DoD Zero Trust Strategy for the user pillar
The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
Use the following links to go to sections of the guide.
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
1 User
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the user pillar. To learn more, see Securing identity with Zero Trust.
1.1 User inventory
Microsoft Entra ID is the required identity platform for Microsoft cloud services. Microsoft Entra ID is an identity provider (IdP) and governance platform to support multicloud and hybrid identities. You can use Microsoft Entra ID to govern access to non-Microsoft clouds like Amazon Web Services (AWS), Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) and more. Microsoft Entra ID uses standard identity protocols, making it a suitable IdP for software as a service (SaaS), modern web applications, desktop and mobile apps, also legacy on-premises applications.
Use Microsoft Entra ID to verify users and nonperson entities (NPE), continuously authorize access to apps and data, govern identities and their entitlements following least-privilege principles, and perform just-in-time (JIT) administration.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.1.1 Inventory UserDoD Organizations establish and update a user inventory manually if needed, preparing for automated approach in later stages. Accounts both centrally managed by an IdP/ICAM and locally on systems will be identified and inventoried. Privileged accounts will be identified for future audit and both standard and privileged user accounts local to applications and systems will be identified for future migration and/or decommission. Outcomes:- Identified Managed Regular Users- Identified Managed Privileged Users- Identified applications using their own user account management for non-administrative and administrative accounts |
Microsoft Entra IDIdentify regular and privileged users in your organization using the Microsoft Entra admin center or Microsoft Graph API. User activity is captured in Microsoft Entra ID sign-in and audit logs, which can be integrated with security information event monitoring (SIEM) systems like Microsoft Sentinel.- Adopt Microsoft Entra ID- Microsoft Graph API: List Users- Microsoft Entra activity log integrationMicrosoft Entra and Azure rolesPrivileged users are identities assigned to Microsoft Entra ID roles, Azure roles, or Microsoft Entra ID security groups that grant privileged access to Microsoft 365, or other applications. We recommend you use cloud-only users for privileged access.- Built-in rolesMicrosoft Defender for Cloud AppsUse Defender for Cloud Apps to discover unapproved apps using their own identity store.- Discover and manage shadow ITMicrosoft Defender for IdentityDeploy and configure Microsoft Defender for Identity sensors to build an identity asset inventory for on-premises Active Directory Domain Services environments.- Microsoft Defender for Identity overview- Deploy Microsoft Defender for Identity- Investigate assets |
1.2 Conditional user access
Microsoft Entra ID helps your organization implement conditional, dynamic user access. Features that support this capability include Microsoft Entra Conditional Access, Microsoft Entra ID Governance, custom roles, dynamic security groups, app roles, and custom security attributes.
Conditional Access is the real-time Zero Trust policy engine in Microsoft Entra ID. Conditional Access policies use security signals from user, device, application, session, risk, and more to apply adaptive dynamic authorization for resources protected by Microsoft Entra ID.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.2.1 Implement App Based Permissions per EnterpriseThe DoD enterprise working with the Organizations establishes a basic set of user attributes for authentication and authorization. These are integrated with the "Enterprise Identity Life-Cycle Management Pt1" activity process for a complete enterprise standard. The enterprise Identity, Credential, and Access Management (ICAM) solution is enabled for self-service functionality for adding/updating attributes within the solution. Remaining Privileged Access Management (PAM) activities are fully migrated to PAM solution. Outcomes:- Enterprise roles/attributes needed for user authorization to application functions and/or data have been registered with enterprise ICAM- DoD Enterprise ICAM has self-service attribute/role registration service that enables application owners to add attributes or use existing enterprise attributes- Privileged activities are fully migrated to PAM |
Microsoft Entra ConnectEstablish hybrid identity with Microsoft Entra Connect to populate Microsoft Entra ID tenants with user attribute data from current directory systems.- Microsoft Entra ConnectMicrosoft Entra applicationsIntegrate applications with Microsoft Entra ID. Design application authorization and permissions models using security groups, and app roles. To delegate app management, assign owners to manage app configuration, also register, and assign app roles.- Integrate apps with Microsoft Entra ID- Dynamic security groups- App roles for applicationsMicrosoft Entra ID GovernanceConfigure access packages in entitlement management so users can request access to application roles or groups.- Govern access to apps- Delegate access package governanceConditional AccessConfigure Conditional Access policies for dynamic authorization to applications and services protected by Microsoft Entra ID. In Conditional Access policies, use custom security attributes and application filters to scope security attribute authorization assigned to application objects, such as sensitivity.- Conditional Access- Custom security attributes- Filter for appsPrivileged Identity ManagementUse PIM Discovery and Insights to identify privileged roles and groups. Use PIM to manage discovered privileges and convert user assignments from permanent to eligible.- PIM Discovery and Insights |
