DoD Zero Trust Strategy for the user pillar

The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.

This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.

Use the following links to go to sections of the guide.

1 User

This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the user pillar. To learn more, see Securing identity with Zero Trust.

1.1 User inventory

Microsoft Entra ID is the required identity platform for Microsoft cloud services. Microsoft Entra ID is an identity provider (IdP) and governance platform to support multicloud and hybrid identities. You can use Microsoft Entra ID to govern access to non-Microsoft clouds like Amazon Web Services (AWS), Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) and more. Microsoft Entra ID uses standard identity protocols, making it a suitable IdP for software as a service (SaaS), modern web applications, desktop and mobile apps, also legacy on-premises applications.

Use Microsoft Entra ID to verify users and nonperson entities (NPE), continuously authorize access to apps and data, govern identities and their entitlements following least-privilege principles, and perform just-in-time (JIT) administration.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.1.1 Inventory User
DoD Organizations establish and update a user inventory manually if needed, preparing for automated approach in later stages. Accounts both centrally managed by an IdP/ICAM and locally on systems will be identified and inventoried. Privileged accounts will be identified for future audit and both standard and privileged user accounts local to applications and systems will be identified for future migration and/or decommission.

Outcomes:
- Identified Managed Regular Users
- Identified Managed Privileged Users
- Identified applications using their own user account management for non-administrative and administrative accounts
Microsoft Entra ID
Identify regular and privileged users in your organization using the Microsoft Entra admin center or Microsoft Graph API. User activity is captured in Microsoft Entra ID sign-in and audit logs, which can be integrated with security information event monitoring (SIEM) systems like Microsoft Sentinel.
- Adopt Microsoft Entra ID
- Microsoft Graph API: List Users
- Microsoft Entra activity log integration

Microsoft Entra and Azure roles
Privileged users are identities assigned to Microsoft Entra ID roles, Azure roles, or Microsoft Entra ID security groups that grant privileged access to Microsoft 365, or other applications. We recommend you use cloud-only users for privileged access.
- Built-in roles

Microsoft Defender for Cloud Apps
Use Defender for Cloud Apps to discover unapproved apps using their own identity store.
- Discover and manage shadow IT

Microsoft Defender for Identity
Deploy and configure Microsoft Defender for Identity sensors to build an identity asset inventory for on-premises Active Directory Domain Services environments.
- Microsoft Defender for Identity overview
- Deploy Microsoft Defender for Identity
- Investigate assets

1.2 Conditional user access

Microsoft Entra ID helps your organization implement conditional, dynamic user access. Features that support this capability include Microsoft Entra Conditional Access, Microsoft Entra ID Governance, custom roles, dynamic security groups, app roles, and custom security attributes.

Conditional Access is the real-time Zero Trust policy engine in Microsoft Entra ID. Conditional Access policies use security signals from user, device, application, session, risk, and more to apply adaptive dynamic authorization for resources protected by Microsoft Entra ID.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.2.1 Implement App Based Permissions per Enterprise
The DoD enterprise working with the Organizations establishes a basic set of user attributes for authentication and authorization. These are integrated with the "Enterprise Identity Life-Cycle Management Pt1" activity process for a complete enterprise standard. The enterprise Identity, Credential, and Access Management (ICAM) solution is enabled for self-service functionality for adding/updating attributes within the solution. Remaining Privileged Access Management (PAM) activities are fully migrated to PAM solution.

Outcomes:
- Enterprise roles/attributes needed for user authorization to application functions and/or data have been registered with enterprise ICAM
- DoD Enterprise ICAM has self-service attribute/role registration service that enables application owners to add attributes or use existing enterprise attributes
- Privileged activities are fully migrated to PAM
Microsoft Entra Connect
Establish hybrid identity with Microsoft Entra Connect to populate Microsoft Entra ID tenants with user attribute data from current directory systems.
- Microsoft Entra Connect

Microsoft Entra applications
Integrate applications with Microsoft Entra ID. Design application authorization and permissions models using security groups, and app roles. To delegate app management, assign owners to manage app configuration, also register, and assign app roles.
- Integrate apps with Microsoft Entra ID
- Dynamic security groups
- App roles for applications

Microsoft Entra ID Governance
Configure access packages in entitlement management so users can request access to application roles or groups.
- Govern access to apps
- Delegate access package governance

Conditional Access
Configure Conditional Access policies for dynamic authorization to applications and services protected by Microsoft Entra ID. In Conditional Access policies, use custom security attributes and application filters to scope security attribute authorization assigned to application objects, such as sensitivity.
- Conditional Access
- Custom security attributes
- Filter for apps

Privileged Identity Management
Use PIM Discovery and Insights to identify privileged roles and groups. Use PIM to manage discovered privileges and convert user assignments from permanent to eligible.
- PIM Discovery and Insights

Target 1.2.2 Rule Based Dynamic Access Pt1
DoD Organizations utilize the rules from the "Periodic Authentication" activity to build basic rules enabling and disabling privileges dynamically. High-risk user accounts utilize the PAM solution to move to dynamic privileged access using Just-In-Time access and Just Enough-Administration methods.

Outcomes:
- Access to application’s/service’s functions and/or data are limited to users with appropriate enterprise attributes
- All possible applications use JIT/JEA permissions for administrative users
Microsoft Entra ID
Use Microsoft Entra ID authorization and governance features to limit application access based on user attributes, role assignments, risk, and session details.

See Microsoft guidance in 1.2.1.

Privileged Identity Management
Use PIM for Microsoft Entra and Azure roles. Extend PIM to other Microsoft Entra ID applications with PIM for Groups.
- PIM for Microsoft Entra roles
- PIM for Azure roles
- PIM for Groups

Advanced 1.2.3 Rule Based Dynamic Access Pt2
DoD Organizations expand the development of rules for dynamic access decision making accounting for risk. Solutions used for dynamic access are integrated with cross pillar Machine Learning and Artificial Intelligence functionality enabling automated rule management.

Outcomes:
- Components and services are fully utilizing rules to enable dynamic access to applications and services
- Technology utilized for Rule Based Dynamic Access supports integration with AI/ML tooling
Microsoft Entra ID Protection
Microsoft Entra ID Protection uses machine learning (ML) algorithms to detect users and sign-in risk. Use risk conditions in Conditional Access policies for dynamic access, based on risk level.
- Microsoft Entra ID Protection
- Risk detections
- Risk-based access policies

Microsoft Defender XDR
Microsoft Defender XDR is an extended detection and response (XDR) solution. Deploy Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps and configure integrations.
- Integrate Defender for Endpoint with Defender for Cloud Apps

Advanced 1.2.4 Enterprise Governance roles and permissions Pt1
DoD Organizations federate remaining user and group attributes as appropriate to the Enterprise Identity, Credential, and Access Management (ICAM) solution. The updated attribute set is used to create universal roles for Organizations to use. Core functions of the Identity Provider (IdP) and Identity, Credential, and Access Management (ICAM) solutions are migrated to cloud services and/or environments enabling improved resilience and performance.

Outcomes:
- Component attribute and role data repository federated with enterprise ICAM
- Cloud-based enterprise IdP can be used by cloud and on-premises applications
- Standardized set of roles and permissions are created and aligned to attributes
Microsoft Entra ID
Microsoft Entra ID is a multicloud centrally managed identity, credential, and access management (ICAM) platform and identity provider (IdP). Establish hybrid identity with Microsoft Entra Connect to populate user data in the directory.
- Microsoft Entra ID
- Hybrid identity

Microsoft Entra applications
Integrate applications with Microsoft Entra ID and use dynamic security groups, application roles, and custom security attributes to govern access to applications.
- Manage apps
- Govern app access

Microsoft Entra application proxy
To use Microsoft Entra ID for apps that use legacy authentication protocols, deploy and configure application proxy or integrate secure hybrid access (SHA) partner solutions.
- SHA: Protect legacy apps

Advanced 1.2.5 Enterprise Governance roles and permissions Pt2
DoD Organizations move all possible functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions to cloud environments. Enclave/DDIL environments local capabilities to support disconnected functions but ultimately are managed by the centralized Identity, Credential and Access Management (ICAM) solutions. Updated roles are now mandated for usage and exceptions are reviewed following a risk-based approach.

