| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1011 - Account Management | ||
| Id | 7e6a54f3-883f-43d5-87c4-172dfd64a1f5 | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this Access Control control | ||
| Additional metadata |
Name/Id: ACF1011 / Microsoft Managed Control 1011 Category: Access Control Title: Account Management - Account Review for Compliance Ownership: Customer, Microsoft Description: The organization: Reviews accounts for compliance with account management requirements Quarterly; and Requirements: Access is based on specific roles and duties to support the operational environments. The foundation is granting elevated access for a limited duration through JIT not to exceed seven (7) days; and a formal program that monitors account activities enabled by auditing account management actions. This provides ongoing review of accounts and alerts of changes. The objective is a continuous rather than static review of access authorizations and activities. Azure utilizes Just in Time (JIT) access and emergency access accounts for the implementation of this control. Individuals request elevated access for a specific, limited purpose. Upon approval, JIT grants temporary audited access on the Azure asset (e.g., assign RBAC role, assign claim, generate account and assign to the local administrator group on a virtual machine, etc.). The access is automatically revoked after a set limited time and all access grants are securely audited using the JIT system and/or destination resource logging mechanisms. JIT terminates access based on the rules configured in the adjudicating policy, as defined by the resource owner. Once a JIT grant has expired, the access will be revoked and the user must submit a new request for access if access is still required. Because no JIT access is provided exceeding seven (7) days, and all JIT requests are reviewed prior to approval either manually or via automated rules set by the owning service team, the intent of this requirement is met. Emergency access accounts, which have persistent elevated access to the production environment, are only utilized in emergency situations when JIT is inaccessible. The use of these accounts generates a Severity 2 ticket, which requires review immediately, meeting the intent of the requirement. Microsoft also executes a Quarterly Access Review (QAR) of all accounts each quarter. A full inventory of accounts is analyzed with the managers of each account identified. Managers are required to revalidate access for an account to remain active. If a manager indicates an account is no longer necessary, or a manager does not respond, the account is deactivated. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|