Azure Security Review

A notebook (using Polyglot) that codifies the Azure Security Review Checklist and other general security recommendations, like Microsoft Security Benchmarks. It will also include best practices and well architected recommendations.

The notebook approach allows for use of many different languages and frameworks. We can use Microsoft Graph to gain insights into Entra ID (Azure AD), and we can use Azure Resource Graph combined with Azure Powershell or Az cli. But C#, Python, Javascript, etc. is also viable options.

Combined with Markdown, this allows for verbosity to a level that is hard to beat with any other tooling, and insights gained literally with the click of a button.

News

All code regarding Entra ID has been converted to a Powershell module, published to PSAzureSecurityAssessment.

Also added Write-EntraIdAssessment which will output a Markdown file (and optionally upload to an Azure Storage Account). This even supports multi tenant assessments, supported by New-MultiTenantApplication which can create a multi-tenant application to be used for these types of assessments (or just a single tenant).

Notes

These are the controls/checks that are implemented, planned, or work in progress.

Entra ID (Azure AD) entra-id.ipynb
- Users
- User States
- Disabled Users
- Privileged administration
- Limit the number of Global Administrators to less than 5
- Synchronized accounts
- Use groups for Azure AD role assignments (Work in Progress)
- PIM Alerts
- Recurring access reviews
- Access Reviews: Enabled for all groups
- Apps and Owners Can Change All Group Membership (Work in Progress)
- Avoid standing access for user accounts and permissions (Work in Progress)
- External Identities
- Guest Invite Settings
- Guest User Access Restrictions (Work in Progress)
- User Setting
- User role permissions (Application registration)
- Authentication Methods
- Custom Domains
- Verified Domains
- Enterprise Applications
- User Consent for Apps
- Group Owner Consent (Work in Progress)
- Application Owners
- Applications with privileged app role assignments
- Conditional Access Policies
- Block Legacy Protocols
- Require MFA for Administrators
- Require MFA for Azure Management
- Restricted Locations
- Require devices to be marked as compliant
- Protected Actions
- Break Glass/Emergency Accounts (Work in Progress)
- Password Reset
- Self-service password reset policy requirement (Work in Progress)
- Re-confirm authentication information (Work in Progress)
- Number of methods required to reset password (Work in Progress)
Azure Infrastructure
- Network network.ipynb
- Subnets should have an NSG associated
- NSG Deny All Rule
- Open Management Ports
- NSG Flow Logs
- Network ACLs
- Azure SQL Network ACLs
- App Services app_services.ipynb
- Use HTTPS Only
- Set minimum TLS policy to 1.2
- Turn off remote debugging
- Role Based Access Control (RBAC)
- Privileged Administrator Role Assignments (planned)

Check out the Demo section for examples.

Prerequisites

VSCode
Python Extension
Polyglot Extension
Anaconda 3

# Install Anaconda 3 using ex. Chocolatey

# from an elevated command prompt
choco install anaconda3
# go drink a coffee - this takes a while

We need to make sure a few prequisite modules are installed

Az (Azure Powershell)
Az.ResourceGraph
Microsoft.Graph

Note that Microsoft.Graph is a collection of many modules.

If there are multiple of the same modules listed using below code, then you have Microsoft.Graph modules installed in multiple places and possibly multiple different versions.

I would suggest completely uninstalling and then install the necessary modules. Also beware if you are installing to PowerShell Desktop or Core, check $PSVersionTable.

$MGModuleNames = 'Microsoft.Graph.Identity.DirectoryManagement', 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Identity.SignIns', 'Microsoft.Graph.Groups', 'Microsoft.Graph.DirectoryObjects', 'Microsoft.Graph.Users', 'Microsoft.Graph.Applications'
$MGModuleNames | % {Install-Module -Name $_ -Scope AllUsers -Force -Verbose}
# beta modules
$MGModuleNames = 'Microsoft.Graph.Beta.Identity.SignIns', 'Microsoft.Graph.Beta.Identity.Governance', 'Microsoft.Graph.Beta.Applications', 'Microsoft.Graph.Beta.Identity.DirectoryManagement', 'Microsoft.Graph.Beta.DirectoryObjects', 'Microsoft.Graph.Beta.Reports'
$MGModuleNames | % {Install-Module -Name $_ -Scope AllUsers -Force -Verbose -AllowClobber}

Note that this installation takes a while to complete.

You can list the modules, versions and their install location using

Get-Module -ListAvailable | Where-Object {$_.Name -like "Microsoft.Graph*"}

Beware of having multiple versions or differing versions installed. You can encounter this error Assembly with same name is already loaded if two different modules are loading two different assemblies with the same name but different versions. Avoid this by always using the latest version.

Update all MG modules using

Get-Module -ListAvailable | Where-Object {$_.Name -like "*Microsoft.Graph.*"} | Update-Module -Force

And then use MicrosoftGraphPS to remove old versions.

Install-Module -Name MicrosoftGraphPS
# and run
Manage-Version-Microsoft.Graph -CleanupOldMicrosoftGraphVersions

We will also be using a community module:

Install-Module -Name AzResourceGraphPS

and for PS Core only users we need Out-GridView (Windows GUI elements not available in PS Core)

Install-Module Microsoft.PowerShell.ConsoleGuiTools
# And set the alias - note this is just for the session.
Set-Alias -Name Out-GridView -Value Out-ConsoleGridview

Azure Policies

This notebook is not a replacement for Azure Policies. Many of the checks done here is much better to do using Azure Policies (if possible), as these continously evaluate, and can also enforce specific settings.