Src/Compliance/CIS.Azure.json
|
{
"_meta": { "framework": "CIS Microsoft Azure Foundations Benchmark", "version": "5.0.0", "source": "CIS Azure Foundations Benchmark v5.0.0", "reference": "https://www.cisecurity.org/benchmark/azure", "lastReviewed": "2026-03-19", "notes": "CIS Azure Foundations Benchmark v5.0.0 - Section 5 Identity Services (Entra ID). Only controls relevant to Entra ID and not already covered in CIS.M365.json are included. Each check carries a source field for benchmark traceability. Checks with staticStatus=[INFO] require manual verification. L1 = required hygiene, L2 = defence-in-depth." }, "MFA": { "_section": "Identity Services -- Multi-Factor Authentication", "_cisChapter": "5.1", "checks": [ { "id": "CIS-AZ-5.1.1", "CISControl": "5.1.1", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure Security Defaults is enabled in Entra ID", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Properties that Security Defaults is enabled (if not using Conditional Access). Security Defaults requires all users to register for MFA, enforces MFA for administrators and blocks legacy authentication protocols. Security Defaults and Conditional Access are mutually exclusive: if Conditional Access policies are in use, Security Defaults must be disabled and those policies must enforce at least the same controls (MFA for all users and blocking of legacy authentication).", "remediation": "Navigate to Entra ID > Properties > Manage Security Defaults and set 'Enable Security Defaults' to Yes, unless Conditional Access policies are actively enforcing equivalent or stronger controls (MFA for all users, MFA for administrators, block legacy authentication). Tenants that rely on Conditional Access should record which policies implement these controls so that the [INFO] result can be closed with evidence.", "tags": [ "mfa", "security-defaults", "identity", "l1" ] }, { "id": "CIS-AZ-5.1.3", "CISControl": "5.1.3", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure 'Allow users to remember MFA on trusted devices' is disabled", "staticStatus": "[INFO]", "detail": "Verify that 'Allow users to remember multi-factor authentication on devices they trust' is disabled. 
When enabled, a user can suppress MFA prompts on a device for up to the configured number of days; anyone who gains control of that device or its browser session during that window can sign in without a second factor. This setting belongs to the legacy per-user MFA service. Tenants that use Conditional Access should instead govern re-authentication with the sign-in frequency and persistent browser session controls, which are evaluated per policy rather than granted tenant-wide.", "remediation": "Navigate to Entra ID > Users > Per-user MFA > Service Settings and ensure 'Allow users to remember multi-factor authentication on devices they trust' is unchecked. Where Conditional Access is in use, configure session controls (sign-in frequency, persistent browser session) in the relevant policies rather than relying on this legacy setting.", "tags": [ "mfa", "trusted-devices", "identity", "l1" ] } ] }, "ConditionalAccess": { "_section": "Identity Services -- Conditional Access", "_cisChapter": "5.2", "checks": [ { "id": "CIS-AZ-5.2.1", "CISControl": "5.2.1", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure trusted locations are defined in Conditional Access", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Conditional Access > Named Locations that trusted corporate IP ranges are defined. Named locations enable location-based CA policies and reduce noise from risk alerts.", "remediation": "Navigate to Entra ID > Conditional Access > Named Locations and define the organisation's corporate egress IP ranges as trusted locations. Mark as trusted only ranges the organisation exclusively controls (not shared NAT, VPN-exit, cloud-provider or guest Wi-Fi ranges): a trusted location lowers the computed sign-in risk and is commonly used to exempt users from MFA, so an over-broad range becomes an MFA bypass. Use these locations in CA policies to scope sign-in risk and block access from unexpected geographies, and review the ranges whenever the network egress changes.", "tags": [ "conditional-access", "named-locations", "identity", "l1" ] }, { "id": "CIS-AZ-5.2.2", "CISControl": "5.2.2", "Level": "L2", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Consider implementing a geographic Conditional Access policy", "staticStatus": "[INFO]", "detail": "Consider implementing a CA policy that blocks sign-ins from countries not used by your organisation. Review Entra ID > Conditional Access > Named Locations for country-based locations.", "remediation": "Navigate to Entra ID > Conditional Access and create a Named Location for allowed countries. 
Create a CA policy targeting All Users, All Cloud Apps, with the condition 'Location > Include > Any location' and 'Location > Exclude > the allowed-countries location', and apply Block as the grant control. Exclude the emergency-access (break-glass) accounts and any service accounts that legitimately sign in from other countries, and run the policy in report-only mode first to confirm that no legitimate sign-ins would be blocked. Country is derived from the sign-in IP address (or GPS where configured) and can be evaded with a VPN, so treat this policy as defence-in-depth rather than a hard boundary.", "tags": [ "conditional-access", "geolocation", "identity", "l2" ] }, { "id": "CIS-AZ-5.2.8", "CISControl": "5.2.8", "Level": "L2", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Consider implementing a Token Protection Conditional Access policy", "staticStatus": "[INFO]", "detail": "Consider implementing a Token Protection CA policy to bind sign-in session tokens to the device they were issued on, so that a token stolen from the device (for example by infostealer malware or a man-in-the-middle proxy) cannot be replayed from elsewhere. Navigate to Entra ID > Conditional Access and create a policy with session control 'Token protection' for privileged roles or sensitive apps.", "remediation": "Navigate to Entra ID > Conditional Access, create a new policy targeting privileged roles or sensitive applications. Under Session controls, enable 'Token protection (preview)'. Token protection is supported only for specific client platforms and applications (check current Microsoft documentation for the supported list); clients in scope that do not support it are blocked, so deploy in report-only mode first, then apply to compliant or hybrid-joined devices before widening scope, to avoid user disruption.", "tags": [ "conditional-access", "token-protection", "identity", "l2" ] } ] }, "Roles": { "_section": "Identity Services -- Privileged Roles and Accounts", "_cisChapter": "5.3", "checks": [ { "id": "CIS-AZ-5.3.1", "CISControl": "5.3.1", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure Azure admin accounts are not used for daily operations", "staticStatus": "[INFO]", "detail": "Verify that Global Administrators and Privileged Role Administrators do not use their admin accounts for daily tasks (email, browsing, productivity). Admin accounts should be used exclusively for privileged operations, so that a phishing or malware compromise of the everyday account does not directly yield tenant-wide privileges.", "remediation": "Ensure all privileged role holders have a separate standard user account for daily productivity tasks. 
Admin accounts should have no mailbox, no licence for productivity apps, and should only be used when performing administrative operations.", "tags": [ "roles", "admin-hygiene", "identity", "l1" ] }, { "id": "CIS-AZ-5.3.2", "CISControl": "5.3.2", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure guest users are reviewed regularly", "staticStatus": null, "statusExpression": "if ($GuestCount -eq 0) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{GuestCount} guest user(s) exist in the tenant. Ensure access reviews are configured for guest accounts (see Governance section).", "remediation": "Navigate to Entra ID > Identity Governance > Access Reviews and create a recurring review targeting guest users. Remove guest accounts that no longer require access.", "tags": [ "roles", "guests", "access-reviews", "identity", "l1" ] }, { "id": "CIS-AZ-5.26", "CISControl": "5.26", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure fewer than 5 users are assigned Global Administrator", "staticStatus": null, "statusExpression": "if ($GlobalAdminCount -le 4) { '[OK]' } elseif ($GlobalAdminCount -le 8) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{GlobalAdminCount} Global Administrator(s) assigned. CIS Azure v5 recommends fewer than 5.", "remediation": "Review Entra ID > Roles > Global Administrator. Use Privileged Identity Management to convert standing Global Admin assignments to eligible assignments. 
Keep at least 2 and no more than 4 permanent Global Administrators, including the emergency-access (break-glass) accounts. Emergency-access accounts should be cloud-only, excluded from Conditional Access policies that could lock them out, protected with phishing-resistant credentials kept offline, and monitored so that any sign-in raises an alert.", "tags": [ "roles", "global-admin", "least-privilege", "identity", "l1" ] } ] }, "SSPR": { "_section": "Identity Services -- Self-Service Password Reset", "_cisChapter": "5.5", "checks": [ { "id": "CIS-AZ-5.5", "CISControl": "5.5", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure the number of methods required to reset a password is set to 2", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Security > Password Reset > Authentication Methods that 'Number of methods required to reset' is set to 2. Requiring two methods means that compromising a single factor (for example a hijacked phone number or a phished personal email account) is not enough to reset a user's password.", "remediation": "Navigate to Entra ID > Security > Password Reset > Authentication Methods and set 'Number of methods required to reset' to 2. Ensure at least two strong authentication methods are enabled for SSPR; avoid relying on security questions, which are the weakest available method.", "tags": [ "sspr", "password-reset", "identity", "l1" ] } ] }, "TenantSettings": { "_section": "Identity Services -- Tenant and User Settings", "_cisChapter": "5.4", "checks": [ { "id": "CIS-AZ-5.4", "CISControl": "5.4", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure non-admin users cannot create tenants", "staticStatus": null, "statusExpression": "if (-not $CanCreateTenants) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Tenant creation by non-admins: {CanCreateTenantsState}", "remediation": "Navigate to Entra ID > User Settings and set 'Restrict non-admin users from creating tenants' to Yes.", "tags": [ "tenant-settings", "user-restrictions", "identity", "l1" ] }, { "id": "CIS-AZ-5.6", "CISControl": "5.6", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure the Smart Lockout threshold is set to 10 or fewer", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Security > Authentication Methods > Password Protection that the Lockout threshold is set to 10 or less. 
