TEST NAME

Ensure Azure Cloud Budget Alerts are configured

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure more than one Subscription Owners are assigned

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Tags are configured on the Resources

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure to remove Custom Owner Roles from Subscriptions

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure no Subscription Administrator Custom Role are not configured

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Basic and Consumption SKU Should are not be Used in Production

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Not Allowed Resource Types Policy Assignment is in Use

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Resource Locking Administrator Role is configured

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Azure Administrative Units are used

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Security Defaults is enabled

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Conditional Access Policy with signin user-risk location as Factor

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

AAD Connect sync account password reset

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Guest users are restricted

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Conditional Access Policy that does not require MFA when sign-in risk has been identified

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Number Matching enabled in MFA

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Azure Guests cannot invite other Guests

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure non-Admins cannot register custom applications

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure no Guest Accounts in Azure Privileged groups

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure no Guest accounts that are inactive for more than 45 days

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Conditional Access Policy that does not require a password change from high risk users

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Synced AAD Users not privileged Users in Azure

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure No Private IP Addresses in Conditional Access policies

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure AD privileged users are not synced to AAD

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure no more than 5 Global Administrators

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure privileged accounts have MFA Configured

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Conditional Access policy with Continuous Access Evaluation disabled

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure user are configured with MFA

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Conditional Access Policy that disables admin token persistence

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Guest invites not accepted in last 30 days are identified

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure SSO computer account with latest password

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure RBCD is not applied to AZUREADSSOACC account

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra

Description

Item does not meet all the requirements as per test.
Restrict non-privileged users from signing into the Azure Active Directory portal.

Note: This recommendation only affects access to the Azure AD web portal. It does not prevent privileged users from using other methods such as Rest API or PowerShell to obtain information. Those channels are addressed elsewhere in this document.
The Azure AD administrative (AAD) portal contains sensitive data and permission settings, which are still enforced based on the users role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack.

Note: Users will still be able to sign into Azure Active directory admin center but will be unable to see directory information.

Recommendation and Steps

Ensure access to the Azure AD portal is restricted:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity> Users > User settings.
3. Set Restrict access to Microsoft Entra ID administration portal to Yes then Save.

Associated Objects

Affected Objects

TEST NAME

Ensure Phishing-resistant MFA strength is required for Administrators

Description

Item does not meet all the requirements as per test.
Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.

Microsoft has 3 built-in authentication strengths. MFA strength, password less MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are using a CA policy with Phishing-resistant MFA strength.

Administrators can then enroll using one of 3 methods:

- FIDO2 Security Key
- Windows Hello for Business
- Certificate-based authentication (Multi-Factor)

NOTE: Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in related MS articles in the references section. The Conditional Access policy only ensures 1 of the 3 methods is used.

WARNING: Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access Policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency.
Sophisticated attacks targeting MFA are more prevalent as the use of it becomes more widespread. These 3 methods are considered phishing-resistant as they remove passwords from the login workflow. It also ensures that public/private key exchange can only happen between the devices and a registered provider which prevents login to fake or phishing websites.
If administrators are not pre-registered for a strong authentication method prior to a conditional access policy is created, then a condition could occur where a user can not register for strong authentication because they don't meet the conditional access policy requirements and therefore are prevented from signing in.

Recommendation and Steps

To create a phishing-resistant MFA CA policy for users in administrative roles: 

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click expand Protection > Conditional Access select Policies.
3. Click New policy.
4. Go to Users > Users and groups > Include > Select users and groups > Directory roles
5. Add at least the Directory roles listed after these steps.
6. Select Cloud apps or actions > All cloud apps (and don't exclude any apps). 
7. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
8. Click Select
9. Set Enable policy to Report-only and click Create

At minimum these directory roles should be included for the policy:

- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator

WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to On.

Associated Objects

Affected Objects

TEST NAME

Ensure custom banned passwords lists are used

Description

Item does not meet all the requirements as per test.
With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support business and security needs, custom banned password lists can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.

A custom banned password list should include some of the following examples:

- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
Creating a new password can be difficult regardless of ones technical background. It is common to look around ones environment for suggestions when building a password, however, this may include picking words specific to the organization as inspiration for a password. An adversary may employ what is called a mangler to create permutations of these specific words in an attempt to crack passwords or hashes making it easier to reach their goal.
If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

Recommendation and Steps

Create a custom banned password list:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Protection > Authentication methods
3. Select Password protection
4. Set Enforce custom list to Yes
5. In Custom banned password list create a list using suggestions outlined in this document.
6. Click Save

NOTE: Below is a list of examples that can be used as a starting place. The references section contains more suggestions.

- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning

Associated Objects

Affected Objects

TEST NAME

Ensure Restrict non-admin users from creating tenants is set to Yes

Description

Item does not meet all the requirements as per test.
Non-privileged users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations.
Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organizations data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organizations security team.
Non-admin users will need to contact I.T. if they have a valid reason to create a tenant.

Recommendation and Steps

Restrict access to the Azure AD portal:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity> Users > User settings.
3. Set Restrict non-admin users from creating tenants to Yes then Save.

To remediate using PowerShell:

1. Connect to Microsoft Graph using Connect-MgGraph -Scopes 
2. Run the following commands.


# Create hashtable and update the auth policy
$params = @{ AllowedToCreateTenants = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params

Associated Objects

Affected Objects

TEST NAME

Ensure a dynamic group for guest users is created

Description

Item does not meet all the requirements as per test.
A dynamic group is a dynamic configuration of security group membership for Azure Active Directory. Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes.

The recommended state is to create a dynamic group that includes guest accounts.
Dynamic groups allow for an automated method to assign group membership.

Guest user accounts will be automatically added to this group and through this existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts.

Recommendation and Steps

Create a dynamic guest group: 

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Groups select All groups.
3. Select New group and assign the following values:
 - Group type: Security
 - Azure AD Roles can be assigned: No
 - Membership type: Dynamic User
4. Select Add dynamic query.
5. Above the Rule syntax text box, select Edit. 
6. Place the following expression in the box:

(user.userType -eq )

7. Select OK and Save

Using PowerShell:

1. Connect to Microsoft Graph using Connect-MgGraph -Scopes 
2. In the script below edit DisplayName and MailNickname as needed and run:


$params = @{
 DisplayName = 
 MailNickname = 
 MailEnabled = $false
 SecurityEnabled = $true
 GroupTypes = 
 MembershipRule = (user.userType -eq )
 MembershipRuleProcessingState = 
}

New-MgGroup @params

Associated Objects

Affected Objects

TEST NAME

Ensure Microsoft Authenticator is configured to protect against MFA fatigue

Description

Item does not meet all the requirements as per test.
Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as geographic location the request came from, the requesting application and requiring a number match.

Ensure the following are Enabled.
- Require number matching for push notifications
- Show application name in push and passwordless notifications
- Show geographic location in push and passwordless notifications

NOTE: On February 27, 2023, Microsoft started enforcing number matching tenant-wide for all users using Microsoft Authenticator.
As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience. This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details are displayed to enhance the end users awareness. Among these 3 options, number matching provides the strongest net security gain.
Additional interaction will be required by end users using number matching as opposed to simply pressing for login attempts.

Recommendation and Steps

To configure Microsoft Authenticator to protect against MFA fatigue:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Authentication methods select Policies.
3. Select Microsoft Authenticator
4. Under Enable and Target ensure the setting is set to Enable.
5. Select Configure
6. Set the following Microsoft Authenticator settings:
 - Require number matching for push notifications Status is set to Enabled, Target All users
 - Show application name in push and passwordless notifications is set to Enabled, Target All users
 - Show geographic location in push and passwordless notifications is set to Enabled, Target All users

Associated Objects

Affected Objects

TEST NAME

Enable Azure AD Identity Protection user risk policies

Description

Azure AD User Risk Policies are not enabled.
When the policy triggers, access to the account will either be blocked, or the user would be required to use multi-factor authentication and change their password. Users who haven't registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.

Recommendation and Steps

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.  With the user risk policy turned on, Azure AD detects the probability that a user account has risky sign-in.

Associated Objects

Affected Objects

TEST NAME

Ensure the admin consent workflow is enabled

Description

Admin Consent workflow is not enabled.
To approve requests a reviewer must be a global administrator, cloud application administrator or application administrator.

Recommendation and Steps

Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help. The admin consent workflow (Preview) gives admins a secure way to grant access to

Associated Objects

Affected Objects

TEST NAME

Ensure Microsoft Azure Management is limited to administrative roles

Description

Item does not meet all the requirements as per test.
The Microsoft Azure Management application governs various Azure services and can be secured through the implementation of a Conditional Access policy. This policy can restrict specific user accounts from accessing the related portals and applications.

When Conditional Access policy is targeted to the Microsoft Azure Management application, within the Conditional Access policy app picker the policy will be enforced for tokens issued to application IDs of a set of services closely bound to the portal.

- Azure Resource Manager
- Azure portal, which also covers the Microsoft Entra admin center
- Azure Data Lake
- Application Insights API
- Log Analytics API

Microsoft Azure Management should be restricted to specific pre-determined administrative roles.

NOTE: Blocking Microsoft Azure Management will prevent non-privileged users from signing into most portals other than Microsoft 365 Defender and Microsoft Purview.
Blocking sign-in to Azure Management applications and portals enhances security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities, as well as acting as a defense in depth measure against security breaches.
PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to checkout a role in the Entra ID PIM area they will receive the message  

Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted:

Classic deployment model APIs
Azure PowerShell
Azure CLI
Azure DevOps
Azure Data Factory portal
Azure Event Hubs
Azure Service Bus
Azure SQL Database
SQL Managed Instance
Azure Synapse
Visual Studio subscriptions administrator portal
Microsoft IoT Central

Recommendation and Steps

To enable Microsoft Azure Management restrictions:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click expand Protection > Conditional Access select Policies.
3. Click New Policy and then name the policy.
4. Select Users > Include > All Users
5. Select Users > Exclude > Directory roles and select only administrative roles. See audit section for more information.
6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
7. Click Select.
8. Select Grant > Block access and click Select.
9. Ensure Enable Policy is On then click Create.

WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

Associated Objects

Affected Objects

TEST NAME

Ensure LinkedIn account connections is disabled

Description

Item does not meet all the requirements as per test.
LinkedIn account connections allow users to connect their Microsoft work or school account with LinkedIn. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services.
Disabling LinkedIn integration prevents potential phishing attacks and risk scenarios where an external party could accidentally disclose sensitive information.
Users will not be able to sync contacts or use LinkedIn integration.

Recommendation and Steps

To disable LinkedIn account connections:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Users select User settings.
3. Under LinkedIn account connections select No.
4. Click Save.

Associated Objects

Affected Objects

TEST NAME

Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

Description

Item does not meet all the requirements as per test.
In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:

- Resource access from an unmanaged or shared device
- Access to sensitive information from an external network
- High-privileged users
- Business-critical applications.

Ensure Sign-in frequency does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management.

Ensure Persistent browser session is set to Never persist.

NOTE: This CA policy can be added to the previous CA policy in this benchmark 
Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.
Users with Administrative roles will be prompted at the frequency set for MFA.

Recommendation and Steps

To configure Sign-in frequency and browser sessions persistence for administrative users:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Protection > Conditional Access Select Policies.
3. Click New policy
4. Click Users and groups 
5. Under Include select -Select users and groups- and then select -Directory roles-. 
6. At a minimum, select the roles in the section below.
7. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps). 
8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else). 
9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
10. Check Persistent browser session then select Never persistent in the drop-down menu.
11. For Enable Policy select On and click Save

At minimum these directory roles should be included for MFA:

- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator

Associated Objects

Affected Objects

TEST NAME

Enable Conditional Access policies to block legacy authentication

Description

No Conditional Access policies were found.
Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that support modern authentication.

Recommendation and Steps

Use Conditional Access to block legacy authentication protocols in Microsoft 365. Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.

Associated Objects

Affected Objects

TEST NAME

Ensure Self service password reset enabled is set to All

Description

Item does not meet all the requirements as per test.
Enabling self-service password reset allows users to reset their own passwords in Azure AD. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. 

NOTE: Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default.
Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.
Users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. 

NOTE: This is unavailable if using Azure AD Connect / Sync in a hybrid environment.

Recommendation and Steps

To enable self-service password reset: 

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Protection > Password reset select Properties.
3. Set Self service password reset enabled to All

Associated Objects

Affected Objects

TEST NAME

Enable Azure AD Identity Protection sign-in risk policies

Description

Azure AD Identity Protection Sign-In Risk Policies are not configured.
When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.

Recommendation and Steps

Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

Associated Objects

Affected Objects

TEST NAME

Ensure multifactor authentication is enabled for all users in administrative roles

Description

Item does not meet all the requirements as per test.
Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.

Recommendation and Steps

Enable multifactor authentication for all users who are members of administrative roles in the Microsoft 365 tenant. These include roles such as:

Global Administrator

Billing Administrator

Exchange Administrator

SharePoint Administrator

Password Administrator

Skype for Business Administrator

Service Support Administrator

User Administrator

Dynamics 365 Service Administrator

Power BI Administrator

Associated Objects

Affected Objects

TEST NAME

Ensure multifactor authentication is enabled for all users

Description

Item does not meet all the requirements as per test.
Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment.

Recommendation and Steps

Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.

Associated Objects

Affected Objects

TEST NAME

Ensure Azure Pass Through Authentication is Enabled

Description

Item does not meet all the requirements as per test.
Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications by using the same passwords. Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure the Password expiration policy is set to Set passwords to never expire

Description

Item does not meet all the requirements as per test.
Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.

