AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Distribute authenticators | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Distribute authenticators

098dcde7-016a-06c3-0985-0daaf3301d3a

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0184 - Distribute authenticators

Additional metadata

Name/Id: CMA_0184 / CMA_0184
Category: Operational
Title: Distribute authenticators
Ownership: Customer
Description: Microsoft recommends that your organization enforce the following requirement: users who register to receive authenticators (e.g., passwords, tokens, smart cards, PKI certificates, etc.) do so in-person or by trusted third-party registration in compliance with your organization's policies and requirements. Customers using Active Directory Federation Services leverage existing user accounts for their internal domain infrastructures and do not need to create additional authenticators specific to Azure. Microsoft recommends that your organization create and maintain Identification and Authentication policies and standard operating procedures that require users who register to receive authenticators (e.g., passwords, tokens, smart cards, PKI certificates, etc.) do so in-person or by trusted third-party registration in compliance with your organization's policies and requirements. NIST 800-63C recommends using a secure method of transferring keying information during the registration process to establish and exchange the keying information needed to operate the federated relationship. The framework also recommends ensuring that symmetric keys are unique to a pair of federation participants.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 8 compliance controls are associated with this Policy definition 'Distribute authenticators' (098dcde7-016a-06c3-0985-0daaf3301d3a)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
FedRAMP_High_R4	IA-5(3)	FedRAMP_High_R4_IA-5(3)	FedRAMP High IA-5 (3)	Identification And Authentication	In-Person Or Trusted Third-Party Registration	Shared	n/a	The organization requires that the registration process to receive [Assignment: organization- defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].	link	1
FedRAMP_Moderate_R4	IA-5(3)	FedRAMP_Moderate_R4_IA-5(3)	FedRAMP Moderate IA-5 (3)	Identification And Authentication	In-Person Or Trusted Third-Party Registration	Shared	n/a	The organization requires that the registration process to receive [Assignment: organization- defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].	link	1
hipaa	0948.09y2Organizational.3-09.y	hipaa-0948.09y2Organizational.3-09.y	0948.09y2Organizational.3-09.y	09 Transmission Protection	0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services	Shared	n/a	Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.		6
hipaa	1112.01b2System.2-01.b	hipaa-1112.01b2System.2-01.b	1112.01b2System.2-01.b	11 Access Control	1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems	Shared	n/a	User identities are verified in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor or other individual defined in an applicable security plan) prior to receiving a hardware token.		7
hipaa	1127.01q2System.3-01.q	hipaa-1127.01q2System.3-01.q	1127.01q2System.3-01.q	11 Access Control	1127.01q2System.3-01.q 01.05 Operating System Access Control	Shared	n/a	Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access.		2
NIST_SP_800-53_R4	IA-5(3)	NIST_SP_800-53_R4_IA-5(3)	NIST SP 800-53 Rev. 4 IA-5 (3)	Identification And Authentication	In-Person Or Trusted Third-Party Registration	Shared	n/a	The organization requires that the registration process to receive [Assignment: organization- defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].	link	1
PCI_DSS_v4.0	8.3.11	PCI_DSS_v4.0_8.3.11	PCI DSS v4.0 8.3.11	Requirement 08: Identify Users and Authenticate Access to System Components	Strong authentication for users and administrators is established and managed	Shared	n/a	Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: • Factors are assigned to an individual user and not shared among multiple users. • Physical and/or logical controls ensure only the intended user can use that factor to gain access.	link	6
SWIFT_CSCF_v2022	5.2	SWIFT_CSCF_v2022_5.2	SWIFT CSCF v2022 5.2	5. Manage Identities and Segregate Privileges	Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used).	Shared	n/a	Connected and disconnected hardware authentication or personal tokens are managed appropriately during their assignment, distribution, revocation, use, and storage.	link	5

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
FedRAMP High	d5264498-16f4-418a-b659-fa7ef418175f	Regulatory Compliance	GA	BuiltIn
FedRAMP Moderate	e95f5a9f-57ad-4d03-bb0b-b1d16db93693	Regulatory Compliance	GA	BuiltIn
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 4	cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f	Regulatory Compliance	GA	BuiltIn
PCI DSS v4	c676748e-3af9-4e22-bc28-50feed564afb	Regulatory Compliance	GA	BuiltIn
SWIFT CSP-CSCF v2022	7bc7cd6c-4114-ff31-3cac-59be3157596d	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40	add	098dcde7-016a-06c3-0985-0daaf3301d3a

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC