PR.AC-4(b)
Key Measure
Access to critical information is identified and managed
Protect · Access Control
Fully Automated
Compliance Score
68%
Partially Compliant
Documentation Maturity
3 / 5
Target: 2.5
Implementation Maturity
3 / 5
Target: 2.5
Control Description
The organization has identified which information and systems are critical, and access to these is specifically controlled and monitored.
Microsoft Graph API Endpoints Used
GET /roleManagement/directory/roleAssignments
GET /admin/sharepoint/settings
Required Permissions
RoleManagement.Read.Directory
SharePointTenantSettings.Read.All
Findings (1)
13/20 items compliant
| Severity | Finding | Recommendation |
|---|---|---|
| medium | Improvement needed: Access to critical information is identified and managed. Current implementation does not fully meet the requirements of PR.AC-4(b). | Identify critical systems and data repositories. Restrict access to these resources to authorized personnel only. Enable access logging for critical resources. Review access lists quarterly. |
Remediation Guidance
Identify critical systems and data repositories. Restrict access to these resources to authorized personnel only. Enable access logging for critical resources. Review access lists quarterly.