1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint

Information

Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. A license can enable an account to gain access to a variety of different applications, depending on the license assigned.

The recommended state is to not license a privileged account or use licenses without associated applications such as Microsoft Entra ID P1 or Microsoft Entra ID P2

Ensuring administrative accounts do not use licenses with applications assigned to them will reduce the attack surface of high privileged identities in the organization's environment. Granting access to a mailbox or other collaborative tools increases the likelihood that privileged users might interact with these applications, raising the risk of exposure to social engineering attacks or malicious content. These activities should be restricted to an unprivileged 'daily driver' account.

Note: In order to participate in Microsoft 365 security services such as Identity Protection, PIM and Conditional Access an administrative account will need a license attached to it. Ensure that the license used does not include any applications with potentially vulnerable services by using either Microsoft Entra ID P1 or Microsoft Entra ID P2 for the cloud-only account with administrator roles.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to Microsoft 365 admin center https://admin.microsoft.com .
- Click to expand Users select Active users
- Click Add a user
- Fill out the appropriate fields for Name, user, etc.
- When prompted to assign licenses select as needed Microsoft Entra ID P1 or Microsoft Entra ID P2 then click Next
- Under the Option settings screen you may choose from several types of privileged roles. Choose Admin center access followed by the appropriate role then click Next
- Select Finish adding

Note: Utilizing PIM to best practices will satisfy this control. CIS and Microsoft recommend an organization keep zero permanently active assignments for roles other than emergency access accounts.

Impact:

Administrative users will have to switch accounts and utilize login/logout functionality when performing administrative tasks, as well as not benefiting from SSO.

Note: Alerts will be sent to TenantAdmins including Global Administrators, by default. To ensure proper receipt, configure alerts to be sent to security or operations staff with valid email addresses or a security operations center. Otherwise, after adoption of this recommendation, alerts sent to TenantAdmins may go unreceived due to the lack of an application-based license assigned to the Global Administrator accounts.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.1

Plugin: microsoft_azure

Control ID: 96e2931b1bace9599f596314dcff9e7da85c46e7fb5a0cdb7cbcdee78457dd2e