Target 1.2.2 Rule Based Dynamic Access Pt1DoD Organizations utilize the rules from the "Periodic Authentication" activity to build basic rules enabling and disabling privileges dynamically. High-risk user accounts utilize the PAM solution to move to dynamic privileged access using Just-In-Time access and Just Enough-Administration methods. Outcomes:- Access to application’s/service’s functions and/or data are limited to users with appropriate enterprise attributes- All possible applications use JIT/JEA permissions for administrative users |
Microsoft Entra IDUse Microsoft Entra ID authorization and governance features to limit application access based on user attributes, role assignments, risk, and session details.See Microsoft guidance in 1.2.1.Privileged Identity ManagementUse PIM for Microsoft Entra and Azure roles. Extend PIM to other Microsoft Entra ID applications with PIM for Groups.- PIM for Microsoft Entra roles- PIM for Azure roles- PIM for Groups |
Advanced 1.2.3 Rule Based Dynamic Access Pt2DoD Organizations expand the development of rules for dynamic access decision making accounting for risk. Solutions used for dynamic access are integrated with cross pillar Machine Learning and Artificial Intelligence functionality enabling automated rule management. Outcomes:- Components and services are fully utilizing rules to enable dynamic access to applications and services- Technology utilized for Rule Based Dynamic Access supports integration with AI/ML tooling |
Microsoft Entra ID ProtectionMicrosoft Entra ID Protection uses machine learning (ML) algorithms to detect users and sign-in risk. Use risk conditions in Conditional Access policies for dynamic access, based on risk level.- Microsoft Entra ID Protection- Risk detections- Risk-based access policiesMicrosoft Defender XDRMicrosoft Defender XDR is an extended detection and response (XDR) solution. Deploy Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps and configure integrations.- Integrate Defender for Endpoint with Defender for Cloud Apps |
Advanced 1.2.4 Enterprise Governance roles and permissions Pt1DoD Organizations federate remaining user and group attributes as appropriate to the Enterprise Identity, Credential, and Access Management (ICAM) solution. The updated attribute set is used to create universal roles for Organizations to use. Core functions of the Identity Provider (IdP) and Identity, Credential, and Access Management (ICAM) solutions are migrated to cloud services and/or environments enabling improved resilience and performance. Outcomes:- Component attribute and role data repository federated with enterprise ICAM- Cloud-based enterprise IdP can be used by cloud and on-premises applications- Standardized set of roles and permissions are created and aligned to attributes |
Microsoft Entra IDMicrosoft Entra ID is a multicloud centrally managed identity, credential, and access management (ICAM) platform and identity provider (IdP). Establish hybrid identity with Microsoft Entra Connect to populate user data in the directory.- Microsoft Entra ID- Hybrid identityMicrosoft Entra applicationsIntegrate applications with Microsoft Entra ID and use dynamic security groups, application roles, and custom security attributes to govern access to applications.- Manage apps- Govern app accessMicrosoft Entra application proxyTo use Microsoft Entra ID for apps that use legacy authentication protocols, deploy and configure application proxy or integrate secure hybrid access (SHA) partner solutions.- SHA: Protect legacy apps |
Advanced 1.2.5 Enterprise Governance roles and permissions Pt2DoD Organizations move all possible functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions to cloud environments. Enclave/DDIL environments local capabilities to support disconnected functions but ultimately are managed by the centralized Identity, Credential and Access Management (ICAM) solutions. Updated roles are now mandated for usage and exceptions are reviewed following a risk-based approach. Outcomes:- Majority of components utilize cloud IdP functionality Where possible on-prem IdP is decommissioned- Permissions and roles are mandated for usage when evaluating attributes |
Microsoft Entra applicationsMigrate modern applications from Active Directory Federation Services (AD FS) to Microsoft Entra ID and then decommission AD FS infrastructure.- Migrate app authentication from AD FS to Microsoft Entra IDMicrosoft Entra app provisioningMove remaining ICAM and application provisioning processes from on-premises identity management systems to Microsoft Entra ID.- API-driven inbound provisioning- App provisioning |
1.3 Multi-factor authentication
Microsoft Entra ID supports certificate-based authentication (CBA) including DoD Common Access Cards (CAC) and Personal Identity Verification (PIV) without federating with another IdP, for cloud and hybrid (synchronized) users. Microsoft Entra ID supports multiple industry-standard multifactor phishing-resistant passwordless authentication methods including CBA, Windows Hello for Business, FIDO2 security keys, and passkeys.
You can create Conditional Access policies to enforce authentication strength and dynamically authorize access based on user, device, and environment conditions, including risk level.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.3.1 Organizational MFA/IDPDoD Organizations procure and implement a centralized Identity Provider (IdP) solution and Multi-Factor (MFA) solution. The IdP and MFA solution may be combined in a single application or separated as needed assuming automated integration is supported by both solutions. Both IdP and MFA support integration with the Enterprise PKI capability and enable key pairs to be signed by the trusted root certificate authorities. Mission/Task-Critical applications and services are utilizing the IdP and MFA solution for management of users and groups. Outcomes: - Component is using IdP with MFA for critical applications/services- Components have implemented an Identity Provider (IdP) that enables DoD PKI multifactor authentication- Organizational Standardized PKI for critical services |
Microsoft Entra authentication methodsConfigure Microsoft Entra CBA using DoD PKI. Set the global protection level to single-factor authentication. Create rules for each DoD issuing CA, or Policy OID, to identify DoD PKI as multi-factor authentication protection level. After configuration, users sign into Microsoft Entra with a DoD CAC.- Authentication in Microsoft Entra ID- Microsoft Entra CBA- Configure CBAStaged rolloutUse a staged rollout to migrate user authentication from an on-premises federation service to Microsoft Entra CBA.See Microsoft guidance in 1.2.4.Microsoft Entra authentication strengthCreate a new authentication strength named DoD CAC. Choose certificate-based authentication (multifactor). Configure advanced options and select certificate issuers for DoD PKI.- Authentication strength- Custom authentication strengthsMicrosoft IntuneMicrosoft Entra supports two methods to use certificates on a mobile device: derived credentials (on-device certificates), and hardware security keys. To use DoD PKI-derived credentials on managed mobile devices, use Intune to deploy DISA Purebred.- Derived credentials - CBA on iOS devices - CBA on Android devices |
Advanced 1.3.2 Alternative Flexible MFA Pt1DoD Organization’s Identity Provider (IdP) supports alternative methods of multi-factor authentication complying with Cyber Security requirements (e.g., FIPS 140-2, FIPS 197, etc.). Alternative tokens can be used for application-based authentication. Multi-Factor options support Biometric capability and can be managed using a self-service approach. Where possible multi-factor provider(s) is moved to cloud services instead of being hosted on-premises. Outcomes:- IdP provides user self-service alternative token- IdP provides alt token MFA for approved applications per policy |
Microsoft Entra authentication methodsConfigure Microsoft Entra authentication methods for users to register passkeys (FIDO2 security keys). Use optional settings to configure a key restriction policy for keys compliant with FIPS 140-2. - Passwordless security key sign-in - Authentication methodsTemporary access passConfigure a temporary access pass (TAP) for users to register alternate passwordless authenticators without a CAC. - Configure TAPConditional AccessCreate a Conditional Access policy to require authentication strength: DoD CAC for security info registration. The policy requires CAC to register other authenticators like FIDO2 security keys. - Security info registrationSee Microsoft guidance in 1.3.1. Windows Hello for BusinessUse Windows Hello for Business with a PIN or biometric gesture for Windows sign-in. Use device management policies for Windows Hello for Business enrollment for enterprise-provided Windows devices. - Windows Hello for Business |
Advanced 1.3.3 Alternative Flexible MFA Pt2Alternative tokens utilize user activity patterns from cross pillar activities such as "User Activity Monitoring (UAM) and User & Entity Behavior Analytics (UEBA)" to assist with access decision making (e.g., not grant access when pattern deviation occurs). This functionality is further extended onto Biometric enabled alternative tokens as well. Outcome:- User Activity Patterns Implemented |
Microsoft Entra ID ProtectionMicrosoft Entra ID Protection uses machine learning (ML) and threat intelligence to detect risky users and sign-in events. Use the sign-in and user risk conditions to target Conditional Access policies to risk levels. Start with baseline protection requiring MFA for risky sign-ins. - Microsoft Entra ID Protection - Deploy Identity ProtectionConditional AccessCreate a set of risk-based Conditional Access policies that use grant and session controls to require stronger protection as risk increases. - Configure and enable risk policies - Conditional Access: Session - Conditional Access: Grant Risk-based Conditional Access policy examples: Medium sign-in risk - Require authentication strength: phishing-resistant MFA - Require compliant device - Sign-in frequency: 1 hour High sign-in risk - Require authentication strength: phishing-resistant MFA - Require compliant device - Sign-in frequency: every time High user risk - Require authentication strength: phishing-resistant MFA - Require compliant device - Sign-in frequency: every timeMicrosoft SentinelConfigure a Sentinel analytics rule and playbook to create an incident for Entra ID Protection alerts when user risk is high. - Microsoft Entra ID Protection connector for Sentinel - User:revokeSignInSessions |
1.4 Privileged access management
Microsoft Entra ID Governance enables PAM features including just-in-time (JIT) administration, entitlement management, and periodic access reviews. Microsoft Entra Privileged Identity Management (PIM) helps you discover how roles are assigned in your organization. Use PIM to convert permanent role assignments JIT, customize role assignment and activation requirements, also schedule access reviews.
