Azure-SecurityCenter-Monitor-External-Accounts-with-Write-Permissions

Severity : High

Description: This control ensures that external accounts with write permissions are either monitored using Azure Security Center or removed. External accounts feature allows people outside of your organization to access your apps and resources while letting them sign in using whatever identity they prefer (their private email account). Thus external accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. Enabling the identityRemoveExternalAccountWithWritePermissionsMonitoring policy can help monitor external accounts with write permissions within an Azure subscription.

Remediation Steps:

Perform following to enable alerts notification to administrators :

1. Login to Azure Portal using https://portal.azure.com.

2. Navigate to Microsoft Defender for Cloud.

3. Under Management, Select Environment settings.

4. Select the subscription to be remediated.

5. Select Security Policy.

6. Select the initiative assignment ASC Default (Subscription ID).

7. Select the Parameters tab and uncheck the checkbox, Only show parameters that require input.

8. Search for External accounts with write permissions should be removed from your subscription.

9. Select AuditIfNotExists from the dropdown.

10. Select Review + Save.

11. Select Save.

Important:

Reference:

• What are security policies, initiatives, and recommendations?

• Govern access for external users in Azure AD entitlement management