Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Microsoft Entra ID Security Technical Implementation Guide

V1R0.1 · · · Released 15 Nov 2024 · 12 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Sort by
b
Microsoft Entra ID must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-270200 - SV-270200r1045496_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
ENTR-ID-000030
Vuln IDs
  • V-270200
Rule IDs
  • SV-270200r1045496_rule
Session locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Session locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the Session lock (e.g., via a Bluetooth-enabled Session or dongle). User-initiated Session locking is behavior or policy-based and, as such, requires users to take physical action to initiate the Session lock. Session locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
Checks: C-74233r1045494_chk

To verify the inactivity timeout is configured for 15 minutes or less, follow the steps outlined below: 1. Sign in to entra.microsoft.com (or .us for a GCCH or DOD tenant). 2. Navigate to Settings >> Domains. 3. Search for "Idle Session Timeout". If the inactivity timeout is not set to 15 minutes or less, this is a finding.

Fix: F-74134r1045495_fix

Sign into entra.microsoft.com. 1. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy tab >> Idle Session Timeout. 2. Select the check box to enable "Turn on to set the period of inactivity". 3. Select custom option, then enter "15". 4. Click "Save".

b
Microsoft Entra ID must automatically disable accounts after a 35-day period of account inactivity.
AC-2 - Medium - CCI-000017 - V-270204 - SV-270204r1045497_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000017
Version
ENTR-ID-000090
Vuln IDs
  • V-270204
Rule IDs
  • SV-270204r1045497_rule
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality. This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. Satisfies: SRG-APP-000025, SRG-APP-000163
Checks: C-74237r1043891_chk

Account authentication is managed by Entra ID. Use the following procedure to discover inactive user accounts in Entra ID (35+ days) via the use of the Graph PowerShell SDK. Installation instructions: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0. Required roles: At least Global Reader Required tenant license: Entra ID Premium P1 Example PowerShell commands: Connect-MgGraph -Scopes AuditLog.Read.All,User.Read.All -Environment USGov $inactiveDate = (Get-Date).AddDays(-35) $users = Get-MgUser -All:$true -Property Id, DisplayName, UserPrincipalName, UserType, createdDateTime, SignInActivity, AccountEnabled | Where-Object { $_.AccountEnabled -eq $true } $inactiveUsers = $users | Where-Object { ($_.SignInActivity.LastSignInDateTime -lt $inactiveDate) -or ($_.SignInActivity.LastSignInDateTime -eq $null -and $_.CreatedDateTime -lt $inactiveDate) } | Select-Object DisplayName, UserPrincipalName, UserType, createdDateTime, @{Name = 'LastSignInDateTime'; Expression = {($_.SignInActivity).LastSignInDateTime}}, Id | Sort-Object LastSignInDateTime $inactiveUsers | Format-Table -AutoSize If accounts are not disabled after a 35-day period of account inactivity, this is a finding. References: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/get-mguser?view=graph-powershell-1.0 https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties https://learn.microsoft.com/en-us/graph/api/resources/signinactivity?view=graph-rest-1.0#properties For any PowerShell scripts that are Graph, note Graph end points differ depending on where the tenant is located. - For commercial tenants, graph endpoints are graph.microsoft.com. - For GCC High tenants (IL4), graph endpoints are graph.microsoft.us. - For DOD tenants (IL5), graph endpoints are dod-graph.microsoft.us.

Fix: F-74138r1043892_fix

Sign in to the Microsoft Entra admin center as at least a Reports Reader. Browse to Identity >> Users >> All users. Select a user from the list. In the "My Feed" area of the user's Overview, locate the Sign-ins tile. Authentication is managed by Entra ID. Use the following procedure to disable inactive user accounts in Entra ID via the use of the Graph PowerShell SDK. Installation instructions: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0 Required roles: Global Administrator Install the Microsoft Graph PowerShell SDK. Install-Module Microsoft.Graph -Scope CurrentUser Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "SignInActivity.Read.All" # Set the inactivity threshold (in days) $inactivityThreshold = 35 # Get the current date $currentDate = Get-Date # Get all users and their last sign-in activity $users = Get-MgUser -All -Property "DisplayName", "SignInActivity" # Filter for inactive users $inactiveUsers = $users | Where-Object { $_.SignInActivity.LastSignInDateTime -lt ($currentDate.AddDays(-$inactivityThreshold)) } # Disable inactive users foreach ($user in $inactiveUsers) { Set-MgUser -UserId $user.Id -AccountEnabled $false Write-Host "Disabled user: $($user.DisplayName)" } References: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/update-mguser?view=graph-powershell-1.0 https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http For any PowerShell scripts that are Graph, note Graph end points differ depending on where the tenant is located. - For commercial tenants, graph endpoints are graph.microsoft.com. - For GCC High tenants (IL4), graph endpoints are graph.microsoft.us. - For DOD tenants (IL5), graph endpoints are dod-graph.microsoft.us.

b
Microsoft Entra ID must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
AC-7 - Medium - CCI-000044 - V-270208 - SV-270208r1045521_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
ENTR-ID-000140
Vuln IDs
  • V-270208
Rule IDs
  • SV-270208r1045521_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-74241r1045498_chk

Verify Entra ID is configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Browse to Security >> Security Center >> Authentication methods >> Password protection. 3. Verify the Lockout Threshold has been set to "3" and Lockout duration is set to "900" or more. If Entra ID is not configured to enforce the limit of three consecutive invalid logon attempts with a lockout period of 15 minutes, this is a finding.

Fix: F-74142r1045521_fix

To configure account lockout settings, complete these steps: Required procedure: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout 1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator. 2. Browse to Protection >> Authentication methods >> Password protection. 3. Set the Lockout threshold to "3". The default is 10 for Azure Public tenants and 3 for Azure U.S. Government tenants. 4. Set the Lockout duration in seconds, to the length in seconds of each lockout. The default is 900 seconds (15 minutes). Note: If the first sign-in after a lockout period has expired fails, the account locks out again. If an account locks repeatedly, the lockout duration increases. ================================ This can be viewed in the Entra ID audit logs. 1. Log in to the Entra ID tenant with GA permissions. 2. Scroll down to the Monitoring section and select "Audit Logs". 3. All events related to user creation, modification, etc. will be displayed.

b
Microsoft Entra ID must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application.
AC-8 - Medium - CCI-000048 - V-270209 - SV-270209r1045500_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
ENTR-ID-000150
Vuln IDs
  • V-270209
Rule IDs
  • SV-270209r1045500_rule
Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies: SRG-APP-000068, SRG-APP-000069, SRG-APP-000070
Checks: C-74242r1043906_chk

Verify Entra ID has been configured to display the DOD logon banner when a user logs on. 1. Sign in to the Microsoft Entra admin center as a Global Administrator. 2. Browse to or search "Company Branding". 3. Browse to the "Sign-in form" tab and review the required DOD banner text in the "Sign-in page text". Note: This field is limited to 1024 characters. If the DOD logon banner text is not present in the "Sign-in page text" field, this is a finding.

Fix: F-74143r1043907_fix

To create the standard DOD banner in Entra ID, complete these steps: 1. Sign in to the Microsoft Entra admin center as a Global Administrator. 2. Browse to or search "Company Branding". 3. Select "Customize" under "Default sign-in experience". 4. Browse to the "Sign-in form" tab and place the required DOD banner text in the "Sign-in page text". Note: This field is limited to 1024 characters. 5. Click "Create".

b
Microsoft Entra ID must be configured to transfer logs to another server for storage, analysis, and reporting.
AU-9 - Medium - CCI-001348 - V-270227 - SV-270227r1045503_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
ENTR-ID-000370
Vuln IDs
  • V-270227
Rule IDs
  • SV-270227r1045503_rule
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure the audit records will be retained in the event of a catastrophic system failure. This also ensures a compromise of the information system being audited does not result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.
Checks: C-74260r1045501_chk

