CISA.MS.AAD.7.6 - Activation of the Global Administrator role SHALL require approval.
Overview
Activation of the Global Administrator role SHALL require approval.
Rationale: Requiring approval to activate Global Administrator, a role that grants unfettered access to the tenant, makes it harder for an attacker holding stolen credentials to take over the tenant, and the approval request itself gives defenders visibility of activity that may indicate a compromise in progress.
Remediation action:
- In Entra admin center select Identity governance and Privileged Identity Management.
- Under Manage, select Microsoft Entra roles.
- Under Manage, select Roles.
- Select the Global Administrator role in the list.
- Click Settings.
- Click Edit.
- Select the Require approval to activate option.
- Click Update.
- Review the list of groups that are actively assigned to the Global Administrator role. If any of those groups are enrolled in PIM for Groups, apply the same Require approval to activate setting to each such group's Member settings in PIM for Groups; otherwise activating membership of the group is an approval-free path to Global Administrator.
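The following PowerShell is an added example for verifying the outcome of the steps above from the Microsoft Graph side; it is not the Maester test's own code. It assumes the Microsoft.Graph.Authentication module is installed and that an existing Connect-MgGraph session has the RoleManagement.Read.Directory, RoleManagementPolicy.Read.Directory, RoleManagementPolicy.Read.AzureADGroup and Directory.Read.All permissions. It reads the Approval_EndUser_Assignment rule of the PIM policy that applies to Global Administrator, then repeats the check for the Member settings of every group that is actively assigned to the role and enrolled in PIM for Groups. The function names are hypothetical; the role template ID is the well-known Global Administrator ID.

```powershell
# Added example, not part of the Maester project. Assumes an existing Connect-MgGraph session.
# Well-known template ID of the Global Administrator role (identical in every tenant).
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

function Get-PimApprovalRequired {
    # Returns $true/$false for "Require approval to activate" in the PIM policy that applies
    # to the given scope, or $null when no policy assignment is returned for that scope
    # (which is what you see for a group that is not onboarded to PIM for Groups).
    param(
        [Parameter(Mandatory)] [string] $ScopeId,          # '/' for directory roles, group object ID for PIM for Groups
        [Parameter(Mandatory)] [string] $ScopeType,        # 'DirectoryRole' or 'Group'
        [Parameter(Mandatory)] [string] $RoleDefinitionId  # role template ID, or 'member' / 'owner' for a group
    )
    $filter = "scopeId eq '$ScopeId' and scopeType eq '$ScopeType' and roleDefinitionId eq '$RoleDefinitionId'"
    $uri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?`$filter=$([uri]::EscapeDataString($filter))"
    $assignment = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    if (-not $assignment) { return $null }

    # The activation approval requirement is the Approval_EndUser_Assignment rule of the policy.
    $ruleUri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$($assignment.policyId)/rules/Approval_EndUser_Assignment"
    $rule = Invoke-MgGraphRequest -Method GET -Uri $ruleUri
    return [bool] $rule.setting.isApprovalRequired
}

function Test-GlobalAdminActivationApproval {
    # Checks the directory-role policy for Global Administrator, then the Member policy of
    # every group that is actively assigned to the role and enrolled in PIM for Groups.
    $findings = [System.Collections.Generic.List[object]]::new()

    $directoryApproval = Get-PimApprovalRequired -ScopeId '/' -ScopeType 'DirectoryRole' -RoleDefinitionId $GlobalAdminRoleId
    $findings.Add([pscustomobject]@{
        Scope            = 'Global Administrator (directory role)'
        ApprovalRequired = $directoryApproval
    })

    # roleAssignments lists active (not eligible) assignments; expand the principal to spot groups.
    $filter = "roleDefinitionId eq '$GlobalAdminRoleId'"
    $uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?`$filter=$([uri]::EscapeDataString($filter))&`$expand=principal"
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    $groups = $assignments | Where-Object { $_.principal.'@odata.type' -eq '#microsoft.graph.group' }

    foreach ($g in $groups) {
        # A group enrolled in PIM for Groups has its own policy assignment scoped to the group.
        # $null here means the group is not PIM-enrolled, so there is no activation step to approve;
        # $false means membership can be activated without approval, which bypasses the role setting.
        $memberApproval = Get-PimApprovalRequired -ScopeId $g.principalId -ScopeType 'Group' -RoleDefinitionId 'member'
        $findings.Add([pscustomobject]@{
            Scope            = "Group '$($g.principal.displayName)' ($($g.principalId)) - PIM for Groups member settings"
            ApprovalRequired = $memberApproval
        })
    }
    return $findings
}

# Usage: every row whose ApprovalRequired is $false is a gap against MS.AAD.7.6.
Test-GlobalAdminActivationApproval | Format-Table -AutoSize
```

Run it once before and once after applying the remediation steps; the first row should flip to True, and any group row showing False needs the same setting applied in that group's PIM for Groups Member settings.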
Related links
- Entra admin center - Privileged Identity Management | Microsoft Entra roles
- CISA 7.6 Highly Privileged User Access - MS.AAD.7.6v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.7.6 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P2 |
| PowerShell test | Test-MtCisaRequireActivationApproval |
| Tags | CISA, CISA.MS.AAD.7.6, Entra ID P2, MS.AAD, MS.AAD.7.6 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaRequireActivationApproval.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaRequireActivationApproval.ps1