Detections
Analytics

5.3.3 Ensure 'Access reviews' for high privileged Azure AD roles are configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.

Ensure Access reviews for high privileged Azure AD roles are done no less frequently than weekly. These reviews should include at a minimum the roles listed below:

Global Administrator

Exchange Administrator

SharePoint Administrator

Teams Administrator

Security Administrator

NOTE: An access review is created for each role selected after completing the process.

Rationale:

Regular review of critical high privileged roles in Azure AD will help identify role drift, or potential malicious activity. This will enable the practice and application of 'separation of duties' where even non-privileged users like security auditors can be assigned to review assigned roles in an organization. Furthermore, if configured these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create an access review for high privileged roles:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/

Click to expand Identity Governance and select Privileged Identity Management

Select Azure AD Roles under Manage

Select Access reviews and click New access review.

Provide a name and description.

Frequency set to Weekly or more frequent.

Duration (in days) is set to at most 3.

End set to Never.

Role select these roles: Global Administrator,Exchange Administrator,SharePoint Administrator,Teams Administrator,Security Administrator

Assignment type set to All active and eligible assignments.

Reviewers set to Selected user(s) or group(s)

Select reviewers are member(s) responsible for this type of review.

Auto apply results to resource set to Enable

If reviewers don't respond is set to No change

Show recommendations set to Enable

Require reason or approval set to Enable

Mail notifications set to Enable

Reminders set to Enable

Click Start to save the review.

NOTE: Reviewers will have the ability to revoke roles should be trusted individuals who understand the impact of the access reviews. The principal of separation of duties should be considered so that no one administrator is reviewing their own access levels.

Default Value:

By default access reviews are not configured.

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Plugin: microsoft_azure

Control ID: dbbd02c6f0153789a59478d576f54fdf329745510456f07073b7087bb7118777