Outcomes:
- Majority of components utilize cloud IdP functionality Where possible on-prem IdP is decommissioned
- Permissions and roles are mandated for usage when evaluating attributes
Microsoft Entra applications
Migrate modern applications from Active Directory Federation Services (AD FS) to Microsoft Entra ID and then decommission AD FS infrastructure.
- Migrate app authentication from AD FS to Microsoft Entra ID

Microsoft Entra app provisioning
Move remaining ICAM and application provisioning processes from on-premises identity management systems to Microsoft Entra ID.
- API-driven inbound provisioning
- App provisioning

1.3 Multi-factor authentication

Microsoft Entra ID supports certificate-based authentication (CBA) including DoD Common Access Cards (CAC) and Personal Identity Verification (PIV) without federating with another IdP, for cloud and hybrid (synchronized) users. Microsoft Entra ID supports multiple industry-standard multifactor phishing-resistant passwordless authentication methods including CBA, Windows Hello for Business, FIDO2 security keys, and passkeys.

You can create Conditional Access policies to enforce authentication strength and dynamically authorize access based on user, device, and environment conditions, including risk level.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.3.1 Organizational MFA/IDP
DoD Organizations procure and implement a centralized Identity Provider (IdP) solution and Multi-Factor (MFA) solution. The IdP and MFA solution may be combined in a single application or separated as needed assuming automated integration is supported by both solutions. Both IdP and MFA support integration with the Enterprise PKI capability and enable key pairs to be signed by the trusted root certificate authorities. Mission/Task-Critical applications and services are utilizing the IdP and MFA solution for management of users and groups.

Outcomes:
- Component is using IdP with MFA for critical applications/services
- Components have implemented an Identity Provider (IdP) that enables DoD PKI multifactor authentication
- Organizational Standardized PKI for critical services
Microsoft Entra authentication methods
Configure Microsoft Entra CBA using DoD PKI. Set the global protection level to single-factor authentication. Create rules for each DoD issuing CA, or Policy OID, to identify DoD PKI as multi-factor authentication protection level. After configuration, users sign into Microsoft Entra with a DoD CAC.
- Authentication in Microsoft Entra ID
- Microsoft Entra CBA
- Configure CBA

Staged rollout
Use a staged rollout to migrate user authentication from an on-premises federation service to Microsoft Entra CBA.

See Microsoft guidance in 1.2.4.

Microsoft Entra authentication strength
Create a new authentication strength named DoD CAC. Choose certificate-based authentication (multifactor). Configure advanced options and select certificate issuers for DoD PKI.
- Authentication strength
- Custom authentication strengths

Microsoft Intune
Microsoft Entra supports two methods to use certificates on a mobile device: derived credentials (on-device certificates), and hardware security keys. To use DoD PKI-derived credentials on managed mobile devices, use Intune to deploy DISA Purebred.
- Derived credentials
- CBA on iOS devices
- CBA on Android devices

Advanced 1.3.2 Alternative Flexible MFA Pt1
DoD Organization’s Identity Provider (IdP) supports alternative methods of multi-factor authentication complying with Cyber Security requirements (e.g., FIPS 140-2, FIPS 197, etc.). Alternative tokens can be used for application-based authentication. Multi-Factor options support Biometric capability and can be managed using a self-service approach. Where possible multi-factor provider(s) is moved to cloud services instead of being hosted on-premises.

Outcomes:
- IdP provides user self-service alternative token
- IdP provides alt token MFA for approved applications per policy
Microsoft Entra authentication methods
Configure Microsoft Entra authentication methods for users to register passkeys (FIDO2 security keys). Use optional settings to configure a key restriction policy for keys compliant with FIPS 140-2.
- Passwordless security key sign-in
- Authentication methods

Temporary access pass
Configure a temporary access pass (TAP) for users to register alternate passwordless authenticators without a CAC.
- Configure TAP

Conditional Access
Create a Conditional Access policy to require authentication strength: DoD CAC for security info registration. The policy requires CAC to register other authenticators like FIDO2 security keys.
- Security info registration

See Microsoft guidance in 1.3.1.

