Microsoft Entra ID must notify system administrators (SAs) and the information system security officer (ISSO) when privileges are being requested.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-270255	SRG-APP-000292	ENTR-ID-000835	SV-270255r1085626_rule	2025-03-17	1

Description
When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Description

When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

ℹ️ Check
Verify PIM is in use with email notifications going to the SA and ISSO when privileges are requested. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select roles. 5. For each role that is either active or eligible perform the following: a. Select the role. b. Navigate to role settings. c. Under "Send notifications when eligible members activate this role:" Verify the SA and ISSO email addresses are listed under "Additional recipients" for the type "Role activation alert". If the SA and ISSO are not set up to receive email notification when privileges are requested through PIM, this is a finding.

ℹ️ Check

Verify PIM is in use with email notifications going to the SA and ISSO when privileges are requested. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select roles. 5. For each role that is either active or eligible perform the following: a. Select the role. b. Navigate to role settings. c. Under "Send notifications when eligible members activate this role:" Verify the SA and ISSO email addresses are listed under "Additional recipients" for the type "Role activation alert". If the SA and ISSO are not set up to receive email notification when privileges are requested through PIM, this is a finding.

✔️ Fix
Configure PIM to email notifications to the SA and ISSO when privileges are requested. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select roles. 5. For each role that is either active or eligible perform the following: a. Select the role. b. Navigate to role settings. c. Select "Edit". d. Navigate to the "Notification" tab. e. Under "Send notifications when eligible members activate this role:" add the SA and ISSO email addresses under "Additional recipients". f. Select "Update".

✔️ Fix

Configure PIM to email notifications to the SA and ISSO when privileges are requested. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select roles. 5. For each role that is either active or eligible perform the following: a. Select the role. b. Navigate to role settings. c. Select "Edit". d. Navigate to the "Notification" tab. e. Under "Send notifications when eligible members activate this role:" add the SA and ISSO email addresses under "Additional recipients". f. Select "Update".