Source | Azure Portal
Display name | Microsoft Managed Control 1617 - Application Partitioning
Id | a631d8f5-eb81-4f9d-9ee1-74431371e4a3
Version | 1.0.0
Versioning | Versions supported: 0 (Built-in Versioning [Preview])
Category | Regulatory Compliance
Description | Microsoft implements this System and Communications Protection control.

Additional metadata
Name/Id | ACF1617 / Microsoft Managed Control 1617
Category | System and Communications Protection
Title | Application Partitioning
Ownership | Customer, Microsoft
Description | The information system separates user functionality (including user interface services) from information system management functionality.
Requirements | Azure separates functionality into standard access and elevated access, corresponding to user and management functionality respectively; this provides logical separation of the two. All personnel with standard access are granted read access to system metadata, which is used for routine troubleshooting, release management, and other maintenance and monitoring activities. Standard access also grants permissions to key Azure tools, services, SharePoint sites, documentation, and a range of dashboards. Whenever elevated access to the Azure production environment is required, personnel must obtain it through just-in-time (JIT) access. Unless an approved exception (described below) applies, there is no standing or persistent elevated access to the Azure production environment. The primary exception is emergency elevated access. In other cases of persistent elevated access, where elevated access is the only kind of access the asset supports, the access is recorded as an exception and approved; this occurs with local accounts on assets, some of which cannot be disabled. Azure also separates internal traffic from external traffic to achieve further logical separation. Internal traffic uses private address space that is not externally routable. Translation between the internal and external address spaces is performed at the Azure Load Balancers: externally routable Virtual IPs (VIPs) are translated into internal Dynamic IPs (DIPs) that are routable only within Azure. Traffic that does not carry the internal IP information is simply blocked.
Mode | Indexed
Type | Static
Preview | False
Deprecated | False
Effect | Fixed: audit
RBAC role(s) | none
Rule aliases | none
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance | Not a Compliance control
Initiatives usage | none
History | none