rules/findings/m365/sharepoint_online/policies/spo-reauthentication-with-verification-code-disabled.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "SharePoint Online", "serviceName": "Microsoft 365", "displayName": "Ensure reauthentication with verification code is restricted", "description": "\r\n\t\tThis setting configures if guests who use a verification code to access the site or links are required to reauthenticate after a set number of days. \r\n\t\tThe recommended state is 15 or less. \r\n ", "rationale": "By increasing the frequency of times guests need to reauthenticate this ensures guest user access to data is not prolonged beyond an acceptable amount of time.", "impact": "Guests who use Microsoft 365 in their organization can sign in using their work or school account to access the site or document. After the one-time passcode for verification has been entered for the first time, guests will authenticate with their work or school account and have a guest account created in the host\u0027s organization.", "remediation": { "text": "\r\n\t\t###### To remediate using the UI: \r\n\t\t1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint \r\n\t\t2. Click to expand Policies \u003e Sharing. \r\n\t\t3. Scroll to and expand More external sharing settings. \r\n\t\t4. Set People who use a verification code must reauthenticate after this many days to 15 or less. \r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-US/sharepoint/what-s-new-in-sharing-in-targeted-release?WT.mc_id=365AdminCSH_spo", "https://learn.microsoft.com/en-US/sharepoint/turn-external-sharing-on-or-off?WT.mc_id=365AdminCSH_spo#change-the-organization-level-external-sharing-setting", "https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "7.2.10", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_spo_tenant_admin_details", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "EmailAttestationRequired", "eq", "False" ], [ "EmailAttestationReAuthDays", "lt", "15" ] ], "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "RootSiteUrl": "Root Site", "EmailAttestationRequired": "Email attestation required", "EmailAttestationReAuthDays": "Email attestation re-auth days" }, "expandObject": null }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ "RootSiteUrl" ], "message": "Ensure reauthentication with verification code is restricted for {RootSiteUrl}", "defaultMessage": null }, "properties": { "resourceName": "RootSiteUrl", "resourceId": "_ObjectIdentity_", "resourceType": "SPOTenantAdmin" }, "onlyStatus": false } }, "idSuffix": "spo_reauthentication_with_verification_code_not_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ "_ObjectType_", "_ObjectIdentity_", "RootSiteUrl" ], "id": "microsoft365_2195" } |