Conditional Access enforces authentication strength, risk level, and compliant Privileged Access Workstation (PAW) device for privileged access. Administrative actions in Microsoft Entra ID are recorded in the Microsoft Entra audit logs.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target1.4.1 Implement System and Migrate Privileged Users Pt1DoD Organizations procure and implement a Privileged Access Management (PAM) solution to support all critical privileged use cases. Application/Service integration points are identified to determine status of support for the PAM solution. Applications/Services that easily integrate with PAM solution are transitioned over to using solution versus static and direct privileged permissions. Outcomes: - Privilege Access Management (PAM) tooling is implemented - Applications and devices that support and don't support PAM tools identified - Applications that support PAM, now use PAM for controlling emergency/built-in accounts |
Privileged Identity Management Deploy PIM to protect Microsoft Entra ID and Azure roles. Use PIM Discovery and Insights to identify privileged roles and groups. Use PIM to manage discovered privileges and convert user assignments from permanent to eligible. - PIM overview - Discovery and Insights for roles - Azure resources Microsoft Intune Deploy Intune-managed PAW for Microsoft Entra, Microsoft 365, and Azure administration. - Privileged access strategy Conditional Access Use Conditional Access policy to require compliant devices. To enforce PAW, use device filters in the Conditional Access compliant-device grant control. - Filters for devices |
Target 1.4.2 Implement System and Migrate Privileged Users Pt2DoD Organizations utilize the inventory of supported and unsupported Applications/Services for integration with privileged access management (PAM) solution to extend integrations. PAM is integrated with the more challenging Applications/Services to maximize PAM solution coverage. Exceptions are managed in a risk-based methodical approach with the goal of migration off and/or decommissioning Applications/Services that don't support PAM solutions. Outcome: - Privileged activities are migrated to PAM and access is fully managed |
Privileged Identity ManagementUse privilege access groups and PIM for Groups to extend just-in-time (JIT) access beyond Microsoft Entra ID and Azure. Use the security groups in Microsoft 365, Microsoft Defender XDR, or mapped to privileged role claims for non-Microsoft applications integrated with Microsoft Entra ID. - Role-assignable groups - Bring groups into PIM - User and group assignements to an app Conditional AccessUse protected actions to add another layer of protection when administrators perform actions requiring highly privileged permissions in Microsoft Entra ID. For instance, manage Conditional Access policies and cross-tenant access settings. - Protected actions Create a Conditional Access policy for users with active Microsoft Entra role membership. Require authentication strength: phishing resistant MFA and compliant device. Use device filters to require compliant PAWs. - Require MFA for administrators - Filter for devices |
Advanced 1.4.3 Real Time Approvals & JIT/JEA Analytics Pt1Identification of necessary attributes (Users, Groups, etc.) are automated and integrated into the Privileged Access Management (PAM) solution. Privilege access requests are migrated to the PAM solution for automated approvals and denials. Outcomes: - Identified accounts, applications, devices, and data of concern (of greatest risk to DoD mission) - Using PAM tools, applied JIT/JEA access to high-risk accounts - Privileged access requests are automated as appropriate |
Privileged Identity MangementIdentify high-risk roles in your environment such as Microsoft Entra roles, Azure roles like Owner and User Access Administrator, also privileged security groups. - Best practices for roles - Privileged roles Configure PIM role settings to require approval. - Azure resource role settings - Microsoft Entra role settings - PIM for Groups settings Microsoft Entra ID Governance Use access packages to manage security groups for role eligibility. This mechanism manages eligible admins; it adds self-service requests, approvals, and access reviews for role eligibility. - Entitlement mangement Create role-assignable groups for privileged roles to configure eligibility requests and approvals. Create a catalog named Privileged Role Eligible Admins. Add role-assignable groups as resources. - Role-assignable groups - Create and manage resource catalogs Create access packages for role-assignable groups in the Privileged Role Eligible Admins catalog. You can require approval when users request eligibility in entitlement management, require approval upon activation in PIM, or both. - Access packages |
Advanced 1.4.4 Real Time Approvals & JIT/JEA Analytics Pt2DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with the Privileged Access Management (PAM) solution providing user pattern analytics for decision making. Outcome: - UEBA or similar analytics system integrated with PAM tools for JIT/JEA account approvals |
Conditional Access Define an authentication context for privileged access. Create one or more Conditional Access policies that target the privileged access authentication context. Use risk conditions in the policy and apply grant and session controls for privileged access. We recommend you require authentication strength: phishing-resistant MFA, compliant privileged access workstation. - Configure authentication context See Microsoft guidance in 1.4.1. To block privileged access when sign-in risk is high, create more Conditional Access policies that target privileged access authentication context with a condition for high sign-in risk. Repeat this step with a policy for high user risk. - Policy deployment Privileged Identity Management Configure PIM role settings to require authentication context. This setting enforces Conditional Access policies for the chosen authentication context upon role activation. - Require authentication context |
1.5 Identity federation and user credentialing
Microsoft Entra ID plays a key role in identity lifecycle management (ILM). A Microsoft Entra tenant is a hyperscale cloud directory service, identity, credential and access management (ICAM) solution, and identity provider (IdP). It supports inter-directory provisioning and app provisioning to manage the lifecycle of internal users in Microsoft Entra ID and other apps.
Microsoft Entra ID Governance features help you manage the access lifecycle for entitlements like apps, Microsoft Teams, and security group membership. Entitlement management can also be used to onboard and govern external guests. You can block access and remove guest user objects when their last access package is removed. To understand how your organization can migrate ILM functions to Microsoft Entra ID, see Road to the cloud.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.5.1 Organizational Identity Life-Cycle ManagementDoD Organizations establish a process for life cycle management of users both privileged and standard. Utilizing the Organizational Identity Provider (IdP) the process is implemented and followed by the maximum number of users. Any users who fall outside of the standard process are approved through risk-based exceptions to be evaluated regularly for decommission. Outcome: - Standardized Identity Lifecycle Process |
Microsoft Entra IDStandardize account lifecycle for identities, including users, administrators, external users, and application identities (Service Principals).- Identity lifecycle management - Identity and access management opsMicrosoft Entra ID GovernanceEstablish regular access reviews for privileged users and applications in a tenant.- Access reviews |
Target 1.5.2 Enterprise Identity Life-Cycle Management Pt1The DoD Enterprise works with Organizations to review and align the existing Identity Lifecycle Processes, policy, and standards. A finalized agreed upon policy and supporting process are developed and followed by the DoD Organizations. Utilizing the centralized or federated Identity Provider (IdP) and Identity & Access Management (IdAM) solutions, DoD Organizations implement the Enterprise Lifecycle Management process for the maximum number of identities, groups, and permissions. Exceptions to the policy are managed in a risk based methodical approach. Outcomes:- Automated Identity Lifecycle Processes- Integrated with Enterprise ICAM process and tools |
Microsoft Entra IDIf your organization uses Active Directory, synchronize users to Microsoft Entra ID with Microsoft Entra Connect Sync or Microsoft Entra Connect Cloud Sync. Note: Don’t synchronize privileged Active Directory accounts, or assign privileged cloud roles, to synchronized accounts.- Connect Sync- Cloud Sync- Protect Microsoft 365 from on-premises attacks- Reduce attack surface areaPrivileged Identity Management Manage administrative access with PIM. Establish an access review cadence for privileged Microsoft Entra and Azure roles.- Privileged accountsMicrosoft Entra authentication methodsUse cloud-based phishing-resistant MFA methods. Set up Microsoft Entra certificate-based authentication (CBA) with DoD Common Access Cards (CACs) to register other passwordless credentials.See Microsoft guidance in 1.3.2. |
Advanced 1.5.3 Enterprise Identity Life-Cycle Management Pt2DoD Organizations further integrate the critical automation functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions following the Enterprise Lifecycle Management process to enable Enterprise automation and analytics. Identity Lifecycle Management primary processes are integrated into the cloud-based Enterprise ICAM solution. Outcomes:- Integration w/ Critical IDM/IDP functions- Primary ILM functions are cloud based |
Microsoft Entra ID GovernanceUse entitlement management and access reviews to manage your organization’s user access lifecycles and external guest identity lifecycles. - Entitlement management- External user access governanceManaged identitiesUse managed identities for Azure resources and Workload ID federation to reduce the risk of managing application credentials.- Managed identities- Workload identity federationApplication management policyConfigure app management policies to control the credential types added to applications in your tenant. Use the passwordAddition restriction to require certificate credentials for applications.- App methods API- App authentication certificate credentials |
Advanced 1.5.4 Enterprise Identity Life-Cycle Management Pt3DoD Organizations integrate remaining Identity Lifecycle Management processes with the Enterprise Identity, Credential and Access Management solution. Enclave/DDIL environments while still authorized to operate integrate with the Enterprise ICAM using local connectors to the cloud environment. Outcomes:- All ILM functions moved to cloud as appropriate- Integration with all IDM/IDP functions |
Microsoft Entra app provisioningUse Microsoft Entra app provisioning to synchronize identities to SCIM, SQL, LDAP, PowerShell, and web services applications. Use the API-driven app to provision users into disparate Active Directory instances.- Provision apps- On-premises app provisioning- Configure API-driven provisioning app |
1.6 Behavioral, contextual ID, and biometrics
Microsoft Entra ID Protection helps you detect, remediate, and prevent identity threats by using machine learning (ML) and threat intelligence. This feature detects real-time risks during user sign-in and offline risks calculated over time. Risks include token anomalies, unusual sign-in properties, impossible travel, suspicious user behavior, and more.
Identity protection is integrated with Microsoft Defender XDR to show identity risks detected by other components in the Microsoft Defender product family.
To learn more, see What are risk detections?
