CYBERINFO
Technological Control 8.2

Privileged Access Rights

Summary

The allocation and use of privileged access rights should be restricted and managed. This ensures that administrative power is only granted to authorized individuals on a need-to-know basis to prevent accidental or malicious system-wide damage.

Applicability

In-Scope: Critical for maintaining the integrity of the Microsoft 365 tenant. It is a fundamental control for meeting the principle of least privilege and reducing the attack surface of high-value accounts.

Out-of-Scope: Never out-of-scope.

Implementation Guidance

Microsoft 365 / Entra ID

  • Just-In-Time Access: Implement Entra ID Privileged Identity Management (PIM) to ensure that administrative roles are only active when needed and for a limited duration.

  • Approval Workflows: Configure PIM to require a formal justification and a second-person approval before highly sensitive roles (like Global Administrator) are activated.

  • Dedicated Accounts: Require administrators to use separate, dedicated cloud-only accounts for privileged tasks, distinct from their everyday productivity accounts.

Evidence Checklist

  • Privileged Access Policy: Rules defining who can hold administrative roles and the requirements for using them.

  • PIM Audit Logs: Records showing when privileged roles were requested, approved, and utilized.

  • Access Review Records: Evidence that administrative assignments are reviewed and re-validated at least quarterly.

Practical Audit Advice

Here are some questions the auditor might ask:

  • How many permanent Global Administrators does the organization currently have, and how is this number justified?

  • Can you demonstrate the workflow required for a specialist to gain contributor-level access to a production environment for a specific maintenance window?

  • How are privileged accounts protected against credential theft compared to standard user accounts (e.g., FIDO2 keys)?

  • What process is in place to monitor the activity of privileged users to detect potentially unauthorized changes?
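The first and last audit questions above can be answered from the tenant itself rather than from a policy document. The following script is an added example (not part of this page or the CYBERINFO templates) that uses the Microsoft Graph PowerShell SDK to list Global Administrator assignments and separate permanent ones from PIM-eligible or PIM-activated ones, and to flag privileged users that are not cloud-only. It assumes the Microsoft.Graph module is installed and that the signed-in account holds at least the RoleManagement.Read.Directory and Directory.Read.All permissions; the way the expanded principal's display name is read via AdditionalProperties is an assumption about the SDK object shape.

```powershell
# Added example, not from the CYBERINFO page: inventory Global Administrator
# assignments so the "how many permanent Global Administrators" question can be
# answered with evidence rather than estimates.
# Assumptions: Microsoft.Graph module installed; the account used can read
# role management and directory data (scopes requested below).

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Resolve the role definition by display name instead of hard-coding its template id.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw "Global Administrator role definition not found in this tenant." }
$roleFilter = "roleDefinitionId eq '$($gaRole.Id)'"

# Active schedule instances: AssignmentType is 'Assigned' for standing assignments
# and 'Activated' for PIM activations; a null EndDateTime means no expiry.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $roleFilter -ExpandProperty Principal -All

# Eligible assignments are the PIM "just-in-time" population; they hold no standing power.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $roleFilter -ExpandProperty Principal -All

function Get-PrincipalName {
    param($Instance)
    # Assumption: expanded principal exposes displayName/userPrincipalName in AdditionalProperties.
    $p = $Instance.Principal.AdditionalProperties
    if ($p.userPrincipalName) { return $p.userPrincipalName }
    if ($p.displayName)       { return $p.displayName }
    return $Instance.PrincipalId
}

$permanent = $active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }
$activated = $active | Where-Object { $_.AssignmentType -eq 'Activated' }

"Permanent Global Administrators : $($permanent.Count)"
"Currently PIM-activated         : $($activated.Count)"
"PIM-eligible (not active)       : $($eligible.Count)"
""

# Permanent assignments are the finding auditors care about; list each one.
foreach ($inst in $permanent) {
    $name = Get-PrincipalName $inst
    # Dedicated admin accounts should be cloud-only; a synced account inherits on-premises risk.
    $syncNote = ""
    if ($inst.Principal.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') {
        $user = Get-MgUser -UserId $inst.PrincipalId -Property onPremisesSyncEnabled
        if ($user.OnPremisesSyncEnabled) { $syncNote = " [synced from on-premises, not cloud-only]" }
    }
    "  PERMANENT  $name$syncNote"
}

foreach ($inst in $eligible) {
    "  ELIGIBLE   $(Get-PrincipalName $inst)  (expires: $($inst.EndDateTime ?? 'never'))"
}

Disconnect-MgGraph | Out-Null
```

Run the script on a schedule and keep its output alongside the PIM audit logs in the evidence folder; a rising permanent count, or any permanent entry tagged as synced from on-premises, is the kind of drift the quarterly access review is meant to catch.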

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

Privileged Access Management (PAM) Policy (docx)

Defines controls for granting, managing, and monitoring privileged access to critical systems.

Privileged User Approval Form (xlsx)

Documents the approval workflow for granting privileged access rights to administrators.


See all templates on the Templates page.