Ensure that all the external accounts that have write permissions to your Microsoft Azure subscription(s) are monitored for review and audit purposes using the Microsoft Defender for Cloud service.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
External accounts with write privileges should be monitored, audited, and eventually removed from your Azure subscription(s) in order to prevent unauthorized access to your cloud resources. By monitoring and reviewing all the external accounts with write permissions using Microsoft Defender for Cloud, you can adhere to Azure security best practices and enforce a strict access policy. This should reduce the risk of a compromised external account being used to gain access to the cloud resources deployed within your subscription. When the monitoring of the privileged external accounts is enabled, Microsoft Defender for Cloud will flag these accounts so you can audit them and choose whether or not to proceed with their removal.
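The check below is an added example, not part of this Conformity rule or of the Microsoft Defender for Cloud service: it implements the same classification that the "external accounts with write permissions" recommendation describes, as a local audit over role-assignment data. It takes JSON in the shape produced by `az role assignment list --all --include-inherited -o json` (only the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields are used), treats a user as external when its UPN carries the B2B guest `#EXT#@` marker or belongs to a domain that is not one of the tenant's own verified domains, and treats the built-in Owner and Contributor roles as write permissions. The tenant domains, the write-role set and the sample assignments are constructed assumptions for the example; custom roles with write actions are not evaluated.

```python
import json
import sys

# Constructed sample modelled on the shape of `az role assignment list -o json`
# output, trimmed to the fields this check reads. None of these principals or
# the subscription id are real.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    # B2B guest: the UPN is rewritten to <user>_<homedomain>#EXT#@<tenantdomain>
    {"principalName": "bob_fabrikam.example#EXT#@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    # external domain but read-only, so not flagged
    {"principalName": "carol@partner.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    # external domain with write at resource-group scope (inherited assignments included)
    {"principalName": "dave@partner.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod"},
    # service principals have no UPN and are outside this rule's scope
    {"principalName": "svc-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
])

# Assumed tenant-owned domains; in practice take these from the tenant's verified domains.
TENANT_DOMAINS = {"contoso.example", "contoso.onmicrosoft.com"}

# Built-in roles that grant write access at their scope (assumption: custom roles are
# not inspected here; they would need their Actions list checked for write operations).
WRITE_ROLES = {"Owner", "Contributor"}


def is_external(principal_name: str, tenant_domains: set[str]) -> bool:
    """Return True when a user principal name belongs to an account outside the tenant."""
    if "#EXT#@" in principal_name:
        return True                      # Entra B2B guest account
    if "@" not in principal_name:
        return False                     # not a UPN (e.g. a service principal display name)
    domain = principal_name.rsplit("@", 1)[1].lower()
    return domain not in tenant_domains


def find_external_writers(assignments_json: str,
                          tenant_domains: set[str] = TENANT_DOMAINS,
                          write_roles: set[str] = WRITE_ROLES) -> list[dict]:
    """Return the role assignments that give an external user account write permissions."""
    flagged = []
    for a in json.loads(assignments_json):
        if a.get("principalType") != "User":
            continue
        if a.get("roleDefinitionName") not in write_roles:
            continue
        name = a.get("principalName", "")
        if is_external(name, tenant_domains):
            flagged.append({"principal": name,
                            "role": a["roleDefinitionName"],
                            "scope": a.get("scope", "")})
    return sorted(flagged, key=lambda f: (f["principal"], f["scope"]))


def flagged_principals(assignments_json: str = SAMPLE_ASSIGNMENTS) -> list[str]:
    """Distinct external principals with write access, for quick review."""
    return sorted({f["principal"] for f in find_external_writers(assignments_json)})


if __name__ == "__main__":
    # Read real output from stdin when piped, otherwise use the constructed sample:
    #   az role assignment list --all --include-inherited -o json | python3 check_external.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ASSIGNMENTS
    for f in find_external_writers(data):
        print(f"{f['principal']}\t{f['role']}\t{f['scope']}")
```

Each flagged line is one assignment to review; the same external account can appear more than once when it holds write roles at several scopes, which is why `flagged_principals` collapses the list to distinct accounts for the review step.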
Audit
To determine if the monitoring of privileged external accounts is enabled within Microsoft Defender for Cloud settings, perform the following operations:
Remediation / Resolution
To start monitoring all the external accounts that have write permissions to your Microsoft Azure subscription(s), perform the following operations:
References
- Azure Official Documentation
  - Microsoft Defender for Cloud documentation
  - What is Microsoft Defender for Cloud?
  - Azure Policy built-in policy definitions
  - Manage security policies
- Azure Command Line Interface (CLI) Documentation
  - az
  - az account get-access-token