Configure CMMC Level 2 Identification and Authentication (IA) controls
Microsoft Entra ID helps you meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To complete other configurations or processes to be compliant with CMMC V2.0 level 2 requirements, is the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD).
CMMC Level 2 has 13 domains that have one or more practices related to identity. The domains are:
- Access Control (AC)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
The remainder of this article provides guidance for the Identification and Authorization (IA) domain. There's a table with links to content that provides step-by-step guidance to accomplish the practice.
Identification & Authentication
The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.
|CMMC practice statement and objectives
|Microsoft Entra guidance and recommendations
Practice statement: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
[a.] privileged accounts are identified;
[b.] multifactor authentication is implemented for local access to privileged accounts;
[c.] multifactor authentication is implemented for network access to privileged accounts; and
[d.] multifactor authentication is implemented for network access to non-privileged accounts.
|The following items are definitions for the terms used for this control area:
Breaking down the previous requirement means:
You're responsible for configuring Conditional Access to require multifactor authentication. Enable Microsoft Entra authentication methods that meet AAL2 and higher.
Grant controls in Conditional Access policy
Achieve NIST authenticator assurance levels with Microsoft Entra ID
Authentication methods and features
Practice statement: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
[a.] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
|All Microsoft Entra authentication methods at AAL2 and above are replay resistant.
Achieve NIST authenticator assurance levels with Microsoft Entra ID
Practice statement: Prevent reuse of identifiers for a defined period.
[a.] a period within which identifiers can't be reused is defined; and
[b.] reuse of identifiers is prevented within the defined period.
|All user, group, device object globally unique identifiers (GUIDs) are guaranteed unique and non-reusable for the lifetime of the Microsoft Entra tenant.
user resource type - Microsoft Graph v1.0
group resource type - Microsoft Graph v1.0
device resource type - Microsoft Graph v1.0
Practice statement: Disable identifiers after a defined period of inactivity.
[a.] a period of inactivity after which an identifier is disabled is defined; and
[b.] identifiers are disabled after the defined period of inactivity.
|Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell SDK. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell SDK to take action on accounts within the required time frame.
Manage inactive user accounts in Microsoft Entra ID
Manage stale devices in Microsoft Entra ID
Remove or disable accounts
Working with users in Microsoft Graph
Get a user
Delete a user
Work with devices in Microsoft Graph
Use the Microsoft Graph PowerShell SDK
Objectives: Enforce a minimum password complexity and change of characters when new passwords are created.
[a.] password complexity requirements are defined;
[b.] password change of character requirements are defined;
[c.] minimum password complexity requirements as defined are enforced when new passwords are created; and
[d.] minimum password change of character requirements as defined are enforced when new passwords are created.
Practice statement: Prohibit password reuse for a specified number of generations.
[a.] the number of generations during which a password cannot be reused is specified; and
[b.] reuse of passwords is prohibited during the specified number of generations.
|We strongly encourage passwordless strategies. This control is only applicable to password authenticators, so removing passwords as an available authenticator renders this control not applicable.
Per NIST SP 800-63 B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.
With Microsoft Entra password protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.
For customers that require strict password character change, password reuse and complexity requirements use hybrid accounts configured with Password-Hash-Sync. This action ensures the passwords synchronized to Microsoft Entra ID inherit the restrictions configured in Active Directory password policies. Further protect on-premises passwords by configuring on-premises Microsoft Entra Password Protection for Active Directory Domain Services.
NIST Special Publication 800-63 B
NIST Special Publication 800-53 Revision 5 (IA-5 - Control enhancement (1)
Eliminate bad passwords using Microsoft Entra password protection
What is password hash synchronization with Microsoft Entra ID?
Practice statement: Allow temporary password use for system logons with an immediate change to a permanent password.
[a.] an immediate change to a permanent password is required when a temporary password is used for system sign-on.
|A Microsoft Entra user initial password is a temporary single use password that once successfully used is immediately required to be changed to a permanent password. Microsoft strongly encourages the adoption of passwordless authentication methods. Users can bootstrap Passwordless authentication methods using Temporary Access Pass (TAP). TAP is a time and use limited passcode issued by an admin that satisfies strong authentication requirements. Use of passwordless authentication along with the time and use limited TAP completely eliminates the use of passwords (and their reuse).
Add or delete users
Configure a Temporary Access Pass in Microsoft Entra ID to register Passwordless authentication methods
Practice statement: Store and transmit only cryptographically protected passwords.
[a.] passwords are cryptographically protected in storage; and
[b.] passwords are cryptographically protected in transit.
|Secret Encryption at Rest:
In addition to disk level encryption, when at rest, secrets stored in the directory are encrypted using the Distributed Key Manager(DKM). The encryption keys are stored in Microsoft Entra core store and in turn are encrypted with a scale unit key. The key is stored in a container that is protected with directory ACLs, for highest privileged users and specific services. The symmetric key is typically rotated every six months. Access to the environment is further protected with operational controls and physical security.
Encryption in Transit:
To assure data security, Directory Data in Microsoft Entra ID is signed and encrypted while in transit between data centers within a scale unit. The data is encrypted and unencrypted by the Microsoft Entra core store tier, which resides inside secured server hosting areas of the associated Microsoft data centers.
Customer-facing web services are secured with the Transport Layer Security (TLS) protocol.
For more information, download Data Protection Considerations - Data Security. On page 15, there are more details.
Demystifying Password Hash Sync (microsoft.com)
Microsoft Entra Data Security Considerations
Practice statement: Obscure feedback of authentication information.
[a.] authentication information is obscured during the authentication process.
|By default, Microsoft Entra ID obscures all authenticator feedback.