diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 20a6cca48a..8048b34f28 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427) - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408) - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609) +- Update M365 Entra ID service metadata to new format [(#9682)](https://github.com/prowler-cloud/prowler/pull/9682) + --- diff --git a/prowler/providers/m365/services/entra/entra_admin_consent_workflow_enabled/entra_admin_consent_workflow_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_admin_consent_workflow_enabled/entra_admin_consent_workflow_enabled.metadata.json index d66e31c1b6..0fbc04eb01 100644 --- a/prowler/providers/m365/services/entra/entra_admin_consent_workflow_enabled/entra_admin_consent_workflow_enabled.metadata.json +++ b/prowler/providers/m365/services/entra/entra_admin_consent_workflow_enabled/entra_admin_consent_workflow_enabled.metadata.json 
@@ -1,29 +1,40 @@ { "Provider": "m365", "CheckID": "entra_admin_consent_workflow_enabled", - "CheckTitle": "Ensure the admin consent workflow is enabled.", + "CheckTitle": "Microsoft Entra admin consent workflow is enabled", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Organization Settings", - "Description": "Ensure that the admin consent workflow is enabled in Microsoft Entra to allow users to request admin approval for applications requiring consent.", - "Risk": "If the admin consent workflow is not enabled, users may be blocked from accessing applications that require admin consent, leading to potential work disruptions or unauthorized workarounds.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow", + "ResourceType": "", + "Description": "Microsoft Entra **admin consent workflow** is evaluated to confirm an approval path exists for app permission requests. The check looks for the workflow being enabled and, when present, whether **reviewer notifications** are configured.", + "Risk": "Without an approval workflow, app access decisions lack controlled review. 
This can force permissive settings or push users to shadow IT, enabling **consent phishing** and excessive Graph permissions that jeopardize **confidentiality** and **integrity**, or block required apps, affecting **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.plexhosted.com/post/complete-setup-how-to-enable-admin-consent-workflow-and-stop-unapproved-app-access-in-microsoft-ent", + "https://learn.microsoft.com/en-NZ/entra/identity/enterprise-apps/user-admin-consent-overview", + "https://entra.microsoft.com/.", + "https://www.cloudcoffee.ch/microsoft-azure/microsoft-entra-id-admin-consent-workflow/", + "https://support.atlassian.com/jira/kb/need-admin-approval-message-when-trying-to-connect-email-accounts-in-jsm-cloud/", + "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow", + "https://global-sharepoint.com/sharepoint/admin-consent-approval-workflow/", + "https://www.linkedin.com/pulse/how-manage-users-consent-applications-within-azure-ad-entra-id-alcpf" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Click to expand Identity > Applications and select Enterprise applications. 3. Under Security, select Consent and permissions. 4. Under Manage, select Admin consent settings. 5. Set 'Users can request admin consent to apps they are unable to consent to' to 'Yes'. 6. Configure the reviewers and email notifications settings. 7. Click Save.", + "Other": "1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) as a Global Administrator\n2. Go to Entra ID > Enterprise applications > Consent and permissions > Admin consent settings\n3. Set \"Users can request admin consent to apps they are unable to consent to\" to Yes\n4. 
Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Enable the admin consent workflow in Microsoft Entra to securely manage application consent requests.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow" + "Text": "Enable the **admin consent workflow** (`Users can request admin consent to apps they are unable to consent to`) and assign least-privileged reviewers; enable notifications and expiry. Combine with restrictive **user consent** policies, permission classifications, and periodic reviews. Apply **least privilege** and **separation of duties**.", + "Url": "https://hub.prowler.com/check/entra_admin_consent_workflow_enabled" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_admin_portals_access_restriction/entra_admin_portals_access_restriction.metadata.json b/prowler/providers/m365/services/entra/entra_admin_portals_access_restriction/entra_admin_portals_access_restriction.metadata.json index 01fee17d74..3fa760ee1a 100644 --- a/prowler/providers/m365/services/entra/entra_admin_portals_access_restriction/entra_admin_portals_access_restriction.metadata.json +++ b/prowler/providers/m365/services/entra/entra_admin_portals_access_restriction/entra_admin_portals_access_restriction.metadata.json 
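Review bot: The new `CLI` remediation `Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true` enables the workflow without naming any reviewer, and the rewritten `Other` steps drop the removed step 6 that configured reviewers and email notifications, even though the new `Description` says the check also looks at whether reviewer notifications are configured. A workflow that is enabled with no reviewer leaves requests with nobody able to approve them, so the CLI should at least carry reviewer and notification settings, e.g. `Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true -Reviewers @(@{query="/users/<REVIEWER_OBJECT_ID>"; queryType="MicrosoftGraph"})`, and the portal steps should regain a "configure reviewers and notifications" step before Save. Separately, `AdditionalURLs` lists `https://entra.microsoft.com/.`; the trailing `/.` here and in the sign-in-frequency and guest-group hunks, and the bare `https://entra.microsoft.com.` form in the admin-portals, admin-MFA and phishing-resistant-MFA hunks, should be normalized to `https://entra.microsoft.com/`.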
@@ -1,35 +1,45 @@ { "Provider": "m365", "CheckID": "entra_admin_portals_access_restriction", - "CheckTitle": "Ensure that only administrative roles have access to Microsoft Admin Portals", - "CheckAliases": [ - "entra_admin_portals_role_limited_access" - ], + "CheckTitle": "Microsoft admin portals are accessible only to administrative roles", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that only administrative roles have access to Microsoft Admin Portals to prevent unauthorized changes, privilege escalation, and security misconfigurations.", - "Risk": "Allowing non-administrative users to access Microsoft Admin Portals increases the risk of unauthorized changes, privilege escalation, and potential security misconfigurations. Attackers could exploit these privileges to manipulate settings, disable security features, or access sensitive data.", - "RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide", + "Severity": "medium", + "ResourceType": "", + "Description": "Conditional Access restricts `MicrosoftAdminPortals` by targeting admin portals, including all users, excluding administrative roles, and applying a **block** decision. The assessment determines whether an active policy enforces this restriction rather than only reporting.", + "Risk": "Absent this control, non-admin identities can reach admin portals, jeopardizing **integrity** (unauthorized tenant changes), **confidentiality** (exposure of settings and data), and **availability** (disabling services). 
Threats include privilege escalation, weakening policies, and creating persistence.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.triskelelabs.com/blog/microsoft-entra-conditional-access-policies", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "https://feedback.azure.com/d365community/idea/215d9249-99a9-ee11-92bc-000d3ae54955", + "https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/conditional-access/concept-conditional-access-policy-common.md", + "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps", + "https://entra.microsoft.com." + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "New-MgIdentityConditionalAccessPolicy -BodyParameter @{displayName=\"\";state=\"enabled\";conditions=@{users=@{includeUsers=@(\"All\");excludeRoles=@(\"62e90394-69f5-4237-9190-012177145e10\")};applications=@{includeApplications=@(\"MicrosoftAdminPortals\")}};grantControls=@{builtInControls=@(\"block\")}}", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Click New Policy. Under Users include All Users. Under Users select Exclude and check Directory roles and select only administrative roles and a group of PIM eligible users. Under Target resources select Cloud apps and Select apps then select the Microsoft Admin Portals app. Confirm by clicking Select. Under Grant select Block access and click Select. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. Click Create.", - "Terraform": "" + "Other": "1. Go to Microsoft Entra admin center > Protection > Conditional Access > Policies > New policy\n2. Users: Include = All users; Exclude = Directory roles, select all administrative roles\n3. 
Target resources: Cloud apps > Select apps > choose Microsoft Admin Portals > Select\n4. Grant: Block access > Select\n5. Enable policy: On > Create", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\" # Critical: policy must be enabled to PASS\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: include all users\n exclude_roles = [\"62e90394-69f5-4237-9190-012177145e10\"] # Critical: exclude admin role(s) so only admins can access\n }\n applications {\n included_applications = [\"MicrosoftAdminPortals\"] # Critical: target Microsoft Admin Portals\n }\n }\n\n grant_controls {\n built_in_controls = [\"block\"] # Critical: block non-excluded users\n }\n}\n```" }, "Recommendation": { - "Text": "Enforce Conditional Access policies to restrict Microsoft Admin Portals to predefined administrative roles. Ensure that only necessary users have access to these portals, applying the principle of least privilege and conducting periodic access reviews to maintain security compliance.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview" + "Text": "Enforce **least privilege** with Conditional Access that blocks `MicrosoftAdminPortals` for everyone except approved admin roles. Add **defense in depth**: require strong MFA/authentication strength, compliant devices, and trusted locations; use JIT via PIM. Review role assignments and policies routinely.", + "Url": "https://hub.prowler.com/check/entra_admin_portals_access_restriction" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], "RelatedTo": [], - "Notes": "" + "Notes": "", + "CheckAliases": [ + "entra_admin_portals_role_limited_access" + ] } 
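Review bot: The new `CLI` and `Terraform` remediations create an already-enabled block policy over `MicrosoftAdminPortals` for `All` users while excluding a single role template ID (`62e90394-…`, which appears to be Global Administrator), so holders of every other administrative role, and any break-glass account, would lose portal access the moment the policy applies. That contradicts the `Other` steps in the same hunk, which exclude all administrative roles, and the removed text additionally excluded PIM-eligible users and started in report-only. The snippets should exclude the same full set of admin roles as the portal steps plus the emergency-access accounts, and start with `state = "enabledForReportingButNotEnforced"` before moving to `enabled`. The Terraform block also cannot apply as written: the resource label and `display_name` are empty strings, and the `users` attributes are written `include_users`/`exclude_roles` where the azuread provider's names are `included_users`/`excluded_roles`. The admin-MFA hunk repeats the empty label and the `include_users` name, the sign-in-frequency hunk repeats both empty strings, and the guest-group hunk the empty `display_name`.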
diff --git a/prowler/providers/m365/services/entra/entra_admin_users_cloud_only/entra_admin_users_cloud_only.metadata.json b/prowler/providers/m365/services/entra/entra_admin_users_cloud_only/entra_admin_users_cloud_only.metadata.json index 3e04a213dc..c0b3c62925 100644 --- a/prowler/providers/m365/services/entra/entra_admin_users_cloud_only/entra_admin_users_cloud_only.metadata.json +++ b/prowler/providers/m365/services/entra/entra_admin_users_cloud_only/entra_admin_users_cloud_only.metadata.json 
@@ -1,30 +1,34 @@ { "Provider": "m365", "CheckID": "entra_admin_users_cloud_only", - "CheckTitle": "Ensure all Microsoft 365 administrative users are cloud-only", + "CheckTitle": "All Microsoft 365 users with administrative roles are cloud-only accounts", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Administrative User", - "Description": "This check verifies that all Microsoft 365 administrative users are cloud-only, not synchronized from an on-premises directory, by querying administrative users and checking their synchronization status.", - "Risk": "On-premises synchronized administrative users increase the attack surface and compromise the security posture of the cloud environment. Compromise of on-premises systems could lead to unauthorized access to Microsoft 365 administrative functionalities.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles", + "ResourceType": "", + "Description": "**Microsoft Entra administrative users** are evaluated to confirm they are **cloud-only accounts**, with no on-premises directory synchronization for any user holding privileged roles.", + "Risk": "**On-premises-synced privileged accounts** extend the cloud trust boundary to AD. If AD or the sync channel is compromised, attackers can:\n- **Escalate** into Entra roles\n- Alter tenant settings and access data\n- Maintain **persistence** via on-prem credentials\n\nThis harms **confidentiality** and **integrity** and complicates recovery.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId -DirectoryObjectId ", "NativeIaC": "", - "Other": "1. 
Identify on-premises synchronized administrative users using Microsoft Entra Connect or equivalent tools. 2. Create new cloud-only administrative user with appropriate permissions. 3. Migrate administrative tasks from on-premises synchronized users to the new cloud-only user. 4. Disable or remove the on-premises synchronized administrative users.", + "Other": "1. In the Microsoft Entra admin center, go to Identity > Users. Filter: On-premises sync enabled = Yes. Identify any users with administrative roles. 2. If needed, create a cloud-only admin: Identity > Users > New user > Create user; under Roles, assign the required admin role. 3. Remove admin roles from synchronized users: Identity > Roles & administrators > select the role > Members > select the synchronized user(s) > Remove.", "Terraform": "" }, "Recommendation": { - "Text": "Ensure all Microsoft 365 administrative users are cloud-only to reduce the attack surface and improve security posture.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles" + "Text": "Assign Entra roles only to **cloud-native accounts**. Enforce **least privilege**, **MFA**, and **Conditional Access**; use **PIM** for just-in-time elevation. Maintain cloud-only break-glass accounts, perform periodic access reviews, and prohibit synced identities from holding privileged roles for **defense in depth**.", + "Url": "https://hub.prowler.com/check/entra_admin_users_cloud_only" } }, "Categories": [ - "e3" + "identity-access", + "trust-boundaries" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/m365/services/entra/entra_admin_users_mfa_enabled/entra_admin_users_mfa_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_admin_users_mfa_enabled/entra_admin_users_mfa_enabled.metadata.json index 2577857a99..ca1bda5047 100644 
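Review bot: The new `CLI` value `Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId -DirectoryObjectId ` has no argument after either parameter, so as written it fails with a missing-argument error rather than serving as a template; the placeholders should be explicit, e.g. `Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId <ROLE_ID> -DirectoryObjectId <SYNCED_USER_OBJECT_ID>`, and the trailing space dropped. Note also that this hunk replaces `"e3"` in `Categories` with `identity-access`/`trust-boundaries`, while every sibling hunk in this commit keeps `"e3"` alongside the new `identity-access` tag; if the E3 benchmark mapping still applies to this check, dropping it looks unintentional and is worth confirming.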
--- a/prowler/providers/m365/services/entra/entra_admin_users_mfa_enabled/entra_admin_users_mfa_enabled.metadata.json +++ b/prowler/providers/m365/services/entra/entra_admin_users_mfa_enabled/entra_admin_users_mfa_enabled.metadata.json 
@@ -1,35 +1,46 @@ { "Provider": "m365", "CheckID": "entra_admin_users_mfa_enabled", - "CheckTitle": "Ensure multifactor authentication is enabled for all users in administrative roles.", - "CheckAliases": [ - "entra_admin_mfa_enabled_for_administrative_roles" - ], + "CheckTitle": "Users in administrative roles require multifactor authentication via a Conditional Access policy for all applications", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that multifactor authentication (MFA) is enabled for all users in administrative roles to enhance security and reduce the risk of unauthorized access.", - "Risk": "Without MFA enabled for administrative roles, attackers could compromise privileged accounts with only a single authentication factor, increasing the risk of data breaches and unauthorized access to sensitive resources.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa", + "ResourceType": "", + "Description": "Microsoft Entra Conditional Access policies that enforce **multifactor authentication** for users in **administrative roles** across all resources.\n\nThe assessment identifies at least one active policy that targets admin roles (or all users), includes all applications, and grants access only when `Require multifactor authentication` is satisfied.", + "Risk": "Without enforced **MFA** on privileged accounts, stolen or phished passwords can grant admin access, enabling tenant takeover. 
Attackers may exfiltrate data, change configurations, consent malicious apps, and disable protections, impacting confidentiality, integrity, and availability.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://janbakker.tech/all-you-need-to-know-about-the-mandatory-multifactor-authentication-for-azure-and-other-administration-portals/", + "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-alt-all-users-compliant-hybrid-or-mfa", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa", + "https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-alt-admin-device-compliand-hybrid", + "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates", + "https://entra.microsoft.com." + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "az rest --method post --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body '{\"displayName\":\"Require MFA for all users\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeUsers\":[\"All\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}'", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com. 2. Expand Protection > Conditional Access and select Policies. 3. Click 'New policy' and configure: Users: Select users and groups > Directory roles (include admin roles). Target resources: Include 'All cloud apps' with no exclusions. Grant: Select 'Grant Access' and check 'Require multifactor authentication'. 4. Set policy to 'Report Only' for testing before full enforcement. 5. Click 'Create'.", - "Terraform": "" + "Other": "1. 
Sign in to Microsoft Entra admin center > Entra ID > Protection > Conditional Access > Policies > New policy\n2. Users: Include > All users\n3. Target resources: Include > All cloud apps (All resources)\n4. Grant: Grant access > Require multifactor authentication > Select\n5. Enable policy: On > Create", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"Require MFA for all users\"\n state = \"enabled\" # Critical: policy must be enabled to enforce\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: applies to all users, covering all admin roles\n }\n applications {\n included_applications = [\"All\"] # Critical: targets all cloud apps/resources\n }\n }\n\n grant_controls {\n built_in_controls = [\"mfa\"] # Critical: require multifactor authentication\n operator = \"OR\"\n }\n}\n```" }, "Recommendation": { - "Text": "Enable MFA for all users in administrative roles using a Conditional Access policy in Microsoft Entra.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa" + "Text": "Require **MFA** for all administrative roles with Conditional Access scoped to `All cloud apps` to avoid gaps. Prefer **phishing-resistant** methods (FIDO2, passkeys, Authenticator). Apply least privilege, limit exclusions, protect break-glass accounts, monitor sign-ins, and verify policies actively enforce, not just report.", + "Url": "https://hub.prowler.com/check/entra_admin_users_mfa_enabled" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], "RelatedTo": [], - "Notes": "" + "Notes": "", + "CheckAliases": [ + "entra_admin_mfa_enabled_for_administrative_roles" + ] } 
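Review bot: The new `CLI` remediation switches tooling to `az rest` against the Graph endpoint, whereas every other `CLI` value rewritten in this commit (admin consent, admin portals, cloud-only admins, guest group) uses Microsoft Graph PowerShell cmdlets, so a reader working through the Entra remediations in sequence now needs two toolchains and two authentication contexts. For consistency the `New-MgIdentityConditionalAccessPolicy -BodyParameter @{...}` form used in the admin-portals hunk would be preferable. The body also creates the policy with `state: enabled` for `All` users and `All` apps with no `excludeUsers`, so the emergency-access accounts the new `Recommendation` text says to protect are subject to it immediately; an `excludeUsers` entry with a labelled placeholder and an initial `enabledForReportingButNotEnforced` state would align the code with the text and with the report-only step the removed `Other` text had.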
diff --git a/prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.metadata.json index c7272fbc81..9215e6afa5 100644 --- a/prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.metadata.json +++ b/prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.metadata.json 
@@ -1,29 +1,40 @@ { "Provider": "m365", "CheckID": "entra_admin_users_phishing_resistant_mfa_enabled", - "CheckTitle": "Ensure phishing-resistant MFA strength is required for all administrator accounts", + "CheckTitle": "At least one Conditional Access policy requires phishing-resistant MFA strength for administrator roles", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Conditional Access Policy", - "Description": "This check verifies that phishing-resistant MFA strength is required for all administrator accounts. Phishing-resistant MFA includes authentication methods that are resistant to phishing attacks and MFA fatigue attacks compared to weaker methods like SMS or push notifications.", - "Risk": "Administrators using weaker MFA methods, such as SMS or push notifications, are vulnerable to phishing attacks and MFA fatigue attacks. Attackers can intercept codes or trick users into approving fraudulent authentication requests, leading to unauthorized access to critical systems.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa", + "ResourceType": "", + "Description": "Conditional Access for administrator roles requires **phishing-resistant MFA** authentication strength on `All` applications. Disabled policies are ignored; report-only policies aren't considered. 
Policies with custom strengths require review to confirm they are truly **phishing-resistant**.", + "Risk": "Without phishing-resistant MFA on admin accounts, attackers can:\n- Bypass OTP/push via **AiTM phishing**\n- Abuse **MFA fatigue** to gain sessions\n- Perform **tenant takeover**, alter policies, and exfiltrate data\n\nThis harms confidentiality, configuration integrity, and service availability.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://oxfordcomputergroup.com/resources/microsoft-conditional-access-authentication-strength/", + "https://blog.admindroid.com/use-phishing-resistant-mfa-to-implement-stronger-mfa-authentication/", + "https://blog.nviso.eu/2024/03/18/top-things-that-you-might-not-be-doing-yet-in-entra-conditional-access-advanced-edition/comment-page-1/", + "https://entra.microsoft.com.", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa#create-a-conditional-access-policy", + "https://docs.azure.cn/en-us/entra/identity/conditional-access/policy-guests-mfa-strength", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa", + "https://mobile-jon.com/2024/09/09/the-magnificent-8-conditional-access-policies-of-microsoft-entra/" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Click New policy. Under Users include Select users and groups and check Directory roles. At a minimum, include the directory roles listed below in this section of the document. Under Target resources include All cloud apps and do not create any exclusions. Under Grant select Grant Access and check Require authentication strength and set Phishing-resistant MFA in the dropdown box. Click Select. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. 
Click Create.", + "Other": "1. Sign in to Microsoft Entra admin center (https://entra.microsoft.com)\n2. Go to Entra ID > Conditional Access > Policies > New policy\n3. Users > Include > Directory roles > select Global Administrator (or the admin roles you require)\n4. Target resources > Resources (cloud apps) > Include > All cloud apps; ensure Exclude is empty\n5. Grant > Grant access > Require authentication strength > select Phishing-resistant MFA > Select\n6. Enable policy: On\n7. Click Create", "Terraform": "" }, "Recommendation": { - "Text": "Require phishing-resistant MFA strength for all administrator accounts through Conditional Access policies. Enforce the use of FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Ensure administrators are pre-registered for these methods before enforcement to prevent lockouts. Maintain a break-glass account exempt from this policy for emergency access.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa#create-a-conditional-access-policy" + "Text": "Require `Phishing-resistant MFA` via Conditional Access for all privileged roles and `All resources`. Favor **FIDO2**, **Windows Hello for Business**, or **certificate-based auth**. Apply **least privilege**, use **PIM** for step-up on role activation, test in report-only, and keep a monitored break-glass account.", + "Url": "https://hub.prowler.com/check/entra_admin_users_phishing_resistant_mfa_enabled" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_admin_users_sign_in_frequency_enabled/entra_admin_users_sign_in_frequency_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_admin_users_sign_in_frequency_enabled/entra_admin_users_sign_in_frequency_enabled.metadata.json index 3a872b2768..2a82d5c26c 100644 
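Review bot: Step `6. Enable policy: On` in the new `Other` text contradicts the new `Recommendation` text in the same hunk, which says to `test in report-only`, and the removed text's advice to pre-register administrators for a phishing-resistant method before enforcement has no replacement; switching an authentication-strength requirement to On for admin roles that do not yet hold a FIDO2, Windows Hello for Business or certificate credential locks those admins out of every cloud app. Suggest `6. Enable policy: Report-only; switch to On once all targeted admins have registered a phishing-resistant method` and an explicit exclusion for the break-glass account the `Recommendation` mentions. Unlike the sibling Conditional Access hunks, `CLI` and `Terraform` stay empty here; if that is deliberate because the authentication-strength reference is tenant-specific, a short `Notes` entry saying so would stop the next editor from re-adding one.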
--- a/prowler/providers/m365/services/entra/entra_admin_users_sign_in_frequency_enabled/entra_admin_users_sign_in_frequency_enabled.metadata.json +++ b/prowler/providers/m365/services/entra/entra_admin_users_sign_in_frequency_enabled/entra_admin_users_sign_in_frequency_enabled.metadata.json 
@@ -1,29 +1,35 @@ { "Provider": "m365", "CheckID": "entra_admin_users_sign_in_frequency_enabled", - "CheckTitle": "Ensure Sign-in frequency periodic reauthentication is enabled and properly configured.", + "CheckTitle": "Admin users have sign-in frequency enforced by Conditional Access at or below the recommended interval", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure Sign-in frequency periodic reauthentication is enabled and properly configured to reduce the risk of unauthorized access and session hijacking.", - "Risk": "Allowing persistent browser sessions and long sign-in frequencies for administrative users increases the risk of unauthorized access. Attackers could exploit session persistence to maintain access to an admin account without reauthentication, increasing the likelihood of account compromise, especially in cases of credential theft or session hijacking.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#sign-in-frequency", + "ResourceType": "", + "Description": "**Conditional Access** evaluates whether admin roles are covered by policies that enforce a defined **sign-in frequency** and **non-persistent browser sessions** across *all cloud apps*. It looks for reauthentication set to a time interval or `Every time`, persistent browser set to `never`, and policies that are enforced rather than report-only or disabled.", + "Risk": "Lax reauthentication and persistent sessions let admin tokens live too long, enabling **session hijacking**, **token replay**, and access after **credential theft**. 
Attackers can modify configurations, elevate privileges, and exfiltrate data, threatening **confidentiality** and **integrity** and increasing risk of **tenant takeover**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://entra.microsoft.com/.", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#user-sign-in-frequency", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#sign-in-frequency" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Click to expand Protection > Conditional Access Select Policies. 3. Click New policy. Under Users include, select users and groups and check Directory roles. At a minimum, include the directory roles listed below in this section of the document. Under Target resources, include All cloud apps and do not create any exclusions. Under Grant, select Grant Access and check Require multifactor authentication. Under Session, select Sign-in frequency, select Periodic reauthentication, and set it to 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours. Check Persistent browser session, then select Never persistent in the drop-down menu. 4. Under Enable policy, set it to Report Only until the organization is ready to enable it.", - "Terraform": "" + "Other": "1. Go to Microsoft Entra admin center (https://entra.microsoft.com/)\n2. Navigate to Protection > Conditional Access > Policies > New policy\n3. Users > Include > Select users and groups > Directory roles: select admin roles (e.g., Global Administrator)\n4. Target resources (Cloud apps): Select All cloud apps\n5. Session:\n - Enable Sign-in frequency and set to Every time OR set 4 hours (or less)\n - Set Persistent browser session to Never persistent\n6. 
Enable policy: On, then Create", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\" # Critical: must be enabled (not report-only) to enforce\n\n conditions {\n users {\n included_roles = [\"\"] # Critical: target admin directory roles (e.g., Global Administrator)\n }\n applications {\n included_applications = [\"All\"] # Critical: apply to all cloud apps\n }\n }\n\n session_controls {\n sign_in_frequency = 4 # Critical: enforce reauth at or below 4 hours\n sign_in_frequency_interval = \"hours\" # Critical: time-based frequency in hours\n persistent_browser_mode = \"never\" # Critical: enforce non-persistent browser sessions\n }\n}\n```" }, "Recommendation": { - "Text": "Enforce a sign-in frequency limit of no more than 4 hours for E3 tenants (or 24 hours for E5 with Privileged Identity Management) and set browser sessions to Never persistent. This ensures that administrative users are regularly reauthenticated, reducing the risk of prolonged unauthorized access and mitigating session hijacking threats.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#user-sign-in-frequency" + "Text": "Use **Conditional Access** for admin roles to:\n- Enforce short sign-in frequency (e.g., `4` hours, or `Every time` for critical actions)\n- Set persistent browser to `never`\n- Cover all apps and run in enforce mode\n\nPair with **least privilege**, **MFA**, **PIM**, and **token protection** to reduce session abuse.", + "Url": "https://hub.prowler.com/check/entra_admin_users_sign_in_frequency_enabled" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], 
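Review bot: In the new `Terraform` snippet, `sign_in_frequency_interval = "hours"` does not look like a valid value: as far as I recall the azuread provider schema, the unit belongs in `sign_in_frequency_period = "hours"` while `sign_in_frequency_interval` accepts `timeBased` or `everyTime`, so the snippet would fail validation instead of enforcing the 4-hour reauthentication it promises. `included_roles = [""]` also ships an empty role ID, so even with the attribute fixed the policy would target nobody; a labelled placeholder such as `included_roles = ["<ADMIN_ROLE_TEMPLATE_ID>"]` makes the required edit obvious. The `Every time` option the new `Recommendation` text offers has no counterpart in the snippet; a one-line HCL comment noting that `sign_in_frequency_interval = "everyTime"` is the alternative would tie the two together.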
diff --git a/prowler/providers/m365/services/entra/entra_dynamic_group_for_guests_created/entra_dynamic_group_for_guests_created.metadata.json b/prowler/providers/m365/services/entra/entra_dynamic_group_for_guests_created/entra_dynamic_group_for_guests_created.metadata.json index b9cabe1238..3ad7c6234d 100644 --- a/prowler/providers/m365/services/entra/entra_dynamic_group_for_guests_created/entra_dynamic_group_for_guests_created.metadata.json +++ b/prowler/providers/m365/services/entra/entra_dynamic_group_for_guests_created/entra_dynamic_group_for_guests_created.metadata.json 
@@ -1,29 +1,34 @@ { "Provider": "m365", "CheckID": "entra_dynamic_group_for_guests_created", - "CheckTitle": "Ensure a dynamic group for guest users is created.", + "CheckTitle": "A dynamic membership group for guest users exists in Microsoft Entra", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "medium", - "ResourceType": "Group Settings", - "Description": "Ensure that a dynamic group is created for guest users in Microsoft Entra to enforce conditional access policies and security controls automatically.", - "Risk": "Without a dynamic group for guest users, administrators may need to manually manage access controls, leading to potential security gaps and inconsistent policy enforcement.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule", + "Severity": "low", + "ResourceType": "", + "Description": "**Microsoft Entra groups** are evaluated for **dynamic membership** that includes only users with `userType -eq \"Guest\"`.\n\nThe finding indicates whether a guest-targeted dynamic group exists to centrally scope policies and governance.", + "Risk": "Without a dedicated dynamic guest group, guests may evade consistent **Conditional Access** and least-privilege controls. This threatens **confidentiality** via excess data access, weakens **integrity** through unauthorized changes, and leaves stale external accounts that enable lateral movement.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://entra.microsoft.com/.", + "https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule" + ], "Remediation": { "Code": { "CLI": "New-MgGroup -DisplayName 'Dynamic Guest Users' -MailNickname 'DynGuestUsers' -MailEnabled $false -SecurityEnabled $true -GroupTypes 'DynamicMembership' -MembershipRule '(user.userType -eq \"Guest\")' -MembershipRuleProcessingState 'On'", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 
2. Click to expand Identity > Groups and select All groups. 3. Select 'New group' and configure: Group type: Security, Membership type: Dynamic User. 4. Add dynamic query with rule: (user.userType -eq 'Guest'). 5. Click Save.", - "Terraform": "" + "Other": "1. Sign in to Microsoft Entra admin center (https://entra.microsoft.com/)\n2. Go to Identity > Groups > All groups > New group\n3. Set Group type: Security; Membership type: Dynamic User\n4. Click Add dynamic query and set the rule: user.userType -eq \"Guest\"; click Save\n5. Click Create", + "Terraform": "```hcl\nresource \"azuread_group\" \"example\" {\n display_name = \"\"\n security_enabled = true\n\n dynamic_membership {\n enabled = true # critical: enables dynamic membership\n rule = \"user.userType -eq \\\"Guest\\\"\" # critical: includes only guest users\n }\n}\n```" }, "Recommendation": { - "Text": "Create a dynamic group for guest users to automate policy enforcement and access control.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule" + "Text": "Establish a **dynamic group** limited to users with `userType -eq \"Guest\"` and use it to scope **Conditional Access**, least-privilege roles, and access reviews.\n\nSegment guests by risk into separate groups, enforce lifecycle policies, and regularly audit membership and policy coverage.", + "Url": "https://hub.prowler.com/check/entra_dynamic_group_for_guests_created" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_identity_protection_sign_in_risk_enabled/entra_identity_protection_sign_in_risk_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_identity_protection_sign_in_risk_enabled/entra_identity_protection_sign_in_risk_enabled.metadata.json index 17e90eadda..18cbbde369 100644 --- a/prowler/providers/m365/services/entra/entra_identity_protection_sign_in_risk_enabled/entra_identity_protection_sign_in_risk_enabled.metadata.json 
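Review bot: The Terraform snippet in `Remediation.Code.Terraform` declares a `dynamic_membership` block on `azuread_group` without `types = ["DynamicMembership"]`, which, as far as I recall, the azuread provider requires for a dynamic group, so the example would fail at apply; add `types = ["DynamicMembership"]` next to `security_enabled = true`. The first `AdditionalURLs` entry, `https://entra.microsoft.com/.`, carries a trailing period that is not part of the URL, and the same trailing-dot form recurs in the other checks of this PR. The severity also drops from medium to low with no stated rationale while the new Risk text still cites lateral movement via stale external accounts; a line in the PR description justifying the change would help.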
+++ b/prowler/providers/m365/services/entra/entra_identity_protection_sign_in_risk_enabled/entra_identity_protection_sign_in_risk_enabled.metadata.json 
@@ -1,29 +1,40 @@ { "Provider": "m365", "CheckID": "entra_identity_protection_sign_in_risk_enabled", - "CheckTitle": "Ensure that Identity Protection sign-in risk policies are enabled", + "CheckTitle": "At least one Conditional Access Identity Protection sign-in risk policy protects against high and medium risk sign-ins", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "medium", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that Identity Protection sign-in risk policies are enabled to detect and respond to suspicious high and medium risk login attempts in real time.", - "Risk": "Without Identity Protection sign-in risk policies enabled, suspicious sign-in attempts may go unnoticed, allowing attackers to access accounts using stolen or compromised credentials. This increases the risk of unauthorized access, data breaches, and privilege escalation.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "Severity": "high", + "ResourceType": "", + "Description": "**Microsoft Entra Conditional Access** has a sign-in risk-based Identity Protection policy that targets `All users` and `All cloud apps`, evaluates `Medium` and `High` sign-in risk, requires **MFA**, sets `sign-in frequency: every time`, and is actively enforced *not report-only*.", + "Risk": "Without this policy, risky authentications using stolen or replayed credentials may proceed without step-up verification, enabling account takeover. 
Attackers can establish persistent sessions, exfiltrate data, change configurations, and move laterally-eroding confidentiality and integrity and potentially impacting availability through privilege abuse.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.sikich.com/insight/how-to-use-microsoft-entra-to-identify-risky-user-sign-ins/", + "https://www.plexhosted.com/post/how-to-configure-microsoft-entra-id-protection-risk-based-access-policies", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "https://azure.microsofts.workers.dev/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa", + "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", + "https://blog.admindroid.com/risk-based-conditional-access-policies-in-microsoft-entra-id/", + "https://redcanary.com/blog/security-operations/getting-started-with-conditional-access/", + "https://entra.microsoft.com." + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "New-MgIdentityConditionalAccessPolicy -BodyParameter @{displayName='';state='enabled';conditions=@{users=@{includeUsers=@('All')};applications=@{includeApplications=@('All')};signInRiskLevels=@('medium','high')};grantControls=@{operator='OR';builtInControls=@('mfa')};sessionControls=@{signInFrequency=@{isEnabled=$true;frequencyInterval='everyTime'}}}", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. 4. Set the following conditions within the policy. Under Users or workload identities choose All users. Under Cloud apps or actions choose All cloud apps. Under Conditions choose Sign-in risk then Yes and check the risk level boxes High and Medium. Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication. 
Under Session select Sign-in Frequency and set to Every time. Click Select. 5. Under Enable policy set it to Report Only until the organization is ready to enable it. 6. Click Create.", - "Terraform": "" + "Other": "1. Sign in to Microsoft Entra admin center (entra.microsoft.com)\n2. Go to Entra ID > Protection > Conditional Access > Policies > New policy\n3. Users: select All users\n4. Target resources: select All resources (All cloud apps)\n5. Conditions > Sign-in risk: set to Yes, select Medium and High\n6. Grant > Grant access: select Require multifactor authentication\n7. Session > Sign-in frequency: set to Every time\n8. Enable policy: On\n9. Create the policy", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\" # Critical: enforce policy\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: apply to all users\n }\n applications {\n include_applications = [\"All\"] # Critical: apply to all apps\n }\n sign_in_risk_levels = [\"medium\", \"high\"] # Critical: protect Medium and High sign-in risks\n client_app_types = [\"all\"]\n }\n\n grant_controls {\n operator = \"OR\"\n built_in_controls = [\"mfa\"] # Critical: require MFA\n }\n\n session_controls {\n sign_in_frequency_interval = \"everyTime\" # Critical: require reauth every time\n }\n}\n```" }, "Recommendation": { - "Text": "Enable Identity Protection sign-in risk policies to detect and respond to suspicious login attempts in real time. Configure Conditional Access to require MFA for risky sign-ins and ensure all users are enrolled in MFA to prevent account lockouts. 
Regularly review sign-in risk reports to identify and mitigate potential security threats.", - "Url": "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies" + "Text": "Adopt a **risk-based Conditional Access** policy for sign-in risk that applies broadly and enforces **MFA** with `every-time` reauthentication for `Medium` and `High` risk. Align with **Zero Trust** and **least privilege**: ensure MFA enrollment, exclude emergency accounts, validate in report-only, then enforce and regularly review risky sign-in reports.", + "Url": "https://hub.prowler.com/check/entra_identity_protection_sign_in_risk_enabled" } }, "Categories": [ + "identity-access", "e5" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_identity_protection_user_risk_enabled/entra_identity_protection_user_risk_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_identity_protection_user_risk_enabled/entra_identity_protection_user_risk_enabled.metadata.json index ed630e4739..ed496483dc 100644 --- a/prowler/providers/m365/services/entra/entra_identity_protection_user_risk_enabled/entra_identity_protection_user_risk_enabled.metadata.json +++ b/prowler/providers/m365/services/entra/entra_identity_protection_user_risk_enabled/entra_identity_protection_user_risk_enabled.metadata.json 
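Review bot: `AdditionalURLs` on the new side points readers to `https://azure.microsofts.workers.dev/...`, a third-party Cloudflare Workers host with a Microsoft-lookalike name rather than Microsoft documentation; a scanner's remediation guidance must not send admins to a lookalike mirror, so replace it with `https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa`. The final entry `https://entra.microsoft.com.` has a stray trailing period. The `Other` steps now say `Enable policy: On`, while the new Recommendation text says to exclude emergency accounts and validate in report-only first; the steps should say the same, e.g. `8. Exclude break-glass accounts; set Enable policy to Report-only, then switch to On after validation`.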
@@ -1,29 +1,40 @@ { "Provider": "m365", "CheckID": "entra_identity_protection_user_risk_enabled", - "CheckTitle": "Ensure that Identity Protection user risk policies are enabled", + "CheckTitle": "At least one Conditional Access policy enforces Identity Protection user risk for high-risk users", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "medium", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that Identity Protection user risk policies are enabled to detect and respond to high risk potential account compromises.", - "Risk": "Without Identity Protection user risk policies enabled, compromised accounts may go undetected, allowing attackers to exploit breached credentials and gain unauthorized access. The absence of automated responses to user risk levels increases the likelihood of security incidents, such as data breaches or privilege escalation.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "Severity": "high", + "ResourceType": "", + "Description": "**Microsoft Entra Conditional Access** has a **user risk-based policy** that targets `All` users and `All` applications, evaluates `High` user risk, and actively enforces controls requiring both **multifactor authentication** and a **secure password change** with an `AND` condition.", + "Risk": "Without an active `High` user-risk policy that forces **MFA** and secure password reset, compromised identities can persist, enabling data exfiltration, tampering, and privilege escalation. 
Report-only mode or narrow scope leaves gaps, undermining confidentiality and integrity across resources.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa?WT.mc_id=M365-MVP-6771", + "https://derkvanderwoude.medium.com/microsoft-managed-risk-remediation-93dc55c9fa47", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "https://www.linkedin.com/pulse/safeguarding-your-digital-identity-mitigating-risky-users-nosrati-1j1rf", + "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", + "https://github.com/MicrosoftLearning/AZ500-AzureSecurityTechnologies/blob/master/Instructions/Archived_Labs/LAB_02_MFAConditionalAccessandMicrosoftEntraIDProtection.md", + "https://blog.admindroid.com/top-5-microsoft-entra-id-secure-score-recommendations-to-boost-your-security/", + "https://entra.microsoft.com." + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. 4. Set the following conditions within the policy: Under Users or workload identities choose All users. Under Cloud apps or actions choose All cloud apps. Under Conditions choose User risk then Yes and select the user risk level High. Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication and Require password change. Under Session ensure Sign-in frequency is set to Every time. Click Select. 5. Under Enable policy set it to Report Only until the organization is ready to enable it. 6. Click Create.", - "Terraform": "" + "Other": "1. Sign in to the Microsoft Entra admin center and go to Protection > Conditional Access > Policies\n2. Click New policy\n3. 
Users or workload identities: select All users\n4. Target resources (Cloud apps): select All cloud apps\n5. Conditions > User risk: set Configure to Yes and select High\n6. Access controls > Grant: select Grant access, then check Require multifactor authentication and Require password change; set Require all selected controls\n7. Enable policy: On, then click Create", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\"\n\n conditions {\n client_app_types = [\"all\"]\n users {\n include_users = [\"All\"] # Critical: targets all users\n }\n applications {\n included_applications = [\"All\"] # Critical: applies to all cloud apps\n }\n user_risk_levels = [\"high\"] # Critical: enforces on high user risk\n }\n\n grant_controls {\n operator = \"AND\" # Critical: require all selected controls\n built_in_controls = [\"mfa\", \"passwordChange\"] # Critical: require MFA and password change\n }\n}\n```" }, "Recommendation": { - "Text": "Enable Identity Protection user risk policies to detect and respond to potential account compromises. Configure Conditional Access policies to enforce MFA or password resets when a high user risk level is detected. Regularly review the Risky Users section to assess potential threats before enforcing strict access controls.", - "Url": "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies" + "Text": "Adopt **least privilege** by enabling an active user-risk policy that:\n- covers `All` users and apps (exclude only break-glass)\n- triggers on `High` user risk\n- requires **MFA** and a **secure password change** together\n- reauthenticates risky sessions\n\nPair with sign-in risk policies, ensure MFA registration, and review risky-user reports to validate effectiveness.", + "Url": "https://hub.prowler.com/check/entra_identity_protection_user_risk_enabled" } }, "Categories": [ + "identity-access", "e5" ], "DependsOn": [], 
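Review bot: The Terraform in `Remediation.Code.Terraform` uses `included_applications = ["All"]`, but the azuread `applications` block attribute is `include_applications` — the sign-in-risk check in this same PR uses `include_applications`, and the misspelled form would fail `terraform validate`; change it to `include_applications = ["All"]`. The new `Other` steps and the Terraform also drop the `Sign-in frequency: Every time` session control that the removed steps had, while the new Recommendation text still promises the policy "reauthenticates risky sessions"; either restore the session control in the remediation or drop that claim. `CLI` is left empty here although the sibling sign-in-risk check gained a `New-MgIdentityConditionalAccessPolicy` example. `https://entra.microsoft.com.` again carries a trailing period.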
diff --git a/prowler/providers/m365/services/entra/entra_intune_enrollment_sign_in_frequency_every_time/entra_intune_enrollment_sign_in_frequency_every_time.metadata.json b/prowler/providers/m365/services/entra/entra_intune_enrollment_sign_in_frequency_every_time/entra_intune_enrollment_sign_in_frequency_every_time.metadata.json index 0d15f1f8d7..d1ddd615ef 100644 --- a/prowler/providers/m365/services/entra/entra_intune_enrollment_sign_in_frequency_every_time/entra_intune_enrollment_sign_in_frequency_every_time.metadata.json +++ b/prowler/providers/m365/services/entra/entra_intune_enrollment_sign_in_frequency_every_time/entra_intune_enrollment_sign_in_frequency_every_time.metadata.json 
@@ -1,29 +1,40 @@ { "Provider": "m365", "CheckID": "entra_intune_enrollment_sign_in_frequency_every_time", - "CheckTitle": "Ensure sign-in frequency for Intune Enrollment is set to every time", + "CheckTitle": "Conditional Access enforces Every Time sign-in frequency for Intune Enrollment", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that Conditional Access policies enforce sign-in frequency to Every time for Microsoft Intune Enrollment Application.", - "Risk": "If not enforced, attackers with compromised credentials may enroll a new device into Intune and gain persistent and elevated access through a bypass of compliance-based Conditional Access rules.", - "RelatedUrl": "https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/deployment-guide-enrollment", + "ResourceType": "", + "Description": "**Conditional Access** for **Microsoft Intune Enrollment** enforces the session control **sign-in frequency** set to `Every time` for all users.\n\nThis evaluates whether an active policy targets the Intune Enrollment app and requires reauthentication on each enrollment attempt.", + "Risk": "Absent `Every time` reauth at enrollment, attackers with stolen or replayed credentials can enroll rogue devices and obtain compliant access.\n\nImpacts:\n- Confidentiality: data exposure from unauthorized devices\n- Integrity: untrusted endpoints modifying resources\n- Availability: persistence via device-based access paths", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/deployment-guide-enrollment", + "https://mobile-jon.com/2024/09/09/the-magnificent-8-conditional-access-policies-of-microsoft-entra/", + "https://redmondmag.com/Articles/2024/02/27/Microsoft-Conditional-Access-Reauthentications.aspx", + 
"https://petri.com/microsoft-conditional-access-policy-reauthentication/", + "https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/conditional-access/concept-session-lifetime.md", + "https://www.tbone.se/2022/05/13/conditional-access-can-now-require-reauthentication-every-time/", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#sign-in-frequency", + "https://entra.microsoft.com." + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "az rest --method POST --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --headers 'Content-Type=application/json' --body '{\"displayName\":\"Intune Enrollment - Every time\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeUsers\":[\"All\"]},\"applications\":{\"includeApplications\":[\"d4ebce55-015a-49b5-a083-c84d1797ae8c\"]}},\"sessionControls\":{\"signInFrequency\":{\"isEnabled\":true,\"type\":\"everyTime\"}}}'", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. o Under Users include All users. o Under Target resources select Resources (formerly cloud apps), choose Select resources and add Microsoft Intune Enrollment to the list. o Under Grant select Grant access. o Check either Require multifactor authentication or Require authentication strength. o Under Session check Sign-in frequency and select Every time. 4. Under Enable policy set it to Report-only until the organization is ready to enable it. 5. Click Create", - "Terraform": "" + "Other": "1. Sign in to Microsoft Entra admin center (entra.microsoft.com)\n2. Go to Protection > Conditional Access > Policies > New policy\n3. Users > Include: select All users\n4. Target resources (Resources/Cloud apps) > Select resources: choose Microsoft Intune Enrollment\n5. Session > Sign-in frequency: select Every time\n6. 
Enable policy: On\n7. Create the policy", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\"\n\n conditions {\n users {\n include_users = [\"All\"] # critical: include all users\n }\n applications {\n include_applications = [\"d4ebce55-015a-49b5-a083-c84d1797ae8c\"] # critical: target Microsoft Intune Enrollment app\n }\n }\n\n session_controls {\n sign_in_frequency {\n is_enabled = true # critical: enable sign-in frequency control\n type = \"everyTime\" # critical: require reauthentication every time\n }\n }\n}\n```" }, "Recommendation": { - "Text": "Configure a Conditional Access policy that targets Microsoft Intune Enrollment and enforces sign-in frequency to 'Every time'. This ensures that users must reauthenticate for each Intune enrollment action, reducing the risk of unauthorized device enrollment using compromised credentials. Note: Microsoft accounts for a five-minute clock skew when 'every time' is selected, ensuring users are not prompted more frequently than once every five minutes.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#sign-in-frequency" + "Text": "Implement a **Conditional Access** policy on the **Intune Enrollment** app that sets sign-in frequency to `Every time` and applies broadly.\n\nCombine with **MFA** and device **compliance** requirements, use **least privilege** exclusions sparingly, and monitor sign-in/audit logs to strengthen **defense in depth**.", + "Url": "https://hub.prowler.com/check/entra_intune_enrollment_sign_in_frequency_every_time" } }, "Categories": [ + "identity-access", "e3", "e5" ], diff --git a/prowler/providers/m365/services/entra/entra_legacy_authentication_blocked/entra_legacy_authentication_blocked.metadata.json b/prowler/providers/m365/services/entra/entra_legacy_authentication_blocked/entra_legacy_authentication_blocked.metadata.json index 9c7541dfda..fc73e726aa 100644 
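Review bot: The `az rest` body sets `"signInFrequency":{"isEnabled":true,"type":"everyTime"}`, but in the Graph `signInFrequencySessionControl` schema `type` holds the unit (`days`/`hours`) and every-time reauthentication is expressed as `"frequencyInterval":"everyTime"` — the sign-in-risk check in this same PR uses `frequencyInterval='everyTime'`, so the two remediations disagree. The Terraform mirrors the same mistake with a `sign_in_frequency { is_enabled = true type = "everyTime" }` block; the azuread provider models this as scalar attributes, so it should read `sign_in_frequency_interval = "everyTime"` as the sign-in-risk snippet in this PR does. The hard-coded application ID `d4ebce55-015a-49b5-a083-c84d1797ae8c` is presumably the first-party Microsoft Intune Enrollment app; a short comment naming it and telling the reader to verify it in their tenant would help. The new `Other` steps also dropped the grant control (MFA or authentication strength) that the removed text required alongside the sign-in frequency.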
--- a/prowler/providers/m365/services/entra/entra_legacy_authentication_blocked/entra_legacy_authentication_blocked.metadata.json +++ b/prowler/providers/m365/services/entra/entra_legacy_authentication_blocked/entra_legacy_authentication_blocked.metadata.json 
@@ -1,29 +1,34 @@ { "Provider": "m365", "CheckID": "entra_legacy_authentication_blocked", - "CheckTitle": "Ensure that Conditional Access policy blocks legacy authentication", + "CheckTitle": "At least one Conditional Access policy blocks legacy authentication", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "critical", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that Conditional Access policy blocks legacy authentication in Microsoft Entra ID to enforce modern authentication methods and protect against credential-stuffing and brute-force attacks.", - "Risk": "Legacy authentication protocols do not support MFA, making them vulnerable to credential-stuffing and brute-force attacks. Attackers commonly exploit these protocols to bypass security controls and gain unauthorized access.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication", + "ResourceType": "", + "Description": "**Microsoft Entra Conditional Access** has an active policy that blocks **legacy authentication** for `All users` and `All cloud apps` by targeting legacy client app types (e.g., Exchange ActiveSync, other basic-auth clients) and enforcing `Block` access.", + "Risk": "Allowing legacy authentication enables password spray and credential stuffing that bypass **MFA**, leading to account takeover. Compromised sessions threaten **confidentiality** (mail, files), **integrity** (settings, data changes), and **availability**, and enable **lateral movement** across Microsoft 365.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication", + "https://entra.microsoft.com." 
+ ], "Remediation": { "Code": { - "CLI": "", + "CLI": "az rest --method post --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body '{\"displayName\":\"\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeUsers\":[\"All\"]},\"applications\":{\"includeApplications\":[\"All\"]},\"clientAppTypes\":[\"exchangeActiveSync\",\"other\"]},\"grantControls\":{\"builtInControls\":[\"block\"],\"operator\":\"OR\"}}'", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. Under Users include All users. Under Target resources include All cloud apps and do not create any exclusions. Under Conditions select Client apps and check the boxes for Exchange ActiveSync clients and Other clients. Under Grant select Block Access. Click Select. 4. Set the policy On and click Create.", - "Terraform": "" + "Other": "1. Go to Microsoft Entra admin center > Protection > Conditional Access > Policies\n2. Click New policy\n3. Users: Include > All users\n4. Target resources (cloud apps): Include > All apps\n5. Conditions > Client apps: Configure = Yes; select only Exchange ActiveSync clients and Other clients\n6. Grant > Block access > Select\n7. 
Enable policy: On, then Create", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\" # critical: enforce the policy\n\n conditions {\n users {\n include_users = [\"All\"] # critical: include all users\n }\n applications {\n include_applications = [\"All\"] # critical: include all cloud apps\n }\n client_app_types = [\"exchangeActiveSync\", \"other\"] # critical: target legacy auth clients\n }\n\n grant_controls {\n built_in_controls = [\"block\"] # critical: block access\n }\n}\n```" }, "Recommendation": { - "Text": "Enforce Conditional Access policies to block legacy authentication across all users in Microsoft Entra ID. Ensure all applications and devices use modern authentication methods such as OAuth 2.0. For necessary exceptions (e.g., multifunction printers), configure secure alternatives following Microsoft's mail flow best practices.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication" + "Text": "Enforce a tenant-wide policy to **block legacy authentication** for `All users` and `All cloud apps`, targeting legacy client app types. Migrate apps and devices to **modern authentication**. Keep minimal, monitored exclusions for break-glass/service accounts, prefer **managed identities**, and apply **zero trust** and **least privilege**.", + "Url": "https://hub.prowler.com/check/entra_legacy_authentication_blocked" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_managed_device_required_for_authentication/entra_managed_device_required_for_authentication.metadata.json b/prowler/providers/m365/services/entra/entra_managed_device_required_for_authentication/entra_managed_device_required_for_authentication.metadata.json index 70d1b60333..a4439437bd 100644 
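Review bot: The Terraform `grant_controls` block sets `built_in_controls = ["block"]` without `operator`, which the azuread provider marks as required (the `az rest` body in the same hunk does include `"operator":"OR"`), so add `operator = "OR"` to keep the two remediations equivalent and the HCL valid. The new Recommendation text advises keeping "monitored exclusions for break-glass/service accounts" from a legacy-authentication block, which reintroduces exactly the MFA-less password-spray path the Risk text describes; the removed text's "do not create any exclusions" was the safer guidance, so I would reword to `Do not exclude users from this policy; migrate remaining basic-auth clients (e.g. multifunction printers) to modern authentication following Microsoft's mail flow guidance`. The CLI body also ships `"displayName":""`, which Graph is likely to reject; give it a placeholder name. `https://entra.microsoft.com.` has a trailing period.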
--- a/prowler/providers/m365/services/entra/entra_managed_device_required_for_authentication/entra_managed_device_required_for_authentication.metadata.json +++ b/prowler/providers/m365/services/entra/entra_managed_device_required_for_authentication/entra_managed_device_required_for_authentication.metadata.json 
@@ -1,29 +1,35 @@ { "Provider": "m365", "CheckID": "entra_managed_device_required_for_authentication", - "CheckTitle": "Ensure that only managed devices are required for authentication", + "CheckTitle": "Conditional Access policies require authentication from a managed device for all users and applications", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "critical", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that only managed devices are required for authentication to reduce the risk of unauthorized access from unsecured or unmanaged devices.", - "Risk": "Allowing authentication from unmanaged devices increases the attack surface, as these devices may lack security controls, endpoint detection, and compliance policies. Attackers could leverage compromised credentials from unsecured devices to gain unauthorized access to corporate resources.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "Severity": "high", + "ResourceType": "", + "Description": "**Microsoft Entra Conditional Access** evaluates whether an enabled policy targeting `all users` and `all applications` includes grant controls that require a **managed device** (hybrid domain-joined) with **multifactor authentication** during sign-in.", + "Risk": "Sign-ins from **unmanaged devices** erode confidentiality and integrity: compromised hosts can steal tokens, hijack sessions, and exfiltrate data. With leaked credentials, attackers bypass endpoint controls, gain persistent access, and move laterally to alter resources.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune", + "https://entra.microsoft.com." 
+ ], "Remediation": { "Code": { - "CLI": "", + "CLI": "New-MgIdentityConditionalAccessPolicy -DisplayName \"\" -State \"enabled\" -Conditions @{ Users=@{ IncludeUsers=@(\"All\") }; Applications=@{ IncludeApplications=@(\"All\") } } -GrantControls @{ Operator=\"OR\"; BuiltInControls=@(\"mfa\",\"domainJoinedDevice\") }", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. Under Users include All users. Under Target resources include All cloud apps. Under Grant select Grant access. Check Require multifactor authentication and Require Microsoft Entra hybrid joined device. Choose Require one of the selected controls and click Select at the bottom. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. Click Create.", - "Terraform": "" + "Other": "1. In Microsoft Entra admin center, go to Entra ID > Security > Conditional Access > Policies\n2. Select New policy\n3. Users: Include > All users\n4. Target resources: Include > All cloud apps\n5. Grant: Select Grant access, check Require multifactor authentication and Require Microsoft Entra hybrid joined device, then choose Require one of the selected controls\n6. Enable policy: On\n7. 
Create to save", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"example\" {\n display_name = \"\"\n state = \"enabled\" # Critical: must be enabled (not report-only) to enforce\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: target all users\n }\n applications {\n include_applications = [\"All\"] # Critical: target all cloud apps\n }\n }\n\n grant_controls {\n operator = \"OR\" # Critical: require one of the selected controls\n built_in_controls = [\"mfa\", \"domainJoinedDevice\"] # Critical: MFA or Microsoft Entra hybrid joined device\n }\n}\n```" }, "Recommendation": { - "Text": "Enforce Conditional Access policies requiring authentication only from managed devices. Configure policies to allow access only from Entra hybrid joined or Intune-compliant devices. This ensures that only secure, policy-enforced endpoints can access corporate resources, reducing the risk of credential theft and unauthorized access.", - "Url": "https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune" + "Text": "Enforce **Conditional Access** to allow only **managed devices** (Entra hybrid joined or Intune-compliant) and require **MFA**, aligning with **Zero Trust** and **least privilege**. Apply to all users and apps, limit exclusions to break-glass accounts, and regularly review device compliance to prevent access from unknown endpoints.", + "Url": "https://hub.prowler.com/check/entra_managed_device_required_for_authentication" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_managed_device_required_for_mfa_registration/entra_managed_device_required_for_mfa_registration.metadata.json b/prowler/providers/m365/services/entra/entra_managed_device_required_for_mfa_registration/entra_managed_device_required_for_mfa_registration.metadata.json index cba39dd796..a94c3b71bb 100644 
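Review bot: The new Description and Recommendation claim the policy requires a managed device together with MFA, but the CLI and Terraform both set `operator = "OR"` over `["mfa", "domainJoinedDevice"]` and the `Other` steps say "Require one of the selected controls", so a sign-in from an unmanaged device that completes MFA satisfies the policy and a managed device is never actually required. Either the CheckTitle/Description should say "MFA or a Microsoft Entra hybrid joined device" to match what the remediation configures, or, if a managed device is the intent, the remediation should use `operator = "AND"` (and the check logic, which I cannot see in this diff, would need to agree). The Recommendation also mentions Intune-compliant devices, yet the remediation only offers `domainJoinedDevice`; `compliantDevice` is the control for Intune compliance and is the usual choice for cloud-only tenants. `https://entra.microsoft.com.` has a trailing period.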
--- a/prowler/providers/m365/services/entra/entra_managed_device_required_for_mfa_registration/entra_managed_device_required_for_mfa_registration.metadata.json +++ b/prowler/providers/m365/services/entra/entra_managed_device_required_for_mfa_registration/entra_managed_device_required_for_mfa_registration.metadata.json 
@@ -1,29 +1,35 @@ { "Provider": "m365", "CheckID": "entra_managed_device_required_for_mfa_registration", - "CheckTitle": "Ensure that only managed devices are required for MFA registration", + "CheckTitle": "Tenant has a Conditional Access policy that requires a managed device for MFA registration for all users", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "critical", - "ResourceType": "Conditional Access Policy", - "Description": "Ensure that only managed devices are required for MFA registration. This ensures that users enroll MFA using secure, organization-controlled devices.", - "Risk": "If users are allowed to register MFA on unmanaged or potentially compromised devices, attackers with stolen credentials may register their own MFA methods, effectively locking out legitimate users and taking over accounts. This increases the risk of unauthorized access, data breaches, and privilege escalation.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "Severity": "high", + "ResourceType": "", + "Description": "Microsoft Entra **Conditional Access** evaluates whether **MFA registration** is restricted to organization-managed devices. 
It looks for policies that target the security info registration action for all users and require a **managed (compliant or hybrid-joined) device** when registering authentication methods.", + "Risk": "Allowing **MFA enrollment** from unmanaged or compromised devices enables attackers with stolen passwords to add their own factors, causing **account takeover** and potential lockout of the legitimate user.\n\nThis jeopardizes **confidentiality** (data access), **integrity** (unauthorized changes), and **availability** (user access disruption).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-registration", + "https://entra.microsoft.com." + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "New-MgIdentityConditionalAccessPolicy -BodyParameter @{displayName=\"\";state=\"enabled\";conditions=@{users=@{includeUsers=@(\"All\")};applications=@{includeUserActions=@(\"urn:user:registersecurityinfo\")}};grantControls=@{operator=\"OR\";builtInControls=@(\"mfa\",\"domainJoinedDevice\")}}", "NativeIaC": "", - "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. Under Users include All users. Under Target resources select User actions and check Register security information. Under Grant select Grant access. Check Require multifactor authentication and Require Microsoft Entra hybrid joined device. Choose Require one of the selected controls and click Select at the bottom. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. Click Create.", - "Terraform": "" + "Other": "1. Go to Microsoft Entra admin center > Protection > Conditional Access > Policies\n2. Click New policy\n3. Users: Include > All users\n4. 
Target resources: User actions > check Register security information\n5. Grant: Grant access > check Require multifactor authentication and Require Microsoft Entra hybrid joined device > select Require one of the selected controls\n6. Enable policy: On\n7. Click Create", + "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\" # Critical: policy must be enforced (not report-only)\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: applies to all users\n }\n applications {\n include_user_actions = [\"urn:user:registersecurityinfo\"] # Critical: targets security info (MFA) registration\n }\n }\n\n grant_controls {\n operator = \"OR\" # Critical: required by the check logic\n built_in_controls = [\"mfa\", \"domainJoinedDevice\"] # Critical: require MFA or hybrid joined device\n }\n}\n```" }, "Recommendation": { - "Text": "Enforce MFA registration only from managed devices by requiring compliance through Intune or Entra hybrid join. This ensures that users enroll MFA using secure, organization-controlled devices.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-registration" + "Text": "Enforce **MFA registration** only from **managed devices** using Conditional Access. Apply the policy broadly, with minimal exclusions for break-glass accounts.\n\nAlign with **Zero Trust** and **least privilege** by requiring devices be compliant or hybrid-joined, monitoring enrollment activity, and regularly reviewing policies to prevent bypass and abuse.", + "Url": "https://hub.prowler.com/check/entra_managed_device_required_for_mfa_registration" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], 
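Review bot: The CLI and Terraform remediations both create the policy with an empty name (`displayName=""` / `display_name = ""`, and the Terraform resource label is `""`), which Graph rejects for conditionalAccessPolicy and HCL does not parse; give both a concrete name such as `CA-ManagedDevice-MFARegistration`. As far as I recall the hashicorp/azuread provider spells these attributes `included_users`, `included_applications` and `included_user_actions` rather than `include_users` / `include_user_actions`, so the snippet is worth a `terraform validate` before it ships. The Recommendation text asks for break-glass exclusions, yet both snippets target `All` users with `state=enabled` and no `excluded_users`, and the rewritten Other steps drop the earlier "Report-only first" guidance, so a tenant applying this verbatim can lock its emergency accounts out of security-info registration. The `https://entra.microsoft.com.` entry in AdditionalURLs has a stray trailing dot.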
diff --git a/prowler/providers/m365/services/entra/entra_password_hash_sync_enabled/entra_password_hash_sync_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_password_hash_sync_enabled/entra_password_hash_sync_enabled.metadata.json index ab07066e4c..0269e5de1b 100644 --- a/prowler/providers/m365/services/entra/entra_password_hash_sync_enabled/entra_password_hash_sync_enabled.metadata.json +++ b/prowler/providers/m365/services/entra/entra_password_hash_sync_enabled/entra_password_hash_sync_enabled.metadata.json 
@@ -1,30 +1,35 @@ { "Provider": "m365", "CheckID": "entra_password_hash_sync_enabled", - "CheckTitle": "Ensure that password hash sync is enabled for hybrid deployments.", + "CheckTitle": "Microsoft Entra organization has password hash synchronization enabled for hybrid deployments", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "Organization Settings", - "Description": "Ensure that password hash synchronization is enabled in hybrid Microsoft Entra deployments to facilitate seamless authentication and leaked credential protection.", - "Risk": "If password hash synchronization is not enabled, users may need to maintain multiple passwords, increasing security risks. Additionally, leaked credential detection for hybrid accounts would not be available, reducing the organization's ability to prevent account compromises.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs", + "ResourceType": "", + "Description": "Hybrid Microsoft Entra tenants use **password hash synchronization** to replicate on-premises Active Directory password hashes to Entra for cloud authentication.\n\n*Applies to hybrid sync scenarios, not fully federated domains.*", + "Risk": "Without **password hash synchronization**, hybrid accounts lose **leaked credential detection** and cloud risk-based protections, weakening confidentiality. Authentication remains tied to on-prem services, reducing availability during outages. 
Users may reuse passwords across systems, increasing **credential stuffing** exposure.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs", + "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization", + "https://www.youtube.com/watch?v=GrYxD6KaBCQ" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "Set-ADSyncAADCompanyFeature -PasswordHashSync $true", "NativeIaC": "", - "Other": "1. Log in to the on-premises server hosting Microsoft Entra Connect. 2. Open Azure AD Connect and click Configure. 3. Select 'Customize synchronization options' and click Next. 4. Provide admin credentials. 5. On the Optional features screen, check 'Password hash synchronization' and click Next. 6. Click Configure and wait for the process to complete.", + "Other": "1. Sign in to the on-premises server running Microsoft Entra (Azure AD) Connect\n2. Open Azure AD Connect and select Configure\n3. Choose Customize synchronization options and click Next\n4. Sign in with a Global Administrator account\n5. On Optional features, check Password hash synchronization\n6. Click Configure and wait for completion", "Terraform": "" }, "Recommendation": { - "Text": "Enable password hash synchronization in Microsoft Entra Connect to streamline authentication and enhance security monitoring.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs" + "Text": "Enable **password hash synchronization** for hybrid identities and keep it active even alongside federation as a resilient fallback. Combine with **MFA**, **Conditional Access**, and strong password policy enforcement for **defense in depth**. Apply **least privilege** and monitor sign-in risk to prevent account compromise.", + "Url": "https://hub.prowler.com/check/entra_password_hash_sync_enabled" } }, "Categories": [ - "e3" + "identity-access" ], "DependsOn": [], "RelatedTo": [], 
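Review bot: The Categories edit here replaces `"e3"` with `"identity-access"` instead of adding to it, unlike the sibling checks in this PR which keep both; if the check still belongs to the E3 scope this silently drops it from that filter, and the list should read `"identity-access", "e3"`. Step 4 of the manual remediation asks for a Global Administrator, but Microsoft Entra Connect configuration is supported with the less privileged Hybrid Identity Administrator role, which is the least-privilege option the check's own Recommendation calls for. The `Set-ADSyncAADCompanyFeature -PasswordHashSync $true` one-liner flips the tenant feature flag; I would confirm it alone is enough for the check to pass, since the wizard path in the Other steps also configures the connector's password-sync rules. The YouTube entry in AdditionalURLs is not a durable reference and could be dropped in favour of the learn.microsoft.com pages already listed.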
diff --git a/prowler/providers/m365/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.metadata.json b/prowler/providers/m365/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.metadata.json index b60aee0f5e..a7163f2174 100644 --- a/prowler/providers/m365/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.metadata.json +++ b/prowler/providers/m365/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.metadata.json 
@@ -1,29 +1,35 @@ { "Provider": "m365", "CheckID": "entra_policy_ensure_default_user_cannot_create_tenants", - "CheckTitle": "Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'", + "CheckTitle": "Tenant restricts non-admin users from creating tenants", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "Authorization Policy", - "Description": "Require administrators or appropriately delegated users to create new tenants.", - "Risk": "It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions", + "Severity": "medium", + "ResourceType": "", + "Description": "Microsoft Entra authorization policy defines default user permissions, including whether **non-admin users** are `allowed_to_create_tenants`. This evaluates if tenant creation is disabled for default users via `default_user_role_permissions`.", + "Risk": "Allowing default users to create tenants spawns unmanaged shadow tenants. Creators become **Global Administrator**, enabling escalation from compromised accounts and sidestepping governance. 
This degrades **confidentiality** and **integrity**, widens the **attack surface**, and introduces hidden costs.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://entra.microsoft.com", + "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions", + "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#tenant-creator" + ], "Remediation": { "Code": { - "CLI": "Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateTenants = $false }", + "CLI": "Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateTenants = $false }", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com 2. Click to expand Identity > Users > User settings 3. Set 'Restrict non-admin users from creating tenants' to 'Yes' then 'Save'", + "Other": "1. Go to Microsoft Entra admin center: https://entra.microsoft.com\n2. Navigate to Identity > Users > User settings\n3. Set \"Restrict non-admin users from creating tenants\" to Yes\n4. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Enforcing this setting will ensure that only authorized users are able to create new tenants.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#tenant-creator" + "Text": "Enforce **least privilege**: set `allowed_to_create_tenants=false` so only authorized staff-or those with the **Tenant Creator** role-may create tenants. Use **separation of duties** and **PIM** for just-in-time access, and routinely review audit events (e.g., *Create Company*) to deter and detect misuse.", + "Url": "https://hub.prowler.com/check/entra_policy_ensure_default_user_cannot_create_tenants" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], 
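Review bot: The Description quotes `allowed_to_create_tenants` and `default_user_role_permissions`, which look like Prowler's internal model names, while the CLI in the same hunk uses the Graph names `DefaultUserRolePermissions` / `AllowedToCreateTenants`; a reader remediating from the Description will not find those snake_case fields in Graph or the portal, so the text should reference `defaultUserRolePermissions.allowedToCreateTenants` (portal: "Restrict non-admin users from creating tenants"). Worth a caveat in Recommendation that the setting only blocks future creation: users who already spun up tenants remain Global Administrator there, so discovering existing shadow tenants (for instance via the *Create Company* audit events the text already mentions) is a separate step. The severity drop from high to medium is not explained in the hunk; given the Risk text itself says creators become Global Administrator of an ungoverned tenant, a one-line rationale would help reviewers.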
diff --git a/prowler/providers/m365/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.metadata.json b/prowler/providers/m365/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.metadata.json index 60d4da5290..adf9ea0b33 100644 --- a/prowler/providers/m365/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.metadata.json +++ b/prowler/providers/m365/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.metadata.json 
@@ -1,29 +1,38 @@ { "Provider": "m365", "CheckID": "entra_policy_guest_invite_only_for_admin_roles", - "CheckTitle": "Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'", + "CheckTitle": "Entra tenant guest invitations are restricted to specific admin roles or disabled", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "medium", - "ResourceType": "Authorization Policy", - "Description": "Restrict invitations to users with specific administrative roles only.", - "Risk": "Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain 'Need to Know' permissions and prevents inadvertent access to data. By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure", + "Severity": "high", + "ResourceType": "", + "Description": "Microsoft Entra authorization policy controls **guest invitations** via `guest_invite_settings`. It should be `adminsAndGuestInviters` or `none`, so only specific **administrative roles** can invite guests-or invitations are disabled.", + "Risk": "Unrestricted invites allow broad creation of external identities. A compromised user can onboard attacker-controlled guests, gaining ongoing access to teams, sites, and apps. 
This erodes **confidentiality**, enables **privilege abuse**, and complicates revocation and audit.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#guest-inviter", + "https://learn.microsoft.com/en-gb/answers/questions/2007215/entra-id-external-collaboration-setting-guest-nvit", + "https://entra.microsoft.com/.", + "https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure", + "https://learn.microsoft.com/nb-no/Azure/active-directory/external-identities/external-collaboration-settings-configure", + "https://learn.microsoft.com/en-us/microsoft-365/solutions/limit-who-can-invite-guests?view=o365-worldwide" + ], "Remediation": { "Code": { - "CLI": "Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom 'adminsAndGuestInviters'", + "CLI": "Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -AllowInvitesFrom adminsAndGuestInviters", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Expand Identity > External Identities and select External collaboration settings. 3. Under Guest invite settings, set 'Guest invite restrictions' to 'Only users assigned to specific admin roles can invite guest users'. 4. Click Save.", + "Other": "1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com)\n2. Go to Entra ID > External Identities > External collaboration settings\n3. Under Guest invite settings, select \"Only users assigned to specific admin roles can invite guest users\" (or select \"No one in the organization can invite guest users\" to disable)\n4. 
Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Restrict guest user invitations to only designated administrators or the Guest Inviter role to enhance security.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#guest-inviter" + "Text": "Apply **least privilege**: restrict invites to the **Guest Inviter** or designated admin roles (`adminsAndGuestInviters`), or disable invites (`none`).\n- Require approval and justification\n- Allowlist partner domains and use access reviews\n- Combine with Conditional Access and cross-tenant policies for defense in depth", + "Url": "https://hub.prowler.com/check/entra_policy_guest_invite_only_for_admin_roles" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.metadata.json b/prowler/providers/m365/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.metadata.json index 601abf8965..a17d9eac10 100644 --- a/prowler/providers/m365/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.metadata.json +++ b/prowler/providers/m365/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.metadata.json 
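Review bot: AdditionalURLs carries `https://entra.microsoft.com/.` (stray trailing dot) and a Norwegian-locale copy of the same external-collaboration page already listed under `en-us`; the broken URL and the duplicate should go, and the Q&A forum link is a weak reference for a shipped check. The Description names the property `guest_invite_settings`, whereas the CLI correctly targets the Graph property `allowInvitesFrom`; aligning the text on `allowInvitesFrom` avoids sending readers after a field that does not exist in Graph. One practical caveat for the `none` option the title now accepts: it blocks invitations from every role including Guest Inviter, so tenants choosing it need to confirm which onboarding path remains for legitimate partners before enabling it.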
@@ -1,30 +1,40 @@ { "Provider": "m365", "CheckID": "entra_policy_guest_users_access_restrictions", - "CheckTitle": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'", + "CheckTitle": "Entra authorization policy restricts guest user access to properties and memberships of their own directory objects", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "Authorization Policy", - "Description": "Limit guest user permissions.", - "Risk": "Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction. 1. Guest users have the same access as members (most inclusive), 2. Guest users have limited access to properties and memberships of directory objects (default value), 3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). The recommended option is the 3rd, most restrictive: 'Guest user access is restricted to their own directory object'.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions", + "ResourceType": "", + "Description": "**Microsoft Entra** authorization policy evaluates **guest user access restrictions** being set to the most restrictive level, where guests can view only their own directory object and related memberships (`Guest user access is restricted to properties and memberships of their own directory objects`).", + "Risk": "Without this restriction, guests can read broader directory metadata and group memberships, enabling reconnaissance that harms **confidentiality**. 
A compromised guest gains context for phishing and privilege escalation, risking unauthorized changes (**integrity**) and disruption of collaboration spaces (**availability**).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#member-and-guest-users", + "https://www.manageengine.com/microsoft-365-management-reporting/kb/how-to-restrict-guest-access-permissions-in-entra-id.html", + "https://entra.microsoft.com/.", + "https://blog.admindroid.com/guest-user-access-restrictions-in-microsoft-entra-id/", + "https://pizagame.com/api/game-proxy?url=https://learn.microsoft.com/en-us/microsoftteams/guest-experience", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/restrict-guest-user-access.html", + "https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions", + "https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/fundamentals/users-default-permissions.md?context=/active-directory/roles/context/ugr-context" + ], "Remediation": { "Code": { - "CLI": "Update-MgPolicyAuthorizationPolicy -GuestUserRoleId ", + "CLI": "Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Expand Identity > External Identities and select External collaboration settings. 3. Under Guest user access, set 'Guest user access restrictions' to either 'Guest users have limited access to properties and memberships of directory objects' or 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'.", - "Terraform": "" + "Other": "1. Sign in to Microsoft Entra admin center (https://entra.microsoft.com)\n2. Go to Identity > External Identities > External collaboration settings\n3. 
Under Guest user access, select: \"Guest user access is restricted to properties and memberships of their own directory objects\"\n4. Click Save", + "Terraform": "```hcl\nresource \"azuread_authorization_policy\" \"\" {\n guest_user_role_id = \"2af84b1e-32c8-42b7-82bc-daa82404023b\" # Critical: sets guests to the most restrictive role (own objects only)\n}\n```" }, "Recommendation": { - "Text": "Restrict guest user access in Microsoft Entra to limit the exposure of directory objects and reduce security risks.", - "Url": "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#member-and-guest-users" + "Text": "Set guest access to the most restrictive level (`Guest user access is restricted...`) to enforce **least privilege**.\n- Avoid assigning admin roles to guests\n- Use time-bound access with approvals\n- Apply **Conditional Access** and limit group visibility\n- Run periodic **access reviews** for **defense in depth**", + "Url": "https://hub.prowler.com/check/entra_policy_guest_users_access_restrictions" } }, "Categories": [ - "e3" + "identity-access" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/m365/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.metadata.json b/prowler/providers/m365/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.metadata.json index b643fd5b4f..e11b5b2e95 100644 --- a/prowler/providers/m365/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.metadata.json +++ b/prowler/providers/m365/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.metadata.json 
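Review bot: AdditionalURLs includes `https://pizagame.com/api/game-proxy?url=https://learn.microsoft.com/en-us/microsoftteams/guest-experience`, a third-party proxy wrapping a Microsoft docs page; a security tool must not ship links that route users through an unrelated domain, so replace it with the direct `https://learn.microsoft.com/en-us/microsoftteams/guest-experience` URL. The same list has `https://entra.microsoft.com/.` with a stray dot and several vendor-blog links that add little beyond the Microsoft pages already present. The Terraform snippet declares `resource "azuread_authorization_policy" ""` with an empty label, which HCL rejects, and I cannot find an `azuread_authorization_policy` resource in the hashicorp/azuread provider — confirm it exists or drop the block rather than shipping unverifiable IaC. Categories here replaces `"e3"` with `"identity-access"` rather than adding it, unlike the sibling checks in this PR; if that is unintended the list should be `"identity-access", "e3"`.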
@@ -1,29 +1,40 @@ { "Provider": "m365", "CheckID": "entra_policy_restricts_user_consent_for_apps", - "CheckTitle": "Ensure 'User consent for applications' is set to 'Do not allow user consent'", + "CheckTitle": "'User consent for applications' is set to 'Do not allow user consent'", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Authorization Policy", - "Description": "Require administrators to provide consent for applications before use.", - "Risk": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", - "RelatedUrl": "https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/configure-user-consent?pivots=portal", + "ResourceType": "", + "Description": "**Microsoft Entra** tenant settings restrict **user consent to applications**, preventing end users from granting delegated permissions to apps on their behalf. Only **administrator-approved** or policy-allowed consents are permitted.", + "Risk": "Allowing end users to grant consent enables **consent phishing** and stealth access to mail, files, and directory data, impacting **confidentiality** and **integrity**. 
Attackers can obtain long-lived refresh tokens via `offline_access`, persist, and act as the user, evading detection.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/configure-user-consent?pivots=portal", + "https://help.otter.ai/hc/en-us/articles/25641965784343-Microsoft-Need-admin-approval-sign-in-issue", + "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent", + "https://stackoverflow.com/questions/78023687/azure-entra-id-authentication-requiring-admin-consent", + "https://www.codetwo.com/kb/resolving-need-admin-approval-error/", + "https://entra.microsoft.com/);", + "https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/enterprise-apps/user-admin-consent-overview.md", + "https://www.linkedin.com/pulse/how-manage-users-consent-applications-within-azure-ad-entra-id-alcpf" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "az rest --method patch --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy --body \"{\\\"defaultUserRolePermissions\\\":{\\\"permissionGrantPoliciesAssigned\\\":[\\\"ManagePermissionGrantsForOwnedResource.DeveloperConsent\\\"]}}\"", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com/); 2. Click to expand Identity > Applications and select Enterprise applications; 3. Under Security select Consent and permissions > User consent settings; 4. Under User consent for applications select Do not allow user consent; 5. Click the Save option at the top of the window.", + "Other": "1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com)\n2. Go to Identity > Applications > Enterprise applications\n3. Select Consent and permissions > User consent settings\n4. Under User consent for applications, select Do not allow user consent\n5. 
Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Disable user consent for applications in the Microsoft Entra admin center. This ensures that end users and group owners cannot grant consent to applications, requiring administrator approval for all future consent operations, thereby reducing the risk of unauthorized access to company data.", - "Url": "https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/configure-user-consent?pivots=portal" + "Text": "Disable broad user consent and require **admin approval** for app permissions. If consent is needed, allow only **verified publishers** and low-impact scopes via app consent policies, and enable the **admin consent workflow**. Apply **least privilege**, review grants, and revoke unused consents regularly.", + "Url": "https://hub.prowler.com/check/entra_policy_restricts_user_consent_for_apps" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/entra/entra_thirdparty_integrated_apps_not_allowed/entra_thirdparty_integrated_apps_not_allowed.metadata.json b/prowler/providers/m365/services/entra/entra_thirdparty_integrated_apps_not_allowed/entra_thirdparty_integrated_apps_not_allowed.metadata.json index 85309efe5e..9d6518e6ab 100644 --- a/prowler/providers/m365/services/entra/entra_thirdparty_integrated_apps_not_allowed/entra_thirdparty_integrated_apps_not_allowed.metadata.json +++ b/prowler/providers/m365/services/entra/entra_thirdparty_integrated_apps_not_allowed/entra_thirdparty_integrated_apps_not_allowed.metadata.json 
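Review bot: The `az rest` remediation sets `permissionGrantPoliciesAssigned` to `["ManagePermissionGrantsForOwnedResource.DeveloperConsent"]`, but the portal option "Do not allow user consent" that this check's title and Other steps prescribe corresponds to an empty list, `"permissionGrantPoliciesAssigned":[]`; leaving a grant policy assigned keeps some user-initiated consent enabled, so a tenant that runs this command may still fail the check. If the intent is to preserve developer consent for owned apps, the Description should say so and the title should not claim consent is fully disabled. AdditionalURLs contains `https://entra.microsoft.com/);` (copy-paste residue) plus otter.ai, codetwo, Stack Overflow and LinkedIn links, which are end-user troubleshooting articles rather than references for this control and should be pruned. It would also help to state in Recommendation that the admin consent workflow is what keeps users from hitting dead-end "Need admin approval" prompts once user consent is disabled.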
@@ -1,29 +1,34 @@ { "Provider": "m365", "CheckID": "entra_thirdparty_integrated_apps_not_allowed", - "CheckTitle": "Ensure third party integrated applications are not allowed", + "CheckTitle": "Authorization policy disallows app creation by non-admin users", "CheckType": [], "ServiceName": "entra", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "User settings", - "Description": "Require administrators or appropriately delegated users to register third-party applications.", - "Risk": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.", - "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity-platform/how-applications-are-added#who-has-permission-to-add-applications-to-my-microsoft-entra-instance", + "ResourceType": "", + "Description": "**Microsoft Entra authorization policy** restricts registration of **third-party applications**, verifying that **non-admin users** cannot create app registrations and that only administrators or explicitly delegated roles can add integrated apps.", + "Risk": "Allowing users to create apps enables **consent phishing** and uncontrolled **service principals** with long-lived secrets, risking **data exfiltration** via over-privileged API access, **privilege escalation** through abused app permissions, and tenant **persistence**. 
This degrades confidentiality, integrity, and availability.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications", + "https://learn.microsoft.com/en-us/entra/identity-platform/how-applications-are-added#who-has-permission-to-add-applications-to-my-microsoft-entra-instance" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy' -Body '{\"defaultUserRolePermissions\":{\"allowedToCreateApps\":false}}' -ContentType 'application/json'", "NativeIaC": "", - "Other": "1. From Entra select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Ensure that Users can register applications is set to No", + "Other": "1. Sign in to the Microsoft Entra admin center\n2. Go to Identity > Users > User settings\n3. Set \"Users can register applications\" to \"No\"\n4. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Disable third-party integrated application permissions unless explicitly required. If third-party applications are necessary, implement strict approval processes and security controls to mitigate risks associated with external integrations.", - "Url": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications" + "Text": "Restrict app registration to administrators or narrowly scoped delegated roles, following **least privilege** and **separation of duties**. Require **admin consent** and formal review for external integrations, disable broad user consent, and audit app creations and permissions to enforce **defense in depth**.", + "Url": "https://hub.prowler.com/check/entra_thirdparty_integrated_apps_not_allowed" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], 
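Review bot: The new Risk text attributes **consent phishing** to users being able to create apps, but `allowedToCreateApps` only governs app registration in this tenant; consent-phishing apps are typically multi-tenant applications registered in an attacker's tenant, which this setting does not block — that exposure is governed by the user-consent policy (`permissionGrantPoliciesAssigned`). Suggest rewording the opening Risk sentence to `Allowing users to register apps creates uncontrolled service principals with long-lived secrets and delegated or application permissions that can be abused for data exfiltration, privilege escalation and persistence.` and leaving consent phishing to the user-consent check. The title now says "app creation by non-admin users" while the CheckID and Description still speak of "third-party integrated applications"; one line stating that the underlying setting is `defaultUserRolePermissions.allowedToCreateApps` (portal: "Users can register applications") would tie the three together. Worth adding to Recommendation that blocking registration does not remove apps already registered by users, so inventorying existing owner-created app registrations and their credentials is a follow-up step.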
diff --git a/prowler/providers/m365/services/entra/entra_users_mfa_capable/entra_users_mfa_capable.metadata.json b/prowler/providers/m365/services/entra/entra_users_mfa_capable/entra_users_mfa_capable.metadata.json index 594138cccc..f04acd4965 100644 --- a/prowler/providers/m365/services/entra/entra_users_mfa_capable/entra_users_mfa_capable.metadata.json +++ b/prowler/providers/m365/services/entra/entra_users_mfa_capable/entra_users_mfa_capable.metadata.json 
@@ -1,29 +1,36 @@
 {
 "Provider": "m365",
 "CheckID": "entra_users_mfa_capable",
- "CheckTitle": "Ensure all users are MFA capable",
+ "CheckTitle": "Entra user is MFA capable",
 "CheckType": [],
 "ServiceName": "entra",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Conditional Access Policy",
- "Description": "Ensure all users are being registered and enabled for multifactor authentication.",
- "Risk": "Users who are not MFA capable are more vulnerable to account compromise, as they may rely solely on single-factor authentication (typically a password), which can be easily phished or cracked.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "Microsoft Entra users have a registered and enabled **multifactor authentication** method (`MFA capable`). The evaluation targets enabled accounts and identifies those lacking any usable second factor.",
+ "Risk": "Without **MFA**, accounts are vulnerable to **phishing**, **password spraying**, and credential reuse, enabling takeover. 
Attackers can access mail and files, change settings, and move laterally, harming **confidentiality**, **integrity**, and **availability** of M365 resources.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userdevicesettings",
+ "https://www.cisa.gov/resources-tools/services/m365-entra-id",
+ "https://azure.microsofts.workers.dev/en-us/entra/identity/authentication/howto-mfa-userstates",
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "New-MgUserAuthenticationPhoneMethod -UserId -PhoneType mobile -PhoneNumber \"+15555550100\"",
 "NativeIaC": "",
- "Other": "Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies. Administrators should review each user identified on a case-by-case basis.",
+ "Other": "1. In the Microsoft Entra admin center, go to Entra ID > Users\n2. Select the user marked as not MFA capable\n3. Select Authentication methods > + Add authentication method\n4. Choose Phone number, enter the number in E.164 format (e.g., +15555550100), and select Add\n5. Repeat for each failing user",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Ensure all member users are MFA capable by registering and enabling a strong authentication method that complies with the organization's authentication policy. Regularly review user status to detect gaps in MFA deployment and correct misconfigurations.",
- "Url": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"
+ "Text": "Enforce **MFA** for all enabled users, prioritizing **phishing-resistant** methods (`FIDO2`/`passkeys`/`CBA`) and limiting `SMS`/`voice`. Apply least privilege and require MFA for privileged roles. 
Require registration during onboarding and routinely review coverage to sustain defense-in-depth.",
+ "Url": "https://hub.prowler.com/check/entra_users_mfa_capable"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/entra/entra_users_mfa_enabled/entra_users_mfa_enabled.metadata.json b/prowler/providers/m365/services/entra/entra_users_mfa_enabled/entra_users_mfa_enabled.metadata.json
index 5d6aff1529..835bc950e8 100644
--- a/prowler/providers/m365/services/entra/entra_users_mfa_enabled/entra_users_mfa_enabled.metadata.json
+++ b/prowler/providers/m365/services/entra/entra_users_mfa_enabled/entra_users_mfa_enabled.metadata.json
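Review bot: The new `AdditionalURLs` list includes `https://azure.microsofts.workers.dev/en-us/entra/identity/authentication/howto-mfa-userstates`, which is a Cloudflare Workers lookalike of the Microsoft docs host rather than learn.microsoft.com; check metadata that a security tool tells operators to follow must not point at a non-Microsoft mirror, so replace it with `https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates`. The new `CLI` remediation is also incomplete and contradicts the Recommendation in the same hunk: `-UserId` carries no value, and registering a mobile phone method enrolls SMS/voice, the exact methods the Recommendation says to limit. Suggest `New-MgUserAuthenticationPhoneMethod -UserId "<user-object-id-or-upn>" -PhoneType mobile -PhoneNumber "<user's E.164 number>"` plus a sentence in `Other` stating that a phone method is a stop-gap until the user registers Microsoft Authenticator or a phishing-resistant method. The Severity drop from critical to high is not explained anywhere in the hunk and deserves a line in the PR description.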
@@ -1,29 +1,40 @@
 {
 "Provider": "m365",
 "CheckID": "entra_users_mfa_enabled",
- "CheckTitle": "Ensure multifactor authentication is enabled for all users.",
+ "CheckTitle": "Multifactor authentication is enforced for all users",
 "CheckType": [],
 "ServiceName": "entra",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "Conditional Access Policy",
- "Description": "Ensure that multifactor authentication (MFA) is enabled for all users to enhance security and reduce the risk of unauthorized access.",
- "Risk": "Without multifactor authentication (MFA), users are at a higher risk of account compromise due to credential theft, phishing, or brute-force attacks. A single-factor authentication method, such as passwords, is often insufficient to protect against modern cyber threats.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa",
+ "ResourceType": "",
+ "Description": "**Microsoft Entra Conditional Access** has an enforced policy requiring **multifactor authentication** for `All users` across `All cloud apps` *(not just report-only)*.",
+ "Risk": "Lacking an enforced, tenant-wide **MFA** mandate enables single-factor sign-ins to M365 apps. Stolen or sprayed passwords can yield access, leading to data exfiltration, unauthorized changes, and outages. 
Report-only or scoped policies leave gaps that undermine confidentiality, integrity, and availability.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.linkedin.com/posts/rafa\u0142-fitt_conditions-in-conditional-access-policy-activity-7328448540760850432-6ker",
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa",
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength",
+ "https://docs.azure.cn/en-us/entra/identity/conditional-access/policy-guests-mfa-strength",
+ "https://blog.admindroid.com/microsoft-security-defaults-vs-conditional-access-policies/",
+ "https://covene.com/microsoft-entra-id-conditional-access-configuration/",
+ "https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/conditional-access/policy-all-users-mfa-strength.md",
+ "https://entra.microsoft.com."
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
 "NativeIaC": "",
- "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Click New policy. Under Users include All users (and do not exclude any user). Under Target resources include All cloud apps and do not create any exclusions. Under Grant select Grant Access and check Require multifactor authentication. Click Select at the bottom of the pane. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. Click Create.",
- "Terraform": ""
+ "Other": "1. Sign in to Microsoft Entra admin center (https://entra.microsoft.com)\n2. Go to Protection > Conditional Access > Policies > Create new policy\n3. Users: Include > All users (do not add exclusions)\n4. Target resources: Resources (cloud apps) > Include > All resources (no exclusions)\n5. Access controls: Grant > Grant access > check Require multifactor authentication > Select\n6. Enable policy: On\n7. 
Create",
+ "Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"\" {\n display_name = \"\"\n state = \"enabled\" # Critical: enforce policy (not report-only)\n\n conditions {\n users {\n included_users = [\"All\"] # Critical: target all users\n }\n applications {\n included_applications = [\"All\"] # Critical: target all cloud apps/resources\n }\n }\n\n grant_controls {\n built_in_controls = [\"mfa\"] # Critical: require multifactor authentication\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Enable multifactor authentication for all users in the Microsoft 365 tenant. Ensure users register at least one strong second-factor authentication method, such as Microsoft Authenticator, SMS codes, or phone calls. Educate users on the importance of MFA and provide clear instructions for enrollment to minimize disruptions.",
- "Url": "https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa"
+ "Text": "Enforce a **Conditional Access** policy requiring **MFA** for `All users` and `All cloud apps`. Exclude only break-glass accounts, favor **phishing-resistant** or authenticator methods, and avoid long-term report-only. Monitor sign-ins, review coverage regularly, and apply **least privilege** and **zero trust** to minimize exceptions.",
+ "Url": "https://hub.prowler.com/check/entra_users_mfa_enabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
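Review bot: The `Terraform` remediation added on the new side cannot be applied as written: the resource label and `display_name` are empty strings, and the azuread provider's `azuread_conditional_access_policy` requires `conditions.client_app_types` and `grant_controls.operator`, neither of which is set. It also hard-codes no user exclusions, as do steps 3–4 of `Other`, while the Recommendation text in this same hunk says to exclude break-glass accounts; an all-users/all-resources MFA grant with no emergency-access exclusion is a tenant-lockout risk when the MFA service or the admins' registered methods are unavailable, which is why Microsoft's own template for this policy excludes emergency-access accounts. Suggest the HCL below as the string value, and aligning `Other` step 3 with "exclude only your emergency-access accounts". Separately, the `AdditionalURLs` entries for the LinkedIn post, the two vendor blogs, and `https://entra.microsoft.com.` (trailing dot, and just the portal) are not reference documentation and should be dropped in favor of the learn.microsoft.com links already present.
```hcl
resource "azuread_conditional_access_policy" "require_mfa_all_users" {
  display_name = "Require MFA for all users"
  state        = "enabled" # Critical: enforce policy (not report-only)

  conditions {
    client_app_types = ["all"]

    users {
      included_users = ["All"] # Critical: target all users
      # Only the documented emergency-access (break-glass) accounts
      excluded_users = var.emergency_access_account_ids
    }

    applications {
      included_applications = ["All"] # Critical: target all cloud apps/resources
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"] # Critical: require multifactor authentication
  }
}
```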