Recommendation and Steps

In the Microsoft 365 admin center, go to Settings > Org Settings > Security & privacy > Password expiration policy. Then check the box Set passwords to never expire (recommended). You must be a global admin to edit the password policy. Go to Password expiration policy in Microsoft 365. If your organization has an on-premises implementation, we recommend that you set the status for this action to Resolved through alternate mitigation.

Associated Objects

Affected Objects

TEST NAME

Ensure multifactor authentication is enabled for all users

Description

Item does not meet all the requirements as per test.
Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment.

Recommendation and Steps

Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.

Associated Objects

Affected Objects

TEST NAME

Ensure multifactor authentication is enabled for all users in administrative roles

Description

Item does not meet all the requirements as per test.
Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.

Recommendation and Steps

Enable multifactor authentication for all users who are members of administrative roles in the Microsoft 365 tenant. These include roles such as:

Global Administrator

Billing Administrator

Exchange Administrator

SharePoint Administrator

Password Administrator

Skype for Business Administrator

Service Support Administrator

User Administrator

Dynamics 365 Service Administrator

Power BI Administrator

Associated Objects

Affected Objects

TEST NAME

Use least privileged administrative roles

Description

Item does not meet all the requirements as per test.
Please learn more about the Roles and their permissions here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure to Designate more than one global admin

Description

Item does not meet all the requirements as per test.
The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.

Recommendation and Steps

More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them.

Associated Objects

Affected Objects

TEST NAME

Ensure Privileged Identity Management is used to manage roles

Description

Item does not meet all the requirements as per test.
Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.

Ensure Access reviews for Guest Users are configured to be performed no less frequently than monthly.
Access to groups and applications for guests can change over time. If a guest users access to a particular folder goes unnoticed, they may unintentionally gain access to sensitive data if a member adds new files or data to the folder or application. Access reviews can help reduce the risks associated with outdated assignments by requiring a member of the organization to conduct the reviews. Furthermore, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.
Access reviews that are ignored may cause guest users to lose access to resources temporarily.

Recommendation and Steps

Create an access review for Guest Users:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity Governance and select Access reviews
3. Click New access review.
4. Select what to review choose Teams + Groups.
5. Review Scope set to All Microsoft 365 groups with guest users, do not exclude groups.
6. Scope set to Guest users only then click Next: Reviews.
7. Select reviewer as an appropriate user that is NOT the guest user themselves.
8. Duration (in days) at most 3.
9. Review recurrence is Monthly or more frequent.
10. End is set to Never, then click Next: Settings.
11. Check Auto apply results to resource.
12. Set If reviewers don't respond to Remove access.
13. Check the following: Justification required, E-mail notifications, Reminders.
14. Click Next: Review + Create and finally click Create.

Associated Objects

Affected Objects

TEST NAME

Ensure user consent to apps accessing company data on their behalf is not allowed

Description

Consent to Apps accessing company data on their behalf is not allowed and is not configured.
If user consent is disabled previous consent grants will still be honored but all future consent operations must be performed by an administrator.

Recommendation and Steps

By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization. Do not allow users to grant consent to apps accessing company data on their behalf. Attackers commonly use custom applications to trick users into granting them access to company data.

Associated Objects

Affected Objects

TEST NAME

Ensure that password hash sync is enabled for hybrid deployments

Description

Password Sync is enabled for hybrid deployments.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Security Defaults is disabled on Azure Active Directory

Description

Security Defaults is disabled in Azure AD.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure third party integrated applications are not allowed

Description

Third party integrated applications are not allowed.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Entra ID P1 or P2 License is Enabled

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Azure Password Hash Synchronization is Enabled

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure no more than 5 Members in each Entra ID Administrative Role

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure password protection is enabled for on-prem Active Directory

Description

Item does not meet all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure Security Defaults is enabled on Microsoft Entra ID

Description

Item does not meet all the requirements as per test.
This recommendation should be implemented initially and then may be overridden by
other service/product specific CIS Benchmarks. Administrators should also be aware
that certain configurations in Microsoft Entra ID may impact other Microsoft services
such as Microsoft 365

Security defaults in Microsoft Entra ID make it easier to be secure and help protect your
organization. Security defaults contain preconfigured security settings for common
attacks.
Security defaults is available to everyone. The goal is to ensure that all organizations
have a basic level of security enabled at no extra cost. You may turn on security
defaults in the Azure portal.

Security defaults provide secure default settings that we manage on behalf of
organizations to keep customers safe until they are ready to manage their own identity
security settings.
For example, doing the following:
? Requiring all users and admins to register for MFA.
? Challenging users with MFA - when necessary, based on factors such as
location, device, role, and task.
? Disabling authentication from legacy authentication clients, which can?t do MFA.

Recommendation and Steps

From Azure Portal
To enable security defaults in your directory:
1. From Azure Home select the Portal Menu.
2. Browse to Microsoft Entra ID > Properties
3. Select Manage security defaults
4. Set the Enable security defaults to Enabled
5. Select Save

Associated Objects

Affected Objects

TEST NAME

Ensure that Multi-Factor Auth Status is Enabled for all Privileged Users

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure that Multi-Factor Auth Status is Enabled for all Non-Privileged Users

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure that Allow users to remember multi-factor authentication on devices they trust is Disabled

Description

Item does not meet all the requirements as per test.
For every login attempt, the user will be required to perform multi-factor authentication.

Ensure that 'Allow users to remember multi-factor
authentication on devices they trust' is Disabled (Manual)

Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users
to have the option to bypass MFA for a set number of days after performing a
successful sign-in using MFA. This can enhance usability by minimizing the number of
times a user may need to perform two-step verification on the same device. However, if
an account or device is compromised, remembering MFA for trusted devices may affect
security. Hence, it is recommended that users not be allowed to bypass MFA.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Users
4. Click the Per-user MFA button on the top bar
5. Click on service settings
6. Uncheck the box next to Allow users to remember multi-factor
authentication on devices they trust

Associated Objects

Affected Objects

TEST NAME

Ensure Trusted Locations Are Defined

Description

Item does not meet all the requirements as per test.
When configuring Named locations, the organization can create locations using
Geographical location data or by defining source IP addresses or ranges. Configuring
Named locations using a Country location does not provide the organization the ability
to mark those locations as trusted, and any Conditional Access policy relying on those
Countries location setting will not be able to use the All trusted locations setting
within the Conditional Access policy. They instead will have to rely on the Select
locations setting. This may add additional resource requirements when configuring,
and will require thorough organizational testing.
In general, Conditional Access policies may completely prevent users from
authenticating to Microsoft Entra ID, and thorough testing is recommended. To avoid
complete lockout, a 'Break Glass' account with full Global Administrator rights is
recommended in the event all other administrators are locked out of authenticating to
Microsoft Entra ID. This 'Break Glass' account should be excluded from Conditional
Access Policies and should be configured with the longest pass phrase feasible. This
account should only be used in the event of an emergency and complete administrator
lockout.

Microsoft Entra ID Conditional Access allows an organization to configure Named
locations and configure whether those locations are trusted or untrusted. These
settings provide organizations the means to specify Geographical locations for use in
conditional access policies, or define actual IP addresses and IP ranges and whether or
not those IP addresses and/or ranges are trusted by the organization.

Defining trusted source IP addresses or ranges helps organizations create and enforce
Conditional Access policies around those trusted or untrusted IP addresses and ranges.
Users authenticating from trusted IP addresses and/or ranges may have less access
restrictions or access requirements when compared to users that try to authenticate to
Microsoft Entra ID from untrusted locations or untrusted source IP addresses/ranges.

Recommendation and Steps

From Azure Portal
1. Navigate to the Microsoft Entra ID Conditional Access Blade
2. Click on the Named locations blade
3. Within the Named locations blade, click on IP ranges location
4. Enter a name for this location setting in the Name text box
5. Click on the + sign
6. Add an IP Address Range in CIDR notation inside the text box that appears
7. Click on the Add button
8. Repeat steps 5 through 7 for each IP Range that needs to be added
9. If the information entered are trusted ranges, select the Mark as trusted
location check box
10. Once finished, click on Create

Associated Objects

Affected Objects

TEST NAME

Ensure that an exclusionary Geographic Access Policy is considered

Description

Item does not meet all the requirements as per test.
Microsoft Entra ID P1 or P2 is required. Limiting access geographically will deny access
to users that are traveling or working remotely in a different part of the world. A point-to-
site or site to site tunnel such as a VPN is recommended to address exceptions to
geographic access policies.

CAUTION: If these policies are created without first auditing and testing the result,
misconfiguration can potentially lock out administrators or create undesired access
issues.
Conditional Access Policies can be used to block access from geographic locations that
are deemed out-of-scope for your organization or application. The scope and variables
for this policy should be carefully examined and defined.

Conditional Access, when used as a deny list for the tenant or subscription, is able to
prevent ingress or egress of traffic to countries that are outside of the scope of interest
(e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to
prevent unnecessary and long-lasting exposure to international threats such as APTs.

Recommendation and Steps

From Azure Portal
Part 1 of 2 - Create the policy and enable it in Report-only mode.
1. From Azure Home open the portal menu in the top left, and select Microsoft
Entra ID.
2. Scroll down in the menu on the left, and select Security.
3. Select on the left side Conditional Access.
4. Click the + New policy button, then:
5. Provide a name for the policy.
6. Under Assignments, select Users or workload identities then:
o Under Include, select All users
o Under Exclude, check Users and groups and only select emergency
access accounts and service accounts (NOTE: Service accounts are
excluded here because service accounts are non-interactive and cannot
complete MFA)
7. Under Assignments, select Cloud apps or actions then:
o Under Include, select All cloud apps
o Leave Exclude blank unless you have a well defined exception
8. Under Conditions, select Locations then:
o Select Include, then add entries for locations for those that should be
blocked
o Select Exclude, then add entries for those that should be allowed
(IMPORTANT: Ensure that all Trusted Locations are in the Exclude list.)
Page 38
9. Under Access Controls, select Grant and Confirm that Block Access is selected.
10. Set Enable policy to Report-only.
11. Click Create.
NOTE: The policy is not yet 'live,' since Report-only is being used to audit the effect of
the policy.
Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then
toggle to On.
1. With your policy now in report-only mode, return to the Microsoft Entra blade and
click on Sign-in logs.
2. Review the recent sign-in events - click an event then review the event details
(specifically the Report-only tab) to ensure:
o The sign-in event you're reviewing occurred after turning on the policy in
report-only mode
o The policy name from step 5 above is listed in the Policy Name column
o The Result column for the new policy shows that the policy was Not
applied (indicating the location origin was not blocked)
3. If the above conditions are present, navigate back to the policy name in
Conditional Access and open it.
4. Toggle the policy from Report-only to On.
5. Click Save.

Associated Objects

Affected Objects

TEST NAME

Ensure that A Multi-factor Authentication Policy Exists for All Users

Description

Item does not meet all the requirements as per test.
There is an increased cost, as Conditional Access policies require Microsoft Entra ID P1or P2. Similarly, this may require additional overhead to maintain if users lose access totheir MFA.

For designated users, they will be prompted to use their multi-factor authentication(MFA) process on logins.

Enabling multi-factor authentication is a recommended setting to limit the potential ofaccounts being compromised and limiting access to authenticated personnel.

Recommendation and Steps

From Azure Portal1. From Azure Home open Portal menu in the top left, and select Microsoft EntraID.2. Select Security.3. Select Conditional Access.4. Click + New policy.5. Enter a name for the policy.6. Select Users or workload identities.Page 457. Under Include, select All users.8. Under Exclude, check Users and groups.9. Select users this policy should not apply to and click Select.10. Select Cloud apps or actions.11. Select All cloud apps.12. Select Grant.13. Under Grant access, check Require multifactor authentication and clickSelect.14. Set Enable policy to Report-only.15. Click Create.After testing the policy in report-only mode, update the Enable policy setting fromReport-only to On.

Associated Objects

Affected Objects

TEST NAME

Ensure that Restrict non-admin users from creating tenants is set to Yes

Description

Item does not meet all the requirements as per test.
Enforcing this setting will ensure that only authorized users are able to create new
tenants.

Require administrators or appropriately delegated users to create new tenants.

It is recommended to only allow an administrator to create new tenants. This prevent
users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that
only authorized users are able to do so.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Users
4. Select User settings
Page 57
5. Set Restrict non-admin users from creating tenants to Yes

Associated Objects

Affected Objects

TEST NAME

Ensure Guest Users Are Reviewed on a Regular Basis

Description

Item does not meet all the requirements as per test.
Before removing guest users, determine their use and scope. Like removing any user,
there may be unforeseen consequences to systems if it is deleted.

Microsoft Entra ID is extended to include Azure AD B2B collaboration, allowing you to
invite people from outside your organization to be guest users in your cloud account and
sign in with their own work, school, or social identities. Guest users allow you to share
your company's applications and services with users from any other organization, while
maintaining control over your own corporate data.
Work with external partners, large or small, even if they don't have Azure AD or an IT
department. A simple invitation and redemption process lets partners use their own
credentials to access your company's resources as a guest user.
Guest users in every subscription should be review on a regular basis to ensure that
inactive and unneeded accounts are removed.

Guest users in the Microsoft Entra ID are generally required for collaboration purposes
in Office 365, and may also be required for Azure functions in enterprises with multiple
Azure tenants. Guest users are typically added outside your employee on-boarding/offboarding process and could potentially be overlooked indefinitely, leading to a potential
vulnerability. To prevent this, guest users should be reviewed on a regular basis. During
this audit, guest users should also be determined to not have administrative privileges.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Users
4. Click on Add filter
5. Select User type
6. Select Guest from the Value dropdown
7. Click Apply
8. Delete all Guest users that are no longer required or are inactive

Associated Objects

Affected Objects

TEST NAME

Ensure That Guest users access restrictions is set to Guest user access is restricted to properties and memberships of their own directory objects

Description

Item does not meet all the requirements as per test.
This may create additional requests for permissions to access resources that
administrators will need to approve.
According to https://learn.microsoft.com/en-us/azure/active-directory/enterpriseusers/users-restrict-guest-permissions#services-currently-not-supported
Service without current support might have compatibility issues with the new guest
restriction setting.
? Forms
? Project
? Yammer
? Planner in SharePoint

Limit guest user permissions.

Limiting guest access ensures that guest accounts do not have permission for certain
directory tasks, such as enumerating users, groups or other directory resources, and
cannot be assigned to administrative roles in your directory. Guest access has three
levels of restriction.
1. Guest users have the same access as members (most inclusive),
2. Guest users have limited access to properties and memberships of directory
objects (default value),
3. Guest user access is restricted to properties and memberships of their own
directory objects (most restrictive).
The recommended option is the 3rd, most restrictive: Guest user access is restricted to
their own directory object.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then External Identities
4. Select External collaboration settings
5. Under Guest user access, change Guest user access restrictions to be Guest
user access is restricted to properties and memberships of their own
directory objects

Associated Objects

Affected Objects

TEST NAME

Ensure That Restrict access to Microsoft Entra admin center is Set to Yes

Description

Item does not meet all the requirements as per test.
All administrative tasks will need to be done by Administrators, causing additional
overhead in management of users and resources.

Restrict access to the Microsoft Entra ID administration center to administrators only.
NOTE: This only affects access to the Entra ID administrator's web portal. This setting
does not prohibit privileged users from using other methods such as Rest API or
Powershell to obtain sensitive information from Microsoft Entra ID.

The Microsoft Entra ID administrative center has sensitive data and permission settings.
All non-administrators should be prohibited from accessing any Microsoft Entra ID data
in the administration center to avoid exposure.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then Users
4. Select User settings
5. Set Restrict access to Microsoft Entra admin center to Yes

Associated Objects

Affected Objects

TEST NAME

Ensure that Restrict user ability to access groups features in the Access Pane is Set to Yes

Description

Item does not meet all the requirements as per test.
Setting to Yes could create administrative overhead by customers seeking certain group
memberships that will have to be manually managed by administrators with appropriate
permissions.

Restrict access to group web interface in the Access Panel portal.

Self-service group management enables users to create and manage security groups or
Office 365 groups in Microsoft Entra ID. Unless a business requires this day-to-day
delegation for some users, self-service group management should be disabled. Any
user can access the Access Panel, where they can reset their passwords, view their
information, etc. By default, users are also allowed to access the Group feature, which
shows groups, members, related resources (SharePoint URL, Group email address,
Yammer URL, and Teams URL). By setting this feature to 'Yes', users will no longer
have access to the web interface, but still have access to the data using the API. This is
useful to prevent non-technical users from enumerating groups-related information, but
technical users will still be able to access this information using APIs.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Groups
Page 93
4. Select General under Settings
5. Ensure that Restrict user ability to access groups features in My Groups
is set to Yes

Associated Objects

Affected Objects

TEST NAME

Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Description

Item does not meet all the requirements as per test.
By adding this role, specific permissions may be granted for managing just resource
locks rather than needing to provide the wide Owner or User Access Administrator role,
reducing the risk of the user being able to do unintentional damage.

Resource locking is a powerful protection mechanism that can prevent inadvertent
modification/deletion of resources within Azure subscriptions/Resource Groups and is a
recommended NIST configuration.

Given the resource lock functionality is outside of standard Role Based Access
Control(RBAC), it would be prudent to create a resource lock administrator role to
prevent inadvertent unlocking of resources.

Recommendation and Steps

From Azure Portal
1. In the Azure portal, open a subscription or resource group where you want the
custom role to be assigned.
2. Select Access control (IAM).
3. Click Add.
4. Select Add custom role.
5. In the Custom Role Name field enter Resource Lock Administrator.
6. In the Description field enter Can Administer Resource Locks.
Page 106
7. For Baseline permissions select Start from scratch
8. Select next.
9. In the Permissions tab select Add permissions.
10.In the Search for a permission box, type in Microsoft.Authorization/locks to
search for permissions.
11.Select the check box next to the permission Microsoft.Authorization/locks.
12.Select Add.
13.Select Review + create.
14.Select Create.
15.Assign the newly created role to the appropriate user.

Associated Objects

Affected Objects

TEST NAME

Ensure fewer than 5 users have global administrator assignment

Description

Item does not meet all the requirements as per test.
Implementing this recommendation may require changes in administrative workflows or
the redistribution of roles and responsibilities. Adequate training and awareness should
be provided to all Global Administrators.

This recommendation aims to maintain a balance between security and operational
efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the
Global Administrator role in Microsoft Entra ID. Having at least two Global
Administrators ensures redundancy, while limiting the number to four reduces the risk of
excessive privileged access.

The Global Administrator role has extensive privileges across all services in Microsoft
Entra ID. The Global Administrator role should never be used in regular daily activities;
administrators should have a regular user account for daily activities, and a separate
account for administrative responsibilities. Limiting the number of Global Administrators
helps mitigate the risk of unauthorized access, reduces the potential impact of human
error, and aligns with the principle of least privilege to reduce the attack surface of an
Azure tenant. Conversely, having at least two Global Administrators ensures that
administrative functions can be performed without interruption in case of unavailability of
a single admin.

Recommendation and Steps

If more 4 users are assigned:
1. Remove Global Administrator role for users which do not or no longer require the
role.
Page 111
2. Assign Global Administrator role via PIM which can be activated when required.
3. Assign more granular roles to users to conduct their duties.
If only one user is assigned:
1. Provide the Global Administrator role to a trusted user or create a break glass
admin account.

Associated Objects

Affected Objects

TEST NAME

Ensure User consent for applications is set to Do not allow user consent

Description

Item does not meet all the requirements as per test.
Enforcing this setting may create additional requests that administrators need to review.

Require administrators to provide consent for applications before use.

If Microsoft Entra ID is running as an identity provider for third-party applications,
permissions and consent should be limited to administrators or pre-approved. Malicious
applications may attempt to exfiltrate data or abuse privileged user accounts.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Enterprise Applications
4. Select Consent and permissions
5. Select User consent settings
Page 74
6. Set User consent for applications to Do not allow user consent
7. Click save

Associated Objects

Affected Objects

TEST NAME

Ensure User consent for applications Is Set To Allow for Verified Publishers

Description

Item does not meet all the requirements as per test.
Enforcing this setting may create additional requests that administrators need to review.

Allow users to provide consent for selected permissions when a request is coming from
a verified publisher.

