Source | Azure Portal | ||
Display name | Microsoft Managed Control 1027 - Access Enforcement | ||
Id | a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c | ||
Version | 1.0.0 |
||
Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
Category | Regulatory Compliance |
||
Description | Microsoft implements this Access Control control | ||
Additional metadata |
Name/Id: ACF1027 / Microsoft Managed Control 1027
Category: Access Control
Title: Access Enforcement
Ownership: Customer, Microsoft
Description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Requirements: Azure enforces approved authorizations for logical access to the Azure environment using role-based access control enforced by Active Directory. Access to Active Directory security groups is managed through OneIdentity and MyAccess. Only screened personnel can access services in the Azure environment. All accounts created in support of Azure are role-based. Service team users request access to Azure, and if approved, are placed in the appropriate security groups according to their roles for supporting their services, using the principles of least privilege. By default, accounts do not have persistent elevated permissions to the production environment. If an Azure user needs access to the production environment to perform a specific action, they request temporary Just in Time (JIT) access through the JIT portal. Approval is granted either automatically using preconfigured rules or by a different Azure user with the access approver role. Access is only provided for a finite period based on the expected duration of the work to be performed. If access is approved, the user is assigned the minimum permissions required to perform the work, and permission is automatically revoked at the end of the specified time. |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit |
||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||