Version: 2.1.1-preview

CISA.MS.AAD.7.4 - Permanent active role assignments SHALL NOT be allowed for highly privileged roles.

Overview

Permanent active role assignments SHALL NOT be allowed for highly privileged roles.

Rationale: Instead of giving users permanent assignments to privileged roles, provisioning access just in time limits the window in which a compromised account can use the role. In Microsoft Entra ID PIM (formerly Azure AD PIM) or an alternative PAM system, just-in-time access is provisioned by making users eligible for a role, so the role must be activated for a bounded period, rather than assigning it as perpetually active.

Note: Exceptions to this policy are:

  • Emergency access accounts that need perpetual access to the tenant in the rare event of system degradation or other scenarios.
  • Some types of service accounts that require a user account with privileged roles; since these accounts are used by software programs, they cannot perform role activation.

Remediation action:

  1. In the Microsoft Entra admin center, expand Show more, select Roles & admins, and then All roles.

    Perform the steps below for each highly privileged role. We reference the Global Administrator role as an example.

  2. Select the Global administrator role.

  3. Under Manage, select Assignments and click the Active assignments tab.

  4. Verify there are no users or groups with a value of Permanent in the End time column. If there are any, recreate those assignments with an expiration date (or as eligible assignments) using Entra ID PIM or an alternative PAM system. If a group is identified and it is enrolled in PIM for Groups, its membership is already time-bound; see the exceptions noted above for the other permitted cases (emergency access accounts and service accounts that cannot activate roles).
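The portal steps above cover one role at a time. The following PowerShell, an added example that is not the Maester test's own code, does the same check for every highly privileged role at once through Microsoft Graph: it lists active assignment instances with no end date (what the portal shows as Permanent), resolves each principal, and classifies the result against the exceptions above. It assumes the Microsoft.Graph.Authentication module, the list of roles the CISA baseline treats as highly privileged (adjust for your tenant), and a hypothetical allowlist of exempt emergency access and service account object IDs.

```powershell
# Added example, not part of Maester or the CISA baseline.
# Assumes: Microsoft.Graph.Authentication module; the signed-in identity holds
# RoleManagement.Read.Directory, Directory.Read.All and
# PrivilegedEligibilitySchedule.Read.AzureADGroup (the last one only for the PIM for Groups check).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All',
    'PrivilegedEligibilitySchedule.Read.AzureADGroup' -NoWelcome

# Roles the CISA baseline treats as highly privileged (assumption; extend as needed).
$privilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'User Administrator',
    'SharePoint Administrator', 'Exchange Administrator', 'Hybrid Identity Administrator',
    'Application Administrator', 'Cloud Application Administrator'
)

# Hypothetical object IDs of break-glass and service accounts exempted by policy.
$exemptPrincipalIds = @('00000000-0000-0000-0000-000000000001')

function Get-GraphCollection {
    # Follow @odata.nextLink so paged results are never silently truncated.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$graph = 'https://graph.microsoft.com/v1.0'
$findings = foreach ($roleName in $privilegedRoles) {
    $escaped = $roleName.Replace("'", "''")   # OData string escaping
    $role = Get-GraphCollection "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$escaped'" |
        Select-Object -First 1
    if (-not $role) { Write-Warning "Role '$roleName' not found in this tenant"; continue }

    # Schedule instances are the *active* assignments; eligible ones live under eligibilityScheduleInstances.
    $instances = Get-GraphCollection "$graph/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=roleDefinitionId eq '$($role.id)'"

    foreach ($i in $instances) {
        # 'Activated' instances are JIT activations and always carry an end time;
        # a null endDateTime on an 'Assigned' instance is what the portal renders as Permanent.
        if ($i.assignmentType -ne 'Assigned' -or $null -ne $i.endDateTime) { continue }

        $principal = Invoke-MgGraphRequest -Method GET -Uri "$graph/directoryObjects/$($i.principalId)" -OutputType PSObject
        $kind = $principal.'@odata.type' -replace '^#microsoft\.graph\.', ''

        $status = if ($exemptPrincipalIds -contains $i.principalId) {
            'Exempt (emergency access / service account)'
        } elseif ($kind -eq 'group') {
            # A group with at least one PIM for Groups eligibility schedule has time-bound
            # membership, which the baseline treats as an acceptable exception (assumption).
            try {
                $elig = Get-GraphCollection "$graph/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$($i.principalId)'"
                if ($elig.Count -gt 0) { 'Group enrolled in PIM for Groups' } else { 'VIOLATION: permanent group assignment' }
            } catch { 'Group: PIM for Groups status unknown (insufficient permission?)' }
        } else {
            'VIOLATION: permanent active assignment'
        }

        [pscustomobject]@{
            Role        = $roleName
            Principal   = if ($principal.userPrincipalName) { $principal.userPrincipalName } else { $principal.displayName }
            PrincipalId = $i.principalId
            Type        = $kind
            Scope       = $i.directoryScopeId
            Status      = $status
        }
    }
}

$findings | Sort-Object Role, Status | Format-Table -AutoSize
# Non-zero exit for CI pipelines when any unexempted permanent assignment remains.
if ($findings | Where-Object Status -like 'VIOLATION*') { exit 1 }
```

Every row marked VIOLATION should be recreated as an eligible (or time-bound active) assignment; rows marked Exempt should correspond one-to-one with the documented break-glass and service accounts, so an unexpected ID in that list is itself a finding. Tenant-scoped directory roles can also be assigned at an administrative-unit scope, which is why the Scope column is kept rather than assuming "/".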

Test Metadata

Field             Value
Test ID           CISA.MS.AAD.7.4
Severity          High
Suite             CISA
Category          Entra ID P2
PowerShell test   Test-MtCisaPermanentRoleAssignment
Tags              CISA, CISA.MS.AAD.7.4, Entra ID P2, MS.AAD, MS.AAD.7.4

Source

  • Pester test: tests/cisa/entra/Test-MtCisaPermanentRoleAssignment.Tests.ps1
  • PowerShell source: powershell/public/cisa/entra/Test-MtCisaPermanentRoleAssignment.ps1