Framework/Configurations/SVT/AAD/AAD.User.json

{
  "FeatureName": "User",
  "Reference": "aka.ms/azsktcp/user",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "AAD_User_DirSync_Setting_Should_Match_Tenant",
      "Description": "A user's dirsync-enabled setting must match the tenant level setting",
      "Id": "User110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckUserDirSyncSetting",
      "Rationale": "When a tenant is setup with dir-sync, users are usually created on-premise and synchronized outbound. In such a case, seeing a user object with dirsync setting that does not match the tenant's setting is likely an anomaly and needs scrutiny.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_User_Do_Not_Disable_Password_Expiration",
      "Description": "Do not disable password expiration policy for users",
      "Id": "User120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPasswordExpiration",
      "Rationale": "Users with password expiration disabled represent a long term risk to the tenant in the event of password compromise. Ensuring that password expiration is enabled for everyone ensures that the window of attack is limited.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_User_Do_Not_Disable_Strong_Password",
      "Description": "Do not disable strong password policy for users",
      "Id": "User130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStrongPassword",
      "Rationale": "Strong passwords are harder to compromise. When strong passwords are disabled for a user, their account becomes vulnerable to various brute-force password guessing/cracking attacks.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    }
]
}