monkey365

0.95.1

rules/findings/EntraID/General/CIS3.1/eid-password-hash-sync-disabled.json

                                {

  "args": [

  ],

  "provider": "EntraID",

  "serviceType": "General",

  "serviceName": "Microsoft Entra ID",

  "displayName": "Ensure that password hash sync is enabled for hybrid deployments",

  "description": "Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Microsoft Entra ID Connect synchronizes a hash, of the hash, of a user\u0027s password from an on-premises Active Directory instance to a cloud-based Microsoft Entra ID instance.\r\n\t\t\r\n\t\t**Note**: Audit and remediation procedures in this recommendation only apply to Microsoft 365 tenants operating in a hybrid configuration using Microsoft Entra ID Connect sync.",

  "rationale": "Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one and enables leaked credential detection for your hybrid accounts. Leaked credential protection is leveraged through Microsoft Entra ID Identity Protection and is a subset of that feature which can help identity if an organization\u0027s user account passwords have appeared on the dark web or public spaces.\r\n\t\t\r\n\t\tUsing other options for your directory synchronization may be less resislient as Microsoft can still process sign-ins to 365 with Hash Sync even if a network connection to your on-premises environment is not available.",

  "impact": "Compliance or regulatory restrictions may exist, depending on the organization\u0027s business sector, that preclude hashed versions of passwords from being securely transmitted to cloud data centers.",

  "remediation": {

    "text": null,

    "code": {

      "powerShell": null,

      "iac": null,

      "terraform": null,

      "other": null

    }

  },

  "recommendation": null,

  "references": [

    "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises"

  ],

  "compliance": [

    {

      "name": "CIS Microsoft 365 Foundations Benchmark",

      "version": "3.1.0",

      "reference": "5.1.8.1",

      "profile": "E3 Level 1"

    }

  ],

  "level": "medium",

  "tags": [

  ],

  "rule": {

    "path": "aad_connect_info",

    "subPath": null,

    "selectCondition": {

    },

    "query": [

      {

        "filter": [

          {

            "conditions": [

              [

                "ADConnect.dirSyncConfigured",

                "eq",

                "true"

              ],

              [

                "ADConnect.dirSyncEnabled",

                "eq",

                "true"

              ],

              [

                "PasswordSync",

                "ne",

                "true"

              ]

            ],

            "operator": "and"

          }

        ]

      }

    ],

    "shouldExist": null,

    "returnObject": null,

    "removeIfNotExists": null

  },

  "output": {

    "html": {

      "data": {

        "properties": {

        },

        "expandObject": null

      },

      "table": null,

      "decorate": [

      ],

      "emphasis": [

      ],

      "actions": {

        "objectData": {

          "properties": [

            "*"

          ],

          "expandObject": null,

          "limit": null

        },

        "showGoToButton": false,

        "showModalButton": false,

        "directLink": null

      }

    },

    "text": {

      "data": {

        "properties": {

        },

        "expandObject": null

      },

      "status": {

        "keyName": [

        ],

        "message": "Password hash sync is disabled",

        "defaultMessage": null

      },

      "properties": {

        "resourceName": null,

        "resourceId": null,

        "resourceType": null

      },

      "onlyStatus": false

    }

  },

  "idSuffix": "eid_hash_sync_disabled",

  "notes": [

  ],

  "categories": [

  ]

}