Control: Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions
Configures auditing against a CIS Benchmark item.
Level: 1
Ensure that any roles granting read, write, or owner permissions are removed from disabled Azure user accounts.
While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Removing role assignments from disabled user accounts depends on the context and requirements of each organization and environment.
Disabled accounts should not retain access to resources, as this poses a security risk. Removing role assignments mitigates potential unauthorized access and enforces the principle of least privilege.
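The check this recommendation describes, as an added example that is not part of the Turbot page or the CIS text: correlate Entra ID user records (constructed, Graph-style) with Azure RBAC role assignments (constructed) and report disabled accounts that still hold read, write or owner rights. The role-to-level mapping and the sample IDs, names and scopes are assumptions made for the example.

```python
# Added example (not part of the Turbot page or the CIS benchmark text):
# correlate constructed Entra ID user records with constructed Azure RBAC role
# assignments and report disabled accounts that still hold read, write or
# owner rights, which is what CIS 5.03.05 asks an auditor to look for.

# Built-in role names mapped to the permission level the recommendation names.
# Any other role still grants at least read on its scope, so it is reported as
# "read or higher" rather than silently skipped (assumption made here).
ROLE_LEVEL = {"Reader": "read", "Contributor": "write", "Owner": "owner"}

def find_disabled_with_roles(users, assignments):
    """Return (upn, role, level, scope) tuples for every role assignment held by
    a disabled user. users: Graph-style dicts (id, userPrincipalName,
    accountEnabled); assignments: RBAC-style dicts (principalId, principalType,
    roleDefinitionName, scope)."""
    disabled = {u["id"]: u["userPrincipalName"]
                for u in users if not u.get("accountEnabled", True)}
    findings = []
    for a in assignments:
        # Only user principals are in scope here; groups and service principals
        # are covered by other recommendations.
        if a.get("principalType") != "User" or a["principalId"] not in disabled:
            continue
        role = a["roleDefinitionName"]
        findings.append((disabled[a["principalId"]], role,
                         ROLE_LEVEL.get(role, "read or higher"), a["scope"]))
    return sorted(findings)

# Constructed sample data; IDs, names and scopes are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_USERS = [
    {"id": "u-001", "userPrincipalName": "alice@example.test", "accountEnabled": True},
    {"id": "u-002", "userPrincipalName": "bob@example.test", "accountEnabled": False},
    {"id": "u-003", "userPrincipalName": "carol@example.test", "accountEnabled": False},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "u-001", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalId": "u-002", "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": "u-003", "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "u-003", "principalType": "User", "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"principalId": "g-001", "principalType": "Group", "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    for upn, role, level, scope in find_disabled_with_roles(SAMPLE_USERS, SAMPLE_ASSIGNMENTS):
        print(f"{upn} is disabled but still holds {role} ({level}) at {scope}")
```

Each reported tuple is a role assignment to remove or, where the organization's context justifies keeping it, to document in the attestation.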
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v5.0 > Maximum Attestation Duration
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions > Attestation
- Azure > CIS v5.0
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions
- Azure > CIS v5.0 > 5 - Identity Services
- Azure > CIS v5.0 > 5 - Identity Services > Maximum Attestation Duration
Developers
- Control Type URI: tmod:@turbot/azure-cisv5-0#/control/types/r050305
- Category URI: tmod:@turbot/cis#/control/categories/v071606
- CLI (Get Controls): turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv5-0#/control/types/r050305"