Configure CMMC Level 2 Access Control (AC) controls

Microsoft Entra ID can help you meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in CMMC V2.0 level 2, it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes.

In CMMC Level 2, there are 13 domains that have one or more practices related to identity:

  • Access Control (AC)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

The remainder of this article provides guidance for the Access Control (AC) domain. There's a table with links to content that provides step-by-step guidance to accomplish the practice.

Access Control (AC)

The following table provides a list of practice statements and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives | Microsoft Entra guidance and recommendations
AC.L2-3.1.3

Practice statement: Control the flow of CUI in accordance with approved authorizations.

Objectives:
Determine if:
[a.] information flow control policies are defined;
[b.] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c.] designated sources and destinations (for example, networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d.] authorizations for controlling the flow of CUI are defined; and
[e.] approved authorizations for controlling the flow of CUI are enforced.
Configure Conditional Access policies to control the flow of CUI from trusted locations, trusted devices, and approved applications, and to require app protection policy. For finer-grained authorization to CUI, configure app-enforced restrictions (Exchange/SharePoint Online), App Control (with Microsoft Defender for Cloud Apps), and Authentication Context. Deploy Microsoft Entra application proxy to secure access to on-premises applications.
Location condition in Microsoft Entra Conditional Access
Grant controls in Conditional Access policy - Require device to be marked as compliant
Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device
Grant controls in Conditional Access policy - Require approved client app
Grant controls in Conditional Access policy - Require app protection policy
Session controls in Conditional Access policy - Application enforced restrictions
Protect with Microsoft Defender for Cloud Apps Conditional Access App Control
Cloud apps, actions, and authentication context in Conditional Access policy
Remote access to on-premises apps using Microsoft Entra application proxy

Authentication Context
Configuring Authentication context & Assign to Conditional Access Policy

Information Protection
Know and protect your data; help prevent data loss.
Protect your sensitive data with Microsoft Purview

Conditional Access
Conditional Access for Azure information protection (AIP)

Application Proxy
Remote access to on-premises apps using Microsoft Entra application proxy
AC.L2-3.1.4

Practice statement: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Objectives:
Determine if:
[a.] the duties of individuals requiring separation are defined;
[b.] responsibilities for duties that require separation are assigned to separate individuals; and
[c.] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
Ensure adequate separation of duties by scoping appropriate access. Configure Entitlement Management Access packages to govern access to applications, groups, Teams and SharePoint sites. Configure Separation of Duties checks within access packages to avoid a user obtaining excessive access. In Microsoft Entra entitlement management, you can configure multiple policies, with different settings for each user community that will need access through an access package. This configuration includes restrictions such that a user of a particular group, or already assigned a different access package, isn't assigned other access packages, by policy.

Configure administrative units in Microsoft Entra ID to scope administrative privilege so that administrators with privileged roles have those privileges only on a limited set of directory objects (users, groups, devices).
What is entitlement management?
What are access packages and what resources can I manage with them?
Configure separation of duties for an access package in Microsoft Entra entitlement management
Administrative units in Microsoft Entra ID
AC.L2-3.1.5

Practice statement: Employ the principle of least privilege, including specific security functions and privileged accounts.

Objectives:
Determine if:
[a.] privileged accounts are identified;
[b.] access to privileged accounts is authorized in accordance with the principle of least privilege;
[c.] security functions are identified; and
[d.] access to security functions is authorized in accordance with the principle of least privilege.
You're responsible for implementing and enforcing the rule of least privilege. This action can be accomplished with Privileged Identity Management for configuring enforcement, monitoring, and alerting. Set requirements and conditions for role membership.

Once privileged accounts are identified and managed, use Entitlement Lifecycle Management and Access reviews to set, maintain and audit adequate access. Use the Microsoft Graph API to discover and monitor directory roles.

Assign roles
Assign Microsoft Entra roles in PIM
Assign Azure resource roles in Privileged Identity Management
Assign eligible owners and members for PIM for Groups

Set role settings
Configure Microsoft Entra role settings in PIM
Configure Azure resource role settings in PIM
Configure PIM for Groups settings in PIM

Set up alerts
Security alerts for Microsoft Entra roles in PIM
Configure security alerts for Azure resource roles in Privileged Identity Management
AC.L2-3.1.6

Practice statement: Use non-privileged accounts or roles when accessing non security functions.

Objectives:
Determine if:
[a.] non security functions are identified; and
[b.] users are required to use non-privileged accounts or roles when accessing non security functions.

AC.L2-3.1.7

Practice statement: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Objectives:
Determine if:
[a.] privileged functions are defined;
[b.] non-privileged users are defined;
[c.] non-privileged users are prevented from executing privileged functions; and
[d.] the execution of privileged functions is captured in audit logs.
Requirements in AC.L2-3.1.6 and AC.L2-3.1.7 complement each other. Require separate accounts for privileged and non-privileged use. Configure Privileged Identity Management (PIM) to bring just-in-time (JIT) privileged access and remove standing access. Configure role-based Conditional Access policies to limit access to productivity applications for privileged users. For highly privileged users, secure devices as part of the privileged access story. All privileged actions are captured in the Microsoft Entra audit logs.
Securing privileged access overview
Configure Microsoft Entra role settings in PIM
Users and groups in Conditional Access policy
Why are privileged access devices important
AC.L2-3.1.8

Practice statement: Limit unsuccessful sign-on attempts.

Objectives:
Determine if:
[a.] the means of limiting unsuccessful sign-on attempts is defined; and
[b.] the defined means of limiting unsuccessful sign-on attempts is implemented.
Enable custom smart lock-out settings. Configure lock-out threshold and lock-out duration in seconds to implement these requirements.
Protect user accounts from attacks with Microsoft Entra smart lockout
Manage Microsoft Entra smart lockout values
AC.L2-3.1.9

Practice statement: Provide privacy and security notices consistent with applicable CUI rules.

Objectives:
Determine if:
[a.] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
[b.] privacy and security notices are displayed.
With Microsoft Entra ID, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via Conditional Access policies.

Conditional Access
What is Conditional Access in Microsoft Entra ID?

Terms of use
Microsoft Entra terms of use
View report of who has accepted and declined
AC.L2-3.1.10

Practice statement: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Objectives:
Determine if:
[a.] the period of inactivity after which the system initiates a session lock is defined;
[b.] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
[c.] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
Implement device lock by using a Conditional Access policy to restrict access to compliant or Microsoft Entra hybrid joined devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.
Require device to be marked as compliant
Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device
User sign-in frequency

Configure devices for maximum minutes of inactivity until the screen locks (Android, iOS, Windows 10).
AC.L2-3.1.11

Practice statement: Terminate (automatically) a user session after a defined condition.

Objectives:
Determine if:
[a.] conditions requiring a user session to terminate are defined; and
[b.] a user session is automatically terminated after any of the defined conditions occur.
Enable Continuous Access Evaluation (CAE) for all supported applications. For applications that don't support CAE, or for conditions not applicable to CAE, implement policies in Microsoft Defender for Cloud Apps to automatically terminate sessions when conditions occur. Additionally, configure Microsoft Entra ID Protection to evaluate user and sign-in risk. Use Conditional Access with Microsoft Entra ID Protection to allow users to automatically remediate risk.
Continuous access evaluation in Microsoft Entra ID
Control cloud app usage by creating policies
What is Microsoft Entra ID Protection?
AC.L2-3.1.12

Practice statement: Monitor and control remote access sessions.

Objectives:
Determine if:
[a.] remote access sessions are permitted;
[b.] the types of permitted remote access are identified;
[c.] remote access sessions are controlled; and
[d.] remote access sessions are monitored.
In today's world, users access cloud-based applications almost exclusively remotely from unknown or untrusted networks. To secure this pattern of access, it's critical to adopt Zero Trust principles. To meet these control requirements in a modern cloud world, we must verify each access request explicitly, implement least privilege, and assume breach.

Configure named locations to delineate internal vs external networks. Configure Conditional Access app control to route access via Microsoft Defender for Cloud Apps. Configure Defender for Cloud Apps to control and monitor all sessions.
Zero Trust Deployment Guide for Microsoft Entra ID
Location condition in Microsoft Entra Conditional Access
Deploy Cloud App Security Conditional Access App Control for Microsoft Entra apps
What is Microsoft Defender for Cloud Apps?
Monitor alerts raised in Microsoft Defender for Cloud Apps
AC.L2-3.1.13

Practice statement: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Objectives:
Determine if:
[a.] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
[b.] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
All Microsoft Entra customer-facing web services are secured with the Transport Layer Security (TLS) protocol and are implemented using FIPS-validated cryptography.
Microsoft Entra Data Security Considerations (microsoft.com)
AC.L2-3.1.14

Practice statement: Route remote access via managed access control points.

Objectives:
Determine if:
[a.] managed access control points are identified and implemented; and
[b.] remote access is routed through managed network access control points.
Configure named locations to delineate internal vs external networks. Configure Conditional Access app control to route access via Microsoft Defender for Cloud Apps. Configure Defender for Cloud Apps to control and monitor all sessions. Secure devices used by privileged accounts as part of the privileged access story.
Location condition in Microsoft Entra Conditional Access
Session controls in Conditional Access policy
Securing privileged access overview
AC.L2-3.1.15

Practice statement: Authorize remote execution of privileged commands and remote access to security-relevant information.

Objectives:
Determine if:
[a.] privileged commands authorized for remote execution are identified;
[b.] security-relevant information authorized to be accessed remotely is identified;
[c.] the execution of the identified privileged commands via remote access is authorized; and
[d.] access to the identified security-relevant information via remote access is authorized.
Conditional Access is the Zero Trust control plane to target policies for access to your apps when combined with authentication context. You can apply different policies in those apps. Secure devices used by privileged accounts as part of the privileged access story. Configure Conditional Access policies to require the use of these secured devices by privileged users when performing privileged commands.
Cloud apps, actions, and authentication context in Conditional Access policy
Securing privileged access overview
Filter for devices as a condition in Conditional Access policy
AC.L2-3.1.18

Practice statement: Control connection of mobile devices.

Objectives:
Determine if:
[a.] mobile devices that process, store, or transmit CUI are identified;
[b.] mobile device connections are authorized; and
[c.] mobile device connections are monitored and logged.
Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to enforce mobile device configuration and connection profile. Configure Conditional Access policies to enforce device compliance.

Conditional Access
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device

Intune
Device compliance policies in Microsoft Intune
What is app management in Microsoft Intune?
AC.L2-3.1.19

Practice statement: Encrypt CUI on mobile devices and mobile computing platforms.

Objectives:
Determine if:
[a.] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
[b.] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
Managed Device
Configure Conditional Access policies to enforce compliant or Microsoft Entra hybrid joined device and to ensure managed devices are configured appropriately via device management solution to encrypt CUI.

Unmanaged Device
Configure Conditional Access policies to require app protection policies.
Grant controls in Conditional Access policy - Require device to be marked as compliant
Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device
Grant controls in Conditional Access policy - Require app protection policy
AC.L2-3.1.21

Practice statement: Limit use of portable storage devices on external systems.

Objectives:
Determine if:
[a.] the use of portable storage devices containing CUI on external systems is identified and documented;
[b.] limits on the use of portable storage devices containing CUI on external systems are defined; and
[c.] the use of portable storage devices containing CUI on external systems is limited as defined.
Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to control the use of portable storage devices on systems. Configure policy settings on the Windows device to completely prohibit or restrict use of portable storage at the OS level. For all other devices where you may be unable to granularly control access to portable storage, block download entirely with Microsoft Defender for Cloud Apps. Configure Conditional Access policies to enforce device compliance.

Conditional Access
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device
Configure authentication session management

Intune
Device compliance policies in Microsoft Intune
Restrict USB devices using administrative templates in Microsoft Intune

Microsoft Defender for Cloud Apps
Create session policies in Defender for Cloud Apps
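
Many rows in the table above rely on Conditional Access grant and session controls. The following added example (not Microsoft's code and not part of the original article) checks an exported set of policies for those controls and reports which practices have no enforcing policy. It assumes the policies are JSON objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource; the `CHECKS` mapping and the sample policies are constructed for illustration, and the check looks only at controls and state, not at which users or apps each policy targets.

```python
"""Map exported Conditional Access policies to AC practices (added example)."""

def grants(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])

def session_on(p, key):
    return bool(((p.get("sessionControls") or {}).get(key) or {}).get("isEnabled"))

DEVICE_OR_APP = {"compliantDevice", "domainJoinedDevice",
                 "approvedApplication", "compliantApplication"}

# Practice -> predicate over one policy. This mapping is the example's own
# reading of the guidance in the table, not an official assessment rule set.
CHECKS = {
    "AC.L2-3.1.3 device/app grant": lambda p: bool(grants(p) & DEVICE_OR_APP),
    "AC.L2-3.1.9 terms of use": lambda p: bool((p.get("grantControls") or {}).get("termsOfUse")),
    "AC.L2-3.1.10 sign-in frequency": lambda p: session_on(p, "signInFrequency"),
    "AC.L2-3.1.12 app control session": lambda p: session_on(p, "cloudAppSecurity"),
    "AC.L2-3.1.19 app protection": lambda p: "compliantApplication" in grants(p),
}

def coverage(policies):
    """Return {check: [policy names]}, counting only policies in state 'enabled'."""
    result = {name: [] for name in CHECKS}
    for p in policies:
        if p.get("state") != "enabled":  # report-only or disabled is not enforcement
            continue
        for name, pred in CHECKS.items():
            if pred(p):
                result[name].append(p["displayName"])
    return result

def gaps(policies):
    return sorted(name for name, hits in coverage(policies).items() if not hits)

# Constructed sample policies (not real tenant data); property names follow
# the Graph conditionalAccessPolicy resource.
SAMPLE_POLICIES = [
    {"displayName": "CUI apps: require managed device", "state": "enabled",
     "grantControls": {"operator": "OR",
                       "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
     "sessionControls": None},
    {"displayName": "Unmanaged devices: reauthenticate every 4h", "state": "enabled",
     "grantControls": None,
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 4}}},
    {"displayName": "Route via Defender for Cloud Apps",
     "state": "enabledForReportingButNotEnforced", "grantControls": None,
     "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                              "cloudAppSecurityType": "monitorOnly"}}},
    {"displayName": "CUI notice", "state": "enabled", "sessionControls": None,
     "grantControls": {"operator": "AND", "builtInControls": [],
                       "termsOfUse": ["<terms-of-use-id>"]}},
]

if __name__ == "__main__":
    for name, hits in coverage(SAMPLE_POLICIES).items():
        print(f"{name:34} {'OK: ' + ', '.join(hits) if hits else 'GAP'}")
```

In the sample, the app control policy is still in report-only mode, so it is reported as a gap alongside the missing app protection policy.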
