last sync: 2024-Jun-14 18:20:16 UTC

Microsoft Managed Control 1034 - Least Privilege | Regulatory Compliance - Access Control

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1034 - Least Privilege
Id 02a5ed00-6d2e-4e97-9a98-46c32c057329
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Access Control control
Additional metadata Name/Id: ACF1034 / Microsoft Managed Control 1034
Category: Access Control
Title: Least Privilege
Ownership: Customer, Microsoft
Description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Requirements: Privileges to Azure production systems and administrative interfaces are assigned to Azure personnel based on least privilege principles in accordance with job responsibilities. Elevated access must be approved by the respective account managers. OneIdentityand MyAccess, used for access provisioning to resources, are based on structured business resources/rules created by the Azure service teams. They are used to grant Azure personnel access to designated and restricted security groups on least privilege principles. Service teams can obtain Just in Time (JIT) for troubleshooting purposes. JIT access is provided though the JIT portal based on the workflow configured and the access is granted only to the requested assets. The access can be configured to support business needs and can range from one (1) hour to seven (7) days and revoked based on the JIT policy settings prescribed by the resource owner. Emergency access accounts are provided the minimum permissions necessary to execute work if JIT is nonfunctioning. Access to Azure systems is granted based upon need-to-know and least-privilege principles. Access that has not been explicitly permitted is denied by default. Role-based access controls are used to allocate logical access to a specific job function or area of responsibility, rather than to an individual.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC