Privileged access management establishes controls to protect administrative credentials and high-impact operations in cloud environments. Unlike traditional on-premises models with static administrator groups, modern cloud platforms require dynamic, time-bound privilege assignment, continuous monitoring, and just-in-time access to address rapid infrastructure changes and expanded attack surfaces including credential theft, privilege escalation, and lateral movement. Organizations implementing these controls enforce least privilege and Zero Trust principles while maintaining operational agility, while those neglecting these measures face undetected credential compromise and unrestricted administrative access enabling tenant-wide breaches.
Here are the four core pillars of the Privileged Access security domain.
Protect user identities: Establish security for all user accounts, especially privileged ones, through centralized identity management, strong multi-factor authentication, lifecycle management, privileged access workstations, and emergency access planning.
Related controls:
- IM-1: Use centralized identity and authentication system
- IM-2: Protect identity and authentication systems
- IM-5: Use single sign-on (SSO) for application access
- IM-6: Use strong authentication controls
- IM-7: Restrict resource access based on conditions
Protect applications and secrets: Manage non-human identities securely through automated server/service authentication and secure secrets management for API keys and certificates.
Related controls:
- IM-3: Manage application identities securely and automatically
- IM-4: Authenticate server and services
- IM-8: Restrict the exposure of credentials and secrets
Secure access: Enforce least privilege and just-enough administration through time-bound permissions, conditional access policies, and controlled external access for cloud provider support.
Related controls:
- PA-1: Separate and limit highly privileged/administrative users
- PA-2: Avoid standing access for user accounts and permissions
- PA-3: Manage lifecycle of identities and entitlements
- PA-5: Set up emergency access
- PA-6: Use privileged access workstations
- PA-7: Follow just enough administration (least privilege) principle
- PA-8: Determine access process for cloud provider support
Monitor and governance: Maintain continuous oversight through regular access reviews, reconciliation of user rights, anomaly detection, and audit logging to ensure appropriate permissions and timely revocation.
Related controls:
- PA-4: Review and reconcile user access regularly
- LT-2: Enable threat detection for identity and access management
PA-1: Separate and limit highly privileged/administrative users
Azure Policy: See Azure built-in policy definitions: PA-1.
Security principle
Identify all high business impact accounts and limit the number of privileged administrative accounts across control plane, management plane, and data workload plane to minimize attack surface and blast radius from compromised credentials.
Risk to mitigate
- Unauthorized access from over-privileged accounts: Adversaries exploit highly privileged accounts with excessive permissions to gain unauthorized access to critical cloud resources, such as management consoles, APIs, or sensitive data stores. Without separation, a single compromised admin account can provide attackers with unrestricted access to modify IAM policies, deploy malicious workloads, or exfiltrate data across an entire tenant.
- Privilege escalation via compromised administrative credentials: Attackers leverage compromised privileged credentials to escalate access, gaining control over cloud tenants or critical infrastructure. In environments where administrative accounts are not isolated, a stolen credential can be used to manipulate role assignments, create new privileged accounts, or disable security controls, enabling tenant-wide compromise.
- Persistent access from stale or unmonitored privileged accounts: Adversaries exploit stale or unmonitored privileged accounts to maintain persistent access, evading detection after initial compromise. Admin accounts that remain active after role changes or project completion provide attackers with long-term access to invoke APIs or modify resources, increasing the risk of prolonged breaches.
MITRE ATT&CK
- Initial Access (TA0001) - Valid Accounts: Cloud Accounts (T1078.004): Compromising highly privileged accounts to authenticate to cloud consoles or APIs, accessing critical resources using stolen admin credentials.
- Privilege Escalation (TA0004) - Abuse Elevation Control Mechanism: Cloud Infrastructure (T1548.005): Exploiting unscoped privileged accounts to escalate access by modifying IAM policies, gaining tenant-wide control.
- Persistence (TA0003) - Account Manipulation: Additional Cloud Roles (T1098.001): Altering privileged accounts to add persistent roles, maintaining long-term access to cloud resources.
PA-1.1: Restrict and limit highly privileged/administrative users in Microsoft Entra
Restricting highly privileged administrative accounts prevents unauthorized tenant-wide access and limits blast radius from compromised credentials. Organizations with excessive global administrators face increased risk of breaches where attackers can manipulate IAM policies, deploy malicious workloads, or exfiltrate data across all resources. Limiting these accounts to only essential personnel enforces least privilege and reduces attack surface.
Implement the following restrictions for cloud identity administrative roles:
Identify critical built-in roles: The most critical built-in roles in Microsoft Entra ID are Global Administrator and Privileged Role Administrator, as users assigned to these roles can delegate administrator roles and directly or indirectly read and modify every resource in your cloud environment.
Evaluate custom role permissions: Review custom roles in your identity management system for privileged permissions that need to be governed based on your business needs, applying the same restrictions as built-in privileged roles.
Extend restrictions beyond cloud identity systems: Restrict privileged accounts in on-premises identity systems, security tools, and system management tools with administrative access to business-critical assets (such as Active Directory Domain Controllers, security monitoring systems, and configuration management tools), as compromise of these management systems enables attackers to weaponize them for lateral movement to cloud resources.
PA-1.2: Restrict and limit highly privileged/administrative users at Azure resource level
Limiting privileged roles at the resource level prevents unauthorized access to cloud resources and enforces least privilege across subscriptions and resource groups. Excessive Owner or Contributor assignments at subscription scope enable attackers to manipulate resources, modify security controls, or escalate privileges after initial compromise. Restricting these assignments reduces blast radius and ensures administrative access aligns with operational responsibilities.
Apply the following restrictions for cloud resource-level administrative roles:
Restrict critical built-in resource roles: Azure has built-in roles that grant extensive permissions (Owner grants full access including role assignment; Contributor grants full resource management; User Access Administrator enables user access management), requiring the same restrictions as tenant-level privileged roles.
Govern custom resource roles: Review and restrict custom roles at the resource level that carry privileged permissions, granting them only on business need and ensuring they don't inadvertently grant excessive access through permission combinations.
Control billing and subscription management roles: For customers with an Enterprise Agreement, restrict Azure Cost Management and Billing administrative roles (Account Owner, Enterprise Administrator, Department Administrator) as they can directly or indirectly manage subscriptions, create/delete subscriptions, and manage other administrators.
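The audit that PA-1.2 calls for, as an added example that is not part of the benchmark or Microsoft's tooling: it runs over constructed role-assignment records shaped like the JSON that `az role assignment list --all` returns (the field names are assumed from the Azure CLI, and the principals and subscription ID are made up) and flags Owner, User Access Administrator, and Contributor assignments made at subscription or management-group scope, the assignments that inherit down to every resource beneath them.

```python
import json
import re

# Constructed sample shaped like the JSON that `az role assignment list --all`
# returns (field names assumed from the Azure CLI; trimmed to those used here).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"},
  {"principalName": "carol@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "dave@contoso.example", "principalType": "User",
   "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"},
  {"principalName": "ops-admins", "principalType": "Group",
   "roleDefinitionName": "Owner",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-root"}
]
""")

# Built-in roles the control singles out: Owner and User Access Administrator can
# assign roles to others (highest severity); Contributor can change any resource.
ROLE_SEVERITY = {"Owner": "high", "User Access Administrator": "high", "Contributor": "medium"}

# A subscription or management-group scope covers everything beneath it.
BROAD_SCOPE = re.compile(
    r"^(/subscriptions/[^/]+|/providers/Microsoft\.Management/managementGroups/[^/]+)$",
    re.IGNORECASE,
)


def is_broad_scope(scope: str) -> bool:
    return BROAD_SCOPE.match(scope) is not None


def find_broad_privileged_assignments(assignments: list[dict]) -> list[dict]:
    """Return privileged-role assignments made at subscription or management-group scope."""
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role in ROLE_SEVERITY and is_broad_scope(a["scope"]):
            findings.append({**a, "severity": ROLE_SEVERITY[role]})
    return findings


def summarize(assignments: list[dict]) -> dict:
    """Aggregate the findings the way an access-review report would present them."""
    findings = find_broad_privileged_assignments(assignments)
    by_role: dict[str, int] = {}
    for f in findings:
        by_role[f["roleDefinitionName"]] = by_role.get(f["roleDefinitionName"], 0) + 1
    return {
        "total_assignments": len(assignments),
        "broad_privileged": len(findings),
        "by_role": by_role,
        # Principals that can hand out roles deserve the first look in a review.
        "can_assign_roles": sorted(f["principalName"] for f in findings if f["severity"] == "high"),
        "principals": sorted(f["principalName"] for f in findings),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ASSIGNMENTS), indent=2))
    for f in find_broad_privileged_assignments(SAMPLE_ASSIGNMENTS):
        print(f'[{f["severity"]}] {f["principalType"]} {f["principalName"]} '
              f'has {f["roleDefinitionName"]} at {f["scope"]}')
```

Resource-group-scoped assignments (bob, dave) pass, which is the scoping the implementation example below moves teams toward; the service principal with subscription-wide Contributor is reported alongside the users because non-human identities inherit just as broadly.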
Implementation example
Challenge: A financial services organization discovered excessive privileged access across both identity and resource layers: 47 Global Administrator accounts in Microsoft Entra ID (most unused for over six months) and 89 users with Owner role at subscription scope in Azure, creating massive attack surface and violating least privilege principles.
Solution:
- Audit and reduce Entra privileged roles: Conducted comprehensive audit of all Global Administrator and Privileged Role Administrator assignments, identifying business justification for each account and reducing from 47 to 8 Global Administrators aligned with operational needs.
- Implement role-specific assignments in Entra: Transitioned users from Global Administrator to specific roles (User Administrator, Security Administrator, Compliance Administrator) based on actual job functions, using Microsoft Entra built-in roles to enforce granular permissions.
- Reduce Azure subscription-scope assignments: Audited all Owner and Contributor role assignments at Azure role-based access control (RBAC) level, reducing subscription-scope Owner assignments from 89 to 12 by scoping roles to specific resource groups based on team responsibilities.
- Implement resource group scoping: Transitioned development teams from subscription-level Contributor to resource group-level Contributor or specific built-in roles (Virtual Machine Contributor, Storage Account Contributor) matching actual needs.
- Establish unified governance: Created approval workflow requiring executive and security team sign-off for new privileged role assignments at both Entra and Azure resource levels, with quarterly access reviews and automated alerts for assignments exceeding approved scopes.
Outcome: Organization dramatically reduced privileged account attack surface across identity and resource layers, eliminated stale administrative access, and established sustainable governance preventing privilege creep at both tenant and subscription levels.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2(1), AC-2(7), AC-5, AC-6(1), AC-6(5)
- PCI-DSS v4 7.2.2, 7.2.4, 8.2.2
- CIS Controls v8.1 5.4, 6.7, 6.8
- NIST CSF v2.0 PR.AC-4, PR.AA-1
- ISO 27001:2022 A.5.15, A.5.18, A.8.2
- SOC 2 CC6.1, CC6.2
PA-2: Avoid standing access for user accounts and permissions
Azure Policy: See Azure built-in policy definitions: PA-2.
Security principle
Implement just-in-time privileged access mechanisms to assign temporary, time-bound permissions instead of persistent standing privileges, preventing malicious or unauthorized users from exploiting always-on administrative access after compromised credentials or insider actions.
Risk to mitigate
- Unauthorized access from persistent privileged accounts: Standing high-privilege roles enable adversaries to misuse compromised credentials for unauthorized access to cloud resources, such as invoking APIs to exfiltrate data or deploy malicious workloads, exploiting always-on permissions without temporal restrictions.
- Privilege escalation via compromised credentials: Compromised accounts with persistent elevated roles allow attackers to escalate privileges by modifying IAM policies, such as assigning tenant-wide administrative roles, exploiting the absence of time-limited access to gain control over subscriptions or resources.
- Prolonged exposure from stale access: Unrevoked roles after task completion create extended exposure windows, allowing adversaries to exploit stale credentials for unauthorized access, such as extracting data from storage accounts, due to forgotten or unmanaged permissions.
MITRE ATT&CK
- Initial Access (TA0001) - Valid Accounts: Cloud Accounts (T1078.004): Compromising accounts with standing high-privilege roles to authenticate to cloud management consoles or APIs, using persistent credentials to access resources without time-bound restrictions.
- Privilege Escalation (TA0004) - Abuse Elevation Control Mechanism: Cloud Infrastructure (T1548.005): Exploiting persistent privileged roles to escalate access by modifying IAM policies, leveraging always-on permissions to gain unauthorized control over subscriptions.
- Persistence (TA0003) - Account Manipulation: Additional Cloud Roles (T1098.001): Modifying role assignments to maintain persistent access by adding high-privilege roles to compromised accounts, exploiting lack of time-limited access.
PA-2.1: Use just in time (JIT) control for Azure resource access
Just-in-time privileged access prevents persistent administrative permissions that enable unauthorized access after credential compromise. Organizations with standing privileged roles face extended exposure windows where attackers can exploit always-on permissions for data exfiltration, privilege escalation, or lateral movement without time constraints. Implementing JIT access ensures permissions automatically expire, limiting blast radius and reducing attack surface.
Enable just-in-time access through the following approach:
Deploy Privileged Identity Management: Enable just-in-time (JIT) privileged access to Azure resources and Microsoft Entra ID using Microsoft Entra Privileged Identity Management (PIM), where users receive temporary permissions to perform privileged tasks that automatically expire, so the elevated access cannot be used once the activation window closes, and PIM generates security alerts for suspicious activity.
Configure eligible role assignments: Admins assign eligible roles to users or groups via PIM, specifying who can request privileged roles and defining activation requirements including approval workflows, MFA requirements, and time-bound durations (typically 1-8 hours).
Establish activation workflows: Users request role activation through the Azure portal or PIM API when privileged access is needed, providing justification and time window, with approvers reviewing requests based on policies and either granting or denying access, while PIM logs all actions for audit purposes.
Implement automatic expiration: Access automatically expires when the activation period ends, or users can manually deactivate early if tasks are completed, ensuring privileged permissions don't remain active beyond operational need.
Enable JIT for virtual machine access: Use Azure Bastion with JIT VM access from Microsoft Defender for Cloud to restrict inbound traffic to sensitive virtual machines' management ports, granting access only when users need it and automatically revoking when time expires.
Implementation example
Challenge: A global retail company had 156 users with standing Owner and Contributor roles at subscription scope, creating persistent high-privilege access that remained active 24/7 despite infrequent administrative needs.
Solution:
- Implement PIM for Azure resources: Converted all standing Owner and Contributor role assignments to eligible roles in PIM, requiring users to activate roles only when performing administrative tasks with 4-hour time-bound activation.
- Configure approval workflows: Established multi-stage approval for Owner role activation requiring resource owner and security team approval, with automated MFA enforcement and justification requirements for all privileged access requests.
- Enable JIT VM access: Deployed Azure Bastion with Defender for Cloud JIT controls restricting RDP/SSH access to production virtual machines, allowing access only through approved time-bound requests, eliminating persistent management port exposure.
Outcome: Organization eliminated persistent privileged access, substantially reduced attack surface from standing administrative permissions, and established automated expiration preventing forgotten elevated access.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2(1), AC-5, AC-6(2), AC-6(5), AC-16
- PCI-DSS v4 7.2.2, 7.2.5, 8.2.8
- CIS Controls v8.1 5.4, 6.8
- NIST CSF v2.0 PR.AC-4, PR.AA-1
- ISO 27001:2022 A.5.15, A.5.18, A.8.2
- SOC 2 CC6.1, CC6.3
PA-3: Manage lifecycle of identities and entitlements
Security principle
Use automated processes or technical controls to manage the complete identity and access lifecycle including request, review, approval, provisioning, and deprovisioning, ensuring permissions remain aligned with business needs and are revoked when no longer required.
Risk to mitigate
- Unauthorized access due to excessive permissions: Identities granted more access rights than required, violating least privilege and increasing the attack surface.
- Stale or orphaned access from unmanaged accounts: Permissions retained after they are no longer needed or accounts left active after user departure, enabling potential exploitation.
- Insider threats from misconfigured or unmonitored access: Authorized users misusing permissions due to misconfigured policies or lack of oversight, including bypassing approval processes.
- Non-compliance with regulatory standards: Failure to enforce least privilege, access auditing, or timely deprovisioning, risking violations of standards like GDPR, HIPAA, SOC 2, or ISO 27001.
- Human error in access management: Manual processes leading to incorrect permission grants, overlooked deprovisioning, or misconfigured approval chains.
- Lack of auditability and traceability: Absence of proper logging and documentation, hindering tracking of access requests, approvals, or provisioning, delaying breach detection.
MITRE ATT&CK
- Initial Access (TA0001) exploiting valid accounts (T1078.004) by leveraging compromised or stale cloud credentials to authenticate to APIs or management consoles, enabling unauthorized access to cloud resources.
- Privilege Escalation (TA0004) abusing elevation control mechanisms (T1548.005) by exploiting misconfigured RBAC policies or excessive permissions to assign elevated roles from a resource group role.
- Persistence (TA0003) manipulating accounts (T1098.001) by modifying IAM policies or disabling MFA to embed persistent access, allowing adversaries to retain unauthorized control over cloud resources.
- Exfiltration (TA0010) accessing data from cloud storage (T1530) using over-privileged accounts to enumerate and retrieve sensitive data from storage buckets or databases.
- Defense Evasion (TA0005) impairing defenses (T1562.001) by disabling cloud audit logging or monitoring with high-privilege accounts, concealing malicious actions like resource modifications.
PA-3.1: Manage lifecycle of identities and entitlements
Automated identity lifecycle management prevents orphaned accounts, unrevoked permissions, and excessive access that persist after role changes or employee departures. Organizations relying on manual access management face delayed deprovisioning, inconsistent approval processes, and lack of auditability, creating security gaps where unauthorized users exploit stale credentials for data exfiltration or privilege escalation. Implementing automated workflows ensures access aligns with current business needs through consistent request, approval, provisioning, and expiration processes.
Establish automated identity and access lifecycle management through the following approach:
Plan access management objectives and scope: Define access needs by identifying Azure resource groups requiring access management, including specific roles (e.g., Owner, Contributor) and user or workload identities, establishing boundaries for governance and approval workflows.
Assign responsibilities: Designate Global Administrators, Identity Governance Administrators, or catalog owners to manage entitlement management and access packages, delegating to resource owners or project managers who review and approve access requests for specific Azure resource groups.
Set up entitlement management for access request workflows: Create catalogs in Microsoft Entra admin center to organize related resources and access packages, adding specific Azure resource groups with their roles (e.g., Contributor, Reader) as catalog resources, then defining access packages specifying which Azure resource group roles users can request along with access duration and approval requirements.
Configure access policies: Enable users to request access via the Microsoft Entra My Access portal, setting up single, dual, or multi-stage approval workflows with designated approvers (e.g., resource owners, managers), defining access expiration dates or time-bound access for automatic revocation, and configuring alerts for request submissions, approvals, denials, and upcoming expirations.
Process and review access requests: Users submit access requests for Azure resource group roles through the My Access portal, triggering configured workflows that notify designated approvers and log request details, while approvers assess requests based on user role, requested access, and justification, requesting clarification if needed before approving or denying with documented justifications.
Provision and deprovision access automatically: Upon approval, Microsoft Entra automatically assigns requested Azure roles to users for specified resource groups with immediate access, enforcing automatic revocation when predefined expiration dates are reached per access package policies, while allowing administrators or resource owners to manually remove access if user roles or projects change before expiration.
Detect and right-size excessive permissions: Use Microsoft Entra Permissions Management to identify unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures, automatically right-sizing permissions and continuously monitoring to prevent privilege creep.
Implementation example
Challenge: A multinational enterprise with 8,500 employees across 40 countries/regions struggled with manual access provisioning requiring 3-5 business days per request, creating operational delays and accumulating 450+ orphaned accounts from departed employees with active privileged access.
Solution:
- Implement entitlement management: Deployed Microsoft Entra ID entitlement management with access packages for all Azure resource groups, establishing automated workflows for request, multi-stage approval, and time-bound access with automatic expiration.
- Configure lifecycle workflows: Created automated joiner/mover/leaver workflows triggering immediate provisioning for new employees, access updates for role changes, and instant deprovisioning upon termination with removal from all access packages and privileged groups.
- Deploy Permissions Management: Implemented continuous monitoring detecting unused permissions across multi-cloud infrastructure, automatically right-sizing overprovisioned roles and generating alerts for privilege creep requiring review.
Outcome: Organization reduced access provisioning time from 3-5 days to under 2 hours, eliminated all orphaned accounts through automated deprovisioning, and achieved 100% access request auditability with complete approval trail documentation.
Criticality level
Should have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2, AC-2(1), AC-2(3), AC-2(4), IA-4
- PCI-DSS v4 7.2.2, 7.2.4, 8.1.3, 8.1.4
- CIS Controls v8.1 5.1, 5.2, 5.3, 6.1
- NIST CSF v2.0 PR.AA-3, PR.AC-1, PR.AC-4
- ISO 27001:2022 A.5.15, A.5.16, A.5.17, A.5.18
- SOC 2 CC6.1, CC6.2, CC6.3
PA-4: Review and reconcile user access regularly
Azure Policy: See Azure built-in policy definitions: PA-4.
Security principle
Conduct periodic audits of privileged account entitlements to verify that access permissions are strictly aligned with authorized administrative functions, ensuring compliance with the principle of least privilege.
Risk to mitigate
- Unauthorized access due to excessive permissions: Identities granted more access rights than required, violating least privilege and increasing the attack surface.
- Stale or orphaned access from unmanaged accounts: Permissions retained after they are no longer needed or accounts left active after user departure, enabling potential exploitation.
- Insider threats from misconfigured or unmonitored access: Authorized users misusing permissions due to misconfigured policies or lack of oversight, including bypassing approval processes.
- Non-compliance with regulatory standards: Failure to enforce least privilege, access auditing, or timely deprovisioning, risking violations of standards like GDPR, HIPAA, SOC 2, or ISO 27001.
- Human error in access management: Manual processes leading to incorrect permission grants, overlooked deprovisioning, or misconfigured approval chains.
- Lack of auditability and traceability: Absence of proper logging and documentation, hindering tracking of access requests, approvals, or provisioning, delaying breach detection.
MITRE ATT&CK
- Initial Access (TA0001) exploiting valid accounts (T1078.004) by leveraging compromised or stale cloud credentials, such as over-privileged service accounts, to authenticate to APIs or management consoles, enabling unauthorized access to cloud resources without triggering alerts.
- Privilege Escalation (TA0004) abusing elevation control mechanisms (T1548.005) by exploiting misconfigured RBAC policies or excessive permissions to assign elevated roles, such as tenant-wide administrative access, from a resource group role.
- Persistence (TA0003) manipulating accounts (T1098.001) by modifying IAM policies or disabling MFA to embed persistent access, allowing adversaries to retain unauthorized control over cloud resources like storage or compute.
- Exfiltration (TA0010) accessing data from cloud storage (T1530) using over-privileged accounts to enumerate and retrieve sensitive data from storage buckets or databases, exploiting unrevoked or poorly validated permissions.
- Defense Evasion (TA0005) impairing defenses (T1562.001) by disabling cloud audit logging or monitoring with high-privilege accounts, concealing malicious actions like resource modifications or data access.
PA-4.1: Review and reconcile user access regularly
Review all privileged accounts and access entitlements in Microsoft Azure, encompassing Azure tenants, Azure services, virtual machines (VMs)/Infrastructure as a Service (IaaS), CI/CD processes, and enterprise management and security tools.
Use Microsoft Entra ID access reviews to evaluate Microsoft Entra roles, Azure resource access roles, group memberships, and access to enterprise applications. Microsoft Entra ID reporting provides logs to identify stale accounts or accounts unused for a specified period.
Additionally, Microsoft Entra Privileged Identity Management (PIM) can be configured to send alerts when an excessive number of administrator accounts are created for a specific role and to detect administrator accounts that are stale or misconfigured.
Plan the access review scope and objectives: Identify which Azure resources (e.g., subscriptions, resource groups, VMs) and Microsoft Entra roles (e.g., Global Administrator, User Administrator) require review, establishing review frequency (e.g., monthly, quarterly) based on security requirements and regulatory needs.
Assign review responsibilities: Designate resource owners, security teams, or role administrators to conduct reviews, ensuring reviewers have appropriate permissions in PIM.
Set up access reviews in Microsoft Entra PIM: Create access reviews for Entra roles by selecting specific Microsoft Entra roles to review, specifying reviewers (individuals, group owners, or self-reviews), and setting review parameters including duration and recurrence. For Azure resources, choose subscriptions or resource groups, select Azure resource roles (e.g., Owner, Contributor) for evaluation, assign reviewers, and configure review settings including start/end dates and recurrence.
Conduct access reviews: Reviewers evaluate whether users still require assigned Microsoft Entra roles based on job functions or project needs, assess whether users need continued access to specific Azure resources and roles, verifying alignment with current responsibilities, and require users or reviewers to provide reasons for maintaining access, ensuring decisions are documented.
Take actions based on review outcomes: Remove unnecessary access by revoking roles or access for users who no longer need them, utilizing Microsoft Entra ID reporting alongside PIM to identify accounts with no recent activity and removing their roles or deactivating them. You can also utilize PIM features for enhanced reconciliation, detecting excessive role assignments and automating ongoing reviews on predefined schedules.
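An added example serving both PA-2.1 (standing versus time-bound privileged roles) and the review steps above; it is not part of the benchmark or of PIM. It runs over constructed records loosely modelled on PIM role assignment schedule instances and per-user last sign-in times (the field names, principal IDs and timestamps are assumptions), and reports permanent privileged assignments, privileged holders idle for 90+ days, and whether the distinct Global Administrator count exceeds a threshold.

```python
from datetime import datetime, timezone

# Microsoft Entra roles the benchmark treats as the most critical (PA-1.1).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Fixed "now" so the example is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed records loosely modelled on PIM role assignment schedule instances:
# assignmentType "Assigned" is a standing (active) assignment, "Activated" is a
# JIT activation; endDateTime None means the assignment never expires.
SCHEDULES = [
    {"principalId": "u-alice", "roleName": "Global Administrator",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-bob", "roleName": "Global Administrator",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-carol", "roleName": "Privileged Role Administrator",
     "assignmentType": "Activated", "endDateTime": "2025-06-01T12:00:00Z"},
    {"principalId": "u-dave", "roleName": "Global Administrator",
     "assignmentType": "Activated", "endDateTime": "2025-06-01T11:00:00Z"},
    {"principalId": "u-dave", "roleName": "User Administrator",
     "assignmentType": "Assigned", "endDateTime": "2025-12-31T00:00:00Z"},
]

# Constructed last sign-in per principal (None = never signed in), in the shape
# of the lastSignInDateTime value that Entra ID reporting exposes.
LAST_SIGN_IN = {
    "u-alice": "2025-05-30T09:00:00Z",
    "u-bob": "2025-01-15T08:00:00Z",
    "u-carol": None,
    "u-dave": "2025-05-20T10:00:00Z",
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix); returns None for None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def standing_privileged(schedules):
    """PA-2 check: privileged roles that are permanently active (no expiry, not a JIT activation)."""
    return sorted(
        (s["principalId"], s["roleName"])
        for s in schedules
        if s["roleName"] in PRIVILEGED_ROLES
        and s["assignmentType"] == "Assigned"
        and s["endDateTime"] is None
    )


def stale_privileged(schedules, last_sign_in, now=NOW, max_idle_days=90):
    """PA-4 check: holders of privileged roles with no sign-in within max_idle_days."""
    stale = set()
    for s in schedules:
        if s["roleName"] not in PRIVILEGED_ROLES:
            continue
        last = parse_ts(last_sign_in.get(s["principalId"]))
        if last is None or (now - last).days >= max_idle_days:
            stale.add(s["principalId"])
    return sorted(stale)


def global_admin_count(schedules):
    """Distinct principals holding Global Administrator, standing or activated."""
    return len({s["principalId"] for s in schedules if s["roleName"] == "Global Administrator"})


def review(schedules, last_sign_in, now=NOW, max_global_admins=8):
    """Combine the checks into the findings an access review would act on."""
    count = global_admin_count(schedules)
    return {
        "standing": standing_privileged(schedules),
        "stale": stale_privileged(schedules, last_sign_in, now),
        "global_admins": count,
        "excessive_global_admins": count > max_global_admins,
    }


if __name__ == "__main__":
    for key, value in review(SCHEDULES, LAST_SIGN_IN).items():
        print(f"{key}: {value}")
```

The 8-administrator threshold and the 90-day idle window mirror the figures in the implementation example below; carol's JIT activation is not reported as standing access, but she is still reported as stale because a privileged role with no sign-in history is exactly what a reviewer should question.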
Implementation example
Challenge: A technology company with 650 privileged accounts discovered during annual audit that 89 accounts (14%) had not been used in over 180 days, while 34 accounts retained elevated permissions despite users changing to non-administrative roles.
Solution:
- Implement quarterly access reviews: Deployed Microsoft Entra PIM access reviews for all Azure subscriptions and Entra roles with quarterly recurring schedules, assigning resource owners as primary reviewers and security team as secondary reviewers for oversight.
- Enable automated detection: Configured PIM alerts for excessive role assignments (>8 Global Administrators) and accounts unused for 90+ days, integrating with Microsoft Sentinel for real-time notifications to security operations center.
- Establish remediation workflows: Created standardized response procedures requiring reviewers to provide justification for maintaining access or immediately revoking unnecessary permissions, with automatic escalation for overdue reviews to governance team.
Outcome: Organization identified and removed 89 stale accounts and right-sized 34 over-provisioned accounts, reduced Global Administrator count from 12 to 6, and achieved 100% quarterly review completion rate with documented justifications.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2(3), AC-2(7), AC-6(7), IA-4
- PCI-DSS v4 7.2.4, 8.1.4, 8.2.6
- CIS Controls v8.1 5.3, 5.4, 6.2
- NIST CSF v2.0 PR.AA-3, PR.AC-6, DE.CM-3
- ISO 27001:2022 A.5.18, A.8.2, A.8.3
- SOC 2 CC6.1, CC6.2, CC6.3
PA-5: Set up emergency access
Security principle
Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure in an emergency. Emergency access accounts should be rarely used and can be highly damaging if compromised, but their availability is critically important for scenarios when they are required.
Risk to mitigate
- Administrative lockout from cloud tenant management: Loss of access to a cloud tenant when all privileged accounts are blocked by MFA failures, federation outages, or compromised/deleted accounts, preventing IAM policy updates or resource management.
- Unauthorized access to highly privileged accounts: Weakly secured credentials or unrestricted access to emergency accounts enables adversaries to authenticate to cloud management consoles or APIs, facilitating privilege escalation or data exfiltration.
- Insider threats via misused emergency access: Emergency accounts bypassing standard controls are misused by authorized personnel for non-emergency tasks, risking credential exposure or unauthorized access.
- Lack of auditability for emergency access: Inadequate logging or monitoring of emergency account activity prevents detection of unauthorized use, delaying incident response.
- Operational failure from untested emergency accounts: Untested emergency accounts with outdated credentials or misconfigured IAM bindings fail during crises, preventing access restoration and exacerbating lockouts.
MITRE ATT&CK
- Initial Access (TA0001) - Valid Accounts: Cloud Accounts (T1078.004): Leveraging compromised emergency access accounts with high privileges to authenticate to cloud management consoles or APIs, exploiting insecurely stored credentials.
- Privilege Escalation (TA0004) - Abuse Elevation Control Mechanism: Cloud Infrastructure (T1548.005): Over-privileged emergency accounts with excessive IAM roles are exploited to escalate access, allowing adversaries to modify policies or assign tenant-level administrative permissions.
- Persistence (TA0003) - Account Manipulation: Additional Cloud Credentials (T1098.001): Modifying emergency account configurations, such as adding persistent roles or disabling MFA, to maintain unauthorized access.
- Defense Evasion (TA0005) - Impair Defenses: Disable or Modify Cloud Logs (T1562.008): Using emergency accounts to disable audit logging or monitoring in cloud environments, concealing malicious actions.
- Credential Access (TA0006) - Steal Application Access Token (T1528): Stealing emergency account credentials stored insecurely to authenticate to cloud services.
PA-5.1: Set up emergency access
Emergency access accounts ("break-glass" accounts) prevent complete administrative lockout during MFA failures, federation outages, or compromised administrative accounts. Without these accounts, organizations risk losing tenant access when normal authentication paths fail. Implementing emergency access ensures business continuity while maintaining security through controlled credential management, monitoring, and testing.
Establish emergency access accounts through the following structured approach:
- Create emergency access accounts: Configure at least two cloud-only accounts (not federated) with the Global Administrator role in Microsoft Entra ID, using descriptive names (e.g., EmergencyAccess01, BreakGlass02) that clearly identify their purpose. Do not assign the accounts to specific individuals; keep them dedicated exclusively to emergency scenarios.
- Secure credentials with dual control: Generate strong, randomly generated passwords of at least 32 characters configured to never expire. Implement dual control by splitting each credential into multiple parts stored in separate secure physical locations (e.g., fireproof safes at different sites) accessible only to authorized C-level executives or security leadership, and document retrieval procedures that require multi-person approval.
- Configure Conditional Access exclusions: Exclude at least one emergency account from all Conditional Access policies and MFA requirements to guarantee access during service disruptions. Optionally secure the second account with FIDO2 security keys stored in secure locations, so that credential diversity protects against a single point of authentication failure.
- Enable comprehensive monitoring and alerting: Configure Azure Monitor or Microsoft Sentinel to analyze Microsoft Entra ID sign-in and audit logs, creating real-time alerts (email and SMS) that trigger on any emergency account authentication or configuration change. Establish incident response procedures requiring immediate security team notification and justification documentation for all emergency account usage.
- Establish testing and maintenance procedures: Test emergency account access quarterly to verify functionality, and update credentials every 90 days or immediately after personnel changes affecting authorized users. Train authorized administrators on break-glass procedures, including credential retrieval and incident documentation, and maintain written runbooks documenting the complete emergency access process for compliance and operational readiness.
Implementation example
Challenge: A multinational financial services organization experienced a federation outage affecting its hybrid identity infrastructure and discovered it had no functioning emergency access path to Microsoft Entra ID. All 15 Global Administrators relied on federated authentication, so the organization was completely locked out for the duration of the incident and regained access, via a Microsoft support escalation, only after 6 hours of downtime.
Solution
- Create emergency access accounts: Provisioned two cloud-only emergency access accounts (EmergencyAccess01@contoso.onmicrosoft.com, BreakGlass02@contoso.onmicrosoft.com) with permanent Global Administrator role assignments in Microsoft Entra ID. The accounts were neither federated nor synchronized from on-premises Active Directory, eliminating any dependency on the federation infrastructure.
- Implement passwordless authentication with dual control: Configured EmergencyAccess01 with FIDO2 passkey authentication and BreakGlass02 with certificate-based authentication for credential diversity. FIDO2 security keys were stored in two separate fireproof safes at headquarters and the disaster recovery site, while certificate private keys remained on hardware security modules accessible only to C-level executives, with dual-person authorization requirements documented in the emergency response procedures.
- Configure Conditional Access exclusions strategically: Created a named location exclusion policy for EmergencyAccess01 exempting it from all Conditional Access policies, including MFA requirements, while BreakGlass02 remained subject to phishing-resistant MFA. This balanced approach ensures that at least one account has guaranteed access during any authentication service disruption.
- Deploy Azure Monitor alerting for emergency account activity: Configured a Log Analytics workspace with custom alert rules querying SigninLogs for the emergency account object IDs, triggering critical severity (Sev 0) alerts with immediate email and SMS notifications to the security operations center, CISO, and IT director whenever an emergency account authenticated. The alert query, evaluated every 5 minutes:
SigninLogs | project UserId | where UserId == "00aa00aa-bb11-cc22-dd33-44ee44ee44ee" or UserId == "11bb11bb-cc22-dd33-ee44-55ff55ff55ff"
- Establish quarterly validation and testing procedures: Created a documented quarterly drill schedule requiring designated security team members to retrieve credentials from secure storage, authenticate using the emergency accounts, perform a test administrative task (query the user list via the Microsoft Graph API), document the activity in the incident log, and immediately notify the security team, triggering a post-mortem review that validates alert functionality and credential accessibility. Credentials are rotated every 90 days and immediately following personnel changes affecting authorized individuals.
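The alert query in the text covers the sign-in half of the monitoring step server side. The following is an added example, not code from the benchmark page or from Microsoft, showing the same detection run offline over exported log rows, extended with the other half the step calls for (directory changes to the emergency accounts) and with the drill classification the quarterly validation procedure implies. The SigninLogs and AuditLogs rows are constructed to mimic a Log Analytics export, the account object IDs are the placeholder values from the query above, and the drill window is invented.

```python
"""Flag emergency ("break-glass") account activity in exported Entra ID logs.

Added example, not code from the benchmark page or from Microsoft. The rows
below are constructed to mimic SigninLogs and AuditLogs exports from a Log
Analytics workspace; the two emergency account object IDs are the placeholder
values used in the alert query in the text, and the drill window is invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Object IDs of the emergency accounts to watch (placeholders from the text).
EMERGENCY_ACCOUNT_IDS = frozenset({
    "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
    "11bb11bb-cc22-dd33-ee44-55ff55ff55ff",
})

# Constructed quarterly drill window (UTC). Activity inside it is expected and
# goes to the drill log; anything outside it is an incident.
DRILL_WINDOWS = [
    (datetime(2025, 3, 12, 14, 0, tzinfo=timezone.utc),
     datetime(2025, 3, 12, 16, 0, tzinfo=timezone.utc)),
]

# Constructed SigninLogs-style rows. ResultType "0" is a successful sign-in;
# any other value is an Entra error code for a failed attempt.
SIGNIN_ROWS = [
    {"TimeGenerated": "2025-03-12T09:15:00Z", "UserId": "3c2d9d5e-1111-2222-3333-444455556666",
     "UserPrincipalName": "alice@contoso.onmicrosoft.com", "AppDisplayName": "Azure Portal",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2025-03-12T14:32:00Z", "UserId": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
     "UserPrincipalName": "EmergencyAccess01@contoso.onmicrosoft.com", "AppDisplayName": "Azure Portal",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2025-03-13T03:05:00Z", "UserId": "11bb11bb-cc22-dd33-ee44-55ff55ff55ff",
     "UserPrincipalName": "BreakGlass02@contoso.onmicrosoft.com", "AppDisplayName": "Microsoft Graph",
     "IPAddress": "198.51.100.77", "ResultType": "50126"},
]

# Constructed AuditLogs-style rows; TargetResources lists the objects changed.
AUDIT_ROWS = [
    {"TimeGenerated": "2025-03-13T03:07:00Z", "OperationName": "Update user",
     "InitiatedBy": "bob@contoso.onmicrosoft.com",
     "TargetResources": [{"id": "11bb11bb-cc22-dd33-ee44-55ff55ff55ff", "type": "User"}]},
    {"TimeGenerated": "2025-03-13T10:00:00Z", "OperationName": "Update user",
     "InitiatedBy": "bob@contoso.onmicrosoft.com",
     "TargetResources": [{"id": "3c2d9d5e-1111-2222-3333-444455556666", "type": "User"}]},
]


@dataclass(frozen=True)
class Alert:
    time: datetime
    kind: str          # "signin_success", "signin_failure" or "config_change"
    account_id: str
    detail: str
    expected: bool     # True when the activity falls inside a documented drill window


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps that Log Analytics exports use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_drill_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def detect_emergency_activity(signin_rows, audit_rows,
                              emergency_ids=EMERGENCY_ACCOUNT_IDS, drill_windows=DRILL_WINDOWS):
    """Return every sign-in (successful or failed) by, and every directory change to,
    an emergency account, oldest first."""
    alerts = []
    for row in signin_rows:
        if row["UserId"] not in emergency_ids:
            continue
        ts = parse_time(row["TimeGenerated"])
        kind = "signin_success" if row["ResultType"] == "0" else "signin_failure"
        detail = (f"{row['UserPrincipalName']} -> {row['AppDisplayName']} "
                  f"from {row['IPAddress']} (ResultType {row['ResultType']})")
        alerts.append(Alert(ts, kind, row["UserId"], detail, in_drill_window(ts, drill_windows)))
    for row in audit_rows:
        # A change *to* an emergency account (password reset, role change, MFA
        # method change) matters as much as a sign-in *by* it.
        touched = {t["id"] for t in row.get("TargetResources", [])} & set(emergency_ids)
        ts = parse_time(row["TimeGenerated"])
        for account_id in sorted(touched):
            detail = f"{row['OperationName']} by {row['InitiatedBy']}"
            alerts.append(Alert(ts, "config_change", account_id, detail, in_drill_window(ts, drill_windows)))
    alerts.sort(key=lambda a: a.time)
    return alerts


def unexpected_alerts(alerts):
    """Alerts outside any drill window need an incident ticket, not a drill log entry."""
    return [a for a in alerts if not a.expected]


if __name__ == "__main__":
    for a in detect_emergency_activity(SIGNIN_ROWS, AUDIT_ROWS):
        print("DRILL   " if a.expected else "INCIDENT", a.time.isoformat(), a.kind, a.detail)
```

Failed sign-ins are kept deliberately: a break-glass account should never see authentication attempts outside a drill, so a failure is as alert-worthy as a success. In a real deployment the drill windows would come from the documented drill schedule rather than a constant.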
Outcome: The organization established a resilient emergency access capability that survives complete federation infrastructure failures, detected 100% of emergency account authentications within 5 minutes through automated alerting, successfully executed 4 quarterly validation drills with an average credential retrieval time of 12 minutes, and maintained zero unauthorized emergency account usage over a 12-month period with a comprehensive audit trail for all test activities.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2, CP-2, CP-9, IR-4, IA-4
- PCI-DSS v4 8.2.8, 8.6.1, 12.10.1
- CIS Controls v8.1 5.4, 6.5, 17.9
- NIST CSF v2.0 PR.IP-10, RS.CO-3, RS.RP-1
- ISO 27001:2022 A.5.24, A.5.29, A.17.1
- SOC 2 CC6.1, CC7.4, CC9.1
PA-6: Use privileged access solution
Security principle
Secured, isolated privileged access solutions are critically important for the security of sensitive roles like administrator, developer, and critical service operator.
Risk to mitigate
- Credential compromise via malware or phishing on administrative workstations: Attackers deploy keyloggers, phishing pages, or memory-scraping malware on unhardened workstations to capture privileged credentials, such as API tokens or passwords, enabling unauthorized access to cloud management consoles or APIs. For example, a phishing attack mimicking a cloud portal login page or a trojan on a non-PAW device can extract admin credentials, allowing adversaries to invoke API calls, modify IAM policies, or exfiltrate data.
- Privilege escalation through unsecured workstation configurations: Adversaries exploit local admin rights, unpatched vulnerabilities, or weak application controls on administrative workstations to escalate privileges, manipulating IAM roles or access tokens. For instance, a workstation without AppLocker policies may allow malicious scripts to execute, enabling attackers to elevate from user-level to tenant-wide administrative access, compromising resources like virtual machines or storage.
- Unauthorized access via insecure remote connectivity: Attackers target exposed RDP/SSH endpoints or unsecured protocols to intercept admin sessions or perform brute force attacks, gaining access to cloud resources. Direct connections over public IPs risk session hijacking or credential stuffing, allowing adversaries to execute unauthorized commands or extract data from virtual machines or databases.
- Insider threats from misused privileged access on non-PAW devices: Authorized admins misuse standing privileged access or bypass controls by using personal devices, risking credential exposure to malware or policy violations. For example, an admin performing privileged tasks on a BYOD device may inadvertently leak credentials to spyware, enabling unauthorized IAM changes or data access and violating least privilege principles.
- Malware propagation and persistence on administrative workstations: Adversaries deploy persistent malware, such as ransomware or backdoors, on unhardened workstations to exfiltrate data or pivot to cloud resources. A compromised admin device without restricted execution may allow malware to manipulate IAM configurations or deploy malicious workloads, exploiting outdated software to maintain long-term access.
- Lack of auditability and traceability for privileged workstation activity: Inadequate logging of privileged sessions or IAM actions on workstations prevents detection of unauthorized access, delaying incident response. Unmonitored admin activities, such as console logins or API calls, combined with limited log retention (e.g., 30 days), hinder forensic analysis and allow attackers to operate undetected in cloud environments.
MITRE ATT&CK
- Credential Access (TA0006): Stealing credentials (e.g., passwords, API tokens) from unhardened administrative workstations via keyloggers, phishing, or memory-scraping malware (T1552.001), then using the captured credentials to authenticate to cloud management consoles or APIs for unauthorized access.
- Privilege Escalation (TA0004): Exploiting local admin rights or unpatched vulnerabilities on non-PAW devices to escalate privileges (T1068), manipulating IAM roles or access tokens to gain tenant-wide administrative access, such as modifying cloud resource policies.
- Initial Access (TA0001): Targeting exposed RDP/SSH endpoints on cloud resources via brute force or session interception (T1133), using compromised admin sessions from unsecured remote connections to execute commands or access sensitive data.
- Persistence (TA0003): Establishing persistent access by deploying malware or backdoors on unhardened workstations (T1547.001), maintaining control over admin devices to repeatedly access cloud IAM configurations or deploy malicious workloads.
- Defense Evasion (TA0005): Disabling cloud logging or monitoring services via compromised admin accounts on non-PAW devices (T1562.008), concealing unauthorized IAM changes or resource manipulations by suppressing audit trails.
PA-6.1: Use privileged access solution
Privileged Access Workstations (PAWs) provide hardened, isolated environments preventing credential theft from malware, phishing, and unauthorized access on administrative devices. Without PAWs, administrators using standard workstations or personal devices expose privileged credentials to keyloggers, memory-scraping malware, and session hijacking, enabling attackers to compromise cloud tenants. Implementing PAWs with device hardening, strong authentication, and secure remote access ensures administrative operations remain protected from endpoint-based attacks.
Deploy privileged access workstations through the following structured approach:
- Provision and configure hardened PAW devices: Deploy dedicated Windows devices as PAWs (physical workstations or Azure VMs) and enroll them in Microsoft Intune for centralized management. Apply Microsoft Defender for Endpoint security baselines that remove local administrator rights, enforce device encryption with BitLocker, and configure Windows Defender Application Control (WDAC) or AppLocker policies restricting application execution to approved administrative tools only (Azure portal, PowerShell, Azure CLI, Visual Studio Code).
- Implement device compliance and application control: Configure Intune device configuration profiles enforcing security policies, including disabled local admin accounts, mandatory screen lock after 5 minutes of inactivity, blocked removable storage devices, and restricted Microsoft Store installations. Deploy the Company Portal app for managed application delivery so that only approved tools reach PAWs, and block personal applications and consumer cloud services through Microsoft Defender for Cloud Apps integration.
- Enable threat detection and monitoring: Integrate Microsoft Defender for Endpoint on all PAWs for real-time behavioral monitoring that detects credential theft attempts, suspicious process execution, and malware activity. Configure attack surface reduction rules blocking Office macros, script-based malware, and credential dumping tools, with automated alerts notifying the security team of high-severity threats that require immediate investigation.
- Enforce identity and access controls: Create Microsoft Entra Conditional Access policies requiring phishing-resistant MFA (FIDO2 security keys or certificate-based authentication) for all privileged account access to the Azure portal and Microsoft 365 from PAWs. Implement device-based filters restricting access exclusively to Entra-joined or Intune-compliant PAWs while blocking BYOD scenarios, and enable Microsoft Entra Privileged Identity Management (PIM) for just-in-time role activation requiring approval and justification before granting time-bound administrative permissions.
- Deploy secure remote access for cloud resources: Provision Azure Bastion as a fully platform-managed PaaS service in virtual networks, enabling RDP/SSH connectivity to Azure VMs directly through the Azure portal via web browser without public IP exposure. Store SSH private keys as secrets in Azure Key Vault with Entra ID-based access policies restricting key usage to authorized PAW devices, configure network security groups (NSGs) limiting Bastion traffic by source IP ranges and protocols, and integrate with Azure Monitor for alerting on configuration changes or unauthorized access attempts.
- Establish PAW usage policies and training: Document mandatory PAW usage requirements for all privileged operations, including Azure portal access, PowerShell administration, and infrastructure changes, and prohibit privileged account usage from non-PAW devices through technical controls and policy enforcement. Train administrators on PAW access procedures, approved tool usage, and incident reporting protocols, with quarterly compliance reviews verifying adherence to PAW-only administrative access.
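The identity and access step above describes a policy design (phishing-resistant MFA, compliant PAW devices only, a break-glass exclusion as required by PA-5.1) that is easy to get subtly wrong in the portal: classic MFA instead of an authentication strength, an OR operator, or a block policy that also blocks the emergency account. The following is an added example, not code from the benchmark page or from Microsoft, that lints a set of policies for those mistakes. The policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource, but the policies themselves are constructed; tagging PAWs with extensionAttribute1 set to "PAW" is an assumed convention, and the role template and authentication strength IDs should be confirmed against your own tenant.

```python
"""Lint Conditional Access policies against the PAW and break-glass requirements.

Added example, not code from the benchmark page or from Microsoft. Policy
dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy
resource (GET /identity/conditionalAccess/policies); the policies themselves
are constructed. Tagging PAWs with extensionAttribute1 == "PAW" is an assumed
convention, not a Microsoft default; confirm the role template and
authentication strength IDs against your own tenant before relying on them.
"""

# Directory role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Built-in authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
# Placeholder object IDs of the emergency access accounts (from the text).
EMERGENCY_ACCOUNT_IDS = {
    "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
    "11bb11bb-cc22-dd33-ee44-55ff55ff55ff",
}

# Weak: classic MFA only, any device, and no break-glass exclusion.
WEAK_POLICY = {
    "displayName": "Admins - require MFA",
    "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": []},
                   "applications": {"includeApplications": ["All"]}, "devices": None},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
}

# Hardened pair: grant only with compliant device AND phishing-resistant MFA ...
HARDENED_GRANT = {
    "displayName": "Admins - compliant PAW + phishing-resistant MFA",
    "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                             "excludeUsers": ["00aa00aa-bb11-cc22-dd33-44ee44ee44ee"]},
                   "applications": {"includeApplications": ["All"]}, "devices": None},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                      "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
}
# ... and block everything that is not a tagged PAW (filter mode "exclude" means
# the policy applies to all devices NOT matching the rule).
HARDENED_BLOCK = {
    "displayName": "Admins - block non-PAW devices",
    "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                             "excludeUsers": ["00aa00aa-bb11-cc22-dd33-44ee44ee44ee"]},
                   "applications": {"includeApplications": ["All"]},
                   "devices": {"deviceFilter": {"mode": "exclude",
                                                "rule": 'device.extensionAttribute1 -eq "PAW"'}}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"], "authenticationStrength": None},
}


def _targets_admins(policy):
    users = policy["conditions"]["users"]
    return (GLOBAL_ADMIN_ROLE in (users.get("includeRoles") or [])
            or "All" in (users.get("includeUsers") or []))


def _controls(policy):
    """(operator, builtInControls, authentication strength id or None)."""
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    return grant.get("operator"), grant.get("builtInControls") or [], strength


def lint_policies(policies, emergency_ids=EMERGENCY_ACCOUNT_IDS):
    """Return (policy name, finding) pairs; an empty list means the set passes."""
    findings = []
    enforced = []
    for p in policies:
        name = p["displayName"]
        if p.get("state") != "enabled":
            findings.append((name, f"not enforced (state={p.get('state')})"))
            continue
        enforced.append(p)
        # PA-5.1: every policy must leave at least one break-glass account out,
        # otherwise a Conditional Access or MFA outage locks out every admin.
        if not set(p["conditions"]["users"].get("excludeUsers") or []) & emergency_ids:
            findings.append((name, "no emergency access account is excluded"))
        operator, controls, strength = _controls(p)
        if "block" in controls:
            continue
        if "mfa" in controls and strength is None:
            findings.append((name, "classic MFA only; require a phishing-resistant authentication strength"))
        if operator == "OR" and len(controls) + (1 if strength else 0) > 1:
            findings.append((name, "operator OR lets any single control satisfy the policy; use AND"))
    # Tenant-level checks for the Global Administrator role.
    if not any(_targets_admins(p) and _controls(p)[0] == "AND"
               and "compliantDevice" in _controls(p)[1] and _controls(p)[2] == PHISHING_RESISTANT_MFA
               for p in enforced):
        findings.append(("<tenant>", "no enforced policy requires compliant device AND phishing-resistant MFA for Global Administrators"))
    if not any(_targets_admins(p) and "block" in _controls(p)[1]
               and ((p["conditions"].get("devices") or {}).get("deviceFilter") or {}).get("mode") == "exclude"
               for p in enforced):
        findings.append(("<tenant>", "no enforced block policy keeps Global Administrators off non-PAW devices"))
    return findings


if __name__ == "__main__":
    for name, finding in lint_policies([WEAK_POLICY]):
        print(f"[{name}] {finding}")
    print("hardened set findings:", lint_policies([HARDENED_GRANT, HARDENED_BLOCK]))
```

A policy left in report-only mode is reported as a finding rather than counted, because report-only policies satisfy none of the requirements at sign-in time. The block policy deliberately carries the same emergency account exclusion as the grant policy; without it, the break-glass account would be blocked on every device that is not a PAW, which defeats its purpose.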
Implementation example
Challenge: A healthcare organization discovered 23 administrators using personal laptops and standard corporate workstations with unrestricted local admin rights to manage production Azure resources containing protected health information (PHI). The devices had no endpoint protection, application control, or activity monitoring, exposing privileged credentials to malware and phishing attacks, creating HIPAA compliance risks, and enabling potential credential theft.
Solution
- Deploy dedicated PAW infrastructure: Provisioned 25 dedicated Windows 11 Enterprise devices as PAWs enrolled in Microsoft Intune with strict device compliance policies, applied the Microsoft Defender for Endpoint security baseline removing all local administrator rights, enabled BitLocker full disk encryption with TPM protection, and configured Windows Defender Application Control (WDAC) to allow only approved administrative tools (Azure portal, PowerShell 7, Azure CLI, Visual Studio Code, Microsoft Remote Desktop), blocking all other application execution, including Office productivity suites and web browsers other than Edge in Application Guard mode.
- Implement comprehensive device hardening: Configured Intune device configuration profiles enforcing security policies, including a mandatory 5-minute screen lock with Windows Hello authentication, blocked USB storage devices and external media, disabled camera and microphone access, and prevented local credential caching. Deployed Company Portal for managed app delivery, restricting installations to approved administrative tools, and integrated Microsoft Defender for Cloud Apps to block access to consumer cloud storage services (Dropbox, personal OneDrive, Gmail) through network traffic inspection.
- Enable advanced threat protection: Integrated Microsoft Defender for Endpoint on all PAWs with attack surface reduction rules blocking Office macros, script-based threats, credential harvesting tools (Mimikatz), and suspicious process injections; configured endpoint detection and response (EDR) with automated investigation and remediation for high-severity threats; enabled tamper protection preventing security controls from being disabled; and established security operations center (SOC) alerting with a 15-minute response SLA for critical PAW security events.
- Enforce phishing-resistant authentication: Created Microsoft Entra Conditional Access policies requiring FIDO2 security key authentication for all privileged accounts accessing the Azure portal and Microsoft 365 from PAWs, implemented device compliance filters allowing access exclusively from Intune-managed PAWs with a compliant security posture, blocked legacy authentication protocols (Basic Auth, POP3, IMAP), and enabled Microsoft Entra PIM requiring an approval workflow and 4-hour time-bound activation for the Owner and Contributor roles with mandatory justification documentation.
- Deploy secure remote access infrastructure: Provisioned Azure Bastion (Standard SKU) across all production virtual networks enabling browser-based RDP/SSH access to Azure VMs without public IP exposure, stored SSH private keys in Azure Key Vault Premium with HSM protection and Entra ID-based access policies restricting key usage to specific PAW device identities, configured NSGs limiting Bastion subnet traffic to authorized source IP ranges from the corporate network and PAW subnet, and integrated Azure Monitor with alert rules triggering on Bastion configuration changes, unauthorized access attempts, or session durations exceeding 8 hours.
- Establish mandatory PAW usage governance: Documented and enforced a zero-tolerance policy prohibiting privileged account usage from non-PAW devices through Conditional Access blocks, trained the 23 administrators on PAW access procedures (FIDO2 key usage, approved tool limitations, and incident reporting protocols) through hands-on workshops, implemented quarterly compliance audits with automated Intune reporting validating that 100% of privileged operations originated from compliant PAWs, and established executive escalation for policy violations requiring immediate investigation and remediation.
Outcome: The organization eliminated credential exposure risk from 23 unsecured administrative devices, achieved 100% PAW adoption for privileged access with zero security baseline violations across 25 devices over a 6-month period, prevented 12 phishing attempts detected by Defender for Endpoint with automated blocking of credential theft tools, reduced privileged account compromise risk by 87% through phishing-resistant authentication and device hardening, and achieved HIPAA compliance for administrative access controls with a complete audit trail for all privileged operations.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2, AC-3, AC-6, IA-2, IA-5, IA-8, SI-4
- PCI-DSS v4 2.2.1, 7.2.5, 8.2.8, 8.4.2
- CIS Controls v8.1 4.1, 5.4, 6.3, 6.4
- NIST CSF v2.0 PR.AC-7, PR.PT-3, DE.CM-1
- ISO 27001:2022 A.5.15, A.8.5, A.8.16
- SOC 2 CC6.1, CC6.6, CC6.7
PA-7: Follow just enough administration (least privilege) principle
Azure Policy: See Azure built-in policy definitions: PA-7.
Security principle
Follow the just enough administration (least privilege) principle to manage permissions at a fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments.
Risk to mitigate
- Unauthorized access due to excessive permissions: Attackers exploit over-privileged accounts with permissions beyond what is required for their role, enabling unauthorized access to sensitive cloud resources such as storage accounts, virtual machines, or databases. In cloud environments, excessive permissions often result from broad role assignments (e.g., granting Owner instead of Contributor at a subscription scope), allowing adversaries to perform actions like data exfiltration, resource deletion, or IAM policy modification. For instance, a user with unnecessary write access to a storage account can extract confidential data or deploy malicious content, amplifying the attack surface.
- Privilege escalation from misconfigured role assignments: Adversaries leverage misconfigured or overly permissive role assignments to escalate privileges, gaining unauthorized control over cloud resources or entire tenants. Without granular RBAC policies, a user with a seemingly low-privilege role (e.g., Reader at a resource group scope) might exploit inherited permissions or role misconfigurations to assign themselves higher privileges, such as Owner at a subscription level. This can lead to tenant-wide compromise, enabling attackers to manipulate IAM configurations, deploy malicious workloads, or disable security controls.
- Insider threats from unrestricted access: Authorized users, intentionally or unintentionally, misuse broad access privileges to perform unauthorized actions, such as modifying critical resources or accessing sensitive data. In cloud platforms, an insider with a role granting excessive permissions (e.g., Contributor across multiple resource groups) can alter virtual machine configurations, extract data from databases, or disrupt services without detection. Lack of least privilege enforcement allows such actions to bypass standard oversight, increasing the risk of data breaches or operational disruptions.
- Lateral movement across cloud resources: Attackers exploit over-privileged accounts to move laterally across cloud resources, accessing unrelated systems or data after compromising a single account. In a cloud tenant, a compromised account with a role granting access to multiple resource groups (e.g., Contributor at a subscription scope) allows adversaries to pivot from one resource (e.g., a virtual machine) to another (e.g., a storage account), escalating their impact. This risk is heightened when role assignments lack resource-specific scoping, enabling attackers to enumerate and exploit interconnected resources.
MITRE ATT&CK
- Initial Access (TA0001) - Valid Accounts: Cloud Accounts (T1078.004): Compromising over-privileged accounts with broad RBAC roles (e.g., Owner at subscription scope) to authenticate to cloud management consoles or APIs, enabling adversaries to access sensitive resources like storage accounts or virtual machines without detection.
- Privilege Escalation (TA0004) - Abuse Elevation Control Mechanism: Cloud Infrastructure (T1548.005): Exploiting misconfigured RBAC roles with excessive permissions to escalate privileges, such as modifying IAM policies to assign tenant-wide administrative roles from a resource group scope, granting unauthorized control over cloud resources.
- Persistence (TA0003) - Account Manipulation: Additional Cloud Roles (T1098.001): Modifying RBAC role assignments to add persistent high-privilege roles to compromised accounts, allowing adversaries to maintain access to cloud resources like databases or compute instances via unauthorized role bindings.
- Exfiltration (TA0010) - Data from Cloud Storage (T1530): Accessing and extracting sensitive data from cloud storage using accounts with overly permissive RBAC roles, enabling adversaries to enumerate and download confidential files from storage buckets due to unscoped permissions.
- Defense Evasion (TA0005) - Impair Defenses: Disable or Modify Cloud Logs (T1562.008): Using accounts with excessive RBAC permissions to disable audit logging or monitoring services, concealing malicious actions like resource modifications or IAM changes by suppressing cloud-native audit trails.
PA-7.1: Use Azure RBAC to manage Azure resource access
Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal.
The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges will complement the just-in-time (JIT) approach of Microsoft Entra ID Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates.
Note: Use Azure built-in roles to allocate permissions and only create custom roles when required.
Implementation example
Challenge: A software company had granted 145 developers the Owner role at subscription scope for convenience, providing excessive permissions that allowed database deletion, network security group modification, and IAM policy changes far beyond development needs.
Solution
- Implement least privilege RBAC: Analyzed actual permission requirements and reassigned developers to scoped custom roles limiting access to specific resource groups with granular permissions (read/write for App Services, read-only for Key Vault, no access to network or IAM resources).
- Deploy PIM for time-bound assignments: Configured Microsoft Entra PIM for elevated access needs, requiring developers to activate the Contributor role for 4-hour windows with justification and approval, replacing standing Owner assignments with on-demand access.
- Establish RBAC governance: Created automated monthly reviews of all role assignments using PIM access reviews, requiring resource owners to justify continued access and automatically flagging role assignments broader than resource group scope for security team review.
Outcome: The organization reduced 145 standing Owner assignments to 0, limited developer access to 23 scoped resource groups with custom roles averaging 8 permissions versus the previous 100+ Owner permissions, and prevented 3 accidental production deletions in the first quarter through restricted access.
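The periodic review that PA-7.1 calls for, and the automated flagging of assignments broader than resource group scope in the implementation example above, can be run over an export of role assignments. The following is an added example, not tooling from the benchmark page or from Microsoft: ASSIGNMENTS is constructed to mimic the JSON fields that `az role assignment list --all` returns (principalName, principalType, roleDefinitionName, scope); the subscription ID, principals and custom role name are placeholders. It generalizes slightly beyond the text by also flagging high-impact roles held as standing assignments directly by a user, which is what the PIM step of the example replaces.

```python
"""Review exported Azure RBAC assignments for least-privilege violations.

Added example, not tooling from the benchmark page or from Microsoft. ASSIGNMENTS
is constructed to mimic the JSON that `az role assignment list --all` returns
(principalName, principalType, roleDefinitionName, scope); the subscription ID,
principals and custom role name are placeholders.
"""
import re
from collections import Counter

# Roles whose standing assignment always deserves a second look: Owner and User
# Access Administrator can grant further access; Contributor can change or delete.
HIGH_IMPACT_ROLES = {"Owner", "User Access Administrator", "Contributor"}

_SCOPE_PATTERNS = [
    ("managementGroup", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resourceGroup", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
]
_SCOPE_RANK = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2, "resource": 3}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
ASSIGNMENTS = [   # constructed sample export
    {"principalName": "dev1@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "dev2@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-app-dev"},
    {"principalName": "grp-app-developers", "principalType": "Group",
     "roleDefinitionName": "AppDev Contributor (custom)", "scope": f"{SUB}/resourceGroups/rg-app-dev"},
    {"principalName": "sp-ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-app-dev/providers/Microsoft.Web/sites/app-dev-01"},
    {"principalName": "grp-platform-readers", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
]


def scope_level(scope):
    """Classify a scope string as managementGroup, subscription, resourceGroup or resource."""
    for level, pattern in _SCOPE_PATTERNS:
        if pattern.match(scope):
            return level
    return "resource"


def review_assignments(assignments):
    """Return one finding dict per assignment that breaks the least-privilege rules."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        reasons = []
        # Rule 1 (the monthly review in the text): anything above resource group
        # scope goes to the security team, whatever the role.
        if _SCOPE_RANK[level] < _SCOPE_RANK["resourceGroup"]:
            reasons.append(f"scope is {level}, broader than a resource group")
        # Rule 2: high-impact roles held as standing assignments directly by a
        # user should be PIM-eligible (or at least group-based) instead.
        if a["roleDefinitionName"] in HIGH_IMPACT_ROLES and a["principalType"] == "User":
            reasons.append(f"standing {a['roleDefinitionName']} assigned directly to a user; make it PIM-eligible")
        if reasons:
            findings.append({"principal": a["principalName"], "role": a["roleDefinitionName"],
                             "scope": a["scope"], "reasons": reasons})
    return findings


def standing_owner_count(assignments):
    """Number of permanent Owner assignments in the export. Assumes the export holds
    active assignments only; PIM-eligible assignments are tracked separately."""
    return Counter(a["roleDefinitionName"] for a in assignments)["Owner"]


if __name__ == "__main__":
    for f in review_assignments(ASSIGNMENTS):
        print(f"{f['principal']:<22} {f['role']:<28} {f['scope']}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print("standing Owner assignments:", standing_owner_count(ASSIGNMENTS))
```

Scope matching is case-insensitive because Azure returns resource group segments with whatever casing they were created with. The service principal's Contributor assignment on a single App Service passes both rules, which is the intended outcome: a tightly scoped workload identity is what the least-privilege step of the example is driving toward.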
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2, AC-3, AC-5, AC-6, AC-6(1), AC-6(2)
- PCI-DSS v4 7.2.1, 7.2.2, 7.2.3, 8.2.2
- CIS Controls v8.1 3.3, 5.4, 6.1, 6.8
- NIST CSF v2.0 PR.AC-4, PR.AC-7, PR.AA-1
- ISO 27001:2022 A.5.15, A.5.18, A.8.2, A.8.3
- SOC 2 CC6.1, CC6.3, CC6.7
PA-8: Determine access process for cloud provider support
Security principle
Establish an approval process and access path for requesting and approving vendor support requests and temporary access to your data through a secure channel.
Risk to mitigate
- Unauthorized data access via cloud provider support: Risk of cloud provider support personnel accessing customer data stores without explicit consent, potentially exploiting privileged credentials during diagnostic or maintenance operations.
- Insider threat exploitation through provider access: Potential for malicious or negligent cloud provider insiders to abuse privileged access, leading to data exfiltration or unauthorized modifications within customer tenants.
- Opaque access operations without visibility: Lack of visibility into data access events, hindering traceability and accountability, which can erode trust and violate audit requirements.
- Excessive privilege escalation: Risk of cloud provider support engineers obtaining overly broad access scopes, exceeding the least privilege principle and increasing the attack surface within cloud resources.
- Regulatory non-compliance with audit requirements: Uncontrolled data access violating data protection frameworks (e.g., GDPR, HIPAA, CCPA), risking non-compliance penalties due to inadequate access governance.
- Data exposure during support operations: Potential for sensitive data leakage or mishandling during support activities, such as remote desktop sessions or log analysis, without customer governance.
MITRE ATT&CK
- Valid Accounts (T1078.004): Exploitation of compromised or misused cloud account credentials, such as those of support personnel, to access customer data in cloud environments, bypassing standard authentication controls.
- Account Manipulation (T1098.001): Addition of unauthorized credentials, like keys or tokens, to cloud identity services or applications, enabling persistent access to customer resources during support operations.
- Brute Force (T1110): Repeated attempts to guess cloud account credentials, such as those used by support engineers, to gain unauthorized access to customer data during troubleshooting activities.
- Steal Application Access Token (T1528): Theft of access tokens used by support personnel to interact with customer cloud resources, facilitating unauthorized data access or lateral movement within the tenant.
- OS Credential Dumping (T1003.006): Extraction of credentials from cloud identity services by insiders with temporary elevated access, allowing synchronization of sensitive identity data for persistent access.
PA-8.1: Use Azure Customer Lockbox
Customer Lockbox provides explicit approval control for Microsoft support engineer data access, ensuring customers maintain governance over who accesses their cloud resources during troubleshooting. Without Lockbox, support engineers could access customer data without explicit consent, creating compliance risks and reducing visibility into vendor access activities. Implementing Lockbox ensures every support data access request requires customer approval, maintaining audit trails and regulatory compliance.
Implement Customer Lockbox through the following process:
- Enable Lockbox: A Global Administrator enables Customer Lockbox at the tenant level via the Azure portal's Administration module. This requires an Azure support plan (Developer or higher); all subscriptions and resources under the tenant are covered.
- Initiate support request: Users open support tickets in the Azure portal for workload issues; Microsoft support engineers review the tickets and determine whether data access is needed beyond standard troubleshooting tools.
- Request elevated access: If standard tools can't resolve the issue, engineers request elevated permission via the Just-In-Time (JIT) access service, creating Lockbox requests for direct data access (e.g., virtual machine remote desktop) that specify purpose, duration, and resources.
- Notify designated approvers: Designated approvers (Subscription Owners, Global Admins, or Azure Customer Lockbox Approvers) receive email notifications with request details and links to the Lockbox blade; alternate email notifications can be configured for non-email-enabled accounts or service principals.
- Review and approve or deny: Approvers sign into the Azure portal to review requests and the associated support tickets, approving or denying within four days. Approval grants access for a limited time (default: 8 hours); denial or expiration prevents access.
Implementation example
Challenge: A financial services organization required explicit approval control for Microsoft support data access due to regulatory requirements but lacked visibility into support engineer access requests and approval workflows for compliance auditing.
Solution
- Enable Customer Lockbox: Activated Customer Lockbox at the tenant level for all subscriptions, requiring Global Administrator approval, and established a documented approval process with designated Subscription Owners and Azure Customer Lockbox Approvers receiving automated email notifications for all data access requests.
- Configure approval workflows: Established a 4-day review window for all Lockbox requests with mandatory approver justification documentation, configured alternate email notifications for service principals, and implemented escalation procedures for time-sensitive support scenarios.
- Implement monitoring and audit logging: Integrated Customer Lockbox approval events with Microsoft Sentinel, generating real-time alerts for the security team and enabling a comprehensive audit trail of all support access requests, approval decisions, and access durations for regulatory reporting.
Outcome: The organization achieved 100% explicit approval for Microsoft support data access with an average 2-hour approval latency, maintained a complete audit trail of 47 Lockbox requests over 6 months for regulatory compliance, and denied 3 requests that did not meet approval criteria, demonstrating governance control.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5 AC-2, AC-3, AC-6(2), AU-6, CA-3
- PCI-DSS v4 8.2.2, 10.2.2, 12.8.2, 12.8.5
- CIS Controls v8.1 5.4, 6.8, 8.2, 8.11
- NIST CSF v2.0 PR.AC-4, PR.PT-2, DE.AE-3
- ISO 27001:2022 A.5.19, A.5.20, A.5.23, A.8.2
- SOC 2 CC6.3, CC6.7, CC7.2