Product logo
DocsBlogPricing

Policy types for @turbot/azure-activedirectory

Azure > Active Directory > Application > CMDB

Configure whether to record and synchronize details for the Azure active directory application into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-activedirectory#/policy/types/applicationCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Active Directory > Client Secret > Active


The control determines whether the resource is in active use. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (`Azure > Active Directory > Client Secret > Active > *`) and raises an alarm. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

See [Active](https://turbot.com/v5/docs/concepts/guardrails/active) for more information.
URI
tmod:@turbot/azure-activedirectory#/policy/types/clientSecretActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Active Directory > Client Secret > Active > Age

The age after which the Azure Active Directory client secret
is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active
control determines whether the resource is in active use. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Active Directory > Client Secret > Active > *) and
raises an alarm. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

See Active for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/clientSecretActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Active Directory > Client Secret > Approved

Determine the action to take when an Azure Active Directory client secret is not approved based on Azure > Active Directory > Client Secret > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.

See Approved for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/clientSecretApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Active Directory > Client Secret > Approved > Custom

Determine whether the Azure Active Directory client secret is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory client secret is not approved, it will be subject to the action specified in the Azure > Active Directory > Client Secret > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-activedirectory#/policy/types/clientSecretApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Active Directory > Client Secret > Approved > Usage

Determine whether the Azure Active Directory client secret is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Active Directory client secret is not approved, it will be subject to the action specified in the Azure > Active Directory > Client Secret > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/clientSecretApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved"
}

Azure > Active Directory > Client Secret > CMDB

Configure whether to record and synchronize details for the Azure Active Directory client secret into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-activedirectory#/policy/types/clientSecretCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Active Directory > Custom Domain > Approved


The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.

See [Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) for more information.
URI
tmod:@turbot/azure-activedirectory#/policy/types/customDomainApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Active Directory > Custom Domain > Approved > Usage

Determine whether the Azure Active Directory custom domain is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Active Directory custom domain is not approved, it will be subject to the action specified in the Azure > Active Directory > Custom Domain > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/customDomainApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved"
}

Azure > Active Directory > Custom Domain > CMDB

Configure whether to record and synchronize details for the Azure Active Directory custom domain into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-activedirectory#/policy/types/customDomainCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Active Directory > Directory > CMDB

Configure whether to record and synchronize details for Azure AD into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

Note that if CMDB is set to Skip for a resource, then it will not be added to the CMDB, and no controls that target it will run.

URI
tmod:@turbot/azure-activedirectory#/policy/types/directoryCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Active Directory > Group > CMDB

Configure whether to record and synchronize details for the Azure active directory group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-activedirectory#/policy/types/groupCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Active Directory > Service Principal > CMDB

Configure whether to record and synchronize details for the Azure Active Directory service principal into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-activedirectory#/policy/types/servicePrincipalCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Active Directory > User > Approved

Determine the action to take when an Azure Active Directory user is not approved based on Azure > Active Directory > User > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/userApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Active Directory > User > Approved > Custom

Determine whether the Azure Active Directory user is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory user is not approved, it will be subject to the action specified in the Azure > Active Directory > User > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-activedirectory#/policy/types/userApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Active Directory > User > Approved > Usage

Determine whether the Azure Active Directory user is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Active Directory user is not approved, it will be subject to the action specified in the Azure > Active Directory > User > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/userApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved"
}

Azure > Active Directory > User > Approved > User Types

Determine whether the Azure Active Directory user type is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure active directory user is not approved, it will be subject to the action specified in the Azure > Active Directory > User > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-activedirectory#/policy/types/userApprovedUserTypes
Category
Parent
Targets
Schema
{
  "type": "array",
  "items": {
    "type": "string",
    "enum": [
      "Guest",
      "Member"
    ]
  },
  "default": [
    "Guest",
    "Member"
  ]
}

Azure > Active Directory > User > CMDB

Configure whether to record and synchronize details for the Azure active directory user into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-activedirectory#/policy/types/userCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

Azure > Turbot > Directory Event Poller

Configure the Azure Directory Event Poller. When set to Enabled, the poller will
run at the interval specified to retrieve the latest events and forward
them to the Turbot Router.

URI
tmod:@turbot/azure-activedirectory#/policy/types/eventPoller
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "default": "Enabled"
}

Azure > Turbot > Directory Event Poller > Interval

The polling interval. This policy determines how often the event poller will run.

URI
tmod:@turbot/azure-activedirectory#/policy/types/eventPollerInterval
Category
Parent
Targets
Valid Value
[
  "Every 1 minute",
  "Every 2 minutes",
  "Every 3 minutes",
  "Every 4 minutes",
  "Every 5 minutes",
  "Every 6 minutes",
  "Every 7 minutes",
  "Every 8 minutes",
  "Every 9 minutes",
  "Every 10 minutes"
]
Schema
{
  "type": "string",
  "enum": [
    "Every 1 minute",
    "Every 2 minutes",
    "Every 3 minutes",
    "Every 4 minutes",
    "Every 5 minutes",
    "Every 6 minutes",
    "Every 7 minutes",
    "Every 8 minutes",
    "Every 9 minutes",
    "Every 10 minutes"
  ],
  "default": "Every 2 minutes"
}

Azure > Turbot > Directory Event Poller > Window

The polling window, in minutes. This policies determines the oldest
events the event poller will retrieve. For example, setting the window
to '5 minutes' will cause the poller to retrieve all events from
the previous 5 minutes every time it runs.

The Window must be greater than the Interval, and it is recommended
to be at least twice the Interval. For example, if the Interval
is 'Every 5 Minutes', the Window should be at least '10 Minutes'.

URI
tmod:@turbot/azure-activedirectory#/policy/types/eventPollerWindow
Category
Parent
Targets
Valid Value
[
  "5 minutes",
  "6 minutes",
  "7 minutes",
  "8 minutes",
  "9 minutes",
  "10 minutes",
  "11 minutes",
  "12 minutes",
  "13 minutes",
  "14 minutes",
  "15 minutes",
  "16 minutes",
  "17 minutes",
  "18 minutes",
  "19 minutes",
  "20 minutes",
  "30 minutes",
  "40 minutes"
]
Schema
{
  "type": "string",
  "enum": [
    "5 minutes",
    "6 minutes",
    "7 minutes",
    "8 minutes",
    "9 minutes",
    "10 minutes",
    "11 minutes",
    "12 minutes",
    "13 minutes",
    "14 minutes",
    "15 minutes",
    "16 minutes",
    "17 minutes",
    "18 minutes",
    "19 minutes",
    "20 minutes",
    "30 minutes",
    "40 minutes"
  ],
  "default": "10 minutes"
}