This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results. Cette mise en œuvre automatise la production de rapports afin de vérifier la conformité aux mesures de sécurité infonuagique du GC. SPC et SCT examinent les résultats.
ItemName: Authentication Mechanisms: Risk Based Conditional Access Policies (M)
ItemName FR: « Mécanismes d'authentification : politiques d'accès conditionnel basées sur les risques (M) »
Description: This is a new control derived from a previously existing check. It confirms that the environment has enabled risk-based Conditional Access policies: one that forces a password change on user risk, and one that restricts sign-in to allowed (named) locations.
Check for a Conditional Access policy with the following configuration:
o Under Conditions > User risk, set Configure to Yes; under Configure user risk levels needed for policy to be enforced, select High.
o Under Access controls > Grant, select Grant access, Require multifactor authentication and Require password change.
o Under Session, select Sign-in frequency and ensure Every time is selected.
o Enable policy = On
Reference: Risk-based user sign-in protection in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Reuse the existing check from Guardrail 3 called “Conditional Access Policy for Cloud Console Access (R)” and improve as needed.
If both conditional access policies exist and are configured as required, the check is compliant.
Comments
If non-compliant (c1) = Configure the conditional access policy to force password changes based on user risk.
If non-compliant (c2) = Configure the conditional access policy to prevent sign-ins from unapproved named locations.
If non-compliant (c1, c2) = Configure the conditional access policies outlined in the remediation guidance.
If compliant = Compliant. Both conditional access policies have been configured.
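The following is an added example of how the two checks and the comment scheme above could be evaluated in code; it is not the guardrails project's own module. It assumes policies are supplied in the shape the Microsoft Graph `conditionalAccessPolicy` resource returns (`state`, `conditions.userRiskLevels`, `grantControls.builtInControls`, `sessionControls.signInFrequency`, `conditions.locations`). The page does not spell out the configuration for Check 2, so the named-location policy is assumed to follow the common pattern of blocking all locations except approved named locations; the sample policies and the named-location id are constructed.

```python
"""Evaluate Entra Conditional Access policies against Check 1 (password change on
high user risk) and Check 2 (block sign-in outside approved named locations).
Added example; the policy data below is constructed, not a real tenant export."""
from __future__ import annotations

# Constructed sample of what GET /identity/conditionalAccess/policies returns in
# "value" (only the fields the checks inspect are present).
SAMPLE_POLICIES = [
    {
        "displayName": "Require password change on high user risk",
        "state": "enabled",
        "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": [], "locations": None},
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}},
    },
    {
        "displayName": "Block sign-in outside approved locations",
        "state": "enabled",
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            # excludeLocations holds a placeholder named-location id (constructed)
            "locations": {"includeLocations": ["All"], "excludeLocations": ["00000000-0000-0000-0000-0000000000aa"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        "sessionControls": None,
    },
]


def _get(d, *path, default=None):
    """Walk nested dicts, tolerating the None values Graph emits for unset blocks."""
    for key in path:
        if not isinstance(d, dict):
            return default
        d = d.get(key)
    return default if d is None else d


def user_risk_policy_findings(policy: dict) -> list[str]:
    """Deviations of one policy from the Check 1 configuration (empty list = matches)."""
    findings = []
    if policy.get("state") != "enabled":  # report-only or disabled does not count
        findings.append("policy is not enabled")
    if _get(policy, "conditions", "userRiskLevels", default=[]) != ["high"]:
        findings.append("user risk level is not set to High")
    grant = set(_get(policy, "grantControls", "builtInControls", default=[]))
    if not {"mfa", "passwordChange"} <= grant or _get(policy, "grantControls", "operator") != "AND":
        findings.append("grant does not require MFA and password change together")
    sif = _get(policy, "sessionControls", "signInFrequency", default={})
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("sign-in frequency is not 'Every time'")
    return findings


def named_location_policy_findings(policy: dict) -> list[str]:
    """Deviations from the assumed Check 2 shape: block all locations except approved ones."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    if "block" not in _get(policy, "grantControls", "builtInControls", default=[]):
        findings.append("grant control is not Block access")
    loc = _get(policy, "conditions", "locations", default={})
    if "All" not in loc.get("includeLocations", []) or not loc.get("excludeLocations"):
        findings.append("locations are not 'All' with approved named locations excluded")
    return findings


def evaluate(policies: list[dict]) -> dict:
    """Return the compliance status and the comment text defined for c1/c2 outcomes."""
    c1 = any(not user_risk_policy_findings(p) for p in policies)
    c2 = any(not named_location_policy_findings(p) for p in policies)
    comments = {
        (True, True): "Compliant. Both conditional access policies have been configured.",
        (False, True): "Configure the conditional access policy to force password changes based on user risk.",
        (True, False): "Configure the conditional access policy to prevent sign-ins from unapproved named locations.",
        (False, False): "Configure the conditional access policies outlined in the remediation guidance.",
    }
    return {"ComplianceStatus": c1 and c2, "Check1": c1, "Check2": c2, "Comments": comments[(c1, c2)]}


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES))
```

A policy in the `enabledForReportingButNotEnforced` state is treated as non-compliant, which matches the "Enable policy = On" requirement; a real run would replace `SAMPLE_POLICIES` with the tenant's policy export.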
Checks:
Check 1: Password Changes - Conditional Access Policy
Check 2: Allowed Location - Conditional Access Policy