CyFun Tracker
PR.AC-1 Key Measure

Identities and credentials are issued, managed, verified, revoked, and audited

Protect · Access Control

Fully Automated

Compliance Score

78%

Partially Compliant

Documentation Maturity

4/5

Target: 2.5

Implementation Maturity

4/5

Target: 2.5

Control Description

The organization manages the full lifecycle of user identities and credentials: provisioning, authentication requirements, regular reviews, and timely deprovisioning when access is no longer needed.

Microsoft Graph API Endpoints Used

GET /users
GET /domains/{domainName}
GET /directoryRoles/members

Required Permissions

User.Read.All
Directory.Read.All
Domain.Read.All

Findings (1)
15/20 items compliant
Severity: medium

Finding: Improvement needed: Identities and credentials are issued, managed, verified, revoked, and audited

Current implementation does not fully meet the requirements of PR.AC-1.

Remediation Guidance

Disable or delete accounts for departed employees within 24 hours. Enforce strong password policies (minimum 12 characters). Review user accounts quarterly. Implement self-service password reset with MFA verification.