Name/Id: ACF1021 / Microsoft Managed Control 1021
Category: Access Control
Title: Account Management | Restrictions On Use Of Shared / Group Accounts
Ownership: Customer, Microsoft

Description: The organization only permits the use of shared/group accounts that meet these requirements: established for a clearly-defined administrative purpose that cannot be fulfilled using individual accounts; credentials stored in an approved secret management store.

Requirements: Group or shared accounts are not utilized within Azure unless necessary, such as where a local account cannot be deleted or disabled, or where the account is necessary for emergency access. For accounts tracked as approved exceptions, the credentials for these accounts are stored in an approved secret management store, which tracks and monitors access to secrets and ensures group or shared account usage is uniquely attributable to the user accessing it by associating the secret store logs with the group or shared account usage. When a user accesses the credentials in the secret management store, that user is identified uniquely, ensuring non-repudiation and attributing user activity to the shared account.
Rule resource types (IF clause, 2): Microsoft.Resources/subscriptions; Microsoft.Resources/subscriptions/resourceGroups
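The attribution mechanism the Requirements describe, correlating secret-store access logs with the shared account's own sign-ins so that each use of the shared account maps back to one named individual, can be checked with a small correlation routine. The following is an added example, not part of this control or of any Microsoft tooling; the log records are constructed and use a simplified, assumed field layout rather than the real Azure Key Vault diagnostic or sign-in log schema, and the 15-minute correlation window is an assumed value.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration only. Field names are an assumed
# simplified shape, not the real Key Vault diagnostic or sign-in log schema.
SECRET_ACCESS_LOGS = [
    {"time": "2024-03-01T09:00:00", "user": "alice@example.com", "secret": "breakglass-admin", "op": "SecretGet"},
    {"time": "2024-03-01T09:01:00", "user": "bob@example.com",   "secret": "svc-backup",       "op": "SecretGet"},
    {"time": "2024-03-01T14:30:00", "user": "carol@example.com", "secret": "breakglass-admin", "op": "SecretGet"},
]

# Constructed sign-in events for the shared account itself (the secret name in
# the store is assumed to equal the shared account name).
SHARED_ACCOUNT_SIGNINS = [
    {"time": "2024-03-01T09:04:00", "account": "breakglass-admin", "source_ip": "10.0.0.5"},
    {"time": "2024-03-01T14:33:00", "account": "breakglass-admin", "source_ip": "10.0.0.7"},
    {"time": "2024-03-01T22:10:00", "account": "breakglass-admin", "source_ip": "203.0.113.9"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def attribute_shared_account_use(secret_logs, signins, window=timedelta(minutes=15)):
    """Map each shared-account sign-in to the individual who retrieved its credential.

    A sign-in is attributed to the user who most recently read that account's
    secret from the store within `window` before the sign-in. A sign-in with no
    such retrieval is flagged: the credential was used without going through the
    store, which breaks the attribution chain this control relies on.
    """
    reads = sorted(
        (entry for entry in secret_logs if entry["op"] == "SecretGet"),
        key=lambda entry: _ts(entry["time"]),
    )
    results = []
    for signin in sorted(signins, key=lambda s: _ts(s["time"])):
        t = _ts(signin["time"])
        candidates = [
            r for r in reads
            if r["secret"] == signin["account"] and t - window <= _ts(r["time"]) <= t
        ]
        attributed = candidates[-1]["user"] if candidates else None
        results.append({
            "signin_time": signin["time"],
            "account": signin["account"],
            "source_ip": signin["source_ip"],
            "attributed_to": attributed,
            "finding": None if attributed else "shared account used without a recorded secret retrieval",
        })
    return results


if __name__ == "__main__":
    for record in attribute_shared_account_use(SECRET_ACCESS_LOGS, SHARED_ACCOUNT_SIGNINS):
        print(record)
```

The unattributed third sign-in is the case worth alerting on: it means the shared credential exists somewhere outside the approved store, so rotation of that secret and a review of who last retrieved it are the natural follow-ups.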