Configure identity access controls to meet FedRAMP High Impact level
Access control is a major part of achieving a Federal Risk and Authorization Management Program (FedRAMP) High Impact level to operate.
The following list of controls and control enhancements in the access control (AC) family might require configuration in your Microsoft Entra tenant.
|AC-7||Unsuccessful logon attempts|
|AC-8||System use notification|
|AC-10||Concurrent session control|
|AC-20||Use of external information systems|
Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.
|FedRAMP Control ID and description||Microsoft Entra guidance and recommendations|
|AC-2 ACCOUNT MANAGEMENT
(b.) Assigns account managers for information system accounts;
(c.) Establishes conditions for group and role membership;
(d.) Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
(e.) Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
(f.) Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
(g.) Monitors the use of information system accounts;
(h.) Notifies account managers:
(i.) Authorizes access to the information system based on:
(j.) Reviews accounts for compliance with account management requirements [FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; and
(k.) Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
|Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.
Use Microsoft Entra ID to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Microsoft Entra audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts.
The organization employs automated mechanisms to support the management of information system accounts.
|Employ automated mechanisms to support management of customer-controlled accounts.
Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Microsoft Entra ID to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.
Monitor and audit
The information system automatically [FedRAMP Selection: disables] temporary and emergency accounts after [FedRAMP Assignment: 24 hours from last use].
AC-2 (3) Additional FedRAMP Requirements and Guidance:
|Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.
Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell to take action on accounts in the required time frame.
Remove or disable accounts
Work with devices in Microsoft Graph
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [FedRAMP Assignment: organization and/or service provider system owner].
|Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.
All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.
The organization requires that users log out when [FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes].
AC-2 (5) Additional FedRAMP Requirements and Guidance:
|Implement device log-out after a 15-minute period of inactivity.
Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.
|Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.
Implement Microsoft Entra Privileged Identity Management with access reviews for privileged roles in Microsoft Entra ID to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
|Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.
Create Conditional Access policies to enforce access control decisions across users and devices.
AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:
|Monitor and report customer-controlled accounts with privileged access for atypical usage.
For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.
The organization disables accounts of users posing a significant risk in [FedRAMP Assignment: one (1) hour] of discovery of the risk.
|Disable customer-controlled accounts of users that pose a significant risk in one hour.
In Microsoft Entra ID Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.
|Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.
Use Microsoft Entra entitlement management with access reviews for privileged users to verify if privileged access is required.
|AC-7 Unsuccessful Login Attempts
|Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.
Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements.
|AC-8 System Use Notification
The information system:
(b.) Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
(c.) For publicly accessible systems:
AC-8 Additional FedRAMP Requirements and Guidance:
|Display and require user acknowledgment of privacy and security notices before granting access to information systems.
|AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access].
|Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.
Currently, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session.
In addition, use the following compensating controls.
Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.
Use Privileged Identity Management to further restrict and control privileged accounts.
Configure smart account lockout for invalid sign-in attempts.
See AC-12 for more session reevaluation and risk mitigation guidance.
|AC-11 Session Lock
The information system:
(a) Prevents further access to the system by initiating a session lock after [FedRAMP Assignment: fifteen (15) minutes] of inactivity or upon receiving a request from a user; and
(b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.
|Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.
Implement device lock by using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.
|AC-12 Session Termination
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
|Automatically terminate user sessions when organizational defined conditions or trigger events occur.
Implement automatic user session reevaluation with Microsoft Entra features such as risk-based Conditional Access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.
The information system:
(a.) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
(b.) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
AC-8 Additional FedRAMP Requirements and Guidance:
|Provide a logout capability for all sessions and display an explicit logout message.
All Microsoft Entra ID surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Microsoft Entra ID, implement single sign-out.
|AC-20 Use of External Information Systems
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
(a.) Access the information system from external information systems; and
(b.) Process, store, or transmit organization-controlled information using external information systems.
|Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.
Terms and conditions