Microsoft implements this Identification and Authentication control
Name/Id: ACF1317 / Microsoft Managed Control 1317 Category: Identification and Authentication Title: Authenticator Management - Identity Verification Ownership: Customer, Microsoft Description: The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; Requirements: For personnel supporting Azure services, user accounts within Azure domains tie to accounts of existing Microsoft personnel using their unique Microsoft CorpNet aliases. CorpNet and Azure access are provisioned and managed using separate account management tools. CorpNet account management, using MyAccess, cannot provide access to Azure – it can only provide access to AD security groups that the Azure account management tool, OneIdentity, leverages. The alias is consistent across all of a user's accounts.
Azure utilizes the AME and GME domains for access to the Azure environment. These domains are specific to the environment.
The identities of accounts are verified during the account request process, where initial authenticator distribution information for new Azure domain accounts are sent to the user's CorpNet e-mail address. Initial authenticator distribution is only sent to the CorpNet e-mail account associated to the provisioning request, after manager approval has been received. Azure-issued smart cards are distributed in person by the C+AI Security smart card support team after confirming the identity of the individual receiving the smart card.
Rule resource types
IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups