Information
Microsoft Entra Privileged Identity Management (PIM) can be used to audit roles, allow just-in-time activation of roles, and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.
Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor gaining that access, or of an authorized user inadvertently affecting a sensitive resource. However, users still need to carry out privileged operations in Entra ID. Organizations can give users just-in-time (JIT) privileged access to roles, and there is still a need for oversight of what those users do with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To remediate using the UI:
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com/
- Click to expand Identity Governance and select Privileged Identity Management
- Under Manage select Microsoft Entra Roles
- Under Manage select Roles
- Inspect at a minimum the following sensitive roles. For each member that has an ASSIGNMENT TYPE of Permanent, click the ... menu and choose Make eligible:
  - Application Administrator
  - Authentication Administrator
  - Azure Information Protection Administrator
  - Billing Administrator
  - Cloud Application Administrator
  - Cloud Device Administrator
  - Compliance Administrator
  - Customer LockBox Access Approver
  - Exchange Administrator
  - Fabric Administrator
  - Global Administrator
  - HelpDesk Administrator
  - Intune Administrator
  - Kaizala Administrator
  - License Administrator
  - Microsoft Entra Joined Device Local Administrator
  - Password Administrator
  - Privileged Authentication Administrator
  - Privileged Role Administrator
  - Security Administrator
  - SharePoint Administrator
  - Skype for Business Administrator
  - Teams Administrator
  - User Administrator
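Because this check is not performed automatically, the following added audit script (not part of the benchmark or of Nessus) lists every permanent, non-expiring active assignment in the roles above through Microsoft Graph PowerShell, so the result can be compared against the PIM console. It assumes the Microsoft.Graph.Identity.Governance module and an account consented to the RoleManagement.Read.Directory and Directory.Read.All scopes; the role names are the ones listed in the Solution.

```powershell
# Added audit example: report standing (permanent) assignments in sensitive Entra roles.
# Assumes Microsoft.Graph.Identity.Governance and read-only Graph scopes (no changes are made).
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$SensitiveRoles = @(
    'Application Administrator', 'Authentication Administrator',
    'Azure Information Protection Administrator', 'Billing Administrator',
    'Cloud Application Administrator', 'Cloud Device Administrator',
    'Compliance Administrator', 'Customer LockBox Access Approver',
    'Exchange Administrator', 'Fabric Administrator', 'Global Administrator',
    'HelpDesk Administrator', 'Intune Administrator', 'Kaizala Administrator',
    'License Administrator', 'Microsoft Entra Joined Device Local Administrator',
    'Password Administrator', 'Privileged Authentication Administrator',
    'Privileged Role Administrator', 'Security Administrator',
    'SharePoint Administrator', 'Skype for Business Administrator',
    'Teams Administrator', 'User Administrator'
)

# Map role definition id -> display name, restricted to the roles we care about.
$roleById = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $SensitiveRoles -contains $_.DisplayName } |
    ForEach-Object { $roleById[$_.Id] = $_.DisplayName }

# Active assignment instances. AssignmentType 'Assigned' is standing access;
# 'Activated' is a JIT activation currently in effect. A null EndDateTime means permanent.
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All

$findings = foreach ($i in $instances) {
    if (-not $roleById.ContainsKey($i.RoleDefinitionId)) { continue }
    if ($i.AssignmentType -ne 'Assigned') { continue }
    if ($null -ne $i.EndDateTime) { continue }
    $principal = Get-MgDirectoryObject -DirectoryObjectId $i.PrincipalId
    [pscustomobject]@{
        Role       = $roleById[$i.RoleDefinitionId]
        Principal  = $principal.AdditionalProperties['displayName']
        ObjectType = $principal.AdditionalProperties['@odata.type']
        MemberType = $i.MemberType   # Direct, Group or Inherited
    }
}

if ($findings) {
    Write-Host "FAIL: permanent assignments found in sensitive roles" -ForegroundColor Red
    $findings | Sort-Object Role, Principal | Format-Table -AutoSize
} else {
    Write-Host "PASS: no permanent assignments in the listed sensitive roles" -ForegroundColor Green
}
```

Group-based assignments (MemberType Group) are reported against the group, so inspect the group's membership as well before treating the role as clean.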
Impact:
Implementation of just-in-time privileged access is likely to necessitate changes to administrators' routines. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access and the anticipated time the access is needed, and to reauthenticate to enable role access.