A.8.2 Privileged Access Rights
What is this control?
ISO 27001:2022 control A.8.2 Privileged Access Rights requires that the allocation and use of privileged access rights be restricted and managed. In a Microsoft 365 tenant this is applied consistently across Microsoft Entra ID, Microsoft 365, and Azure using deny-by-default, least privilege, and just-in-time activation through Privileged Identity Management (PIM). Privileged roles are held as eligible assignments rather than permanently active ones (no standing access), activation requires MFA re-authentication and a logged business justification, and every activation is time-bound and expires automatically.
How to implement in Microsoft 365
Implement A.8.2 by enabling Privileged Identity Management in Microsoft Entra ID (which requires Microsoft Entra ID P2 or Microsoft Entra ID Governance licensing) for all high-impact roles, including Global Administrator, Exchange Administrator, and SharePoint Administrator. Remove permanent role assignments and convert the affected users to eligible assignments that must be activated when needed; the only permanent assignments that should remain are the dedicated emergency-access (break-glass) accounts, which are excluded from PIM and Conditional Access by design and monitored separately. Configure activation requirements for each role: MFA, a business justification or change-ticket number, and a maximum activation duration of 4 to 8 hours.
Enable approval workflows for critical roles such as Global Administrator so that a manager or role owner must approve each activation. Schedule quarterly or semi-annual access reviews in PIM so that managers periodically re-certify each user's role eligibility, and configure the review to remove eligibility when the reviewer does not respond.
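The procedure above can be applied to a single role with the Microsoft Graph PowerShell SDK. The script below is an added example written for this page, not Microsoft's own code or a script from the original page; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules, a caller holding Privileged Role Administrator, an Entra ID P2 or Governance licence, and placeholder account names (`pim-approver@contoso.example`, the two break-glass UPNs) that you must replace with your own.

```powershell
# Added example: harden one Entra ID directory role under PIM for ISO 27001 A.8.2.
# Assumptions: Microsoft.Graph.Identity.Governance + Microsoft.Graph.Users modules installed,
# caller is a Privileged Role Administrator, tenant has Entra ID P2 / Governance licensing.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","RoleManagementPolicy.ReadWrite.Directory","User.Read.All"

$roleName    = "Global Administrator"
$approverUpn = "pim-approver@contoso.example"                                        # assumed approver
$breakGlass  = @("breakglass1@contoso.example", "breakglass2@contoso.example")       # assumed emergency accounts; keep permanent

$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$approver = Get-MgUser -UserId $approverUpn

# 1. Find standing access: active assignments at tenant scope with no end date.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime -and $_.DirectoryScopeId -eq '/' }

$now = (Get-Date).ToUniversalTime().ToString("o")
foreach ($a in $standing) {
    # Principal may be a group or service principal; Get-MgUser returns nothing for those.
    $user = Get-MgUser -UserId $a.PrincipalId -ErrorAction SilentlyContinue
    if ($user -and $breakGlass -contains $user.UserPrincipalName) { continue }   # leave break-glass untouched

    # 2a. Grant eligibility (one year; renewal is forced through the access review).
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = "adminAssign"
        principalId      = $a.PrincipalId
        roleDefinitionId = $role.Id
        directoryScopeId = "/"
        justification    = "A.8.2: convert standing assignment to JIT eligibility"
        scheduleInfo     = @{ startDateTime = $now; expiration = @{ type = "afterDuration"; duration = "P365D" } }
    } | Out-Null

    # 2b. Remove the permanent active assignment.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = "adminRemove"
        principalId      = $a.PrincipalId
        roleDefinitionId = $role.Id
        directoryScopeId = "/"
        justification    = "A.8.2: remove permanent assignment"
    } | Out-Null
}

# 3. Locate the PIM policy attached to this role at tenant scope and set its activation rules.
$pa       = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $pa.PolicyId
$endUser  = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

# Activation is time-bound: at most 8 hours, then it expires automatically.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    isExpirationRequired = $true
    maximumDuration      = "PT8H"
    target               = $endUser
}

# Activation requires MFA re-authentication, a justification and a ticket number.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
    target        = $endUser
}

# Activation requires approval by the named approver (single stage, 1-day timeout).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    setting       = @{
        "@odata.type"                    = "#microsoft.graph.approvalSettings"
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages                   = @(@{
            "@odata.type"                   = "#microsoft.graph.approvalStage"
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            primaryApprovers                = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver.Id })
        })
    }
    target        = $endUser
}
```

Run it once per high-impact role (loop over the role names in step 3 if you prefer). Eligibility is deliberately granted with a one-year expiry rather than `noExpiration` so that the quarterly or semi-annual access review, not the assignment itself, is what keeps a person eligible; the break-glass exclusion is what keeps the tenant recoverable if PIM, MFA or Conditional Access misbehaves.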
What an auditor looks for
Auditors will verify that PIM is enabled for every privileged role and that those roles carry eligible assignments only, with no permanent assignments other than documented emergency-access accounts. They will review PIM audit logs showing the activation history for each role, including the requester, the business justification or ticket number, approval where required, and the activation and expiry timestamps.
They will verify that Conditional Access policies require MFA for all administrator roles with 100% coverage, and that the PIM activation settings themselves enforce MFA re-authentication and a maximum activation duration so that access expires automatically. Finally, they will check the access review configuration in PIM and expect evidence of recently completed review cycles, including the decisions taken on eligibility that was not re-certified.
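The checks an auditor performs can be collected as evidence from the tenant itself. The script below is an added example, not part of the original page and not Microsoft's own tooling; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Reports modules and read-only Graph permissions, and the three role names are placeholders for whatever your scope lists as high-impact. The audit-log key names inside `AdditionalDetails` vary by event type, so the script prints them verbatim instead of assuming which key holds the justification.

```powershell
# Added example: gather A.8.2 evidence for a set of privileged roles.
# Assumptions: Microsoft.Graph.Identity.Governance + Microsoft.Graph.Reports modules, read scopes only.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","RoleManagementPolicy.Read.Directory","AuditLog.Read.All","Directory.Read.All"

$roleNames = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator")   # assumed scope

$summary = foreach ($name in $roleNames) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"

    # (a) Standing access: active assignments with no end date. Expect only break-glass accounts here.
    $standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

    # (b) Eligible (JIT) assignments.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'"

    # (c) Activation rules actually in force on the role's PIM policy.
    # The SDK returns the base rule type; derived properties live in AdditionalProperties.
    $pa    = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
    $rules = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $pa.PolicyId
    $exp   = $rules | Where-Object Id -eq 'Expiration_EndUser_Assignment'
    $en    = $rules | Where-Object Id -eq 'Enablement_EndUser_Assignment'
    $app   = $rules | Where-Object Id -eq 'Approval_EndUser_Assignment'

    [pscustomobject]@{
        Role                 = $name
        PermanentAssignments = @($standing).Count
        StandingPrincipals   = (@($standing).PrincipalId -join ',')
        EligibleAssignments  = @($eligible).Count
        MaxActivation        = $exp.AdditionalProperties['maximumDuration']
        ExpirationRequired   = $exp.AdditionalProperties['isExpirationRequired']
        ActivationRequires   = (@($en.AdditionalProperties['enabledRules']) -join ',')   # expect MFA + Justification
        ApprovalRequired     = $app.AdditionalProperties['setting']['isApprovalRequired']
    }
}
$summary | Format-Table -AutoSize

# (d) Activation history for the last 90 days from the PIM audit log: who, when, result, and the
# justification/ticket/expiry details as recorded, printed as key=value pairs.
$since  = (Get-Date).AddDays(-90).ToUniversalTime().ToString("o")
$events = Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" -All
$events |
    Where-Object { $_.ActivityDisplayName -like '*PIM activation*' } |
    Select-Object ActivityDateTime,
                  @{ n = 'Actor';   e = { $_.InitiatedBy.User.UserPrincipalName } },
                  ActivityDisplayName, Result,
                  @{ n = 'Details'; e = { ($_.AdditionalDetails | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ' } } |
    Export-Csv -Path ".\pim-activations-90d.csv" -NoTypeInformation
```

The summary table is the artefact to hand over for the "eligible only", "MFA on activation" and "time-bound" checks; any role with `PermanentAssignments` above the number of documented break-glass accounts, `ExpirationRequired` false, or an `ActivationRequires` list without `MultiFactorAuthentication` is a finding before the auditor arrives. Conditional Access coverage and access review results are not in this script; export those from the Conditional Access and Access reviews blades in the Entra admin center.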
M365 capabilities that implement this control
CIS M365 v6.0.1 Entra ID hardening: guest access, consent, group creation, app registration, PIM approval, device join
Conditional Access policies for administrators (enhanced MFA, risk-based CA, session controls, location restrictions)
Entra ID PIM for just-in-time privileged access, cloud-only accounts, access reviews
Discover, remediate, and govern non-human identities including service principals, managed identities, and workload identity federation
Microsoft Purview Privileged Access Management