Manage Identity and Access

Objective

Manage identities and establish access control policies and procedures for management of administrative privileges.

Prevent use of Legacy Authentication Protocols
Configure Azure AD Password Protection in accordance with the Implementation Strategy for GC Password Guidance (accessible only on the Government of Canada network)
Configure break glass accounts in Azure AD
Leverage Federated authentication where available

If using ADFS, consider the following:

Configure ADFS to use Azure MFA as the primary authentication mechanism
Configure ADFS to Block Legacy Authentication from the Extranet
Configure ADFS Web Application Proxy Extranet Lockout
Install trusted certificate on the ADFS server
Implement additional security settings in ADFS to mitigate man-in-the-middle attacks

Implement a mechanism for uniquely identifying and authenticating organizational users, non-organizational users (if applicable), and processes (for example, username and password)
Ensure multifactor authentication is enabled for all users in administrative roles
Ensure that between two and four global admins are designated
Implement role-based access and use roles with least privileges where possible (e.g. use non-global administrative roles)
Configure Office 365 Global Administrator role members
Use dedicated accounts to perform Administrative Tasks
Control Access to Azure AD administration portal
Ensure modern authentication for SharePoint applications is required
Ensure modern authentication for Teams (formerly Skype for Business Online) is enabled
Ensure modern authentication for Exchange Online is enabled
Configure password policy in accordance with GC Password Guidance.
Disable guest user access by default. Add only the minimum number of accounts, if needed, in conformance to an approved guest user policy and procedures including ensuring that a secure sharing environment has been established.
Regularly review reports for all administrative accounts and access reports, in accordance with the Enable logging and monitoring guardrail

Consider enabling Identity Protection (additional licensing required)
Consider controlling administrative tasks with privileged access management (additional licensing required)
Investigate just-in-time access to enable administrative access on an as an when required basis (additional licensing required)
Limit disclosure of sensitive GC information to support personnel. If access to data is required, leverage the customer lockbox feature (additional licensing required)
Determine access restrictions and configuration requirements for GC-issued endpoint devices, including those of non-privileged and privileged users, and configure access restrictions accordingly

Confirm that a privileged account management plan and process has been documented.
Confirm password policy aligns with GC Password Guidance (accessible only on the Government of Canada network) as appropriate.

Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsections B.2.3.1, B.2.3.2.4
SPIN 2017-01, subsection 6.2.3
CSE Top 10 #3
Refer to CCCS ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems
Refer to the Guideline on Cloud Authentication
Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain (accessible only on the Government of Canada network)
Related security controls: AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8