Microsoft Entra ID and PCI-DSS Requirement 7

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
Defined approach requirements

7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

PCI-DSS Defined approach requirements Microsoft Entra guidance and recommendations
7.1.1 All security policies and operational procedures that are identified in Requirement 7 are:
Documented
Kept up to date
In use
Known to all affected parties
Integrate access to cardholder data environment (CDE) applications with Microsoft Entra ID for authentication and authorization.
Document Conditional Access policies for remote access technologies. Automate with Microsoft Graph API and PowerShell. Conditional Access: Programmatic access
Archive the Microsoft Entra audit logs to record security policy changes and Microsoft Entra tenant configuration. To record usage, archive Microsoft Entra sign-in logs in a security information and event management (SIEM) system. Microsoft Entra activity logs in Azure Monitor
7.1.2 Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. Integrate access to CDE applications with Microsoft Entra ID for authentication and authorization.
- Assign users roles to applications or with group membership
- Use Microsoft Graph to list application assignments
- Use Microsoft Entra audit logs to track assignment changes.
List appRoleAssignments granted to a user
Get-MgServicePrincipalAppRoleAssignedTo

Privileged access
Use Microsoft Entra audit logs to track directory role assignments. Administrator roles relevant to this PCI requirement:
- Global
- Application
- Authentication
- Authentication Policy
- Hybrid Identity
To implement least privilege access, use Microsoft Entra ID to create custom directory roles.
If you build portions of CDE in Azure, document privileged role assignments such as Owner, Contributor, user Access Administrator, etc., and subscription custom roles where CDE resources are deployed.
Microsoft recommends you enable Just-In-Time (JIT) access to roles using Privileged Identity Management (PIM). PIM enables JIT access to Microsoft Entra security groups for scenarios when group membership represents privileged access to CDE applications or resources. Microsoft Entra built-in roles
Microsoft Entra identity and access management operations reference guide
Create and assign a custom role in Microsoft Entra ID
Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID
What is Microsoft Entra Privileged Identity Management?
Best practices for all isolation architectures
PIM for Groups

