Control 8.2 : Privileged Access Rights
Summary
The allocation and use of privileged access rights should be restricted and managed. This ensures that administrative power is only granted to authorized individuals on a need-to-know basis to prevent accidental or malicious system-wide damage.
Applicability
In-Scope: Critical for maintaining the integrity of the Microsoft 365 tenant. It is a fundamental control for meeting the principle of least privilege and reducing the attack surface of high-value accounts.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Just-In-Time Access: Implement Entra ID Privileged Identity Management (PIM) to ensure that administrative roles are only active when needed and for a limited duration.
- Approval Workflows: Configure PIM to require a formal justification and a second-person approval before highly sensitive roles (like Global Administrator) are activated.
- Dedicated Accounts: Require administrators to use separate, dedicated cloud-only accounts for privileged tasks, distinct from their everyday productivity accounts.
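The following script is an added example, not part of the control text or any Microsoft-published tooling. It uses the Microsoft Graph PowerShell SDK to inventory who holds the Global Administrator role and to separate standing (permanent) assignments from PIM eligible, time-bound and currently activated ones, which is the evidence needed to show that just-in-time access is actually in force. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the RoleManagement.Read.Directory scope; the role template ID is Microsoft's well-known constant for the built-in Global Administrator role.

```powershell
# Added example (not from the page): separate permanent Global Administrator
# assignments from PIM-managed eligible/time-bound ones.
# Assumes: Microsoft.Graph SDK installed; consent to RoleManagement.Read.Directory.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects

Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Well-known template ID of the built-in Global Administrator role.
$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Active assignments: AssignmentType 'Assigned' is a standing assignment
# (permanent when EndDateTime is empty); 'Activated' is a PIM activation in progress.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaRoleId'"

# Eligible assignments: holders who must activate through PIM before the role applies.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaRoleId'"

function Resolve-PrincipalName([string]$Id) {
    # Resolve a principal ID (user, group or service principal) to a readable name;
    # fall back to the raw ID for deleted or unresolvable objects.
    try {
        $obj  = Get-MgDirectoryObject -DirectoryObjectId $Id
        $name = $obj.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
        if ($name) { return $name }
    } catch { }
    return $Id
}

$report = @()
$report += foreach ($a in $active) {
    $kind = if ($a.AssignmentType -eq 'Activated') { 'PIM-activated' }
            elseif ($a.EndDateTime)                { 'Time-bound' }
            else                                   { 'PERMANENT' }
    [pscustomobject]@{
        Principal  = Resolve-PrincipalName $a.PrincipalId
        Kind       = $kind
        MemberType = $a.MemberType      # Direct, or Group when inherited via a role-assignable group
        Expires    = $a.EndDateTime
    }
}
$report += foreach ($e in $eligible) {
    [pscustomobject]@{
        Principal  = Resolve-PrincipalName $e.PrincipalId
        Kind       = 'Eligible'
        MemberType = $e.MemberType
        Expires    = $e.EndDateTime
    }
}

$report | Sort-Object Kind, Principal | Format-Table -AutoSize

# The number an auditor will ask for: standing Global Administrators with no expiry.
$permanent = @($report | Where-Object Kind -eq 'PERMANENT').Count
Write-Host "Permanent Global Administrators: $permanent"
```

Each entry in the PERMANENT bucket should be individually justified in the privileged access policy (typically only the emergency-access accounts that deliberately sit outside PIM); everyone else should appear as Eligible. Group-derived assignments (MemberType of Group) are worth a second look, because membership of the underlying role-assignable group is then the real control boundary.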
Evidence Checklist
- Privileged Access Policy: Rules defining who can hold administrative roles and the requirements for using them.
- PIM Audit Logs: Records showing when privileged roles were requested, approved, and utilized.
- Access Review Records: Evidence that administrative assignments are reviewed and re-validated at least quarterly.
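As an added example of producing the PIM audit log evidence item above (not from the page), the script below exports the last 30 days of PIM events from the Entra ID directory audit log to CSV. It assumes the Microsoft.Graph.Reports module and consent to the AuditLog.Read.Directory and Directory.Read.All scopes; the mapping of target resource types ('Role', 'User') to columns reflects the shape of PIM audit entries and is an assumption to verify against your own tenant's output.

```powershell
# Added example (not from the page): export PIM role activity from the Entra ID audit log.
# Assumes: Microsoft.Graph.Reports installed; consent to AuditLog.Read.Directory and Directory.Read.All.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "AuditLog.Read.Directory", "Directory.Read.All" -NoWelcome

# Look back 30 days; the audit log filter expects an ISO 8601 UTC timestamp.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Only entries written by the PIM service: activations, approvals, assignment changes.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since"

$rows = foreach ($e in $events) {
    # Assumption: PIM entries carry the affected role and user as target resources.
    $role = ($e.TargetResources | Where-Object Type -eq 'Role' | Select-Object -First 1).DisplayName
    $user = ($e.TargetResources | Where-Object Type -eq 'User' | Select-Object -First 1).UserPrincipalName
    [pscustomobject]@{
        Time     = $e.ActivityDateTime
        Activity = $e.ActivityDisplayName     # e.g. activation requested / approved / completed
        Result   = $e.Result
        Reason   = $e.ResultReason
        Actor    = $e.InitiatedBy.User.UserPrincipalName
        Target   = $user
        Role     = $role
    }
}

# Quick view for the reviewer, then the CSV that goes into the evidence folder.
$rows | Group-Object Activity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Sort-Object Time | Export-Csv -Path .\pim-audit-evidence.csv -NoTypeInformation
Write-Host "Exported $(@($rows).Count) PIM events since $since"
```

The grouped summary makes gaps visible at a glance: activations of an approval-gated role with no matching approval event, or a role that is activated far more often than its stated maintenance windows would justify, are the things an auditor will pick up from this export.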
Practical Audit Advice
Here are some questions the auditor might ask:
- How many permanent Global Administrators does the organization currently have, and how is this number justified?
- Can you demonstrate the workflow required for a specialist to gain contributor-level access to a production environment for a specific maintenance window?
- How are privileged accounts protected against credential theft compared to standard user accounts (e.g., FIDO2 keys)?
- What process is in place to monitor the activity of privileged users to detect potentially unauthorized changes?