If Microsoft Entra ID is running as an identity provider for third-party applications,
permissions and consent should be limited to administrators or pre-approved. Malicious
applications may attempt to exfiltrate data or abuse privileged user accounts.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Enterprise Applications
Page 76
4. Select Consent and permissions
5. Select User consent settings
6. Under User consent for applications, select Allow user consent for apps
from verified publishers, for selected permissions
7. Select Save

Associated Objects

Affected Objects

TEST NAME

Ensure Multi-factor Authentication is Required for Risky Sign-ins

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure That Users Can Register Applications Is Set to No

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure That No Custom Subscription Administrator Roles Exist

Description

Item has met all the requirements as per test.

Recommendation and Steps

Associated Objects

Affected Objects

TEST NAME

Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups

Description

Item does not meet all the requirements as per test.
There is an increased cost, as Conditional Access policies require Microsoft Entra IDP1. Similarly, MFA may require additional overhead to maintain. There is also apotential scenario in which the multi-factor authentication method can be lost, andadministrative users are no longer able to log in. For this scenario, there should be anemergency access account. Please see References for creating this.

For designated users, they will be prompted to use their multi-factor authentication
(MFA) process on login.

Enabling multi-factor authentication is a recommended setting to limit the use of
Administrative accounts to authenticated personnel.

Recommendation and Steps

From Azure Portal1. From Azure Home open the Portal Menu in top left, and select Microsoft EntraID.2. Select Security.3. Select Conditional Access.4. Click + New policy.Page 425. Enter a name for the policy.6. Select Users or workload identities.7. Check Users and groups.8. Select administrative groups this policy should apply to and click Select.9. Under Exclude, check Users and groups.10. Select users this policy not should apply to and click Select.11. Select Cloud apps or actions.12. Select All cloud apps.13. Select Grant.14. Under Grant access, check Require multifactor authentication and clickSelect.15. Set Enable policy to Report-only.16. Click Create.After testing the policy in report-only mode, update the Enable policy setting fromReport-only to On.

Associated Objects

Affected Objects

TEST NAME

Ensure Multifactor Authentication is Required for Windows Azure Service Management API

Description

Item does not meet all the requirements as per test.
Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, theymay require additional overhead to maintain if users lose access to their MFA. Anyusers or groups which are granted an exception to this policy should be carefullytracked, be granted only minimal necessary privileges, and conditional accessexceptions should be regularly reviewed or investigated.

This recommendation ensures that users accessing the Windows Azure ServiceManagement API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API,etc.) are required to use multifactor authentication (MFA) credentials when accessingresources through the Windows Azure Service Management API.

Administrative access to the Windows Azure Service Management API should besecured with a higher level of scrutiny to authenticating mechanisms. Enablingmultifactor authentication is recommended to reduce the potential for abuse ofAdministrative actions, and to prevent intruders or compromised admin credentials fromchanging administrative settings.IMPORTANT: While this recommendation allows exceptions to specific Users orGroups, they should be very carefully tracked and reviewed for necessity on a regularinterval through an Access Review process. It is important that this rule be built toinclude All Users to ensure that all users not specifically excepted will be required touse MFA to access the Azure Service Management API.

Recommendation and Steps

From Azure Portal1. From the Azure Admin Portal dashboard, open Microsoft Entra ID.2. Click Security in the Entra ID blade.3. Click Conditional Access in the Security blade.4. Click Policies in the Conditional Access blade.5. Click + New policy.6. Enter a name for the policy.7. Click the blue text under Users.8. Under Include, select All users.9. Under Exclude, check Users and groups.10. Select users or groups to be exempted from this policy (e.g. break-glassemergency accounts, and non-interactive service accounts) then click the Selectbutton.11. Click the blue text under Target Resources.12. Under Include, click the Select apps radio button.13. Click the blue text under Select.14. Check the box next to Windows Azure Service Management APIs then click theSelect button.15. Click the blue text under Grant.16. Under Grant access check the box for Require multifactor authenticationthen click the Select button.17. Before creating, set Enable policy to Report-only.18. Click Create.After testing the policy in report-only mode, update the Enable policy setting fromReport-only to On.

Associated Objects

Affected Objects

TEST NAME

Ensure Multifactor Authentication is Required to access Microsoft Admin Portals

Description

Item does not meet all the requirements as per test.
Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, they
may require additional overhead to maintain if users lose access to their MFA. Any
users or groups which are granted an exception to this policy should be carefully
tracked, be granted only minimal necessary privileges, and conditional access
exceptions should be reviewed or investigated.

This recommendation ensures that users accessing Microsoft Admin Portals (i.e.Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal,etc.) are required to use multifactor authentication (MFA) credentials when logging intoan Admin Portal.

Administrative Portals for Microsoft Azure should be secured with a higher level of
scrutiny to authenticating mechanisms. Enabling multifactor authentication is
recommended to reduce the potential for abuse of Administrative actions, and to
prevent intruders or compromised admin credentials from changing administrative
settings.
IMPORTANT: While this recommendation allows exceptions to specific Users or
Groups, they should be very carefully tracked and reviewed for necessity on a regular
interval through an Access Review process. It is important that this rule be built to
include All Users to ensure that all users not specifically excepted will be required to
use MFA to access Admin Portals.

Recommendation and Steps

From Azure Portal
1. From the Azure Admin Portal dashboard, open Microsoft Entra ID.
2. Click Security in the Entra ID blade.
3. Click Conditional Access in the Security blade.
4. Click Policies in the Conditional Access blade.
5. Click + New policy.
6. Enter a name for the policy.
7. Click the blue text under Users.
8. Under Include, select All users.
9. Under Exclude, check Users and groups.
10. Select users or groups to be exempted from this policy (e.g. break-glass
emergency accounts, and non-interactive service accounts) then click the Select
button.
11. Click the blue text under Target Resources.
12. Under Include, click the Select apps radio button.
13. Click the blue text under Select.
14. Check the box next to Microsoft Admin Portals then click the Select button.
15. Click the blue text under Grant.
16. Under Grant access check the box for Require multifactor authentication
then click the Select button.
17. Before creating, set Enable policy to Report-only.
18. Click Create.
After testing the policy in report-only mode, update the Enable policy setting from
Report-only to On.

Associated Objects

Affected Objects

TEST NAME

Ensure That Number of methods required to reset is set to 2

Description

Item does not meet all the requirements as per test.
There may be administrative overhead, as users who lose access to their secondary
authentication methods will need an administrator with permissions to remove it. There
will also need to be organization-wide security policies and training to teach
administrators to verify the identity of the requesting user so that social engineering can
not render this setting useless.

Ensures that two alternate forms of identification are provided before allowing a
password reset.

