Control: 2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly
Description
The Account Provisioning Activity report details any account provisioning that was attempted by an external application.
If the organization doesn't usually use a third-party provider to manage accounts, any entry on the list is likely illicit. However, if the organization uses a third-party provider, it is recommended to monitor transaction volumes and look for new or unusual third-party applications that may be managing users. If anything unusual is observed, the provider should be contacted to determine the legitimacy of the action.
Remediation
To review the Account Provisioning Activity report:
- Navigate to Microsoft 365 Defender https://security.microsoft.com.
- Click on Audit.
- Set Activities to Added user for User administration activities.
- Set Start Date and End Date.
- Click Search.
- Review.
To review the Account Provisioning Activity report using PowerShell:
- Connect to Exchange Online using Connect-ExchangeOnline.
- Run the following Exchange Online PowerShell command:
$startDate = ((Get-date).AddDays(-7)).ToShortDateString()
$endDate = (Get-date).ToShortDateString()
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object { $_.Operations -eq "add user." }
- Review the output.
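To make the weekly review faster, the "Add user." records can be grouped by the identity that performed the provisioning, so that unexpected applications and unusual volumes stand out. The following is an added example, not part of the CIS benchmark or the Powerpipe mod; the function name, the allowlist values and the sample records are constructed for illustration, and the example assumes the UserId, ObjectId and ResultStatus fields of the AuditData JSON.

```powershell
# Added example: summarise "Add user." audit records per provisioning actor.
# Get-ProvisioningActorSummary and -KnownActors are hypothetical names;
# the allowlist holds the identities you expect to create users.
function Get-ProvisioningActorSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string[]] $KnownActors = @()
    )
    begin { $events = [System.Collections.Generic.List[object]]::new() }
    process {
        # AuditData is a JSON string on each Search-UnifiedAuditLog result.
        $data = $Record.AuditData | ConvertFrom-Json
        $events.Add([pscustomobject]@{
            Actor  = $data.UserId        # who (user or application) added the account
            Target = $data.ObjectId      # the account that was added
            Status = $data.ResultStatus  # outcome as recorded in the log
        })
    }
    end {
        $events | Group-Object Actor | ForEach-Object {
            [pscustomobject]@{
                Actor      = $_.Name
                Attempts   = $_.Count
                KnownActor = $KnownActors -contains $_.Name
                Statuses   = ($_.Group.Status | Sort-Object -Unique) -join ', '
                Targets    = ($_.Group.Target | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object KnownActor, @{ Expression = 'Attempts'; Descending = $true }
    }
}

# Constructed sample records (not real tenant data), shaped like the cmdlet output.
$sample = @(
    [pscustomobject]@{ Operations = 'Add user.'; AuditData = '{"UserId":"admin@contoso.example","ObjectId":"alice@contoso.example","ResultStatus":"Success"}' }
    [pscustomobject]@{ Operations = 'Add user.'; AuditData = '{"UserId":"ServicePrincipal_00000000-0000-0000-0000-000000000001","ObjectId":"svc1@contoso.example","ResultStatus":"Success"}' }
    [pscustomobject]@{ Operations = 'Add user.'; AuditData = '{"UserId":"ServicePrincipal_00000000-0000-0000-0000-000000000001","ObjectId":"svc2@contoso.example","ResultStatus":"Success"}' }
)

# Actors not on the allowlist sort to the top (KnownActor = False).
$sample | Get-ProvisioningActorSummary -KnownActors 'admin@contoso.example' |
    Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations 'Add user.' -ResultSize 5000 |
#     Get-ProvisioningActorSummary -KnownActors 'admin@contoso.example'
```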
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_2_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_2_3_1 --share
SQL
This control uses a named query:
azuread_account_provisioning_activity_report_reviewed