ad_guest_user_reviewed_monthlyad_manual_controlapimanagement_service_client_certificate_enabledapimanagement_service_with_virtual_networkapp_configuration_encryption_enabledapp_configuration_private_link_usedapp_configuration_sku_standardapp_service_environment_internal_encryption_enabledapplication_gateway_waf_enabledappservice_api_app_client_certificates_onappservice_api_app_cors_no_starappservice_api_app_ftps_enabledappservice_api_app_latest_tls_versionappservice_api_app_remote_debugging_disabledappservice_api_app_use_httpsappservice_api_app_uses_managed_identityappservice_authentication_enabledappservice_ftp_deployment_disabledappservice_function_app_authentication_onappservice_function_app_client_certificates_onappservice_function_app_cors_no_starappservice_function_app_ftps_enabledappservice_function_app_latest_http_versionappservice_function_app_latest_java_versionappservice_function_app_latest_python_versionappservice_function_app_latest_tls_versionappservice_function_app_only_https_accessibleappservice_function_app_remote_debugging_disabledappservice_function_app_restrict_public_accesappservice_function_app_uses_managed_identityappservice_plan_minimum_skuappservice_web_app_always_onappservice_web_app_client_certificates_onappservice_web_app_cors_no_starappservice_web_app_diagnostic_logs_enabledappservice_web_app_failed_request_tracing_enabledappservice_web_app_ftps_enabledappservice_web_app_health_check_enabledappservice_web_app_http_logs_enabledappservice_web_app_incoming_client_cert_onappservice_web_app_latest_dotnet_framework_versionappservice_web_app_latest_http_versionappservice_web_app_latest_java_versionappservice_web_app_latest_php_versionappservice_web_app_latest_python_versionappservice_web_app_latest_tls_versionappservice_web_app_register_with_active_directory_enabledappservice_web_app_remote_debugging_disabledappservice_web_app_slot_use_httpsappservice_web_app_use_httpsappservice_web_app_use_virtual_service_endpointappservice_web_app_uses_managed_identityappservice_web_app_worker_more_than_onearc_compute_machine_linux_log_analytics_agent_installedarc_compute_machine_windows_log_analytics_agent_installedautomation_account_variable_encryption_enabledbatch_account_encrypted_with_cmkbatch_account_identity_provider_enabledbatch_account_logging_enabledcognitive_account_encrypted_with_cmkcognitive_account_private_link_usedcognitive_account_public_network_access_disabledcognitive_account_restrict_public_accesscognitive_service_local_auth_disabledcompute_disk_access_uses_private_linkcompute_disk_unattached_encrypted_with_cmkcompute_os_and_data_disk_encrypted_with_cmkcompute_os_and_data_disk_encrypted_with_cmk_and_platform_managedcompute_unattached_disk_encrypted_with_cmkcompute_vm_account_with_password_linuxcompute_vm_and_sacle_set_encryption_at_host_enabledcompute_vm_attached_with_networkcompute_vm_data_and_os_disk_uses_managed_diskcompute_vm_disaster_recovery_enabledcompute_vm_guest_configuration_installedcompute_vm_guest_configuration_installed_linuxcompute_vm_guest_configuration_installed_windowscompute_vm_guest_configuration_with_no_managed_identitycompute_vm_guest_configuration_with_system_assigned_managed_identitycompute_vm_guest_configuration_with_user_and_system_assigned_managed_identitycompute_vm_jit_access_protectedcompute_vm_log_analytics_agent_installedcompute_vm_log_analytics_agent_installed_windowscompute_vm_malware_agent_automatic_upgrade_enabledcompute_vm_malware_agent_installedcompute_vm_max_password_age_70_days_windowscompute_vm_meet_security_baseline_requirements_linuxcompute_vm_meet_security_baseline_requirements_windowscompute_vm_min_password_age_1_day_windowscompute_vm_min_password_length_14_windowscompute_vm_network_traffic_data_collection_linux_agent_installedcompute_vm_network_traffic_data_collection_windows_agent_installedcompute_vm_password_complexity_setting_enabled_windowscompute_vm_passwords_stored_using_reversible_encryption_windowscompute_vm_remote_access_restrictedcompute_vm_remote_access_restricted_all_portscompute_vm_restrict_previous_24_passwords_resuse_windowscompute_vm_restrict_remote_connection_from_accounts_without_password_linuxcompute_vm_scale_set_automatic_upgrade_enabledcompute_vm_scale_set_boot_diagnostics_enabledcompute_vm_scale_set_log_analytics_agent_installedcompute_vm_scale_set_logging_enabledcompute_vm_scale_set_ssh_key_authentication_linuxcompute_vm_scale_set_uses_managed_diskscompute_vm_secure_communication_protocols_configuredcompute_