last sync: 2024-Feb-21 20:03:25 UTC

Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators | Regulatory Compliance - Identification and Authentication

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators
Id e51ff84b-e5ea-408f-b651-2ecc2933e4c6
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Identification and Authentication control
Additional metadata Name/Id: ACF1340 / Microsoft Managed Control 1340
Category: Identification and Authentication
Title: Authenticator Management | No Embedded Unencrypted Static Authenticators
Ownership: Customer, Microsoft
Description: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Requirements: Azure explicitly prohibits the use of unencrypted static authenticators embedded in applications, access scripts, or function keys. Any script that uses an authenticator makes a call to a secrets management database prior to each use. Access to the secrets management database is audited, which allows detection of violations of this prohibition if a service account is used to access a system without a corresponding call to the secrets management database. Azure service teams perform security testing for Azure services through the Security Development Lifecycle (SDL) process that is followed for all engineering and development projects. As part of the security testing that occurs during multiple phases of the SDL process, Azure teams ensure there are no unencrypted authenticators embedded in the applications, access scripts or function keys. CredScan is utilized on all official builds in all build pipelines, and either breaking the build process preventing production use or creating work items assigned to the Azure service team for remediation.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a