GR1 | Validation 6 | Dedicated User Accounts for Administration (M)

[MathesonSho]

NEW ItemName: Dedicated User Accounts for Administration (M) ItemNameFR: Comptes d’utilisateurs dédiés sont utilisés pour l’administration (M)

Description: This is a new control for the validation “ Provide evidence that there are dedicated user accounts for administration (for example, privileged access)”. The check will look at highly privileged roles such as Global Administrators. Highly Privileged Roles include:

• Global Administrator
• Privileged Role Administrator

The control will confirm the UPN format for users logging in to use the GA role assigned as well as the format for used for other activities by the same user. The check will confirm that each Global Administrator account has a matching non-admin account.

i.e., Gerry is a Cloud Administrator/ Global Administrator. He has two accounts for his azure tenant.

• Account 1 UPN Format: admin-gerry.gerry@ms-sm.ca
• Account 2 UPN Format: gerry.gerry@ms-sm.ca

Account 1 has the ability to use the Global Administrator role. Account 2 is used for other role assignments

Another example of formats:

• Account 1: John.smith.admin@department.gc.ca
• Account 2: John.smith@department.gc.ca

Flow: During installation the config.json will ask for the account format for a highly privileged user and other users. OR Department uploads evidence document with the formats/ UPNs for the check Comments

• Compliant : All Cloud Administrators are using dedicated accounts.
• Non-compliant: Non-compliant – review Global Administrator role assignments and ensure there are dedicated accounts being used.

Comments FR: