Share via


Identity and access management overview

How do Microsoft online services protect production systems from unauthorized or malicious access?

Microsoft online services are designed to allow Microsoft's engineers to operate services without accessing customer content. By default, Microsoft engineers have Zero Standing Access (ZSA) to customer content and no privileged access to the production environment. Microsoft online services use a Just-In-Time (JIT), Just-Enough-Access (JEA) model to provide service team engineers with temporary privileged access to production environments when such access is required to support Microsoft online services. The JIT access model replaces traditional, persistent administrative access with a process for engineers to request temporary elevation into privileged roles when required.

Engineers assigned to a service team to support production services request eligibility for a service team account through an identity and access management solution. The request for eligibility triggers a series of personnel checks to ensure the engineer has passed all cloud screening requirements, completed necessary training, and received appropriate management approval prior to account creation. Only after meeting all eligibility requirements can a service team account be created for the requested environment. To maintain eligibility for a service team account, personnel must go through role-based training annually and rescreening every two years. Failure to complete or pass these checks result in eligibilities automatically being revoked.

Service team accounts don’t grant any standing administrator privileges or access to customer content. When an engineer requires additional access to support Microsoft online services, they request temporary elevated access to the resources they require using an access management tool called Lockbox. Lockbox restricts elevated access to the minimum privileges, resources, and time needed to complete the assigned task. If an authorized reviewer approves the JIT access request, the engineer is granted temporary access with only the privileges necessary to complete their assigned work. This temporary access requires multi-factor authentication and is automatically revoked after the approved period expires.

JEA is enforced by eligibilities and Lockbox roles at the time of request for JIT access. Only requests for access to assets within the scope of the engineer's eligibilities are accepted and passed on to the approver. Lockbox automatically rejects JIT requests that are outside the scope of the engineer's eligibilities and Lockbox roles, including requests that exceed allowed thresholds.

How do Microsoft online services use role-based access control (RBAC) with Lockbox to enforce least privilege?

Service team accounts don’t grant any standing administrator privileges or access to customer content. JIT requests for limited administrator privileges are managed through Lockbox. Lockbox uses RBAC to limit the types of JIT elevation requests engineers can make, providing an additional layer of protection to enforce least privilege. RBAC also helps enforce separation of duties by limiting service team accounts to appropriate roles. Engineers supporting a service are granted membership to security groups based on their role. Membership in a security group doesn’t grant any privileged access. Instead, security groups allow engineers to use Lockbox to request JIT elevation when required for supporting the system. The specific JIT requests an engineer can make are limited by their security group memberships.

How do Microsoft online services handle remote access to production systems?

Microsoft online services system components are housed in datacenters geographically separated from the operations teams. Datacenter personnel don’t have logical access to Microsoft online services systems. As a result, Microsoft service team personnel manage the environment through remote access. Service team personnel who require remote access to support Microsoft online services are only granted remote access after approval from an authorized manager. All remote access uses FIPS 140-2 compatible TLS for secure remote connections.

Microsoft online services use Secure Admin Workstations (SAW) for service team remote access to help protect Microsoft online service environments from compromise. These workstations are designed to prevent intentional or unintentional loss of production data, including locking down USB ports and limiting the software available on the Secure Admin Workstation to what is required for supporting the environment. Secure Admin Workstations are closely tracked and monitored to detect and prevent malicious or inadvertent compromise of customer data by Microsoft engineers.

Privileged access by Microsoft personnel follows a specific path through Microsoft-controlled TSGs with two-factor authentication. All access and activities through TSGs are closely monitored, and alerts and reports are used to identify any anomalous connections. Service teams also implement trend-based monitoring to ensure service health and detect abnormal usage patterns.

How does Customer Lockbox add additional protection for customer content?

Customers can add an additional level of access control to their content by enabling Customer Lockbox. When a Lockbox elevation request involves access to customer content, Customer Lockbox requires approval from the customer as a final step in the approval workflow. This process gives organizations the option to approve or deny these requests and provides direct access control to the customer. If the customer rejects a Customer Lockbox request, access to the requested content is denied. If the customer doesn’t reject or approve the request within a certain period, then the request will expire automatically without Microsoft obtaining access to customer content. If the customer approves the request, then Microsoft's temporary access to customer content will be logged, auditable, and revoked automatically after the time assigned to complete the troubleshooting operation expires.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to identity and access control.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001

Statement of Applicability
Certificate
A.9.1: Business requirements of access control
A.9.2: User access management
A.9.3: User responsibilities
A.9.4: System and application access control
A.15.1: Information security in supplier relationships
April 8, 2024
ISO 27017

Statement of Applicability
Certificate
A.9.1: Business requirements of access control
A.9.2: User access management
A.9.3: User responsibilities
A.9.4: System and application access control
A.15.1: Information security in supplier relationships
April 8, 2024
SOC 1
SOC 2
SOC 3
OA-2: Provisioning access
OA-7: JIT access
OA-21: Secure Admin Workstations and MFA
May 20, 2024

Microsoft 365

External audits Section Latest report date
FedRAMP (Office 365) AC-2: Account management
AC-3: Access enforcement
AC-5: Separation of duties
AC-6: Least privilege
AC-17: Remote access
July 31, 2023
ISO 27001/27017

Statement of Applicability
Certification (27001)
Certification (27017)
A.9.1: Business requirements of access control
A.9.2: User access management
A.9.3: User responsibilities
A.9.4: System and application access control
A.15.1: Information security in supplier relationships
March 2024
SOC 1 CA-33: Account modification
CA-34: User authentication
CA-35: Privileged access
CA-36: Remote access
CA-57: Customer Lockbox Microsoft management approval
CA-58: Customer Lockbox service requests
CA-59: Customer Lockbox notifications
CA-61: JIT review and approval
January 23, 2024
SOC 2 CA-32: Shared account policy
CA-33: Account modification
CA-34: User authentication
CA-35: Privileged access
CA-36: Remote access
CA-53: Third-party monitoring
CA-56: Customer Lockbox customer approval
CA-57: Customer Lockbox Microsoft management approval
CA-58: Customer Lockbox service requests
CA-59: Customer Lockbox notifications
CA-61: JIT review and approval
January 23, 2024
SOC 3 CUEC-15: Customer Lockbox requests January 23, 2024