Objective
Add a new scanner rule to detect Azure subscriptions where Privileged Identity Management (PIM) is not configured for admin roles.
Background
Without PIM, admin roles are permanently assigned with no just-in-time access controls. This means any compromised admin account has constant unrestricted access with no time limit or approval workflow.
Real-World Breach Scenario
In the 2020 SolarWinds attack, threat actors leveraged permanently assigned privileged accounts to move laterally across Azure AD tenants undetected. PIM would have limited the blast radius by restricting admin access to approved time windows only.
Compliance Mapping
- CIS Azure Benchmark: 1.14
- NIST CSF: PR.AC-4
- ISO 27001: A.9.2.3
- SOC 2: CC6.3
Deliverables
- scanner/rules/az_idn_004.py — scan() function using Microsoft Graph API
- playbooks/cli/fix_az_idn_004.sh — enable PIM for admin roles
- compliance/frameworks/cis_azure_benchmark.json — add AZ-IDN-004 entry
- compliance/frameworks/nist_csf.json — add AZ-IDN-004 entry
- compliance/frameworks/iso27001.json — add AZ-IDN-004 entry
- compliance/frameworks/soc2.json — add AZ-IDN-004 entry
Severity
HIGH
Category
Identity
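A sketch of the scan() logic for this rule, added here as an example and not code from the project's repository. It assumes the rule reads Microsoft Graph's roleAssignmentScheduleInstances endpoint (which needs the RoleManagement.Read.Directory permission), that the admin-role set is limited to the two role template IDs listed, and that get_json is a caller-supplied authenticated GET; the sample payload is constructed for an offline run.

```python
"""AZ-IDN-004 (example): flag admin roles assigned permanently instead of via PIM.

On Microsoft Graph, /roleManagement/directory/roleAssignmentScheduleInstances
lists active role assignments. A standing assignment made outside PIM has
assignmentType "Assigned" and no endDateTime; a PIM-activated eligibility shows
assignmentType "Activated" with an expiry, so only the former is a finding.
"""
from typing import Callable, Iterable

GRAPH_URL = ("https://graph.microsoft.com/v1.0/roleManagement/directory/"
             "roleAssignmentScheduleInstances")

# Role template IDs this rule treats as admin roles (assumed scope for the example).
ADMIN_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}


def is_permanent_assignment(inst: dict) -> bool:
    """True for a standing (non-just-in-time) active assignment."""
    return inst.get("assignmentType") == "Assigned" and inst.get("endDateTime") is None


def evaluate(instances: Iterable[dict]) -> list[dict]:
    """Return one HIGH finding per permanent admin-role assignment."""
    findings = []
    for inst in instances:
        role = ADMIN_ROLE_IDS.get(inst.get("roleDefinitionId"))
        if role and is_permanent_assignment(inst):
            findings.append({"rule": "AZ-IDN-004", "severity": "HIGH", "role": role,
                             "principalId": inst.get("principalId"),
                             "memberType": inst.get("memberType")})
    return findings


def scan(get_json: Callable[[str], dict]) -> list[dict]:
    """get_json(url) performs an authenticated Graph GET; paging is followed here."""
    findings, url = [], GRAPH_URL
    while url:
        page = get_json(url)
        findings.extend(evaluate(page.get("value", [])))
        url = page.get("@odata.nextLink")
    return findings


# Constructed sample page: one standing Global Admin, one PIM activation, one non-admin role.
SAMPLE_PAGE = {"value": [
    {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "user-a",
     "assignmentType": "Assigned", "memberType": "Direct", "endDateTime": None},
    {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "user-b",
     "assignmentType": "Activated", "memberType": "Direct", "endDateTime": "2024-01-01T09:00:00Z"},
    {"roleDefinitionId": "00000000-0000-0000-0000-000000000000", "principalId": "user-c",
     "assignmentType": "Assigned", "memberType": "Direct", "endDateTime": None},
]}
```

Running scan() against SAMPLE_PAGE (for example, scan(lambda url: SAMPLE_PAGE)) yields a single finding for user-a; the activated assignment and the non-admin role are not reported.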