CyFun Tracker
PR.AC-4(a) · Key Measure

Access permissions and authorizations are managed

Protect · Access Control

Fully Automated

Compliance Score

75%

Partially Compliant

Documentation Maturity

3/5

Target: 2.5

Implementation Maturity

3/5

Target: 2.5

Control Description

Access permissions are defined based on job roles, documented, and regularly reviewed. Permissions are granted through a formal request and approval process.

Microsoft Graph API Endpoints Used

GET /roleManagement/directory/roleAssignments
GET /roleManagement/directory/roleEligibilitySchedules

Required Permissions

RoleManagement.Read.Directory
Findings (1)
15/20 items compliant
Severity: medium

Finding: Improvement needed: Access permissions and authorizations are managed

Current implementation does not fully meet the requirements of PR.AC-4(a).

Remediation Guidance

Document access roles and their associated permissions. Implement role-based access control (RBAC) in Entra ID. Review role assignments quarterly. Use PIM for just-in-time privileged access.