5.10 Ensure the Account Provisioning Activity report is reviewed at least weekly

Information

The Account Provisioning Activity report details any account provisioning that was attempted by an external application.

Rationale:

If you don't usually use a third party provider to manage accounts, any entry on the list is likely illicit. If you do, this is a great way to monitor transaction volumes and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the report, use the Microsoft 365 Admin Center:

Go to Security.

Click on Audit then select Search.

Set Activities to Added user for Activities.

Set Start Date and End Date.

Click Search.

Review.

To review Account Provisioning Activity report, use the Exchange Online PowerShell Module:

Connect to Exchange Online service using Connect-EXOPSSession.

Run the following Exchange Online PowerShell command:

$startDate = ((Get-date).AddDays(-7)).ToShortDateString()
$endDate = (Get-date).ToShortDateString()

Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq 'add user.' }

Review the output

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: 41612d686e181ad3c7064cc555a1da0cd2df49934f8713d7156d77219ce9e597