A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA)
ensures the user's identity is confirmed using two separate methods of identification.
With multiple methods set, an attacker would have to compromise both methods before
they could maliciously reset a user's password.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then Users
4. Select Password reset
5. Then Authentication methods
6. Set the Number of methods required to reset to 2

Associated Objects

Affected Objects

TEST NAME

Ensure that a Custom Bad Password List is set to Enforce for your Organization

Description

Item does not meet all the requirements as per test.
Increasing needed password complexity might increase overhead on administration of
user accounts. Licensing requirement for Global Banned Password List and Custom
Banned Password list requires Microsoft Entra ID P1 or P2. On-premises Active
Directory Domain Services users that are not synchronized to Microsoft Entra ID also
benefit from Microsoft Entra ID Password Protection based on existing licensing for
synchronized users.

Microsoft Azure provides a Global Banned Password policy that applies to Azure
administrative and normal user accounts. This is not applied to user accounts that are
synced from an on-premise Active Directory unless Microsoft Entra ID Connect is used
and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see
the list in default values on the specifics of this policy. To further password security, it is
recommended to further define a custom banned password policy.

Enabling this gives your organization further customization on what secure passwords
are allowed. Setting a bad password list enables your organization to fine-tune its
password policy further, depending on your needs. Removing easy-to-guess passwords
increases the security of access to your Azure resources.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Security.
4. Under Manage, select Authentication Methods.
5. Select Password Protection.
6. Set the Enforce custom list option to Yes.
7. Double click the custom banned password list to add a string.

Associated Objects

Affected Objects

TEST NAME

Ensure that Number of days before users are asked to reconfirm their authentication information is not set to 0

Description

Item does not meet all the requirements as per test.
Users will be prompted for their multifactor authentication at the duration set here.

Ensure that the number of days before users are asked to re-confirm their
authentication information is not set to 0.

This setting is necessary if you have setup 'Require users to register when signing in
option'. If authentication re-confirmation is disabled, registered users will never be
prompted to re-confirm their existing authentication information. If the authentication
information for a user changes, such as a phone number or email, then the password
reset information for that user reverts to the previously registered authentication
information.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then Users
4. Select Password reset
5. Then Registration
6. Set the Number of days before users are asked to re-confirm their
authentication information to your organization-defined frequency.

Associated Objects

Affected Objects

TEST NAME

Ensure that Notify users on password resets is set to Yes

Description

Item does not meet all the requirements as per test.
Users will receive emails alerting them to password changes to both their primary and
secondary emails.

Ensure that users are notified on their primary and secondary emails on password
resets.

User notification on password reset is a proactive way of confirming password reset
activity. It helps the user to recognize unauthorized password reset activities.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Users
4. Select Password reset
5. Under Manage, select Notifications
6. Set Notify users on password resets? to Yes

Associated Objects

Affected Objects

TEST NAME

Ensure That Notify all admins when other admins reset their password is set to Yes

Description

Item does not meet all the requirements as per test.
All Global Administrators will receive a notification from Azure every time a password is
reset. This is useful for auditing procedures to confirm that there are no out of the
ordinary password resets for Global Administrators. There is additional overhead,
however, in the time required for Global Administrators to audit the notifications. This
setting is only useful if all Global Administrators pay attention to the notifications, and
audit each one.

Ensure that all Global Administrators are notified if any other administrator resets their
password.

Global Administrator accounts are sensitive. Any password reset activity notification,
when sent to all Global Administrators, ensures that all Global administrators can
passively confirm if such a reset is a common pattern within their group. For example, if
all Global Administrators change their password every 30 days, any password reset
activity before that may require administrator(s) to evaluate any unusual activity and
confirm its origin.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
Page 72
3. Select Users
4. Select Password reset
5. Under Manage, select Notifications
6. Set Notify all admins when other admins reset their password? to Yes

Associated Objects

Affected Objects

TEST NAME

Ensure that Users can add gallery apps to My Apps is set to No

Description

Item does not meet all the requirements as per test.
Can cause additional requests to administrators that need to be fulfilled quite often.

Require administrators to provide consent for the apps before use.

Unless Microsoft Entra ID is running as an identity provider for third-party applications,
do not allow users to use their identity outside of your cloud environment. User profiles
contain private information such as phone numbers and email addresses which could
then be sold off to other third parties without requiring any further consent from the user.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then Enterprise applications
4. Select User settings
5. Set Users can add gallery apps to My Apps to No

Associated Objects

Affected Objects

TEST NAME

Ensure that Guest invite restrictions is set to Only users assigned to specific admin roles can invite guest users

Description

Item does not meet all the requirements as per test.
With the option of Only users assigned to specific admin roles can invite guest
users selected, users with specific admin roles will be in charge of sending invitations to
the external users, requiring additional overhead by them to manage user accounts.
This will mean coordinating with other departments as they are onboarding new users.

Restrict invitations to users with specific administrative roles only.

Restricting invitations to users with specific administrator roles ensures that only
authorized accounts have access to cloud resources. This helps to maintain Need to
Know permissions and prevents inadvertent access to data.
By default the setting Guest invite restrictions is set to Anyone in the
organization can invite guest users including guests and non-admins. This would
allow anyone within the organization to invite guests and non-admins to the tenant,
posing a security risk.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then External Identities
4. Select External collaboration settings
5. Under Guest invite settings, for Guest invite restrictions, ensure that Only
users assigned to specific admin roles can invite guest users is selected

Associated Objects

Affected Objects

TEST NAME

Ensure that Users can create security groups in Azure portals API or PowerShell is set to No

Description

Item does not meet all the requirements as per test.
Enabling this setting could create a number of requests that would need to be managed
by an administrator.

Restrict security group creation to administrators only.

When creating security groups is enabled, all users in the directory are allowed to
create new security groups and add members to those groups. Unless a business
requires this day-to-day delegation, security group creation should be restricted to
administrators only.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Groups
4. Select General under Settings
5. Set Users can create security groups in Azure portals, API or PowerShell
to No

Associated Objects

Affected Objects

TEST NAME

Ensure that Owners can manage group membership requests in the Access Panel is set to No

Description

Item does not meet all the requirements as per test.
Group Membership for user accounts will need to be handled by Admins and cause administrative overhead.

Restrict security group management to administrators only.

Restricting security group management to administrators only prohibits users from
making changes to security groups. This ensures that security groups are appropriately
managed and their management is not delegated to non-administrators.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then Groups
4. Select General in settings
5. Set Owners can manage group membership requests in the Access Panel to No

Associated Objects

Affected Objects

TEST NAME

Ensure that Users can create Microsoft 365 groups in Azure portals API or PowerShell is set to No

Description

Item does not meet all the requirements as per test.
Enabling this setting could create a number of requests that would need to be managed by an administrator.

Restrict Microsoft 365 group creation to  administrators only.

Restricting Microsoft 365 group creation to administrators only ensures that creation of
Microsoft 365 groups is controlled by the administrator. Appropriate groups should be
created and managed by the administrator and group creation rights should not be
delegated to any other user.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Then Groups
4. Select General in settings
5. Set Users can create Microsoft 365 groups in Azure portals, API or
PowerShell to No

Associated Objects

Affected Objects

TEST NAME

Ensure that Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID is set to Yes

Description

Item does not meet all the requirements as per test.
A slight impact of additional overhead, as Administrators will now have to approve every access to the domain.

