Configure identity access controls to meet FedRAMP High Impact level

Access control is a major part of achieving a Federal Risk and Authorization Management Program (FedRAMP) High Impact level to operate.

The following list of controls and control enhancements in the access control (AC) family might require configuration in your Microsoft Entra tenant.

Control family Description
AC-2 Account management
AC-6 Least privilege
AC-7 Unsuccessful logon attempts
AC-8 System use notification
AC-10 Concurrent session control
AC-11 Session lock
AC-12 Session termination
AC-20 Use of external information systems

Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.

Configurations

FedRAMP Control ID and description Microsoft Entra guidance and recommendations
AC-2 ACCOUNT MANAGEMENT

The Organization
(a.) Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

(b.) Assigns account managers for information system accounts;

(c.) Establishes conditions for group and role membership;

(d.) Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

(e.) Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

(f.) Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

(g.) Monitors the use of information system accounts;

(h.) Notifies account managers:
(1.) When accounts are no longer required;
(2.) When users are terminated or transferred; and
(3.) When individual information system usage or need-to-know changes;

(i.) Authorizes access to the information system based on:
(1.) A valid access authorization;
(2.) Intended system usage; and
(3.) Other attributes as required by the organization or associated missions/business functions;

(j.) Reviews accounts for compliance with account management requirements [FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; and

(k.) Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.

Use Microsoft Entra ID to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Microsoft Entra audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts.

Provision accounts

  • Plan cloud HR application to Microsoft Entra user provisioning
  • Microsoft Entra Connect Sync: Understand and customize synchronization
  • Add or delete users using Microsoft Entra ID

    Monitor accounts

  • Audit activity reports in the Microsoft Entra admin center
  • Connect Microsoft Entra data to Microsoft Sentinel
  • Tutorial: Stream logs to an Azure event hub

    Review accounts

  • What is Microsoft Entra entitlement management?
  • Create an access review of an access package in Microsoft Entra entitlement management
  • Review access of an access package in Microsoft Entra entitlement management

    Resources

  • Administrator role permissions in Microsoft Entra ID
  • Dynamic Groups in Microsoft Entra ID

                         

  • AC-2(1)
    The organization employs automated mechanisms to support the management of information system accounts.
    Employ automated mechanisms to support management of customer-controlled accounts.

    Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Microsoft Entra ID to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.

    Provision

  • Plan cloud HR application to Microsoft Entra user provisioning
  • Microsoft Entra Connect Sync: Understand and customize synchronization
  • What is automated SaaS app user provisioning in Microsoft Entra ID?
  • SaaS app integration tutorials for use with Microsoft Entra ID

    Monitor and audit

  • Investigate risk
  • Audit activity reports in the Microsoft Entra admin center
  • What is Microsoft Sentinel?
  • Microsoft Sentinel: Connect data from Microsoft Entra ID
  • Tutorial: Stream Microsoft Entra logs to an Azure event hub
  • AC-2(2)
    The information system automatically [FedRAMP Selection: disables] temporary and emergency accounts after [FedRAMP Assignment: 24 hours from last use].

    AC-02(3)
    The information system automatically disables inactive accounts after [FedRAMP Assignment: thirty-five (35) days for user accounts].

    AC-2 (3) Additional FedRAMP Requirements and Guidance:
    Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

    Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.

    Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell to take action on accounts in the required time frame.

    Determine inactivity

  • Manage inactive user accounts in Microsoft Entra ID
  • Manage stale devices in Microsoft Entra ID

    Remove or disable accounts

  • Working with users in Microsoft Graph
  • Get a user
  • Update user
  • Delete a user

    Work with devices in Microsoft Graph

  • Get device
  • Update device
  • Delete device

    See, Microsoft Graph PowerShell documentation

  • Get-MgUser
  • Update-MgUser
  • Get-MgDevice
  • Update-MgDevice
  • AC-2(4)
    The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [FedRAMP Assignment: organization and/or service provider system owner].
    Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.

    All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.

    Audit

  • Audit activity reports in the Microsoft Entra admin center
  • Microsoft Sentinel: Connect data from Microsoft Entra ID

    Notification

  • What is Microsoft Sentinel?
  • Tutorial: Stream Microsoft Entra logs to an Azure event hub
  • AC-2(5)
    The organization requires that users log out when [FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes].

    AC-2 (5) Additional FedRAMP Requirements and Guidance:
    Guidance: Should use a shorter timeframe than AC-12

    Implement device log-out after a 15-minute period of inactivity.

    Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.

    Conditional Access

  • Require device to be marked as compliant
  • User sign-in frequency

    MDM policy

  • Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock (Android, iOS, Windows 10).
  • AC-2(7)

    The organization:
    (a.) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
    (b) Monitors privileged role assignments; and
    (c) Takes [FedRAMP Assignment: disables/revokes access within an organization-specified timeframe] when privileged role assignments are no longer appropriate.

    Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.

    Implement Microsoft Entra Privileged Identity Management with access reviews for privileged roles in Microsoft Entra ID to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.

    Administer

  • What is Microsoft Entra Privileged Identity Management?
  • Activation maximum duration

    Monitor

  • Create an access review of Microsoft Entra roles in Privileged Identity Management
  • View audit history for Microsoft Entra roles in Privileged Identity Management
  • Audit activity reports in the Microsoft Entra admin center
  • What is Microsoft Sentinel?
  • Connect data from Microsoft Entra ID
  • Tutorial: Stream Microsoft Entra logs to an Azure event hub
  • AC-2(11)
    The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
    Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.

    Create Conditional Access policies to enforce access control decisions across users and devices.

    Conditional Access

  • Create a Conditional Access policy
  • What is Conditional Access?
  • AC-2(12)

    The organization:
    (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
    (b) Reports atypical usage of information system accounts to [FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization].

    AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:
    Required for privileged accounts.

    Monitor and report customer-controlled accounts with privileged access for atypical usage.

    For help with monitoring of atypical usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.

    ID Protection

  • What is Microsoft Entra ID Protection?
  • Investigate risk
  • Microsoft Entra ID Protection notifications

    Monitor accounts

  • What is Microsoft Sentinel?
  • Audit activity reports in the Microsoft Entra admin center
  • Connect Microsoft Entra data to Microsoft Sentinel
  • Tutorial: Stream logs to an Azure event hub
  • AC-2(13)
    The organization disables accounts of users posing a significant risk in [FedRAMP Assignment: one (1) hour] of discovery of the risk.
    Disable customer-controlled accounts of users that pose a significant risk in one hour.

    In Microsoft Entra ID Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.

    ID Protection

  • What is Microsoft Entra ID Protection?

    Conditional Access

  • What is Conditional Access?
  • Create a Conditional Access policy
  • Conditional Access: User risk-based Conditional Access
  • Conditional Access: Sign-in risk-based Conditional Access
  • Self-remediation with risk policy
  • AC-6(7)

    The organization:
    (a.) Reviews [FedRAMP Assignment: at a minimum, annually] the privileges assigned to [FedRAMP Assignment: all users with privileges] to validate the need for such privileges; and
    (b.) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.

    Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.

    Use Microsoft Entra entitlement management with access reviews for privileged users to verify if privileged access is required.

    Access reviews

  • What is Microsoft Entra entitlement management?
  • Create an access review of Microsoft Entra roles in Privileged Identity Management
  • Review access of an access package in Microsoft Entra entitlement management
  • AC-7 Unsuccessful Login Attempts

    The organization:
    (a.) Enforces a limit of [FedRAMP Assignment: not more than three (3)] consecutive invalid logon attempts by a user during a [FedRAMP Assignment: fifteen (15) minutes]; and
    (b.) Automatically [Selection: locks the account/node for a [FedRAMP Assignment: minimum of three (3) hours or until unlocked by an administrator]; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

    Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.

    Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements.

    Smart lockout

  • Protect user accounts from attacks with Microsoft Entra smart lockout
  • Manage Microsoft Entra smart lockout values
  • AC-8 System Use Notification

    The information system:
    (a.) Displays to users [Assignment: organization-defined system use notification message or banner (FedRAMP Assignment: see additional Requirements and Guidance)] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
    (1.) Users are accessing a U.S. Government information system;
    (2.) Information system usage may be monitored, recorded, and subject to audit;
    (3.) Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
    (4.) Use of the information system indicates consent to monitoring and recording;

    (b.) Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

    (c.) For publicly accessible systems:
    (1.) Displays system use information [Assignment: organization-defined conditions (FedRAMP Assignment: see additional Requirements and Guidance)], before granting further access;
    (2.) Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
    (3.) Includes a description of the authorized uses of the system.

    AC-8 Additional FedRAMP Requirements and Guidance:
    Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
    Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
    Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
    Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

    Display and require user acknowledgment of privacy and security notices before granting access to information systems.

    With Microsoft Entra ID, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via Conditional Access policies.

    Terms of use

  • Microsoft Entra terms of use
  • View report of who has accepted and declined
  • AC-10 Concurrent Session Control
    The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access].
    Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.

    Currently, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session.

    In addition, use the following compensating controls.

    Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.

    Use Privileged Identity Management to further restrict and control privileged accounts.

    Configure smart account lockout for invalid sign-in attempts.

    Implementation guidance

    Zero trust

  • Securing identity with Zero Trust
  • Continuous access evaluation in Microsoft Entra ID

    Conditional Access

  • What is Conditional Access in Microsoft Entra ID?
  • Require device to be marked as compliant
  • User sign-in frequency

    Device policies

  • Other smart card Group Policy settings and registry keys
  • Microsoft Endpoint Manager overview

    Resources

  • What is Microsoft Entra Privileged Identity Management?
  • Protect user accounts from attacks with Microsoft Entra smart lockout

    See AC-12 for more session reevaluation and risk mitigation guidance.

  • AC-11 Session Lock
    The information system:
    (a) Prevents further access to the system by initiating a session lock after [FedRAMP Assignment: fifteen (15) minutes] of inactivity or upon receiving a request from a user; and
    (b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.

    AC-11(1)
    The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

    Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.

    Implement device lock by using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.

    Conditional Access

  • Require device to be marked as compliant
  • User sign-in frequency

    MDM policy

  • Configure devices for maximum minutes of inactivity until the screen locks (Android, iOS, Windows 10).
  • AC-12 Session Termination
    The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
    Automatically terminate user sessions when organizational defined conditions or trigger events occur.

    Implement automatic user session reevaluation with Microsoft Entra features such as risk-based Conditional Access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.

    Resources

  • Sign-in risk-based Conditional Access
  • User risk-based Conditional Access
  • Continuous access evaluation
  • AC-12(1)
    The information system:
    (a.) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
    (b.) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

    AC-8 Additional FedRAMP Requirements and Guidance:
    Guidance: Testing for logout functionality (OTG-SESS-006) Testing for logout functionality

    Provide a logout capability for all sessions and display an explicit logout message.

    All Microsoft Entra ID surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Microsoft Entra ID, implement single sign-out.

    Logout capability

  • When the user selects Sign-out everywhere, all current issued tokens are revoked.

    Display message
    Microsoft Entra ID automatically displays a message after user-initiated logout.

    Screenshot that shows an access control message.

    Resources

  • View and search your recent sign-in activity from the My Sign-Ins page
  • Single Sign-Out SAML Protocol
  • AC-20 Use of External Information Systems
    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
    (a.) Access the information system from external information systems; and
    (b.) Process, store, or transmit organization-controlled information using external information systems.

    AC-20(1)
    The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
    (a.) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
    (b.) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

    Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.

    Require terms of use acceptance for authorized users who access resources from external systems. Implement Conditional Access policies to restrict access from external systems. Conditional Access policies might be integrated with Defender for Cloud Apps to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices.

    Terms and conditions

  • Terms of use: Microsoft Entra ID

    Conditional Access

  • Require device to be marked as compliant
  • Conditions in Conditional Access policy: Device state (preview)
  • Protect with Microsoft Defender for Cloud Apps Conditional Access App Control
  • Location condition in Microsoft Entra Conditional Access

    MDM

  • What is Microsoft Intune?
  • What is Defender for Cloud Apps?
  • What is app management in Microsoft Intune?

    Resource

  • Integrate on-premises apps with Defender for Cloud Apps
  • Next steps