5.3.1 Ensure 'Privileged Identity Management' is used to manage roles

Information

Microsoft Entra Privileged Identity Management (PIM) can be used to audit roles, allow just-in-time (JIT) activation of roles, and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.

Rationale:

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor gaining that access, or of an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Entra ID. Organizations can give users just-in-time (JIT) privileged access to roles. There is also a need for oversight of what those users are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.

Impact:

Implementation of just-in-time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access and the anticipated duration of access, and to reauthenticate to enable role access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Identity Governance and select Privileged Identity Management.

Select Microsoft Entra Roles.

Select Roles beneath Manage.

Inspect at a minimum the following sensitive roles. For each of the members that have an ASSIGNMENT TYPE of Permanent, click on the ... and choose Make eligible:
Application Administrator
Authentication Administrator
Billing Administrator
Cloud Application Administrator
Cloud Device Administrator
Compliance Administrator
Customer LockBox Access Approver
Device Administrators
Exchange Administrators
Global Administrators
HelpDesk Administrator
Information Protection Administrator
Intune Service Administrator
Kaizala Administrator
License Administrator
Password Administrator
PowerBI Service Administrator
Privileged Authentication Administrator
Privileged Role Administrator
Security Administrator
SharePoint Service Administrator
Skype for Business Administrator
Teams Service Administrator
User Administrator
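To check the same condition outside the portal, here is an added example (not from the CIS benchmark, Tenable or Microsoft) that flags Permanent active assignments of the roles listed above using the Microsoft Graph v1.0 collections roleManagement/directory/roleDefinitions and roleManagement/directory/roleAssignmentScheduleInstances. The permission name, the loose role-name matching and the sample data are assumptions; the role list is copied as written above, so the legacy names must be reconciled with the displayName values your tenant returns.

```python
import json
import urllib.request
# Roles named by the control, as written there (a few are legacy plural spellings, so
# reconcile them with the displayName values your tenant's roleDefinitions return).
SENSITIVE_ROLES = {
    "Application Administrator", "Authentication Administrator", "Billing Administrator",
    "Cloud Application Administrator", "Cloud Device Administrator", "Compliance Administrator",
    "Customer LockBox Access Approver", "Device Administrators", "Exchange Administrators",
    "Global Administrators", "HelpDesk Administrator", "Information Protection Administrator",
    "Intune Service Administrator", "Kaizala Administrator", "License Administrator",
    "Password Administrator", "PowerBI Service Administrator", "Privileged Authentication Administrator",
    "Privileged Role Administrator", "Security Administrator", "SharePoint Service Administrator",
    "Skype for Business Administrator", "Teams Service Administrator", "User Administrator",
}
GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"

def _norm(name):
    # Case-insensitive and tolerant of the plural legacy names ("Global Administrators").
    return name.casefold().rstrip("s")

def graph_get(path, token):
    # First page of a Graph collection (follow @odata.nextLink in large tenants);
    # assumes a bearer token holding RoleManagement.Read.Directory (assumed permission).
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def permanent_sensitive_assignments(role_definitions, schedule_instances, sensitive=SENSITIVE_ROLES):
    # /roleAssignmentScheduleInstances: assignmentType 'Assigned' with no endDateTime is a
    # Permanent active assignment (what the control says to make eligible); 'Activated'
    # instances are JIT activations of an eligible assignment and are compliant.
    wanted = {_norm(r) for r in sensitive}
    names = {d["id"]: d["displayName"] for d in role_definitions}  # from /roleDefinitions
    findings = []
    for inst in schedule_instances:
        role = names.get(inst["roleDefinitionId"], inst["roleDefinitionId"])
        if (_norm(role) in wanted and inst.get("assignmentType") == "Assigned"
                and inst.get("endDateTime") is None):
            findings.append((role, inst["principalId"], inst.get("memberType", "Direct")))
    return sorted(findings)

# Constructed sample shaped like the two Graph collections (not real tenant data).
SAMPLE_DEFS = [{"id": "r-ga", "displayName": "Global Administrator"}, {"id": "r-rr", "displayName": "Reports Reader"}]
SAMPLE_INSTANCES = [
    {"roleDefinitionId": "r-ga", "principalId": "u-alice", "assignmentType": "Assigned",
     "endDateTime": None, "memberType": "Direct"},  # permanent: finding
    {"roleDefinitionId": "r-ga", "principalId": "u-bob", "assignmentType": "Activated",
     "endDateTime": "2024-01-01T10:00:00Z", "memberType": "Direct"},  # JIT activation: ok
    {"roleDefinitionId": "r-rr", "principalId": "u-carol", "assignmentType": "Assigned",
     "endDateTime": None, "memberType": "Direct"},  # not one of the listed roles: ok
]
```

For a live tenant, pass `graph_get("/roleDefinitions", token)` and `graph_get("/roleAssignmentScheduleInstances", token)` to `permanent_sensitive_assignments` instead of the sample lists; each finding is a member to convert to Eligible in the portal steps above.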

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), 800-53|IA-4, 800-53|IA-5, CSCv7|4.1

Plugin: microsoft_azure

Control ID: 7f46d0e16bc39445b5cad94a27833699a80525d05199e455186898445206fb0e