Joining or registering devices to Microsoft Entra ID should require Multi-factor
authentication.

Multi-factor authentication is recommended when adding devices to Microsoft Entra ID.
When set to Yes, users who are adding devices from the internet must first use the
second method of authentication before their device is successfully added to the
directory. This ensures that rogue devices are not added to the domain using a
compromised user account. Note: Some Microsoft documentation suggests to use
conditional access policies for joining a domain from certain whitelisted networks or
devices. Even with these in place, using Multi-Factor Authentication is still
recommended, as it creates a process for review before joining the domain.

Recommendation and Steps

From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Microsoft Entra ID
3. Select Devices
4. Select Device settings
Page 101
5. Set Require Multi-Factor Authentication to register or join devices with
Microsoft Entra to Yes

Associated Objects

Affected Objects

TEST NAME

Ensure That Subscription leaving Microsoft Entra ID directory and Subscription entering Microsoft Entra ID directory Is Set To Permit No One

Description

Item does not meet all the requirements as per test.
Subscriptions will need to have these settings turned off to be moved.

Users who are set as subscription owners are able to make administrative changes to
the subscriptions and move them into and out of Microsoft Entra ID.

Permissions to move subscriptions in and out of Microsoft Entra ID directory must only
be given to appropriate administrative personnel. A subscription that is moved into an
Microsoft Entra ID directory may be within a folder to which other users have elevated
permissions. This prevents loss of data or unapproved changes of the objects within by
potential bad actors.

Recommendation and Steps

From Azure Portal
1. From the Azure Portal Home select the portal menu
2. Select Subscriptions
3. In the Advanced options drop-down menu, select Manage Policies
4. Under Subscription leaving Microsoft Entra ID directory and Subscription
entering Microsoft Entra ID directory select Permit no one

Associated Objects

Affected Objects

TEST NAME

Ensure That Microsoft Defender for Servers Is Set to On

Description

Item does not meet all the requirements as per test.
Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an
additional cost per resource.

Turning on Microsoft Defender for Servers enables threat detection for Servers,
providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft
Defender for Cloud.

Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat
detection provided by the Microsoft Security Response Center (MSRC).

Recommendation and Steps

From Azure Portal
1. Go to Microsoft Defender for Cloud
2. Select Environment Settings
3. Click on the subscription name
4. Select Defender plans
5. Set Server Status to On
6. Select Save

Associated Objects

Affected Objects

TEST NAME

Ensure That Microsoft Defender for App Services Is Set To On

Description

Item does not meet all the requirements as per test.
Turning on Microsoft Defender for App Service incurs an additional cost per resource.

Turning on Microsoft Defender for App Service enables threat detection for App Service,
providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft
Defender for Cloud.

Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with
threat detection provided by the Microsoft Security Response Center (MSRC).

Recommendation and Steps

From Azure Portal
1. Go to Microsoft Defender for Cloud
2. Select Environment Settings
3. Click on the subscription name
4. Select Defender plans
5. Set App Service Status to On
6. Select Save

Associated Objects

Affected Objects

TEST NAME

Ensure That Microsoft Defender for -Managed Instance- Azure SQL Databases Is Set To On

Description

Item does not meet all the requirements as per test.
Turning on Microsoft Defender for Azure SQL Databases incurs an additional cost per
resource.

Turning on Microsoft Defender for Azure SQL Databases enables threat detection for
Managed Instance Azure SQL databases, providing threat intelligence, anomaly
detection, and behavior analytics in Microsoft Defender for Cloud.

Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-indepth, includes functionality for discovering and classifying sensitive data, surfacing and
mitigating potential database vulnerabilities, and detecting anomalous activities that
could indicate a threat to your database.

Recommendation and Steps

From Azure Portal
1. Go to Microsoft Defender for Cloud.
2. Select Environment Settings blade.
3. Click on the subscription name.
4. Select the Defender plans blade.
5. Click Select types > in the row for Databases.
6. Set the radio button next to Azure SQL Databases to On.
7. Select Continue.
8. Select Save

Associated Objects

Affected Objects

TEST NAME

Ensure That Microsoft Defender for SQL Servers on Machines Is Set To On

Description

Item does not meet all the requirements as per test.
Turning on Microsoft Defender for SQL servers on machines incurs an additional cost
per resource.

Turning on Microsoft Defender for SQL servers on machines enables threat detection
for SQL servers on machines, providing threat intelligence, anomaly detection, and
behavior analytics in Microsoft Defender for Cloud.

Enabling Microsoft Defender for SQL servers on machines allows for greater defensein-depth, functionality for discovering and classifying sensitive data, surfacing and
mitigating potential database vulnerabilities, and detecting anomalous activities that
could indicate a threat to your database.

Recommendation and Steps

From Azure Portal
1. Go to Microsoft Defender for Cloud.
2. Select Environment Settings blade.
3. Click on the subscription name.
4. Select the Defender plans blade.
5. Click Select types > in the row for Databases.
6. Set the radio button next to SQL servers on machines to On.
7. Select Continue.
8. Select Save.

Associated Objects

Affected Objects

TEST NAME

Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To On

Description

Item does not meet all the requirements as per test.
Turning on Microsoft Defender for Open-source relational databases incurs an
additional cost per resource.

Turning on Microsoft Defender for Open-source relational databases enables threat
detection for Open-source relational databases, providing threat intelligence, anomaly
detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Open-source relational databases allows for greater
defense-in-depth, with threat detection provided by the Microsoft Security Response
Center (MSRC).

Recommendation and Steps

From Azure Portal
1. Go to Microsoft Defender for Cloud.
2. Select Environment Settings blade.
3. Click on the subscription name.
4. Select the Defender plans blade.
5. Click Select types > in the row for Databases.
6. Set the radio button next to Open-source relational databases to On.
7. Select Continue.
8. Select Save.

Associated Objects

Affected Objects

TEST NAME

Ensure That Microsoft Defender for Azure Cosmos DB Is Set To On

Description

Item does not meet all the requirements as per test.
Enabling Microsoft Defender for Azure Cosmos DB requires enabling Microsoft
Defender for your subscription. Both will incur additional charges.

Microsoft Defender for Azure Cosmos DB scans all incoming network requests for
threats to your Azure Cosmos DB resources.

In scanning Azure Cosmos DB requests within a subscription, requests are compared to
a heuristic list of potential security threats. These threats could be a result of a security
breach within your services, thus scanning for them could prevent a potential security
threat from being introduced.

Recommendation and Steps

From Azure Portal
1. Go to Microsoft Defender for Cloud.
2. Select Environment Settings blade.
3. Click on the subscription name.
4. Select the Defender plans blade.
5. On the Database row click on Select types >.
6. Set the radio button next to Azure Cosmos DB to On.
7. Click Continue.
8. Click Save.

Associated Objects

Affected Objects