cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

MS.AAD.2.2v1 Automate validation of settings to notify administrator when high risk users are detected #91

Closed schrolla closed 1 month ago

schrolla commented 1 year ago

Azure AD Secure Configuration Baseline Item MS.AAD.2.2v1 states, "A notification SHOULD be sent to the administrator when high-risk users are detected."

Previous work shows that there is not currently an MS Graph API endpoint to validate the notification settings. Additionally, the implementation guidance further clarifies that settings should "configure Azure AD Identity Protection to email the security operations team/administrator when a user account is determined to be high risk so that they can review and respond to threats." As such, an automated implementation should include a way for an agency to indicate who the security operations team or administrator to be notified is in order to indicate compliance with the baseline. Otherwise, even with notification configured it isn't clear that the recipients are valid and correct.

This item is blocked until either Microsoft Graph API and associated Graph Powershell SDK adds support to query these settings OR an alternative automated mechanism can be discovered or developed to retrieve these settings for automated evaluation.

pl4nty commented 1 year ago

In the meantime, could an AAD P2 license check be added? It's listed as required in the docs.
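The license check suggested above, as an added example that is not ScubaGear's own code: it queries the tenant's subscribed SKUs through the Microsoft Graph PowerShell SDK and reports whether a provisioned Entra ID (Azure AD) P2 service plan is present. It assumes the Microsoft.Graph modules are installed and the caller can consent to Organization.Read.All; the function name Test-AadPremiumP2License is hypothetical. A positive result only shows the tenant is entitled to Identity Protection, not that the high-risk user notification or its recipients are configured.

```powershell
# Added example (not ScubaGear code). Checks whether any subscribed SKU in the
# tenant carries a provisioned AAD_PREMIUM_P2 service plan, the entitlement that
# Identity Protection (and therefore the "Users at risk detected" email) relies on.
# Assumes Microsoft.Graph is installed and Organization.Read.All is granted.
Connect-MgGraph -Scopes "Organization.Read.All" -NoWelcome

function Test-AadPremiumP2License {
    [CmdletBinding()]
    param()

    # Service plan name under which Entra ID P2 appears in subscribed SKUs.
    $P2PlanName = "AAD_PREMIUM_P2"

    $skus   = Get-MgSubscribedSku
    $p2Skus = foreach ($sku in $skus) {
        # Count only plans that are actually provisioned, not pending or disabled.
        $plan = $sku.ServicePlans | Where-Object {
            $_.ServicePlanName -eq $P2PlanName -and $_.ProvisioningStatus -eq "Success"
        }
        if ($plan) { $sku }
    }

    [PSCustomObject]@{
        HasP2          = [bool]$p2Skus
        SkuPartNumbers = @($p2Skus | ForEach-Object SkuPartNumber)
        EnabledUnits   = ($p2Skus | ForEach-Object { $_.PrepaidUnits.Enabled } |
                          Measure-Object -Sum).Sum
        ConsumedUnits  = ($p2Skus | Measure-Object -Property ConsumedUnits -Sum).Sum
    }
}

$result = Test-AadPremiumP2License
if (-not $result.HasP2) {
    Write-Warning "No provisioned AAD_PREMIUM_P2 plan found; Identity Protection alerts for MS.AAD.2.2v1 are unavailable."
} else {
    "P2 present via SKU(s): $($result.SkuPartNumbers -join ', ') " +
    "($($result.ConsumedUnits) of $($result.EnabledUnits) licenses assigned)"
}
```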

schrolla commented 8 months ago

Look to assign someone to review and explore this further and decompose into a workable story.

schrolla commented 6 months ago

Changing to blocked pending notification that MSGraph API supports query of this property. Will relook in future to validate if it is still blocked.

schrolla commented 1 month ago

@tkol2022 Check with Microsoft to see if there is an API endpoint to query for this information.

tkol2022 commented 1 month ago

Received a response from Microsoft that there is currently no API to retrieve the list of users that get the "Users at risk detected alerts" emails. Therefore we cannot code any updates to ScubaGear at this time.