Configure CMMC Level 2 Access Control (AC) controls
Microsoft Entra ID can help you meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with the requirements of CMMC V2.0 Level 2, companies performing work with, and on behalf of, the US Department of Defense (DoD) are responsible for completing other configurations or processes.
In CMMC Level 2, there are 13 domains that have one or more practices related to identity:
- Access Control (AC)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
The remainder of this article provides guidance for the Access Control (AC) domain. There's a table with links to content that provides step-by-step guidance to accomplish the practice.
Access Control (AC)
The following table lists each practice statement with its objectives, together with Microsoft Entra guidance and recommendations for meeting the requirement with Microsoft Entra ID.
CMMC practice statement and objectives | Microsoft Entra guidance and recommendations |
---|---|
AC.L2-3.1.3 Practice statement: Control the flow of CUI in accordance with approved authorizations. Objectives: Determine if: [a.] information flow control policies are defined; [b.] methods and enforcement mechanisms for controlling the flow of CUI are defined; [c.] designated sources and destinations (for example, networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; [d.] authorizations for controlling the flow of CUI are defined; and [e.] approved authorizations for controlling the flow of CUI are enforced. | Configure Conditional Access policies to control the flow of CUI from trusted locations, trusted devices, and approved applications, and to require an app protection policy. For finer-grained authorization to CUI, configure app-enforced restrictions (Exchange/SharePoint Online), Conditional Access App Control (with Microsoft Defender for Cloud Apps), and authentication context. Deploy Microsoft Entra application proxy to secure access to on-premises applications. Related guidance: Location condition in Microsoft Entra Conditional Access; Grant controls in Conditional Access policy - Require device to be marked as compliant; Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device; Grant controls in Conditional Access policy - Require approved client app; Grant controls in Conditional Access policy - Require app protection policy; Session controls in Conditional Access policy - Application enforced restrictions; Protect with Microsoft Defender for Cloud Apps Conditional Access App Control; Cloud apps, actions, and authentication context in Conditional Access policy; Remote access to on-premises apps using Microsoft Entra application proxy. Authentication context: Configuring Authentication context & Assign to Conditional Access Policy. Information Protection: Know and protect your data; help prevent data loss; Protect your sensitive data with Microsoft Purview. Conditional Access: Conditional Access for Azure information protection (AIP). Application Proxy: Remote access to on-premises apps using Microsoft Entra application proxy. |
AC.L2-3.1.4 Practice statement: Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Objectives: Determine if: [a.] the duties of individuals requiring separation are defined; [b.] responsibilities for duties that require separation are assigned to separate individuals; and [c.] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. | Ensure adequate separation of duties by scoping appropriate access. Configure entitlement management access packages to govern access to applications, groups, Teams, and SharePoint sites. Configure separation-of-duties checks within access packages so that a user cannot obtain excessive access. In Microsoft Entra entitlement management, you can configure multiple policies, with different settings for each user community that needs access through an access package. This configuration includes restrictions such that a user who is in a particular group, or who is already assigned a different access package, isn't assigned other access packages, by policy. Configure administrative units in Microsoft Entra ID to scope administrative privilege so that administrators with privileged roles hold those privileges only over a limited set of directory objects (users, groups, devices). Related guidance: What is entitlement management?; What are access packages and what resources can I manage with them?; Configure separation of duties for an access package in Microsoft Entra entitlement management; Administrative units in Microsoft Entra ID. |
AC.L2-3.1.5 Practice statement: Employ the principle of least privilege, including specific security functions and privileged accounts. Objectives: Determine if: [a.] privileged accounts are identified; [b.] access to privileged accounts is authorized in accordance with the principle of least privilege; [c.] security functions are identified; and [d.] access to security functions is authorized in accordance with the principle of least privilege. | You're responsible for implementing and enforcing the principle of least privilege. Use Privileged Identity Management (PIM) to configure enforcement, monitoring, and alerting. Set requirements and conditions for role membership. Once privileged accounts are identified and managed, use entitlement management lifecycle policies and access reviews to set, maintain, and audit adequate access. Use the Microsoft Graph API to discover and monitor directory roles. Assign roles: Assign Microsoft Entra roles in PIM; Assign Azure resource roles in Privileged Identity Management; Assign eligible owners and members for PIM for Groups. Set role settings: Configure Microsoft Entra role settings in PIM; Configure Azure resource role settings in PIM; Configure PIM for Groups settings in PIM. Set up alerts: Security alerts for Microsoft Entra roles in PIM; Configure security alerts for Azure resource roles in Privileged Identity Management. |
AC.L2-3.1.6 Practice statement: Use non-privileged accounts or roles when accessing non-security functions. Objectives: Determine if: [a.] non-security functions are identified; and [b.] users are required to use non-privileged accounts or roles when accessing non-security functions. AC.L2-3.1.7 Practice statement: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. Objectives: Determine if: [a.] privileged functions are defined; [b.] non-privileged users are defined; [c.] non-privileged users are prevented from executing privileged functions; and [d.] the execution of privileged functions is captured in audit logs. | The requirements in AC.L2-3.1.6 and AC.L2-3.1.7 complement each other. Require separate accounts for privileged and non-privileged use. Configure Privileged Identity Management (PIM) to provide just-in-time (JIT) privileged access and remove standing access. Configure role-based Conditional Access policies to limit privileged users' access to productivity applications. For highly privileged users, secure devices as part of the privileged access story. All privileged actions are captured in the Microsoft Entra audit logs. Related guidance: Securing privileged access overview; Configure Microsoft Entra role settings in PIM; Users and groups in Conditional Access policy; Why are privileged access devices important. |
AC.L2-3.1.8 Practice statement: Limit unsuccessful sign-on attempts. Objectives: Determine if: [a.] the means of limiting unsuccessful sign-on attempts is defined; and [b.] the defined means of limiting unsuccessful sign-on attempts is implemented. | Enable custom smart lockout settings. Configure the lockout threshold and the lockout duration in seconds to implement these requirements. Related guidance: Protect user accounts from attacks with Microsoft Entra smart lockout; Manage Microsoft Entra smart lockout values. |
AC.L2-3.1.9 Practice statement: Provide privacy and security notices consistent with applicable CUI rules. Objectives: Determine if: [a.] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and [b.] privacy and security notices are displayed. | With Microsoft Entra ID, you can deliver notification or banner messages for all apps that require and record acknowledgment before access is granted. You can granularly target these terms-of-use policies to specific users (member or guest). You can also customize them per application via Conditional Access policies. Conditional Access: What is Conditional Access in Microsoft Entra ID? Terms of use: Microsoft Entra terms of use; View report of who has accepted and declined. |
AC.L2-3.1.10 Practice statement: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. Objectives: Determine if: [a.] the period of inactivity after which the system initiates a session lock is defined; [b.] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and [c.] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | Implement device lock by using a Conditional Access policy to restrict access to compliant or Microsoft Entra hybrid joined devices. Configure policy settings on the device to enforce device lock at the OS level with an MDM solution such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the sign-in frequency setting to force users to reauthenticate. Related guidance: Require device to be marked as compliant; Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device; User sign-in frequency; Configure devices for maximum minutes of inactivity until the screen locks (Android, iOS, Windows 10). |
AC.L2-3.1.11 Practice statement: Terminate (automatically) a user session after a defined condition. Objectives: Determine if: [a.] conditions requiring a user session to terminate are defined; and [b.] a user session is automatically terminated after any of the defined conditions occur. | Enable Continuous Access Evaluation (CAE) for all supported applications. For applications that don't support CAE, or for conditions not applicable to CAE, implement policies in Microsoft Defender for Cloud Apps to automatically terminate sessions when the conditions occur. Additionally, configure Microsoft Entra ID Protection to evaluate user and sign-in risk. Use Conditional Access with Microsoft Entra ID Protection to allow users to remediate risk automatically. Related guidance: Continuous access evaluation in Microsoft Entra ID; Control cloud app usage by creating policies; What is Microsoft Entra ID Protection? |
AC.L2-3.1.12 Practice statement: Monitor and control remote access sessions. Objectives: Determine if: [a.] remote access sessions are permitted; [b.] the types of permitted remote access are identified; [c.] remote access sessions are controlled; and [d.] remote access sessions are monitored. | In today's world, users access cloud-based applications almost exclusively remotely, from unknown or untrusted networks. Securing this pattern of access requires adopting Zero Trust principles. To meet these control requirements in a modern cloud world, verify each access request explicitly, implement least privilege, and assume breach. Configure named locations to delineate internal and external networks. Configure Conditional Access App Control to route access via Microsoft Defender for Cloud Apps. Configure Defender for Cloud Apps to control and monitor all sessions. Related guidance: Zero Trust Deployment Guide for Microsoft Entra ID; Location condition in Microsoft Entra Conditional Access; Deploy Cloud App Security Conditional Access App Control for Microsoft Entra apps; What is Microsoft Defender for Cloud Apps?; Monitor alerts raised in Microsoft Defender for Cloud Apps. |
AC.L2-3.1.13 Practice statement: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Objectives: Determine if: [a.] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and [b.] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | All Microsoft Entra customer-facing web services are secured with the Transport Layer Security (TLS) protocol and are implemented using FIPS-validated cryptography. Related guidance: Microsoft Entra Data Security Considerations (microsoft.com). |
AC.L2-3.1.14 Practice statement: Route remote access via managed access control points. Objectives: Determine if: [a.] managed access control points are identified and implemented; and [b.] remote access is routed through managed network access control points. | Configure named locations to delineate internal and external networks. Configure Conditional Access App Control to route access via Microsoft Defender for Cloud Apps. Configure Defender for Cloud Apps to control and monitor all sessions. Secure devices used by privileged accounts as part of the privileged access story. Related guidance: Location condition in Microsoft Entra Conditional Access; Session controls in Conditional Access policy; Securing privileged access overview. |
AC.L2-3.1.15 Practice statement: Authorize remote execution of privileged commands and remote access to security-relevant information. Objectives: Determine if: [a.] privileged commands authorized for remote execution are identified; [b.] security-relevant information authorized to be accessed remotely is identified; [c.] the execution of the identified privileged commands via remote access is authorized; and [d.] access to the identified security-relevant information via remote access is authorized. | Conditional Access is the Zero Trust control plane for targeting policies at access to your apps; combined with authentication context, you can apply different policies to different actions within those apps. Secure devices used by privileged accounts as part of the privileged access story. Configure Conditional Access policies to require the use of these secured devices by privileged users when performing privileged commands. Related guidance: Cloud apps, actions, and authentication context in Conditional Access policy; Securing privileged access overview; Filter for devices as a condition in Conditional Access policy. |
AC.L2-3.1.18 Practice statement: Control connection of mobile devices. Objectives: Determine if: [a.] mobile devices that process, store, or transmit CUI are identified; [b.] mobile device connections are authorized; and [c.] mobile device connections are monitored and logged. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to enforce mobile device configuration and connection profiles. Configure Conditional Access policies to enforce device compliance. Conditional Access: Require device to be marked as compliant; Require Microsoft Entra hybrid joined device. Intune: Device compliance policies in Microsoft Intune; What is app management in Microsoft Intune? |
AC.L2-3.1.19 Practice statement: Encrypt CUI on mobile devices and mobile computing platforms. Objectives: Determine if: [a.] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and [b.] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. | Managed devices: Configure Conditional Access policies to require a compliant or Microsoft Entra hybrid joined device, and ensure managed devices are configured via the device management solution to encrypt CUI. Unmanaged devices: Configure Conditional Access policies to require app protection policies. Related guidance: Grant controls in Conditional Access policy - Require device to be marked as compliant; Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device; Grant controls in Conditional Access policy - Require app protection policy. |
AC.L2-3.1.21 Practice statement: Limit use of portable storage devices on external systems. Objectives: Determine if: [a.] the use of portable storage devices containing CUI on external systems is identified and documented; [b.] limits on the use of portable storage devices containing CUI on external systems are defined; and [c.] the use of portable storage devices containing CUI on external systems is limited as defined. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to control the use of portable storage devices on systems. Configure policy settings on the Windows device to completely prohibit or restrict use of portable storage at the OS level. For all other devices, where you may be unable to granularly control access to portable storage, block download entirely with Microsoft Defender for Cloud Apps. Configure Conditional Access policies to enforce device compliance. Conditional Access: Require device to be marked as compliant; Require Microsoft Entra hybrid joined device; Configure authentication session management. Intune: Device compliance policies in Microsoft Intune; Restrict USB devices using administrative templates in Microsoft Intune. Microsoft Defender for Cloud Apps: Create session policies in Defender for Cloud Apps. |
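Several rows above (AC.L2-3.1.3, 3.1.6/3.1.7, 3.1.10, 3.1.15) come down to the same check: is every privileged role actually forced onto a trusted device by an enabled Conditional Access policy? The following Python is an added example, not code from this article or from Microsoft. It builds the Microsoft Graph request body for such a policy and then audits a list of policy objects shaped like the response of GET /identity/conditionalAccess/policies. The sample policies are constructed; the Global Administrator role template ID is the well-known value but should be verified against your tenant; the break-glass object ID is a placeholder.

```python
"""Offline audit of Conditional Access policies for the AC practices above.

Added example (not from the article or from Microsoft). Fetch real policies with
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (or
Get-MgIdentityConditionalAccessPolicy) and pass the "value" list to audit_policies().
"""
from __future__ import annotations
import json

# Well-known roleTemplateId for Global Administrator (assumption: verify in your tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"

# Built-in grant controls that prove a managed device was presented.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def privileged_device_policy(role_ids: list[str], break_glass: list[str]) -> dict:
    """Graph body: MFA AND compliant device for the given roles, 1-hour sign-in frequency."""
    return {
        "displayName": "CMMC-AC-privileged-roles-require-trusted-device",
        "state": "enabled",
        "conditions": {
            # break_glass: object IDs of emergency-access accounts to exclude (placeholder values)
            "users": {"includeRoles": role_ids, "excludeUsers": break_glass},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        # AND is essential: with OR, satisfying MFA alone would grant access.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
        "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}},
    }


def _targets_role(policy: dict, role_id: str) -> bool:
    users = policy.get("conditions", {}).get("users", {})
    if role_id in users.get("excludeRoles", []):
        return False
    return "All" in users.get("includeUsers", []) or role_id in users.get("includeRoles", [])


def _covers_all_apps(policy: dict) -> bool:
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", []) and not apps.get("excludeApplications")


def _enforces_device(policy: dict) -> bool:
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "block" in controls or not controls & DEVICE_CONTROLS:
        return False
    # With OR, any single listed control satisfies the grant, so a user could
    # pass with MFA and never present a managed device.
    return not (grant.get("operator") == "OR" and controls - DEVICE_CONTROLS)


def audit_policies(policies: list[dict], role_id: str) -> dict:
    """Report which enabled policies force a trusted device for role_id on all apps,
    and why every other policy falls short. Report-only policies enforce nothing."""
    enforcing, findings = [], []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if p.get("state") != "enabled":
            findings.append(f"{name}: state is {p.get('state')} (not enforced)")
        elif not _targets_role(p, role_id):
            findings.append(f"{name}: does not target the role")
        elif not _covers_all_apps(p):
            findings.append(f"{name}: leaves some applications out of scope")
        elif not _enforces_device(p):
            findings.append(f"{name}: grant controls can be satisfied without a trusted device")
        else:
            enforcing.append(name)
    return {"role": role_id, "enforced": bool(enforcing),
            "enforcing_policies": enforcing, "findings": findings}


# Constructed sample tenant: a report-only pilot and an OR-joined policy, both common gaps.
SAMPLE_POLICIES = [
    {"displayName": "Pilot: compliant device for admins (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
    {"displayName": "All users: MFA or compliant device",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_policies(SAMPLE_POLICIES, GLOBAL_ADMIN), indent=2))
    fixed = SAMPLE_POLICIES + [privileged_device_policy([GLOBAL_ADMIN], ["<break-glass-object-id>"])]
    print(json.dumps(audit_policies(fixed, GLOBAL_ADMIN), indent=2))
```

The two constructed policies show the failure modes an assessor will ask about: a report-only policy satisfies no objective, and an OR-joined grant lets a role holder in with MFA from an unmanaged device. Adding the AND-joined policy makes the audit pass; in a live tenant, exclude only named emergency-access accounts and review the exclusions with the PIM alerts referenced in AC.L2-3.1.5.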
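For AC.L2-3.1.8 the row above says to set a lockout threshold and a lockout duration in seconds, and objective [b.] asks whether the defined means is implemented. The Python below is an added example, not code from this article or from Microsoft: it replays sign-in records shaped like the Graph signIn resource (GET /auditLogs/signIns) against a chosen threshold and duration, so you can see which accounts would lock and from which addresses the failures came. The records, the threshold and the duration are constructed; the error codes 0, 50126 and 50053 are real Entra sign-in result codes.

```python
"""Replay sign-in records against a smart-lockout threshold and duration.

Added example (not from the article or from Microsoft). Feed it the "value" list
from GET https://graph.microsoft.com/v1.0/auditLogs/signIns to replay real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS, BAD_CREDENTIALS, LOCKED_OUT = 0, 50126, 50053  # real Entra sign-in error codes

# Constructed records: one account hammered from two addresses, one normal user.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:00:05Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:00:10Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:00:15Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:00:20Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:00:30Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:02:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": SUCCESS}},
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.22", "status": {"errorCode": BAD_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T09:00:30Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.22", "status": {"errorCode": SUCCESS}},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def replay_lockout(signins: list, threshold: int, duration_seconds: int) -> dict:
    """Per user: when a lockout would start under the given settings, and the
    distinct source addresses of the failed attempts that counted toward it."""
    by_user = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)

    report = {}
    for upn, events in by_user.items():
        failures, locked_until, lockouts, failed_ips = 0, None, [], set()
        for ev in events:
            when = _ts(ev["createdDateTime"])
            if locked_until and when < locked_until:
                continue  # attempt falls inside the lockout window: rejected, not counted
            locked_until = None
            if ev["status"]["errorCode"] == SUCCESS:
                failures = 0  # a successful sign-in resets the counter
                continue
            failures += 1  # 50126, 50053 and any other non-zero code are failures
            failed_ips.add(ev["ipAddress"])
            if failures >= threshold:
                locked_until = when + timedelta(seconds=duration_seconds)
                lockouts.append(ev["createdDateTime"])
                failures = 0
        report[upn] = {"lockouts": lockouts, "failed_source_ips": sorted(failed_ips)}
    return report


if __name__ == "__main__":
    for threshold in (3, 5, 10):
        print(f"threshold={threshold}, duration=60s:", replay_lockout(SAMPLE_SIGNINS, threshold, 60))
```

Running it with thresholds of 3, 5 and 10 shows how the choice of threshold changes both when the lockout begins and how many failures from a second address get through before it does. Treat the replay as a model, not a reproduction: Entra smart lockout also tracks familiar and unfamiliar locations separately and does not count repeated attempts with the same wrong password, so the live behaviour described in the linked articles can differ from this simple counter. The failed_source_ips list is the piece to feed into your monitoring: several addresses failing against one account within one window is the pattern worth alerting on.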