vm_ssh_key_authentication_linuxcompute_vm_system_updates_installedcompute_vm_tcp_udp_access_restricted_internetcompute_vm_uses_azure_resource_managercompute_vm_utilizing_managed_diskcompute_vm_vulnerability_assessment_solution_enabledcompute_vm_windows_defender_exploit_guard_enabledcontainer_instance_container_group_encrypted_using_cmkcontainer_instance_container_group_identity_provider_enabledcontainer_instance_container_group_in_virtual_networkcontainer_instance_container_group_secured_environment_variablecontainer_registry_admin_user_disabledcontainer_registry_encrypted_with_cmkcontainer_registry_geo_replication_enabledcontainer_registry_public_network_access_disabledcontainer_registry_quarantine_policy_enabledcontainer_registry_restrict_public_accesscontainer_registry_retention_policy_enabledcontainer_registry_trust_policy_enabledcontainer_registry_use_virtual_service_endpointcontainer_registry_uses_private_linkcosmosdb_account_encryption_at_rest_using_cmkcosmosdb_account_key_based_metadata_write_access_disabledcosmosdb_account_uses_aad_and_rbaccosmosdb_account_uses_private_linkcosmosdb_account_virtual_network_filter_enabledcosmosdb_account_with_firewall_rulescosmosdb_use_virtual_service_endpointdata_factory_encrypted_with_cmkdata_factory_public_network_access_disableddata_factory_uses_git_repositorydata_factory_uses_private_linkdatabox_edge_device_double_encryption_enableddatalake_analytics_account_logging_enableddatalake_store_account_encryption_enableddatalake_store_account_logging_enabledeventgrid_domain_identity_provider_enabledeventgrid_domain_private_link_usedeventgrid_domain_restrict_public_accesseventgrid_topic_identity_provider_enabledeventgrid_topic_local_auth_enabledeventgrid_topic_private_link_usedeventhub_namespace_cmk_encryption_enabledeventhub_namespace_logging_enabledeventhub_namespace_private_link_usedeventhub_namespace_use_virtual_service_endpointfrontdoor_waf_enabledhdinsight_cluster_encrypted_at_rest_with_cmkhdinsight_cluster_encryption_at_host_enabledhdinsight_cluster_encryption_in_transit_enabledhealthcare_fhir_azure_api_encrypted_at_rest_with_cmkhealthcare_fhir_uses_private_linkhpc_cache_encrypted_with_cmkiam_conditional_access_mfa_enablediam_conditional_access_mfa_enabled_for_administratorsiam_deprecated_accountiam_deprecated_account_with_owner_rolesiam_external_user_with_owner_roleiam_external_user_with_read_permissioniam_external_user_with_write_permissioniam_global_administrator_max_5iam_no_custom_roleiam_no_custom_subscription_owner_roles_creatediam_subscription_owner_max_3iam_subscription_owner_more_than_1iam_subscriptions_with_custom_roles_no_overly_permissiveiam_user_consent_to_apps_accessing_data_on_their_behalf_disablediam_user_no_built_in_contributor_roleiam_user_not_allowed_to_create_security_groupiam_user_not_allowed_to_create_tenantsiam_user_not_allowed_to_register_applicationiot_hub_logging_enablediot_hub_private_link_usedkeyvault_firewall_enabledkeyvault_key_expiration_setkeyvault_logging_enabledkeyvault_managed_hms_logging_enabledkeyvault_managed_hms_purge_protection_enabledkeyvault_purge_protection_enabledkeyvault_rbac_enabledkeyvault_secret_expiration_setkeyvault_soft_delete_enabledkeyvault_vault_private_link_usedkeyvault_vault_public_network_access_disabledkeyvault_vault_recoverablekeyvault_vault_use_virtual_service_endpointkeyvault_with_non_rbac_key_expiration_setkeyvault_with_non_rbac_secret_expiration_setkeyvault_with_rbac_key_expiration_setkeyvault_with_rbac_secret_expiration_setkubernetes_cluster_add_on_azure_policy_enabledkubernetes_cluster_addon_azure_policy_enabledkubernetes_cluster_authorized_ip_range_definedkubernetes_cluster_http_application_routing_disabledkubernetes_cluster_key_vault_secret_rotation_enabledkubernetes_cluster_logging_enabledkubernetes_cluster_max_pod_50kubernetes_cluster_network_plugin_azurekubernetes_cluster_network_policy_enabledkubernetes_cluster_node_restrict_public_accesskubernetes_cluster_os_and_data_disks_encrypted_with_cmkkubernetes_cluster_restrict_public_accesskubernetes_cluster_sku_standardkubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_hostkubernetes_cluster_upgrade_channelkubernetes_cluster_upgraded_with_non_vulnerable_versionkubernetes_instance_rbac_enabledkusto_cluster_disk_encryption_enabledkusto_cluster_double_encryption_enabledkusto_cluster_encrypted_at_rest_with_cmkkusto_cluster_sku_with_slalogic_app_workflow_logging_enabledmachine_learning_workspace_encrypted_with_cmkmanual_controlmanual_control_