rules/findings/EntraID/IAM/CIS3.1/eid-high-privileged-roles-access-reviews-not-configured.json
{
"args": [ ], "provider": "EntraID", "serviceType": "Users", "serviceName": "Microsoft Entra ID", "displayName": "Ensure 'Access reviews' for high privileged Entra ID roles are configured", "description": "Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for high privileged Entra ID roles are done no less frequently than weekly. These reviews should include at a minimum the roles listed below: * Global Administrator * Exchange Administrator * SharePoint Administrator * Teams Administrator * Security Administrator **NOTE**: An access review is created for each role selected after completing the process.", "rationale": "Regular review of critical high privileged roles in Entra ID will help identify role drift or potential malicious activity. This will enable the practice and application of `separation of duties` where even non-privileged users like security auditors can be assigned to review assigned roles in an organization.\nFurthermore, if configured, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.",
"impact": null, "remediation": { "text": "", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review", "https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "3.1.0", "reference": "5.3.3", "profile": "E5 Level 1" } ], "level": "low", "tags": [ ], "rule": { "path": "", "subPath": null, "selectCondition": { }, "query": [ ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "isManual":false, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure 'Access reviews' for High Privileged Users are configured", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "eid_high_privileged_roles_access_review_not_present", "notes": [ ], "categories": [ ] }