Microsoft Entra ID
by Microsoft Corporation
Enterprise identity and access management platform (formerly Azure Active Directory) with SSO, MFA, and conditional access
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SP 800-63B §4.2: "AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber's account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above." §4.3: "AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber's account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance." §4.2.3: "At AAL2, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session. Reauthentication SHALL be repeated following any period of inactivity lasting 30 minutes or longer." Entra ID can meet AAL2 with any of its MFA methods and AAL3 with FIDO2/WebAuthn security keys, which are hardware-bound and verifier-impersonation (phishing) resistant; the 12-hour and 30-minute reauthentication limits are enforced with the Conditional Access sign-in frequency session control rather than by default token lifetimes.
DoD security requirements for Entra ID. Covers MFA enforcement, conditional access policies, privileged access management, and audit logging.
Security baseline including Entra ID configuration. 140+ controls across identity, collaboration, and device management.
Official hardening guide covering security defaults, conditional access, Privileged Identity Management, and identity protection.
SOC 2 CC6.1: "The entity implements logical access security software, infrastructure, and architectures over protected information assets." CC6.2: "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users." CC6.3: "The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles." Entra ID implements centralized identity governance aligned with SOC 2 access control requirements. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.5.15: "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements." A.5.16: "The full lifecycle of identities shall be managed." A.5.18: "Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy." Entra ID supports ISO 27001 identity and access management requirements through Conditional Access (A.5.15), identity lifecycle and access reviews (A.5.16, A.5.18), and PIM for time-bound privileged assignments. Source: ISO/IEC 27001:2022 Annex A.
CISA SCuBA provides security baselines with specific policy IDs and MITRE ATT&CK mappings. MS.AAD.1.1v1: "Legacy authentication SHALL be blocked" (T1110 Brute Force, T1078 Valid Accounts). MS.AAD.2.1v1: "Users detected as high risk SHALL be blocked." MS.AAD.3.1v1: "Phishing-resistant MFA SHALL be enforced for all users." MS.AAD.3.6v1: "Phishing-resistant MFA SHALL be required for highly privileged roles." MS.AAD.7.1v1: "A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role." Each SHALL control is satisfied only by a Conditional Access policy that is enforced (not report-only) and scoped to all users. BOD 25-01 requires federal civilian executive branch agencies to implement these baselines and to run the ScubaGear assessment tool against their tenants. Source: CISA SCuBA Project.
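The SCuBA checks above can be evaluated offline from the JSON that the Graph queries in the Verification Commands section return. The following is an added example written for this page, not CISA's ScubaGear code: it applies four of the controls (MS.AAD.1.1v1, 2.1v1, 3.1v1, 7.1v1) to constructed sample responses shaped like `identity/conditionalAccess/policies` and `directoryRoles?$expand=members`. The Global Administrator role template ID and the built-in phishing-resistant authentication strength ID are well-known values but should be confirmed against your tenant's output; the sample tenant data and the `contoso.example` names are invented.

```python
"""Offline evaluation of four CISA SCuBA Entra ID controls against Graph JSON (added example)."""
import json

# Well-known Entra identifiers (assumption: confirm against your tenant's Graph output).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Constructed sample data, not real tenant output. Shapes are trimmed to the fields used:
# GET /v1.0/identity/conditionalAccess/policies and GET /v1.0/directoryRoles?$expand=members
SAMPLE_CA_POLICIES = [
    {   # Satisfies MS.AAD.1.1v1: enforced, all users, blocks both legacy client app types
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"],
                       "userRiskLevels": []},
        "grantControls": {"operator": "OR", "builtInControls": ["block"], "authenticationStrength": None},
    },
    {   # Does NOT satisfy MS.AAD.3.1v1: correct strength, but still in report-only mode
        "displayName": "Require phishing-resistant MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"],
                       "userRiskLevels": []},
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID,
                                                     "displayName": "Phishing-resistant MFA"}},
    },
]
SAMPLE_DIRECTORY_ROLES = [
    {"displayName": "Global Administrator", "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
     "members": [{"userPrincipalName": "breakglass1@contoso.example"}]},   # only one: below minimum
    {"displayName": "User Administrator", "roleTemplateId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
     "members": [{"userPrincipalName": "ua1@contoso.example"}, {"userPrincipalName": "ua2@contoso.example"}]},
]


def load_graph_collection(path):
    """Read a saved `az rest` response ({"value": [...]}) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["value"]


def _enforced_for_all_users(policy):
    """A SHALL control is met only by an enforced (not report-only) policy that includes all users."""
    users = policy.get("conditions", {}).get("users", {})
    return policy.get("state") == "enabled" and "All" in users.get("includeUsers", [])


def _blocks(policy):
    return "block" in (policy.get("grantControls") or {}).get("builtInControls", [])


def check_legacy_auth_blocked(policies):
    """MS.AAD.1.1v1: block policy covering both 'exchangeActiveSync' and 'other' client app types."""
    return any(_enforced_for_all_users(p) and _blocks(p)
               and {"exchangeActiveSync", "other"} <= set(p.get("conditions", {}).get("clientAppTypes", []))
               for p in policies)


def check_high_risk_users_blocked(policies):
    """MS.AAD.2.1v1: block policy whose user risk condition includes 'high'."""
    return any(_enforced_for_all_users(p) and _blocks(p)
               and "high" in p.get("conditions", {}).get("userRiskLevels", [])
               for p in policies)


def check_phishing_resistant_mfa_all_users(policies):
    """MS.AAD.3.1v1: all users, all apps, grant control is the built-in phishing-resistant strength."""
    for p in policies:
        strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
        apps = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if (_enforced_for_all_users(p) and "All" in apps
                and (strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID
                     or strength.get("displayName") == "Phishing-resistant MFA")):
            return True
    return False


def count_global_admins(directory_roles):
    """Active members of the Global Administrator role; PIM-eligible users are not in this list."""
    for role in directory_roles:
        if role.get("roleTemplateId") == GLOBAL_ADMIN_TEMPLATE_ID:
            return len(role.get("members", []))
    return 0


def check_global_admin_count(directory_roles, low=2, high=8):
    """MS.AAD.7.1v1: at least two (break-glass redundancy) and at most eight Global Administrators."""
    return low <= count_global_admins(directory_roles) <= high


def evaluate(policies, directory_roles):
    return {
        "MS.AAD.1.1v1": check_legacy_auth_blocked(policies),
        "MS.AAD.2.1v1": check_high_risk_users_blocked(policies),
        "MS.AAD.3.1v1": check_phishing_resistant_mfa_all_users(policies),
        "MS.AAD.7.1v1": check_global_admin_count(directory_roles),
    }


if __name__ == "__main__":
    for control, ok in evaluate(SAMPLE_CA_POLICIES, SAMPLE_DIRECTORY_ROLES).items():
        print(f"{control}: {'PASS' if ok else 'FAIL'}")
```

Against the sample data only MS.AAD.1.1v1 passes: the phishing-resistant policy is report-only, no policy acts on high-risk users, and the tenant has a single Global Administrator. To run it on a real tenant, save the two `az rest` responses with `az rest ... > policies.json` and `az rest --uri "https://graph.microsoft.com/v1.0/directoryRoles?\$expand=members" > roles.json` and pass `load_graph_collection(...)` results to `evaluate`. Note that `directoryRoles` members are active assignments only; PIM-eligible Global Administrators must be counted separately from `roleManagement/directory/roleEligibilitySchedules`, and a policy that excludes a large group under `excludeUsers` can pass these string checks while leaving real gaps.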
Verification Commands
Commands and queries for testing and verifying security configurations. Invoke-SCuBA is a PowerShell cmdlet from the CISA ScubaGear module; the remaining commands are Azure CLI calls to Microsoft Graph and run in a POSIX shell (the `\$` escapes keep OData query options from being expanded as shell variables).
# Run the full CISA SCuBA Entra ID baseline assessment
Invoke-SCuBA -ProductNames aad
# Directory roles that have been activated in the tenant
az rest --method GET --uri "https://graph.microsoft.com/v1.0/directoryRoles" --query "value[].{Role:displayName}"
# Per-user authentication method registration (reports/credentialUserRegistrationDetails is deprecated; userRegistrationDetails replaces it)
az rest --method GET --uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
# Conditional Access policies and whether each is enabled, report-only, or disabled
az rest --method GET --uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" --query "value[].{Name:displayName,State:state}"
# Security defaults state (must be disabled once Conditional Access policies are in use; the two are mutually exclusive)
az rest --method GET --uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"
# All directory role assignments (principalId and roleDefinitionId); use to audit the Global Administrator count for MS.AAD.7.1v1
az rest --method GET --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
# Ten most recent interactive sign-in events
az rest --method GET --uri "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=10"
# Users who have not yet registered an MFA method
az rest --method GET --uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails?\$filter=isMfaRegistered eq false"
# Users Identity Protection currently rates as high risk (the population MS.AAD.2.1v1 requires to be blocked)
az rest --method GET --uri "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?\$filter=riskLevel eq 'high'"
# Tenant-level password rule settings (banned password list, lockout threshold)
az rest --method GET --uri "https://graph.microsoft.com/v1.0/settings" | jq '.value[] | select(.displayName=="Password Rule Settings")'
# Guest (B2B) accounts in the directory
az ad user list --filter "userType eq 'Guest'" --query "[].{Name:displayName,Email:mail}"
Related Controls
Security controls from various frameworks that relate to Microsoft Entra ID.