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.6.1 Implement User & Entity Behavior Analytics(UEBA) and User Activity Monitoring (UAM) tooling DoD Organizations procure and implement User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions. Initial integration point with Enterprise IdP is completed enabling future usage in decision making. Outcome:- UEBA and UAM functionality is implemented for Enterprise IDP |
Microsoft Entra ID ProtectionDeploy Microsoft Entra ID Protection to get real-time and offline risk detentions for users and sign-in events. Extend identity risk detections to application identities (Service Principals) using Microsoft Entra Workload ID, Workload Identities Premium edition.- Secure workload identities- Risk-based policy for workload identitiesSee Microsoft guidance in 1.3.3.Microsoft Defender for Cloud AppsDeploy Defender for Cloud Apps and configure integrations with Microsoft Defender for Endpoint and external solutions. Configure anomaly detection policies in Defender for Cloud Apps.- Integrate Defender for Endpoint with Defender for Cloud Apps- External solution integrations- Detect suspicious user activity with UEBAMicrosoft Defender for EndpointOnboard endpoints to Defender for Endpoint. Configure integrations between Defender for Endpoint and Microsoft Intune.- Defender for Endpoint and other solutionsMicrosoft IntuneConfigure integrations with Defender for Endpoint and use Defender for Endpoint machine risk score in your device compliance policy.- Defender for Endpoint rulesConditional AccessCreate Conditional Access policies to require compliant devices. Before access is granted, the control requires a device marked as compliant in Microsoft Intune. Integration between Defender for Endpoint and Intune provides an overall picture of device health and risk level based on the compliance state.- Compliance policies to set rules for Inune managed devicesMicrosoft SentinelConnect data sources to Sentinel and enable UEBA for audit logs, sign-in logs, Azure activity, and security events.- Enable UEBA- Advanced threats with UEBA |
Advanced 1.6.2 User Activity Monitoring Pt1DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with Organizational Identity Providers (IdP) for extended visibility as needed. Analytics and data generated by UEBA and UAM for critical applications and services are integrated with the Just-in-Time and Just-Enough-Access solution improving decision making further. Outcomes: - UEBA is integrated with Org IDPs as appropriate- UEBA is integrated with JIT/JEA for critical services |
Privileged Identity ManagementDeploy PIM and onboard privileged roles. Define authentication context for privileged access. Use risk conditions in the authentication context and configure PIM role settings to require authentication context upon activation.See Microsoft guidance in 1.4.4.Microsoft SentinelConnect data sources to Sentinel and enable UEBA for audit logs, sign in logs, Azure activity, and security events.- Enable UEBA- Advanced threats with UEBAMicrosoft Defender for Cloud AppsMonitor and control sessions to cloud applications with Defender for Cloud Apps.- Protect apps with App Control- Session policies- Investigate risky users |
Advanced 1.6.3 User Activity Monitoring Pt2DoD Organizations continue the analytics usage from User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions by using generated data for all monitored applications and services when decision making occurs in the Just-in-Time and Just-Enough-Access solution. Outcome:- UEBA/Entity Monitoring is integrated with JIT/JEA for all services |
Privileged Identity ManagementUse PIM for Groups to extend just-in-time (JIT) access to applications using app roles. Assign groups, managed by PIM, to the privileged app roles.- PIM for Groups- Add app roles to an app |
1.7 Least privileged access
Access to applications using Microsoft Entra ID is deny-by-default. Microsoft Entra ID Governance features like entitlement management and access reviews ensure access is time-bound, aligns to the principle of least privilege, and enforces controls for separation of duties.
Use Microsoft Entra built-in roles to assign least privilege permissions by task. Administrative Units let you scope resource-based permissions for Microsoft Entra ID users and devices.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.7.1 Deny User by Default PolicyDoD Organizations audit internal user and group usage for permissions and revoke permissions when possible. This activity includes the revocation and/or decommission of excess permissions and access for application/service-based identities and groups. Where possible static privileged users are decommissioned or reduced permissions preparing for future rule/dynamic based access. Outcomes:- Applications updated to deny by default to functions/data requiring specific roles/attributes for access- Reduced default permissions levels are implemented- Applications/services have reviewed/audited all privileged users and removed those users who don't need that level of access |
Microsoft Entra IDReview and restrict default user and guest permissions in Microsoft Entra ID. Restrict user consent to applications and review current consent in your organization.- Default user permissions- Restrict user consent permissionsMicrosoft Entra applicationsAccess to Microsoft Entra apps is denied by default. Microsoft Entra ID verifies entitlements and applies Conditional Access policies to authorize resource access.- Integrate apps- App integrationMicrosoft Entra ID GovernanceUse the entitlement management identity governance feature to manage identity and access lifecycles. Find automated access request workflows, access assignments, reviews, and expiration.- Entitlement management- Access reviewsCustom rolesUse Microsoft Entra ID built-in roles for resource management. However, if roles don’t meet organizational needs, or to minimize privileges for your administrative users, create a custom role. Grant custom roles granular permissions to manage users, groups, devices, applications and more.- Custom rolesAdministrative unitsAn administrative unit is a Microsoft Entra resource that contains other Microsoft Entra resources, such as users, groups, or devices. Use administrative units to delegate permissions to a subset of administrators, based on organizational structure.- Administrative units- Restricted management administrative units- Create or delete administrative unitsPrivileged Identity MangementUse PIM Discovery and Insights to manage privileges and reduce the number of administrators. Configure PIM alerts when privileged roles are assigned outside PIM.- Privileged access for hybrid and cloud- Security alerts for Microsoft Entra roles- Security alerts for Azure rolesMicrosoft Defender for Cloud AppsReview permissions granted to applications. Investigate risky OAuth applications in Defender for Cloud Apps.- Review permissions granted to apps- Investigate risky OAuth appsMicrosoft SentinelUse PIM to assign Azure roles for Sentinel access and periodically audit queries and activities.- Audit queries and activities |
1.8 Continuous authentication
Microsoft Entra ID uses short- and long-lived tokens to authenticate users periodically to applications and services that Microsoft Entra protects. Microsoft Entra ID has the Continuous access evaluation (CAE) mechanism to improve the standard protocol. The policy engine responds to environmental changes in near-real-time and enforces adaptive access policies.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.8.1 Single AuthenticationDoD Organizations employ basic authentication processes to authenticate users and NPEs at least once per session (e.g., logon). Importantly users being authenticated are managed by the parallel activity "Organizational MFA/IDP" with the Organizational Identity Provider (IdP) versus using application/service-based identities and groups. Outcome:- Authentication Implemented across applications per session |
Microsoft Entra IDMicrosoft Entra ID is a centralized identity provider (IdP) that facilitates single sign-on (SSO) between Microsoft cloud applications and applications your organization uses.- Microsoft Entra IDSingle sign-onThe single sign-on (SSO) authentication method allows users to use their Microsoft Entra ID credentials to authenticate applications and services. The apps can be SaaS, custom line-of-business applications, or on-premises applications. Use Microsoft Entra authentication and Zero Trust capabilities to enable secure and easy access to applications.- What is SSO?- Microsoft Entra integrations with authentication protocolsMicrosoft Entra app provisioningMicrosoft Entra app provisioning creates, updates, and removes user, roles, and groups in SaaS applications, and custom or on-premises applications. Use Microsoft Entra ID as the centralized identity source for apps. Minimize application or service identities and users.- Automated provisioning- App provisioningMicrosoft Entra ID WorkloadService Principals and managed identities are nonperson entity (NPE) identities in Microsoft Entra. Use Service Principals for automated (non-interactive) access to APIs protected by Microsoft Entra.- Workload identities- Service Principals in Microsoft Entra ID |
Target 1.8.2 Periodic AuthenticationDoD Organizations enable period authentication requirements for applications and services. Traditionally these are based on duration and/or duration timeout but other period-based analytics can be used to mandate re-authentication of user sessions. Outcome:- Authentication implemented multiple times per session based on security attributes |
Microsoft Entra applicationsMicrosoft Entra applications automatically manage session refresh without user interaction.See Microsoft guidance in 1.8.1.Conditional AccessConfigure the sign-in frequency session control in Conditional Access to re-authenticate user sessions. Use the feature when sign-ins are risky, or a user device is unmanaged or non-compliant.- Configure authentication session management- Access policies in Defender for Cloud Apps |
Advanced 1.8.3 Continuous Authentication Pt1DoD Organizations’ applications/service utilize multiple session authentications based on security attributes and access requested. Privilege changes and associational transaction requests required additional levels of authentication such as Multi-Factor Authentication (MFA) pushes to users. Outcome:- Transaction authentication implemented per session based on security attributes |
Continuous access evaluationCAE is based on an OpenID standard that improves time-based token expiration and refresh mechanisms to achieve a timelier response to policy violations. CAE requires a fresh access token in response to critical events, like a user moving from a trusted network location to one that’s untrusted. Implement CAE with client applications and the back-end service APIs.- Continuous access evaluation- Critical event evaluationsMicrosoft Office applications that use Microsoft Graph API, Outlook Online API, and SharePoint Online API support CAE. Develop applications with the latest Microsoft Authentication Libraries (MSAL) to access CAE-enabled APIs.- CAE for Microsoft 365- CAE enabled APIs in appsConditional AccessDefine and use Conditional Access authentication context to protect sensitive SharePoint sites, Microsoft Teams, Microsoft Defender for Cloud Apps protected applications, PIM role activation, and custom applications.- Authentication context- Policy for SharePoint sites and OneDrive- Session policies in Defender for Cloud Apps- Require authentication context for PIM roles- Authentication context guidanceUse protected actions to add another layer of protection when administrators perform actions requiring highly privileged permissions in Microsoft Entra ID, like manage Conditional Access policies and cross-tenant access settings. Protect user actions like registering security info and joining devices.- Protected actions- Target resourcePrivileged Identity ManagementRequire authentication context for PIM role activation.See Microsoft guidance in 1.4.4. |
Advanced1.8.4 Continuous Authentication Pt2DoD Organizations continue usage of transaction-based authentication to include integration such as user patterns. Outcome:- Transaction authentication implemented per session based on security attributes, including user patterns |
Microsoft Entra ID ProtectionWhen Microsoft Entra ID Protection detects anomalous, suspicious, or risky behavior, the user risk level increases. Create Conditional Access policies using risk conditions, increasing protections with risk level.- Risk detectionsSee Microsoft guidance in 1.3.3.Continuous access evaluationRisk level increase is a critical CAE event. Services that implement CAE, for example Exchange Online API, require the client (Outlook), to re-authenticate for the next transaction. Conditional Access policies for the increased risk level are satisfied before Microsoft Entra ID issues a new access token for Exchange Online access.- Critical event evaluation |
1.9 Integrated ICAM platform
Microsoft Entra ID supports certificate authentication with certificates issued by an external public key infrastructure (PKI) for user and nonperson entities (NPE). NPEs in Microsoft Entra ID are application and device identities. Microsoft Entra External ID cross-tenant access settings help multitenant organizations, like the DoD, collaborate seamlessly across tenants.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
Target 1.9.1 Enterprise PKI/IDP Pt1The DoD Enterprise works with Organizations to implement Enterprise Public Key Infrastructure (PKI) and Identity Provider (IdP) solutions in a centralized and/or federated fashion. The Enterprise PKI solution utilizes a single or set of Enterprise level Root Certificate Authorities (CA) which can then be trusted by Organizations to build Intermediate CA’s off. The Identity Provider solution may either be a single solution or federated set of Organizational IdPs with standard level of access across Organizations and standardized set of attributes. Organizations’ IdPs and PKI Certificated Authorities are integrated with the Enterprise IdP and PKI solutions. Outcomes:- Components are using IdP with MFA for all applications/services- Organizational MFA/PKI integrated with Enterprise MFA/PKI- Organizational Standardized PKI for all services |
Microsoft Entra ID authentication methodsUse authentication methods policy in Microsoft Entra ID to control user authentication methods.- Microsoft Entra CBASee Microsoft guidance in 1.3.1.Authentication strengthUse authentication strength to control user access to resources.- Authentication strengthMicrosoft Entra External IDConfigure cross-tenant access for DoD Microsoft Entra ID tenants. Use trust settings to accept MFA and compliant device claims for external identities from trusted DoD tenants.- Cross-tenant accessApplication management policyThe tenant app management policy is a framework to implement security best practices for applications in the tenant. Use the policy to restrict application credentials to certificates issued by a trusted PKI.To create a certificate chain of trust, add a new certificate authority (CA) collection to intermediate and root CA certificates for your enterprise PKI.- certificateBasedApplicationConfiguration resource typeTo create an application management policy to require certificates issued by trusted CAs, configure restrictions to disallow passwordAddition and require trustedCertificateauthority. Specify the trusted CA collection ID you created.- App authentication methods APIMicrosoft IntuneIntune supports private and public-key cryptography standards (PKCS) certificates.- PKCS certificates |
Advanced 1.9.2 Enterprise PKI/IDP Pt2DoD Organizations enable Biometric support in the Identity Provider (IdP) for mission/task-critical applications and services as appropriate. Biometric functionality is moved from Organizational solutions to the enterprise. Organizational Multi-Factor (MFA) and Public Key Infrastructure (PKI) is decommissioned and migrated to the Enterprise as appropriate. Outcomes:- Critical Organizational Services Integrated w/ Biometrics- Decommission organizational MFA/PKI as appropriate in lieu of enterprise MFA/PKI- Enterprise Biometric Functions Implemented |
Microsoft Entra IDMicrosoft supports biometrics in several components compatible with Microsoft Entra ID authentication.Authentication methodsMicrosoft Entra ID supports hardware passkeys (FIDO2 security keys) that use presence or fingerprint.- FIDO security keysWindows Hello for BusinessWindows Hello for Business uses biometric gestures like fingerprint and face scan.- Identity protection profile settingsMacOSMacOS devices have biometrics, like Touch ID, to sign in with a device-bound credential.- SSO plug-in for Apple devicesMicrosoft AuthenticatorMobile devices and Authenticator use touch and face for passwordless authentication. Passkey support is another phishing-resistant authentication method in Authenticator.- Authenticator- Passwordless sign-in- Enhanced phishing-resistant authentication |
Advanced 1.9.3 Enterprise PKI/IDP Pt3DoD Organizations integrate the remaining applications/services with Biometrics functionalities. Alternative Multi-Factor (MFA) tokens can be used. Outcome:- All Organizational Services Integrate w/ Biometrics |
Microsoft Entra Verified IDDecentralized identity scenarios using Verified ID can require face verification upon credential presentation. - Verfied ID- Face Check |
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for