Windows Hello for Business
Use Windows Hello for Business with a PIN or biometric gesture for Windows sign-in. Use device management policies for Windows Hello for Business enrollment for enterprise-provided Windows devices.
- Windows Hello for Business

Advanced 1.3.3 Alternative Flexible MFA Pt2
Alternative tokens utilize user activity patterns from cross pillar activities such as "User Activity Monitoring (UAM) and User & Entity Behavior Analytics (UEBA)" to assist with access decision making (e.g., not grant access when pattern deviation occurs). This functionality is further extended onto Biometric enabled alternative tokens as well.

Outcome:
- User Activity Patterns Implemented
Microsoft Entra ID Protection
Microsoft Entra ID Protection uses machine learning (ML) and threat intelligence to detect risky users and sign-in events. Use the sign-in and user risk conditions to target Conditional Access policies to risk levels. Start with baseline protection requiring MFA for risky sign-ins.
- Microsoft Entra ID Protection
- Deploy Identity Protection

Conditional Access
Create a set of risk-based Conditional Access policies that use grant and session controls to require stronger protection as risk increases.
- Configure and enable risk policies
- Conditional Access: Session
- Conditional Access: Grant

Risk-based Conditional Access policy examples:

Medium sign-in risk
- Require authentication strength: phishing-resistant MFA
- Require compliant device
- Sign-in frequency: 1 hour

High sign-in risk
- Require authentication strength: phishing-resistant MFA
- Require compliant device
- Sign-in frequency: every time

High user risk
- Require authentication strength: phishing-resistant MFA
- Require compliant device
- Sign-in frequency: every time

Microsoft Sentinel
Configure a Sentinel analytics rule and playbook to create an incident for Entra ID Protection alerts when user risk is high.
- Microsoft Entra ID Protection connector for Sentinel
- User:revokeSignInSessions

1.4 Privileged access management

Microsoft Entra ID Governance enables PAM features including just-in-time (JIT) administration, entitlement management, and periodic access reviews. Microsoft Entra Privileged Identity Management (PIM) helps you discover how roles are assigned in your organization. Use PIM to convert permanent role assignments JIT, customize role assignment and activation requirements, also schedule access reviews.

Conditional Access enforces authentication strength, risk level, and compliant Privileged Access Workstation (PAW) device for privileged access. Administrative actions in Microsoft Entra ID are recorded in the Microsoft Entra audit logs.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target1.4.1 Implement System and Migrate Privileged Users Pt1
DoD Organizations procure and implement a Privileged Access Management (PAM) solution to support all critical privileged use cases. Application/Service integration points are identified to determine status of support for the PAM solution. Applications/Services that easily integrate with PAM solution are transitioned over to using solution versus static and direct privileged permissions.

Outcomes:
- Privilege Access Management (PAM) tooling is implemented
- Applications and devices that support and don't support PAM tools identified
- Applications that support PAM, now use PAM for controlling emergency/built-in accounts
Privileged Identity Management
Deploy PIM to protect Microsoft Entra ID and Azure roles. Use PIM Discovery and Insights to identify privileged roles and groups. Use PIM to manage discovered privileges and convert user assignments from permanent to eligible.
- PIM overview
- Discovery and Insights for roles
- Azure resources

Microsoft Intune
Deploy Intune-managed PAW for Microsoft Entra, Microsoft 365, and Azure administration.
- Privileged access strategy

Conditional Access
Use Conditional Access policy to require compliant devices. To enforce PAW, use device filters in the Conditional Access compliant-device grant control.
- Filters for devices

Target 1.4.2 Implement System and Migrate Privileged Users Pt2
DoD Organizations utilize the inventory of supported and unsupported Applications/Services for integration with privileged access management (PAM) solution to extend integrations. PAM is integrated with the more challenging Applications/Services to maximize PAM solution coverage. Exceptions are managed in a risk-based methodical approach with the goal of migration off and/or decommissioning Applications/Services that don't support PAM solutions.

Outcome:
- Privileged activities are migrated to PAM and access is fully managed
Privileged Identity Management
Use privilege access groups and PIM for Groups to extend just-in-time (JIT) access beyond Microsoft Entra ID and Azure. Use the security groups in Microsoft 365, Microsoft Defender XDR, or mapped to privileged role claims for non-Microsoft applications integrated with Microsoft Entra ID.
- Role-assignable groups
- Bring groups into PIM
- User and group assignements to an app

Conditional Access
Use protected actions to add another layer of protection when administrators perform actions requiring highly privileged permissions in Microsoft Entra ID. For instance, manage Conditional Access policies and cross-tenant access settings.
- Protected actions

Create a Conditional Access policy for users with active Microsoft Entra role membership. Require authentication strength: phishing resistant MFA and compliant device. Use device filters to require compliant PAWs.
- Require MFA for administrators
- Filter for devices

Advanced 1.4.3 Real Time Approvals & JIT/JEA Analytics Pt1
Identification of necessary attributes (Users, Groups, etc.) are automated and integrated into the Privileged Access Management (PAM) solution. Privilege access requests are migrated to the PAM solution for automated approvals and denials.

Outcomes:
- Identified accounts, applications, devices, and data of concern (of greatest risk to DoD mission)
- Using PAM tools, applied JIT/JEA access to high-risk accounts
- Privileged access requests are automated as appropriate
Privileged Identity Mangement
Identify high-risk roles in your environment such as Microsoft Entra roles, Azure roles like Owner and User Access Administrator, also privileged security groups.
- Best practices for roles
- Privileged roles

Configure PIM role settings to require approval.
- Azure resource role settings
- Microsoft Entra role settings
- PIM for Groups settings

Microsoft Entra ID Governance
Use access packages to manage security groups for role eligibility. This mechanism manages eligible admins; it adds self-service requests, approvals, and access reviews for role eligibility.
- Entitlement mangement

Create role-assignable groups for privileged roles to configure eligibility requests and approvals. Create a catalog named Privileged Role Eligible Admins. Add role-assignable groups as resources.
- Role-assignable groups
- Create and manage resource catalogs

Create access packages for role-assignable groups in the Privileged Role Eligible Admins catalog. You can require approval when users request eligibility in entitlement management, require approval upon activation in PIM, or both.
- Access packages

Advanced 1.4.4 Real Time Approvals & JIT/JEA Analytics Pt2
DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with the Privileged Access Management (PAM) solution providing user pattern analytics for decision making.

Outcome:
- UEBA or similar analytics system integrated with PAM tools for JIT/JEA account approvals
Conditional Access
Define an authentication context for privileged access. Create one or more Conditional Access policies that target the privileged access authentication context. Use risk conditions in the policy and apply grant and session controls for privileged access. We recommend you require authentication strength: phishing-resistant MFA, compliant privileged access workstation.
- Configure authentication context

See Microsoft guidance in 1.4.1.

To block privileged access when sign-in risk is high, create more Conditional Access policies that target privileged access authentication context with a condition for high sign-in risk. Repeat this step with a policy for high user risk.
- Policy deployment

Privileged Identity Management
Configure PIM role settings to require authentication context. This setting enforces Conditional Access policies for the chosen authentication context upon role activation.
- Require authentication context

1.5 Identity federation and user credentialing

Microsoft Entra ID plays a key role in identity lifecycle management (ILM). A Microsoft Entra tenant is a hyperscale cloud directory service, identity, credential and access management (ICAM) solution, and identity provider (IdP). It supports inter-directory provisioning and app provisioning to manage the lifecycle of internal users in Microsoft Entra ID and other apps.

