From b92bfc8a85a766d21ce6a9f821ab06f7bf7d9583 Mon Sep 17 00:00:00 2001 From: Richa Jaiswal Date: Tue, 20 Jun 2023 14:00:07 +0530 Subject: [PATCH 1/2] Git hub documentation update for TBv9 Control --- Control coverage/Feature/SubscriptionCore.md | 70 ++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/Control coverage/Feature/SubscriptionCore.md b/Control coverage/Feature/SubscriptionCore.md index a994d947..179457e1 100644 --- a/Control coverage/Feature/SubscriptionCore.md +++ b/Control coverage/Feature/SubscriptionCore.md @@ -21,6 +21,8 @@ - [Azure_Subscription_Configure_Conditional_Access_for_PIM](#Azure_Subscription_Configure_Conditional_Access_for_PIM) - [Azure_Subscription_AuthZ_Limit_Admin_Owner_Count](#Azure_Subscription_AuthZ_Limit_Admin_Owner_Count) - [Azure_Subscription_SI_Dont_Use_B2C_Tenant](#azure_subscription_si_dont_use_b2c_tenant) +- [Azure_Subscription_Identity_Rotate_SPN_Credentials](#Azure_Subscription_Identity_Rotate_SPN_Credentials) +- [Azure_Subscription_AuthZ_SPN_Owners_Governance](#Azure_Subscription_AuthZ_SPN_Owners_Governance)
@@ -1068,6 +1070,74 @@ This Service depends mainly on 3rd party identity provider, and that can cause a **Properties:** [\*].value.namespace , [\*].value.registrationState
+
+ + +## Azure_Subscription_Identity_Rotate_SPN_Credentials + +### Display Name +Service Principal credentials must be regularly rotated. + +### Rationale +SPNs having access to subscription must have secrets within maximum approved expiry time. + +### Control Spec +> **Passed:** +> The gap between the End date and Start date of a secret is within maximum approved expiry time +> +> **Failed:** +> The gap between the End date and Start date of a secret is not within maximum approved expiry time + + +### Recommendation + +- **Azure Portal** +
Rotate/Delete expired SPN secrets. + + ### Control Settings +```json +{ + "ExpirationPeriodInDays":380, + "ServicePrincipalTypeFilter":["Application","Legacy"], + "AllowedObjectIds":[] +} + ``` +
+ +
+ + +## Azure_Subscription_AuthZ_SPN_Owners_Governance + +### Display Name +App Registrations and Service Principals must have at least two FTE Owners (SC-Alt/SAS-Alt only) + +### Rationale +SPNs in a subscription with access at subscription or resource group level should not have access to any External Users.. + +### Control Spec +> **Passed:** +> A SPN have atleast two FTE Owners with (SC-Alt/SAS-Alt only) +> +> **Failed:** +> A SPN does not have atleast two FTE Owners with (SC-Alt/SAS-Alt only) OR +> A SPN have FTE Owners without (SC-Alt/SAS-Alt only) OR +> A SPN have Non FTE Owners + +### Recommendation + +- **Azure Portal** +
Add exactly two FTE owners or remove SPN's subscription/resource group level access. + + ### Control Settings +```json +{ + "ServicePrincipalTypeFilter":["Application","Legacy"], + "AllowedObjectIds":[] +} + ``` +
+
___ From 60e321814b9e10c12421a0ff7d5b0311e6f34088 Mon Sep 17 00:00:00 2001 From: Richa Jaiswal Date: Mon, 3 Jul 2023 12:16:19 +0530 Subject: [PATCH 2/2] Updated the display name for control as approved by Sec Std team --- Control coverage/Feature/SubscriptionCore.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Control coverage/Feature/SubscriptionCore.md b/Control coverage/Feature/SubscriptionCore.md index 179457e1..302b6ab1 100644 --- a/Control coverage/Feature/SubscriptionCore.md +++ b/Control coverage/Feature/SubscriptionCore.md @@ -1076,7 +1076,7 @@ This Service depends mainly on 3rd party identity provider, and that can cause a ## Azure_Subscription_Identity_Rotate_SPN_Credentials ### Display Name -Service Principal credentials must be regularly rotated. +App Registrations and Service Principals credentials must be regularly rotated. ### Rationale SPNs having access to subscription must have secrets within maximum approved expiry time. @@ -1113,7 +1113,7 @@ SPNs having access to subscription must have secrets within maximum approved exp App Registrations and Service Principals must have at least two FTE Owners (SC-Alt/SAS-Alt only) ### Rationale -SPNs in a subscription with access at subscription or resource group level should not have access to any External Users.. +SPNs in a subscription with access at subscription or resource group level should not have access to any External Users. ### Control Spec > **Passed:**
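Review bot: the recommendation for Azure_Subscription_AuthZ_SPN_Owners_Governance in the @@ -1068,6 +1070,74 @@ hunk contradicts the display name and control spec it sits under: the spec passes on "atleast two FTE Owners" while the Azure Portal step says "Add exactly two FTE owners or remove SPN's subscription/resource group level access."; change "exactly two" to "at least two". The Rationale in the same section ("should not have access to any External Users..") states a different requirement than the spec (owner count and SC-Alt/SAS-Alt account type), so reword it to say why two FTE alt-account owners are required, and fix the spec grammar ("A SPN have atleast" should read "An SPN has at least", "Non FTE" should be "non-FTE"). For Azure_Subscription_Identity_Rotate_SPN_Credentials, the spec evaluates the gap between a secret's Start date and End date, not whether the secret has expired, so "Rotate/Delete expired SPN secrets." does not tell the reader how to pass a still-valid but long-lived secret: recommend replacing any secret whose validity period exceeds ExpirationPeriodInDays (380 in the settings shown) with a shorter-lived one, and add a sentence explaining what ServicePrincipalTypeFilter and AllowedObjectIds control, since the Control Settings block is otherwise unexplained.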
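Review bot: the approved display name in the @@ -1076,7 +1076,7 @@ hunk, "App Registrations and Service Principals credentials must be regularly rotated.", is missing a possessive or singular-attributive form; suggest "App Registration and Service Principal credentials must be regularly rotated." so it reads correctly and parallels the owners-governance display name added in PATCH 1/2.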
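Review bot: the Control Spec lines immediately after this hunk's trailing context ("### Control Spec > **Passed:**"), added in PATCH 1/2, still read "A SPN have atleast two FTE Owners with (SC-Alt/SAS-Alt only)" and "A SPN have Non FTE Owners"; since this follow-up already touches the Rationale of the same section to drop the doubled period, fold "An SPN has at least" and "non-FTE" into it so the section is clean after the approval commit.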