azuread_account_provisioning_activity_report_reviewedazuread_admin_consent_workflow_enabledazuread_admin_user_mfa_enabledazuread_all_user_mfa_enabledazuread_audit_log_search_enabledazuread_authorization_policy_accessing_company_data_not_allowedazuread_global_admin_range_restrictedazuread_group_not_publicazuread_guest_user_infoazuread_legacy_authentication_disabledazuread_microsoft_azure_management_limited_to_administrative_rolesazuread_password_protection_enabledazuread_risky_sign_ins_reportazuread_security_default_disabledazuread_signin_frequency_policyazuread_signin_risk_policyazuread_third_party_application_not_allowedazuread_user_password_not_set_to_expireazuread_user_risk_policyazuread_user_sspr_enabledmicrosoft365_calendar_sharing_disabled
Query: azuread_signin_frequency_policy
Usage
powerpipe query microsoft365_compliance.query.azuread_signin_frequency_policy
SQL
with users_having_admin_roles as ( select array_agg(role_template_id) as rid from azuread_directory_role where display_name like '%Administrator'),signin_frequency_enabled as ( select tenant_id, count(p.*) from azuread_conditional_access_policy as p, users_having_admin_roles as a where (p.users -> 'includeRoles') :: jsonb ?| (a.rid) and (p.sign_in_frequency -> 'isEnabled') :: bool and (p.persistent_browser -> 'isEnabled') :: bool and p.persistent_browser ->> 'mode' = 'never' and p.applications -> 'includeApplications' ? & array [ 'All' ] and jsonb_array_length(p.applications -> 'excludeApplications') = 0 and jsonb_array_length(p.built_in_controls) = 1 and p.built_in_controls ? & array [ 'mfa' ] and state = 'enabled' group by tenant_id),tenant_list as ( select distinct on (tenant_id) tenant_id, _ctx from azuread_user)select tenant_id as resource, case when ( select count from signin_frequency_enabled where tenant_id = t.tenant_id ) > 0 then 'ok' else 'alarm' end as status, case when ( select count from signin_frequency_enabled where tenant_id = t.tenant_id ) > 0 then tenant_id || ' has sign-in frequency policy enabled.' else tenant_id || ' has sign-in frequency policy disabled.' end as reason, t.tenant_id as tenant_idfrom tenant_list as t;
Controls
The query is being used by the following controls:
- 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 1.1.3 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users