A.5.15 Access Control
M365 Admin Path: Microsoft Entra admin centre > Protection > Conditional Access
What is this control?
ISO 27001 control A.5.15 Access Control ensures authorised access and prevents unauthorised access to information and assets through Zero Trust, Deny-by-Default, Least Privilege, and Role-Based Access Control principles. The control enforces identity verification via Conditional Access with MFA, device compliance, and risk checks, privileged access via PIM with Just-in-Time activation, and emergency access via break-glass accounts. All access is treated as untrusted until explicitly verified.
How to implement in Microsoft 365
Implement A.5.15 by deploying Microsoft Entra Conditional Access policies requiring MFA, Intune device compliance, and user risk assessment for all access. Configure PIM to deny standing admin access with all privileged roles assigned as Eligible only. Enforce Just-in-Time role activation via PIM requiring justification and time-limited access.
Configure break-glass accounts with permanent Active roles for emergency access. Exclude break-glass accounts from standard Conditional Access including MFA and device compliance to ensure access during outages. Stream all access logs to Microsoft Sentinel for centralised monitoring.
What an auditor looks for
Auditors will verify that Conditional Access policies are active for MFA, device compliance, and risk assessment. They will check PIM configuration showing all privileged roles are assigned as Eligible rather than Active for standard users. Auditors will review break-glass account configuration with permanent active roles via PIM Groups.
They will verify Conditional Access exclusions for break-glass accounts. Auditors will confirm Sentinel data connectors are connected for Entra ID, PIM, and FortiAnalyzer logs. They will review PIM audit logs showing JIT activations with justifications.
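The implementation steps above and the auditor checks can be exercised offline against exported data. The following is an added example, not part of the original page or of any Microsoft tooling: it applies three of the checks (every standard policy is enforced and excludes the break-glass accounts, an enforced all-users policy requires MFA and device compliance, and no one but break-glass holds a standing Active role) to constructed sample records. The policy records follow the shape of Graph's conditionalAccessPolicy resource; the PIM records are an assumed flattened export, and the object IDs are assumptions.

```python
# Constructed sample data: CA policies in the conditionalAccessPolicy shape, PIM
# assignments as an assumed flattened export. Object IDs are assumptions.
BREAK_GLASS = {"bg-admin-1", "bg-admin-2"}
CA_POLICIES = [
    {"displayName": "Require MFA and compliant device (all users)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-admin-1", "bg-admin-2"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Block high user risk", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "userRiskLevels": ["high"], "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
PIM_ASSIGNMENTS = [
    {"principalId": "alice", "roleName": "Global Administrator", "assignmentType": "Eligible"},
    {"principalId": "bob", "roleName": "Security Administrator", "assignmentType": "Active"},
    {"principalId": "bg-admin-1", "roleName": "Global Administrator", "assignmentType": "Active"},
]
REQUIRED_CONTROLS = {"mfa", "compliantDevice"}  # controls an enforced all-users policy must grant on


def check_conditional_access(policies, break_glass):
    """Return findings: unenforced policies, break-glass not excluded, uncovered controls."""
    findings, covered = [], set()
    for p in policies:
        name, users, apps = p["displayName"], p["conditions"]["users"], p["conditions"]["applications"]
        if p["state"] != "enabled":
            findings.append(f"{name}: not enforced (state={p['state']})")
        missing_bg = break_glass - set(users.get("excludeUsers", []))
        if missing_bg:
            findings.append(f"{name}: break-glass accounts not excluded: {sorted(missing_bg)}")
        # A control is covered only by an enforced policy scoped to all users and all apps
        # that actually requires it (single control, or several combined with AND).
        controls = set(p["grantControls"].get("builtInControls", []))
        if (p["state"] == "enabled" and users.get("includeUsers") == ["All"]
                and apps.get("includeApplications") == ["All"]
                and (p["grantControls"].get("operator") == "AND" or len(controls) == 1)):
            covered |= controls
    for ctl in sorted(REQUIRED_CONTROLS - covered):
        findings.append(f"no enforced all-users policy requires '{ctl}'")
    return findings


def check_pim(assignments, break_glass):
    """Flag standing Active role assignments held by anyone other than break-glass accounts."""
    return [f"{a['principalId']}: standing Active assignment to {a['roleName']}"
            for a in assignments
            if a["assignmentType"] == "Active" and a["principalId"] not in break_glass]


if __name__ == "__main__":
    for f in check_conditional_access(CA_POLICIES, BREAK_GLASS) + check_pim(PIM_ASSIGNMENTS, BREAK_GLASS):
        print("FINDING:", f)
```

On the sample data this reports the report-only risk policy (not enforced, break-glass not excluded) and bob's standing Security Administrator assignment, while the break-glass account's permanent Active role is accepted as intended.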
Related controls
M365 capabilities that implement this control
CIS M365 v6.0.1 authentication hardening: device code flow, enrollment frequency, authenticator settings, email OTP, session controls
Conditional Access policies for standard users (MFA, device compliance, guest access, risk-based controls)
Conditional Access policies for administrators (enhanced MFA, risk-based CA, session controls, location restrictions)
Conditional Access policies requiring device compliance
Discover, remediate, and govern non-human identities including service principals, managed identities, and workload identity federation
Entra Agent ID registration, agent lifecycle policies with human sponsor requirement, CA for AI workloads