| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1447 - Physical Access Authorizations |
| Id | b9783a99-98fe-4a95-873f-29613309fe9a |
| Version | 1.0.0 |
| Versioning | Versions supported for Versioning: 0; Built-in Versioning [Preview] |
| Category | Regulatory Compliance |
| Description | Microsoft implements this Physical and Environmental Protection control |
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed audit |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |
| JSON compare | n/a |
| JSON | |

Additional metadata

| Field | Value |
|---|---|
| Name/Id | ACF1447 / Microsoft Managed Control 1447 |
| Category | Physical and Environmental Protection |
| Title | Physical Access Authorizations - List of Authorized Individuals |
| Ownership | Microsoft |
| Description | The organization: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; |

Requirements

Access to an Azure datacenter must be approved by the Datacenter Management (DCM) team through the Datacenter Access Tool (DCAT). On a quarterly basis, the DCM team for each datacenter is required to perform an appropriateness review of the personnel with authorized access to their datacenter. The review consists of reviewing reports from security showing personnel with current access to the datacenter. The DCM determines the access changes to be made and communicates a request to security to have the changes performed. After the changes have been made, the DCM team reviews reports verifying that the changes have been completed. The quarterly access review is documented in a work ticket that includes the reports that were reviewed by the DCM team. These tickets are reviewed as part of the quality control and quality assurance process. The DC Quarterly Access Review process is documented in the Datacenter Services (DCS) SOP.

In between quarterly access reviews, DCAT procedures support the least privilege principle by requiring every access assignment to have an end date. After the end date is reached, access is removed by DCAT. The DCAT termination process can be manual or automatic. Manual scenarios are where a Datacenter Manager or security team member initiates the termination of an individual's DCAT requests. An automatic termination occurs when an individual with a Microsoft alias/domain account has their employment terminated in Microsoft's headcount management tool (HeadTrax).

Additionally, when access is no longer required, it is the standard procedure for security officers at the datacenter or the DCM team to manually request the termination of access. The DC Quarterly Access Review is a quarterly true-up of the access list and not the primary control relied upon to keep the access list current.

Azure Third-Party (Leased) Datacenters

The DCM of a leased datacenter is responsible for conducting the same access review as a fully-managed Azure datacenter. Instead of reviewing the access levels for the entire datacenter, the DCM requests the access list for the Microsoft areas from the datacenter's security team. The DCM is responsible for ensuring that both the landlord's access system and DCAT reflect the same data. The quarterly access review is conducted in the same manner as a fully-managed Azure datacenter. DCAT requests are used in leased datacenter locations in a slightly different manner from a fully-managed Azure datacenter: the approved DCAT request is emailed by the DCM team to the security team at the leased datacenter, and the leased datacenter security team inputs the approved request into the leased datacenter's access tool.