Smart Lockout is always active; the default threshold of 10 satisfies this control, and a lower value reduces the attempts available to password-spray attacks at the cost of more lockouts for legitimate users. If passwords are synchronised from on-premises Active Directory, keep the cloud threshold below the on-premises account lockout threshold so that cloud sign-in attempts are blocked before they can lock out the on-premises account.", "remediation": "Navigate to Entra ID > Security > Authentication Methods > Password Protection and set the 'Lockout threshold' to 10 or fewer failed attempts.", "tags": [ "tenant-settings", "smart-lockout", "password-protection", "identity", "l1" ] }, { "id": "CIS-AZ-5.7", "CISControl": "5.7", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure the Smart Lockout duration is set to 60 seconds or more", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Security > Authentication Methods > Password Protection that the Lockout duration in seconds is 60 or greater. A longer duration slows automated password guessing; Smart Lockout extends the duration on repeated lockouts.", "remediation": "Navigate to Entra ID > Security > Authentication Methods > Password Protection and set the 'Lockout duration in seconds' to 60 or higher.", "tags": [ "tenant-settings", "smart-lockout", "password-protection", "identity", "l1" ] }, { "id": "CIS-AZ-5.8", "CISControl": "5.8", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure a custom banned password list is enforced", "staticStatus": null, "statusExpression": "if ($CustomBannedPasswordEnabled) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Custom banned passwords: {CustomBannedPasswordState}. 
Add organisation name, product names, and common local passwords.", "remediation": "Navigate to Entra ID > Security > Authentication Methods > Password Protection, enable 'Enforce custom list', and add the organisation name, common product names, and frequently-used local passwords to the custom banned password list.", "tags": [ "tenant-settings", "password-protection", "banned-passwords", "identity", "l1" ] }, { "id": "CIS-AZ-5.10", "CISControl": "5.10", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure users are notified on their own password resets", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Security > Password Reset > Notifications that 'Notify users on password resets?' is set to Yes.", "remediation": "Navigate to Entra ID > Security > Password Reset > Notifications and set 'Notify users on password resets?' to Yes.", "tags": [ "tenant-settings", "sspr", "notifications", "identity", "l1" ] }, { "id": "CIS-AZ-5.11", "CISControl": "5.11", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure all admins are notified when other admins reset their password", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Security > Password Reset > Notifications that 'Notify all admins when other admins reset their password?' is set to Yes.", "remediation": "Navigate to Entra ID > Security > Password Reset > Notifications and set 'Notify all admins when other admins reset their password?' to Yes.", "tags": [ "tenant-settings", "sspr", "notifications", "admin-alerts", "identity", "l1" ] }, { "id": "CIS-AZ-5.12", "CISControl": "5.12", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure user consent for applications is not allowed", "staticStatus": null, "statusExpression": "if ($UserConsentDisabled) { '[OK]' } elseif ($UserConsentVerifiedOnly) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "User consent policy: {UserConsentPolicy}. 
Set to 'Do not allow user consent'. Allowing consent only for verified publishers and selected low-impact permissions still lets users grant OAuth access to third-party applications (a common consent-phishing vector) and is therefore reported as [WARN] rather than [OK].", "remediation": "Navigate to Entra ID > Enterprise Applications > Consent and Permissions > User Consent Settings and set 'User consent for applications' to 'Do not allow user consent'. Configure the admin consent workflow so users can request admin approval, and review existing app consents (Enterprise Applications > Permissions) for grants that pre-date the change.", "tags": [ "tenant-settings", "app-consent", "user-consent", "identity", "l1" ] }, { "id": "CIS-AZ-5.14", "CISControl": "5.14", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure users cannot register applications", "staticStatus": null, "statusExpression": "if (-not $CanRegApps) { '[OK]' } else { '[WARN]' }", "detailTemplate": "App registration by users: {CanRegAppsState}", "remediation": "Navigate to Entra ID > User Settings and set 'Users can register applications' to No. Assign the Application Developer role to the individuals who legitimately need to register applications, so that app registrations are limited to an accountable group.", "tags": [ "tenant-settings", "app-registration", "user-restrictions", "identity", "l1" ] }, { "id": "CIS-AZ-5.15", "CISControl": "5.15", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure guest user access is restricted to their own directory objects", "staticStatus": null, "statusExpression": "if ($GuestAccessLevel -eq 'mostRestrictive') { '[OK]' } elseif ($GuestAccessLevel -eq 'limited') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Guest access level: {GuestAccessLevelDesc}. 
