5.3.3 (L1) Ensure 'Access reviews' for privileged roles are configured

Information

Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.

Ensure access reviews for highly privileged Entra ID roles are performed monthly or more frequently. At a minimum, these reviews should include the roles listed below:

- Global Administrator
- Exchange Administrator
- SharePoint Administrator
- Teams Administrator
- Security Administrator

Note: An access review is created for each role selected after completing the process.

Regular review of critical, highly privileged roles in Entra ID helps identify role drift and potential malicious activity. It also enables the practice of "separation of duties": even non-privileged users, such as security auditors, can be assigned to review the roles assigned in an organization. Furthermore, if configured, these reviews can provide a fail-closed mechanism that removes the subject's access when the reviewer does not respond to the review.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
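Because the plugin does not perform this check, the following added PowerShell script (not part of the CIS benchmark or the Nessus plugin) reports whether each of the five roles above is covered by an access review whose settings match the control. It assumes the Microsoft.Graph PowerShell modules are installed, that the caller has AccessReview.Read.All and RoleManagement.Read.Directory, and that a review targets a role when the role definition GUID appears anywhere in the definition's scope (so both query styles Entra uses for role reviews are matched); the settings property names follow the accessReviewScheduleSettings resource in the Microsoft Graph reference.

```powershell
# Added audit example: report access-review coverage for the control's five privileged roles.
# Assumes Microsoft.Graph modules are installed and the account has read permissions listed above.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'AccessReview.Read.All', 'RoleManagement.Read.Directory'

$roleNames = @('Global Administrator', 'Exchange Administrator', 'SharePoint Administrator',
               'Teams Administrator', 'Security Administrator')

# Page through every access review definition, keeping the raw hashtables Graph returns.
$definitions = @()
$uri = 'https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions'
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $definitions += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Compare one definition's settings with the values the control requires; return deviations.
function Get-SettingDeviations {
    param($Definition)
    $s = $Definition.settings
    $pattern = $s.recurrence.pattern
    $dev = @()
    # Monthly or more frequent: absoluteMonthly with interval 1, or a weekly/daily pattern.
    $frequentEnough = ($pattern.type -eq 'absoluteMonthly' -and [int]$pattern.interval -eq 1) -or
                      (@('weekly', 'daily') -contains $pattern.type)
    if (-not $frequentEnough)                    { $dev += "frequency $($pattern.type)/$($pattern.interval) is less than monthly" }
    if ([int]$s.instanceDurationInDays -gt 4)    { $dev += "duration $($s.instanceDurationInDays) days exceeds 4" }
    if ($s.recurrence.range.type -ne 'noEnd')    { $dev += "recurrence end is '$($s.recurrence.range.type)', expected noEnd" }
    if (-not $s.autoApplyDecisionsEnabled)       { $dev += 'auto apply results disabled' }
    # "If reviewers don't respond: No change" means no default decision is applied.
    if ($s.defaultDecisionEnabled)               { $dev += "default decision '$($s.defaultDecision)' applies on no response; expected No change" }
    if (-not $s.justificationRequiredOnApproval) { $dev += 'reason on approval not required' }
    if (-not $s.recommendationsEnabled)          { $dev += 'recommendations disabled' }
    if (-not $s.mailNotificationsEnabled)        { $dev += 'mail notifications disabled' }
    if (-not $s.reminderNotificationsEnabled)    { $dev += 'reminders disabled' }
    return $dev
}

foreach ($roleName in $roleNames) {
    # Resolve the role's definition id instead of hard-coding well-known template GUIDs.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'" |
            Select-Object -First 1
    if (-not $role) { Write-Output "[FAIL] $roleName : role definition not found"; continue }

    # A definition covers the role if its GUID appears anywhere in the serialized scope.
    $covering = $definitions | Where-Object { ($_.scope | ConvertTo-Json -Depth 10) -match $role.Id }
    if (-not $covering) { Write-Output "[FAIL] $roleName : no access review scopes this role"; continue }

    foreach ($d in $covering) {
        $dev = Get-SettingDeviations -Definition $d
        if ($dev.Count -eq 0) { Write-Output "[PASS] $roleName : '$($d.displayName)'" }
        else { Write-Output "[WARN] $roleName : '$($d.displayName)' deviates: $($dev -join '; ')" }
    }
}
```

A [FAIL] line is the condition this control exists to catch; a [WARN] line means a review exists but one of the Solution settings below differs, and the deviation text names which one.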

Solution

To remediate using the UI:

- Navigate to Microsoft Entra admin center

https://entra.microsoft.com/

- Click to expand Identity Governance and select Privileged Identity Management
- Select Microsoft Entra Roles under Manage
- Select Access reviews and click New access review
- Provide a name and description.
- Set Frequency to Monthly or more frequently.
- Set Duration (in days) to at most 4
- Set End to Never
- Set Users scope to All users and groups
- In Role select these roles: Global Administrator, Exchange Administrator, SharePoint Administrator, Teams Administrator, Security Administrator
- Set Assignment type to All active and eligible assignments
- Set Reviewers to the member(s) responsible for this type of review; reviewers must not review their own access.

- Upon completion settings:
  - Set Auto apply results to resource to Enable
  - Set If reviewers don't respond to No change

- Advanced settings:
  - Set Show recommendations to Enable
  - Set Require reason on approval to Enable
  - Set Mail notifications to Enable
  - Set Reminders to Enable

- Click Start to save the review.
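The same configuration the UI steps above produce, as an added PowerShell example using the Microsoft Graph PowerShell SDK; it is not part of the benchmark or of Tenable's plugin. It assumes the Microsoft.Graph modules are installed, that the caller holds AccessReview.ReadWrite.All and RoleManagement.Read.Directory, that the request body follows the accessReviewScheduleDefinition resource in the Microsoft Graph reference (the principalResourceMembershipsScope shape used here for "all active and eligible assignments" of a role should be verified against that reference before use), and that the reviewer object ID is a placeholder to be replaced with real reviewers who do not hold the roles being reviewed.

```powershell
# Added remediation example: one access review per privileged role, with the Solution's settings.
# Assumes Microsoft.Graph modules are installed and the request body matches the Graph reference.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'RoleManagement.Read.Directory'

# Placeholder reviewer object IDs; replace with the members responsible for this review.
$reviewerIds = @('00000000-0000-0000-0000-000000000000')

$roleNames = @('Global Administrator', 'Exchange Administrator', 'SharePoint Administrator',
               'Teams Administrator', 'Security Administrator')

foreach ($roleName in $roleNames) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'" |
            Select-Object -First 1
    if (-not $role) { Write-Warning "Role '$roleName' not found, skipping"; continue }

    $body = @{
        displayName          = "CIS 5.3.3 - $roleName"
        descriptionForAdmins = "Monthly review of all active and eligible $roleName assignments"
        # Users scope: All users and groups; Role: the one resolved above.
        scope = @{
            '@odata.type'   = '#microsoft.graph.principalResourceMembershipsScope'
            principalScopes = @(
                @{ '@odata.type' = '#microsoft.graph.accessReviewQueryScope'; query = '/users';  queryType = 'MicrosoftGraph' },
                @{ '@odata.type' = '#microsoft.graph.accessReviewQueryScope'; query = '/groups'; queryType = 'MicrosoftGraph' }
            )
            resourceScopes = @(
                @{ '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
                   query         = "/roleManagement/directory/roleDefinitions/$($role.Id)"
                   queryType     = 'MicrosoftGraph' }
            )
        }
        reviewers = @($reviewerIds | ForEach-Object { @{ query = "/users/$_"; queryType = 'MicrosoftGraph' } })
        settings = @{
            mailNotificationsEnabled        = $true    # Mail notifications: Enable
            reminderNotificationsEnabled    = $true    # Reminders: Enable
            justificationRequiredOnApproval = $true    # Require reason on approval: Enable
            recommendationsEnabled          = $true    # Show recommendations: Enable
            autoApplyDecisionsEnabled       = $true    # Auto apply results to resource: Enable
            defaultDecisionEnabled          = $false   # If reviewers don't respond: No change
            defaultDecision                 = 'None'
            instanceDurationInDays          = 4        # Duration (in days): at most 4
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = 1 }                      # Frequency: Monthly
                range   = @{ type = 'noEnd'; startDate = (Get-Date -Format 'yyyy-MM-dd') }  # End: Never
            }
        }
    }

    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body |
        Select-Object Id, DisplayName
}
```

Keeping defaultDecisionEnabled at $false is what implements "If reviewers don't respond: No change"; it is the setting that prevents an unattended review from revoking roles from break-glass accounts, as the warning below describes.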

Warning: Care should be taken when configuring the If reviewers don't respond setting for Global Administrator reviews; if it is misconfigured, break-glass accounts could automatically have their roles revoked. Additionally, reviewers should be educated on the purpose of break-glass accounts to prevent accidental manual removal of their roles.

Impact:

In order to avoid disruption, reviewers who have the authority to revoke roles should be trusted individuals who understand the significance of access reviews. Additionally, the principle of separation of duties should be applied so that no administrator is responsible for reviewing their own access levels. This will cause additional administrative overhead.

If the reviews are configured to automatically revoke highly privileged roles such as Global Administrator, this could result in removing all Global Administrators from the organization. Care should be taken when configuring this setting, especially in the case of break-glass accounts, which would be included by association.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, 800-53|AC-2(3)

Plugin: microsoft_azure

Control ID: 898d32935bbd56a697b281be4fa7875a1fb71dca36be40509920cc76c16ce999