| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1018 - Account Management \| Role-Based Schemes |
| Id | c9121abf-e698-4ee9-b1cf-71ee528ff07f |
| Version | 1.0.0 (Details on versioning) |
| Versioning | Versions supported for Versioning: 0; Built-in Versioning [Preview] |
| Category | Regulatory Compliance (Microsoft Learn) |
| Description | Microsoft implements this Access Control control |
| Additional metadata: Name/Id | ACF1018 / Microsoft Managed Control 1018 |
| Additional metadata: Category | Access Control |
| Additional metadata: Title | Account Management \| Role-Based Schemes - Privileged Accounts via RBAC |
| Additional metadata: Ownership | Customer, Microsoft |
| Additional metadata: Description | The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
| Additional metadata: Requirements | Administrative access within Azure uses the JIT process, which grants temporary administrative access through AD security groups, subscription roles, and temporary accounts created with RBAC permissions applied, and emergency access accounts, which utilize AD security groups for administrative access but create Severity 2 alerts when used. Using these methods, Azure personnel establish elevated access in accordance with a role-based access scheme, which organizes information system privileges into roles that are assigned to AD security groups of which users become a member. For the persistent accounts that are exceptions to the JIT and emergency access implementations, any group membership action that provides elevated persistent access to Azure is provisioned only after explicit approval by asset owners based on the role of the requestor. This access restriction is strictly enforced via security groups, where security group owners determine approval to be added to a security group based on business justification and role of a user. |
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed audit |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |
| JSON compare | n/a |
| JSON | |