Configure identity access controls to meet FedRAMP High Impact level
Access control is a major part of achieving a Federal Risk and Authorization Management Program (FedRAMP) High Impact level to operate.
The following list of controls and control enhancements in the access control (AC) family might require configuration in your Azure Active Directory (Azure AD) tenant.
|AC-07||Unsuccessful logon attempts|
|AC-08||System use notification|
|AC-10||Concurrent session control|
|AC-20||Use of external information systems|
Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.
|Control ID||Customer responsibilities and guidance|
|AC-02||Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.
Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.
|AC-02(1)||Employ automated mechanisms to support management of customer-controlled accounts.
Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.
Monitor and audit
|Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.
Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame.
Remove or disable accounts
Work with devices in Microsoft Graph
|AC-02(4)||Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.
All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.
|AC-02(5)||Implement device log-out after a 15-minute period of inactivity.
Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.
|AC-02(7)||Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.
Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.
|AC-02(11)||Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.
Create conditional access policies to enforce access control decisions across users and devices.
|AC-02(12)||Monitor and report customer-controlled accounts with privileged access for atypical usage.
For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.
|AC-02(13)||Disable customer-controlled accounts of users that pose a significant risk within one hour.
In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.
|AC-06(7)||Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.
Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required.
|AC-07||Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.
Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements.
|AC-08||Display and require user acknowledgment of privacy and security notices before granting access to information systems.
|AC-10||Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.
Nowadays, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session.
In addition, use the following compensating controls.
Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.
Use Privileged Identity Management to further restrict and control privileged accounts.
Configure smart account lockout for invalid sign-in attempts.
See AC-12 for more session reevaluation and risk mitigation guidance.
|Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.
Implement device lock by using a conditional access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.
|AC-12||Automatically terminate user sessions when organizational defined conditions or trigger events occur.
Implement automatic user session reevaluation with Azure AD features such as risk-based conditional access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.
|AC-12(1)||Provide a logout capability for all sessions and display an explicit logout message.
All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out.
|Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.
Terms and conditions