| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges | ||
| Id | e0de232d-02a0-4652-872d-88afb4ae5e91 | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this Configuration Management control | ||
| Additional metadata |
Name/Id: ACF1206 / Microsoft Managed Control 1206 Category: Configuration Management Title: Access Restrictions For Change | Limit Production / Operational Privileges - Privilege Limitation Ownership: Customer, Microsoft Description: The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Requirements: Azure personnel do not have access to any of the Azure production environments to change hardware, software, or firmware components. Developers and integrators are responsible for developing the code, generating the builds, performing integration testing, and managing deployments. Azure limits privileges to release software and configuration changes to production to authorized personnel; only the designated approvers such as leads, managers, or PMs can approve changes to production, and the service teams deploy the changes using the DevOps model. Segregation of duties is established on all critical functions within Azure’s production environment, to minimize the risk of unauthorized changes to productions systems. As such, access to make changes to the production environment is limited to authorized service team members using the DevOps model. Datacenter Services (DCS) Operations is responsible for managing physical access to the Azure environment. Physical access to the production environment is restricted to DCS personnel, who perform hardware changes. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|