Security Control v3: Privileged access

Privileged Access covers controls to protect privileged access to your Azure tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk.

PA-1: Separate and limit highly privileged/administrative users

CIS Controls v8 ID(s): 5.4, 6.8
NIST SP 800-53 r4 ID(s): AC-2, AC-6
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1

Security Principle: Ensure you are identifying all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane.

Azure Guidance: Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:

  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
  • Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.

Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level.

  • Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
  • Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
  • User Access Administrator: Lets you manage user access to Azure resources.

Note: You may have other critical roles that need to be governed if you use custom roles at the Azure AD level or the resource level with certain privileged permissions assigned.

Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
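The inventory step this control asks for (identify every high-impact account, including holders of custom roles that carry privileged permissions) can be scripted over exported role data. The following is an added example, not part of the benchmark or of any Microsoft tooling. All three inputs are constructed samples whose field names are simplified from Azure AD directory role memberships and from the output of `az role assignment list` / `az role definition list`; the subscription id is a placeholder, and the "privileged permission" heuristic is an assumption you should tune to your own custom roles.

```python
"""Inventory the principals holding the roles the benchmark calls critical.

Added example, not part of the Microsoft benchmark text. The three inputs are
constructed samples shaped loosely like Azure AD directory role memberships and
the output of `az role assignment list` / `az role definition list` (field names
simplified; check them against a real export before relying on this).
"""

# Azure AD (directory) roles PA-1 singles out, and the resource-level roles it
# names as critical at the Azure RBAC level.
CRITICAL_DIRECTORY_ROLES = {"Global Administrator", "Privileged Role Administrator"}
CRITICAL_RESOURCE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample data. The subscription id is a placeholder.
SUB = "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER"

DIRECTORY_ROLE_MEMBERS = [
    {"role": "Global Administrator", "principal": "alice@contoso.example"},
    {"role": "Global Administrator", "principal": "breakglass1@contoso.example"},
    {"role": "Privileged Role Administrator", "principal": "bob@contoso.example"},
    {"role": "User Administrator", "principal": "carol@contoso.example"},
]

ROLE_DEFINITIONS = [
    {"roleName": "Owner", "roleType": "BuiltInRole", "actions": ["*"]},
    {"roleName": "Contributor", "roleType": "BuiltInRole", "actions": ["*"]},
    {"roleName": "Reader", "roleType": "BuiltInRole", "actions": ["*/read"]},
    # Constructed custom role that quietly includes the right to hand out role assignments.
    {"roleName": "App Team Deployer", "roleType": "CustomRole",
     "actions": ["Microsoft.Web/*", "Microsoft.Authorization/roleAssignments/write"]},
    {"roleName": "Log Viewer", "roleType": "CustomRole",
     "actions": ["Microsoft.Insights/*/read"]},
]

ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "dave@contoso.example", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "erin@contoso.example", "roleDefinitionName": "App Team Deployer",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "frank@contoso.example", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "grace@contoso.example", "roleDefinitionName": "Log Viewer", "scope": SUB},
]


def grants_privileged_permission(action):
    """Conservative heuristic (an assumption for this example): a wildcard over
    everything, or any non-read Microsoft.Authorization action (role assignments,
    role definitions, elevateAccess), makes a role as sensitive as the built-in
    critical ones."""
    a = action.lower()
    if a == "*":
        return True
    return a.startswith("microsoft.authorization/") and not a.endswith("/read")


def privileged_custom_roles(definitions):
    """Names of custom roles that should be governed like the built-in critical roles."""
    return {
        d["roleName"]
        for d in definitions
        if d["roleType"] == "CustomRole"
        and any(grants_privileged_permission(a) for a in d["actions"])
    }


def privileged_principals(dir_members, assignments, definitions):
    """Map each high-impact principal to the sorted list of critical roles it holds."""
    critical_resource_roles = CRITICAL_RESOURCE_ROLES | privileged_custom_roles(definitions)
    held = {}
    for m in dir_members:
        if m["role"] in CRITICAL_DIRECTORY_ROLES:
            held.setdefault(m["principal"], set()).add(m["role"])
    for a in assignments:
        if a["roleDefinitionName"] in critical_resource_roles:
            held.setdefault(a["principalName"], set()).add(a["roleDefinitionName"])
    return {p: sorted(r) for p, r in sorted(held.items())}


if __name__ == "__main__":
    custom = privileged_custom_roles(ROLE_DEFINITIONS)
    print("custom roles to govern as critical:", sorted(custom))
    inventory = privileged_principals(DIRECTORY_ROLE_MEMBERS, ROLE_ASSIGNMENTS, ROLE_DEFINITIONS)
    print(f"{len(inventory)} high-impact principals")
    for principal, roles in inventory.items():
        print(f"  {principal}: {', '.join(roles)}")
```

On the constructed data the script reports five high-impact principals rather than the three you would get by looking only at the built-in role names, because the custom "App Team Deployer" role carries `Microsoft.Authorization/roleAssignments/write` and is therefore treated like Owner. The same script should be run against every scope level (tenant, management group, subscription, resource group), since assignments inherit downward.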

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-2: Avoid standing access for user accounts and permissions

CIS Controls v8 ID(s): N/A
NIST SP 800-53 r4 ID(s): AC-2
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Instead of creating standing privileges, use a just-in-time (JIT) mechanism to assign privileged access to the different resource tiers.

Azure Guidance: Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Restrict inbound traffic to the management ports of your sensitive virtual machines (VMs) with Microsoft Defender for Cloud's just-in-time (JIT) VM access feature. This ensures that privileged access to the VM is granted only when users need it.
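Both halves of this control (JIT role activation through PIM, and JIT VM access in place of permanently open management ports) reduce to the same question: what access is standing rather than on demand? The script below is an added example, not part of the benchmark and not PIM or Defender for Cloud output. Its inputs are constructed: a flat list of PIM-style role assignments (Eligible versus Active, with optional start and end times) and a list of NSG inbound rules using the ARM property names `direction`, `access`, `destinationPortRange` and `sourceAddressPrefix` (the plural `destinationPortRanges` form is not handled). The eight-hour activation ceiling is an assumption, not a PIM default.

```python
"""Find standing privileged access that should be just-in-time instead.

Added example, not part of the Microsoft benchmark text. Both inputs are
constructed: a flat list of PIM-style role assignments (Eligible vs Active with
optional start/end times) and a list of NSG inbound rules. The field names and
the 8-hour activation ceiling are assumptions, not PIM or Defender settings.
"""
from datetime import datetime, timedelta

# Assumption: the longest JIT activation window this organization allows.
MAX_ACTIVATION = timedelta(hours=8)
MANAGEMENT_PORTS = {22, 3389}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}
SUB = "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER"

# Constructed PIM-style assignment export. end=None means no end date (permanent).
ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Global Administrator", "scope": "/",
     "assignmentType": "Active", "start": "2024-01-01T00:00:00+00:00", "end": None},
    {"principal": "bob@contoso.example", "role": "Owner", "scope": SUB,
     "assignmentType": "Active", "start": "2024-03-01T09:00:00+00:00",
     "end": "2024-03-01T13:00:00+00:00"},
    {"principal": "carol@contoso.example", "role": "Contributor", "scope": SUB,
     "assignmentType": "Active", "start": "2024-01-01T00:00:00+00:00",
     "end": "2024-07-01T00:00:00+00:00"},
    {"principal": "dave@contoso.example", "role": "Owner", "scope": SUB,
     "assignmentType": "Eligible", "start": "2024-01-01T00:00:00+00:00", "end": None},
]

# Constructed NSG rules on a sensitive VM's subnet.
NSG_RULES = [
    {"name": "allow-rdp-from-anywhere", "direction": "Inbound", "access": "Allow",
     "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
    {"name": "allow-ssh-from-paw", "direction": "Inbound", "access": "Allow",
     "destinationPortRange": "22", "sourceAddressPrefix": "10.10.0.0/24"},
    {"name": "allow-web", "direction": "Inbound", "access": "Allow",
     "destinationPortRange": "80-443", "sourceAddressPrefix": "Internet"},
    {"name": "deny-all-inbound", "direction": "Inbound", "access": "Deny",
     "destinationPortRange": "*", "sourceAddressPrefix": "*"},
]


def classify_assignment(a):
    """Eligible = JIT. Active without an end, or active for longer than a single
    activation window, is standing access."""
    if a["assignmentType"] == "Eligible":
        return "jit-eligible"
    if a["end"] is None:
        return "standing-permanent"
    duration = datetime.fromisoformat(a["end"]) - datetime.fromisoformat(a["start"])
    return "jit-activation" if duration <= MAX_ACTIVATION else "standing-time-bound"


def standing_access(assignments):
    """(principal, role, classification) for every assignment that is not JIT."""
    out = []
    for a in assignments:
        kind = classify_assignment(a)
        if kind.startswith("standing"):
            out.append((a["principal"], a["role"], kind))
    return out


def port_in_range(port, spec):
    """Azure port specs are '*', a single port, or 'low-high'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def exposed_management_ports(rules):
    """Names of inbound allow rules that expose SSH/RDP to any source, i.e. the
    standing exposure that Defender for Cloud JIT VM access is meant to remove."""
    return [
        r["name"]
        for r in rules
        if r["direction"] == "Inbound"
        and r["access"] == "Allow"
        and r["sourceAddressPrefix"].lower() in ANY_SOURCE
        and any(port_in_range(p, r["destinationPortRange"]) for p in MANAGEMENT_PORTS)
    ]


if __name__ == "__main__":
    for principal, role, kind in standing_access(ASSIGNMENTS):
        print(f"standing access: {principal} holds {role} ({kind})")
    for name in exposed_management_ports(NSG_RULES):
        print(f"management port open to any source: NSG rule {name}")
```

Note the distinction the classifier draws: a four-hour active assignment is what a PIM activation looks like and is fine, while a six-month "time-bound" active assignment is still standing access for its whole duration and should become an eligible assignment instead.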

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-3: Manage lifecycle of identities and entitlements

CIS Controls v8 ID(s): 6.1, 6.2
NIST SP 800-53 r4 ID(s): AC-5, AC-6
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1

Security Principle: Use an automated process or technical control to manage the identity and access lifecycle including the request, review, approval, provision, and deprovision.

Azure Guidance: Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-4: Review and reconcile user access regularly

CIS Controls v8 ID(s): 5.1, 5.3, 5.5
NIST SP 800-53 r4 ID(s): AC-2, AC-6
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1, A3.4

Security Principle: Conduct regular review of privileged account entitlements. Ensure the access granted to the accounts is valid for administration of control plane, management plane, and workloads.

Azure Guidance: Review all privileged accounts and their access entitlements in Azure, such as the Azure tenant, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools.

Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, that is, accounts that have not been used for a certain amount of time.

In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured.
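The two signals this control describes, stale privileged accounts and roles with an excessive number of holders, can be pre-computed so that the reviewer starts from a suggested decision per entitlement. The script below is an added example, not part of the benchmark and not the logic of Azure AD access reviews or of PIM's alerts. Its inputs are constructed: a list of privileged entitlements and the last sign-in per principal, as a review would pull from Azure AD sign-in reporting. The 90-day staleness window and the per-role headcount ceilings are assumptions for the example, not Azure defaults.

```python
"""Periodic review of privileged entitlements: stale holders and crowded roles.

Added example, not part of the Microsoft benchmark text. Inputs are constructed:
a list of privileged entitlements (principal, role) and the last sign-in per
principal as an access review would pull from Azure AD sign-in reporting. The
90-day staleness window and the per-role headcount ceilings are assumptions for
this example, not Azure defaults.
"""
from collections import Counter
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)
MAX_HOLDERS = {"Global Administrator": 2, "Owner": 3}  # assumed ceilings per role
DEFAULT_MAX_HOLDERS = 5
REVIEW_DATE = datetime.fromisoformat("2024-06-30T00:00:00+00:00")  # constructed

ENTITLEMENTS = [
    {"principal": "alice@contoso.example", "role": "Global Administrator"},
    {"principal": "bob@contoso.example", "role": "Global Administrator"},
    {"principal": "carol@contoso.example", "role": "Global Administrator"},
    {"principal": "dave@contoso.example", "role": "Owner"},
    {"principal": "svc-deploy@contoso.example", "role": "Owner"},
    {"principal": "erin@contoso.example", "role": "Contributor"},
]

# Last sign-in per principal; None = never signed in since the account was created.
LAST_SIGN_IN = {
    "alice@contoso.example": "2024-06-28T08:00:00+00:00",
    "bob@contoso.example": "2024-02-10T12:00:00+00:00",
    "carol@contoso.example": "2024-06-01T12:00:00+00:00",
    "dave@contoso.example": None,
    "svc-deploy@contoso.example": "2024-06-29T03:00:00+00:00",
    "erin@contoso.example": "2024-06-20T09:00:00+00:00",
}


def stale_principals(entitlements, last_sign_in, review_date):
    """(principal, role) pairs whose principal has no sign-in inside the window."""
    stale = []
    for e in entitlements:
        seen = last_sign_in.get(e["principal"])
        if seen is None or review_date - datetime.fromisoformat(seen) > STALE_AFTER:
            stale.append((e["principal"], e["role"]))
    return stale


def crowded_roles(entitlements):
    """Roles whose holder count exceeds the ceiling, as a {role: count} map."""
    counts = Counter(e["role"] for e in entitlements)
    return {
        role: n for role, n in counts.items()
        if n > MAX_HOLDERS.get(role, DEFAULT_MAX_HOLDERS)
    }


def review_decisions(entitlements, last_sign_in, review_date):
    """One suggested decision per entitlement for the reviewer to confirm:
    remove stale holders first, then ask for justification where a role is
    over its ceiling, otherwise keep."""
    stale = set(stale_principals(entitlements, last_sign_in, review_date))
    crowded = crowded_roles(entitlements)
    decisions = []
    for e in entitlements:
        key = (e["principal"], e["role"])
        if key in stale:
            decisions.append((*key, "remove: no sign-in within %d days" % STALE_AFTER.days))
        elif e["role"] in crowded:
            decisions.append((*key, "justify: role has %d holders" % crowded[e["role"]]))
        else:
            decisions.append((*key, "keep"))
    return decisions


if __name__ == "__main__":
    for principal, role, decision in review_decisions(ENTITLEMENTS, LAST_SIGN_IN, REVIEW_DATE):
        print(f"{principal:32} {role:24} {decision}")
```

The output is a starting point for the human review, not the review itself: an account with no sign-ins may be a break-glass account that is supposed to be idle (see PA-5), which is exactly the kind of exception the reviewer records rather than the script.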

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-5: Set up emergency access

CIS Controls v8 ID(s): N/A
NIST SP 800-53 r4 ID(s): AC-2
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency.

Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required.

Azure Guidance: To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g. an account with Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used.

You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them, and only in an emergency. You may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving each piece to a separate person), to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure the emergency access accounts are only used under authorization.
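The monitoring requirement in the last sentence is the part that is easy to get wrong: a break-glass sign-in is not an incident by itself, but a break-glass sign-in with no matching authorization is. The following is an added example of that triage, not part of the benchmark and not Azure AD's own alerting. The sign-in records are constructed JSON lines using a few field names from Azure AD sign-in logs (`userPrincipalName`, `createdDateTime`, `ipAddress`, `status.errorCode`); the authorization register is a constructed list of approved windows keyed by the ticket that approved them. The account names, IP addresses and ticket ids are all made up.

```python
"""Alert on emergency (break-glass) account use outside an authorized window.

Added example, not part of the Microsoft benchmark text. The sign-in records
are constructed JSON lines using a few field names from Azure AD sign-in logs
(userPrincipalName, createdDateTime, ipAddress, status.errorCode); the
authorization register is a constructed list of approved windows keyed by the
incident ticket that approved them.
"""
import json
from datetime import datetime

# Accounts reserved for break-glass use (constructed names).
BREAK_GLASS_ACCOUNTS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

# Approved emergency-use windows: (ticket, account, start, end). Constructed.
AUTHORIZED_WINDOWS = [
    ("INC-0001", "breakglass1@contoso.example",
     "2024-05-02T10:00:00+00:00", "2024-05-02T12:00:00+00:00"),
]

# Constructed sign-in log lines. errorCode 0 is a successful sign-in; 50126 is
# Azure AD's "invalid username or password" code.
SIGN_IN_LOG = """
{"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-02T09:58:00+00:00", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "breakglass1@contoso.example", "createdDateTime": "2024-05-02T10:15:00+00:00", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "breakglass1@contoso.example", "createdDateTime": "2024-05-09T03:40:00+00:00", "ipAddress": "203.0.113.44", "status": {"errorCode": 0}}
{"userPrincipalName": "breakglass2@contoso.example", "createdDateTime": "2024-05-09T03:41:00+00:00", "ipAddress": "203.0.113.44", "status": {"errorCode": 50126}}
""".strip()


def parse_sign_ins(text):
    """Parse JSON-lines sign-in records into dicts, adding a parsed datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["when"] = datetime.fromisoformat(rec["createdDateTime"])
        events.append(rec)
    return events


def authorizing_ticket(account, when, windows):
    """Ticket whose approved window covers this sign-in, or None."""
    for ticket, acct, start, end in windows:
        if acct == account and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return ticket
    return None


def triage_break_glass(events, accounts, windows):
    """Return (authorized, alerts). Every break-glass sign-in, successful or
    failed, is either tied to a ticket or raised as an alert; failed attempts
    outside a window matter because the credential should never be in use."""
    authorized, alerts = [], []
    for ev in events:
        upn = ev["userPrincipalName"]
        if upn not in accounts:
            continue  # ordinary accounts are covered by other detections
        outcome = "success" if ev["status"]["errorCode"] == 0 else "failure"
        summary = (upn, ev["createdDateTime"], ev["ipAddress"], outcome)
        ticket = authorizing_ticket(upn, ev["when"], windows)
        if ticket:
            authorized.append((ticket,) + summary)
        else:
            alerts.append(summary)
    return authorized, alerts


if __name__ == "__main__":
    events = parse_sign_ins(SIGN_IN_LOG)
    authorized, alerts = triage_break_glass(events, BREAK_GLASS_ACCOUNTS, AUTHORIZED_WINDOWS)
    for row in authorized:
        print("authorized break-glass use:", row)
    for row in alerts:
        print("ALERT unapproved break-glass activity:", row)
```

In practice the authorization register would be fed from the change or incident system rather than a literal in the script, and the alert path should not depend on the same identity system the break-glass account exists to recover (for example, route it to a separate log sink or SIEM).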

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-6: Use privileged access workstations

CIS Controls v8 ID(s): 12.8, 13.5
NIST SP 800-53 r4 ID(s): AC-2, SC-2, SC-7
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator.

Azure Guidance: Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAWs) on-premises or in Azure for privileged tasks. PAWs should be centrally managed to enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.

You may also use Azure Bastion, a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a browser.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-7: Follow just enough administration (least privilege) principle

CIS Controls v8 ID(s): 3.3, 6.8
NIST SP 800-53 r4 ID(s): AC-2, AC-3, AC-6
PCI-DSS v3.2.1 ID(s): 7.1, 7.2

Security Principle: Follow the just enough administration (least privilege) principle to manage permissions at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments.

Azure Guidance: Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal.

The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to set a time-bound assignment condition on a role assignment, so that a user can activate or use the role only within the start and end dates.

Note: Use Azure built-in roles to allocate permissions and only create custom roles when required.
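Deciding whether an assignment is "limited to what's required" means comparing the role's permission patterns against the operations the principal actually performs. The script below is an added example, not part of the benchmark and not an Azure tool. It implements the `*` wildcard matching that Azure RBAC applies to `Actions` and `NotActions` (a `*` matches any run of characters including `/`, and matching is case-insensitive) and checks a constructed list of observed operations, of the kind an activity-log export would show, against candidate roles. The Reader, Contributor and Owner definitions are simplified approximations of the built-in roles; "VM Operator" is a constructed custom role; the narrowest-to-broadest ordering of candidates is an assumption. Confirm the real definitions with `az role definition list` before acting on the result.

```python
"""Right-size an Azure RBAC assignment against the operations actually used.

Added example, not part of the Microsoft benchmark text. Implements Azure RBAC
'*' wildcard matching for Actions/NotActions and compares a constructed list of
observed operations against candidate roles. The built-in definitions below are
simplified approximations of Reader, Contributor and Owner; "VM Operator" is a
constructed custom role. Confirm definitions with `az role definition list`.
"""
import re

ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"]},
    "Owner": {"actions": ["*"], "notActions": []},
    # Constructed custom role: just enough for day-to-day VM operations.
    "VM Operator": {"actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Insights/metrics/read"], "notActions": []},
}

# Candidate roles from narrowest to broadest (the ordering is an assumption).
CANDIDATES = ["Reader", "VM Operator", "Contributor", "Owner"]

# Constructed: distinct operations a principal performed over the review period.
OBSERVED_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Insights/metrics/read",
]


def action_matches(pattern, operation):
    """Azure RBAC wildcard: '*' matches any run of characters, including '/',
    and comparison is case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """Allowed if some Action matches and no NotAction subtracts it. NotActions
    are a subtraction inside this role only, not a deny across other roles."""
    allowed = any(action_matches(p, operation) for p in role["actions"])
    excluded = any(action_matches(p, operation) for p in role["notActions"])
    return allowed and not excluded


def uncovered_operations(role, operations):
    """Observed operations this role would not permit."""
    return [op for op in operations if not role_allows(role, op)]


def narrowest_covering_role(candidates, roles, operations):
    """First candidate (narrowest first) that permits every observed operation."""
    for name in candidates:
        if not uncovered_operations(roles[name], operations):
            return name
    return None


if __name__ == "__main__":
    assigned = "Contributor"
    suggestion = narrowest_covering_role(CANDIDATES, ROLES, OBSERVED_OPERATIONS)
    print(f"assigned {assigned}; narrowest role covering observed activity: {suggestion}")
    print("Reader would block:", uncovered_operations(ROLES["Reader"], OBSERVED_OPERATIONS))
```

On the constructed activity the principal assigned Contributor only ever read VMs, started and restarted them, and read metrics, so the custom "VM Operator" role covers everything observed while Reader would block the two `/action` operations. The `role_allows` check also shows why Contributor is less dangerous than Owner: its `NotActions` subtract `Microsoft.Authorization/*/Write`, so it cannot create role assignments, which is the behaviour the PA-1 role descriptions above rely on.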

Implementation and additional context:

Customer Security Stakeholders (Learn more):

PA-8: Determine access process for cloud provider support

CIS Controls v8 ID(s): 6.1, 6.2
NIST SP 800-53 r4 ID(s): AC-4, AC-2, AC-3
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Establish an approval process and access path for requesting and approving vendor support requests and temporary access to your data through a secure channel.

Azure Guidance: In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and approve or reject each Microsoft data access request.

Implementation and additional context:

Customer Security Stakeholders (Learn more):