Verify Microsoft Entra ID sign-in logs are updated in Microsoft Sentinel or equivalent SIEM. Verify the Connected Status is "green" with Last Log Received within the past hour. 1. Sign in to the Microsoft Entra admin center as a Global Administrator. 2. Browse to "Diagnostic settings". 3. Select "Edit settings" for the entry that has an established log analytics workspace. 4. Review the selected log categories. The minimum required categories are: - SigninLogs. - AuditLogs. - ServicePrincipalSignInLogs. - ManagedIdentitySignInLogs. - UserRiskEvents. - RiskyUsers. - RiskyServicePrincipals. - ServicePrincipalRiskEvents. If there is not an entry established to offload logs to a log analytic workspace and the minimum log categories are not selected, this is a finding.

Fix: F-74161r1045502_fix

Configure the Microsoft Entra to transfer Microsoft Entra server logs to another server for storage, analysis, and reporting at least every seven days. 1. Sign in to the Microsoft Entra admin center as a Global Administrator. 2. Browse to "Diagnostic settings". 3. Select "+ Add diagnostic settings". 4. Selected at least required categories: - SigninLogs. - AuditLogs. - ServicePrincipalSignInLogs. - ManagedIdentitySignInLogs. - UserRiskEvents. - RiskyUsers. - RiskyServicePrincipals. - ServicePrincipalRiskEvents. 5. Select "Send to Log Analytics workspace". For details on establishing a log analytics workspace, reference the DOD365 TCG.

b
Microsoft Entra ID must be configured to use a DOD Central Directory Service to provide multifactor authentication (MFA) for network access to privileged and nonprivileged accounts.
IA-2 - Medium - CCI-000765 - V-270233 - SV-270233r1045506_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000765
Version
ENTR-ID-000440
Vuln IDs
  • V-270233
Rule IDs
  • SV-270233r1045506_rule
Without the use of MFA, the ease of access to privileged functions is greatly increased. MFA requires the use of two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000154, SRG-APP-000155
Checks: C-74266r1045504_chk

Verify user accounts require MFA. 1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator. 2. Browse to Security Center >> Conditional Access. 3. Select "View all policies" under "Policy Snapshot" and find the MFA policy. 4. Confirm "Enable policy" is set to "On". 5. Confirm "All users" is selected under the "Include" section of the Users option of the policy. 6. Confirm any exclusions listed under the "Exclude" section of the Users option are documented with the authorizing official (AO). If the MFA policy is not set to "On" with "All users" selected and any exclusions are not documented with the AO, this is a finding.

Fix: F-74167r1045505_fix

Account authentication is managed by Entra ID. The following steps will create a Conditional Access policy to require all users to use MFA: 1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator. 2. In the search bar, search for "Conditional Access". 3. Select "Create new policy". 4. Give the policy a name. It is recommended that organizations create a meaningful standard for the names of policies. 5. Under "Assignments", select "Users" or "workload identities". a. Under "Include", select "All users". b. Under "Exclude", select "Users" and "groups", and then choose the organization's emergency access or break-glass accounts. 6. Navigate to Target resources >> Cloud apps >> Include. Select "All cloud apps". a. Under "Exclude", select any applications that do not require MFA. 7. Navigate to Access controls >> Grant. Select "Grant access, Require multifactor authentication", and then click "Select". 8. Confirm the settings and set "Enable policy" to "Report-only". 9. Select "Create" to enable the policy. 10. After confirming the policy, deploy the policy by either moving the "Enable" policy toggle from "Report-only" to "On" or alternately, deploying the policy using a Conditional Access template.

b
Microsoft Entra ID must enforce a 60-day maximum password lifetime restriction.
Medium - CCI-004066 - V-270239 - SV-270239r1045509_rule
RMF Control
Severity
M
CCI
CCI-004066
Version
ENTR-ID-000610
Vuln IDs
  • V-270239
Rule IDs
  • SV-270239r1045509_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.
Checks: C-74272r1045507_chk

Verify the Entra ID password expiration time period has been changed to 60 days. Interview the site Intune and/or Entra ID system administrator and verify the script shown in the Fix has been run. If the Entra ID password expiration time period has been changed to 60 days, this is a finding. Note: It is not possible to view the current value for the password expiration time (the Entra ID default is 90). An administrator can check the maximum password age of their Entra ID tenant by using the Graph PowerShell SDK module and using the "Get-MgDomain" command by using the script located here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomain?view=graph-powershell-1.0 Note: For any PowerShell scripts that are Graph, note Graph end points differ depending on where the tenant is located. - For commercial tenants, graph endpoints are graph.microsoft.com. - For GCC High tenants (IL4), graph endpoints are graph.microsoft.us. - For DOD tenants (IL5), graph endpoints are dod-graph.microsoft.us.

Fix: F-74173r1045508_fix

Change the default Entra ID password expiration time period to 60 days by using the Graph script located here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/update-mguser Use the "Get-MgDomain" command, and update it to 60 days using the "Update-MgDomain -DomainId <DomainName> -PasswordValidityPeriodInDays 60" command. Note: For any PowerShell scripts that are Graph, note Graph end points differ depending on where the tenant is located. - For commercial tenants, graph endpoints are graph.microsoft.com. - For GCC High tenants (IL4), graph endpoints are graph.microsoft.us. - For DOD tenants (IL5), graph endpoints are dod-graph.microsoft.us.

b
Microsoft Entra ID must notify system administrators (SAs) and the information system security officer (ISSO) when privileges are being requested.
AC-2 - Medium - CCI-000015 - V-270255 - SV-270255r1045530_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000015
Version
ENTR-ID-000835
Vuln IDs
  • V-270255
Rule IDs
  • SV-270255r1045530_rule
When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-74288r1045510_chk

Verify PIM is in use with email notifications going to the SA and ISSO when privileges are requested. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select roles. 5. For each role that is either active or eligible perform the following: a. Select the role. b. Navigate to role settings. c. Under "Send notifications when eligible members activate this role:" Verify the SA and ISSO email addresses are listed under "Additional recipients" for the type "Role activation alert". If the SA and ISSO are not set up to receive email notification when privileges are requested through PIM, this is a finding.

Fix: F-74189r1045511_fix

Configure PIM to email notifications to the SA and ISSO when privileges are requested. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select roles. 5. For each role that is either active or eligible perform the following: a. Select the role. b. Navigate to role settings. c. Select "Edit". d. Navigate to the "Notification" tab. e. Under "Send notifications when eligible members activate this role:" add the SA and ISSO email addresses under "Additional recipients". f. Select "Update".

b
Microsoft Entra ID must automatically terminate a user session after an organization-defined period of user inactivity.
AC-12 - Medium - CCI-002361 - V-270256 - SV-270256r1045515_rule
RMF Control
AC-12
Severity
M
CCI
CCI-002361
Version
ENTR-ID-000860
Vuln IDs
  • V-270256
Rule IDs
  • SV-270256r1045515_rule
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all processes associated with a user's logical session except those processes specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages.
Checks: C-74289r1045513_chk

To verify the inactivity timeout is configured for 15 minutes or less, complete the following steps: 1. Sign in to entra.microsoft.com (or .us if you are a GCCH or DOD tenant). 2. Navigate to Admin &gt;&gt; Settings &gt;&gt; Org Settings &gt;&gt; Security and Privacy tab &gt;&gt; Idle Session Timeout. 3. Select the check box to enable "Turn on to set the period of inactivity". 4. Select custom option, then verify it has been set to "15". If the inactivity timeout is not set to 15 minutes or less, this is a finding.

