last sync: 2024-May-23 18:02:58 UTC

Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands | Regulatory Compliance - Access Control

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands
Id fa4c2a3d-1294-41a3-9ada-0e540471e9fb
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Access Control control
Additional metadata Name/Id: ACF1037 / Microsoft Managed Control 1037
Category: Access Control
Title: Least Privilege | Network Access To Privileged Commands
Ownership: Customer, Microsoft
Description: The organization authorizes network access to privileged commands used to change/configure network devices only for maintenance and operational needs and documents the rationale for such access in the security plan for the information system.
Requirements: Azure establishes conditions for system account group membership using Active Directory. All group membership for Azure systems must be approved by the respective security group owner. Users are not granted membership to account groups for which they do not require access. Following the least privilege principle, group membership is given with the minimum access needed by the authorized individual to perform his or her job function and role. Elevated commands can only be executed by administrative accounts, which are either compliant with JIT and emergency access accounts and must be authorized and approved prior to or upon use, or are exception accounts that must be approved formally to maintain persistent administrative access.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC