Information
Role-Based Access Control allows for permissions to be assigned to users based on their roles within an organization. It is a more manageable form of access control that is less prone to errors. These user roles can be audited inside of Microsoft Purview to provide a security auditor insight into user privilege change.
Rationale:
Weekly reviews provide an opportunity to identify rights changes in an organization and are a large part of maintaining Least Privilege and preventing Privilege creep. Insider Threats, either intentional or unintentional, can occur when a user has higher than needed privileges. Maintaining accountability of role membership will keep insiders and malicious actors limited in the scope of potential damaging activities.
Impact:
By performing regular reviews, the Administrators assigning rights to users will need to inevitably provide justification for those changes to security auditors. Documentation that includes detailed policies, procedures, and change requests will need to be considered to keep a secure organization functioning within its planned operational level.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To review user role group changes:
Navigate to Microsoft Purview https://compliance.microsoft.com/.
Under Solutions click on Audit then select New Search.
In Activities find Added member to Role under the Role administration activities section and select it.
Set a valid Start Date and End Date within the last week.
Click Search.
Review once the search is completed.
To review user role group changes using PowerShell:
Connect to Exchange Online using Connect-ExchangeOnline
Run the following Exchange Online PowerShell command:
$startDate = ((Get-date).AddDays(-7)).ToShortDateString()
$endDate = (Get-date).ToShortDateString()
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType AzureActiveDirectory -Operations 'Add member to role.'
Review the output.