7.2 Access to system components and data is appropriately defined and assigned.

PCI-DSS Defined approach requirements Microsoft Entra guidance and recommendations
7.2.1 An access control model is defined and includes granting access as follows:
Appropriate access depending on the entity’s business and access needs.
Access to system components and data resources that is based on users’ job classification and functions.
The least privileges required (for example, user, administrator) to perform a job function.
Use Microsoft Entra ID to assign users to roles in applications directly or through group memberships.
Organizations with standardized taxonomy implemented as attributes can automate access grants based on user job classification and function. Use Microsoft Entra groups with group membership, and Microsoft Entra entitlement management access packages with dynamic assignment policies.
Use entitlement management to define separation of duties to delineate least privilege.
PIM enables JIT access to Microsoft Entra security groups for custom scenarios where group membership represents privileged access to CDE applications or resources. Manage rules for dynamic membership groups
Configure an automatic assignment policy for an access package in entitlement management
Configure separation of duties for an access package in entitlement management
PIM for Groups
7.2.2 Access is assigned to users, including privileged users, based on:
Job classification and function.
Least privileges necessary to perform job responsibilities.
Use Microsoft Entra ID to assign users to roles in applications directly or through group membership.
Organizations with standardized taxonomy implemented as attributes can automate access grants based on user job classification and function. Use Microsoft Entra groups with group membership, and Microsoft Entra entitlement management access packages with dynamic assignment policies.
Use entitlement management to define separation of duties to delineate least privilege.
PIM enables JIT access to Microsoft Entra security groups for custom scenarios where group membership represents privileged access to CDE applications or resources. Manage rules for dynamic membership groups
Configure an automatic assignment policy for an access package in entitlement management
Configure separation of duties for an access package in entitlement management
PIM for Groups
7.2.3 Required privileges are approved by authorized personnel. Entitlement management supports approval workflows to grant access to resources, and periodic access reviews. Approve or deny access requests in entitlement management
Review access of an access package in entitlement management
PIM supports approval workflows to activate Microsoft Entra directory roles, and Azure roles, and cloud groups. Approve or deny requests for Microsoft Entra roles in PIM
Approve activation requests for group members and owners
7.2.4 All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:
At least once every six months.
To ensure user accounts and access remain appropriate based on job function.
Any inappropriate access is addressed. Management acknowledges that access remains appropriate.
If you grant access to applications using direct assignment or with group membership, configure Microsoft Entra access reviews. If you grant access to applications using entitlement management, enable access reviews at the access package level. Create an access review of an access package in entitlement management
Use Microsoft Entra External ID for third-party and vendor accounts. You can perform access reviews targeting external identities, for instance third-party or vendor accounts. Manage guest access with access reviews
7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:
Based on the least privileges necessary for the operability of the system or application.
Access is limited to the systems, applications, or processes that specifically require their use.
Use Microsoft Entra ID to assign users to roles in applications directly or through group membership.
Organizations with standardized taxonomy implemented as attributes can automate access grants based on user job classification and function. Use Microsoft Entra groups with group membership, and Microsoft Entra entitlement management access packages with dynamic assignment policies.
Use entitlement management to define separation of duties to delineate least privilege.
PIM enables JIT access to Microsoft Entra security groups for custom scenarios where group membership represents privileged access to CDE applications or resources. Manage rules for dynamic membership groups
Configure an automatic assignment policy for an access package in entitlement management
Configure separation of duties for an access package in entitlement management
PIM for Groups
7.2.5.1 All access by application and system accounts and related access privileges are reviewed as follows:
Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
The application/system access remains appropriate for the function being performed.
Any inappropriate access is addressed.
Management acknowledges that access remains appropriate.
Best practices when reviewing service accounts permissions. Governing Microsoft Entra service accounts
Govern on-premises service accounts
7.2.6 All user access to query repositories of stored cardholder data is restricted as follows:
Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
Only the responsible administrator(s) can directly access or query repositories of stored card-holder data (CHD).
Modern applications enable programmatic methods that restrict access to data repositories.
Integrate applications with Microsoft Entra ID using modern authentication protocols such as OAuth and OpenID connect (OIDC). OAuth 2.0 and OIDC protocols on the Microsoft identity platform
Define application-specific roles to model privileged and nonprivileged user access. Assign users or groups to roles. Add app roles to your application and receive them in the token
For APIs exposed by your application, define OAuth scopes to enable user and administrator consent. Scopes and permissions in the Microsoft identity platform
Model privileged and non-privileged access to the repositories with the following approach and avoid direct repository access. If administrators and operators require access, grant it per the underlying platform. For instance, ARM IAM assignments in Azure, Access Control Lists (ACLs) windows, etc.
See architecture guidance that includes securing application platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) in Azure. Azure Architecture Center

7.3 Access to system components and data is managed via an access control system(s).

PCI-DSS Defined approach requirements Microsoft Entra guidance and recommendations
7.3.1 An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components. Integrate access to applications in the CDE with Microsoft Entra ID as an access control system authentication and authorization. Conditional Access policies, with application assignments control access to applications. What is Conditional Access?
Assign users and groups to an application
7.3.2 The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. Integrate access to applications in the CDE with Microsoft Entra ID as an access control system authentication and authorization. Conditional Access policies, with application assignments control access to applications. What is Conditional Access?
Assign users and groups to an application
7.3.3 The access control system(s) is set to “deny all” by default. Use Conditional Access to block access based on access request conditions such as group membership, applications, network location, credential strength, etc. Conditional Access: Block access
Misconfigured block policy might contribute to unintentional lockouts. Design an emergency access strategy. Manage emergency access admin accounts in Microsoft Entra ID

Next steps

PCI-DSS requirements 3, 4, 9, and 12 aren't applicable to Microsoft Entra ID, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: Official PCI Security Standards Council Site.

To configure Microsoft Entra ID to comply with PCI-DSS, see the following articles.