last sync: 2024-Jul-26 18:17:39 UTC

Microsoft Managed Control 1018 - Account Management | Role-Based Schemes | Regulatory Compliance - Access Control

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1018 - Account Management | Role-Based Schemes
Id c9121abf-e698-4ee9-b1cf-71ee528ff07f
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this Access Control control
Additional metadata Name/Id: ACF1018 / Microsoft Managed Control 1018
Category: Access Control
Title: Account Management | Role-Based Schemes - Privileged Accounts via RBAC
Ownership: Customer, Microsoft
Description: The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
Requirements: Administrative access within Azure uses the JIT process, which grants temporary administrative access through AD security groups, subscription roles, and temporary accounts created with RBAC permissions applied. Emergency access accounts also use AD security groups for administrative access, but their use raises Severity 2 alerts. Using these methods, Azure personnel establish elevated access in accordance with a role-based access scheme, which organizes information system privileges into roles that are assigned to AD security groups to which users are added as members. For the persistent accounts that are exceptions to the JIT and emergency access implementations, any group membership action that provides elevated persistent access to Azure is provisioned only after explicit approval by asset owners based on the role of the requestor. This access restriction is strictly enforced via security groups: security group owners approve additions to a security group based on the business justification and role of the user.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a