Skip to main content

๐Ÿ’ผ 1 Identity and Access Management

  • Contextual name: ๐Ÿ’ผ 1 Identity and Access Management
  • ID: /frameworks/cis-azure-v1.1.0/01
  • Located in: ๐Ÿ’ผ CIS Azure v1.1.0

Descriptionโ€‹

This section covers security recommendations that to follow to set identity and access management policies on an Azure Subscription. Identity and Access Management policies are the first step towards a defense-in-depth approach to securing an Azure Cloud Platform environment.

Most of the recommendations from this section are marked as "Not Scored" because of the lack of "Azure native CLI and API support" to perform the respective audits. However, from a security posture standpoint, these recommendations are important. According to the last communication with the Microsoft Support team regarding "Azure native CLI and API support", Microsoft teams are working to enhance "Microsoft graph API" to support all these "Azure AD" functionalities. Once we get this capability through "Microsoft Graph API", we will update the involved recommendations with the respective audit and remediation steps to make them as scored.

Similarโ€‹

  • Internal
    • ID: dec-b-3e3f8f62

Sub Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlags
๐Ÿ’ผ 1.1 Ensure that multi-factor authentication is enabled for all privileged users
๐Ÿ’ผ 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users
๐Ÿ’ผ 1.3 Ensure that there are no guest users
๐Ÿ’ผ 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'
๐Ÿ’ผ 1.5 Ensure that 'Number of methods required to reset' is set to '2'
๐Ÿ’ผ 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"
๐Ÿ’ผ 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes'
๐Ÿ’ผ 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
๐Ÿ’ผ 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
๐Ÿ’ผ 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
๐Ÿ’ผ 1.11 Ensure that 'Users can register applications' is set to 'No'
๐Ÿ’ผ 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes'
๐Ÿ’ผ 1.13 Ensure that 'Members can invite' is set to 'No'
๐Ÿ’ผ 1.14 Ensure that 'Guests can invite' is set to 'No'
๐Ÿ’ผ 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
๐Ÿ’ผ 1.16 Ensure that 'Self-service group management enabled' is set to 'No'
๐Ÿ’ผ 1.17 Ensure that 'Users can create security groups' is set to 'No'
๐Ÿ’ผ 1.18 Ensure that 'Users who can manage security groups' is set to 'None'
๐Ÿ’ผ 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No'
๐Ÿ’ผ 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None'
๐Ÿ’ผ 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes'
๐Ÿ’ผ 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
๐Ÿ’ผ 1.23 Ensure that no custom subscription owner roles are created