Identity and access management overview
How do Microsoft online services protect production systems from unauthorized or malicious access?
Microsoft online services are designed to allow Microsoft's engineers to operate services without accessing customer content. By default, Microsoft engineers have Zero Standing Access (ZSA) to customer content and no privileged access to the production environment. Microsoft online services use a Just-In-Time (JIT), Just-Enough-Access (JEA) model to provide service team engineers with temporary privileged access to production environments when such access is required to support Microsoft online services. The JIT access model replaces traditional, persistent administrative access with a process for engineers to request temporary elevation into privileged roles when required.
Engineers assigned to a service team to support production services request eligibility for a service team account through an identity and access management solution. The request for eligibility triggers a series of personnel checks to ensure the engineer has passed all cloud screening requirements, completed necessary training, and received appropriate management approval prior to account creation. Only after meeting all eligibility requirements can a service team account be created for the requested environment. To maintain eligibility for a service team account, personnel must go through role-based training annually and rescreening every two years. Failure to complete or pass these checks result in eligibilities automatically being revoked.
Service team accounts don’t grant any standing administrator privileges or access to customer content. When an engineer requires additional access to support Microsoft online services, they request temporary elevated access to the resources they require using an access management tool called Lockbox. Lockbox restricts elevated access to the minimum privileges, resources, and time needed to complete the assigned task. If an authorized reviewer approves the JIT access request, the engineer is granted temporary access with only the privileges necessary to complete their assigned work. This temporary access requires multi-factor authentication and is automatically revoked after the approved period expires.
JEA is enforced by eligibilities and Lockbox roles at the time of request for JIT access. Only requests for access to assets within the scope of the engineer's eligibilities are accepted and passed on to the approver. Lockbox automatically rejects JIT requests that are outside the scope of the engineer's eligibilities and Lockbox roles, including requests that exceed allowed thresholds.
How do Microsoft online services use role-based access control (RBAC) with Lockbox to enforce least privilege?
Service team accounts don’t grant any standing administrator privileges or access to customer content. JIT requests for limited administrator privileges are managed through Lockbox. Lockbox uses RBAC to limit the types of JIT elevation requests engineers can make, providing an additional layer of protection to enforce least privilege. RBAC also helps enforce separation of duties by limiting service team accounts to appropriate roles. Engineers supporting a service are granted membership to security groups based on their role. Membership in a security group doesn’t grant any privileged access. Instead, security groups allow engineers to use Lockbox to request JIT elevation when required for supporting the system. The specific JIT requests an engineer can make are limited by their security group memberships.
How do Microsoft online services handle remote access to production systems?
Microsoft online services system components are housed in datacenters geographically separated from the operations teams. Datacenter personnel don’t have logical access to Microsoft online services systems. As a result, Microsoft service team personnel manage the environment through remote access. Service team personnel who require remote access to support Microsoft online services are only granted remote access after approval from an authorized manager. All remote access uses FIPS 140-2 compatible TLS for secure remote connections.
Microsoft online services use Secure Admin Workstations (SAW) for service team remote access to help protect Microsoft online service environments from compromise. These workstations are designed to prevent intentional or unintentional loss of production data, including locking down USB ports and limiting the software available on the Secure Admin Workstation to what is required for supporting the environment. Secure Admin Workstations are closely tracked and monitored to detect and prevent malicious or inadvertent compromise of customer data by Microsoft engineers.
Privileged access by Microsoft personnel follows a specific path through Microsoft-controlled TSGs with two-factor authentication. All access and activities through TSGs are closely monitored, and alerts and reports are used to identify any anomalous connections. Service teams also implement trend-based monitoring to ensure service health and detect abnormal usage patterns.
How does Customer Lockbox add additional protection for customer content?
Customers can add an additional level of access control to their content by enabling Customer Lockbox. When a Lockbox elevation request involves access to customer content, Customer Lockbox requires approval from the customer as a final step in the approval workflow. This process gives organizations the option to approve or deny these requests and provides direct access control to the customer. If the customer rejects a Customer Lockbox request, access to the requested content is denied. If the customer doesn’t reject or approve the request within a certain period, then the request will expire automatically without Microsoft obtaining access to customer content. If the customer approves the request, then Microsoft's temporary access to customer content will be logged, auditable, and revoked automatically after the time assigned to complete the troubleshooting operation expires.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to identity and access control.
Azure and Dynamics 365
| External audits | Section | Latest report date |
|---|---|---|
| ISO 27001/27002 Statement of Applicability Certificate |
A.9.1: Business requirements of access control A.9.2: User access management A.9.3: User responsibilities A.9.4: System and application access control A.15.1: Information security in supplier relationships |
November 6, 2023 |
| ISO 27017 Statement of Applicability Certificate |
A.9.1: Business requirements of access control A.9.2: User access management A.9.3: User responsibilities A.9.4: System and application access control A.15.1: Information security in supplier relationships |
November 6, 2023 |
| SOC 1 SOC 2 SOC 3 |
OA-2: Provisioning access OA-7: JIT access OA-21: Secure Admin Workstations and MFA |
November 17, 2023 |
Microsoft 365
| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP (Office 365) | AC-2: Account management AC-3: Access enforcement AC-5: Separation of duties AC-6: Least privilege AC-17: Remote access |
July 31, 2023 |
| ISO 27001/27002/27017 Statement of Applicability Certification (27001/27002) Certification (27017) |
A.9.1: Business requirements of access control A.9.2: User access management A.9.3: User responsibilities A.9.4: System and application access control A.15.1: Information security in supplier relationships |
March 2024 |
| SOC 1 | CA-33: Account modification CA-34: User authentication CA-35: Privileged access CA-36: Remote access CA-57: Customer Lockbox Microsoft management approval CA-58: Customer Lockbox service requests CA-59: Customer Lockbox notifications CA-61: JIT review and approval |
January 23, 2024 |
| SOC 2 | CA-32: Shared account policy CA-33: Account modification CA-34: User authentication CA-35: Privileged access CA-36: Remote access CA-53: Third-party monitoring CA-56: Customer Lockbox customer approval CA-57: Customer Lockbox Microsoft management approval CA-58: Customer Lockbox service requests CA-59: Customer Lockbox notifications CA-61: JIT review and approval |
January 23, 2024 |
| SOC 3 | CUEC-15: Customer Lockbox requests | January 23, 2024 |
Resources
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for