Sample-Reports/IndividualReports/AADReport.json
[
{ "ReportSummary": { "Failures": 11, "Errors": 0, "Passes": 11, "Warnings": 3, "Manual": 5, "Date": "12/18/2024 09:40:27 Central Standard Time", "Omits": 0 }, "Results": [ { "GroupName": "Legacy Authentication", "GroupNumber": "1", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#1-legacy-authentication", "Controls": [ { "Control ID": "MS.AAD.1.1v1", "Requirement": "Legacy authentication SHALL be blocked.", "Result": "Pass", "Criticality": "Shall", "Details": "1 conditional access policy(s) found that meet(s) all requirements:<br/>MS.AAD.1.1v1 Legacy authentication SHALL be blocked. <a href='#caps'>View all CA policies</a>." } ] }, { "GroupName": "Risk Based Policies", "GroupNumber": "2", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#2-risk-based-policies", "Controls": [ { "Control ID": "MS.AAD.2.1v1", "Requirement": "Users detected as high risk SHALL be blocked.", "Result": "Pass", "Criticality": "Shall", "Details": "1 conditional access policy(s) found that meet(s) all requirements:<br/>MS.AAD.2.1v1 Users detected as high risk SHALL be blocked. <a href='#caps'>View all CA policies</a>." }, { "Control ID": "MS.AAD.2.2v1", "Requirement": "A notification SHOULD be sent to the administrator when high-risk users are detected.", "Result": "N/A", "Criticality": "Should/Not-Implemented", "Details": "This product does not currently have the capability to check compliance for this policy. See <a href=\"https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#msaad22v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check" }, { "Control ID": "MS.AAD.2.3v1", "Requirement": "Sign-ins detected as high risk SHALL be blocked.", "Result": "Pass", "Criticality": "Shall", "Details": "1 conditional access policy(s) found that meet(s) all requirements:<br/>MS.AAD.2.3v1 Sign-ins detected as high risk SHALL be blocked. <a href='#caps'>View all CA policies</a>." } ] }, { "GroupName": "Strong Authentication and a Secure Registration Process", "GroupNumber": "3", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#3-strong-authentication-and-a-secure-registration-process", "Controls": [ { "Control ID": "MS.AAD.3.1v1", "Requirement": "Phishing-resistant MFA SHALL be enforced for all users.", "Result": "Fail", "Criticality": "Shall", "Details": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>." }, { "Control ID": "MS.AAD.3.2v1", "Requirement": "If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.", "Result": "Pass", "Criticality": "Shall", "Details": "1 conditional access policy(s) found that meet(s) all requirements:<br/>MS.AAD.3.2v1 If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. <a href='#caps'>View all CA policies</a>." }, { "Control ID": "MS.AAD.3.3v1", "Requirement": "If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.", "Result": "Pass", "Criticality": "Shall", "Details": "Requirement met" }, { "Control ID": "MS.AAD.3.4v1", "Requirement": "The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.", "Result": "Fail", "Criticality": "Shall", "Details": "Requirement not met" }, { "Control ID": "MS.AAD.3.5v1", "Requirement": "The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.", "Result": "N/A", "Criticality": "Shall/Not-Implemented", "Details": "This policy is only applicable if the tenant has their Manage Migration feature set to Migration Complete. See <a href=\"https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#msaad34v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for more info" }, { "Control ID": "MS.AAD.3.6v1", "Requirement": "Phishing-resistant MFA SHALL be required for highly privileged roles.", "Result": "Fail", "Criticality": "Shall", "Details": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>." }, { "Control ID": "MS.AAD.3.7v1", "Requirement": "Managed devices SHOULD be required for authentication.", "Result": "Warning", "Criticality": "Should", "Details": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>." }, { "Control ID": "MS.AAD.3.8v1", "Requirement": "Managed Devices SHOULD be required to register MFA.", "Result": "Warning", "Criticality": "Should", "Details": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>." } ] }, { "GroupName": "Centralized Log Collection", "GroupNumber": "4", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#4-centralized-log-collection", "Controls": [ { "Control ID": "MS.AAD.4.1v1", "Requirement": "Security logs SHALL be sent to the agency's security operations center for monitoring.", "Result": "N/A", "Criticality": "Shall/Not-Implemented", "Details": "This product does not currently have the capability to check compliance for this policy. See <a href=\"https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#msaad41v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check" } ] }, { "GroupName": "Application Registration and Consent", "GroupNumber": "5", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#5-application-registration-and-consent", "Controls": [ { "Control ID": "MS.AAD.5.1v1", "Requirement": "Only administrators SHALL be allowed to register applications.", "Result": "Pass", "Criticality": "Shall", "Details": "0 authorization policies found that allow non-admin users to register third-party applications" }, { "Control ID": "MS.AAD.5.2v1", "Requirement": "Only administrators SHALL be allowed