5.6 Ensure user role group changes are reviewed at least weekly

Information

User role group changes should be reviewed on a weekly basis to ensure no one has been improperly added to an administrative role.

Rationale:

Illicit role group changes could give an attacker elevated privileges to perform more dangerous and impactful things in your tenancy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review user role group changes, perform the following steps using the Microsoft 365 Admin Center:

Go to Compliance.

Click on Audit then select Search.

Set Activities to Added member to role.

Set Start Date and End Date.

Click Search.

Review.

To review user role group changes, perform the following steps using Exchange Online PowerShell Module:

Connect to Exchange Online using Connect-EXOPSSession.

Run the following Exchange Online PowerShell command:

$startDate = ((Get-date).AddDays(-7)).ToShortDateString()
$endDate = (Get-date).ToShortDateString()

Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq 'Add member to role.' }

Review the output

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: b2335d863a796addca4468b59ba1608542b6d97677934c8b6b3dea38d7b1c458