CISA.MS.AAD.7.9 - User activation of other highly privileged roles SHOULD trigger an alert.
## Overview
User activation of the Global Administrator role SHALL trigger an alert.
Rationale: Closely monitor activation of the Global Administrator role for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts.
User activation of other highly privileged roles SHOULD trigger an alert.
Rationale: Closely monitor activation of high-risk roles for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts. In some environments, activating privileged roles can generate a significant number of alerts.
## Remediation action

- In Entra admin center select Identity governance and Privileged Identity Management.
- Under Manage, select Microsoft Entra roles.
- Under Manage, select Roles.
- Search and click the Global Administrator role.

  For each of the highly privileged roles (other than Global Administrator), follow the same steps but enter a security monitoring mailbox different from the one used to monitor Global Administrator activations.
- Click Settings and then click Edit.
- Click the Notifications tab.
- Under Send notifications when eligible members activate this role, in the Role activation alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive role activation alerts.
- Click Update.
- If the role has any PIM groups actively assigned to it, then also apply the same configurations per the steps above to each PIM group's Member settings.
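The steps above configure the alert in the portal. The script below is an added example (not code from the Maester project or its Test-MtCisaActivationNotification test) that reads the same PIM setting back through Microsoft Graph so you can verify the Role activation alert recipients for each role; it assumes the Microsoft.Graph PowerShell SDK and the RoleManagementPolicy.Read.Directory permission, and the set of roles it checks is an assumption to replace with your own list.

```powershell
# Added example, not part of the Maester project or its Test-MtCisaActivationNotification test.
# Reads each role's PIM policy through Microsoft Graph and reports whether the
# "Role activation alert" notification has an additional recipient configured.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'RoleManagementPolicy.Read.Directory' -NoWelcome

# Well-known Entra role template IDs. Which roles count as "highly privileged"
# is an assumption here; replace this with your organisation's list.
$roles = [ordered]@{
    'Global Administrator'          = '62e90394-69f5-4237-9190-012177145e10'
    'Privileged Role Administrator' = 'e8611ab8-c189-46e8-94e1-60213ab1f814'
    'User Administrator'            = 'fe930be7-5e62-47db-90be-4e8d87d6f5d0'
    'Security Administrator'        = '194ae4cb-b126-40b2-bd5b-6091b380977d'
}

function Get-RoleActivationAlertRecipients {
    param([string]$RoleDefinitionId)

    # Tenant-wide (scope '/') PIM policy assigned to this directory role, with its rules expanded.
    $filter = [uri]::EscapeDataString("scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleDefinitionId'")
    $uri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?`$filter=$filter&`$expand=policy(`$expand=rules)"
    $assignment = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value | Select-Object -First 1

    # Rule id behind "Send notifications when eligible members activate this role"
    # > "Role activation alert" on the PIM Notifications tab.
    $rule = $assignment.policy.rules | Where-Object { $_.id -eq 'Notification_Admin_EndUser_Assignment' }
    return @($rule.notificationRecipients)
}

$results = foreach ($name in $roles.Keys) {
    $recipients = Get-RoleActivationAlertRecipients -RoleDefinitionId $roles[$name]
    [pscustomobject]@{
        Role       = $name
        Configured = ($recipients.Count -gt 0)
        Recipients = ($recipients -join '; ')
    }
}

# A "Configured = False" row means activations of that role alert no monitoring mailbox.
$results | Format-Table -AutoSize

# 7.8/7.9 also expect other roles to alert a mailbox different from the Global Administrator one.
$gaRecipients = ($results | Where-Object Role -eq 'Global Administrator').Recipients
$results | Where-Object { $_.Role -ne 'Global Administrator' -and $_.Configured -and $_.Recipients -eq $gaRecipients } |
    ForEach-Object { Write-Warning "$($_.Role) shares the Global Administrator alert mailbox" }
```

Roles whose activations are governed by a PIM group rather than a direct policy need the same check against each group's Member settings, which this script does not cover.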
## Related links
- Entra admin center - Privileged Identity Management | Microsoft Entra roles
- CISA 7.8 Highly Privileged User Access - MS.AAD.7.8v1
- CISA ScubaGear Rego Reference
- CISA 7.9 Highly Privileged User Access - MS.AAD.7.9v1
- CISA ScubaGear Rego Reference
## Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.7.9 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P2 |
| PowerShell test | Test-MtCisaActivationNotification |
| Tags | CISA, CISA.MS.AAD.7.9, Entra ID P2, MS.AAD, MS.AAD.7.9 |
## Source

- Pester test: tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1