Control attributes: Technological | Preventive | Protect | High Priority

A.8.18 Use of Privileged Utility Programs

M365 Admin Path: Microsoft Entra admin center > Identity governance > Privileged Identity Management; Azure Portal > Privileged access groups

Evidence Source: Microsoft Graph - PIM Audit, Purview

What is A.8.18 Use of Privileged Utility Programs?

ISO 27001 control A.8.18 Use of Privileged Utility Programs restricts and tightly controls the use of utility programs capable of overriding system and application controls. The control implements the principle of least privilege through just-in-time elevation, time-limited access, and comprehensive audit logging. It prevents unauthorised access, privilege escalation, and security control bypass while ensuring complete accountability for administrative actions.

How to implement A.8.18 in Microsoft 365

Implement A.8.18 by deploying Microsoft Intune Endpoint Privilege Management or Account Protection profiles to remove standard users from the local Administrators group. Enable Local Administrator Password Solution (LAPS) with passwords escrowed in Entra ID for emergency break-glass access.

Implement Microsoft Entra Privileged Identity Management (PIM) for all privileged directory roles using eligible rather than permanent assignments. Configure PIM activation requirements: MFA, a business justification, approval workflows for high-privilege roles, and a maximum activation duration of 8 hours.

Restrict permanent privileged access to a maximum of 2 documented break-glass accounts. Enable the Microsoft Purview Unified Audit Log so that every administrative operation is captured.

What an auditor checks for A.8.18

  • Auditors will verify that EPM, LAPS, or Account Protection profiles are deployed and that they remove local admin rights from standard users.
  • They will check PIM eligibility schedules show all privileged roles use eligible rather than permanent assignments.
  • Auditors will verify PIM activation history demonstrates MFA, business justification, and approval workflows are enforced.
  • They will check permanent privileged assignments are limited to 2 or fewer documented break-glass accounts.
  • Auditors will verify Purview Unified Audit Log is enabled and capturing administrative events with queryable sample records.
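The implementation steps above and the auditor checks that follow them reduce to a small set of measurable conditions: no permanent assignment outside the break-glass set, no more than 2 break-glass principals, and every PIM activation carrying MFA, a justification, an approval and a duration of at most 8 hours. The following script, an added example that is not the page's or Microsoft's own code, evaluates those conditions. It runs against constructed records whose field names only loosely resemble the Microsoft Graph PIM objects (roleAssignments and assignment schedule requests); the UPNs, roles and timestamps are invented for the example, and a real review would feed it exported Graph or Purview data instead.

```python
"""Checks for the A.8.18 PIM posture described on this page.

Added example, not code from the original page. The sample records below
are constructed and only loosely shaped like Microsoft Graph
roleManagement/directory objects; substitute exported data in practice.
"""
from datetime import datetime, timezone

MAX_BREAK_GLASS_PRINCIPALS = 2   # page: at most 2 break-glass accounts
MAX_ACTIVATION_HOURS = 8         # page: 8-hour activation limit

# Constructed sample data (hypothetical tenant, hypothetical UPNs).
BREAK_GLASS_UPNS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

PERMANENT_ASSIGNMENTS = [  # active, non-expiring directory role assignments
    {"principal": "breakglass1@contoso.example", "role": "Global Administrator"},
    {"principal": "breakglass2@contoso.example", "role": "Global Administrator"},
    {"principal": "alice@contoso.example", "role": "Exchange Administrator"},  # should be eligible, not permanent
]

ACTIVATIONS = [  # PIM activation requests with their enforced requirements
    {"principal": "bob@contoso.example", "role": "Security Administrator",
     "justification": "INC-1234 triage", "mfa": True, "approved": True,
     "start": "2024-05-01T08:00:00Z", "end": "2024-05-01T12:00:00Z"},
    {"principal": "alice@contoso.example", "role": "Global Administrator",
     "justification": "", "mfa": True, "approved": True,
     "start": "2024-05-02T08:00:00Z", "end": "2024-05-02T20:00:00Z"},  # 12 h, no justification
]


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_permanent_assignments(assignments, break_glass):
    """Flag permanent assignments held by non-break-glass principals and
    report when more distinct principals than allowed hold permanent roles."""
    findings = []
    for a in assignments:
        if a["principal"] not in break_glass:
            findings.append(f"permanent {a['role']} held by non-break-glass {a['principal']}")
    principals = {a["principal"] for a in assignments}
    if len(principals) > MAX_BREAK_GLASS_PRINCIPALS:
        findings.append(f"{len(principals)} principals hold permanent roles; cap is {MAX_BREAK_GLASS_PRINCIPALS}")
    return findings


def check_activations(activations):
    """Flag activations that exceed 8 hours or lack MFA, justification or approval."""
    findings = []
    for act in activations:
        who = f"{act['principal']} -> {act['role']}"
        hours = (_parse(act["end"]) - _parse(act["start"])).total_seconds() / 3600
        if hours > MAX_ACTIVATION_HOURS:
            findings.append(f"{who}: activation of {hours:g}h exceeds {MAX_ACTIVATION_HOURS}h")
        if not act["justification"].strip():
            findings.append(f"{who}: missing business justification")
        if not act["mfa"]:
            findings.append(f"{who}: activated without MFA")
        if not act["approved"]:
            findings.append(f"{who}: activated without approval")
    return findings


def assess(permanent, activations, break_glass):
    """Combine both checks into one list of audit findings (empty means compliant)."""
    return check_permanent_assignments(permanent, break_glass) + check_activations(activations)


if __name__ == "__main__":
    for finding in assess(PERMANENT_ASSIGNMENTS, ACTIVATIONS, BREAK_GLASS_UPNS):
        print("FINDING:", finding)
```

On the constructed data the script reports four findings: Alice's permanent Exchange Administrator assignment, three principals holding permanent roles against a cap of two, and Alice's 12-hour activation without a justification. An empty list is the evidence an auditor is looking for in the PIM eligibility schedules and activation history.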

What your auditor expects for A.8.18

  • privileged utility program controls including just-in-time access via PIM
  • privileged access workstation requirements
  • administrative tool usage restrictions

See how your organisation scores against A.8.18 and all 93 ISO 27001 controls.