Fix: F-74190r1045514_fix

Sign in to Microsoft DOD tenant or entra.microsoft.com. 1. Search "Portal settings", then go to "Signing out + Notifications". 2. Set "When do you want users signed out" to 15 minutes. 3. Click "Save".

b
Microsoft Entra ID must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
AC-7 - Medium - CCI-002238 - V-270261 - SV-270261r1045517_rule
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
ENTR-ID-000940
Vuln IDs
  • V-270261
Rule IDs
  • SV-270261r1045517_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-74294r1044062_chk

Verify Entra ID is configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Browse to Protection &gt;&gt; Authentication methods &gt;&gt; Password protection. 3. Verify the Lockout Threshold has been set to "3" and Lockout duration is set to 900 or more. If Entra ID is not configured to enforce the limit of three consecutive invalid logon attempts with a lockout period of 15 minutes, this is a finding.

Fix: F-74195r1045516_fix

Administrator account authentication is managed by Entra ID. To configure account lockout settings, complete these steps: 1. Log on to entra.microsoft.com. 2. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator. 3. Browse to Protection >> Authentication methods >> Password protection. 4. Set the Lockout threshold to "3". The default is 10 for Azure Public tenants and 3 for Azure U.S. Government tenants. 5. Set the Lockout duration in seconds, to the length in seconds of each lockout. The default is 900 seconds (15 minutes). Note: If the first sign-in after a lockout period also fails, the account locks out again. If an account locks repeatedly, the lockout duration increases. ================================ This can be viewed in the Entra ID audit logs. 1. Log into the Entra ID tenant with GA permissions. 2. Scroll down to the Monitoring section and select "Audit Logs". 3. All events related to user creation, modification, etc., will be displayed. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout

b
Microsoft Entra ID must be configured to transfer UEM server logs to another server for storage, analysis, and reporting.
AU-4 - Medium - CCI-001851 - V-270262 - SV-270262r1045519_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
ENTR-ID-000950
Vuln IDs
  • V-270262
Rule IDs
  • SV-270262r1045519_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Checks: C-74295r1044065_chk

Verify the site is scheduling audit log backups at least every seven days. Since, at this time, offloading Entra ID audit logs is a manual process, verify the site is periodically (at least every seven days) offloading Entra ID logs. If Microsoft Entra ID is not set to transfer server logs to another server for storage, analysis, and reporting at least every seven days, this is a finding.

Fix: F-74196r1045518_fix

To manually offload audit logs to an audit log management server, follow these instructions: 1. Log in to Microsoft Entra admin center entra.microsoft.com and search for "audit logs" and select "download". 2. Select "Groups". 3. Select "Audit Logs". 4. Select "Download". This exports a .csv file with audit data. Other methods can be used to archive the .csv files.

b
Entra ID must utilize Privileged Identity Management (PIM).
AC-2 - Medium - CCI-001682 - V-270335 - SV-270335r1045520_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001682
Version
ENTR-ID-001900
Vuln IDs
  • V-270335
Rule IDs
  • SV-270335r1045520_rule
Emergency accounts are administrator accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account created for use by vendors or system maintainers. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.
Checks: C-74368r1044284_chk

Verify PIM is in use with just-in-time (JIT) access and employing the principle of least privilege access. 1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. 2. Search for "Microsoft Entra Privileged Identity Management". 3. Navigate to "Management" and select "Microsoft Entra roles". 4. Expand the "Manage" menu and select "Assignments". 5. Select the "Active assignments" tab and for each privileged role, verify there are no roles with an end time of "Permanent". If any privileged roles are present with an end time of "Permanent", this is a finding.

Fix: F-74269r1044285_fix

Configure PIM to just-in-time (JIT) access and employ the principle of least privilege access. When assigning privileged roles to accounts, select the assignment type of "Eligible".