| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1009 - Account Management |
| Id | b26f8610-e615-47c2-abd6-c00b2b0b503a |
| Version | 1.0.0 |
| Versioning | Versions supported: 0; Built-in Versioning [Preview] |
| Category | Regulatory Compliance |
| Description | Microsoft implements this Access Control control |
| Additional metadata | See below |

Additional metadata

- Name/Id: ACF1009 / Microsoft Managed Control 1009
- Category: Access Control
- Title: Account Management - Notifications
- Ownership: Customer, Microsoft
- Description: The organization notifies account managers when accounts are no longer required; when users are terminated or transferred; and when individual information system usage or need-to-know changes.

Requirements:

When a user leaves the company, their manager or their manager's work-on-behalf submits the user's resignation in the Employee Central system. An automatic notification is then sent to the HR administrator. The Employee Central system also automatically notifies Core Services Engineering and Operations (CSEO) and the Global Security Group of the user's last working day. The user's resignation includes the user's last working day. If the last working day needs to be changed, the user's manager or HR administrator changes the date in the HR database. The last working day information automatically flows to the HR database to ensure that accounts tied to the user's CorpNet credentials are disabled on the user's last working day. For urgent terminations, the HR administrator also notifies CSEO outside of the Employee Central notification window to initiate immediate action to disable access. As a result, Azure user accounts are disabled on the user's last working day or at the time access is requested to be disabled.

When a user is promoted or transferred to another group, the user's role and access rights are reviewed and revoked according to the access policy. The user profile is changed after proper approvals and authorization from the respective group owners. Accounts of terminated and transferred users are deactivated after confirmation from the appropriate manager. User accounts are evaluated daily to determine whether the user is still actively employed by Microsoft.

The OneIdentity Life Cycle Management job runs daily to disable any user account within Azure domains for which there is no HR record or which has been inactive for more than one hundred and eighty (180) days. Azure receives a daily HR feed of personnel, which it compares to the list of Azure domain users. Any user account that has no matching HR record, has had a position change in the HR record, or has been flagged as inactive is then disabled by the tools.
| Field | Value |
|---|---|
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed audit |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |
| JSON compare | n/a |
| JSON | |