Configure additional controls to achieve FedRAMP High Impact level

The following list of controls (and control enhancements) might require configuration in your Azure Active Directory (Azure AD) tenant.

Each row in the following tables provides prescriptive guidance. This guidance helps you develop your organization's response to the shared responsibilities for each control or control enhancement.

Audit and accountability

The guidance in the following table pertains to:

  • AU-02 Audit events
  • AU-03 Content of audit
  • AU-06 Audit review, analysis, and reporting
Control ID and subpart: AU-02, AU-03, AU-03(1), AU-03(2)

Customer responsibilities and guidance:

Ensure the system is capable of auditing the events defined in AU-02 part a. Coordinate the audit function with the other organizational entities that need audit-related information, so that the selected subset of auditable events supports after-the-fact investigations. Implement centralized management of audit records.

All account lifecycle operations (account creation, modification, enabling, disabling, and removal) are recorded in the Azure AD audit logs. All authentication and authorization events are recorded in the Azure AD sign-in logs, and any detected risks are recorded in the Identity Protection logs. You can stream each of these logs directly into a security information and event management (SIEM) solution such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate the logs with third-party SIEM solutions.

Audit events

  • Audit activity reports in the Azure Active Directory portal
  • Sign-in activity reports in the Azure Active Directory portal
  • How To: Investigate risk

SIEM integrations

  • Microsoft Sentinel: Connect data from Azure Active Directory (Azure AD)
  • Stream to Azure event hub and other SIEMs

Control ID and subpart: AU-06, AU-06(1), AU-06(3), AU-06(4), AU-06(5), AU-06(6), AU-06(7), AU-06(10)

Customer responsibilities and guidance:

Review and analyze audit records at least once each week to identify inappropriate or unusual activity, and report findings to appropriate personnel.

Streaming the logs as described for AU-02 and AU-03 is what makes weekly review and reporting possible. You can't meet these requirements by using Azure AD alone: the portal reports retain sign-in and audit data for at most 30 days (with a Premium license), and they offer no scheduled review, correlation, or reporting workflow. You must also use a SIEM solution such as Microsoft Sentinel, which is where both the longer retention and the scheduled analytics live. For more information, see What is Microsoft Sentinel?.
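The following is an added example of the weekly AU-06 review described above; it is not code from this article or from Microsoft. It takes Azure AD audit and sign-in records in the shape produced by a diagnostic-setting export (the `{"records": [...]}` envelope an event hub consumer receives), restricts them to a seven-day window, and surfaces the findings a reviewer reports on: account lifecycle operations, privileged role assignments, a single source address failing against many accounts, and sign-ins that Identity Protection marked as risky. The sample records are constructed and only approximate the export schema, and the `SPRAY_MIN_ACCOUNTS` threshold is an assumption to tune; in practice the same logic would run as a scheduled analytics rule in the SIEM.

```python
"""Weekly review (AU-06) of exported Azure AD audit and sign-in logs.
Added example, not code from the article or from Microsoft. Assumes the
Azure Monitor export shape (category, time, operationName, properties);
the records below are constructed and only approximate that schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LIFECYCLE_OPS = {"Add user", "Update user", "Delete user", "Enable account",
                 "Disable account", "Reset password"}
ROLE_OPS = {"Add member to role", "Add eligible member to role"}
SPRAY_MIN_ACCOUNTS = 5   # one source IP failing against this many accounts (assumption)

# Constructed sample export; the five failed sign-ins from one address are generated.
RECORDS = [
    {"category": "AuditLogs", "time": "2024-04-20T10:00:00Z", "operationName": "Delete user",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "old@contoso.example"}]}},
    {"category": "AuditLogs", "time": "2024-05-06T09:12:00Z", "operationName": "Add user",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "new.hire@contoso.example"}]}},
    {"category": "AuditLogs", "time": "2024-05-06T23:40:00Z", "operationName": "Add member to role",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "new.hire@contoso.example"},
                                        {"type": "Role", "displayName": "Global Administrator"}]}},
    {"category": "AuditLogs", "time": "2024-05-07T15:00:00Z", "operationName": "Disable account",
     "properties": {"initiatedBy": {"app": {"displayName": "HR provisioning"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "leaver@contoso.example"}]}},
    {"category": "SignInLogs", "time": "2024-05-09T03:30:00Z",
     "properties": {"userPrincipalName": "cfo@contoso.example", "ipAddress": "198.51.100.7",
                    "status": {"errorCode": 0}, "riskLevelDuringSignIn": "high"}},
] + [
    {"category": "SignInLogs", "time": f"2024-05-08T02:{i:02d}:00Z",
     "properties": {"userPrincipalName": f"user{i}@contoso.example", "ipAddress": "203.0.113.9",
                    "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none"}}
    for i in range(5)
]
SAMPLE_EXPORT = json.dumps({"records": RECORDS})   # envelope shape seen on the event hub


def load_records(payload):
    """Accept the {"records": [...]} envelope, a bare JSON array, or newline-delimited JSON."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return [json.loads(line) for line in payload.splitlines() if line.strip()]
    return doc["records"] if isinstance(doc, dict) else doc


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def select_week(records, week_end):
    """Keep records from the seven days ending at week_end (ISO 8601, UTC)."""
    end = _ts(week_end)
    start = end - timedelta(days=7)
    return [r for r in records if start <= _ts(r["time"]) < end]


def _actor(props):
    by = props.get("initiatedBy", {})
    if "user" in by:
        return by["user"].get("userPrincipalName", "unknown")
    if "app" in by:
        return by["app"].get("displayName", "unknown")
    return "unknown"


def review(records):
    """Produce the findings a weekly AU-06 review should report."""
    report = {"lifecycle": [], "privileged_role_changes": [], "password_spray": [], "risky_signins": []}
    failed = defaultdict(set)   # source IP -> accounts that failed to sign in from it
    for r in records:
        p = r.get("properties", {})
        if r.get("category") == "AuditLogs":
            op = r.get("operationName", "")
            targets = p.get("targetResources", [])
            users = [t["userPrincipalName"] for t in targets if t.get("type") == "User"]
            roles = [t.get("displayName", "") for t in targets if t.get("type") == "Role"]
            if op in LIFECYCLE_OPS:
                report["lifecycle"].append((r["time"], op, _actor(p), users))
            if op in ROLE_OPS and any("Administrator" in role for role in roles):
                report["privileged_role_changes"].append((r["time"], _actor(p), users, roles))
        elif r.get("category") == "SignInLogs":
            upn = p.get("userPrincipalName", "unknown")
            if p.get("status", {}).get("errorCode", 0) != 0:
                failed[p.get("ipAddress", "?")].add(upn)
            if p.get("riskLevelDuringSignIn") in ("medium", "high"):
                report["risky_signins"].append((r["time"], upn, p.get("ipAddress"), p["riskLevelDuringSignIn"]))
    for ip, accounts in failed.items():
        if len(accounts) >= SPRAY_MIN_ACCOUNTS:
            report["password_spray"].append((ip, sorted(accounts)))
    return report


if __name__ == "__main__":
    findings = review(select_week(load_records(SAMPLE_EXPORT), "2024-05-13T00:00:00Z"))
    for kind, items in findings.items():
        print(kind, *items, sep="\n  ")
```

The role-assignment check keys on the role's display name because that is what the audit record carries; the spray check counts distinct accounts per source address rather than raw failures, which is what separates a spray from one user mistyping a password.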

Incident response

The guidance in the following table pertains to:

  • IR-04 Incident handling
  • IR-05 Incident monitoring

Control ID and subpart: IR-04, IR-04(1), IR-04(2), IR-04(3), IR-04(4), IR-04(6), IR-04(8), IR-05, IR-05(1)

Customer responsibilities and guidance:

Implement incident handling and monitoring capabilities. This includes automated incident handling (IR-04(1)), dynamic reconfiguration (IR-04(2)), continuity of operations (IR-04(3)), information correlation (IR-04(4)), insider threats (IR-04(6)), correlation with external organizations (IR-04(8)), and incident monitoring with automated tracking (IR-05, IR-05(1)).

The Azure AD audit logs record all configuration changes. Authentication and authorization events are recorded in the sign-in logs, and any detected risks are recorded in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate the logs with third-party SIEM solutions. Automate dynamic reconfiguration in response to SIEM events by calling Microsoft Graph or Azure AD PowerShell, for example from a Microsoft Sentinel automation rule or playbook that disables the affected account and revokes its sessions. The AzureAD PowerShell module is deprecated in favor of the Microsoft Graph PowerShell SDK, so new automation should target Microsoft Graph.

Audit events

  • Audit activity reports in the Azure Active Directory portal
  • Sign-in activity reports in the Azure Active Directory portal
  • How To: Investigate risk

SIEM integrations

  • Microsoft Sentinel: Connect data from Azure Active Directory (Azure AD)
  • Stream to Azure event hub and other SIEMs

Dynamic reconfiguration

  • AzureAD Module
  • Overview of Microsoft Graph
Personnel security

The guidance in the following table pertains to:

  • PS-04 Personnel termination

Control ID and subpart: PS-04, PS-04(2)

Customer responsibilities and guidance:

Automatically notify the personnel responsible for disabling access to the system.

Disable accounts and revoke all associated authenticators and credentials within 8 hours.

Configure provisioning of accounts in Azure AD (including disablement upon termination) from external HR systems, from on-premises Active Directory, or directly in the cloud. Terminate all system access by disabling the account and revoking its existing sessions. Revoking sessions invalidates refresh tokens, but access tokens that were already issued stay valid until they expire (typically 60 to 90 minutes) unless the application supports Continuous Access Evaluation, so disable the account first and treat the revocation as closing the remaining window. For hybrid accounts, disable the account in on-premises Active Directory as well and force a synchronization, so the disabled state is authoritative on both sides.

Account provisioning

  • See detailed guidance in AC-02.

Revoke all associated authenticators

  • Revoke user access in an emergency in Azure Active Directory
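The following is an added example, not code from this article or from Microsoft, of the automated response that both the IR-04 dynamic reconfiguration guidance and the PS-04 revocation guidance call for: given a SIEM alert that names an account, it disables the account, revokes its sign-in sessions, and rotates its password through Microsoft Graph, in that order. It assumes `GRAPH_TOKEN` holds an app-only bearer token with a permission such as User.ReadWrite.All (and that the app is assigned a directory role allowed to act on the target account); the alert shape is a constructed approximation of a Microsoft Sentinel incident's entity list, and `ALERT_MIN_SEVERITY` is a policy choice. The `send` parameter lets the same logic run offline against a recording stand-in, which is what the stand-alone run uses.

```python
"""SIEM-triggered account containment via Microsoft Graph (IR-04(2), PS-04).
Added example, not code from the article or from Microsoft. Assumes GRAPH_TOKEN
holds an app-only token with User.ReadWrite.All; the sample alert is constructed."""
import json
import os
import secrets
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
ALERT_MIN_SEVERITY = {"High"}   # only these severities trigger containment (assumption)

# Constructed sample alert; approximates a Sentinel incident's Entities array.
SAMPLE_ALERT = {
    "Title": "Impossible travel followed by inbox rule creation",
    "Severity": "High",
    "Entities": [{"Type": "account", "Name": "cfo", "UPNSuffix": "contoso.example"},
                 {"Type": "ip", "Address": "198.51.100.7"}],
}


def http_send(method, url, body=None):
    """Real sender: one Graph call using the bearer token from the environment."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + os.environ["GRAPH_TOKEN"],
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def contain_account(upn, send=http_send):
    """Disable the account, revoke its sessions, then rotate the password.

    Disabling first stops new sign-ins. revokeSignInSessions invalidates refresh
    tokens so existing sessions cannot renew (already issued access tokens live out
    their lifetime unless Continuous Access Evaluation applies). The password reset
    means a stolen password is useless if the account is later re-enabled.
    Stops at the first failed step rather than reporting partial containment as done.
    """
    user = f"{GRAPH}/users/{quote(upn, safe='')}"
    steps = [
        ("disable", "PATCH", user, {"accountEnabled": False}),
        ("revoke_sessions", "POST", f"{user}/revokeSignInSessions", None),
        ("reset_password", "PATCH", user, {"passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": secrets.token_urlsafe(24)}}),
    ]
    done = []
    for name, method, url, body in steps:
        status, _ = send(method, url, body)
        if status not in (200, 204):
            raise RuntimeError(f"{name} failed for {upn}: HTTP {status}")
        done.append((name, status))
    return done


def alert_accounts(alert):
    """UPNs of the account entities in the alert; entities without a full UPN are skipped."""
    return [f"{e['Name']}@{e['UPNSuffix']}" for e in alert.get("Entities", [])
            if e.get("Type") == "account" and e.get("Name") and e.get("UPNSuffix")]


def respond_to_alert(alert, send=http_send):
    """Contain every account named in a sufficiently severe alert; returns steps per UPN."""
    if alert.get("Severity") not in ALERT_MIN_SEVERITY:
        return None
    return {upn: contain_account(upn, send) for upn in alert_accounts(alert)}


def recording_sender(log):
    """Offline stand-in for http_send: records each call and answers like Graph does
    (204 No Content for PATCH /users, 200 with {"value": true} for revokeSignInSessions)."""
    def send(method, url, body=None):
        log.append((method, url.replace(GRAPH, "", 1), None if body is None else sorted(body)))
        return (200, b'{"value":true}') if method == "POST" else (204, b"")
    return send


if __name__ == "__main__":
    calls = []
    print(respond_to_alert(SAMPLE_ALERT, recording_sender(calls)))
    for call in calls:
        print(*call)
```

Wire the real sender in from a playbook or scheduled job only after the alert has passed whatever review your incident handling process requires; an automated disable is itself a denial-of-service primitive if an attacker can provoke the alert, so scope the triggering rule and the app's permissions narrowly.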
System and information integrity

The guidance in the following table pertains to:

  • SI-04 Information system monitoring

Control ID and subpart: SI-04, SI-04(1)

Customer responsibilities and guidance:

Implement system-wide monitoring, including an intrusion detection system.

Include all Azure AD logs (audit, sign-in, and Identity Protection) in the information system monitoring solution.

Stream the Azure AD logs into a SIEM solution (see the SIEM integrations listed under AU-02 and AU-03 earlier in this article).

Next steps

Configure access controls

Configure identification and authentication controls

Configure other controls