Set to most restrictive so guests see only their own objects and cannot enumerate users, groups and memberships for reconnaissance.", "remediation": "Navigate to Entra ID > External Identities > External Collaboration Settings and set 'Guest user access' to 'Guest users have no access to Azure AD directory properties and memberships (most restrictive)'.", "tags": [ "tenant-settings", "guest-access", "external-identities", "identity", "l1" ] }, { "id": "CIS-AZ-5.17", "CISControl": "5.17", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure access to the Entra admin center is restricted to admins", "staticStatus": null, "statusExpression": "if ($RestrictAdminPortal) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Entra admin center access: {RestrictAdminPortalState}", "remediation": "Navigate to Entra ID > User Settings and set 'Restrict access to Microsoft Entra admin center' to Yes. Note that this restricts only the web user interface: non-admin users can still read the directory through the Microsoft Graph API and PowerShell, so this setting reduces casual browsing but is not a security boundary. Limit what non-admins can read through the default user permissions and guest access settings as well.", "tags": [ "tenant-settings", "admin-portal", "user-restrictions", "identity", "l1" ] }, { "id": "CIS-AZ-5.19", "CISControl": "5.19", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure users cannot create security groups", "staticStatus": "[INFO]", "detail": "Verify in Entra ID > Groups > General Settings that 'Users can create security groups in Azure portals, API or PowerShell' is set to No.", "remediation": "Navigate to Entra ID > Groups > General Settings and set 'Users can create security groups in Azure portals, API or PowerShell' to No.", "tags": [ "tenant-settings", "groups", "user-restrictions", "identity", "l1" ] }, { "id": "CIS-AZ-5.22", "CISControl": "5.22", "Level": "L1", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure MFA is required for device registration and join", "staticStatus": null, "statusExpression": "if ($MfaRegistrationDevicePolicy) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{MfaRegistrationDevicePolicyDetail}", "remediation": "Navigate to Entra ID > Conditional Access and create or verify a policy that requires MFA when users register 
or join devices. Target the grant control 'Require multi-factor authentication' with the condition 'User action: Register or join devices'. Do not enable the legacy tenant-wide setting 'Require Multifactor Authentication to register or join devices' under Devices > Device Settings at the same time, as Microsoft documents the two as conflicting; use the Conditional Access policy only. Exclude any device-provisioning service accounts (for example bulk-enrolment or Autopilot accounts) that cannot complete MFA, and monitor those exclusions.", "tags": [ "tenant-settings", "device-registration", "mfa", "conditional-access", "identity", "l1" ] } ] }, "AuthMethods": { "_section": "Identity Services -- Authentication Methods", "_cisChapter": "5.28", "checks": [ { "id": "CIS-AZ-5.28", "CISControl": "5.28", "Level": "L2", "source": "CIS Azure Foundations Benchmark v5.0.0", "title": "Ensure passwordless authentication methods are considered", "staticStatus": null, "statusExpression": "if ($Fido2Enabled -or $CbaEnabled) { '[OK]' } else { '[WARN]' }", "detailTemplate": "FIDO2: {Fido2State}. CBA: {CbaState}. Consider enabling passwordless, phishing-resistant methods (FIDO2, Windows Hello for Business, CBA) to remove passwords from the sign-in path; note that this check only reports whether FIDO2 or CBA is enabled, not whether users have actually registered or are required to use them.", "remediation": "Navigate to Entra ID > Security > Authentication Methods and enable FIDO2 Security Key and/or Certificate-Based Authentication. Deploy Windows Hello for Business via Intune or Group Policy. Update Conditional Access authentication strength policies to require phishing-resistant passwordless methods for privileged roles first, then extend to the wider user population as registration allows.", "tags": [ "auth-methods", "passwordless", "fido2", "cba", "identity", "l2" ] } ] } } |