From 1fb337a408e4b89da274626b45a0a74fcc7a9b31 Mon Sep 17 00:00:00 2001 From: William Yip Date: Thu, 30 Apr 2026 16:40:43 +1000 Subject: [PATCH 1/4] Add Rego policies for CIS 5.1.4.2, 5.1.4.3, and 5.1.4.4 All three controls use the existing device_registration_policy collector (/policies/deviceRegistrationPolicy beta endpoint). The metadata for 5.1.4.2-5.1.4.4 previously referenced entra.devices.device_management_settings which does not expose the relevant fields; corrected to entra.devices.device_registration_policy. 5.1.4.2 - checks userDeviceQuota > 0 (0 treated as unlimited) 5.1.4.3 - checks azureADJoin.localAdministratorsConfiguration.enableGlobalAdmins == false 5.1.4.4 - checks azureADJoin.localAdministratorsConfiguration.registeringUsers == notAllowed The localAdministratorsConfiguration fields are beta-only and may be absent on older tenants; the policy returns a clear non-compliant message in that case. Made-with: Cursor --- .../v6.0.0/controls.md | 6 +-- .../devices/device_registration_policy.py | 24 ++++----- ...1.4.2_limit_device_registration_quota.rego | 47 +++++++++++++++++ .../5.1.4.3_ga_not_local_admin_on_join.rego | 50 +++++++++++++++++++ .../5.1.4.4_limit_local_admin_on_join.rego | 50 +++++++++++++++++++ .../v6.0.0/metadata.json | 30 +++++------ 6 files changed, 174 insertions(+), 33 deletions(-) create mode 100644 engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego create mode 100644 engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego create mode 100644 engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego diff --git a/docs/engine/policies/cis/microsoft-365-foundations/v6.0.0/controls.md b/docs/engine/policies/cis/microsoft-365-foundations/v6.0.0/controls.md index 2c6f0ce64..805f47d16 100644 --- a/docs/engine/policies/cis/microsoft-365-foundations/v6.0.0/controls.md 
+++ b/docs/engine/policies/cis/microsoft-365-foundations/v6.0.0/controls.md 
@@ -126,9 +126,9 @@ This document provides a comprehensive overview of all 140 controls in the CIS M | 5.1.3.1 | L1 | Ensure a dynamic group for guest users is created | Automated | Not Started | `entra.groups.groups` | Not Started | Collector exists but control logic not defined | | 5.1.3.2 | L1 | Ensure users cannot create security groups | Automated | Automated | `entra.policies.authorization_policy` | Implemented | Check allowedToCreateSecurityGroups | | 5.1.4.1 | L2 | Ensure the ability to join devices to Entra is restricted | Automated | Automated | `entra.devices.device_registration_policy` | Implemented | | -| 5.1.4.2 | L1 | Ensure the maximum number of devices per user is limited | Automated | Automated | `entra.devices.device_management_settings` | Implemented | | -| 5.1.4.3 | L1 | Ensure the GA role is not added as a local administrator during Entra join | Automated | Automated | `entra.devices.device_management_settings` | Implemented | | -| 5.1.4.4 | L1 | Ensure local administrator assignment is limited during Entra join | Automated | Automated | `entra.devices.device_management_settings` | Implemented | | +| 5.1.4.2 | L1 | Ensure the maximum number of devices per user is limited | Automated | Automated | `entra.devices.device_registration_policy` | Implemented | `userDeviceQuota > 0`; 0 treated as unlimited | +| 5.1.4.3 | L1 | Ensure the GA role is not added as a local administrator during Entra join | Automated | Automated | `entra.devices.device_registration_policy` | Implemented | `azureADJoin.localAdministratorsConfiguration.enableGlobalAdmins == false`; field may be absent on older tenants | +| 5.1.4.4 | L1 | Ensure local administrator assignment is limited during Entra join | Automated | Automated | `entra.devices.device_registration_policy` | Implemented | `azureADJoin.localAdministratorsConfiguration.registeringUsers == notAllowed` | | 5.1.4.5 | L1 | Ensure Local Administrator Password Solution is enabled | Automated | Not Started | | Not 
Started | Need LAPS configuration collector | | 5.1.4.6 | L2 | Ensure users are restricted from recovering BitLocker keys | Automated | Automated | `entra.policies.authorization_policy` | Implemented | Check allowedToReadBitlockerKeysForOwnedDevice | | 5.1.5.1 | L2 | Ensure user consent to apps accessing company data on their behalf is not allowed | Automated | Automated | `entra.policies.authorization_policy` | Implemented | | diff --git a/engine/collectors/entra/devices/device_registration_policy.py b/engine/collectors/entra/devices/device_registration_policy.py index e4f8f6526..9d0c2a40c 100644 --- a/engine/collectors/entra/devices/device_registration_policy.py +++ b/engine/collectors/entra/devices/device_registration_policy.py 
@@ -15,29 +15,20 @@ class DeviceRegistrationPolicyDataCollector(BaseDataCollector):
- """Collects device registration policy for CIS compliance evaluation.
-
- This collector retrieves device join settings, LAPS configuration,
- and local admin assignment settings for compliance evaluation.
- """
+ """Collects device registration policy for CIS compliance evaluation."""
 async def collect(self, client: GraphClient) -> dict[str, Any]:
 """Collect device registration policy data.
 Returns:
- Dict containing:
- - device_registration_policy: The device registration policy
- - azure_ad_join_settings: Azure AD join configuration
- - local_admin_settings: Local admin assignment settings
- - laps_settings: LAPS configuration
+ Dict containing device join settings, quota, local admin config, and LAPS state.
 """
- # Get device registration policy
 policy = await client.get("/policies/deviceRegistrationPolicy", beta=True)
- # Extract key settings
- azure_ad_join = policy.get("azureADJoin", {})
- azure_ad_registration = policy.get("azureADRegistration", {})
- local_admin_password = policy.get("localAdminPassword", {})
+ azure_ad_join = policy.get("azureADJoin", {}) or {}
+ azure_ad_registration = policy.get("azureADRegistration", {}) or {}
+ local_admin_password = policy.get("localAdminPassword", {}) or {}
+ local_admins_config = azure_ad_join.get("localAdministratorsConfiguration", {}) or {}
 return {
 "device_registration_policy": policy,
@@ -51,4 +42,7 @@ async def collect(self, client: GraphClient) -> dict[str, Any]:
 "laps_enabled": local_admin_password.get("isEnabled"),
 "user_device_quota": policy.get("userDeviceQuota"),
 "multi_factor_auth_configuration": policy.get("multiFactorAuthConfiguration"),
+ "local_admins_config": local_admins_config,
+ "global_admins_enabled_on_join": local_admins_config.get("enableGlobalAdmins"),
+ "registering_users_local_admin": local_admins_config.get("registeringUsers"),
 }
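Review bot: The shortened `Returns:` docstring no longer names the keys the dict carries, so the three keys this commit adds (`local_admins_config`, `global_admins_enabled_on_join`, `registering_users_local_admin`) are only discoverable by reading the return literal; list each key with a one-line meaning and state that the two scalar keys are `None` when `azureADJoin` or its nested configuration is missing, since the `or {}` fallbacks make that the only way they end up unset. The `collect` method's body runs past the first hunk and the return literal begins before the second, so the full key list is not visible here.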
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego
new file mode 100644
index 000000000..f805cc2db
--- /dev/null
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego
@@ -0,0 +1,47 @@
+# METADATA
+# title: Ensure the maximum number of devices per user is limited
+# description: |
+# Setting an upper bound on device registrations per user reduces the attack
+# surface from compromised accounts and limits lateral movement via registered
+# devices. CIS recommends setting this to 5.
+# related_resources:
+# - ref: https://www.cisecurity.org/benchmark/microsoft_365
+# description: CIS Microsoft 365 Foundations Benchmark
+# custom:
+# control_id: CIS-5.1.4.2
+# framework: cis
+# benchmark: microsoft-365-foundations
+# version: v6.0.0
+# severity: medium
+# service: EntraID
+# requires_permissions:
+# - Policy.Read.DeviceConfiguration
+
+package cis.microsoft_365_foundations.v6_0_0.control_5_1_4_2
+
+import rego.v1
+
+default result := {
+ "compliant": false,
+ "message": "Evaluation failed: unable to retrieve device registration policy",
+ "details": {},
+}
+
+compliant := true if {
+ input.user_device_quota != null
+ input.user_device_quota > 0
+} else := false
+
+result := output if {
+ quota := input.user_device_quota
+ output := {
+ "compliant": compliant,
+ "message": build_message(quota),
+ "affected_resources": [],
+ "details": {"user_device_quota": quota},
+ }
+}
+
+build_message(q) := sprintf("Device registration quota is set to %d", [q]) if { q > 0 }
+build_message(0) := "Device registration quota is set to unlimited"
+build_message(null) := "Device registration quota is not configured"
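Review bot: `quota := input.user_device_quota` leaves the `result` rule undefined when the key is absent from the input document, so the policy then emits the default 'Evaluation failed: unable to retrieve device registration policy' even when the policy object was fetched; `quota := object.get(input, "user_device_quota", null)` routes an absent key to the existing 'not configured' message instead. The same direct reference appears as `ga_enabled := input.global_admins_enabled_on_join` in 5.1.4.3 and `reg_users := input.registering_users_local_admin` in 5.1.4.4, while both of those files already use `object.get` for `local_admins_config`. The collector in this series always sets the key, so this only matters for input produced by another path.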
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego
new file mode 100644
index 000000000..2c7614c47
--- /dev/null
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego
@@ -0,0 +1,50 @@
+# METADATA
+# title: Ensure the GA role is not added as a local administrator during Entra join
+# description: |
+# When a device joins Entra ID, automatically granting the Global Administrator
+# role local admin rights on that machine creates unnecessary privilege exposure.
+# The GA role should not be part of the local administrators configuration for
+# joined devices.
+# related_resources:
+# - ref: https://www.cisecurity.org/benchmark/microsoft_365
+# description: CIS Microsoft 365 Foundations Benchmark
+# custom:
+# control_id: CIS-5.1.4.3
+# framework: cis
+# benchmark: microsoft-365-foundations
+# version: v6.0.0
+# severity: medium
+# service: EntraID
+# requires_permissions:
+# - Policy.Read.DeviceConfiguration
+
+package cis.microsoft_365_foundations.v6_0_0.control_5_1_4_3
+
+import rego.v1
+
+default result := {
+ "compliant": false,
+ "message": "Evaluation failed: unable to retrieve device registration policy",
+ "details": {},
+}
+
+compliant := true if {
+ input.global_admins_enabled_on_join == false
+} else := false
+
+result := output if {
+ ga_enabled := input.global_admins_enabled_on_join
+ output := {
+ "compliant": compliant,
+ "message": build_message(ga_enabled),
+ "affected_resources": [],
+ "details": {
+ "global_admins_enabled_on_join": ga_enabled,
+ "local_admins_config": object.get(input, "local_admins_config", null),
+ },
+ }
+}
+
+build_message(false) := "Global Administrator role is not assigned local admin rights on Entra-joined devices"
+build_message(null) := "Unable to determine whether GA role is granted local admin rights on join; azureADJoin.localAdministratorsConfiguration not returned by API"
+build_message(true) := "Global Administrator role is configured as a local administrator on Entra-joined devices"
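Review bot: `build_message` only has clauses for `false`, `null` and `true`, so any other value of `global_admins_enabled_on_join` leaves `result` undefined and the default 'Evaluation failed: unable to retrieve device registration policy' is emitted, which blames retrieval for what is really an unexpected API value; `compliant` is already false in that case because the `== false` test does not match. Add a guarded catch-all after the three clauses, `build_message(v) := sprintf("Unexpected enableGlobalAdmins value: %v", [v]) if { not v in {true, false, null} }`, so the details stay populated and the message names the actual value. Whether the beta endpoint can return a non-boolean here is not established by this file.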
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
new file mode 100644
index 000000000..f0f395fb2
--- /dev/null
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
@@ -0,0 +1,50 @@
+# METADATA
+# title: Ensure local administrator assignment is limited during Entra join
+# description: |
+# By default, the user registering a device may be granted local administrator
+# rights on that device. Restricting this prevents standard users from gaining
+# local admin access simply by joining a machine to Entra ID.
+# related_resources:
+# - ref: https://www.cisecurity.org/benchmark/microsoft_365
+# description: CIS Microsoft 365 Foundations Benchmark
+# custom:
+# control_id: CIS-5.1.4.4
+# framework: cis
+# benchmark: microsoft-365-foundations
+# version: v6.0.0
+# severity: medium
+# service: EntraID
+# requires_permissions:
+# - Policy.Read.DeviceConfiguration
+
+package cis.microsoft_365_foundations.v6_0_0.control_5_1_4_4
+
+import rego.v1
+
+default result := {
+ "compliant": false,
+ "message": "Evaluation failed: unable to retrieve device registration policy",
+ "details": {},
+}
+
+compliant := true if {
+ input.registering_users_local_admin != null
+ lower(input.registering_users_local_admin) == "notallowed"
+} else := false
+
+result := output if {
+ reg_users := input.registering_users_local_admin
+ output := {
+ "compliant": compliant,
+ "message": build_message(reg_users),
+ "affected_resources": [],
+ "details": {
+ "registering_users_local_admin": reg_users,
+ "local_admins_config": object.get(input, "local_admins_config", null),
+ },
+ }
+}
+
+build_message(null) := "Unable to determine local admin assignment for registering users; azureADJoin.localAdministratorsConfiguration not returned by API"
+build_message(val) := "Registering users are not granted local administrator rights on Entra-joined devices" if { lower(val) == "notallowed" }
+build_message(val) := sprintf("Registering users are granted local admin rights on join (registeringUsers=%s)", [val])
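Review bot: `lower(val)` in the `compliant` rule and in the second `build_message` clause assumes `registering_users_local_admin` is a string; on any other non-null value `lower` is a type error, that clause is undefined, and the unconditional third clause reports the value as granting local admin rights, which is fail-closed but uninformative. Guard the string comparisons with `is_string(val)` and give non-string values their own message, e.g. `build_message(val) := sprintf("Unexpected registeringUsers value: %v", [val]) if { val != null; not is_string(val) }`, with `is_string(val)` added to the clauses that call `lower`. The later rewrites of `build_message` in patch 3 and patch 4 keep the same assumption, and the patch 2 collector passes a non-dict `registeringUsers` through unchanged, so the string type is not guaranteed by the collector shown here.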
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json b/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json
index c6c02e25a..3ef2ee709 100644
--- a/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json
@@ -766,11 +766,11 @@
 "level": "L1",
 "is_manual": false,
 "benchmark_audit_type": "Automated",
- "automation_status": "not_started",
- "data_collector_id": "entra.devices.device_management_settings",
- "policy_file": null,
- "requires_permissions": ["Policy.Read.All"],
- "notes": null
+ "automation_status": "ready",
+ "data_collector_id": "entra.devices.device_registration_policy",
+ "policy_file": "5.1.4.2_limit_device_registration_quota.rego",
+ "requires_permissions": ["Policy.Read.DeviceConfiguration"],
+ "notes": "Compliant when userDeviceQuota > 0; value of 0 treated as unlimited. CIS recommends setting this to 5."
 },
 {
 "control_id": "5.1.4.3",
@@ -781,11 +781,11 @@
 "level": "L1",
 "is_manual": false,
 "benchmark_audit_type": "Automated",
- "automation_status": "not_started",
- "data_collector_id": "entra.devices.device_management_settings",
- "policy_file": null,
- "requires_permissions": ["Policy.Read.All"],
- "notes": null
+ "automation_status": "ready",
+ "data_collector_id": "entra.devices.device_registration_policy",
+ "policy_file": "5.1.4.3_ga_not_local_admin_on_join.rego",
+ "requires_permissions": ["Policy.Read.DeviceConfiguration"],
+ "notes": "Uses azureADJoin.localAdministratorsConfiguration.enableGlobalAdmins from /policies/deviceRegistrationPolicy (beta). Field may be absent on older tenants; policy returns non-compliant with an explanatory message in that case."
 },
 {
 "control_id": "5.1.4.4",
@@ -796,11 +796,11 @@
 "level": "L1",
 "is_manual": false,
 "benchmark_audit_type": "Automated",
- "automation_status": "not_started",
- "data_collector_id": "entra.devices.device_management_settings",
- "policy_file": null,
- "requires_permissions": ["Policy.Read.All"],
- "notes": null
+ "automation_status": "ready",
+ "data_collector_id": "entra.devices.device_registration_policy",
+ "policy_file": "5.1.4.4_limit_local_admin_on_join.rego",
+ "requires_permissions": ["Policy.Read.DeviceConfiguration"],
+ "notes": "Uses azureADJoin.localAdministratorsConfiguration.registeringUsers from /policies/deviceRegistrationPolicy (beta). Compliant when value is notAllowed."
 },
 {
 "control_id": "5.1.4.5",
From 0ceaa458fddc4abf0044cc3b03ed8020703620ff Mon Sep 17 00:00:00 2001 From: William Yip Date: Mon, 11 May 2026 21:23:58 +1000 Subject: [PATCH 2/4] Fix device registration policy collector to use correct localAdmins key The API returns azureADJoin.localAdmins (not localAdministratorsConfiguration). Also maps registeringUsers @odata.type to a readable string so the 5.1.4.4 Rego policy can evaluate it correctly. Co-authored-by: Cursor --- .../entra/devices/device_registration_policy.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/engine/collectors/entra/devices/device_registration_policy.py b/engine/collectors/entra/devices/device_registration_policy.py
index 9d0c2a40c..8c3bce662 100644
--- a/engine/collectors/entra/devices/device_registration_policy.py
+++ b/engine/collectors/entra/devices/device_registration_policy.py
@@ -28,7 +28,19 @@ async def collect(self, client: GraphClient) -> dict[str, Any]:
 azure_ad_join = policy.get("azureADJoin", {}) or {}
 azure_ad_registration = policy.get("azureADRegistration", {}) or {}
 local_admin_password = policy.get("localAdminPassword", {}) or {}
- local_admins_config = azure_ad_join.get("localAdministratorsConfiguration", {}) or {}
+ local_admins_config = azure_ad_join.get("localAdmins", {}) or {}
+
+ reg_users_raw = local_admins_config.get("registeringUsers")
+ if isinstance(reg_users_raw, dict):
+ odata_type = reg_users_raw.get("@odata.type", "")
+ if "noDeviceRegistrationMembership" in odata_type:
+ registering_users_local_admin: str | None = "notAllowed"
+ elif "allDeviceRegistrationMembership" in odata_type:
+ registering_users_local_admin = "allowed"
+ else:
+ registering_users_local_admin = odata_type or None
+ else:
+ registering_users_local_admin = reg_users_raw
 return {
 "device_registration_policy": policy,
@@ -44,5 +56,5 @@ async def collect(self, client: GraphClient) -> dict[str, Any]:
 "multi_factor_auth_configuration": policy.get("multiFactorAuthConfiguration"),
 "local_admins_config": local_admins_config,
 "global_admins_enabled_on_join": local_admins_config.get("enableGlobalAdmins"),
- "registering_users_local_admin": local_admins_config.get("registeringUsers"),
+ "registering_users_local_admin": registering_users_local_admin,
 }
From 80d80e3487d92d457096218e3430b761323a5c00 Mon Sep 17 00:00:00 2001 From: William Yip Date: Mon, 11 May 2026 22:00:05 +1000 Subject: [PATCH 3/4] Fix Rego policies for 5.1.4.3 and 5.1.4.4 Update 5.1.4.3 null message to reference correct localAdmins API key. Fix 5.1.4.4 build_message conflict by adding mutual exclusion guards to prevent both rules firing when val equals notallowed. Co-authored-by: Cursor --- .../v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego | 2 +- .../v6.0.0/5.1.4.4_limit_local_admin_on_join.rego | 12 +++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-)
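Review bot: A `registeringUsers` object with no (or an empty) `@odata.type` ends up as `None` through `odata_type or None`, and the 5.1.4.4 policy then reports that `azureADJoin.localAdmins` was not returned by the API although the object was present; keeping the empty string, or a constructed marker such as `"unknown"`, for that branch lets the policy stay non-compliant while reporting the real cause. The substring tests `in odata_type` also accept any type name containing those fragments, which is presumably meant to tolerate a namespace prefix and deserves a one-line comment saying so. As a point of style, `registering_users_local_admin: str | None = "notAllowed"` annotates the variable inside one branch; initialise it once before the `if` (`registering_users_local_admin: str | None = reg_users_raw`) and assign plainly in the branches, which also makes the outer `else` arm unnecessary. The enclosing `collect` method begins before the hunk.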
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego
index 2c7614c47..b69a42785 100644
--- a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.3_ga_not_local_admin_on_join.rego
@@ -46,5 +46,5 @@ result := output if {
 }
 build_message(false) := "Global Administrator role is not assigned local admin rights on Entra-joined devices"
-build_message(null) := "Unable to determine whether GA role is granted local admin rights on join; azureADJoin.localAdministratorsConfiguration not returned by API"
+build_message(null) := "Unable to determine whether GA role is granted local admin rights on join; azureADJoin.localAdmins not returned by API"
 build_message(true) := "Global Administrator role is configured as a local administrator on Entra-joined devices"
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
index f0f395fb2..368303102 100644
--- a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
@@ -45,6 +45,12 @@ result := output if {
 }
 }
-build_message(null) := "Unable to determine local admin assignment for registering users; azureADJoin.localAdministratorsConfiguration not returned by API"
-build_message(val) := "Registering users are not granted local administrator rights on Entra-joined devices" if { lower(val) == "notallowed" }
-build_message(val) := sprintf("Registering users are granted local admin rights on join (registeringUsers=%s)", [val])
+build_message(null) := "Unable to determine local admin assignment for registering users; azureADJoin.localAdmins not returned by API"
+build_message(val) := "Registering users are not granted local administrator rights on Entra-joined devices" if {
+ val != null
+ lower(val) == "notallowed"
+}
+build_message(val) := sprintf("Registering users are granted local admin rights on join (registeringUsers=%s)", [val]) if {
+ val != null
+ lower(val) != "notallowed"
+}
From 17e99fdd09c888a61925eae4bad9e2b58ef65693 Mon Sep 17 00:00:00 2001 From: William Yip Date: Tue, 12 May 2026 22:36:07 +1000 Subject: [PATCH 4/4] Address reviewer feedback for CIS 5.1.4.2 and 5.1.4.4 5.1.4.2: tighten quota check to require userDeviceQuota <= 20 per CIS v6.0.0; update build_message to use else-chain and distinguish compliant vs over-limit values; update metadata notes to reflect 20-or-less rule. 5.1.4.4: refactor build_message to a single else-chain rule to guarantee mutual exclusivity and eliminate any eval_conflict_error. Co-authored-by: Cursor --- .../5.1.4.2_limit_device_registration_quota.rego | 11 ++++++++--- .../v6.0.0/5.1.4.4_limit_local_admin_on_join.rego | 12 ++++-------- .../microsoft-365-foundations/v6.0.0/metadata.json | 2 +- 3 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego
index f805cc2db..bc9225d24 100644
--- a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.2_limit_device_registration_quota.rego
@@ -30,6 +30,7 @@ default result := {
 compliant := true if {
 input.user_device_quota != null
 input.user_device_quota > 0
+ input.user_device_quota <= 20
 } else := false
 result := output if {
@@ -42,6 +43,10 @@ result := output if {
 }
 }
-build_message(q) := sprintf("Device registration quota is set to %d", [q]) if { q > 0 }
-build_message(0) := "Device registration quota is set to unlimited"
-build_message(null) := "Device registration quota is not configured"
+build_message(q) := "Device registration quota is not configured" if {
+ q == null
+} else := "Device registration quota is set to unlimited (non-compliant; CIS requires 20 or less)" if {
+ q == 0
+} else := sprintf("Device registration quota is set to %d", [q]) if {
+ q <= 20
+} else := sprintf("Device registration quota is %d; CIS requires 20 or less", [q])
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
index 368303102..44abed19b 100644
--- a/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/5.1.4.4_limit_local_admin_on_join.rego
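Review bot: The file's METADATA description (above the hunk) still says "CIS recommends setting this to 5" while `compliant` now enforces `input.user_device_quota <= 20`, so the two disagree; update the description to the 20-or-less threshold. The literal 20 is also repeated in `compliant` and in two message strings, so a package-level `max_quota := 20` used as `input.user_device_quota <= max_quota` and in the `q <= max_quota` branch keeps them in step if the benchmark value changes. A negative quota, not expected from the API but not rejected, takes the `q <= 20` branch and gets the compliant-sounding "set to %d" message while `compliant` is false; adding `q > 0` to that branch's body closes the gap.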
@@ -45,12 +45,8 @@ result := output if {
 }
 }
-build_message(null) := "Unable to determine local admin assignment for registering users; azureADJoin.localAdmins not returned by API"
-build_message(val) := "Registering users are not granted local administrator rights on Entra-joined devices" if {
- val != null
+build_message(val) := "Unable to determine local admin assignment for registering users; azureADJoin.localAdmins not returned by API" if {
+ val == null
+} else := "Registering users are not granted local administrator rights on Entra-joined devices" if {
 lower(val) == "notallowed"
-}
-build_message(val) := sprintf("Registering users are granted local admin rights on join (registeringUsers=%s)", [val]) if {
- val != null
- lower(val) != "notallowed"
-}
+} else := sprintf("Registering users are granted local admin rights on join (registeringUsers=%s)", [val])
diff --git a/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json b/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json
index 3ef2ee709..11a614dce 100644
--- a/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json
+++ b/engine/policies/cis/microsoft-365-foundations/v6.0.0/metadata.json
@@ -770,7 +770,7 @@
 "data_collector_id": "entra.devices.device_registration_policy",
 "policy_file": "5.1.4.2_limit_device_registration_quota.rego",
 "requires_permissions": ["Policy.Read.DeviceConfiguration"],
- "notes": "Compliant when userDeviceQuota > 0; value of 0 treated as unlimited. CIS recommends setting this to 5."
+ "notes": "CIS v6.0.0 requires userDeviceQuota to be set to 20 or less. A value of 0 is treated as unlimited and is non-compliant."
 },
 {
 "control_id": "5.1.4.3",