| Field | Value |
| --- | --- |
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1451 - Physical Access Control |
| Id | e3f1e5a3-25c1-4476-8cb6-3955031f8e65 |
| Version | 1.0.0 |
| Versioning | Versions supported for Versioning: 0 |
| Category | Regulatory Compliance |
| Description | Microsoft implements this Physical and Environmental Protection control |
Additional metadata

Name/Id: ACF1451 / Microsoft Managed Control 1451
Category: Physical and Environmental Protection
Title: Physical Access Control - Authorization Verification
Ownership: Microsoft

Description: The organization:
- enforces physical access authorizations at all physical access points to the facility by:
  - verifying individual access authorizations before granting access to the facility; and
  - controlling ingress/egress to the facility using defined physical access control systems/devices.

Requirements:

Azure enforces physical access authorizations for all physical access points to Azure datacenters. The exteriors of the datacenter buildings are non-descript and do not advertise that they are Microsoft datacenters. Depending on the design of a datacenter, physical access authorizations at Azure datacenters may begin at a controlled perimeter gate or secured facility door that requires either access badge authorization or security officer authorization. Main access to Azure datacenter facilities is restricted to a single point of entry that is manned twenty-four (24) hours a day, seven (7) days a week by security personnel. Emergency exits are alarmed and under video surveillance. Electronic access control devices are installed on doors separating the reception area from the facilities' interior to restrict access to approved personnel only. Azure datacenters have a security operations desk located in the reception area and in line of sight of the single entry point. The datacenter lobbies have man-trap portal devices that require multifactor authentication such as access card and biometric hand geometry or fingerprint authentication to pass beyond the lobby. Areas within Microsoft datacenters that contain critical systems (e.g., colocations, critical environments, Main Distribution Frame (MDF) rooms, etc.) are further restricted through various security mechanisms such as electronic access control, biometric devices, and anti-passback controls. Additionally, doors are alarmed and under video surveillance.

Access authorizations at Azure datacenters are managed through the Datacenter Access Tool (DCAT). DCAT contains the authorized access lists of personnel who have been approved by the Datacenter Management (DCM) team. Access to areas within the datacenter is granted based on the least privilege principle. Before a person arrives at a datacenter, they must have a DCAT request approved by the DCM team. The DCM team reviews the request for a valid business justification and for appropriate access levels. Upon arriving at the datacenter, the individual on the request must have their identification verified by the Control Room Supervisor against a Microsoft identification badge or a valid government-issued identification card or document.

Azure datacenters (leased and fully managed) utilize physical access devices such as metal detectors, perimeter gates, electronic access badge readers, biometric readers, man-traps/portals, anti-tailgate devices (in leased datacenters), and anti-passback controls, as well as security officers, to control access to datacenters. As an additional security measure for leased datacenters, Azure has required that anti-tailgating alarms be deployed at the doors to Microsoft colocation rooms.

Azure Third-Party (Leased) Datacenters

The physical security requirements of a leased datacenter are designed to reflect similar security capabilities of a fully managed Azure datacenter. As an additional security measure for leased datacenters, Azure has required that anti-tailgating alarms be deployed at the doors to Microsoft colocation rooms.
| Field | Value |
| --- | --- |
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed audit |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |
| JSON compare | n/a |
| JSON | |