Skip to main content

azure_active_directory_domain_services resource

Use the azure_active_directory_domain_services InSpec audit resource to test the properties of some or all Azure Active Directory domains within a tenant.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

An azure_active_directory_domain_services resource block returns all Azure Active Directory domains contained within the configured tenant and then tests that group of domains.

describe azure_active_directory_domain_services do
  #...
end

Parameters

The following parameters can be passed for targeting specific domains.

filter
A hash containing the filtering options and their values. The starts_with_ operator can be used for fuzzy string matching. Parameter names are in the snake case.

For example, { starts_with_given_name: 'J', starts_with_department: 'Core', country: 'United Kingdom', given_name: John}

filter_free_text
OData query string in double quotes, ".

Property names are in camel case. For more information, refer to Microsoft’s query parameters documentation.

For example, "startswith(displayName,'J') and surname eq 'Doe'" or "userType eq 'Guest'"

It is advised to use these parameters to narrow down the targeted resources at the server side, Azure Graph API, for a more efficient test.

Properties

ids
A list of fully qualified names of the domain.

Field: id

authentication_types
A list of the configured authentication types for the domain.

Field: authenticationType

availability_statuses
A list of domain entities when verify action is set.

Field: availabilityStatus

is_admin_manageds
A list of admin-managed configurations.

Field: isAdminManaged

is_defaults
A list of flags to indicate if they are default domains.

Field: isDefault

is_initials
A list of flags to indicate if they are initial domains created by Microsoft Online Services.

Field: isInitial

is_roots
A list of flags to indicate if they are verified root domains.

Field: isRoot

is_verifieds
A list of flags to indicate if the domains have completed domain ownership verification.

Field: isVerified

password_notification_window_in_days
A list of password notification window days.

Field: passwordNotificationWindowInDays

password_validity_period_in_days
A list of password validity periods in days.

Field: passwordValidityPeriodInDays

supported_services
A list of capabilities assigned to the domain.

Field: supportedServices

states
A list of asynchronous operations scheduled.

Field: state

Note

For information on using filter criteria on plural resources, see the documentation on FilterTable

Examples

The following examples show how to use this InSpec audit resource.

Check domains with some filtering parameters applied at the server side using ‘filter’:

describe azure_active_directory_domain_services(filter: {authenticationType: "authenticationType-value"}) do
  it { should exist }
end

Check domains with some filtering parameters applied at the server side using ‘filter_free_text’:

describe azure_active_directory_domain_services(filter_free_text: "startswith(authenticationType,'authenticationType-value')") do
  it { should exist }
end

Test to ensure there are supported services using client-side filtering:

describe azure_active_directory_domain_services.supportedServices do
  it { should_not exist }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exists

The control passes if the filter returns at least one result. Use should_not if you expect zero matches.

describe azure_active_directory_domain_services do
  it { should_not exist }
end

Azure permissions

Graph resources require specific privileges granted to your service principal. Please refer to the Microsoft Documentation for information on how to grant these permissions to your application.

Thank you for your feedback!

×