CISA.MS.AAD.7.5 - Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.
Overview
Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.
Rationale: Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed.
Remediation action:
- In Entra admin center select Show more > Roles & admins and then select All roles.
  Perform the steps below for each highly privileged role. We reference the Global Administrator role as an example.
- Select the Global administrator role.
- Under Manage, select Assignments and click the Active assignments tab.
- For each user or group listed, examine the value in the Start time column. If it contains a value of -, this indicates the respective user/group was assigned to that role outside of Entra ID PIM. If the role was assigned outside of Entra ID PIM, delete the assignment and recreate it using Entra ID PIM.
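The manual check above scales poorly across many roles and tenants. The following PowerShell is an added example (not Maester's Test-MtCisaUnmanagedRoleAssignment implementation) that applies the same "Start time is empty" rule programmatically; it assumes the Microsoft Graph beta roleAssignmentScheduleInstances endpoint reports a null startDateTime for active assignments created outside PIM, and the sample objects are constructed.

```powershell
# Added example, not Maester's own Test-MtCisaUnmanagedRoleAssignment code.
# Assumption: the Graph beta endpoint roleManagement/directory/roleAssignmentScheduleInstances
# reports startDateTime as null for active assignments that were not created through PIM,
# which is the "-" shown in the portal's Start time column. Sample data below is constructed.

function Find-UnmanagedPrivilegedAssignment {
    [CmdletBinding()]
    param(
        # Objects shaped like unifiedRoleAssignmentScheduleInstance
        [Parameter(Mandatory)] [object[]] $ScheduleInstance,
        # roleDefinitionId -> display name of the highly privileged roles to check
        [Parameter(Mandatory)] [hashtable] $PrivilegedRole
    )
    foreach ($instance in $ScheduleInstance) {
        # Only roles on the highly privileged list are in scope
        if (-not $PrivilegedRole.ContainsKey($instance.roleDefinitionId)) { continue }
        # 'Activated' instances are PIM activations of eligible roles and are PIM-managed by definition
        if ($instance.assignmentType -ne 'Assigned') { continue }
        if ($null -eq $instance.startDateTime) {
            [pscustomobject]@{
                Role        = $PrivilegedRole[$instance.roleDefinitionId]
                PrincipalId = $instance.principalId
                MemberType  = $instance.memberType
                Finding     = 'Active assignment created outside Entra ID PIM; remove and recreate via PIM'
            }
        }
    }
}

# Global Administrator role template id (fixed across tenants)
$gaId = '62e90394-69f5-4237-9190-012177145e10'
$privilegedRoles = @{ $gaId = 'Global Administrator' }

# Constructed sample: a PIM-managed permanent assignment, a direct one, and an out-of-scope role
$sample = @(
    [pscustomobject]@{ roleDefinitionId = $gaId; principalId = '00000000-0000-0000-0000-000000000001'
                       assignmentType = 'Assigned'; memberType = 'Direct'; startDateTime = '2024-01-15T09:00:00Z' }
    [pscustomobject]@{ roleDefinitionId = $gaId; principalId = '00000000-0000-0000-0000-000000000002'
                       assignmentType = 'Assigned'; memberType = 'Direct'; startDateTime = $null }
    [pscustomobject]@{ roleDefinitionId = '00000000-0000-0000-0000-0000000000aa'; principalId = '00000000-0000-0000-0000-000000000003'
                       assignmentType = 'Assigned'; memberType = 'Direct'; startDateTime = $null }
)

Find-UnmanagedPrivilegedAssignment -ScheduleInstance $sample -PrivilegedRole $privilegedRoles | Format-Table

# Against a live tenant (after Connect-MgGraph -Scopes RoleAssignmentSchedule.Read.Directory):
# $live = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleInstances').value
# Find-UnmanagedPrivilegedAssignment -ScheduleInstance $live -PrivilegedRole $privilegedRoles
```

The live call in the trailing comment reads a single page of results; tenants with many assignments need @odata.nextLink paging, and the hashtable should be extended with every role your organisation classes as highly privileged, not only Global Administrator.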
Related links
- Entra admin center - Roles and administrators | All roles
- CISA 7.5 Highly Privileged User Access - MS.AAD.7.5v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.7.5 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P2 |
| PowerShell test | Test-MtCisaUnmanagedRoleAssignment |
| Tags | CISA, CISA.MS.AAD.7.5, Entra ID P2, MS.AAD, MS.AAD.7.5 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaUnmanagedRoleAssignments.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaUnmanagedRoleAssignment.ps1