Configure identity access controls to meet FedRAMP High Impact level

Article
10/23/2023

Access control is a major part of achieving a Federal Risk and Authorization Management Program (FedRAMP) High Impact level to operate.

The following list of controls and control enhancements in the access control (AC) family might require configuration in your Microsoft Entra tenant.

Control family	Description
AC-2	Account management
AC-6	Least privilege
AC-7	Unsuccessful logon attempts
AC-8	System use notification
AC-10	Concurrent session control
AC-11	Session lock
AC-12	Session termination
AC-20	Use of external information systems

Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.

Configurations

FedRAMP Control ID and description	Microsoft Entra guidance and recommendations
AC-2 ACCOUNT MANAGEMENT The Organization (a.) Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; (b.) Assigns account managers for information system accounts; (c.) Establishes conditions for group and role membership; (d.) Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; (e.) Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; (f.) Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; (g.) Monitors the use of information system accounts; (h.) Notifies account managers: (1.) When accounts are no longer required; (2.) When users are terminated or transferred; and (3.) When individual information system usage or need-to-know changes; (i.) Authorizes access to the information system based on: (1.) A valid access authorization; (2.) Intended system usage; and (3.) Other attributes as required by the organization or associated missions/business functions; (j.) Reviews accounts for compliance with account management requirements [FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; and (k.) Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.	Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access. Use Microsoft Entra ID to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Microsoft Entra audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts. Provision accounts Plan cloud HR application to Microsoft Entra user provisioning Microsoft Entra Connect Sync: Understand and customize synchronization Add or delete users using Microsoft Entra ID Monitor accounts Audit activity reports in the Microsoft Entra admin center Connect Microsoft Entra data to Microsoft Sentinel Tutorial: Stream logs to an Azure event hub Review accounts What is Microsoft Entra entitlement management? Create an access review of an access package in Microsoft Entra entitlement management Review access of an access package in Microsoft Entra entitlement management Resources Administrator role permissions in Microsoft Entra ID Dynamic Groups in Microsoft Entra ID
AC-2(1) The organization employs automated mechanisms to support the management of information system accounts.	Employ automated mechanisms to support management of customer-controlled accounts. Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Microsoft Entra ID to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs. Provision Plan cloud HR application to Microsoft Entra user provisioning Microsoft Entra Connect Sync: Understand and customize synchronization What is automated SaaS app user provisioning in Microsoft Entra ID? SaaS app integration tutorials for use with Microsoft Entra ID Monitor and audit Investigate risk Audit activity reports in the Microsoft Entra admin center What is Microsoft Sentinel? Microsoft Sentinel: Connect data from Microsoft Entra ID Tutorial: Stream Microsoft Entra logs to an Azure event hub
AC-2(2) The information system automatically [FedRAMP Selection: disables] temporary and emergency accounts after [FedRAMP Assignment: 24 hours from last use]. AC-02(3) The information system automatically disables inactive accounts after [FedRAMP Assignment: thirty-five (35) days for user accounts]. AC-2 (3) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.	Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity. Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell to take action on accounts in the required time frame. Determine inactivity Manage inactive user accounts in Microsoft Entra ID Manage stale devices in Microsoft Entra ID Remove or disable accounts Working with users in Microsoft Graph Get a user Update user Delete a user Work with devices in Microsoft Graph Get device Update device Delete device See, Microsoft Graph PowerShell documentation Get-MgUser Update-MgUser Get-MgDevice Update-MgDevice
AC-2(4) The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [FedRAMP Assignment: organization and/or service provider system owner].	Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts. All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification. Audit Audit activity reports in the Microsoft Entra admin center Microsoft Sentinel: Connect data from Microsoft Entra ID Notification What is Microsoft Sentinel? Tutorial: Stream Microsoft Entra logs to an Azure event hub
AC-2(5) The organization requires that users log out when [FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes]. AC-2 (5) Additional FedRAMP Requirements and Guidance: Guidance: Should use a shorter timeframe than AC-12	Implement device log-out after a 15-minute period of inactivity. Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate. Conditional Access Require device to be marked as compliant User sign-in frequency MDM policy Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock (Android, iOS, Windows 10).
AC-2(7) The organization: (a.) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [FedRAMP Assignment: disables/revokes access within an organization-specified timeframe] when privileged role assignments are no longer appropriate.	Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate. Implement Microsoft Entra Privileged Identity Management with access reviews for privileged roles in Microsoft Entra ID to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring. Administer What is Microsoft Entra Privileged Identity Management? Activation maximum duration Monitor Create an access review of Microsoft Entra roles in Privileged Identity Management View audit history for Microsoft Entra roles in Privileged Identity Management Audit activity reports in the Microsoft Entra admin center What is Microsoft Sentinel? Connect data from Microsoft Entra ID Tutorial: Stream Microsoft Entra logs to an Azure event hub
AC-2(11) The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].	Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances. Create Conditional Access policies to enforce access control decisions across users and devices. Conditional Access Create a Conditional Access policy What is Conditional Access?
AC-2(12) The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization]. AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.	Monitor and report customer-controlled accounts with privileged access for atypical usage. For help with monitoring of atypical usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions. ID Protection What is Microsoft Entra ID Protection? Investigate risk Microsoft Entra ID Protection notifications Monitor accounts What is Microsoft Sentinel? Audit activity reports in the Microsoft Entra admin center Connect Microsoft Entra data to Microsoft Sentinel Tutorial: Stream logs to an Azure event hub
AC-2(13) The organization disables accounts of users posing a significant risk in [FedRAMP Assignment: one (1) hour] of discovery of the risk.	Disable customer-controlled accounts of users that pose a significant risk in one hour. In Microsoft Entra ID Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts. ID Protection What is Microsoft Entra ID Protection? Conditional Access What is Conditional Access? Create a Conditional Access policy Conditional Access: User risk-based Conditional Access Conditional Access: Sign-in risk-based Conditional Access Self-remediation with risk policy
AC-6(7) The organization: (a.) Reviews [FedRAMP Assignment: at a minimum, annually] the privileges assigned to [FedRAMP Assignment: all users with privileges] to validate the need for such privileges; and (b.) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.	Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements. Use Microsoft Entra entitlement management with access reviews for privileged users to verify if privileged access is required. Access reviews What is Microsoft Entra entitlement management? Create an access review of Microsoft Entra roles in Privileged Identity Management Review access of an access package in Microsoft Entra entitlement management
AC-7 Unsuccessful Login Attempts The organization: (a.) Enforces a limit of [FedRAMP Assignment: not more than three (3)] consecutive invalid logon attempts by a user during a [FedRAMP Assignment: fifteen (15) minutes]; and (b.) Automatically [Selection: locks the account/node for a [FedRAMP Assignment: minimum of three (3) hours or until unlocked by an administrator]; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.	Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator. Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. Smart lockout Protect user accounts from attacks with Microsoft Entra smart lockout Manage Microsoft Entra smart lockout values
AC-8 System Use Notification The information system: (a.) Displays to users [Assignment: organization-defined system use notification message or banner (FedRAMP Assignment: see additional Requirements and Guidance)] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (1.) Users are accessing a U.S. Government information system; (2.) Information system usage may be monitored, recorded, and subject to audit; (3.) Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and (4.) Use of the information system indicates consent to monitoring and recording; (b.) Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and (c.) For publicly accessible systems: (1.) Displays system use information [Assignment: organization-defined conditions (FedRAMP Assignment: see additional Requirements and Guidance)], before granting further access; (2.) Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (3.) Includes a description of the authorized uses of the system. AC-8 Additional FedRAMP Requirements and Guidance: Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.	Display and require user acknowledgment of privacy and security notices before granting access to information systems. With Microsoft Entra ID, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via Conditional Access policies. Terms of use Microsoft Entra terms of use View report of who has accepted and declined
AC-10 Concurrent Session Control The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access].	Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access. Currently, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. In addition, use the following compensating controls. Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. Use Privileged Identity Management to further restrict and control privileged accounts. Configure smart account lockout for invalid sign-in attempts. Implementation guidance Zero trust Securing identity with Zero Trust Continuous access evaluation in Microsoft Entra ID Conditional Access What is Conditional Access in Microsoft Entra ID? Require device to be marked as compliant User sign-in frequency Device policies Other smart card Group Policy settings and registry keys Microsoft Endpoint Manager overview Resources What is Microsoft Entra Privileged Identity Management? Protect user accounts from attacks with Microsoft Entra smart lockout See AC-12 for more session reevaluation and risk mitigation guidance.
AC-11 Session Lock The information system: (a) Prevents further access to the system by initiating a session lock after [FedRAMP Assignment: fifteen (15) minutes] of inactivity or upon receiving a request from a user; and (b) Retains the session lock until the user reestablishes access using established identification and authentication procedures. AC-11(1) The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.	Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated. Implement device lock by using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate. Conditional Access Require device to be marked as compliant User sign-in frequency MDM policy Configure devices for maximum minutes of inactivity until the screen locks (Android, iOS, Windows 10).
AC-12 Session Termination The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].	Automatically terminate user sessions when organizational defined conditions or trigger events occur. Implement automatic user session reevaluation with Microsoft Entra features such as risk-based Conditional Access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11. Resources Sign-in risk-based Conditional Access User risk-based Conditional Access Continuous access evaluation
AC-12(1) The information system: (a.) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and (b.) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. AC-8 Additional FedRAMP Requirements and Guidance: Guidance: Testing for logout functionality (OTG-SESS-006) Testing for logout functionality	Provide a logout capability for all sessions and display an explicit logout message. All Microsoft Entra ID surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Microsoft Entra ID, implement single sign-out. Logout capability When the user selects Sign-out everywhere, all current issued tokens are revoked. Display message Microsoft Entra ID automatically displays a message after user-initiated logout. Resources View and search your recent sign-in activity from the My Sign-Ins page Single Sign-Out SAML Protocol
AC-20 Use of External Information Systems The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: (a.) Access the information system from external information systems; and (b.) Process, store, or transmit organization-controlled information using external information systems. AC-20(1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a.) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or (b.) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.	Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks. Require terms of use acceptance for authorized users who access resources from external systems. Implement Conditional Access policies to restrict access from external systems. Conditional Access policies might be integrated with Defender for Cloud Apps to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices. Terms and conditions Terms of use: Microsoft Entra ID Conditional Access Require device to be marked as compliant Conditions in Conditional Access policy: Device state (preview) Protect with Microsoft Defender for Cloud Apps Conditional Access App Control Location condition in Microsoft Entra Conditional Access MDM What is Microsoft Intune? What is Defender for Cloud Apps? What is app management in Microsoft Intune? Resource Integrate on-premises apps with Defender for Cloud Apps

FedRAMP Control ID and description

Microsoft Entra guidance and recommendations

AC-2 ACCOUNT MANAGEMENT

The Organization
(a.) Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

(b.) Assigns account managers for information system accounts;

(c.) Establishes conditions for group and role membership;

(d.) Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

(e.) Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

(f.) Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

(g.) Monitors the use of information system accounts;

(h.) Notifies account managers:
(1.) When accounts are no longer required;
(2.) When users are terminated or transferred; and
(3.) When individual information system usage or need-to-know changes;

(i.) Authorizes access to the information system based on:
(1.) A valid access authorization;
(2.) Intended system usage; and
(3.) Other attributes as required by the organization or associated missions/business functions;

(j.) Reviews accounts for compliance with account management requirements [FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; and

(k.) Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.

Use Microsoft Entra ID to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Microsoft Entra audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts.

Provision accounts

Plan cloud HR application to Microsoft Entra user provisioning

Microsoft Entra Connect Sync: Understand and customize synchronization

Add or delete users using Microsoft Entra ID

Monitor accounts

Audit activity reports in the Microsoft Entra admin center

Connect Microsoft Entra data to Microsoft Sentinel

Tutorial: Stream logs to an Azure event hub

Review accounts

What is Microsoft Entra entitlement management?

Create an access review of an access package in Microsoft Entra entitlement management

Review access of an access package in Microsoft Entra entitlement management

Resources

Administrator role permissions in Microsoft Entra ID

Dynamic Groups in Microsoft Entra ID

AC-2(1)
The organization employs automated mechanisms to support the management of information system accounts.

Employ automated mechanisms to support management of customer-controlled accounts.

Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Microsoft Entra ID to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.

Provision

Plan cloud HR application to Microsoft Entra user provisioning

Microsoft Entra Connect Sync: Understand and customize synchronization

What is automated SaaS app user provisioning in Microsoft Entra ID?

SaaS app integration tutorials for use with Microsoft Entra ID

Monitor and audit

Investigate risk

Audit activity reports in the Microsoft Entra admin center

What is Microsoft Sentinel?

Microsoft Sentinel: Connect data from Microsoft Entra ID

Tutorial: Stream Microsoft Entra logs to an Azure event hub

AC-2(2)
The information system automatically [FedRAMP Selection: disables] temporary and emergency accounts after [FedRAMP Assignment: 24 hours from last use].

AC-02(3)
The information system automatically disables inactive accounts after [FedRAMP Assignment: thirty-five (35) days for user accounts].

AC-2 (3) Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.

Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell to take action on accounts in the required time frame.

Determine inactivity

Manage inactive user accounts in Microsoft Entra ID

Manage stale devices in Microsoft Entra ID

Remove or disable accounts

Working with users in Microsoft Graph

Get a user

Update user

Delete a user

Work with devices in Microsoft Graph

Get device

Update device

Delete device

See, Microsoft Graph PowerShell documentation

AC-2(4)
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [FedRAMP Assignment: organization and/or service provider system owner].

Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.

All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.

Audit

Audit activity reports in the Microsoft Entra admin center

Microsoft Sentinel: Connect data from Microsoft Entra ID

Notification

What is Microsoft Sentinel?

Tutorial: Stream Microsoft Entra logs to an Azure event hub

AC-2(5)
The organization requires that users log out when [FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes].

AC-2 (5) Additional FedRAMP Requirements and Guidance:
Guidance: Should use a shorter timeframe than AC-12

Implement device log-out after a 15-minute period of inactivity.

Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.

Conditional Access

Require device to be marked as compliant

User sign-in frequency

MDM policy

Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock (Android, iOS, Windows 10).

AC-2(7)

The organization:
(a.) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [FedRAMP Assignment: disables/revokes access within an organization-specified timeframe] when privileged role assignments are no longer appropriate.

Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.

Implement Microsoft Entra Privileged Identity Management with access reviews for privileged roles in Microsoft Entra ID to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.

Administer

What is Microsoft Entra Privileged Identity Management?

Activation maximum duration

Monitor

Create an access review of Microsoft Entra roles in Privileged Identity Management

View audit history for Microsoft Entra roles in Privileged Identity Management

Audit activity reports in the Microsoft Entra admin center

What is Microsoft Sentinel?

Connect data from Microsoft Entra ID

Tutorial: Stream Microsoft Entra logs to an Azure event hub

AC-2(11)
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].

Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.

Create Conditional Access policies to enforce access control decisions across users and devices.

Conditional Access

Create a Conditional Access policy

What is Conditional Access?

AC-2(12)

The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization].

AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:
Required for privileged accounts.

Monitor and report customer-controlled accounts with privileged access for atypical usage.

For help with monitoring of atypical usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.

ID Protection

What is Microsoft Entra ID Protection?

Investigate risk

Microsoft Entra ID Protection notifications

Monitor accounts

What is Microsoft Sentinel?

Audit activity reports in the Microsoft Entra admin center

Connect Microsoft Entra data to Microsoft Sentinel

Tutorial: Stream logs to an Azure event hub

AC-2(13)
The organization disables accounts of users posing a significant risk in [FedRAMP Assignment: one (1) hour] of discovery of the risk.

Disable customer-controlled accounts of users that pose a significant risk in one hour.

In Microsoft Entra ID Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.

ID Protection

What is Microsoft Entra ID Protection?

Conditional Access

What is Conditional Access?

Create a Conditional Access policy

Conditional Access: User risk-based Conditional Access

Conditional Access: Sign-in risk-based Conditional Access

Self-remediation with risk policy

AC-6(7)

The organization:
(a.) Reviews [FedRAMP Assignment: at a minimum, annually] the privileges assigned to [FedRAMP Assignment: all users with privileges] to validate the need for such privileges; and
(b.) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.

Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.

Use Microsoft Entra entitlement management with access reviews for privileged users to verify if privileged access is required.

Access reviews

What is Microsoft Entra entitlement management?

Create an access review of Microsoft Entra roles in Privileged Identity Management

Review access of an access package in Microsoft Entra entitlement management

AC-7 Unsuccessful Login Attempts

The organization:
(a.) Enforces a limit of [FedRAMP Assignment: not more than three (3)] consecutive invalid logon attempts by a user during a [FedRAMP Assignment: fifteen (15) minutes]; and
(b.) Automatically [Selection: locks the account/node for a [FedRAMP Assignment: minimum of three (3) hours or until unlocked by an administrator]; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.

Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements.

Smart lockout

Protect user accounts from attacks with Microsoft Entra smart lockout

Manage Microsoft Entra smart lockout values

AC-8 System Use Notification

The information system:
(a.) Displays to users [Assignment: organization-defined system use notification message or banner (FedRAMP Assignment: see additional Requirements and Guidance)] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
(1.) Users are accessing a U.S. Government information system;
(2.) Information system usage may be monitored, recorded, and subject to audit;
(3.) Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
(4.) Use of the information system indicates consent to monitoring and recording;

(b.) Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

(c.) For publicly accessible systems:
(1.) Displays system use information [Assignment: organization-defined conditions (FedRAMP Assignment: see additional Requirements and Guidance)], before granting further access;
(2.) Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
(3.) Includes a description of the authorized uses of the system.

AC-8 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

Display and require user acknowledgment of privacy and security notices before granting access to information systems.

With Microsoft Entra ID, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via Conditional Access policies.

Microsoft Entra terms of use

View report of who has accepted and declined

AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access].

Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.

Currently, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session.

In addition, use the following compensating controls.

Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.

Use Privileged Identity Management to further restrict and control privileged accounts.

Configure smart account lockout for invalid sign-in attempts.

Implementation guidance

Zero trust

Securing identity with Zero Trust

Continuous access evaluation in Microsoft Entra ID

Conditional Access

What is Conditional Access in Microsoft Entra ID?

Require device to be marked as compliant

User sign-in frequency

Device policies

Other smart card Group Policy settings and registry keys

Microsoft Endpoint Manager overview

Resources

What is Microsoft Entra Privileged Identity Management?

Protect user accounts from attacks with Microsoft Entra smart lockout

See AC-12 for more session reevaluation and risk mitigation guidance.

AC-11 Session Lock
The information system:
(a) Prevents further access to the system by initiating a session lock after [FedRAMP Assignment: fifteen (15) minutes] of inactivity or upon receiving a request from a user; and
(b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-11(1)
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.

Implement device lock by using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.

Conditional Access

Require device to be marked as compliant

User sign-in frequency

MDM policy

Configure devices for maximum minutes of inactivity until the screen locks (Android, iOS, Windows 10).

AC-12 Session Termination
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Automatically terminate user sessions when organizational defined conditions or trigger events occur.

Implement automatic user session reevaluation with Microsoft Entra features such as risk-based Conditional Access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.

Resources

Sign-in risk-based Conditional Access

User risk-based Conditional Access

Continuous access evaluation

AC-12(1)
The information system:
(a.) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
(b.) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

AC-8 Additional FedRAMP Requirements and Guidance:
Guidance: Testing for logout functionality (OTG-SESS-006) Testing for logout functionality

Provide a logout capability for all sessions and display an explicit logout message.

All Microsoft Entra ID surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Microsoft Entra ID, implement single sign-out.

Logout capability

When the user selects Sign-out everywhere, all current issued tokens are revoked.

Display message
Microsoft Entra ID automatically displays a message after user-initiated logout.

Screenshot that shows an access control message.

Resources

View and search your recent sign-in activity from the My Sign-Ins page

Single Sign-Out SAML Protocol

AC-20 Use of External Information Systems
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
(a.) Access the information system from external information systems; and
(b.) Process, store, or transmit organization-controlled information using external information systems.

AC-20(1)
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a.) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b.) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.

Require terms of use acceptance for authorized users who access resources from external systems. Implement Conditional Access policies to restrict access from external systems. Conditional Access policies might be integrated with Defender for Cloud Apps to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices.

Terms and conditions

Conditional Access

Require device to be marked as compliant

Conditions in Conditional Access policy: Device state (preview)

Protect with Microsoft Defender for Cloud Apps Conditional Access App Control

Location condition in Microsoft Entra Conditional Access

MDM

What is Microsoft Intune?

What is Defender for Cloud Apps?

What is app management in Microsoft Intune?

Resource

Integrate on-premises apps with Defender for Cloud Apps