rules/findings/EntraID/IAM/CIS3.1/entra-id-missing-cloud-only-administrative-account.json
|
{
"args": [ ], "provider": "EntraID", "serviceType": "Entra Identity Governance", "serviceName": "Microsoft Entra ID", "displayName": "Ensure Administrative accounts are separate and cloud-only", "description": "Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes.\r\n\t\t\t\t Ensure administrative accounts are `cloud-only`.", "rationale": "Ensuring administrative accounts are cloud-only, will reduce the attack surface of high privileged identities in your environment. In order to participate in Microsoft 365 security services such as Identity protection, PIM and Conditional Access an administrative account will need a license attached to it. In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice versa.", "impact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing administrative tasks, as well as not benefiting from SSO.\r\n\t\t *Note:* Alerts will be sent to the TenantAdmins, including Global Administrators, by default. To ensure proper receipt, configure alerts to be sent to security or operations staff with valid email addresses or a security operations center. Otherwise, after adoption of this recommendation, alerts sent to TenantAdmins may go unreceived due to the lack of an application-based license assigned to the Global Administrator accounts.", "remediation": { "text": null, "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure", "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access", "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.powershell.cmdlets.resources.msgraph.models.apiv10.microsoftgraphuser.onpremisessyncenabled?view=az-ps-latest", "https://practical365.com/listing-azure-ad-office-365-user-accounts-directory-sync-status/" ], "compliance": [ { "name": "CIS Microsoft Microsoft 365 Foundations", "version": "3.1.0", "reference": "1.1.1", "profile": "E3 Level 1" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_role_assignment", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "include": "aad-m365-privileged-roles.json" } ] }, { "connectOperator": "and", "filter": [ { "conditions": [ [ "dirSyncEnabled", "ne" ], [ "OnPremisesSyncEnabled", "ne" ] ], "whereObject": "effectiveUsers", "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ "userPrincipalName" ], "message": "The {userPrincipalName} user account is not a cloud-only account and hence the account is not separated from on-prem identity", "defaultMessage": null }, "properties": { "resourceName": "displayName", "resourceId": "id", "resourceType": "user" }, "onlyStatus": false } }, "idSuffix": "aad_lack_cloud_only_accounts", "notes": [ ], "categories": [ ] } |