2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly

Information

The Account Provisioning Activity report details any account provisioning that was attempted by an external application.

Rationale:

If the organization doesn't usually use a third-party provider to manage accounts, any entry on the list is likely illicit. Otherwise, it is recommended to monitor transaction volumes and look for new or unusual third party applications that may be managing users. If anything unusual is observed, the provider should be contacted to determine the legitimacy of the action.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the Account Provisioning Activity report:

Navigate to Microsoft 365 Defender https://security.microsoft.com.

Click on Audit.

Set Activities to Added user for User administration activities.

Set Start Date and End Date.

Click Search.

Review.

To review Account Provisioning Activity report using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following Exchange Online PowerShell command:

$startDate = ((Get-date).AddDays(-7)).ToShortDateString()
$endDate = (Get-date).ToShortDateString()

Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq 'add user.' }

Review the output.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: 8e657da04e6ab2ca74b40038b6616b59c9254441b4e1ad661442bed682728ce9