From 9cadf1f5f3d22ed9d2e6a5019cc0c342f39e3deb Mon Sep 17 00:00:00 2001 From: AkhtarAmir Date: Mon, 6 Oct 2025 18:13:28 +0500 Subject: [PATCH] update active directory to entra id --- docs/azure.md | 2 +- exports.js | 16 ++++++++-------- helpers/azure/api.js | 14 +++++++------- .../appOrgnaizationalDirectoryAccess.js | 6 +++--- .../appOrgnaizationalDirectoryAccess.spec.js | 0 .../ensureNoGuestUser.js | 6 +++--- .../ensureNoGuestUser.spec.js | 0 .../minPasswordLength.js | 4 ++-- .../noCustomOwnerRoles.js | 2 +- .../noCustomOwnerRoles.spec.js | 0 .../passwordRequiresLowercase.js | 4 ++-- .../passwordRequiresNumbers.js | 4 ++-- .../passwordRequiresSymbols.js | 2 +- .../passwordRequiresUppercase.js | 4 ++-- 14 files changed, 32 insertions(+), 32 deletions(-) rename plugins/azure/{activedirectory => entraid}/appOrgnaizationalDirectoryAccess.js (88%) rename plugins/azure/{activedirectory => entraid}/appOrgnaizationalDirectoryAccess.spec.js (100%) rename plugins/azure/{activedirectory => entraid}/ensureNoGuestUser.js (91%) rename plugins/azure/{activedirectory => entraid}/ensureNoGuestUser.spec.js (100%) rename plugins/azure/{activedirectory => entraid}/minPasswordLength.js (87%) rename plugins/azure/{activedirectory => entraid}/noCustomOwnerRoles.js (99%) rename plugins/azure/{activedirectory => entraid}/noCustomOwnerRoles.spec.js (100%) rename plugins/azure/{activedirectory => entraid}/passwordRequiresLowercase.js (88%) rename plugins/azure/{activedirectory => entraid}/passwordRequiresNumbers.js (88%) rename plugins/azure/{activedirectory => entraid}/passwordRequiresSymbols.js (90%) rename plugins/azure/{activedirectory => entraid}/passwordRequiresUppercase.js (88%) diff --git a/docs/azure.md b/docs/azure.md index 5fe8997096..8ae9225f00 100644 --- a/docs/azure.md +++ b/docs/azure.md 
@@ -1,7 +1,7 @@ # CloudSploit For Microsoft Azure ## Cloud Provider Configuration -1. Log into your Azure Portal and navigate to the Azure Active Directory service. +1. Log into your Azure Portal and navigate to the Azure Entra ID service. 1. Select App registrations and then click on New registration. 1. Enter "CloudSploit" and/or a descriptive name in the Name field, take note of it, it will be used again in step 3. 1. Leave the "Supported account types" default: "Accounts in this organizational directory only (YOURDIRECTORYNAME)". diff --git a/exports.js b/exports.js index f83bb6a31b..215cd9c338 100644 --- a/exports.js +++ b/exports.js 
@@ -1039,14 +1039,14 @@ module.exports = { 'endpointLoggingEnabled' : require(__dirname + '/plugins/azure/cdnprofiles/endpointLoggingEnabled.js'), 'detectInsecureCustomOrigin' : require(__dirname + '/plugins/azure/cdnprofiles/detectInsecureCustomOrigin.js'), - 'passwordRequiresLowercase' : require(__dirname + '/plugins/azure/activedirectory/passwordRequiresLowercase.js'), - 'passwordRequiresNumbers' : require(__dirname + '/plugins/azure/activedirectory/passwordRequiresNumbers.js'), - 'passwordRequiresSymbols' : require(__dirname + '/plugins/azure/activedirectory/passwordRequiresSymbols.js'), - 'passwordRequiresUppercase' : require(__dirname + '/plugins/azure/activedirectory/passwordRequiresUppercase.js'), - 'minPasswordLength' : require(__dirname + '/plugins/azure/activedirectory/minPasswordLength.js'), - 'ensureNoGuestUser' : require(__dirname + '/plugins/azure/activedirectory/ensureNoGuestUser.js'), - 'noCustomOwnerRoles' : require(__dirname + '/plugins/azure/activedirectory/noCustomOwnerRoles.js'), - 'appOrgnaizationalDirectoryAccess' : require(__dirname + '/plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.js'), + 'passwordRequiresLowercase' : require(__dirname + '/plugins/azure/entraid/passwordRequiresLowercase.js'), + 'passwordRequiresNumbers' : require(__dirname + '/plugins/azure/entraid/passwordRequiresNumbers.js'), + 'passwordRequiresSymbols' : require(__dirname + '/plugins/azure/entraid/passwordRequiresSymbols.js'), + 'passwordRequiresUppercase' : require(__dirname + '/plugins/azure/entraid/passwordRequiresUppercase.js'), + 'minPasswordLength' : require(__dirname + '/plugins/azure/entraid/minPasswordLength.js'), + 'ensureNoGuestUser' : require(__dirname + '/plugins/azure/entraid/ensureNoGuestUser.js'), + 'noCustomOwnerRoles' : require(__dirname + '/plugins/azure/entraid/noCustomOwnerRoles.js'), + 'appOrgnaizationalDirectoryAccess' : require(__dirname + '/plugins/azure/entraid/appOrgnaizationalDirectoryAccess.js'), 'dbAuditingEnabled' : 
require(__dirname + '/plugins/azure/sqldatabases/dbAuditingEnabled.js'), 'dbDataMaskingEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbDataMaskingEnabled.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 9388c0157f..469e3ea9c4 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -260,21 +260,21 @@ var serviceMap = { BridgeCollectionService: 'wafpolicies', DataIdentifier: 'data', } ], - 'Active Directory': [ + 'Entra ID': [ { enabled: true, isSingleSource: true, InvAsset: 'activeDirectory', InvService: 'activeDirectory', InvResourceCategory: 'cloud_resources', InvResourceType: 'Roles', BridgeServiceName: 'roledefinitions', - BridgePluginCategoryName: 'Active Directory', BridgeProvider: 'Azure', BridgeCall: 'list', + BridgePluginCategoryName: 'Entra ID', BridgeProvider: 'Azure', BridgeCall: 'list', BridgeArnIdentifier: '', BridgeIdTemplate: '', BridgeResourceType: 'roleDefinitions', - BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Active Directory', + BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Entra ID', BridgeCollectionService: 'roledefinitions', DataIdentifier: 'data', }, { enabled: true, isSingleSource: true, InvAsset: 'activeDirectory', InvService: 'activeDirectory', InvResourceCategory: 'cloud_resources', InvResourceType: 'Application', BridgeServiceName: 'applications', - BridgePluginCategoryName: 'Active Directory', BridgeProvider: 'Azure', BridgeCall: 'list', + BridgePluginCategoryName: 'Entra ID', BridgeProvider: 'Azure', BridgeCall: 'list', BridgeArnIdentifier: '', BridgeIdTemplate: '', BridgeResourceType: '', - BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Active Directory', + BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Entra ID', BridgeCollectionService: 'applications', DataIdentifier: 'data', } ] 
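Review bot: Renaming the serviceMap key and the `BridgePluginCategoryName`/`BridgeExecutionService` values from 'Active Directory' to 'Entra ID' in helpers/azure/api.js changes strings that downstream consumers of scan output (category filters, integration bridges, suppression rules) may match on, while `InvAsset`/`InvService` on the same entries stay 'activeDirectory', so the rename is only partial and the mismatch looks accidental to a reader. If the old category name is part of an external contract, a comment on the map entry such as `// Category renamed from 'Active Directory'; InvAsset/InvService keep the legacy 'activeDirectory' identifier` would stop the next maintainer from "fixing" one half, and the rename deserves a changelog line. The two `sendIntegration: serviceMap['Entra ID'][…]` lookups later in the file were updated consistently; any other `serviceMap['Active Directory']` reference outside these hunks would now resolve to undefined, so a repository-wide grep for the old key before merging seems worthwhile. The serviceMap object starts and ends outside the hunk.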
@@ -486,7 +486,7 @@ var calls = { list: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01' }, - sendIntegration: serviceMap['Active Directory'][0] + sendIntegration: serviceMap['Entra ID'][0] }, managementLocks: { listAtSubscriptionLevel: { @@ -519,7 +519,7 @@ var calls = { url: 'https://graph.microsoft.com/v1.0/applications/', graph: true, }, - sendIntegration: serviceMap['Active Directory'][1] + sendIntegration: serviceMap['Entra ID'][1] }, automationAccounts: { list: { diff --git a/plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.js b/plugins/azure/entraid/appOrgnaizationalDirectoryAccess.js similarity index 88% rename from plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.js rename to plugins/azure/entraid/appOrgnaizationalDirectoryAccess.js index c0c9f6afaf..1e3484184a 100644 --- a/plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.js +++ b/plugins/azure/entraid/appOrgnaizationalDirectoryAccess.js 
@@ -3,12 +3,12 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Azure AD App Organizational Directory Access', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Medium', - description: 'Ensures that Azure Active Directory applications are accessible to accounts in organisational directory only.', + description: 'Ensures that Azure Entra ID applications are accessible to accounts in organisational directory only.', more_info: 'AAD provides different types of account access. By using single-tenant authentication, the impact gets limited to the application’s tenant i.e. all users from the same tenant could connect to the application and save app from unauthorised access.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/develop/single-and-multi-tenant-apps', + link: 'https://learn.microsoft.com/en-us/entra/identity-platform/single-and-multi-tenant-apps', recommended_action: 'Modify the Azure app authentication setting and provide access to accounts in organisational directory only', apis: ['applications:list'], diff --git a/plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.spec.js b/plugins/azure/entraid/appOrgnaizationalDirectoryAccess.spec.js similarity index 100% rename from plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.spec.js rename to plugins/azure/entraid/appOrgnaizationalDirectoryAccess.spec.js diff --git a/plugins/azure/activedirectory/ensureNoGuestUser.js b/plugins/azure/entraid/ensureNoGuestUser.js similarity index 91% rename from plugins/azure/activedirectory/ensureNoGuestUser.js rename to plugins/azure/entraid/ensureNoGuestUser.js index 13afc564e4..d275e0febb 100644 --- a/plugins/azure/activedirectory/ensureNoGuestUser.js +++ b/plugins/azure/entraid/ensureNoGuestUser.js 
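Review bot: The updated `description` in appOrgnaizationalDirectoryAccess.js says 'Azure Entra ID', but the product is named Microsoft Entra ID, and the unchanged `title` ('Azure AD App …') and `more_info` ('AAD provides …') on adjacent lines still use the old name, so the plugin metadata now mixes three names for the same service. Suggest `description: 'Ensures that Microsoft Entra ID applications are accessible to accounts in organisational directory only.',` and, if a full rename is the intent, the same treatment for the title and more_info lines; the docs/azure.md hunk uses the same 'Azure Entra ID' wording. The enclosing module.exports object continues outside the hunk.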
@@ -3,13 +3,13 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Ensure No Guest User', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Medium', description: 'Ensures that there are no guest users in the subscription', more_info: 'Guest users are usually users that are invited from outside the company structure, these users are not part of the onboarding/offboarding process and could be overlooked, causing security vulnerabilities.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator', - recommended_action: 'Remove all guest users unless they are required to be members of the Active Directory account.', + link: 'https://learn.microsoft.com/en-us/entra/external-id/add-users-administrator', + recommended_action: 'Remove all guest users unless they are required to be members of the Entra ID account.', apis: ['users:list'], run: function(cache, settings, callback) { diff --git a/plugins/azure/activedirectory/ensureNoGuestUser.spec.js b/plugins/azure/entraid/ensureNoGuestUser.spec.js similarity index 100% rename from plugins/azure/activedirectory/ensureNoGuestUser.spec.js rename to plugins/azure/entraid/ensureNoGuestUser.spec.js diff --git a/plugins/azure/activedirectory/minPasswordLength.js b/plugins/azure/entraid/minPasswordLength.js similarity index 87% rename from plugins/azure/activedirectory/minPasswordLength.js rename to plugins/azure/entraid/minPasswordLength.js index db9f98d394..b02b799ae3 100644 --- a/plugins/azure/activedirectory/minPasswordLength.js +++ b/plugins/azure/entraid/minPasswordLength.js 
@@ -3,12 +3,12 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Minimum Password Length', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Low', description: 'Ensures that all Azure passwords require a minimum length', more_info: 'Azure handles most password policy settings, including the minimum password length, defaulted to 8 characters.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', + link: 'https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', recommended_action: 'No action necessary. Azure handles password requirement settings.', apis: ['resources:list'], diff --git a/plugins/azure/activedirectory/noCustomOwnerRoles.js b/plugins/azure/entraid/noCustomOwnerRoles.js similarity index 99% rename from plugins/azure/activedirectory/noCustomOwnerRoles.js rename to plugins/azure/entraid/noCustomOwnerRoles.js index 5c7962b7e3..a6c6a0cf6f 100644 --- a/plugins/azure/activedirectory/noCustomOwnerRoles.js +++ b/plugins/azure/entraid/noCustomOwnerRoles.js @@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'No Custom Owner Roles', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Medium', description: 'Ensures that no custom owner roles exist.', diff --git a/plugins/azure/activedirectory/noCustomOwnerRoles.spec.js b/plugins/azure/entraid/noCustomOwnerRoles.spec.js similarity index 100% rename from plugins/azure/activedirectory/noCustomOwnerRoles.spec.js rename to plugins/azure/entraid/noCustomOwnerRoles.spec.js 
diff --git a/plugins/azure/activedirectory/passwordRequiresLowercase.js b/plugins/azure/entraid/passwordRequiresLowercase.js similarity index 88% rename from plugins/azure/activedirectory/passwordRequiresLowercase.js rename to plugins/azure/entraid/passwordRequiresLowercase.js index be1f298bf9..bfa1183dd8 100644 --- a/plugins/azure/activedirectory/passwordRequiresLowercase.js +++ b/plugins/azure/entraid/passwordRequiresLowercase.js @@ -3,12 +3,12 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Password Requires Lowercase', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Low', description: 'Ensures that all Azure passwords require lowercase characters', more_info: 'Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', + link: 'https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', recommended_action: 'No action necessary. Azure handles password requirement settings.', apis: ['resources:list'], diff --git a/plugins/azure/activedirectory/passwordRequiresNumbers.js b/plugins/azure/entraid/passwordRequiresNumbers.js similarity index 88% rename from plugins/azure/activedirectory/passwordRequiresNumbers.js rename to plugins/azure/entraid/passwordRequiresNumbers.js index 3606f5d448..d153673854 100644 --- a/plugins/azure/activedirectory/passwordRequiresNumbers.js +++ b/plugins/azure/entraid/passwordRequiresNumbers.js 
@@ -3,12 +3,12 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Password Requires Numbers', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Low', description: 'Ensures that all Azure passwords require numbers', more_info: 'Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', + link: 'https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', recommended_action: 'No action necessary. Azure handles password requirement settings.', apis: ['resources:list'], diff --git a/plugins/azure/activedirectory/passwordRequiresSymbols.js b/plugins/azure/entraid/passwordRequiresSymbols.js similarity index 90% rename from plugins/azure/activedirectory/passwordRequiresSymbols.js rename to plugins/azure/entraid/passwordRequiresSymbols.js index 91ea294532..8efe66a3c3 100644 --- a/plugins/azure/activedirectory/passwordRequiresSymbols.js +++ b/plugins/azure/entraid/passwordRequiresSymbols.js 
@@ -8,7 +8,7 @@ module.exports = { severity: 'Low', description: 'Ensures that all Azure passwords require symbol characters', more_info: 'Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', + link: 'Entra ID', recommended_action: 'No action necessary. Azure handles password requirement settings.', apis: ['resources:list'], diff --git a/plugins/azure/activedirectory/passwordRequiresUppercase.js b/plugins/azure/entraid/passwordRequiresUppercase.js similarity index 88% rename from plugins/azure/activedirectory/passwordRequiresUppercase.js rename to plugins/azure/entraid/passwordRequiresUppercase.js index 5dd2b90e4e..c5c4f71fdd 100644 --- a/plugins/azure/activedirectory/passwordRequiresUppercase.js +++ b/plugins/azure/entraid/passwordRequiresUppercase.js 
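Review bot: The new `link` value in passwordRequiresSymbols.js is the literal string 'Entra ID' rather than a URL, so the plugin loses its documentation reference; every sibling plugin in this patch (minPasswordLength, passwordRequiresLowercase, passwordRequiresNumbers, passwordRequiresUppercase) points to `link: 'https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts',` and this file should too. The diffstat shows this file changed only one line where its siblings changed two, so it looks as though the 'Entra ID' replacement meant for the `category` field (line 5, outside this hunk, which starts at line 8) landed on the `link` line instead; if so, the plugin still carries `category: 'Active Directory'` and will not group with the other plugins under the renamed serviceMap key — worth confirming against the full file. The enclosing module.exports object starts and ends outside the hunk.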
@@ -3,12 +3,12 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Password Requires Uppercase', - category: 'Active Directory', + category: 'Entra ID', domain: 'Identity and Access Management', severity: 'Low', description: 'Ensures that all Azure passwords require uppercase characters', more_info: 'Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers.', - link: 'https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', + link: 'https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts', recommended_action: 'No action necessary. Azure handles password requirement settings.', apis: ['resources:list'],