| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands | ||
| Id | fa4c2a3d-1294-41a3-9ada-0e540471e9fb | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this Access Control control | ||
| Additional metadata |
Name/Id: ACF1037 / Microsoft Managed Control 1037 Category: Access Control Title: Least Privilege | Network Access To Privileged Commands Ownership: Customer, Microsoft Description: The organization authorizes network access to privileged commands used to change/configure network devices only for maintenance and operational needs and documents the rationale for such access in the security plan for the information system. Requirements: Azure establishes conditions for system account group membership using Active Directory. All group membership for Azure systems must be approved by the respective security group owner. Users are not granted membership to account groups for which they do not require access. Following the least privilege principle, group membership is given with the minimum access needed by the authorized individual to perform his or her job function and role. Elevated commands can only be executed by administrative accounts, which are either compliant with JIT and emergency access accounts and must be authorized and approved prior to or upon use, or are exception accounts that must be approved formally to maintain persistent administrative access. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|