Configure identity access controls to meet FedRAMP High Impact level

Access control is a major part of achieving a Federal Risk and Authorization Management Program (FedRAMP) High Impact level authorization to operate.

The following list of controls and control enhancements in the access control (AC) family might require configuration in your Azure Active Directory (Azure AD) tenant.

Control ID   Description
AC-02        Account management
AC-06        Least privilege
AC-07        Unsuccessful logon attempts
AC-08        System use notification
AC-10        Concurrent session control
AC-11        Session lock
AC-12        Session termination
AC-20        Use of external information systems

Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.

Configurations

Control ID Customer responsibilities and guidance
AC-02 Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.

Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.

Provision accounts

  • Plan cloud HR application to Azure Active Directory user provisioning
  • Azure AD Connect sync: Understand and customize synchronization
  • Add or delete users using Azure Active Directory

    Monitor accounts

  • Audit activity reports in the Azure Active Directory portal
  • Connect Azure Active Directory data to Microsoft Sentinel
  • Tutorial: Stream logs to an Azure event hub

    Review accounts

  • What is Azure AD entitlement management?
  • Create an access review of an access package in Azure AD entitlement management
  • Review access of an access package in Azure AD entitlement management

    Resources

  • Administrator role permissions in Azure Active Directory
  • Dynamic Groups in Azure AD

AC-02(1) Employ automated mechanisms to support management of customer-controlled accounts.

    Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in the software as a service (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.

    Provision

  • Plan cloud HR application to Azure Active Directory user provisioning
  • Azure AD Connect sync: Understand and customize synchronization
  • What is automated SaaS app user provisioning in Azure AD?
  • SaaS app integration tutorials for use with Azure AD

    Monitor and audit

  • Investigate risk
  • Audit activity reports in the Azure Active Directory portal
  • What is Microsoft Sentinel?
  • Microsoft Sentinel: Connect data from Azure Active Directory
  • Tutorial: Stream Azure Active Directory logs to an Azure event hub

AC-02(2), AC-02(3) Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.

    Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to read each user's sign-in activity (the signInActivity property, which requires the AuditLog.Read.All permission and is empty for accounts that have never signed in, so fall back to the account's creation time for those) and Azure AD PowerShell to disable or remove accounts within the required time frame.

    Determine inactivity

  • Manage inactive user accounts in Azure AD
  • Manage stale devices in Azure AD

    Remove or disable accounts

  • Working with users in Microsoft Graph
  • Get a user
  • Update user
  • Delete a user

    Work with devices in Microsoft Graph

  • Get device
  • Update device
  • Delete device

    Use Azure AD PowerShell

  • Get-AzureADUser
  • Set-AzureADUser
  • Get-AzureADDevice
  • Set-AzureADDevice
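The following script is an added example, not code from the page or from Microsoft, showing the AC-02(2)/AC-02(3) automation described above. It uses the Microsoft Graph PowerShell SDK (Get-MgUser and Update-MgUser) in place of the AzureAD module cmdlets listed above. It assumes, hypothetically, that temporary and emergency accounts are marked with an employeeType of Temporary or Emergency; swap in whatever marker your tenant uses (a group, a naming rule, an extension attribute). The evaluation is separated from the tenant write so it can be checked offline against the constructed sample users at the bottom.

```powershell
# Added example: AC-02(2)/(3) inactivity handling with the Microsoft Graph PowerShell SDK.
# Assumption (hypothetical): temporary/emergency accounts carry employeeType 'Temporary' or 'Emergency'.

$TemporaryTypes  = @('Temporary', 'Emergency')
$TemporaryMaxAge = [timespan]::FromHours(24)   # temporary/emergency: 24 hours from last use
$StandardMaxAge  = [timespan]::FromDays(35)    # everyone else: 35 days of inactivity

function Get-InactiveAccountReport {
    # Pure evaluation: takes user objects, returns one row per user with a ShouldDisable verdict.
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [datetime]$Now = [datetime]::UtcNow
    )
    foreach ($u in $Users) {
        # signInActivity is null for accounts that have never signed in; count from creation instead.
        $last = $u.SignInActivity.LastSignInDateTime
        if (-not $last) { $last = $u.CreatedDateTime }
        $isTemporary = $u.EmployeeType -in $TemporaryTypes
        $maxAge = if ($isTemporary) { $TemporaryMaxAge } else { $StandardMaxAge }
        $idle = $Now - [datetime]$last
        [pscustomobject]@{
            Id            = $u.Id
            Upn           = $u.UserPrincipalName
            Temporary     = $isTemporary
            IdleDays      = [math]::Round($idle.TotalDays, 1)
            ShouldDisable = [bool]$u.AccountEnabled -and ($idle -gt $maxAge)
        }
    }
}

function Disable-InactiveAccounts {
    # Live run: reads the tenant and disables what the report flags. -WhatIf previews the changes.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ExcludeUpn = @())   # keep break-glass accounts out of the automation
    # AuditLog.Read.All is required to read signInActivity; User.ReadWrite.All to disable accounts.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'
    $users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,createdDateTime,employeeType,signInActivity'
    foreach ($row in Get-InactiveAccountReport -Users $users) {
        if (-not $row.ShouldDisable -or $row.Upn -in $ExcludeUpn) { continue }
        if ($PSCmdlet.ShouldProcess($row.Upn, "Disable account idle for $($row.IdleDays) days")) {
            Update-MgUser -UserId $row.Id -AccountEnabled:$false
        }
    }
}

# Offline check against constructed sample users (not real tenant data).
$now = [datetime]::new(2023, 4, 15, 12, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Id = 'u1'; UserPrincipalName = 'alice@contoso.example'; AccountEnabled = $true; EmployeeType = 'Employee'
                       CreatedDateTime = [datetime]::new(2022, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
                       SignInActivity  = [pscustomobject]@{ LastSignInDateTime = [datetime]::new(2023, 4, 14, 8, 0, 0, [DateTimeKind]::Utc) } }
    [pscustomobject]@{ Id = 'u2'; UserPrincipalName = 'bob@contoso.example'; AccountEnabled = $true; EmployeeType = 'Employee'
                       CreatedDateTime = [datetime]::new(2022, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
                       SignInActivity  = [pscustomobject]@{ LastSignInDateTime = [datetime]::new(2023, 2, 1, 0, 0, 0, [DateTimeKind]::Utc) } }
    [pscustomobject]@{ Id = 'u3'; UserPrincipalName = 'carol-temp@contoso.example'; AccountEnabled = $true; EmployeeType = 'Temporary'
                       CreatedDateTime = [datetime]::new(2023, 4, 1, 0, 0, 0, [DateTimeKind]::Utc)
                       SignInActivity  = [pscustomobject]@{ LastSignInDateTime = [datetime]::new(2023, 4, 13, 9, 0, 0, [DateTimeKind]::Utc) } }
    [pscustomobject]@{ Id = 'u4'; UserPrincipalName = 'dave@contoso.example'; AccountEnabled = $true; EmployeeType = 'Employee'
                       CreatedDateTime = [datetime]::new(2023, 4, 1, 0, 0, 0, [DateTimeKind]::Utc)
                       SignInActivity  = $null }   # never signed in: 14 days since creation, keep
)
# Expected: alice keep, bob disable (73 days), carol-temp disable (51 hours), dave keep.
Get-InactiveAccountReport -Users $sample -Now $now | Format-Table -AutoSize
# Disable-InactiveAccounts -ExcludeUpn 'breakglass1@contoso.example' -WhatIf
```

Run the live function with -WhatIf first and keep the emergency access (break-glass) accounts in the exclusion list; a scheduled job that disables them because nobody has signed in for 35 days defeats their purpose.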

AC-02(4) Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.

    All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure AD audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.

    Audit

  • Audit activity reports in the Azure Active Directory portal
  • Microsoft Sentinel: Connect data from Azure Active Directory

    Notification

  • What is Microsoft Sentinel?
  • Tutorial: Stream Azure Active Directory logs to an Azure event hub

AC-02(5) Implement device log-out after a 15-minute period of inactivity.

    Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.

    Conditional access

  • Require device to be marked as compliant
  • User sign-in frequency

    MDM policy

  • Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock (Android, iOS, Windows 10).

AC-02(7) Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.

    Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.

    Administer

  • What is Azure AD Privileged Identity Management?
  • Activation maximum duration

    Monitor

  • Create an access review of Azure AD roles in Privileged Identity Management
  • View audit history for Azure AD roles in Privileged Identity Management
  • Audit activity reports in the Azure Active Directory portal
  • What is Microsoft Sentinel?
  • Connect data from Azure Active Directory
  • Tutorial: Stream Azure Active Directory logs to an Azure event hub

AC-02(11) Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.

    Create conditional access policies to enforce access control decisions across users and devices.

    Conditional access

  • Create a conditional access policy
  • What is conditional access?

AC-02(12) Monitor and report customer-controlled accounts with privileged access for atypical usage.

    For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.

    Identity protection

  • What is Azure AD Identity Protection?
  • Investigate risk
  • Azure Active Directory Identity Protection notifications

    Monitor accounts

  • What is Microsoft Sentinel?
  • Audit activity reports in the Azure Active Directory portal
  • Connect Azure Active Directory data to Microsoft Sentinel
  • Tutorial: Stream logs to an Azure event hub
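As an added example for the AC-02(7) and AC-02(12) monitoring guidance above (not code from the page or from Microsoft), the following script runs detection logic over Azure AD audit and sign-in records in the shape the diagnostic-setting export streams to an event hub or SIEM. It flags privileged role grants that did not come through Privileged Identity Management and risky sign-ins by accounts that received a privileged role. The records are constructed and trimmed to the fields used; the assumption that PIM-driven role changes appear with an initiating app named MS-PIM should be verified against your own logs before relying on it.

```powershell
# Added example: AC-02(7)/(12) detection over exported Azure AD AuditLogs and SignInLogs records.
# The sample export below is constructed; the 'MS-PIM' initiator check is an assumption to verify.

$PrivilegedRoles = @('Global Administrator', 'Privileged Role Administrator',
                     'Security Administrator', 'Conditional Access Administrator')

function Get-PrivilegedAccessFindings {
    param([Parameter(Mandatory)][string]$ExportJson)
    $records = $ExportJson | ConvertFrom-Json

    # 1. Privileged role grants, with whether they came through PIM.
    $grants = foreach ($r in $records) {
        if ($r.category -ne 'AuditLogs' -or $r.operationName -notlike 'Add member to role*') { continue }
        $actorApp  = $r.properties.initiatedBy.app.displayName
        $actorUser = $r.properties.initiatedBy.user.userPrincipalName
        $actor     = if ($actorApp) { $actorApp } else { $actorUser }
        foreach ($t in @($r.properties.targetResources)) {
            if ($t.type -ne 'User') { continue }
            # Role.DisplayName newValue is a JSON-encoded string, so strip the surrounding quotes.
            $role = ($t.modifiedProperties | Where-Object displayName -eq 'Role.DisplayName').newValue -replace '^"|"$'
            if ($role -notin $PrivilegedRoles) { continue }
            [pscustomobject]@{
                Time   = [datetime]$r.time
                Upn    = $t.userPrincipalName
                Role   = $role
                Actor  = $actor
                ViaPim = ($actorApp -eq 'MS-PIM')
            }
        }
    }
    $privilegedUpns = @($grants.Upn | Sort-Object -Unique)

    # 2. Medium/high-risk sign-ins by anyone who received a privileged role.
    $riskySignIns = foreach ($r in $records) {
        if ($r.category -ne 'SignInLogs') { continue }
        $p = $r.properties
        if ($p.userPrincipalName -in $privilegedUpns -and $p.riskLevelDuringSignIn -in @('medium', 'high')) {
            [pscustomobject]@{
                Time = [datetime]$r.time; Upn = $p.userPrincipalName; Risk = $p.riskLevelDuringSignIn
                Ip   = $p.ipAddress;     App = $p.appDisplayName
            }
        }
    }

    [pscustomobject]@{
        NonPimGrants = @($grants | Where-Object { -not $_.ViaPim })   # assigned directly, outside PIM
        RiskySignIns = @($riskySignIns)
    }
}

# Constructed sample export (four records, trimmed to the fields the function reads).
$sampleExport = @'
[
  { "time": "2023-04-10T09:00:00Z", "category": "AuditLogs", "operationName": "Add member to role completed (PIM activation)",
    "properties": { "initiatedBy": { "app": { "displayName": "MS-PIM" } },
      "targetResources": [ { "type": "User", "userPrincipalName": "alice@contoso.example",
        "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Global Administrator\"" } ] } ] } },
  { "time": "2023-04-10T22:15:00Z", "category": "AuditLogs", "operationName": "Add member to role",
    "properties": { "initiatedBy": { "user": { "userPrincipalName": "mallory@contoso.example" } },
      "targetResources": [ { "type": "User", "userPrincipalName": "bob@contoso.example",
        "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Security Administrator\"" } ] } ] } },
  { "time": "2023-04-11T03:30:00Z", "category": "SignInLogs", "operationName": "Sign-in activity",
    "properties": { "userPrincipalName": "bob@contoso.example", "riskLevelDuringSignIn": "high",
      "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal" } },
  { "time": "2023-04-11T08:00:00Z", "category": "SignInLogs", "operationName": "Sign-in activity",
    "properties": { "userPrincipalName": "alice@contoso.example", "riskLevelDuringSignIn": "none",
      "ipAddress": "198.51.100.4", "appDisplayName": "Office 365" } }
]
'@

$findings = Get-PrivilegedAccessFindings -ExportJson $sampleExport
$findings.NonPimGrants | Format-Table -AutoSize   # bob granted Security Administrator by mallory, outside PIM
$findings.RiskySignIns | Format-Table -AutoSize   # bob's high-risk sign-in to the Azure portal
```

The same two joins (role grant to initiator, role holder to sign-in risk) are what you would express as KQL analytics rules over the AuditLogs and SigninLogs tables once the logs land in Microsoft Sentinel; the script is useful for testing the logic against exported samples before writing the rules.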

AC-02(13) Disable customer-controlled accounts of users that pose a significant risk within one hour.

    In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts. A conditional access block is applied when a token is requested, so to end sessions that are already established within the hour, pair the policy with continuous access evaluation (which revokes access tokens in near real time on critical events such as account disable and elevated user risk) or revoke the user's refresh tokens, and disable the account if the risk is confirmed.

    Identity protection

  • What is Azure AD Identity Protection?

    Conditional access

  • What is conditional access?
  • Create a conditional access policy
  • Conditional access: User risk-based conditional access
  • Conditional access: Sign-in risk-based conditional access
  • Self-remediation with risk policy

AC-06(7) Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.

    Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required.

    Access reviews

  • What is Azure AD entitlement management?
  • Create an access review of Azure AD roles in Privileged Identity Management
  • Review access of an access package in Azure AD entitlement management

AC-07 Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.

    Enable custom smart lockout settings. Configure the lockout threshold (3 failed attempts) and the lockout duration in seconds (10800 seconds for 3 hours) to implement these requirements; the defaults (10 attempts, 60 seconds) don't satisfy them. Smart lockout tracks the last three bad password hashes, so the same wrong password retried repeatedly counts once, and it keeps separate counters for familiar and unfamiliar locations. In hybrid tenants that use pass-through authentication, set the cloud threshold below the on-premises AD DS lockout threshold so smart lockout trips first and password spraying against cloud sign-in doesn't lock the on-premises account.

    Smart lockout

  • Protect user accounts from attacks with Azure Active Directory smart lockout
  • Manage Azure AD smart lockout values

AC-08 Display and require user acknowledgment of privacy and security notices before granting access to information systems.

    Azure AD terms of use policies display a notice, require the user to accept it, and record that acceptance before access is granted. You can target them to specific users (members or guests) and scope them to specific applications through conditional access policies.

    Terms of use

  • Azure Active Directory terms of use
  • View report of who has accepted and declined

AC-10 Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.

    Nowadays, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session.

    In addition, use the following compensating controls.

    Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.

    Use Privileged Identity Management to further restrict and control privileged accounts.

    Configure smart account lockout for invalid sign-in attempts.

    Implementation guidance

    Zero trust

  • Securing identity with Zero Trust
  • Continuous access evaluation in Azure AD

    Conditional access

  • What is conditional access in Azure AD?
  • Require device to be marked as compliant
  • User sign-in frequency

    Device policies

  • Use PowerShell scripts on Windows 10 devices in Intune
  • Other smart card Group Policy settings and registry keys
  • Microsoft Endpoint Manager overview

    Resources

  • What is Azure AD Privileged Identity Management?
  • Protect user accounts from attacks with Azure Active Directory smart lockout

    See AC-12 for more session reevaluation and risk mitigation guidance.


AC-11, AC-11(1) Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.

    Implement device lock by using a conditional access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate. Sign-in frequency forces periodic reauthentication (the shortest value is one hour) regardless of activity; it doesn't implement a 15-minute inactivity lock by itself, so the inactivity requirement is met on the device.

    Conditional access

  • Require device to be marked as compliant
  • User sign-in frequency

    MDM policy

  • Configure devices for maximum minutes of inactivity until the screen locks (Android, iOS, Windows 10).
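As an added example for the AC-02(5)/AC-11 and AC-02(13) guidance above (not code from the page or from Microsoft), the following script builds the two conditional access policies those rows describe and creates them through Microsoft Graph with the Microsoft Graph PowerShell SDK. The break-glass object IDs are placeholders, both policies are created in report-only mode, and the self-remediation variant (secure password change) is selectable with a switch.

```powershell
# Added example: conditional access policies for AC-02(13) (high user risk) and AC-02(5)/AC-11
# (reauthentication on devices not marked compliant), created via the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph.Identity.SignIns module. $BreakGlassIds is a placeholder assumption.

$BreakGlassIds = @('00000000-0000-0000-0000-000000000001')   # placeholder: your emergency access account IDs

function New-HighUserRiskPolicy {
    # AC-02(13): act on users Identity Protection rates High. Default is a hard block; -SelfRemediate
    # instead requires MFA plus a password change, which clears the user risk on success.
    param([switch]$SelfRemediate)
    $grant = if ($SelfRemediate) { @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') } }
             else                 { @{ operator = 'OR';  builtInControls = @('block') } }
    @{
        displayName = 'FedRAMP AC-02(13) High user risk'
        state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing report-only results
        conditions  = @{
            userRiskLevels = @('high')
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
            applications   = @{ includeApplications = @('All') }
        }
        grantControls = $grant
    }
}

function New-UnmanagedDeviceReauthPolicy {
    # AC-02(5)/AC-11 compensating control for devices not marked compliant: no persistent browser
    # session and a 1-hour sign-in frequency (the shortest periodic value; it is not inactivity-based).
    @{
        displayName = 'FedRAMP AC-11 Reauthentication on unmanaged devices'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
            # Exclude-mode filter: everything that is not a compliant device, including devices
            # with no directory object at all, falls into scope.
            devices        = @{ deviceFilter = @{ mode = 'exclude'; rule = 'device.isCompliant -eq True' } }
        }
        sessionControls = @{
            signInFrequency   = @{ isEnabled = $true; value = 1; type = 'hours' }
            persistentBrowser = @{ isEnabled = $true; mode = 'never' }
        }
    }
}

function Publish-ConditionalAccessPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Policy)
    if ($PSCmdlet.ShouldProcess($Policy.displayName, 'Create conditional access policy')) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    }
}

# Inspect the request bodies offline, then connect and publish.
New-HighUserRiskPolicy | ConvertTo-Json -Depth 6
New-HighUserRiskPolicy -SelfRemediate | ConvertTo-Json -Depth 6
New-UnmanagedDeviceReauthPolicy | ConvertTo-Json -Depth 6
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
# Publish-ConditionalAccessPolicy -Policy (New-HighUserRiskPolicy) -WhatIf
# Publish-ConditionalAccessPolicy -Policy (New-UnmanagedDeviceReauthPolicy) -WhatIf
```

Leave both policies in report-only mode until the sign-in log's report-only results show the expected population, and always exclude the emergency access accounts so a risk detection or a lost device cannot lock the tenant's last administrator out.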

AC-12 Automatically terminate user sessions when organizational defined conditions or trigger events occur.

    Implement automatic user session reevaluation with Azure AD features such as risk-based conditional access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.

    Resources

  • Sign-in risk-based conditional access
  • User risk-based conditional access
  • Continuous access evaluation

AC-12(1) Provide a logout capability for all sessions and display an explicit logout message.

    All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out.

    Logout capability

  • When the user selects Sign out everywhere (or an administrator revokes the user's sessions), all refresh tokens and browser session cookies issued to the user are revoked. Access tokens already issued remain valid until they expire unless the application supports continuous access evaluation.

    Display message
    Azure AD automatically displays a message after user-initiated logout.


    Resources

  • View and search your recent sign-in activity from the My Sign-Ins page
  • Single Sign-Out SAML Protocol

AC-20, AC-20(1) Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.

    Require terms of use acceptance for authorized users who access resources from external systems. Implement conditional access policies to restrict access from external systems. Conditional access policies can also be integrated with Defender for Cloud Apps to apply session controls to cloud and on-premises applications accessed from external systems. Mobile application management in Intune protects organization data at the application level, including custom apps and store apps, on devices that interact with external systems such as cloud services; it works on both organization-owned and personal devices.

    Terms and conditions

  • Terms of use: Azure Active Directory

    Conditional access

  • Require device to be marked as compliant
  • Conditions in conditional access policy: Device state (preview)
  • Protect with Microsoft Defender for Cloud Apps Conditional Access App Control
  • Location condition in Azure Active Directory conditional access

    MDM

  • What is Microsoft Intune?
  • What is Defender for Cloud Apps?
  • What is app management in Microsoft Intune?

    Resource

  • Integrate on-premises apps with Defender for Cloud Apps