to consent to applications.", "Result": "Fail", "Criticality": "Shall", "Details": "1 authorization policies found that allow non-admin users to consent to third-party applications:<br/>authorizationPolicy" }, { "Control ID": "MS.AAD.5.3v1", "Requirement": "An admin consent workflow SHALL be configured for applications.", "Result": "Fail", "Criticality": "Shall", "Details": "Requirement not met" }, { "Control ID": "MS.AAD.5.4v1", "Requirement": "Group owners SHALL NOT be allowed to consent to applications.", "Result": "N/A", "Criticality": "Shall/Not-Implemented", "Details": "This configuration setting has been deprecated and we are in the process of removing it from the baseline." } ] }, { "GroupName": "Passwords", "GroupNumber": "6", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#6-passwords", "Controls": [ { "Control ID": "MS.AAD.6.1v1", "Requirement": "User passwords SHALL NOT expire.", "Result": "Fail", "Criticality": "Shall", "Details": "Requirement not met" } ] }, { "GroupName": "Highly Privileged User Access", "GroupNumber": "7", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#7-highly-privileged-user-access", "Controls": [ { "Control ID": "MS.AAD.7.1v1", "Requirement": "A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.", "Result": "Pass", "Criticality": "Shall", "Details": "2 global admin(s) found:<br/>Jane Doe, John Public" }, { "Control ID": "MS.AAD.7.2v1", "Requirement": "Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.", "Result": "Fail", "Criticality": "Shall", "Details": "Requirement not met: Least Privilege Score = 2 (should be 1 or less)" }, { "Control ID": "MS.AAD.7.3v1", "Requirement": "Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.", "Result": "Pass", "Criticality": "Shall", "Details": "0 admin(s) that are not cloud-only found" }, { "Control ID": "MS.AAD.7.4v1", "Requirement": "Permanent active role assignments SHALL NOT be allowed for highly privileged roles.", "Result": "Fail", "Criticality": "Shall", "Details": "6 role(s) that contain users with permanent active assignment:<br/>Application Administrator, Exchange Administrator, Global Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator" }, { "Control ID": "MS.AAD.7.5v1", "Requirement": "Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.", "Result": "Fail", "Criticality": "Shall", "Details": "4 role(s) assigned to users outside of PIM:<br/>Global Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator" }, { "Control ID": "MS.AAD.7.6v1", "Requirement": "Activation of the Global Administrator role SHALL require approval.", "Result": "Fail", "Criticality": "Shall", "Details": "1 role(s) or group(s) allowing activation without approval found:<br/>Global Administrator(Directory Role)" }, { "Control ID": "MS.AAD.7.7v1", "Requirement": "Eligible and Active highly privileged role assignments SHALL trigger an alert.", "Result": "Fail", "Criticality": "Shall", "Details": "6 role(s) or group(s) without notification e-mail configured for role assignments found:<br/>Cloud Application Administrator(Directory Role), Exchange Administrator(Directory Role), Global Administrator(Directory Role), Hybrid Identity Administrator(Directory Role), Privileged Role Administrator(Directory Role), SharePoint Administrator(Directory Role)" }, { "Control ID": "MS.AAD.7.8v1", "Requirement": "User activation of the Global Administrator role SHALL trigger an alert.", "Result": "Pass", "Criticality": "Shall", "Details": "0 role(s) or group(s) without notification e-mail configured for Global Administrator activations found" }, { "Control ID": "MS.AAD.7.9v1", "Requirement": "User activation of other highly privileged roles SHOULD trigger an alert.", "Result": "Warning", "Criticality": "Should", "Details": "5 role(s) or group(s) without notification e-mail configured for role activations found:<br/>Cloud Application Administrator(Directory Role), Exchange Administrator(Directory Role), Hybrid Identity Administrator(Directory Role), Privileged Role Administrator(Directory Role), SharePoint Administrator(Directory Role)" } ] }, { "GroupName": "Guest User Access", "GroupNumber": "8", "GroupReferenceURL": "https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#8-guest-user-access", "Controls": [ { "Control ID": "MS.AAD.8.1v1", "Requirement": "Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects.", "Result": "Pass", "Criticality": "Should", "Details": "Permission level set to \"Limited access\" (authorizationPolicy)" }, { "Control ID": "MS.AAD.8.2v1", "Requirement": "Only users with the Guest Inviter role SHOULD be able to invite guest users.", "Result": "Pass", "Criticality": "Should", "Details": "Permission level set to \"adminsAndGuestInviters\" (authorizationPolicy)" }, { "Control ID": "MS.AAD.8.3v1", "Requirement": "Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.", "Result": "N/A", "Criticality": "Should/Not-Implemented", "Details": "This product does not currently have the capability to check compliance for this policy. See <a href=\"https://github.com/cisagov/ScubaGear/blob/v1.5.0/PowerShell/ScubaGear/baselines/aad.md#msaad83v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check" } ] } ], "MetaData": { "Tenant Display Name": "tqhjy", "Report Date": "12/18/2024 09:40:27 Central Standard Time", "Baseline Version": "1", "Module Version": "1.5.0" } } ] |