steampipe plugin install azuread

Table: azuread_authorization_policy - Query Azure Active Directory Authorization Policies using SQL

Azure Active Directory (Azure AD) Authorization Policy is a feature of Microsoft Azure that defines how resources in your organization are accessed. It provides a centralized way to manage authorization settings, control access, and enforce security configurations across your Azure resources. Azure AD Authorization Policy enables you to manage and secure access to your resources effectively.

Table Usage Guide

The azuread_authorization_policy table provides insights into authorization policies within Azure Active Directory. As a security administrator, explore policy-specific details through this table, including policy settings, associated metadata, and security configurations. Utilize it to uncover information about policies, such as those with specific access controls, the enforcement of security configurations, and the verification of authorization settings.

Examples

Basic info

Analyze the settings to understand the display name, ID, and invite permissions for a given Azure AD authorization policy. This can be useful for auditing and managing access controls within your Azure environment.

select
display_name,
id,
allow_invites_from
from
azuread_authorization_policy;
select
display_name,
id,
allow_invites_from
from
azuread_authorization_policy;

Determine the areas in which users have not granted permission for apps to access company data on their behalf. This can be useful to maintain data privacy and prevent unauthorized access.

select
display_name,
id,
default_user_role_permissions
from
azuread_authorization_policy
where
default_user_role_permissions ->> 'permissionGrantPoliciesAssigned' = '[]';
select
display_name,
id,
default_user_role_permissions
from
azuread_authorization_policy
where
json_extract(
default_user_role_permissions,
'$.permissionGrantPoliciesAssigned'
) = '[]';

Check if all members are allowed to invite external users to the organization

Determine if your organization's settings permit all members to invite external users. This is useful for assessing the openness of your organization's communication and collaboration policies.

select
display_name,
id,
default_user_role_permissions
from
azuread_authorization_policy
where
allow_invites_from = 'everyone';
select
display_name,
id,
default_user_role_permissions
from
azuread_authorization_policy
where
allow_invites_from = 'everyone';

Check if email validation is not required to join the tenant

Determine if your organization's settings allow users to join without verifying their email first. This could be a potential security risk, as it may enable unauthorized individuals to gain access to your system.

select
display_name,
id,
default_user_role_permissions
from
azuread_authorization_policy
where
not allowed_email_verified_users_to_join_organization;
select
display_name,
id,
default_user_role_permissions
from
azuread_authorization_policy
where
not allowed_email_verified_users_to_join_organization;

Control examples

Schema for azuread_authorization_policy

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
allow_invites_fromtextIndicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone.
allowed_email_verified_users_to_join_organizationbooleanIndicates whether a user can join the tenant by email validation.
allowed_to_sign_up_email_based_subscriptionsbooleanIndicates whether users can sign up for email based subscriptions.
allowed_to_use_ssprbooleanIndicates whether the Self-Serve Password Reset feature can be used by users on the tenant.
block_msol_powershellbooleanTo disable the use of MSOL PowerShell set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph.
default_user_role_permissionsjsonbSpecifies certain customizable permissions for default user role.
descriptiontextDescription of this policy.
display_nametextDisplay name for this policy.
guest_user_role_idtextRepresents role templateId for the role that should be granted to guest user.
idtextID of the authorization policy.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
tenant_idtext=, !=, ~~, ~~*, !~~, !~~*The Azure Tenant ID where the resource is located.
titletextTitle of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azuread

You can pass the configuration to the command with the --config argument:

steampipe_export_azuread --config '<your_config>' azuread_authorization_policy