last sync: 2024-May-24 18:03:04 UTC

Microsoft Managed Control 1011 - Account Management | Regulatory Compliance - Access Control

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1011 - Account Management
Id 7e6a54f3-883f-43d5-87c4-172dfd64a1f5
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Access Control control
Additional metadata Name/Id: ACF1011 / Microsoft Managed Control 1011
Category: Access Control
Title: Account Management - Account Review for Compliance
Ownership: Customer, Microsoft
Description: The organization: Reviews accounts for compliance with account management requirements Quarterly; and
Requirements: Access is based on specific roles and duties to support the operational environments. The foundation is granting elevated access for a limited duration through JIT not to exceed seven (7) days; and a formal program that monitors account activities enabled by auditing account management actions. This provides ongoing review of accounts and alerts of changes. The objective is a continuous rather than static review of access authorizations and activities. Azure utilizes Just in Time (JIT) access and emergency access accounts for the implementation of this control. Individuals request elevated access for a specific, limited purpose. Upon approval, JIT grants temporary audited access on the Azure asset (e.g., assign RBAC role, assign claim, generate account and assign to the local administrator group on a virtual machine, etc.). The access is automatically revoked after a set limited time and all access grants are securely audited using the JIT system and/or destination resource logging mechanisms. JIT terminates access based on the rules configured in the adjudicating policy, as defined by the resource owner. Once a JIT grant has expired, the access will be revoked and the user must submit a new request for access if access is still required. Because no JIT access is provided exceeding seven (7) days, and all JIT requests are reviewed prior to approval either manually or via automated rules set by the owning service team, the intent of this requirement is met. Emergency access accounts, which have persistent elevated access to the production environment, are only utilized in emergency situations when JIT is inaccessible. The use of these accounts generates a Severity 2 ticket, which requires review immediately, meeting the intent of the requirement. Microsoft also executes a Quarterly Access Review (QAR) of all accounts each quarter. A full inventory of accounts is analyzed with the managers of each account identified. Managers are required to revalidate access for an account to remain active. If a manager indicates an account is no longer necessary, or a manager does not respond, the account is deactivated.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC