GR1 | Validation 6 | Cloud Administrators are using Native Accounts Check (M)

[MathesonSho]

ItemName: “Cloud Administrators are using Native Accounts (M)” ItemName FR : « Les administrateurs infonuagiques utilisent des comptes natifs (M) »

Description: This is a new control for the validation “ Provide evidence that there are dedicated user accounts for administration (for example, privileged access)”

Option 1: • If any “highly privileged roles” have been assigned to a guest account or to a synced account the environment would fail this control.

• Determine the privileged roles assigned in the tenant.
• Check if those roles are assigned to guest or synced account
• If all of the privileged roles are assigned to native accounts the tenant is compliant.
• If any of the privileged roles are assigned to a guest or synced account then the tenant is non-compliant.

Option 2: • Client provides privileged UPN account list of Cloud Admins and CaC verifies that all of the provided accounts are native.

• Parse list and look for any non-native accounts.
  • If all of the accounts are native then the tenant is compliant.
  • If any of the accounts are a guest or synced account the tenant is non-compliant.

Comments ENG If Compliant : "All Cloud Administrators are using native accounts." If Non-compliant: "Non-compliant – review cloud administrators assignments and permissions for guest users or synced accounts with privileged roles."

Comments FR If Compliant : « Tous les administrateurs infonuagiques utilisent des comptes natifs. » If Non-compliant: « Non conforme – examinez les affectations et les autorisations des administrateurs infonuagiques pour les utilisateurs invités ou les comptes synchronisés avec des rôles privilégiés. »

[MathesonSho]

After team evaluation this ticket for enhancement has been replaced with https://github.com/ssc-spc-ccoe-cei/azure-guardrails-solution-accelerator/issues/157