Attributes: Organisational | Preventive | Identify

A.5.3 Segregation of Duties

M365 Admin Path: Microsoft Entra admin center > Identity governance > Privileged Identity Management

Evidence Source: Microsoft Graph (Entra ID PIM, Role Assignments, Group Memberships)

What is this control?

ISO/IEC 27001:2022 Annex A control A.5.3 Segregation of Duties requires organisations to separate conflicting duties and areas of responsibility to reduce the risk of fraud, error, and intentional or unintentional bypassing of security controls. The aim is that no single individual can access, modify, or use assets without authorisation or detection. In Microsoft 365 environments, segregation is implemented through Microsoft Entra Privileged Identity Management (PIM) for temporal separation (privilege is held only while a role is activated), separate development and production tenants, Azure DevOps branch policies requiring peer review, and read-only roles for audit personnel.

How to implement in Microsoft 365

Implement A.5.3 through technical and process controls. Configure Microsoft Entra PIM so all administrators operate with standard user rights by default and must activate privileged roles Just-in-Time, with a justification and (for the most sensitive roles) approval, as configured in each role's PIM settings. This provides temporal segregation for personnel who hold multiple roles: a person is never active in two conflicting roles at once. Note that PIM limits when a role is active, not which roles a person is eligible for; conflicting eligibilities still have to be caught by the segregation of duties matrix and the access review process.

Maintain a dedicated test tenant for development, testing, and staging activities with complete logical separation from production. Configure Azure DevOps branch policies on main branches requiring a Pull Request with approval from at least one reviewer other than the author; because any blocking branch policy also rejects direct pushes to that branch, this technically blocks direct commits. Assign GRC/audit personnel permanent read-only roles (Global Reader, Security Reader) allowing them to review configurations without modification capability.

Document conflicting role pairs and compensating controls in a segregation of duties matrix.
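The branch policy described in the implementation steps above, as an added example that is not from the original page: it enforces the policy with the Azure DevOps extension of the Azure CLI (run from PowerShell), shows the weak setting that lets an author approve their own change, and then verifies the resulting policy. The organisation URL, project and repository name are placeholders.

```powershell
# Added example (not the page's own code): configure and verify Azure DevOps
# branch protection on main so that every change needs a PR approved by someone
# other than its author. Organisation, project and repository are placeholders.
$org      = 'https://dev.azure.com/contoso'   # hypothetical organisation
$project  = 'Platform'                        # hypothetical project
$repoName = 'infra'                           # hypothetical repository

az extension add --name azure-devops --only-show-errors
az devops configure --defaults organization=$org project=$project
$repoId = az repos show --repository $repoName --query id -o tsv

# Weak setting (do NOT use): creator-vote-counts true lets the PR author count
# as the approver, which defeats the independent-review requirement.
# az repos policy approver-count create --repository-id $repoId --branch main `
#     --minimum-approver-count 1 --creator-vote-counts true --blocking true --enabled true

# Hardened setting: one approver, author's own vote ignored, approvals reset when
# new commits are pushed. A blocking policy also rejects direct pushes to main.
az repos policy approver-count create --repository-id $repoId --branch main `
    --branch-match-type exact --minimum-approver-count 1 --creator-vote-counts false `
    --allow-downvotes false --reset-on-source-push true --blocking true --enabled true `
    --only-show-errors | Out-Null

function Test-MainBranchProtected {
    # Reads the effective policies on main and returns $true only if a blocking,
    # enabled minimum-reviewer policy excludes the author's vote.
    param([string] $RepositoryId)
    $policies = az repos policy list --repository-id $RepositoryId --branch main -o json |
        ConvertFrom-Json
    $approver = $policies |
        Where-Object { $_.type.displayName -eq 'Minimum number of reviewers' } |
        Select-Object -First 1
    $ok = $approver -and $approver.isEnabled -and $approver.isBlocking -and
          $approver.settings.minimumApproverCount -ge 1 -and
          -not $approver.settings.creatorVoteCounts
    return [bool]$ok
}

if (Test-MainBranchProtected -RepositoryId $repoId) {
    'main: PR with independent approval is enforced'
} else {
    'main: branch policy is missing or weaker than required'
}
```

The Test-MainBranchProtected output (or the raw `az repos policy list` JSON) is the evidence an auditor asks for in the section below; keep it with the segregation of duties matrix rather than regenerating it on request.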

What an auditor looks for

Auditors will verify that no standing privileged access exists (except documented break-glass accounts and Microsoft first-party service principals) by reviewing PIM eligibility and assignment reports. They will check that no user account holds a permanent active assignment to a privileged role, that each remaining standing assignment has a recorded justification, and that sign-ins by break-glass accounts are alerted on. Auditors will confirm GRC/audit team members hold only read-only role assignments (Global Reader, Security Reader) and cannot modify the controls they audit.
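The standing-access check described above, as an added example that is not from the original page: it pulls the currently active role assignments from Microsoft Graph with the Microsoft Graph PowerShell SDK, keeps only permanent ones (assigned, no end date), and classifies each as an allowed read-only role, a documented break-glass account, a workload identity to review, or a finding. The break-glass UPNs and the read-only role list are assumptions to replace with your own; the PIM endpoints used require a Microsoft Entra ID P2 or Governance licence.

```powershell
# Added example (not the page's own code): report permanent active directory role
# assignments via Microsoft Graph and flag standing access that is not documented.
# Requires the Microsoft.Graph module; the UPNs and role list below are placeholders.
function Get-StandingPrivilegedAssignments {
    param(
        # Documented break-glass accounts (hypothetical UPNs)
        [string[]] $BreakGlassUpns = @('breakglass1@contoso.onmicrosoft.com',
                                       'breakglass2@contoso.onmicrosoft.com'),
        # Roles the page allows as permanent read-only assignments for GRC/audit staff
        [string[]] $ReadOnlyRoles = @('Global Reader', 'Security Reader')
    )

    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

    # Cache role definitions so assignments can be reported by display name
    $roleNames = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
        $roleNames[$_.Id] = $_.DisplayName
    }

    # Schedule instances show what is active right now. AssignmentType 'Assigned'
    # with no EndDateTime is a permanent active assignment, i.e. standing access.
    # 'Activated' instances are time-bound PIM activations and are expected.
    $standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

    foreach ($a in $standing) {
        # Resolve the principal to learn whether it is a user, group or service principal
        $obj  = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        $type = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $name = $obj.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
        $role = $roleNames[$a.RoleDefinitionId]

        if ($type -eq 'servicePrincipal') {
            $verdict = 'REVIEW: workload identity, confirm it is a documented first-party or app assignment'
        } elseif ($ReadOnlyRoles -contains $role) {
            $verdict = 'OK: read-only role'
        } elseif ($BreakGlassUpns -contains $name) {
            $verdict = 'OK: documented break-glass account'
        } elseif ($a.MemberType -eq 'Group') {
            $verdict = 'FINDING: standing access inherited through a group'
        } else {
            $verdict = 'FINDING: standing privileged access on a user account'
        }

        [pscustomobject]@{
            Principal  = $name
            Type       = $type
            Role       = $role
            Scope      = $a.DirectoryScopeId   # '/' means tenant-wide
            MemberType = $a.MemberType
            Verdict    = $verdict
        }
    }
}

# Usage: the full list is the evidence; the filtered list is the remediation queue
$report = Get-StandingPrivilegedAssignments
$report | Export-Csv -Path .\standing-role-assignments.csv -NoTypeInformation
$report | Where-Object Verdict -like 'FINDING*' | Format-Table -AutoSize
```

Run the function with a read-only account (the scopes requested are read-only) so the evidence itself is produced under the segregation the control asks for. Assignments that arrive through groups are listed separately because removing the user from the role does not remove the access; the group membership has to be reviewed.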

They will review Azure DevOps branch policies to verify that main branches are protected by a blocking policy requiring PR approval from at least one reviewer other than the author. Auditors will request documentation of the dev/test/prod tenant architecture showing logical separation of environments.

M365 capabilities that implement this control

Microsoft Purview Information Barriers (Information Governance)