The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the user pillar. To learn more, see Securing identity with Zero Trust.
1.1 User inventory
Microsoft Entra ID is the required identity platform for Microsoft cloud services. Microsoft Entra ID is an identity provider (IdP) and governance platform that supports multicloud and hybrid identities. You can use Microsoft Entra ID to govern access to non-Microsoft clouds like Amazon Web Services (AWS), Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and more. Microsoft Entra ID uses standard identity protocols, making it a suitable IdP for software as a service (SaaS), modern web applications, desktop and mobile apps, and legacy on-premises applications.
Use Microsoft Entra ID to verify users and nonperson entities (NPE), continuously authorize access to apps and data, govern identities and their entitlements following least-privilege principles, and perform just-in-time (JIT) administration.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.1.1 Inventory User
DoD Organizations establish and update a user inventory manually if needed, preparing for automated approach in later stages. Accounts both centrally managed by an IdP/ICAM and locally on systems will be identified and inventoried. Privileged accounts will be identified for future audit and both standard and privileged user accounts local to applications and systems will be identified for future migration and/or decommission.
Outcomes:
- Identified Managed Regular Users
- Identified Managed Privileged Users
- Identified applications using their own user account management for non-administrative and administrative accounts
Microsoft Entra ID: Identify regular and privileged users in your organization using the Microsoft Entra admin center or Microsoft Graph API. User activity is captured in Microsoft Entra ID sign-in and audit logs, which can be integrated with security information and event management (SIEM) systems like Microsoft Sentinel.
- Adopt Microsoft Entra ID
- Microsoft Graph API: List Users
- Microsoft Entra activity log integration
Microsoft Entra and Azure roles: Privileged users are identities assigned to Microsoft Entra ID roles, Azure roles, or Microsoft Entra ID security groups that grant privileged access to Microsoft 365 or other applications. We recommend you use cloud-only users for privileged access.
- Built-in roles
Microsoft Defender for Cloud Apps: Use Defender for Cloud Apps to discover unapproved apps that use their own identity store.
- Discover and manage shadow IT
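The inventory step above can be automated against the Microsoft Graph list endpoints. The following is an added example, not code from the page or from Microsoft: it pages through users and role assignments, splits them into managed regular and managed privileged users (active and PIM-eligible assignments both count), and flags privileged roles held by synced or non-user principals. Graph responses are supplied by an injected `fetch(url)` function, and the sample responses are constructed.

```python
"""User inventory (DoD 1.1.1) built from Microsoft Graph list responses."""
from dataclasses import dataclass, field

# Real Microsoft Entra built-in role template IDs for two high-risk roles.
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLE_ADMINISTRATOR = "e8611ab8-c189-46e8-94e1-60213ab1f814"
PRIVILEGED_ROLE_IDS = {GLOBAL_ADMINISTRATOR, PRIVILEGED_ROLE_ADMINISTRATOR}

GRAPH = "https://graph.microsoft.com/v1.0"
USERS_URL = (f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled,"
             "onPremisesSyncEnabled,userType")
ACTIVE_URL = f"{GRAPH}/roleManagement/directory/roleAssignments"
ELIGIBLE_URL = f"{GRAPH}/roleManagement/directory/roleEligibilityScheduleInstances"


def iterate_graph(fetch, url):
    """Yield every item of a paged Graph collection, following @odata.nextLink."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


@dataclass
class Inventory:
    regular: list = field(default_factory=list)
    privileged: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def build_inventory(fetch, privileged_role_ids=frozenset(PRIVILEGED_ROLE_IDS)):
    users = {u["id"]: u for u in iterate_graph(fetch, USERS_URL)}
    # Permanent (active) and PIM-eligible assignments both confer privilege.
    privileged_principals = set()
    for url in (ACTIVE_URL, ELIGIBLE_URL):
        for a in iterate_graph(fetch, url):
            if a["roleDefinitionId"] in privileged_role_ids:
                privileged_principals.add(a["principalId"])

    inv = Inventory()
    for uid, u in users.items():
        upn = u["userPrincipalName"]
        if uid not in privileged_principals:
            inv.regular.append(upn)
            continue
        inv.privileged.append(upn)
        if u.get("onPremisesSyncEnabled"):
            inv.findings.append(f"{upn}: privileged role on a synced account; use a cloud-only account")
        if u.get("userType") == "Guest":
            inv.findings.append(f"{upn}: privileged role on a guest account")
    # Principals that are not users (role-assignable groups, service principals)
    # need their own expansion; surface them rather than silently dropping them.
    for pid in sorted(privileged_principals - set(users)):
        inv.findings.append(f"{pid}: privileged role held by a non-user principal; expand its members")
    return inv


# Constructed sample responses keyed by URL; the second user page exercises paging.
_PAGE2 = USERS_URL + "&$skiptoken=page2"
_NON_PRIV_ROLE = "00000000-0000-0000-0000-00000000ffff"  # placeholder, not a real role id
SAMPLE_RESPONSES = {
    USERS_URL: {"value": [
        {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
         "onPremisesSyncEnabled": True, "userType": "Member"},
        {"id": "u2", "userPrincipalName": "adm-bob@contoso.example", "accountEnabled": True,
         "onPremisesSyncEnabled": None, "userType": "Member"},
    ], "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [
        {"id": "u3", "userPrincipalName": "adm-carol@contoso.example", "accountEnabled": True,
         "onPremisesSyncEnabled": True, "userType": "Member"},
    ]},
    ACTIVE_URL: {"value": [
        {"principalId": "u2", "roleDefinitionId": GLOBAL_ADMINISTRATOR, "directoryScopeId": "/"},
        {"principalId": "u1", "roleDefinitionId": _NON_PRIV_ROLE, "directoryScopeId": "/"},
        {"principalId": "g-admins", "roleDefinitionId": GLOBAL_ADMINISTRATOR, "directoryScopeId": "/"},
    ]},
    ELIGIBLE_URL: {"value": [
        {"principalId": "u3", "roleDefinitionId": PRIVILEGED_ROLE_ADMINISTRATOR, "directoryScopeId": "/"},
    ]},
}


def sample_fetch(url):
    """Stand-in for an authenticated GET against Microsoft Graph."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    result = build_inventory(sample_fetch)
    print("regular:", result.regular)
    print("privileged:", result.privileged)
    print("findings:", *result.findings, sep="\n  ")
```

In a tenant, replace `sample_fetch` with an authenticated GET (for example through the Microsoft Graph SDK) and extend `PRIVILEGED_ROLE_IDS` with the other role template IDs your organization treats as privileged.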
1.2 Conditional user access
Microsoft Entra ID helps your organization implement conditional, dynamic user access. Features that support this capability include Microsoft Entra Conditional Access, Microsoft Entra ID Governance, custom roles, dynamic security groups, app roles, and custom security attributes.
Conditional Access is the real-time Zero Trust policy engine in Microsoft Entra ID. Conditional Access policies use security signals from user, device, application, session, risk, and more to apply adaptive dynamic authorization for resources protected by Microsoft Entra ID.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.2.1 Implement App Based Permissions per Enterprise
The DoD enterprise working with the Organizations establishes a basic set of user attributes for authentication and authorization. These are integrated with the "Enterprise Identity Life-Cycle Management Pt1" activity process for a complete enterprise standard. The enterprise Identity, Credential, and Access Management (ICAM) solution is enabled for self-service functionality for adding/updating attributes within the solution. Remaining Privileged Access Management (PAM) activities are fully migrated to PAM solution.
Outcomes:
- Enterprise roles/attributes needed for user authorization to application functions and/or data have been registered with enterprise ICAM
- DoD Enterprise ICAM has self-service attribute/role registration service that enables application owners to add attributes or use existing enterprise attributes
- Privileged activities are fully migrated to PAM
Microsoft Entra Connect: Establish hybrid identity with Microsoft Entra Connect to populate Microsoft Entra ID tenants with user attribute data from current directory systems.
- Microsoft Entra Connect
Microsoft Entra applications: Integrate applications with Microsoft Entra ID. Design application authorization and permissions models using security groups and app roles. To delegate app management, assign owners who can manage app configuration and register and assign app roles.
- Integrate apps with Microsoft Entra ID
- Dynamic security groups
- App roles for applications
Conditional Access: Configure Conditional Access policies for dynamic authorization to applications and services protected by Microsoft Entra ID. In Conditional Access policies, use custom security attributes and application filters to scope policies to application objects by a custom security attribute assigned to them, such as sensitivity.
- Conditional Access
- Custom security attributes
- Filter for apps
Privileged Identity Management: Use PIM Discovery and Insights to identify privileged roles and groups. Use PIM to manage discovered privileges and convert user assignments from permanent to eligible.
- PIM Discovery and Insights
Target 1.2.2 Rule Based Dynamic Access Pt1
DoD Organizations utilize the rules from the "Periodic Authentication" activity to build basic rules enabling and disabling privileges dynamically. High-risk user accounts utilize the PAM solution to move to dynamic privileged access using Just-In-Time access and Just Enough-Administration methods.
Outcomes:
- Access to application’s/service’s functions and/or data are limited to users with appropriate enterprise attributes
- All possible applications use JIT/JEA permissions for administrative users
Microsoft Entra ID: Use Microsoft Entra ID authorization and governance features to limit application access based on user attributes, role assignments, risk, and session details.
Advanced 1.2.3 Rule Based Dynamic Access Pt2
DoD Organizations expand the development of rules for dynamic access decision making accounting for risk. Solutions used for dynamic access are integrated with cross pillar Machine Learning and Artificial Intelligence functionality enabling automated rule management.
Outcomes:
- Components and services are fully utilizing rules to enable dynamic access to applications and services
- Technology utilized for Rule Based Dynamic Access supports integration with AI/ML tooling
Microsoft Entra ID Protection: Microsoft Entra ID Protection uses machine learning (ML) algorithms to detect user and sign-in risk. Use risk conditions in Conditional Access policies for dynamic access based on risk level.
- Microsoft Entra ID Protection
- Risk detections
- Risk-based access policies
Microsoft Defender XDR: Microsoft Defender XDR is an extended detection and response (XDR) solution. Deploy Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps and configure the integrations between them.
- Integrate Defender for Endpoint with Defender for Cloud Apps
Advanced 1.2.4 Enterprise Governance roles and permissions Pt1
DoD Organizations federate remaining user and group attributes as appropriate to the Enterprise Identity, Credential, and Access Management (ICAM) solution. The updated attribute set is used to create universal roles for Organizations to use. Core functions of the Identity Provider (IdP) and Identity, Credential, and Access Management (ICAM) solutions are migrated to cloud services and/or environments enabling improved resilience and performance.
Outcomes:
- Component attribute and role data repository federated with enterprise ICAM
- Cloud-based enterprise IdP can be used by cloud and on-premises applications
- Standardized set of roles and permissions are created and aligned to attributes
Microsoft Entra ID: Microsoft Entra ID is a multicloud, centrally managed identity, credential, and access management (ICAM) platform and identity provider (IdP). Establish hybrid identity with Microsoft Entra Connect to populate user data in the directory.
- Microsoft Entra ID
- Hybrid identity
Microsoft Entra applications: Integrate applications with Microsoft Entra ID and use dynamic security groups, application roles, and custom security attributes to govern access to applications.
- Manage apps
- Govern app access
Microsoft Entra application proxy: To use Microsoft Entra ID for apps that use legacy authentication protocols, deploy and configure application proxy or integrate secure hybrid access (SHA) partner solutions.
- SHA: Protect legacy apps
Advanced 1.2.5 Enterprise Governance roles and permissions Pt2
DoD Organizations move all possible functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions to cloud environments. Enclave/DDIL environments local capabilities to support disconnected functions but ultimately are managed by the centralized Identity, Credential and Access Management (ICAM) solutions. Updated roles are now mandated for usage and exceptions are reviewed following a risk-based approach.
Outcomes:
- Majority of components utilize cloud IdP functionality
- Where possible on-prem IdP is decommissioned
- Permissions and roles are mandated for usage when evaluating attributes
Microsoft Entra app provisioning: Move remaining ICAM and application provisioning processes from on-premises identity management systems to Microsoft Entra ID.
- API-driven inbound provisioning
- App provisioning
1.3 Multi-factor authentication
Microsoft Entra ID supports certificate-based authentication (CBA) including DoD Common Access Cards (CAC) and Personal Identity Verification (PIV) without federating with another IdP, for cloud and hybrid (synchronized) users. Microsoft Entra ID supports multiple industry-standard multifactor phishing-resistant passwordless authentication methods including CBA, Windows Hello for Business, FIDO2 security keys, and passkeys.
You can create Conditional Access policies to enforce authentication strength and dynamically authorize access based on user, device, and environment conditions, including risk level.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.3.1 Organizational MFA/IDP
DoD Organizations procure and implement a centralized Identity Provider (IdP) solution and Multi-Factor (MFA) solution. The IdP and MFA solution may be combined in a single application or separated as needed assuming automated integration is supported by both solutions. Both IdP and MFA support integration with the Enterprise PKI capability and enable key pairs to be signed by the trusted root certificate authorities. Mission/Task-Critical applications and services are utilizing the IdP and MFA solution for management of users and groups.
Outcomes:
- Component is using IdP with MFA for critical applications/services
- Components have implemented an Identity Provider (IdP) that enables DoD PKI multifactor authentication
- Organizational Standardized PKI for critical services
Microsoft Entra authentication methods: Configure Microsoft Entra CBA using DoD PKI. Set the global protection level to single-factor authentication. Create rules for each DoD issuing CA, or policy OID, that identify DoD PKI certificates as the multifactor authentication protection level. After configuration, users sign in to Microsoft Entra ID with a DoD CAC.
- Authentication in Microsoft Entra ID
- Microsoft Entra CBA
- Configure CBA
Staged rollout: Use a staged rollout to migrate user authentication from an on-premises federation service to Microsoft Entra CBA.
Microsoft Entra authentication strength: Create a new authentication strength named DoD CAC. Choose certificate-based authentication (multifactor). Configure advanced options and select the certificate issuers for DoD PKI.
- Authentication strength
- Custom authentication strengths
Microsoft Intune: Microsoft Entra supports two methods to use certificates on a mobile device: derived credentials (on-device certificates) and hardware security keys. To use DoD PKI-derived credentials on managed mobile devices, use Intune to deploy DISA Purebred.
- Derived credentials
- CBA on iOS devices
- CBA on Android devices
Advanced 1.3.2 Alternative Flexible MFA Pt1
DoD Organization’s Identity Provider (IdP) supports alternative methods of multi-factor authentication complying with Cyber Security requirements (e.g., FIPS 140-2, FIPS 197, etc.). Alternative tokens can be used for application-based authentication. Multi-Factor options support Biometric capability and can be managed using a self-service approach. Where possible multi-factor provider(s) is moved to cloud services instead of being hosted on-premises.
Outcomes:
- IdP provides user self-service alternative token
- IdP provides alt token MFA for approved applications per policy
Microsoft Entra authentication methods: Configure Microsoft Entra authentication methods so users can register passkeys (FIDO2 security keys). Use the optional settings to configure a key restriction policy that limits registration to keys compliant with FIPS 140-2.
- Passwordless security key sign-in
- Authentication methods
Temporary access pass: Configure a temporary access pass (TAP) so users can register alternate passwordless authenticators without a CAC.
- Configure TAP
Conditional Access: Create a Conditional Access policy that requires the DoD CAC authentication strength for security info registration. The policy requires a CAC to register other authenticators like FIDO2 security keys.
- Security info registration
See Microsoft guidance in 1.3.1.
Windows Hello for Business: Use Windows Hello for Business with a PIN or biometric gesture for Windows sign-in. Use device management policies to enroll enterprise-provided Windows devices in Windows Hello for Business.
- Windows Hello for Business
Advanced 1.3.3 Alternative Flexible MFA Pt2
Alternative tokens utilize user activity patterns from cross pillar activities such as "User Activity Monitoring (UAM) and User & Entity Behavior Analytics (UEBA)" to assist with access decision making (e.g., not grant access when pattern deviation occurs). This functionality is further extended onto Biometric enabled alternative tokens as well.
Outcome:
- User Activity Patterns Implemented
Microsoft Entra ID Protection: Microsoft Entra ID Protection uses machine learning (ML) and threat intelligence to detect risky users and sign-in events. Use the sign-in and user risk conditions to target Conditional Access policies to risk levels. Start with baseline protection that requires MFA for risky sign-ins.
- Microsoft Entra ID Protection
- Deploy Identity Protection
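The CBA rules in 1.3.1 and the DoD CAC authentication strength that 1.3.2 uses to gate registration fit together as two Microsoft Graph policy objects. The following is an added example, not code from the page or from Microsoft: it builds the x509Certificate authentication method policy (single-factor default, per-issuer and policy-OID rules that elevate to multifactor), builds the DoD CAC authentication strength with its issuer restriction, and evaluates which binding a presented certificate receives. The issuer SKIs and the policy OID are constructed placeholders, the rule `identifier` is assumed to be the issuing CA's subject key identifier, and a certificate is treated as multifactor if any rule matches it (the page does not describe rule precedence).

```python
"""Model of the Microsoft Entra CBA binding rules and the DoD CAC authentication strength."""

# Constructed placeholder SKIs; real values come from the DoD PKI CA certificates.
DOD_ID_CA_SKIS = ["a1b2c3d4e5f60718293a4b5c6d7e8f9011223344",
                  "b2c3d4e5f60718293a4b5c6d7e8f901122334455"]
PLACEHOLDER_POLICY_OID = "1.3.6.1.4.1.99999.1"  # constructed, not a real DoD policy OID

MULTI = "x509CertificateMultiFactor"
SINGLE = "x509CertificateSingleFactor"


def cba_method_policy(issuer_skis, policy_oids):
    """Body for PATCH .../authenticationMethodsPolicy/authenticationMethodConfigurations/X509Certificate."""
    rules = [{"x509CertificateRuleType": "issuerSubject", "identifier": ski,
              "x509CertificateAuthenticationMode": MULTI} for ski in issuer_skis]
    rules += [{"x509CertificateRuleType": "policyOID", "identifier": oid,
               "x509CertificateAuthenticationMode": MULTI} for oid in policy_oids]
    return {
        "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
        "id": "X509Certificate",
        "state": "enabled",
        "certificateUserBindings": [
            {"x509CertificateField": "PrincipalName", "userProperty": "certificateUserIds", "priority": 1},
        ],
        "authenticationModeConfiguration": {
            "x509CertificateAuthenticationDefaultMode": SINGLE,  # global protection level
            "rules": rules,                                       # DoD issuers/OIDs: multifactor
        },
    }


def dod_cac_strength(issuer_skis):
    """Body for POST /policies/authenticationStrengthPolicies and its combination configuration."""
    policy = {
        "@odata.type": "#microsoft.graph.authenticationStrengthPolicy",
        "displayName": "DoD CAC",
        "description": "Certificate-based multifactor authentication from DoD issuing CAs",
        "allowedCombinations": [MULTI],
    }
    combination = {  # POST to .../authenticationStrengthPolicies/{id}/combinationConfigurations
        "@odata.type": "#microsoft.graph.x509CertificateCombinationConfiguration",
        "appliesToCombinations": [MULTI],
        "allowedIssuerSkis": list(issuer_skis),
        "allowedPolicyOIDs": [],
    }
    return policy, combination


def binding_for(cert, method_policy):
    """Return the protection level a certificate earns under the binding rules."""
    modes = method_policy["authenticationModeConfiguration"]
    for rule in modes["rules"]:
        kind, ident = rule["x509CertificateRuleType"], rule["identifier"]
        if (kind == "issuerSubject" and ident == cert["issuer_ski"]) or \
           (kind == "policyOID" and ident in cert["policy_oids"]):
            return rule["x509CertificateAuthenticationMode"]
    return modes["x509CertificateAuthenticationDefaultMode"]


def satisfies_strength(cert, method_policy, strength, combination):
    """True when a sign-in with this certificate meets the authentication strength."""
    binding = binding_for(cert, method_policy)
    if binding not in strength["allowedCombinations"]:
        return False
    if binding in combination["appliesToCombinations"]:
        skis = combination["allowedIssuerSkis"]
        if skis and cert["issuer_ski"] not in skis:
            return False
        oids = combination["allowedPolicyOIDs"]
        if oids and not set(oids) & set(cert["policy_oids"]):
            return False
    return True


# Constructed sample certificates (only the fields the rules inspect).
CAC = {"issuer_ski": DOD_ID_CA_SKIS[0], "policy_oids": [PLACEHOLDER_POLICY_OID]}
CORPORATE_CERT = {"issuer_ski": "0000000000000000000000000000000000000000", "policy_oids": []}

METHOD_POLICY = cba_method_policy(DOD_ID_CA_SKIS, [PLACEHOLDER_POLICY_OID])
STRENGTH, COMBINATION = dod_cac_strength(DOD_ID_CA_SKIS)

if __name__ == "__main__":
    for name, cert in (("CAC", CAC), ("corporate", CORPORATE_CERT)):
        print(name, binding_for(cert, METHOD_POLICY),
              satisfies_strength(cert, METHOD_POLICY, STRENGTH, COMBINATION))
```

The last check shows why the strength carries its own issuer list: a certificate that matches only a policy-OID rule is multifactor under the method policy but still fails the DoD CAC strength when its issuer is not a DoD CA.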
1.4 Privileged access management
Microsoft Entra ID Governance enables PAM features including just-in-time (JIT) administration, entitlement management, and periodic access reviews. Microsoft Entra Privileged Identity Management (PIM) helps you discover how roles are assigned in your organization. Use PIM to convert permanent role assignments to JIT, customize role assignment and activation requirements, and schedule access reviews.
Conditional Access enforces authentication strength, risk level, and compliant Privileged Access Workstation (PAW) device for privileged access. Administrative actions in Microsoft Entra ID are recorded in the Microsoft Entra audit logs.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.4.1 Implement System and Migrate Privileged Users Pt1
DoD Organizations procure and implement a Privileged Access Management (PAM) solution to support all critical privileged use cases. Application/Service integration points are identified to determine status of support for the PAM solution. Applications/Services that easily integrate with PAM solution are transitioned over to using solution versus static and direct privileged permissions.
Outcomes:
- Privilege Access Management (PAM) tooling is implemented
- Applications and devices that support and don't support PAM tools identified
- Applications that support PAM, now use PAM for controlling emergency/built-in accounts
Privileged Identity Management: Deploy PIM to protect Microsoft Entra ID and Azure roles. Use PIM Discovery and Insights to identify privileged roles and groups. Use PIM to manage discovered privileges and convert user assignments from permanent to eligible.
- PIM overview
- Discovery and Insights for roles
- Azure resources
Microsoft Intune: Deploy Intune-managed PAWs for Microsoft Entra, Microsoft 365, and Azure administration.
- Privileged access strategy
Conditional Access: Use a Conditional Access policy with the compliant-device grant control to require compliant devices. To enforce PAW use, add a filter for devices condition so that only compliant PAWs satisfy the policy.
- Filters for devices
Target 1.4.2 Implement System and Migrate Privileged Users Pt2
DoD Organizations utilize the inventory of supported and unsupported Applications/Services for integration with privileged access management (PAM) solution to extend integrations. PAM is integrated with the more challenging Applications/Services to maximize PAM solution coverage. Exceptions are managed in a risk-based methodical approach with the goal of migration off and/or decommissioning Applications/Services that don't support PAM solutions.
Outcome:
- Privileged activities are migrated to PAM and access is fully managed
Privileged Identity Management: Use privileged access groups and PIM for Groups to extend just-in-time (JIT) access beyond Microsoft Entra ID and Azure. Use the security groups in Microsoft 365 and Microsoft Defender XDR, or map them to privileged role claims for non-Microsoft applications integrated with Microsoft Entra ID.
- Role-assignable groups
- Bring groups into PIM
- User and group assignments to an app
Conditional Access: Use protected actions to add another layer of protection when administrators perform actions that require highly privileged permissions in Microsoft Entra ID, for instance managing Conditional Access policies and cross-tenant access settings.
- Protected actions
Create a Conditional Access policy for users with active Microsoft Entra role membership. Require authentication strength: phishing-resistant MFA and a compliant device. Use device filters to require compliant PAWs.
- Require MFA for administrators
- Filter for devices
Advanced 1.4.3 Real Time Approvals & JIT/JEA Analytics Pt1
Identification of necessary attributes (Users, Groups, etc.) are automated and integrated into the Privileged Access Management (PAM) solution. Privilege access requests are migrated to the PAM solution for automated approvals and denials.
Outcomes:
- Identified accounts, applications, devices, and data of concern (of greatest risk to DoD mission)
- Using PAM tools, applied JIT/JEA access to high-risk accounts
- Privileged access requests are automated as appropriate
Privileged Identity Management: Identify high-risk roles in your environment such as Microsoft Entra roles, Azure roles like Owner and User Access Administrator, and privileged security groups.
- Best practices for roles
- Privileged roles
Microsoft Entra ID Governance: Use access packages to manage security groups for role eligibility. This mechanism manages eligible admins; it adds self-service requests, approvals, and access reviews for role eligibility.
- Entitlement management
Create role-assignable groups for privileged roles to configure eligibility requests and approvals. Create a catalog named Privileged Role Eligible Admins. Add the role-assignable groups as resources.
- Role-assignable groups
- Create and manage resource catalogs
Create access packages for the role-assignable groups in the Privileged Role Eligible Admins catalog. You can require approval when users request eligibility in entitlement management, require approval upon activation in PIM, or both.
- Access packages
Advanced 1.4.4 Real Time Approvals & JIT/JEA Analytics Pt2
DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with the Privileged Access Management (PAM) solution providing user pattern analytics for decision making.
Outcome:
- UEBA or similar analytics system integrated with PAM tools for JIT/JEA account approvals
Conditional Access: Define an authentication context for privileged access. Create one or more Conditional Access policies that target the privileged access authentication context. Use risk conditions in the policy and apply grant and session controls for privileged access. We recommend you require authentication strength: phishing-resistant MFA and a compliant privileged access workstation.
- Configure authentication context
See Microsoft guidance in 1.4.1.
To block privileged access when sign-in risk is high, create more Conditional Access policies that target the privileged access authentication context with a condition for high sign-in risk. Repeat this step with a policy for high user risk.
- Policy deployment
Privileged Identity Management: Configure PIM role settings to require the authentication context. This setting enforces the Conditional Access policies for the chosen authentication context upon role activation.
- Require authentication context
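The policy set described in 1.4.2 and 1.4.4 can be verified from the policy objects themselves. The following is an added example, not code from the page or from Microsoft: it lints a list of policies in the Microsoft Graph conditionalAccessPolicy shape for the four conditions the guidance calls for (phishing-resistant MFA AND compliant device for privileged roles, block on non-PAW devices, and block at high sign-in risk and high user risk for the privileged-access authentication context), and reports policies left in report-only mode. The PAW device-filter rule, the authentication context id and the sample policies are constructed assumptions; the authentication strength id and role template ids are the real built-in values.

```python
"""Lint Conditional Access policies for the privileged-access pattern."""

# Built-in "Phishing-resistant MFA" authentication strength (real well-known id).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
# Real built-in role template ids for two of the roles the page calls out as high risk.
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
}
PRIV_AUTH_CONTEXT = "c1"  # assumed id of the authentication context created for privileged access
PAW_FILTER = 'device.extensionAttribute1 -eq "PAW"'  # assumed tagging convention for PAWs


def _targets_privileged_roles(policy):
    return PRIVILEGED_ROLES <= set(policy["conditions"]["users"].get("includeRoles", []))


def _targets_context(policy, ctx):
    apps = policy["conditions"].get("applications", {})
    return ctx in apps.get("includeAuthenticationContextClassReferences", [])


def _blocks(policy):
    return policy.get("grantControls", {}).get("builtInControls") == ["block"]


def _device_filter(policy):
    return policy["conditions"].get("devices", {}).get("deviceFilter", {})


def lint_privileged_access(policies):
    """Return findings; an empty list means every check is satisfied by an enforced policy."""
    findings = [f'{p["displayName"]}: not enforced (state={p.get("state")})'
                for p in policies if p.get("state") != "enabled"]
    enforced = [p for p in policies if p.get("state") == "enabled"]

    def has(pred):
        return any(pred(p) for p in enforced)

    def strong_admin(p):
        g = p.get("grantControls", {})
        strength = (g.get("authenticationStrength") or {}).get("id")
        return (_targets_privileged_roles(p) and g.get("operator") == "AND"
                and "compliantDevice" in g.get("builtInControls", [])
                and strength == PHISHING_RESISTANT_MFA)

    def paw_only(p):
        f = _device_filter(p)
        # "exclude" filter + block: the policy applies to every device except PAWs.
        return (_targets_privileged_roles(p) and _blocks(p)
                and f.get("mode") == "exclude" and f.get("rule") == PAW_FILTER)

    def risk_block(p, field):
        return (_targets_context(p, PRIV_AUTH_CONTEXT) and _blocks(p)
                and "high" in p["conditions"].get(field, []))

    if not has(strong_admin):
        findings.append("privileged roles: no enforced policy requires phishing-resistant MFA AND compliant device")
    if not has(paw_only):
        findings.append("privileged roles: sign-in from non-PAW devices is not blocked")
    if not has(lambda p: risk_block(p, "signInRiskLevels")):
        findings.append(f"auth context {PRIV_AUTH_CONTEXT}: high sign-in risk is not blocked")
    if not has(lambda p: risk_block(p, "userRiskLevels")):
        findings.append(f"auth context {PRIV_AUTH_CONTEXT}: high user risk is not blocked")
    return findings


def sample_policies(user_risk_state="enabled"):
    """Constructed policy set (Graph conditionalAccessPolicy shape), not from a live tenant."""
    admins = {"includeRoles": sorted(PRIVILEGED_ROLES)}
    all_apps = {"includeApplications": ["All"]}
    ctx = {"includeAuthenticationContextClassReferences": [PRIV_AUTH_CONTEXT]}
    block = {"operator": "OR", "builtInControls": ["block"]}
    return [
        {"displayName": "Admins: phishing-resistant MFA and compliant device", "state": "enabled",
         "conditions": {"users": admins, "applications": all_apps},
         "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                           "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}},
        {"displayName": "Admins: block non-PAW devices", "state": "enabled",
         "conditions": {"users": admins, "applications": all_apps,
                        "devices": {"deviceFilter": {"mode": "exclude", "rule": PAW_FILTER}}},
         "grantControls": block},
        {"displayName": "Privileged context: block high sign-in risk", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"]}, "applications": ctx,
                        "signInRiskLevels": ["high"]},
         "grantControls": block},
        {"displayName": "Privileged context: block high user risk", "state": user_risk_state,
         "conditions": {"users": {"includeUsers": ["All"]}, "applications": ctx,
                        "userRiskLevels": ["high"]},
         "grantControls": block},
    ]


if __name__ == "__main__":
    print(lint_privileged_access(sample_policies("enabledForReportingButNotEnforced")))
```

Against a tenant, feed the linter the `value` array of GET /identity/conditionalAccess/policies; a report-only policy is surfaced separately because it silently satisfies none of the checks.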
1.5 Identity federation and user credentialing
Microsoft Entra ID plays a key role in identity lifecycle management (ILM). A Microsoft Entra tenant is a hyperscale cloud directory service, identity, credential and access management (ICAM) solution, and identity provider (IdP). It supports inter-directory provisioning and app provisioning to manage the lifecycle of internal users in Microsoft Entra ID and other apps.
Microsoft Entra ID Governance features help you manage the access lifecycle for entitlements like apps, Microsoft Teams, and security group membership. Entitlement management can also be used to onboard and govern external guests. You can block access and remove guest user objects when their last access package is removed. To understand how your organization can migrate ILM functions to Microsoft Entra ID, see Road to the cloud.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.5.1 Organizational Identity Life-Cycle Management
DoD Organizations establish a process for life cycle management of users both privileged and standard. Utilizing the Organizational Identity Provider (IdP) the process is implemented and followed by the maximum number of users. Any users who fall outside of the standard process are approved through risk-based exceptions to be evaluated regularly for decommission.
Outcome:
- Standardized Identity Lifecycle Process
Microsoft Entra ID Governance: Establish regular access reviews for privileged users and applications in a tenant.
- Access reviews
Target 1.5.2 Enterprise Identity Life-Cycle Management Pt1
The DoD Enterprise works with Organizations to review and align the existing Identity Lifecycle Processes, policy, and standards. A finalized agreed upon policy and supporting process are developed and followed by the DoD Organizations. Utilizing the centralized or federated Identity Provider (IdP) and Identity & Access Management (IdAM) solutions, DoD Organizations implement the Enterprise Lifecycle Management process for the maximum number of identities, groups, and permissions. Exceptions to the policy are managed in a risk based methodical approach.
Outcomes:
- Automated Identity Lifecycle Processes
- Integrated with Enterprise ICAM process and tools
Microsoft Entra ID: If your organization uses Active Directory, synchronize users to Microsoft Entra ID with Microsoft Entra Connect Sync or Microsoft Entra Connect Cloud Sync. Note: Don’t synchronize privileged Active Directory accounts to Microsoft Entra ID, and don’t assign privileged cloud roles to synchronized accounts.
- Connect Sync
- Cloud Sync
- Protect Microsoft 365 from on-premises attacks
- Reduce attack surface area
Privileged Identity Management: Manage administrative access with PIM. Establish an access review cadence for privileged Microsoft Entra and Azure roles.
- Privileged accounts
Microsoft Entra authentication methods: Use cloud-based phishing-resistant MFA methods. Set up Microsoft Entra certificate-based authentication (CBA) with DoD Common Access Cards (CACs), and require CAC sign-in to register other passwordless credentials.
Advanced 1.5.3 Enterprise Identity Life-Cycle Management Pt2
DoD Organizations further integrate the critical automation functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions following the Enterprise Lifecycle Management process to enable Enterprise automation and analytics. Identity Lifecycle Management primary processes are integrated into the cloud-based Enterprise ICAM solution.
Outcomes:
- Integration w/ Critical IDM/IDP functions
- Primary ILM functions are cloud based
Microsoft Entra ID Governance: Use entitlement management and access reviews to manage your organization’s user access lifecycles and external guest identity lifecycles.
- Entitlement management
- External user access governance
Managed identities: Use managed identities for Azure resources and workload identity federation to reduce the risk of managing application credentials.
- Managed identities
- Workload identity federation
Application management policy: Configure app management policies to control the credential types that can be added to applications in your tenant. Use the passwordAddition restriction to block new password secrets so that applications must use certificate credentials.
- App methods API
- App authentication certificate credentials
Advanced 1.5.4 Enterprise Identity Life-Cycle Management Pt3
DoD Organizations integrate remaining Identity Lifecycle Management processes with the Enterprise Identity, Credential and Access Management solution. Enclave/DDIL environments while still authorized to operate integrate with the Enterprise ICAM using local connectors to the cloud environment.
Outcomes:
- All ILM functions moved to cloud as appropriate
- Integration with all IDM/IDP functions
Microsoft Entra app provisioning: Use Microsoft Entra app provisioning to synchronize identities to SCIM, SQL, LDAP, PowerShell, and web services applications. Use the API-driven provisioning app to provision users into disparate Active Directory instances.
- Provision apps
- On-premises app provisioning
- Configure API-driven provisioning app
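The passwordAddition restriction in 1.5.3 only applies to applications created after the date set in the policy, so existing apps with password secrets still need to be found and migrated. The following is an added example, not code from the page or from Microsoft: `default_app_policy` builds the Microsoft Graph body for PATCH /policies/defaultAppManagementPolicy, and `audit_apps` walks application records to report which ones still carry password secrets and whether the cutoff date covers them. The cutoff date and the application records are constructed.

```python
"""Tenant app management policy with passwordAddition, plus an audit of remaining password secrets."""
from datetime import datetime


def parse_ts(value):
    """Parse the Graph ISO-8601 UTC timestamp form (trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def default_app_policy(cutoff_iso):
    """Block new password secrets on apps created after `cutoff_iso`; certificates stay allowed."""
    return {
        "isEnabled": True,
        "applicationRestrictions": {
            "passwordCredentials": [
                {"restrictionType": "passwordAddition",
                 "restrictForAppsCreatedAfterDateTime": cutoff_iso},
            ],
            "keyCredentials": [],
        },
    }


def audit_apps(apps, policy):
    """Return findings for apps that still authenticate with password secrets."""
    cutoff = None
    for r in policy["applicationRestrictions"]["passwordCredentials"]:
        if r["restrictionType"] == "passwordAddition":
            cutoff = parse_ts(r["restrictForAppsCreatedAfterDateTime"])
    findings = []
    for app in apps:
        secrets = app.get("passwordCredentials", [])
        if not secrets:
            continue  # certificate-only or credential-less apps need no migration
        created = parse_ts(app["createdDateTime"])
        restricted = cutoff is not None and policy["isEnabled"] and created > cutoff
        note = ("no new secrets can be added" if restricted
                else "created before the cutoff, so new secrets are still allowed")
        findings.append(f'{app["displayName"]}: {len(secrets)} password secret(s); {note}; '
                        "migrate to a certificate credential")
    return findings


# Constructed sample of GET /applications?$select=displayName,createdDateTime,passwordCredentials,keyCredentials
SAMPLE_APPS = [
    {"displayName": "legacy-reporting", "createdDateTime": "2018-05-01T00:00:00Z",
     "passwordCredentials": [{"keyId": "k1"}], "keyCredentials": []},
    {"displayName": "new-api", "createdDateTime": "2024-02-10T12:00:00Z",
     "passwordCredentials": [{"keyId": "k2"}, {"keyId": "k3"}], "keyCredentials": []},
    {"displayName": "cert-only", "createdDateTime": "2024-03-01T00:00:00Z",
     "passwordCredentials": [], "keyCredentials": [{"keyId": "k4"}]},
]
POLICY = default_app_policy("2020-01-01T00:00:00Z")  # constructed cutoff date

if __name__ == "__main__":
    print(*audit_apps(SAMPLE_APPS, POLICY), sep="\n")
```

Moving the cutoff date back, before the oldest application in the tenant, makes the restriction retroactive for every app; the audit output then lists only the migrations that remain.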
1.6 Behavioral, contextual ID, and biometrics
Microsoft Entra ID Protection helps you detect, remediate, and prevent identity threats by using machine learning (ML) and threat intelligence. This feature detects real-time risks during user sign-in and offline risks calculated over time. Risks include token anomalies, unusual sign-in properties, impossible travel, suspicious user behavior, and more.
Identity protection is integrated with Microsoft Defender XDR to show identity risks detected by other components in the Microsoft Defender product family.
Target 1.6.1 Implement User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) tooling
DoD Organizations procure and implement User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions. Initial integration point with Enterprise IdP is completed enabling future usage in decision making.
Outcome:
- UEBA and UAM functionality is implemented for Enterprise IDP
Microsoft Entra ID Protection: Deploy Microsoft Entra ID Protection to get real-time and offline risk detections for users and sign-in events. Extend identity risk detections to application identities (service principals) using Microsoft Entra Workload ID, Workload Identities Premium edition.
- Secure workload identities
- Risk-based policy for workload identities
Microsoft Defender for Endpoint: Onboard endpoints to Defender for Endpoint. Configure the integration between Defender for Endpoint and Microsoft Intune.
- Defender for Endpoint and other solutions
Microsoft Intune: Configure the integration with Defender for Endpoint and use the Defender for Endpoint machine risk score in your device compliance policy.
- Defender for Endpoint rules
Conditional Access: Create Conditional Access policies to require compliant devices. Before access is granted, the control requires a device marked as compliant in Microsoft Intune. Integration between Defender for Endpoint and Intune provides an overall picture of device health and risk level through the compliance state.
- Compliance policies to set rules for Intune managed devices
Microsoft Sentinel: Connect data sources to Sentinel and enable UEBA for audit logs, sign-in logs, Azure activity, and security events.
- Enable UEBA
- Advanced threats with UEBA
Advanced 1.6.2 User Activity Monitoring Pt1
DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with Organizational Identity Providers (IdP) for extended visibility as needed. Analytics and data generated by UEBA and UAM for critical applications and services are integrated with the Just-in-Time and Just-Enough-Access solution improving decision making further.
Outcomes:
- UEBA is integrated with Org IDPs as appropriate
- UEBA is integrated with JIT/JEA for critical services
Privileged Identity Management: Deploy PIM and onboard privileged roles. Define an authentication context for privileged access. Use risk conditions in the Conditional Access policies that target the authentication context, and configure PIM role settings to require the authentication context upon activation.
Microsoft Sentinel: Connect data sources to Sentinel and enable UEBA for audit logs, sign-in logs, Azure activity, and security events.
- Enable UEBA
- Advanced threats with UEBA
Advanced 1.6.3 User Activity Monitoring Pt2
DoD Organizations continue the analytics usage from User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions by using generated data for all monitored applications and services when decision making occurs in the Just-in-Time and Just-Enough-Access solution.
Outcome:
- UEBA/Entity Monitoring is integrated with JIT/JEA for all services
Privileged Identity Management: Use PIM for Groups to extend just-in-time (JIT) access to applications that use app roles. Assign groups managed by PIM to the privileged app roles.
- PIM for Groups
- Add app roles to an app
1.7 Least privileged access
Access to applications using Microsoft Entra ID is deny-by-default. Microsoft Entra ID Governance features like entitlement management and access reviews ensure access is time-bound, aligns to the principle of least privilege, and enforces controls for separation of duties.
Use Microsoft Entra built-in roles to assign least privilege permissions by task. Administrative Units let you scope resource-based permissions for Microsoft Entra ID users and devices.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target1.7.1 Deny User by Default Policy DoD Organizations audit internal user and group usage for permissions and revoke permissions when possible. This activity includes the revocation and/or decommission of excess permissions and access for application/service-based identities and groups. Where possible static privileged users are decommissioned or reduced permissions preparing for future rule/dynamic based access.
Outcomes: - Applications updated to deny by default to functions/data requiring specific roles/attributes for access - Reduced default permissions levels are implemented - Applications/services have reviewed/audited all privileged users and removed those users who don't need that level of access
Microsoft Entra ID Review and restrict default user and guest permissions in Microsoft Entra ID. Restrict user consent to applications and review current consent in your organization. - Default user permissions - Restrict user consent permissions
Microsoft Entra applications Access to Microsoft Entra apps is denied by default. Microsoft Entra ID verifies entitlements and applies Conditional Access policies to authorize resource access. - Integrate apps - App integration
Microsoft Entra ID Governance Use the entitlement management identity governance feature to manage identity and access lifecycles. Find automated access request workflows, access assignments, reviews, and expiration. - Entitlement management - Access reviews
Custom roles Use Microsoft Entra ID built-in roles for resource management. However, if roles don’t meet organizational needs, or to minimize privileges for your administrative users, create a custom role. Grant custom roles granular permissions to manage users, groups, devices, applications and more. - Custom roles
Microsoft Sentinel Use PIM to assign Azure roles for Sentinel access and periodically audit queries and activities. - Audit queries and activities
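The "Custom roles" guidance above says to grant custom roles only the granular permissions a task needs. The following is an added example, not code from the Microsoft page: it builds the request body for a Microsoft Entra custom role (the unifiedRoleDefinition shape sent to POST /roleManagement/directory/roleDefinitions in Microsoft Graph) from a short task list and lints it for least privilege before anything is submitted. The task names, the grouping of actions into tasks and the rejection rules are this example's own conventions; the three microsoft.directory resource actions are real Entra actions.

```python
"""
Build a Microsoft Entra custom role definition body and check it for least
privilege before submitting it. Added example; the task names and lint rules
are assumptions of this example, not a Microsoft API.
"""
import re

# Resource actions granted per task. The action strings are documented Microsoft
# Entra resource actions; grouping them into named "tasks" is this example's idea.
TASK_ACTIONS = {
    "reset-user-password": ["microsoft.directory/users/password/update"],
    "update-user-profile": ["microsoft.directory/users/basic/update"],
    "manage-group-members": ["microsoft.directory/groups/members/update"],
}

# Actions that defeat least privilege in a custom role: blanket property/task
# wildcards, or anything that lets the holder hand out role assignments.
OVERBROAD = re.compile(r"/(allTasks|allProperties)(/|$)|/roleAssignments/")


def build_custom_role(display_name, description, tasks):
    """Return the roleDefinition request body granting exactly the listed tasks."""
    actions = []
    for task in tasks:
        if task not in TASK_ACTIONS:
            raise ValueError(f"unknown task: {task}")
        actions.extend(TASK_ACTIONS[task])
    actions = list(dict.fromkeys(actions))  # de-duplicate, keep order
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": actions}],
    }


def least_privilege_findings(role):
    """Return a list of findings; an empty list means the role passes the lint."""
    findings = []
    granted = 0
    for perm in role.get("rolePermissions", []):
        for action in perm.get("allowedResourceActions", []):
            granted += 1
            if OVERBROAD.search(action):
                findings.append(f"overbroad action: {action}")
            if not action.startswith("microsoft.directory/"):
                findings.append(f"unexpected namespace: {action}")
    if granted == 0:
        findings.append("role grants no actions")
    return findings


if __name__ == "__main__":
    role = build_custom_role(
        "Helpdesk password reset",
        "Reset passwords and update basic profile fields, nothing else",
        ["reset-user-password", "update-user-profile"],
    )
    print(role["rolePermissions"][0]["allowedResourceActions"])
    print("findings:", least_privilege_findings(role))
```

Run the lint in the pipeline that creates roles, so a definition containing allProperties/allTasks never reaches the tenant; the role body itself can be posted to Graph unchanged once it passes.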
1.8 Continuous authentication
Microsoft Entra ID uses short- and long-lived tokens to authenticate users periodically to applications and services that Microsoft Entra protects. Microsoft Entra ID has the Continuous access evaluation (CAE) mechanism to improve the standard protocol. The policy engine responds to environmental changes in near-real-time and enforces adaptive access policies.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.8.1 Single Authentication DoD Organizations employ basic authentication processes to authenticate users and NPEs at least once per session (e.g., logon). Importantly, users being authenticated are managed by the parallel activity "Organizational MFA/IDP" with the Organizational Identity Provider (IdP) versus using application/service-based identities and groups.
Outcome: - Authentication Implemented across applications per session
Microsoft Entra ID Microsoft Entra ID is a centralized identity provider (IdP) that facilitates single sign-on (SSO) between Microsoft cloud applications and applications your organization uses. - Microsoft Entra ID
Single sign-on The single sign-on (SSO) authentication method allows users to use their Microsoft Entra ID credentials to authenticate to applications and services. The apps can be SaaS, custom line-of-business applications, or on-premises applications. Use Microsoft Entra authentication and Zero Trust capabilities to enable secure and easy access to applications. - What is SSO? - Microsoft Entra integrations with authentication protocols
Microsoft Entra app provisioning Microsoft Entra app provisioning creates, updates, and removes users, roles, and groups in SaaS applications, and custom or on-premises applications. Use Microsoft Entra ID as the centralized identity source for apps. Minimize application or service identities and users. - Automated provisioning - App provisioning
Microsoft Entra ID Workload Service Principals and managed identities are nonperson entity (NPE) identities in Microsoft Entra. Use Service Principals for automated (non-interactive) access to APIs protected by Microsoft Entra. - Workload identities - Service Principals in Microsoft Entra ID
Target 1.8.2 Periodic Authentication DoD Organizations enable periodic authentication requirements for applications and services. Traditionally these are based on duration and/or duration timeout, but other period-based analytics can be used to mandate re-authentication of user sessions.
Outcome: - Authentication implemented multiple times per session based on security attributes
Microsoft Entra applications Microsoft Entra applications automatically manage session refresh without user interaction.
Advanced 1.8.3 Continuous Authentication Pt1 DoD Organizations’ applications/services utilize multiple session authentications based on security attributes and access requested. Privilege changes and associational transaction requests require additional levels of authentication such as Multi-Factor Authentication (MFA) pushes to users.
Outcome: - Transaction authentication implemented per session based on security attributes
Continuous access evaluation CAE is based on an OpenID standard that improves time-based token expiration and refresh mechanisms to achieve a timelier response to policy violations. CAE requires a fresh access token in response to critical events, like a user moving from a trusted network location to one that’s untrusted. Implement CAE with client applications and the back-end service APIs. - Continuous access evaluation - Critical event evaluations
Microsoft Office applications that use Microsoft Graph API, Outlook Online API, and SharePoint Online API support CAE. Develop applications with the latest Microsoft Authentication Libraries (MSAL) to access CAE-enabled APIs. - CAE for Microsoft 365 - CAE enabled APIs in apps
Use protected actions to add another layer of protection when administrators perform actions requiring highly privileged permissions in Microsoft Entra ID, like managing Conditional Access policies and cross-tenant access settings. Protect user actions like registering security info and joining devices. - Protected actions - Target resource
Privileged Identity Management Require authentication context for PIM role activation.
Advanced 1.8.4 Continuous Authentication Pt2 DoD Organizations continue usage of transaction-based authentication to include integration such as user patterns.
Outcome: - Transaction authentication implemented per session based on security attributes, including user patterns
Microsoft Entra ID Protection When Microsoft Entra ID Protection detects anomalous, suspicious, or risky behavior, the user risk level increases. Create Conditional Access policies using risk conditions, increasing protections with risk level. - Risk detections
Continuous access evaluation Risk level increase is a critical CAE event. Services that implement CAE, for example Exchange Online API, require the client (Outlook), to re-authenticate for the next transaction. Conditional Access policies for the increased risk level are satisfied before Microsoft Entra ID issues a new access token for Exchange Online access. - Critical event evaluation
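The continuous access evaluation flow that 1.8.3 and 1.8.4 describe, seen from the client side. This is an added example and not code from the Microsoft page: a CAE-capable client declares that it can handle claims challenges, calls the resource API, and when the API rejects the token after a critical event (for example a user risk-level increase) it decodes the claims challenge from the WWW-Authenticate header and acquires a fresh token that carries those claims, so the Conditional Access policy for the new risk level is evaluated before the next transaction. Token acquisition and the API call are injected as callables so the flow runs offline; the simulated API, token strings and challenge value are constructed for the example. With MSAL for Python the real calls are PublicClientApplication(..., client_capabilities=["cp1"]) for the capability declaration and acquire_token_silent(scopes, account=account, claims_challenge=claims) for the re-acquisition.

```python
"""
Client-side handling of a CAE claims challenge. Added example; the demo API
and tokens below are constructed, not a real Microsoft service.
"""
import base64
import json
import re

CLAIMS_RE = re.compile(r'claims="([^"]+)"')


def parse_claims_challenge(www_authenticate):
    """Return the decoded claims-challenge JSON, or None if this is a plain 401."""
    if not www_authenticate or 'error="insufficient_claims"' not in www_authenticate:
        return None
    match = CLAIMS_RE.search(www_authenticate)
    if not match:
        return None
    raw = match.group(1)
    raw += "=" * (-len(raw) % 4)  # the header value may omit base64 padding
    return base64.b64decode(raw).decode("utf-8")


def call_with_cae(acquire_token, call_api, scopes, max_retries=1):
    """
    acquire_token(scopes, claims) -> access token; claims is None on first use,
        otherwise the decoded challenge (MSAL: claims_challenge=claims).
    call_api(token) -> (status_code, response_headers)
    Returns (final status, claims used for the last token or None).
    """
    claims = None
    token = acquire_token(scopes, None)
    for attempt in range(max_retries + 1):
        status, headers = call_api(token)
        if status != 401:
            return status, claims
        challenge = parse_claims_challenge(headers.get("WWW-Authenticate"))
        if challenge is None:
            return status, claims  # ordinary 401, nothing to satisfy
        claims = challenge
        if attempt == max_retries:
            break
        token = acquire_token(scopes, claims)  # token now reflects the critical event
    return status, claims


def make_demo():
    """Constructed CAE-enabled API: the first token was revoked by a critical event."""
    challenge = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
    b64 = base64.b64encode(json.dumps(challenge).encode()).decode().rstrip("=")
    header = (
        'Bearer authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
        f'error="insufficient_claims", claims="{b64}"'
    )
    issued = []  # records the claims each token request carried

    def acquire_token(scopes, claims):
        issued.append(claims)
        return "token-with-claims" if claims else "token-initial"

    def call_api(token):
        if token == "token-initial":
            return 401, {"WWW-Authenticate": header}
        return 200, {}

    return acquire_token, call_api, issued


if __name__ == "__main__":
    acquire, api, issued = make_demo()
    status, claims = call_with_cae(acquire, api, ["https://graph.microsoft.com/.default"])
    print(status, claims, issued)
```

The retry budget is deliberately small: a service that keeps answering with claims challenges after a fresh token is a policy problem to surface, not something to loop on.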
1.9 Integrated ICAM platform
Microsoft Entra ID supports certificate authentication with certificates issued by an external public key infrastructure (PKI) for user and nonperson entities (NPE). NPEs in Microsoft Entra ID are application and device identities. Microsoft Entra External ID cross-tenant access settings help multitenant organizations, like the DoD, collaborate seamlessly across tenants.
DoD Activity Description and Outcome
Microsoft guidance and recommendations
Target 1.9.1 Enterprise PKI/IDP Pt1 The DoD Enterprise works with Organizations to implement Enterprise Public Key Infrastructure (PKI) and Identity Provider (IdP) solutions in a centralized and/or federated fashion. The Enterprise PKI solution utilizes a single or set of Enterprise level Root Certificate Authorities (CA) which can then be trusted by Organizations to build Intermediate CAs off. The Identity Provider solution may either be a single solution or federated set of Organizational IdPs with standard level of access across Organizations and standardized set of attributes. Organizations’ IdPs and PKI Certificate Authorities are integrated with the Enterprise IdP and PKI solutions.
Outcomes: - Components are using IdP with MFA for all applications/services - Organizational MFA/PKI integrated with Enterprise MFA/PKI - Organizational Standardized PKI for all services
Microsoft Entra ID authentication methods Use authentication methods policy in Microsoft Entra ID to control user authentication methods. - Microsoft Entra CBA
Authentication strength Use authentication strength to control user access to resources. - Authentication strength
Microsoft Entra External ID Configure cross-tenant access for DoD Microsoft Entra ID tenants. Use trust settings to accept MFA and compliant device claims for external identities from trusted DoD tenants. - Cross-tenant access
Application management policy The tenant app management policy is a framework to implement security best practices for applications in the tenant. Use the policy to restrict application credentials to certificates issued by a trusted PKI.
To create an application management policy to require certificates issued by trusted CAs, configure restrictions to disallow passwordAddition and require trustedCertificateAuthority. Specify the trusted CA collection ID you created. - App authentication methods API
Microsoft Intune Intune supports private and public key certificates, including Public-Key Cryptography Standards (PKCS) certificates. - PKCS certificates
Advanced 1.9.2 Enterprise PKI/IDP Pt2 DoD Organizations enable Biometric support in the Identity Provider (IdP) for mission/task-critical applications and services as appropriate. Biometric functionality is moved from Organizational solutions to the enterprise. Organizational Multi-Factor (MFA) and Public Key Infrastructure (PKI) are decommissioned and migrated to the Enterprise as appropriate.
Outcomes: - Critical Organizational Services Integrated w/ Biometrics - Decommission organizational MFA/PKI as appropriate in lieu of enterprise MFA/PKI - Enterprise Biometric Functions Implemented
Microsoft Entra ID Microsoft supports biometrics in several components compatible with Microsoft Entra ID authentication.
Authentication methods Microsoft Entra ID supports hardware passkeys (FIDO2 security keys) that use presence or fingerprint. - FIDO security keys
Windows Hello for Business Windows Hello for Business uses biometric gestures like fingerprint and face scan. - Identity protection profile settings
macOS macOS devices have biometrics, like Touch ID, to sign in with a device-bound credential. - SSO plug-in for Apple devices
Advanced 1.9.3 Enterprise PKI/IDP Pt3 DoD Organizations integrate the remaining applications/services with Biometrics functionalities. Alternative Multi-Factor (MFA) tokens can be used.
Outcome: - All Organizational Services Integrate w/ Biometrics
Microsoft Entra Verified ID Decentralized identity scenarios using Verified ID can require face verification upon credential presentation. - Verified ID - Face Check
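The "Application management policy" row under 1.9.1 says to block passwordAddition and require trustedCertificateAuthority so that application credentials are limited to certificates from the trusted PKI. The following is an added example, not code from the Microsoft page: it audits a tenant app management policy document, in the shape returned by GET /policies/defaultAppManagementPolicy in Microsoft Graph, and reports which of those two restrictions are missing, beside a hardened policy that passes. The property names follow the Graph appManagementPolicy resource as documented; the two policy documents are constructed samples and the CA collection ID is a placeholder for the certificateBasedApplicationConfiguration you created. Verify the field names against the current API reference before using the policy body in production.

```python
"""
Audit a Microsoft Entra tenant app management policy for the 1.9.1
credential restrictions. Added example; both policy documents are constructed
and the CA collection ID is a placeholder.
"""

TRUSTED_CA_COLLECTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed: a tenant that never enabled the default policy.
WEAK_POLICY = {
    "displayName": "Default app management tenant policy",
    "isEnabled": False,
    "applicationRestrictions": {"passwordCredentials": [], "keyCredentials": []},
}

# Constructed: the policy the guidance asks for. restrictForAppsCreatedAfterDateTime
# left null so the restriction applies to existing apps as well as new ones.
HARDENED_POLICY = {
    "displayName": "Default app management tenant policy",
    "isEnabled": True,
    "applicationRestrictions": {
        "passwordCredentials": [
            {
                "restrictionType": "passwordAddition",
                "state": "enabled",
                "restrictForAppsCreatedAfterDateTime": None,
            }
        ],
        "keyCredentials": [
            {
                "restrictionType": "trustedCertificateAuthority",
                "state": "enabled",
                "certificateBasedApplicationConfigurationIds": [TRUSTED_CA_COLLECTION_ID],
                "restrictForAppsCreatedAfterDateTime": None,
            }
        ],
    },
}


def _active(restrictions, restriction_type):
    """Restrictions of the given type that are actually evaluated."""
    return [
        r for r in restrictions
        if r.get("restrictionType") == restriction_type
        and r.get("state", "enabled") == "enabled"
    ]


def audit_app_management_policy(policy, trusted_ca_collection_id):
    """Return findings as strings; an empty list means both restrictions are in place."""
    findings = []
    if not policy.get("isEnabled"):
        findings.append("policy is disabled: no restriction is enforced")
    restr = policy.get("applicationRestrictions") or {}
    if not _active(restr.get("passwordCredentials", []), "passwordAddition"):
        findings.append("passwordAddition not restricted: apps can still add client secrets")
    ca_rules = _active(restr.get("keyCredentials", []), "trustedCertificateAuthority")
    if not ca_rules:
        findings.append("trustedCertificateAuthority not required: self-signed certificates are accepted")
    elif not any(
        trusted_ca_collection_id in (r.get("certificateBasedApplicationConfigurationIds") or [])
        for r in ca_rules
    ):
        findings.append("trustedCertificateAuthority does not reference the expected CA collection")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_app_management_policy(policy, TRUSTED_CA_COLLECTION_ID))
```

Note that a non-null restrictForAppsCreatedAfterDateTime narrows a restriction to apps registered after that date, so existing registrations keep their secrets; the audit above does not flag that, but a tenant-wide review should.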
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy:
This module examines how Microsoft Entra Privileged Identity Management (PIM) ensures users in your organization have just the right privileges to perform the tasks they need to accomplish.