Version: 2.1.1-preview

CISA.MS.AAD.7.7 - Eligible and Active highly privileged role assignments SHALL trigger an alert.

Overview

Eligible and Active highly privileged role assignments SHALL trigger an alert.

Rationale: Closely monitor assignment of the highest privileged roles for signs of compromise. Send assignment alerts to enable the security monitoring team to detect compromise attempts.

Remediation action:

  1. In Entra admin center select Identity governance and Privileged Identity Management.

  2. Under Manage, select Microsoft Entra roles.

  3. Under Manage, select Roles.

    Perform the steps below for each highly privileged role. We reference the Global Administrator role as an example.

  4. Click the Global Administrator role.

  5. Click Settings and then click Edit.

  6. Click the Notifications tab.

  7. Under Send notifications when members are assigned as eligible to this role, in the Role assignment alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive privileged role assignment alerts.

  8. Under Send notifications when members are assigned as active to this role, in the Role assignment alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive privileged role assignment alerts.

  9. Click Update.

  10. For each of the highly privileged roles, if they have any PIM groups actively assigned to them, then also apply the same configurations per the steps above to each PIM group's Member settings.
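The portal steps above can be verified from the Graph side as well. The following is an added example, not Maester's Test-MtCisaAssignmentNotification code; it assumes the Microsoft.Graph.Authentication module and a Connect-MgGraph session with the RoleManagement.Read.Directory and RoleManagementPolicy.Read.Directory scopes, and the mailbox address is a constructed placeholder.

```powershell
# Added example: read the PIM "Role assignment alert" recipients for a highly
# privileged Entra role and report whether the security mailbox is on the list.
# Assumes: Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','RoleManagementPolicy.Read.Directory'
function Test-PimAssignmentAlertRecipients {
    param(
        [string] $RoleDisplayName = 'Global Administrator',
        [Parameter(Mandatory)] [string] $SecurityMailbox
    )
    $base = 'https://graph.microsoft.com/v1.0'

    # Resolve the role definition by display name instead of hard-coding a template ID.
    $roleUri = "$base/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$RoleDisplayName'"
    $role = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value | Select-Object -First 1
    if (-not $role) { throw "Role '$RoleDisplayName' not found" }

    # Locate the PIM policy bound to this role at directory scope ('/').
    $assignUri = "$base/policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.id)'"
    $policyId = ((Invoke-MgGraphRequest -Method GET -Uri $assignUri).value | Select-Object -First 1).policyId
    if (-not $policyId) { throw "No PIM policy assignment found for '$RoleDisplayName'" }

    $rules = (Invoke-MgGraphRequest -Method GET -Uri "$base/policies/roleManagementPolicies/$policyId/rules").value

    # Rule IDs correspond to the portal rows in steps 7 and 8:
    #   Notification_Admin_Admin_Eligibility -> "assigned as eligible" / Role assignment alert
    #   Notification_Admin_Admin_Assignment  -> "assigned as active"   / Role assignment alert
    foreach ($ruleId in 'Notification_Admin_Admin_Eligibility', 'Notification_Admin_Admin_Assignment') {
        $rule = $rules | Where-Object { $_.id -eq $ruleId }
        $recipients = @($rule.notificationRecipients)
        [pscustomobject]@{
            Role          = $RoleDisplayName
            Rule          = $ruleId
            Level         = $rule.notificationLevel          # 'All' means alerts are sent
            DefaultAdmins = $rule.isDefaultRecipientsEnabled # built-in admin recipients still enabled
            Recipients    = ($recipients -join ';')
            # -contains is case-insensitive, which suits mailbox addresses
            Pass          = ($rule.notificationLevel -ne 'None') -and ($recipients -contains $SecurityMailbox)
        }
    }
}

# Placeholder mailbox; replace with the monitoring mailbox from step 7.
Test-PimAssignmentAlertRecipients -SecurityMailbox 'pim-alerts@example.com' | Format-Table -AutoSize
```

Run it once per highly privileged role (and, per step 10, against the policies of any PIM groups assigned to those roles) and treat any row with Pass = False as a finding.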

Test Metadata

| Field | Value |
| --- | --- |
| Test ID | CISA.MS.AAD.7.7 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P2 |
| PowerShell test | Test-MtCisaAssignmentNotification |
| Tags | CISA, CISA.MS.AAD.7.7, Entra ID P2, MS.AAD, MS.AAD.7.7 |

Source

  • Pester test: tests/cisa/entra/Test-MtCisaAssignmentNotification.Tests.ps1
  • PowerShell source: powershell/public/cisa/entra/Test-MtCisaAssignmentNotification.ps1