5.3.3 Ensure 'Access reviews' for high privileged Azure AD roles are configured

Information

Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.

Ensure Access reviews for high privileged Azure AD roles are done no less frequently than weekly. These reviews should include at a minimum the roles listed below:

Global Administrator

Exchange Administrator

SharePoint Administrator

Teams Administrator

Security Administrator

NOTE: An access review is created for each role selected after completing the process.

Rationale:

Regular review of critical high privileged roles in Azure AD helps identify role drift and potential malicious activity. It also enables the practice of 'separation of duties', since even non-privileged users such as security auditors can be assigned to review the roles held in an organization. Furthermore, if configured to do so, these reviews act as a fail-closed mechanism that removes the subject's access when the reviewer does not respond to the review.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create an access review for high privileged roles:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/

Click to expand Identity Governance and select Privileged Identity Management

Select Azure AD Roles under Manage

Select Access reviews and click New access review.

Provide a name and description.

Frequency set to Weekly or more frequent.

Duration (in days) is set to at most 3.

End set to Never.

Role select these roles: Global Administrator, Exchange Administrator, SharePoint Administrator, Teams Administrator, Security Administrator

Assignment type set to All active and eligible assignments.

Reviewers set to Selected user(s) or group(s)

Select reviewers who are the member(s) responsible for this type of review.

Auto apply results to resource set to Enable

If reviewers don't respond is set to No change

Show recommendations set to Enable

Require reason on approval set to Enable

Mail notifications set to Enable

Reminders set to Enable

Click Start to save the review.

NOTE: Reviewers, who will have the ability to revoke roles, should be trusted individuals who understand the impact of the access reviews. The principle of separation of duties should be considered so that no administrator reviews their own access levels.
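The portal steps above configure one access review definition per role. Because the check itself is not performed by Nessus, an operator still needs a way to confirm that what exists in the tenant matches the Information and Solution sections: every one of the five roles covered, weekly or more frequent recurrence, duration of at most 3 days, no end date, auto-apply on, "No change" when reviewers do not respond, and recommendations, justification, mail and reminders enabled. The following is an added example, not code from the Tenable page or the CIS benchmark. It evaluates records in the shape of the Microsoft Graph accessReviewScheduleDefinition resource (what GET /identityGovernance/accessReviews/definitions returns). The role template IDs are the well-known built-in Entra directory role IDs; the exact scope.query text that PIM generates is an assumption, and the check relies only on the roleDefinitionId inside it. The sample records are constructed here, not captured from a tenant. Reviewer selection is not checked because the correct reviewer set is organization-specific.

```python
"""Check PIM role access review definitions against the benchmark settings.

Added example; input layout follows the Microsoft Graph
accessReviewScheduleDefinition resource. Sample records are constructed.
"""
import re

# Built-in directory role template IDs for the five roles the benchmark names
# (assumption: the tenant reviews the built-in roles, not custom ones).
REQUIRED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c": "SharePoint Administrator",
    "69091246-20e8-4a56-aa4d-066075b2a7a8": "Teams Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}

ROLE_ID_RE = re.compile(r"roleDefinitionId eq '([0-9a-fA-F-]{36})'")

# Graph settings property -> portal label; the benchmark expects each to be Enable.
EXPECTED_TRUE = {
    "autoApplyDecisionsEnabled": "Auto apply results to resource",
    "recommendationsEnabled": "Show recommendations",
    "justificationRequiredOnApproval": "Require reason on approval",
    "mailNotificationsEnabled": "Mail notifications",
    "reminderNotificationsEnabled": "Reminders",
}


def role_review_definition(role_id, name=None):
    """Constructed sample: a definition that matches the benchmark for one role."""
    name = name or f"Weekly review - {REQUIRED_ROLES.get(role_id, role_id)}"
    return {
        "displayName": name,
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "queryType": "MicrosoftGraph",
            # Assumed query shape: assignments of a single directory role.
            "query": "/roleManagement/directory/roleAssignmentScheduleInstances"
                     f"?$filter=(roleDefinitionId eq '{role_id}')",
        },
        "settings": {
            "instanceDurationInDays": 3,
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": False,
            "defaultDecision": "None",  # "If reviewers don't respond" = No change
            "recommendationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "recurrence": {
                "pattern": {"type": "weekly", "interval": 1},
                "range": {"type": "noEnd", "startDate": "2024-01-01"},
            },
        },
    }


def role_ids_in_scope(definition):
    """Role template IDs referenced by the definition's scope query."""
    query = (definition.get("scope") or {}).get("query", "")
    return {m.lower() for m in ROLE_ID_RE.findall(query)}


def settings_findings(definition):
    """List every way one definition deviates from the benchmark settings."""
    s = definition.get("settings") or {}
    pattern = (s.get("recurrence") or {}).get("pattern") or {}
    rng = (s.get("recurrence") or {}).get("range") or {}
    findings = []
    weekly = pattern.get("type") == "weekly" and pattern.get("interval", 1) <= 1
    if not (weekly or pattern.get("type") == "daily"):
        findings.append(f"frequency {pattern.get('type')!r}: expected weekly or more frequent")
    duration = s.get("instanceDurationInDays")
    if duration is None or duration > 3:
        findings.append(f"duration {duration!r} days: expected at most 3")
    if rng.get("type") != "noEnd":
        findings.append(f"recurrence range {rng.get('type')!r}: expected 'noEnd' (End = Never)")
    if s.get("defaultDecision", "None") != "None":
        findings.append(f"defaultDecision {s.get('defaultDecision')!r}: expected 'None' (No change)")
    for key, label in EXPECTED_TRUE.items():
        if s.get(key) is not True:
            findings.append(f"{label} ({key}) is {s.get(key)!r}: expected Enable")
    return findings


def evaluate(definitions):
    """Report uncovered required roles and per-definition setting deviations."""
    covered, deviations = set(), {}
    for d in definitions:
        ids = role_ids_in_scope(d) & set(REQUIRED_ROLES)
        if not ids:
            continue  # not a review of one of the high privileged roles
        covered |= ids
        deviations[d.get("displayName", "<unnamed>")] = settings_findings(d)
    missing = sorted(REQUIRED_ROLES[r] for r in set(REQUIRED_ROLES) - covered)
    return {"missing_roles": missing, "deviations": deviations}


def is_compliant(definitions):
    report = evaluate(definitions)
    return not report["missing_roles"] and not any(report["deviations"].values())


# Constructed sample tenant: one compliant weekly review, one drifted monthly review.
_drifted = role_review_definition("29232cdf-9323-42fd-ade2-1d097af3e4de",
                                  "Monthly review - Exchange Administrator")
_drifted["settings"]["instanceDurationInDays"] = 7
_drifted["settings"]["defaultDecision"] = "Deny"
_drifted["settings"]["recurrence"] = {
    "pattern": {"type": "absoluteMonthly", "interval": 1},
    "range": {"type": "endDate", "startDate": "2024-01-01", "endDate": "2024-12-31"},
}
SAMPLE_DEFINITIONS = [role_review_definition("62e90394-69f5-4237-9190-012177145e10"), _drifted]

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_DEFINITIONS), indent=2))
```

Run against the sample tenant, the report lists SharePoint, Teams and Security Administrator as having no review at all and flags four deviations on the Exchange Administrator review (monthly frequency, 7-day duration, an end date, and a Deny default decision). The functions take plain dicts, so the same checker can be fed the JSON value array from the Graph endpoint without modification.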

Default Value:

By default, access reviews are not configured.

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, 800-53|AC-2(3)

Plugin: microsoft_azure

Control ID: 6742bccbe22f19fbad1b0e7d6ab52050808f01d334f5727531a339d8eeb61215