Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account removal actions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-267375	SRG-APP-000294-UEM-000168	MSIN-24-000850	SV-267375r1025809_rule	2024-10-04	1

Description
When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference: PP-MDM-411065, PP-MDM-412000

Description

When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference: PP-MDM-411065, PP-MDM-412000

ℹ️ Check
Verify the ISSO is alerted when accounts are removed in Entra ID. Account management is managed by Entra ID. Intune cannot be configured to not use Entra ID. Event monitoring and alerting in Entra ID may be implemented through various methods including log aggregation and the use of monitoring tools. Determine how the site has implemented this requirement. It is recommended that Entra ID be configured to download audit logs to a log management server and the log management server be configured to alert the ISSO when accounts are removed. If the ISSO is not alerted when accounts are removed in Entra ID, this is a finding.

ℹ️ Check

Verify the ISSO is alerted when accounts are removed in Entra ID. Account management is managed by Entra ID. Intune cannot be configured to not use Entra ID. Event monitoring and alerting in Entra ID may be implemented through various methods including log aggregation and the use of monitoring tools. Determine how the site has implemented this requirement. It is recommended that Entra ID be configured to download audit logs to a log management server and the log management server be configured to alert the ISSO when accounts are removed. If the ISSO is not alerted when accounts are removed in Entra ID, this is a finding.

✔️ Fix
Account management is managed by Entra ID. Intune cannot be configured to not use Entra ID. Event monitoring and alerting may be implemented through various methods including log aggregation and the use of monitoring tools. It is recommended that Entra ID be configured to download audit logs to a log management server (https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-download-logs) and the log management server be configured to alert the ISSO when accounts are removed.

✔️ Fix

Account management is managed by Entra ID. Intune cannot be configured to not use Entra ID. Event monitoring and alerting may be implemented through various methods including log aggregation and the use of monitoring tools. It is recommended that Entra ID be configured to download audit logs to a log management server (https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-download-logs) and the log management server be configured to alert the ISSO when accounts are removed.