3.1.7 — Log the Admin Work

The One-Liner

Two sides of the same coin: block standard users from doing admin things, and log everything when admins do admin things.

What It Says

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

What It Actually Means

This requirement has two parts, and you need both:

Part 1 — Prevention. Standard users are technically blocked from performing admin functions. Not by policy. By the system. A regular user tries to change a security setting and gets “Access Denied.”

Part 2 — Detection. Every time an admin function is performed, it’s logged with who did it, what they did, and when. If someone accidentally gets elevated privileges, your monitoring catches it.

The assessor will check both: that standard users can’t do admin things, and that when admin things do happen, there’s a record.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are privileged functions defined?	Documented list of what counts as an admin action
2	Are non-privileged users defined?	You know who the standard users are
3	Are standard users blocked from privileged functions?	The system prevents it technically
4	Are privileged function executions logged?	Every admin action captured with who, what, when

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, least privilege procedures, system security plan, list of privileged functions and user assignments, system configuration, audit logs showing privileged actions

People they’ll talk to: Personnel defining least privilege, security staff, system developers

Live demos they’ll ask for: “Log in as a standard user and try to run an admin command — show me the block. Now show me the audit log entry for the last admin action.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Can you identify who performed privileged functions at any particular time?”
• “Are the privileged system functions documented?”
• “Show me that a standard user is blocked from executing admin functions.”
• “Show me audit logs capturing privileged function execution.”

Real-World Example

A contractor uses Entra ID role assignments to restrict admin functions. A standard user attempting to access the Azure AD admin portal gets ‘You don’t have access.’ Meanwhile, all admin actions are logged in the Entra audit log. The security officer runs a weekly report of all privileged actions. Last month, a standard user was accidentally added to a privileged group — the EDR solution flagged it immediately because admin-level activity came from a non-admin account.

---

Where Companies Trip Up

No logging of admin actions. Privileged functions happen but there’s no audit trail. You need both prevention AND detection.

Local admin on workstations. Users have local admin rights, meaning they can execute privileged functions freely.

Logs exist but nobody reads them. Logging without monitoring is security theater. Someone has to review the logs.

---

How to Talk About This

To a CEO or Board

Every admin action in our environment is logged — who did it, what they did, and when. Standard users are blocked from admin functions. If someone gets elevated access they shouldn’t have, our monitoring catches it immediately.

To an Engineering Team

RBAC via Entra ID. Standard users get ‘Access Denied’ on admin portals. All privileged actions logged in Entra audit log + Sentinel. Weekly privileged action review. EDR flags admin-level activity from non-admin accounts.

---

Connected Requirements

Requirement	Why it matters here
3.1.5 — Minimum Necessary	The foundational principle
3.1.6 — Two Hats, Two Accounts	Admins using standard accounts for everyday work
3.3.1 — Log Everything	Creating and retaining the audit logs

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: AC.L2-3.1.7 | SPRS Weight: 1 point | POA&M Eligible: Yes