Update Purview Premium assessment to check status for all users #88
Comments
My initial sense is that we demote to a should for now given the tradeoffs.
@gdasher Demoting to a SHOULD addresses the policy question, but still leaves it in a difficult state for automating assessment due to the per user nature of the check. Even at a SHOULD, we cannot at this time automate the assessment without serious impact to the time and space required to automatically assess for all users in a tenant with large tenants (wrt users). So the other question here is should we add a policy to the baseline that cannot be easily assessed automatically?
I believe it's no worse than the status quo situation. We have several policies that can't be easily assessed automatically. This one is particularly egregious though and hard for agencies to implement if they aren't in a position to script it. Ok, on re-evaluating, I'm ok with removing this one from the baselines until/unless Microsoft adds a tenant level setting to enable.
Based on the previous answer, should this issue be closed as won't fix for now? As I believe there's no further action to take wrt AAD baseline policy.
I think the action is to remove this from the baseline, right? I'm not tracking if it's there or not.
@gdasher There are currently audit related items from the baseline, but this particular question is around specifically enabling some custom audit items that are only available if Purview Premium is enabled. The implementation details for said implementation are in dependent issue #308. So there is no removal necessary, we would simply close that issue as a won't fix or push to the backlog for re-evaluation at a future date as the action.
Waiting on final disposition based on continuing conversations within CISA regarding auditing.
@gdasher Any updates on final disposition of including advanced auditing in the baselines?
Update from @gdasher indicated that advanced auditing enablement remains in the baselines as a SHALL and that the specific advanced audit items for EXO and SharePoint be a SHOULD item. Currently investigating a possible mechanism for validating these settings with Rego in a performant way.
Note that the following command allows for server-side filtering and returns a count of users in a tenant who have the Advanced Auditing license assigned to them. Can use this compared to full user count to determine if any users are missing from advanced auditing, or you can negate the equality below to get a count of those without.

```powershell
Get-MgBetaUser -Filter "assignedPlans/any(a:a/servicePlanId eq 2f442157-a11c-46b9-ae5b-6e39ff4e5849 and a/capabilityStatus eq 'Enabled')" -ConsistencyLevel eventual -Count userCount -All
```

This command will return all matching users and set the PowerShell variable
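
One way to script the comparison described in the comment above, as an added example that is not part of the thread or the project's own code. It assumes the Microsoft.Graph.Beta.Users module, an existing `Connect-MgGraph` session with directory read access, and that the count variable reflects every match regardless of `-Top`; the variable names are illustrative.

```powershell
# Added example: compare the server-side count of users holding the
# Advanced Auditing service plan against the total user count.
# Assumes: Connect-MgGraph -Scopes 'User.Read.All' has already been run.

# Service plan ID and filter as quoted in the comment above.
$planId = '2f442157-a11c-46b9-ae5b-6e39ff4e5849'
$filter = "assignedPlans/any(a:a/servicePlanId eq $planId and a/capabilityStatus eq 'Enabled')"

# -Top 1 keeps the response small; only the count variable is used.
# (Assumption: the count covers all matches, not just the returned page.)
$null = Get-MgBetaUser -Filter $filter -ConsistencyLevel eventual `
    -CountVariable licensedCount -Top 1 -Property id

# Total user objects in the tenant. This includes guests and any account
# that would never receive the plan, so narrow it if the policy scope differs.
$null = Get-MgBetaUser -ConsistencyLevel eventual `
    -CountVariable totalCount -Top 1 -Property id

$missing = [int]$totalCount - [int]$licensedCount

# Emit one object an assessment script can consume.
[pscustomobject]@{
    TotalUsers           = [int]$totalCount
    AdvancedAuditEnabled = [int]$licensedCount
    MissingAdvancedAudit = $missing
    AllUsersCovered      = ($missing -eq 0)
}
```

Because both counts are computed server-side, the cost does not grow with the number of user objects returned, which is the concern raised earlier in the thread about large tenants.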
💡 Summary
Recap of this issue where we discovered the advanced audit log for the UAL (renamed to Purview Premium) is enabled on a per-user basis. Each user must also be assigned at minimum an E5/G5 license. Currently in the baseline policy we have 'advanced audit logging SHALL be enabled'. OMB M-21-31, as noted in the baseline policy, also requires that advanced audit logging be turned on. #308 covers the same topic in the SharePoint baseline.
Reposting several points made from the previous issues:
What are the cons:
What are the benefits:
Questions to CISA
(Initial Issue text)
Follow-up to issue #200, where we discovered that advanced audit is enabled on a per-user basis, not tenant-wide (TL;DR: we decided to not implement the rego check for the alpha but to reassess the requirement for the MVP).
The cons of advanced audit are pretty self-evident now.
What are the benefits? Do they outweigh the cons?
Since this issue was originally created, Microsoft has indicated a change to which events are going to be made available as part of Purview Standard vs Purview Premium. As a result, a careful review of individual audit items needs to be done to determine what specific audit items should be included in the baseline. Regardless, advanced audit (Premium) checks are still desirable.