question

Byty avatar image
0 Votes"
Byty asked vipulsparsh-MSFT commented

Security Center MFA Policy Users report

Hello,
How do i get the users that for example are not compliant with "MFA should be enabled on accounts with owner permissions on your subscription"

Using the Security Center you get the Subscription and when you click on them you get the users.
Is there any Query that could get the users?

The query from "Azure Resource Graph Explorer" only reports the subscriptions.

securityresources
| where type == "microsoft.security/assessments"
| extend source = tostring(properties.resourceDetails.Source)
| extend resourceId =
trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
source =~ "aws", properties.resourceDetails.AzureResourceId,
source =~ "gcp", properties.resourceDetails.AzureResourceId,
extract("^(.+)/providers/Microsoft.Security/assessments/.+$",1,id)))))
| extend status = trim(" ", tostring(properties.status.code))
| extend cause = trim(" ", tostring(properties.status.cause))
| extend assessmentKey = tostring(name)
| where assessmentKey == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" and status == "Unhealthy"



Thank you,
Adrian

azure-security-center
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

vipulsparsh-MSFT avatar image
0 Votes"
vipulsparsh-MSFT answered

Thanks for reaching out. Can you try the following query in Azure Resource Graph Explorer :

securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName == "MFA should be enabled on accounts with owner permissions on your subscription"
| where properties.status.code == "Unhealthy"


97146-image.png


Let me know if this helps.



image.png (37.3 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Byty avatar image
0 Votes"
Byty answered vipulsparsh-MSFT commented

Hello,
The same that gives me the Resources ( Subscriptions ) that have affected users in relation to that policy but does not return the actually users
I want to get the actual users that are affected.

Kind regards,
97665-picresult.jpg



picresult.jpg (95.5 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@Byty The output from the query I shared earlier contains additional data attribute that has the list of the account object IDs for accounts that don't have MFA enforced.

0 Votes 0 ·