A.5.3 Segregation of Duties
What is A.5.3 Segregation of Duties?
ISO 27001 control A.5.3 Segregation of Duties requires organisations to separate conflicting duties and areas of responsibility to reduce the risk of fraud, error, and intentional or unintentional bypassing of security controls. This ensures that no single individual can access, modify, or use assets without authorisation or detection. For Microsoft 365 environments, segregation is implemented through Microsoft Entra Privileged Identity Management (PIM) for temporal separation, separate development and production tenants, Azure DevOps branch protection requiring peer review, and read-only roles for audit personnel.
How to implement A.5.3 in Microsoft 365
Implement A.5.3 through technical and process controls
Implement A.5.3 through technical and process controls. Configure Microsoft Entra PIM so all administrators operate with standard user rights by default and must activate privileged roles Just-in-Time with justification. This provides temporal segregation for personnel who hold multiple roles.
Maintain a dedicated Test Tenant for development
Maintain a dedicated Test Tenant for development, testing, and staging activities with complete logical separation from production. Configure Azure DevOps branch protection on main branches requiring Pull Request with at least one independent reviewer approval, technically blocking direct commits. Assign GRC/audit personnel permanent read-only roles (Global Reader, Security Reader) allowing them to review configurations without modification capability.
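The branch-protection requirement above can be verified rather than asserted. The script below is an added example, not code from the page or from Microsoft: it queries the Azure DevOps policy configurations API for every repository in a project and reports whether the main branch carries an enabled, blocking "Minimum number of reviewers" policy that requires at least one approval and does not let the pull request author count as their own reviewer. The organisation, project and PAT are placeholder assumptions; `$MinReviewersPolicyTypeId` is the built-in type ID of that policy in Azure DevOps.

```powershell
<#
Added example (not the page's or Microsoft's code): verify that 'main' in every repository
of an Azure DevOps project is protected by a blocking minimum-reviewers policy that
requires an independent approval. Organisation, project and PAT are assumptions.
#>
param(
    [string]$Organization = 'contoso',          # assumption
    [string]$Project      = 'platform',         # assumption
    [string]$Branch       = 'refs/heads/main',
    [string]$Pat          = $env:AZDO_PAT       # PAT with Code (read) and Policy (read) scopes
)

# Built-in Azure DevOps policy type: "Minimum number of reviewers".
$MinReviewersPolicyTypeId = 'fa4e907d-c16b-4a4c-9dfa-4906e5d171dd'
$base    = "https://dev.azure.com/$Organization/$Project/_apis"
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat")) }

$repos    = (Invoke-RestMethod -Uri "$base/git/repositories?api-version=7.1"    -Headers $headers).value
$policies = (Invoke-RestMethod -Uri "$base/policy/configurations?api-version=7.1" -Headers $headers).value

# True when a policy scope entry applies to this repository and branch. A null repositoryId
# means the policy is project-wide; 'Prefix' scopes such as 'refs/heads/' also cover main.
function Test-ScopeMatches {
    param($Scope, $RepoId, $Branch)
    ($null -eq $Scope.repositoryId -or $Scope.repositoryId -eq $RepoId) -and (
        $Scope.refName -eq $Branch -or
        ($Scope.matchKind -eq 'Prefix' -and $Branch.StartsWith($Scope.refName))
    )
}

# Returns the reasons a repository fails the independent-review requirement on $Branch;
# an empty array means it passes.
function Get-BranchPolicyGaps {
    param($Repo, $Policies, $Branch)
    $matching = @($Policies | Where-Object {
        $_.type.id -eq $MinReviewersPolicyTypeId -and $_.isEnabled -and
        @($_.settings.scope | Where-Object { Test-ScopeMatches -Scope $_ -RepoId $Repo.id -Branch $Branch }).Count -gt 0
    })
    if ($matching.Count -eq 0) { return @("no enabled minimum-reviewers policy on $Branch") }

    # Any one fully compliant policy is enough: blocking, >= 1 approver, author's vote excluded.
    $compliant = $matching | Where-Object {
        $_.isBlocking -and $_.settings.minimumApproverCount -ge 1 -and -not $_.settings.creatorVoteCounts
    }
    if ($compliant) { return @() }

    $gaps = foreach ($p in $matching) {
        if (-not $p.isBlocking)                     { 'policy is optional (isBlocking=false)' }
        if ($p.settings.minimumApproverCount -lt 1) { 'minimumApproverCount is 0' }
        if ($p.settings.creatorVoteCounts)          { 'author may approve own PR (creatorVoteCounts=true)' }
    }
    return @($gaps | Sort-Object -Unique)
}

$failed = 0
foreach ($repo in $repos) {
    $gaps = Get-BranchPolicyGaps -Repo $repo -Policies $policies -Branch $Branch
    if ($gaps.Count -eq 0) { Write-Host "PASS  $($repo.name)" }
    else                   { $failed++; Write-Host "FAIL  $($repo.name): $($gaps -join '; ')" }
}
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

The `creatorVoteCounts` check is what turns "one approval" into "one independent approval": with that setting enabled, the author's own vote satisfies the policy and no peer review is enforced. Note that this checks only the policy as configured; users granted "Bypass policies when completing pull requests" on the repository can still merge without review, so that permission should be reviewed alongside the policy.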
Document conflicting role pairs and compensating controls
Document conflicting role pairs and compensating controls in a segregation of duties matrix.
What an auditor checks for A.5.3
- Auditors will verify that no standing privileged access exists (except documented break-glass accounts and Microsoft first-party service principals) by reviewing PIM eligibility and active assignment reports.
- They will check that no user account outside those documented exceptions holds a permanent, active privileged role assignment.
- Auditors will confirm GRC/audit team members hold only read-only role assignments (Global Reader, Security Reader) and cannot modify controls they audit.
- They will review Azure DevOps branch policies to verify main branch protection with mandatory PR approval from independent reviewers.
- Auditors will request documentation of dev/test/prod tenant architecture showing logical separation of environments.
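The first three checks in that list can be produced as evidence directly from Microsoft Entra. The script below is an added example, not code from the page or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list every permanently active directory role assignment held by a user account, treats the documented break-glass accounts and the GRC read-only roles as the only permitted exceptions, and also fails if a GRC account is even PIM-eligible for a role with write capability. The account lists are placeholder assumptions you replace with your own documented values.

```powershell
<#
Added example (not the page's or Microsoft's code): report standing (permanently active)
directory role assignments held by user accounts and confirm GRC/audit accounts hold only
read-only roles. Requires the Microsoft.Graph PowerShell SDK.
#>
param(
    # Documented break-glass accounts permitted to keep permanent Global Administrator (assumption).
    [string[]]$BreakGlassUpns = @('breakglass-1@contoso.onmicrosoft.com', 'breakglass-2@contoso.onmicrosoft.com'),
    # GRC / audit personnel who must hold only read-only roles (assumption).
    [string[]]$GrcUpns        = @('grc.auditor@contoso.onmicrosoft.com'),
    # Roles the GRC team may hold permanently.
    [string[]]$ReadOnlyRoles  = @('Global Reader', 'Security Reader')
)

Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Resolve role definition IDs to display names once.
$roleName = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleName[$_.Id] = $_.DisplayName }

# Active assignment instances: assignmentType 'Assigned' is a direct standing assignment;
# 'Activated' means an eligible user activated the role JIT through PIM, which is expected.
$standing = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' })

# Eligibilities: a GRC account that is merely eligible for a write role can still modify
# the controls it audits after an activation, so eligibility is checked too.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All)

# Resolve principals in batches (the API accepts up to 1000 IDs per call). The object type
# separates users from service principals (e.g. Microsoft first-party apps) and groups.
$principal = @{}
$ids = @($standing.PrincipalId + $eligible.PrincipalId | Where-Object { $_ } | Sort-Object -Unique)
for ($i = 0; $i -lt $ids.Count; $i += 1000) {
    Get-MgDirectoryObjectById -Ids $ids[$i..([Math]::Min($i + 999, $ids.Count - 1))] |
        ForEach-Object { $principal[$_.Id] = $_ }
}
function Test-IsUser($Id) { $principal[$Id].AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
function Get-Upn($Id)     { $principal[$Id].AdditionalProperties['userPrincipalName'] }

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($inst in $standing) {
    if (-not (Test-IsUser $inst.PrincipalId)) { continue }   # SPs and groups are reviewed separately
    $upn  = Get-Upn $inst.PrincipalId
    $role = $roleName[$inst.RoleDefinitionId]
    $allowed = ($upn -in $BreakGlassUpns -and $role -eq 'Global Administrator') -or
               ($upn -in $GrcUpns        -and $role -in $ReadOnlyRoles)
    if (-not $allowed) {
        $findings.Add([pscustomobject]@{ Principal = $upn; Role = $role; Issue = 'standing active assignment' })
    }
}

foreach ($el in $eligible) {
    if (-not (Test-IsUser $el.PrincipalId)) { continue }
    $upn  = Get-Upn $el.PrincipalId
    $role = $roleName[$el.RoleDefinitionId]
    if ($upn -in $GrcUpns -and $role -notin $ReadOnlyRoles) {
        $findings.Add([pscustomobject]@{ Principal = $upn; Role = $role; Issue = 'GRC account eligible for write role' })
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'PASS: no undocumented standing access; GRC accounts hold read-only roles only.'
    exit 0
}
$findings | Sort-Object Principal, Role | Format-Table -AutoSize
exit 1
```

Run it from a PIM-eligible audit session and keep the output as the PIM evidence the checklist asks for. Group-based assignments are skipped here because a role assigned to a group has to be expanded to its members (and the group's owners, who can add themselves) before it can be judged; review those in a separate pass rather than counting them as zero.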
What your auditor expects for A.5.3
- Evidence of duty segregation including PIM temporal segregation
- GRC read-only role verification
- DevOps branch policies
- Tenant architecture documentation
Related controls
M365 capabilities that implement this control
Microsoft Purview Information Barriers