PR.AC-4(c) · Key Measure
Least privilege access is enforced
Protect · Access Control
Fully Automated
Compliance Score
45%
Non-Compliant
Documentation Maturity
2 / 5 (Target: 2.5)
Implementation Maturity
2 / 5 (Target: 2.5)
Control Description
Users are granted only the minimum permissions necessary to perform their job functions. Excessive permissions are identified and removed.
Microsoft Graph API Endpoints Used
GET /roleManagement/directory/roleAssignments
GET /policies/authorizationPolicy
Required Permissions
RoleManagement.Read.Directory
Policy.Read.All
Findings (1)
9/20 items compliant
| Severity | Finding | Recommendation |
|---|---|---|
| high | Improvement needed: "Least privilege access is enforced". The current implementation does not fully meet the requirements of PR.AC-4(c). | Audit all Global Administrator accounts — limit to a maximum of 2-4. Remove standing privileged access; use PIM for time-limited elevation. Restrict default user permissions in Entra ID. Disable self-service group creation if not needed. |
Remediation Guidance
Audit all Global Administrator accounts — limit to maximum 2-4. Remove standing privileged access; use PIM for time-limited elevation. Restrict default user permissions in Entra ID. Disable self-service group creation if not needed.