| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1034 - Least Privilege | ||
| Id | 02a5ed00-6d2e-4e97-9a98-46c32c057329 | ||
| Version | 1.0.0 Details on versioning |
||
| Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this Access Control control | ||
| Additional metadata |
Name/Id: ACF1034 / Microsoft Managed Control 1034 Category: Access Control Title: Least Privilege Ownership: Customer, Microsoft Description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. Requirements: Privileges to Azure production systems and administrative interfaces are assigned to Azure personnel based on least privilege principles in accordance with job responsibilities. Elevated access must be approved by the respective account managers. OneIdentityand MyAccess, used for access provisioning to resources, are based on structured business resources/rules created by the Azure service teams. They are used to grant Azure personnel access to designated and restricted security groups on least privilege principles. Service teams can obtain Just in Time (JIT) for troubleshooting purposes. JIT access is provided though the JIT portal based on the workflow configured and the access is granted only to the requested assets. The access can be configured to support business needs and can range from one (1) hour to seven (7) days and revoked based on the JIT policy settings prescribed by the resource owner. Emergency access accounts are provided the minimum permissions necessary to execute work if JIT is nonfunctioning. Access to Azure systems is granted based upon need-to-know and least-privilege principles. Access that has not been explicitly permitted is denied by default. Role-based access controls are used to allocate logical access to a specific job function or area of responsibility, rather than to an individual. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|