A notebook (using Polyglot) that codifies the Azure Security Review Checklist and other general security recommendations, like Microsoft Security Benchmarks. It will also include best practices and well architected recommendations.
The notebook approach allows for use of many different languages and frameworks. We can use Microsoft Graph to gain insights into Entra ID (Azure AD), and we can use Azure Resource Graph combined with Azure Powershell or Az cli. But C#, Python, Javascript, etc. is also viable options.
Combined with Markdown, this allows for verbosity to a level that is hard to beat with any other tooling, and insights gained literally with the click of a button.
All code regarding Entra ID has been converted to a Powershell module, published to PSAzureSecurityAssessment.
Also added Write-EntraIdAssessment which will output a Markdown file (and optionally upload to an Azure Storage Account). This even supports multi tenant assessments, supported by New-MultiTenantApplication which can create a multi-tenant application to be used for these types of assessments (or just a single tenant).
These are the controls/checks that are implemented, planned, or work in progress.
- Entra ID (Azure AD) entra-id.ipynb
- Users
- User States
- Disabled Users
- Privileged administration
- Limit the number of Global Administrators to less than 5
- Synchronized accounts
- Use groups for Azure AD role assignments (Work in Progress)
- PIM Alerts
- Recurring access reviews
- Access Reviews: Enabled for all groups
- Apps and Owners Can Change All Group Membership (Work in Progress)
- Avoid standing access for user accounts and permissions (Work in Progress)
- External Identities
- Guest Invite Settings
- Guest User Access Restrictions (Work in Progress)
- User Setting
- User role permissions (Application registration)
- Authentication Methods
- Custom Domains
- Verified Domains
- Enterprise Applications
- User Consent for Apps
- Group Owner Consent (Work in Progress)
- Application Owners
- Applications with privileged app role assignments
- Conditional Access Policies
- Block Legacy Protocols
- Require MFA for Administrators
- Require MFA for Azure Management
- Restricted Locations
- Require devices to be marked as compliant
- Protected Actions
- Break Glass/Emergency Accounts (Work in Progress)
- Password Reset
- Self-service password reset policy requirement (Work in Progress)
- Re-confirm authentication information (Work in Progress)
- Number of methods required to reset password (Work in Progress)
- Users
- Azure Infrastructure
- Network network.ipynb
- Subnets should have an NSG associated
- NSG Deny All Rule
- Open Management Ports
- NSG Flow Logs
- Network ACLs
- Azure SQL Network ACLs
- App Services app_services.ipynb
- Use HTTPS Only
- Set minimum TLS policy to 1.2
- Turn off remote debugging
- Role Based Access Control (RBAC)
- Privileged Administrator Role Assignments (planned)
- Network network.ipynb
Check out the Demo section for examples.
- VSCode
- Python Extension
- Polyglot Extension
- Anaconda 3
# Install Anaconda 3 using ex. Chocolatey
# from an elevated command prompt
choco install anaconda3
# go drink a coffee - this takes a whileWe need to make sure a few prequisite modules are installed
- Az (Azure Powershell)
- Az.ResourceGraph
- Microsoft.Graph
Note that Microsoft.Graph is a collection of many modules.
If there are multiple of the same modules listed using below code, then you have Microsoft.Graph modules installed in multiple places and possibly multiple different versions.
I would suggest completely uninstalling and then install the necessary modules. Also beware if you are installing to PowerShell Desktop or Core, check $PSVersionTable.
$MGModuleNames = 'Microsoft.Graph.Identity.DirectoryManagement', 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Identity.SignIns', 'Microsoft.Graph.Groups', 'Microsoft.Graph.DirectoryObjects', 'Microsoft.Graph.Users', 'Microsoft.Graph.Applications'
$MGModuleNames | % {Install-Module -Name $_ -Scope AllUsers -Force -Verbose}
# beta modules
$MGModuleNames = 'Microsoft.Graph.Beta.Identity.SignIns', 'Microsoft.Graph.Beta.Identity.Governance', 'Microsoft.Graph.Beta.Applications', 'Microsoft.Graph.Beta.Identity.DirectoryManagement', 'Microsoft.Graph.Beta.DirectoryObjects', 'Microsoft.Graph.Beta.Reports'
$MGModuleNames | % {Install-Module -Name $_ -Scope AllUsers -Force -Verbose -AllowClobber}Note that this installation takes a while to complete.
You can list the modules, versions and their install location using
Get-Module -ListAvailable | Where-Object {$_.Name -like "Microsoft.Graph*"}Beware of having multiple versions or differing versions installed. You can encounter this error Assembly with same name is already loaded if two different modules are loading two different assemblies with the same name but different versions. Avoid this by always using the latest version.
Update all MG modules using
Get-Module -ListAvailable | Where-Object {$_.Name -like "*Microsoft.Graph.*"} | Update-Module -ForceAnd then use MicrosoftGraphPS to remove old versions.
Install-Module -Name MicrosoftGraphPS
# and run
Manage-Version-Microsoft.Graph -CleanupOldMicrosoftGraphVersionsWe will also be using a community module:
Install-Module -Name AzResourceGraphPSand for PS Core only users we need Out-GridView (Windows GUI elements not available in PS Core)
Install-Module Microsoft.PowerShell.ConsoleGuiTools
# And set the alias - note this is just for the session.
Set-Alias -Name Out-GridView -Value Out-ConsoleGridviewThis notebook is not a replacement for Azure Policies. Many of the checks done here is much better to do using Azure Policies (if possible), as these continously evaluate, and can also enforce specific settings.
Limit the number of Global Administrators to less than 5
Limit.the.number.of.Global.Administrators.to.less.than.5.mov
PIM.alerts.mov
user.consent.for.apps.mov
application.owners.mov
block.legacy.protocols.mov
Subnets should have an NSG associated