Identity and access management overview

How do Microsoft online services protect production systems from unauthorized or malicious access?

Microsoft online services are designed to allow Microsoft's engineers to operate services without accessing customer content. By default, Microsoft engineers have Zero Standing Access (ZSA) to customer content and no privileged access to the production environment. Microsoft online services use a Just-In-Time (JIT), Just-Enough-Access (JEA) model to provide service team engineers with temporary privileged access to production environments when such access is required to support Microsoft online services. The JIT access model replaces traditional, persistent administrative access with a process for engineers to request temporary elevation into privileged roles when required.

Engineers assigned to a service team to support production services request eligibility for a service team account through an identity and access management solution. The request for eligibility triggers a series of personnel checks to ensure the engineer has passed all cloud screening requirements, completed necessary training, and received appropriate management approval prior to account creation. Only after meeting all eligibility requirements can a service team account be created for the requested environment. To maintain eligibility for a service team account, personnel must complete role-based training annually and rescreening every two years. Failure to complete or pass these checks results in the eligibility being revoked automatically.

Service team accounts do not grant any standing administrator privileges or access to customer content. When an engineer requires additional access to support Microsoft online services, they request temporary elevated access to the resources they require using an access management tool called Lockbox. Lockbox restricts elevated access to the minimum privileges, resources, and time needed to complete the assigned task. If an authorized reviewer approves the JIT access request, the engineer is granted a temporary account with only the privileges necessary to complete their assigned work. This temporary account requires multifactor authentication and is automatically deleted after the approved period expires.

JEA is enforced by eligibilities and Lockbox roles at the time of request for JIT access. Only requests for access to assets within the scope of the engineer's eligibilities are accepted and passed on to the approver. Lockbox automatically rejects JIT requests that are outside the scope of the engineer's eligibilities and Lockbox roles, including requests that exceed allowed thresholds.

How do Microsoft online services use role-based access control (RBAC) with Lockbox to enforce least privilege?

Service team accounts do not grant any standing administrator privileges or access to customer content. JIT requests for limited administrator privileges are managed through Lockbox. Lockbox uses RBAC to limit the types of JIT elevation requests engineers can make, providing an additional layer of protection to enforce least privilege. RBAC also helps enforce separation of duties by limiting service team accounts to appropriate roles. Engineers supporting a service are granted membership to security groups based on their role. Membership in a security group does not grant any privileged access. Instead, security groups allow engineers to use Lockbox to request JIT elevation when required for supporting the system. The specific JIT requests an engineer can make are limited by their security group memberships.
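The following is an added illustration of the JIT/JEA gate described in the two sections above (eligibility expiry, scope checks, security-group-limited roles, duration thresholds, and a temporary MFA-protected account that expires on its own). It is not Lockbox code; the policy values, group-to-role mapping, asset names and function names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not Microsoft's actual thresholds).
MAX_ELEVATION = timedelta(hours=4)          # assumed per-request time threshold
RESCREEN_EVERY = timedelta(days=2 * 365)    # rescreening every two years
RETRAIN_EVERY = timedelta(days=365)         # role-based training annually
# Constructed mapping of security groups to the Lockbox roles they may request.
GROUP_ROLES = {"exchange-oncall": {"MailboxReader"}, "sql-oncall": {"DbOperator"}}

@dataclass(frozen=True)
class Engineer:
    screening_passed: datetime      # last cloud screening date
    training_completed: datetime    # last role-based training date
    manager_approved: bool          # management approval for the eligibility
    eligible_assets: frozenset      # assets covered by the engineer's eligibilities
    security_groups: frozenset      # groups that gate which JIT requests may be made

def is_eligible(eng: Engineer, now: datetime) -> bool:
    """Eligibility lapses automatically when screening, training or approval is missing."""
    return (eng.manager_approved
            and now - eng.screening_passed <= RESCREEN_EVERY
            and now - eng.training_completed <= RETRAIN_EVERY)

def evaluate_jit_request(eng: Engineer, asset: str, role: str,
                         duration: timedelta, now: datetime):
    """JEA gate: only in-scope, in-threshold requests are passed on to a human approver.
    Returns (accepted, reason); nothing here grants access by itself."""
    if not is_eligible(eng, now):
        return False, "eligibility revoked"
    if asset not in eng.eligible_assets:
        return False, "asset outside eligibility scope"
    allowed_roles = set().union(*(GROUP_ROLES.get(g, set()) for g in eng.security_groups))
    if role not in allowed_roles:
        return False, "role not permitted by security group membership"
    if duration > MAX_ELEVATION:
        return False, "requested duration exceeds allowed threshold"
    return True, "forwarded to approver"

def grant_temporary_account(approved: bool, role: str, now: datetime, duration: timedelta):
    """After approver sign-off, mint a temporary account that requires MFA and expires on its own."""
    if not approved:
        return None
    return {"role": role, "mfa_required": True, "expires_at": now + duration}
```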

How do Microsoft online services handle remote access to production systems?

Microsoft online services system components are housed in datacenters geographically separated from the operations teams. Datacenter personnel do not have logical access to Microsoft online services systems. As a result, Microsoft service team personnel manage the environment through remote access. Service team personnel who require remote access to support Microsoft online services are only granted remote access after approval from an authorized manager. All remote access uses FIPS 140-2 compatible TLS for secure remote connections.

Microsoft online services use Secure Admin Workstations (SAW) for service team remote access to help protect Microsoft online service environments from compromise. These workstations are designed to prevent intentional or unintentional loss of production data, including locking down USB ports and limiting the software available on the Secure Admin Workstation to what is required for supporting the environment. Secure Admin Workstations are closely tracked and monitored to detect and prevent malicious or inadvertent compromise of customer data by Microsoft engineers.

How does Customer Lockbox add additional protection for customer content?

Customers can add an additional level of access control to their content by enabling Customer Lockbox. When a Lockbox elevation request involves access to customer content, Customer Lockbox requires approval from the customer as a final step in the approval workflow. This process gives organizations the option to approve or deny these requests and provides direct access control to the customer. If the customer rejects a Customer Lockbox request, access to the requested content is denied. If the customer does not reject or approve the request within a certain period, then the request will expire automatically without Microsoft obtaining access to customer content. If the customer approves the request, then Microsoft's temporary access to customer content will be logged, auditable, and revoked automatically after the time assigned to complete the troubleshooting operation expires.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following tables for validation of controls related to identity and access control.

Azure and Dynamics 365

| External audits | Section | Latest report date |
| --- | --- | --- |
| ISO 27001/27002 (Statement of Applicability; Certification) | A.9.1: Business requirements of access control; A.9.2: User access management; A.9.3: User responsibilities; A.9.4: System and application access control; A.15.1: Information security in supplier relationships | December 2, 2020 |
| ISO 27017 (Statement of Applicability; Certification) | A.9.1: Business requirements of access control; A.9.2: User access management; A.9.3: User responsibilities; A.9.4: System and application access control; A.15.1: Information security in supplier relationships | December 2, 2020 |
| SOC 1; SOC 2; SOC 3 | OA-2: Provisioning access; OA-7: JIT access; OA-21: Secure Admin Workstations and MFA | March 31, 2021 |

Office 365

| External audits | Section | Latest report date |
| --- | --- | --- |
| FedRAMP | AC-2: Account management; AC-3: Access enforcement; AC-5: Separation of duties; AC-6: Least privilege; AC-17: Remote access | September 24, 2020 |
| ISO 27001/27002/27017 (Statement of Applicability) | A.9.1: Business requirements of access control; A.9.2: User access management; A.9.3: User responsibilities; A.9.4: System and application access control; A.15.1: Information security in supplier relationships | April 20, 2021 |
| SOC 1 | CA-33: Account modification; CA-34: User authentication; CA-35: Privileged access; CA-36: Remote access; CA-57: Customer Lockbox Microsoft management approval; CA-58: Customer Lockbox service requests; CA-59: Customer Lockbox notifications; CA-61: JIT review and approval | December 24, 2020 |
| SOC 2 | CA-32: Shared account policy; CA-33: Account modification; CA-34: User authentication; CA-35: Privileged access; CA-36: Remote access; CA-53: Third-party monitoring; CA-56: Customer Lockbox customer approval; CA-57: Customer Lockbox Microsoft management approval; CA-58: Customer Lockbox service requests; CA-59: Customer Lockbox notifications; CA-61: JIT review and approval | December 24, 2020 |
| SOC 3 | CUEC-15: Customer Lockbox requests | December 24, 2020 |