select `Grant access.` 19 | - Check either `Require multifactor authentication` or `Require authentication strength.` 20 | - Under `Session` check `Sign-in frequency` and select `Every time`. 21 | 4. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 22 | 5. Click `Create`. 23 | 24 | **Note:** If the Microsoft Intune Enrollment cloud app isn't available then it must be created. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph. 25 | 26 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 27 | 28 | ### Default Value 29 | 30 | Sign-in frequency defaults to 90 days. -------------------------------------------------------------------------------- /cis_v600/docs/cis_v600_5_2_2_11.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days. 4 | 5 | The recommended state is a `Sign-in frequency` of `Every time` for `Microsoft Intune Enrollment`. 6 | 7 | **Note:** Microsoft accounts for a five-minute clock skew when 'every time' is selected in a conditional access policy, ensuring that users are not prompted more frequently than once every five minutes. 8 | 9 | ## Remediation 10 | 11 | **To remediate using the UI:** 12 | 13 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 
14 | 2. Click expand `ID Protection` > `Risk-based Conditional Access`. 15 | 3. Create a new policy by selecting `New policy.` 16 | - Under `Users` include `All users.` 17 | - Under `Target resources` select `Resources (formerly cloud apps)`, choose `Select resources` and add `Microsoft Intune Enrollment` to the list. 18 | - Under `Grant` select `Grant access.` 19 | - Check either `Require multifactor authentication` or `Require authentication strength.` 20 | - Under `Session` check `Sign-in frequency` and select `Every time`. 21 | 4. Under `Enable policy` set it to `Report-only` until the organization is ready to enable it. 22 | 5. Click `Create`. 23 | 24 | **Note:** If the Microsoft Intune Enrollment cloud app isn't available then it must be created. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID `d4ebce55-015a-49b5-a083-c84d1797ae8c,` in PowerShell or Microsoft Graph. 25 | 26 | **Note:** Break-glass accounts should be excluded from all Conditional Access policies. 27 | 28 | ### Default Value 29 | 30 | Sign-in frequency defaults to 90 days. 31 | 32 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks. 4 | 5 | By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security-enabled. The security default setting is manipulated in the Azure Portal. 6 | 7 | The use of security defaults however, will prohibit custom settings which are being set with more advanced settings from this benchmark. 
Security defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
6 | 7 | Ensure that only organizationally managed and approved public groups exist. When a group has a "public" privacy, users may access data related to this group (e.g. SharePoint), through three methods: 8 | - By using the Azure portal, and adding themselves into the public group. 9 | - By requesting access to the group from the Group application of the Access Panel. 10 | - By accessing the SharePoint URL. 11 | 12 | Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. The SharePoint URL is usually guessable and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access. 13 | 14 | **Note:** Public in this case means public to the identities within organization. 15 | 16 | ## Remediation 17 | 18 | To enable only organizationally managed/approved public groups exist: 19 | 20 | 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com. 21 | 2. Click to expand `Teams & groups` select `Active teams & groups.` 22 | 3. On the Active teams and groups page, select the group's name that is public. 23 | 4. On the popup groups name page, Select `Settings.` 24 | 5. Under Privacy, select `Private.` 25 | 26 | ### Default Value 27 | 28 | Public when create from the Administration portal; private otherwise. -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_1_1_16.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. 
While there are several different group types, this recommendation is concerned with Microsoft 365 Groups.
26 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_1_2_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns **Microsoft 365 Groups**. 4 | 5 | In the Administration panel, when a group is created, the default privacy value is "Public". 6 | 7 | Ensure that only organizationally managed and approved public groups exist. When a group has a "public" privacy, users may access data related to this group (e.g. SharePoint), through three methods: 8 | 9 | - By using the Azure portal, and adding themselves into the public group 10 | - By requesting access to the group from the Group application of the Access Panel 11 | - By accessing the SharePoint URL 12 | 13 | Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. The SharePoint URL is usually guessable and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access. 14 | 15 | **Note:** Public in this case means public to the identities within the organization. 16 | 17 | ## Remediation 18 | 19 | **To remediate using the UI:** 20 | 21 | 1. Navigate to `Microsoft 365 admin center` [https://admin.microsoft.com](https://admin.microsoft.com). 22 | 2. Click to expand `Teams & groups` select `Active teams & groups`.. 23 | 3. On the **Active teams and groups page**, select the group's name that is public. 24 | 4. On the popup **groups name page**, Select `Settings`. 25 | 5. 
Under Privacy, select `Private`. 26 | 27 | ### Default Value 28 | 29 | Public when created from the Administration portal; private otherwise. 30 | -------------------------------------------------------------------------------- /cis_v200/docs/cis_v200_2_1.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. 4 | 5 | The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action. 6 | 7 | ## Remediation 8 | 9 | To enable the admin consent workflow, use the Microsoft 365 Admin Center: 10 | 11 | 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/. 12 | 2. Click to expand `Azure Active Directory` > `Applications` select `Enterprise applications`. 13 | 3. Under Security select `Consent and permissions`. 14 | 4. Under Manage select `Admin consent settings`. 15 | 5. Set `Users can request admin consent to apps they are unable to consent to` to `Yes` under `Admin consent requests`. 16 | 6. Under the `Reviewers` choose the Roles and Groups that will review user generated app consent requests. 17 | 7. Set `Selected users will receive email notifications for requests` to `Yes`. 18 | 8. Select `Save` at the top of the window. 
19 | 20 | **Default Value:** 21 | - Users can request admin consent to apps they are unable to consent to: No. 22 | - Selected users to review admin consent requests: None. 23 | - Selected users will receive email notifications for requests: Yes. 24 | - Selected users will receive request expiration reminders: Yes. 25 | - Consent request expires after (days): 30. 26 | -------------------------------------------------------------------------------- /cis_v400/docs/cis_v400_5_1_5_2.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. 4 | 5 | The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action. 6 | 7 | ## Remediation 8 | 9 | **To remediate using the UI:** 10 | 11 | 1. Navigate to `Microsoft Entra admin center` [https://entra.microsoft.com/](https://entra.microsoft.com/). 12 | 2. Click to expand `Identity` > `Applications` select `Enterprise applications`. 13 | 3. Under Security select `Consent and permissions`. 14 | 4. Under Manage select `Admin consent settings`. 15 | 5. Set `Users can request admin consent to apps they are unable to consent to​` to `Yes` under `Admin consent requests`. 16 | 6. 
Under the `Reviewers` choose the Roles and Groups that will review user generated app consent requests. 17 | 7. Set `Selected users will receive email notifications for requests` to `Yes`. 18 | 8. Select `Save` at the top of the window. 19 | 20 | ### Default Value 21 | 22 | '- `Users can request admin consent to apps they are unable to consent to`: `No` 23 | - `Selected users to review admin consent requests`: `None` 24 | - `Selected users will receive email notifications for requests`: `Yes` 25 | - `Selected users will receive request expiration reminders`: `Yes` 26 | - `Consent request expires after (days)`: `30`. 27 | -------------------------------------------------------------------------------- /variables.pp: -------------------------------------------------------------------------------- 1 | locals { 2 | microsoft365_compliance_common_tags = { 3 | category = "Compliance" 4 | plugin = "microsoft365" 5 | service = "Microsoft365" 6 | } 7 | } 8 | 9 | variable "common_dimensions" { 10 | type = list(string) 11 | description = "A list of common dimensions to add to each control." 12 | # Define which common dimensions should be added to each control. 13 | # - tenant_id 14 | # - connection_name (_ctx ->> 'connection_name') 15 | default = ["tenant_id"] 16 | } 17 | 18 | variable "tag_dimensions" { 19 | type = list(string) 20 | description = "A list of tags to add as dimensions to each control." 21 | # A list of tag names to include as dimensions for resources that support 22 | # tags (e.g. "department", "environment"). Default to empty since tag names are 23 | # a personal choice 24 | default = [] 25 | } 26 | 27 | locals { 28 | # Local internal variable to build the SQL select clause for common 29 | # dimensions using a table name qualifier if required. Do not edit directly. 
30 | common_dimensions_qualifier_sql = <<-EOQ 31 | %{~if contains(var.common_dimensions, "connection_name")}, __QUALIFIER___ctx ->> 'connection_name' as connection_name%{endif~} 32 | %{~if contains(var.common_dimensions, "tenant_id")}, __QUALIFIER__tenant_id as tenant_id%{endif~} 33 | EOQ 34 | 35 | # Local internal variable to build the SQL select clause for tag 36 | # dimensions. Do not edit directly. 37 | tag_dimensions_qualifier_sql = <<-EOQ 38 | %{~for dim in var.tag_dimensions}, __QUALIFIER__tags ->> '${dim}' as "${replace(dim, "\"", "\"\"")}"%{endfor~} 39 | EOQ 40 | } 41 | 42 | locals { 43 | # Local internal variable with the full SQL select clause for common 44 | # dimensions. Do not edit directly. 45 | common_dimensions_sql = replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "") 46 | tag_dimensions_sql = replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "") 47 | } 48 | --------------------------------------------------------------------------------