hipaamariadb_server_geo_redundant_backup_enabledmariadb_server_private_link_usedmariadb_server_public_network_access_disabledmariadb_server_ssl_enabledmonitor_application_insights_configuredmonitor_diagnostic_settings_captures_proper_categoriesmonitor_log_alert_create_policy_assignmentmonitor_log_alert_create_update_nsgmonitor_log_alert_create_update_nsg_rulemonitor_log_alert_create_update_public_ip_addressmonitor_log_alert_create_update_security_solutionmonitor_log_alert_create_update_sql_servers_firewall_rulemonitor_log_alert_delete_nsgmonitor_log_alert_delete_nsg_rulemonitor_log_alert_delete_policy_assignmentmonitor_log_alert_delete_public_ip_addressmonitor_log_alert_delete_security_solutionmonitor_log_alert_delete_sql_servers_firewall_rulemonitor_log_alert_for_administrative_operationsmonitor_log_alert_sql_firewall_rulemonitor_log_profile_enabled_for_all_categoriesmonitor_log_profile_enabled_for_all_regionsmonitor_log_profile_retention_365_daysmonitor_logs_storage_container_insights_activity_logs_encrypted_with_byokmonitor_logs_storage_container_insights_activity_logs_not_public_accessiblemonitor_logs_storage_container_insights_operational_logs_encrypted_with_byokmonitor_logs_storage_container_insights_operational_logs_not_public_accessiblemssql_managed_instance_encryption_at_rest_using_cmkmssql_managed_instance_vulnerability_assessment_enabledmysql_db_server_geo_redundant_backup_enabledmysql_server_audit_logging_enabledmysql_server_audit_logging_events_connection_setmysql_server_encrypted_at_rest_using_cmkmysql_server_infrastructure_encryption_enabledmysql_server_min_tls_1_2mysql_server_private_link_usedmysql_server_public_network_access_disabledmysql_ssl_enablednetwork_bastion_host_min_1network_ddos_enablednetwork_interface_ip_forwarding_disablednetwork_lb_diagnostics_logs_enablednetwork_lb_no_basic_skunetwork_network_peering_connectednetwork_public_ip_no_basic_skunetwork_security_group_diagnostic_setting_deployednetwork_security_group_https_access_restrictednetwork_security_group_not_configured_gateway_subnetsnetwork_security_group_outbound_access_restrictednetwork_security_group_rdp_access_restrictednetwork_security_group_remote_access_restrictednetwork_security_group_restrict_inbound_icmp_portnetwork_security_group_restrict_inbound_tcp_port_135network_security_group_restrict_inbound_tcp_port_1433network_security_group_restrict_inbound_tcp_port_20network_security_group_restrict_inbound_tcp_port_21network_security_group_restrict_inbound_tcp_port_23network_security_group_restrict_inbound_tcp_port_25network_security_group_restrict_inbound_tcp_port_3306network_security_group_restrict_inbound_tcp_port_4333network_security_group_restrict_inbound_tcp_port_445network_security_group_restrict_inbound_tcp_port_53network_security_group_restrict_inbound_tcp_port_5432network_security_group_restrict_inbound_tcp_port_5500network_security_group_restrict_inbound_tcp_port_5900network_security_group_restrict_inbound_udp_port_137network_security_group_restrict_inbound_udp_port_138network_security_group_restrict_inbound_udp_port_1434network_security_group_restrict_inbound_udp_port_445network_security_group_restrict_inbound_udp_port_53network_security_group_ssh_access_restrictednetwork_security_group_subnet_associatednetwork_security_group_udp_service_restrictednetwork_sg_flowlog_enablednetwork_sg_flowlog_retention_period_greater_than_90network_virtual_network_gateway_no_basic_skunetwork_watcher_enablednetwork_watcher_in_regions_with_virtual_networkpostgres_db_server_allow_access_to_azure_services_disabledpostgres_db_server_connection_throttling_onpostgres_db_server_geo_redundant_backup_enabledpostgres_db_server_latest_tls_versionpostgres_db_server_log_checkpoints_onpostgres_db_server_log_connections_onpostgres_db_server_log_disconnections_onpostgres_db_server_log_retention_days_3postgres_server_private_link_usedpostgres_sql_server_encrypted_at_rest_using_cmkpostgres_sql_ssl_enabledpostgresql_server_infrastructure_encryption_enabledpostgresql_server_public_network_access_disabledrecovery_service_vault_uses_managed_identityredis_cache_in_virtual_networkredis_cache_min_tls_1_2redis_cache_no_basic_skuredis_cache_ssl_enabledredis_cache_uses_private_linksearch_service_logging_enabledsearch_service_public_network_access_disabledsearch_service_replica_count_3search_service_uses_managed_identitysearch_service_uses_private_linksearch_service_uses_sku_supporting_private_linksecuritycenter_additional_email_configuredsecuritycenter_asc_default_setting_not_disabledsecuritycenter_automatic_provisioning_monitoring_agent_onsecuritycenter_azure_defender_on_for_appservicesecuritycenter_azure_defender_on_for_containerregistrysecuritycenter_azure_defender_on_for_containerssecuritycenter_azure_defender_on_for_cosmosdbsecuritycenter_azure_defender_on_for_databasesecuritycenter_azure_defender_on_for_dnssecuritycenter_azure_defender_on_for_k8ssecuritycenter_azure_defender_on_for_keyvaultsecuritycenter_azure_defender_on_for_opensource_relational_dbsecuritycenter_azure_defender_on_for_resource_managersecuritycenter_azure_defender_on_for_serversecuritycenter_azure_defender_on_for_sqldbsecuritycenter_azure_defender_on_for_sqlservervmsecuritycenter_azure_defender_on_for_storagesecuritycenter_container_image_scan_enabledsecuritycenter_email_configuredsecuritycenter_mcas_integrationsecuritycenter_notify_alerts_configuredsecuritycenter_pricing_standardsecuritycenter_security_alerts_to_owner_enabledsecuritycenter_wdatp_integrationservicebus_name_space_private_link_usedservicebus_namespace_azure_ad_authentication_enabledservicebus_namespace_logging_enabledservicebus_namespace_no_overly_permissive_network_accessservicebus_premium_namespace_cmk_encryptedservicebus_use_virtual_service_endpointservicefabric_cluster_active_directory_authentication_enabledservicefabric_cluster_protection_level_as_encrypt_and_signsignalr_service_no_free_tier_skusignalr_service_private_link_usedspring_cloud_service_network_injection_enabledsql_database_allow_internet_accesssql_database_long_term_geo_redundant_backup_enabledsql_database_transparent_data_encryption_enabledsql_database_vulnerability_findings_resolvedsql_db_active_directory_admin_configuredsql_db_public_network_access_disabledsql_server_and_databases_va_enabledsql_server_atp_enabledsql_server_auditing_onsql_server_auditing_retention_period_90sql_server_auditing_storage_account_destination_retention_90_dayssql_server_azure_ad_authentication_enabledsql_server_azure_defender_enabledsql_server_tde_protector_cmk_encryptedsql_server_threat_detection_all_enabledsql_server_transparent_data_encryption_enabledsql_server_use_virtual_service_endpointsql_server_uses_private_linksql_server_va_setting_periodic_scan_enabledsql_server_va_setting_reports_notify_adminssql_server_va_setting_scan_reports_configuredstorage_account_blob_containers_public_access_privatestorage_account_blob_service_logging_enabledstorage_account_blobs_logging_enabledstorage_account_block_public_accessstorage_account_containing_vhd_os_disk_cmk_encryptedstorage_account_default_network_access_rule_deniedstorage_account_encryption_at_rest_using_cmkstorage_account_encryption_scopes_encrypted_at_rest_with_cmkstorage_account_geo_redundant_enabledstorage_account_infrastructure_encryption_enabledstorage_account_min_tls_1_2storage_account_queue_services_logging_enabledstorage_account_queues_logging_enabledstorage_account_restrict_network_accessstorage_account_secure_transfer_required_enabledstorage_account_soft_delete_enabledstorage_account_table_service_logging_enabledstorage_account_tables_logging_enabledstorage_account_trusted_microsoft_services_enabledstorage_account_use_virtual_service_endpointstorage_account_uses_azure_resource_managerstorage_account_uses_private_linkstorage_sync_private_link_usedstream_analytics_job_logging_enabledsynapse_workspace_data_exfiltration_protection_enabledsynapse_workspace_encryption_at_rest_using_cmksynapse_workspace_private_link_usedsynapse_workspace_vulnerability_assessment_enabled
Query: iam_external_user_with_write_permission
Usage
powerpipe query azure_compliance.query.iam_external_user_with_write_permission
SQL
with all_write_permission_users as ( select distinct u.display_name, d.role_name, u.account_enabled, u.user_principal_name, d.subscription_id from azuread_user as u left join azure_role_assignment as a on a.principal_id = u.id left join azure_role_definition as d on d.id = a.role_definition_id where d.role_name = any(array [ 'Owner', 'Contributor' ])),distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select a.user_principal_name as resource, case when a.user_principal_name like '%EXT%' then 'alarm' else 'ok' end as status, case when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.' else a.display_name || ' is domain user with ' || a.role_name || ' role.' end as reason, t.tenant_idfrom distinct_tenant as t, all_write_permission_users as a;Controls
The query is being used by the following controls: