Table: azuread_authorization_policy - Query Azure Active Directory Authorization Policies using SQL
Azure Active Directory (Azure AD) Authorization Policy is a feature of Microsoft Azure that defines how resources in your organization are accessed. It provides a centralized way to manage authorization settings, control access, and enforce security configurations across your Azure resources. Azure AD Authorization Policy enables you to manage and secure access to your resources effectively.
Table Usage Guide
The azuread_authorization_policy
table provides insights into authorization policies within Azure Active Directory. As a security administrator, explore policy-specific details through this table, including policy settings, associated metadata, and security configurations. Utilize it to uncover information about policies, such as those with specific access controls, the enforcement of security configurations, and the verification of authorization settings.
Examples
Basic info
Analyze the settings to understand the display name, ID, and invite permissions for a given Azure AD authorization policy. This can be useful for auditing and managing access controls within your Azure environment.
select display_name, id, allow_invites_fromfrom azuread_authorization_policy;
select display_name, id, allow_invites_fromfrom azuread_authorization_policy;
Check if user consent to apps accessing company data on their behalf is not allowed
Determine the areas in which users have not granted permission for apps to access company data on their behalf. This can be useful to maintain data privacy and prevent unauthorized access.
select display_name, id, default_user_role_permissionsfrom azuread_authorization_policywhere default_user_role_permissions ->> 'permissionGrantPoliciesAssigned' = '[]';
select display_name, id, default_user_role_permissionsfrom azuread_authorization_policywhere json_extract( default_user_role_permissions, '$.permissionGrantPoliciesAssigned' ) = '[]';
Check if all members are allowed to invite external users to the organization
Determine if your organization's settings permit all members to invite external users. This is useful for assessing the openness of your organization's communication and collaboration policies.
select display_name, id, default_user_role_permissionsfrom azuread_authorization_policywhere allow_invites_from = 'everyone';
select display_name, id, default_user_role_permissionsfrom azuread_authorization_policywhere allow_invites_from = 'everyone';
Check if email validation is not required to join the tenant
Determine if your organization's settings allow users to join without verifying their email first. This could be a potential security risk, as it may enable unauthorized individuals to gain access to your system.
select display_name, id, default_user_role_permissionsfrom azuread_authorization_policywhere not allowed_email_verified_users_to_join_organization;
select display_name, id, default_user_role_permissionsfrom azuread_authorization_policywhere not allowed_email_verified_users_to_join_organization;
Control examples
- All Controls > Active Directory > Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- All Controls > Active Directory > Ensure that 'Users Can Create Tenants' is set to 'No'
- All Controls > Active Directory > Ensure that 'Users Can Register Applications' is set to 'No'
- CIS v1.4.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.4 Ensure self-service password reset is enabled
- CIS v1.4.0 > 2 Application Permissions > 2.1 Ensure third party integrated applications are not allowed
- CIS v1.4.0 > 2 Application Permissions > 2.6 Ensure user consent to apps accessing company data on their behalf is not allowed
- CIS v1.5.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.4 Ensure self-service password reset is enabled
- CIS v1.5.0 > 1 Identity and Access Management > 1.14 Ensure That ‘Users Can Register Applications’ Is Set to ‘No’
- CIS v1.5.0 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- CIS v1.5.0 > 2 Application Permissions > 2.1 Ensure third party integrated applications are not allowed
- CIS v1.5.0 > 2 Application Permissions > 2.6 Ensure user consent to apps accessing company data on their behalf is not allowed
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.8 Ensure 'Self service password reset enabled' is set to 'All'
- CIS v2.0.0 > 1 Identity and Access Management > 1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
- CIS v2.0.0 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- CIS v2.0.0 > 2 Application Permissions > 2.2 Ensure third party integrated applications are not allowed
- CIS v2.0.0 > 2 Application Permissions > 2.7 Ensure user consent to apps accessing company data on their behalf is not allowed
- CIS v2.1.0 > 1 Identity and Access Management > 1.13 Ensure That 'Users Can Register Applications' Is Set to 'No'
- CIS v2.1.0 > 1 Identity and Access Management > 1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- CIS v3.0.0 > 2 Identity > 2.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
- CIS v3.0.0 > 2 Identity > 2.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.1 Identity > 5.1.2 Users > 5.1.2.2 Ensure third party integrated applications are not allowed
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.1 Identity > 5.1.5 Applications > 5.1.5.2 Ensure user consent to apps accessing company data on their behalf is not allowed
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.2 Protection > 5.2.4 Password reset > 5.2.4.1 Ensure 'Self service password reset enabled' is set to 'All'
Schema for azuread_authorization_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
allow_invites_from | text | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. | |
allowed_email_verified_users_to_join_organization | boolean | Indicates whether a user can join the tenant by email validation. | |
allowed_to_sign_up_email_based_subscriptions | boolean | Indicates whether users can sign up for email based subscriptions. | |
allowed_to_use_sspr | boolean | Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant. | |
block_msol_powershell | boolean | To disable the use of MSOL PowerShell set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph. | |
default_user_role_permissions | jsonb | Specifies certain customizable permissions for default user role. | |
description | text | Description of this policy. | |
display_name | text | Display name for this policy. | |
guest_user_role_id | text | Represents role templateId for the role that should be granted to guest user. | |
id | text | ID of the authorization policy. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Tenant ID where the resource is located. |
title | text | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azuread
You can pass the configuration to the command with the --config
argument:
steampipe_export_azuread --config '<your_config>' azuread_authorization_policy