CyFun Tracker
PR.AC-4(d) · Key Measure

Administrator privileges are not used for daily tasks

Protect · Access Control

Fully Automated

Compliance Score

35%

Non-Compliant

Documentation Maturity

2 / 5
x

Target: 2.5

Implementation Maturity

2 / 5
x

Target: 2.5

Control Description

Personnel with administrative access use separate, dedicated admin accounts for privileged tasks. Daily activities (email, browsing) are performed with standard user accounts.

Microsoft Graph API Endpoints Used

GET /roleManagement/directory/roleAssignments
GET /users
GET /auditLogs/signIns

Required Permissions

RoleManagement.Read.Directory
User.Read.All
AuditLog.Read.All

Findings (1)
7/20 items compliant
Severity: high

Finding: Improvement needed: Administrator privileges are not used for daily tasks

Current implementation does not fully meet the requirements of PR.AC-4(d).

Remediation Guidance

Create dedicated admin accounts (e.g., admin-john@company.com) separate from daily-use accounts. Admin accounts should not have mailboxes or Microsoft 365 licenses. Use Privileged Identity Management (PIM) for just-in-time access.