Microsoft Entra ID Governance features help you manage the access lifecycle for entitlements like apps, Microsoft Teams, and security group membership. Entitlement management can also be used to onboard and govern external guests. You can block access and remove guest user objects when their last access package is removed. To understand how your organization can migrate ILM functions to Microsoft Entra ID, see Road to the cloud.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.5.1 Organizational Identity Life-Cycle Management
DoD Organizations establish a process for life cycle management of users both privileged and standard. Utilizing the Organizational Identity Provider (IdP) the process is implemented and followed by the maximum number of users. Any users who fall outside of the standard process are approved through risk-based exceptions to be evaluated regularly for decommission.

Outcome:
- Standardized Identity Lifecycle Process
Microsoft Entra ID
Standardize account lifecycle for identities, including users, administrators, external users, and application identities (Service Principals).
- Identity lifecycle management
- Identity and access management ops

Microsoft Entra ID Governance
Establish regular access reviews for privileged users and applications in a tenant.
- Access reviews

Target 1.5.2 Enterprise Identity Life-Cycle Management Pt1
The DoD Enterprise works with Organizations to review and align the existing Identity Lifecycle Processes, policy, and standards. A finalized agreed upon policy and supporting process are developed and followed by the DoD Organizations. Utilizing the centralized or federated Identity Provider (IdP) and Identity & Access Management (IdAM) solutions, DoD Organizations implement the Enterprise Lifecycle Management process for the maximum number of identities, groups, and permissions. Exceptions to the policy are managed in a risk based methodical approach.

Outcomes:
- Automated Identity Lifecycle Processes
- Integrated with Enterprise ICAM process and tools
Microsoft Entra ID
If your organization uses Active Directory, synchronize users to Microsoft Entra ID with Microsoft Entra Connect Sync or Microsoft Entra Connect Cloud Sync. Note: Don’t synchronize privileged Active Directory accounts, or assign privileged cloud roles, to synchronized accounts.
- Connect Sync
- Cloud Sync
- Protect Microsoft 365 from on-premises attacks
- Reduce attack surface area

Privileged Identity Management
Manage administrative access with PIM. Establish an access review cadence for privileged Microsoft Entra and Azure roles.
- Privileged accounts

Microsoft Entra authentication methods
Use cloud-based phishing-resistant MFA methods. Set up Microsoft Entra certificate-based authentication (CBA) with DoD Common Access Cards (CACs) to register other passwordless credentials.

See Microsoft guidance in 1.3.2.

Advanced 1.5.3 Enterprise Identity Life-Cycle Management Pt2
DoD Organizations further integrate the critical automation functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions following the Enterprise Lifecycle Management process to enable Enterprise automation and analytics. Identity Lifecycle Management primary processes are integrated into the cloud-based Enterprise ICAM solution.

Outcomes:
- Integration w/ Critical IDM/IDP functions
- Primary ILM functions are cloud based
Microsoft Entra ID Governance
Use entitlement management and access reviews to manage your organization’s user access lifecycles and external guest identity lifecycles.
- Entitlement management
- External user access governance

Managed identities
Use managed identities for Azure resources and Workload ID federation to reduce the risk of managing application credentials.
- Managed identities
- Workload identity federation

Application management policy
Configure app management policies to control the credential types added to applications in your tenant. Use the passwordAddition restriction to require certificate credentials for applications.
- App methods API
- App authentication certificate credentials

Advanced 1.5.4 Enterprise Identity Life-Cycle Management Pt3
DoD Organizations integrate remaining Identity Lifecycle Management processes with the Enterprise Identity, Credential and Access Management solution. Enclave/DDIL environments while still authorized to operate integrate with the Enterprise ICAM using local connectors to the cloud environment.

Outcomes:
- All ILM functions moved to cloud as appropriate
- Integration with all IDM/IDP functions

Microsoft Entra app provisioning
Use Microsoft Entra app provisioning to synchronize identities to SCIM, SQL, LDAP, PowerShell, and web services applications. Use the API-driven app to provision users into disparate Active Directory instances.
- Provision apps
- On-premises app provisioning
- Configure API-driven provisioning app

1.6 Behavioral, contextual ID, and biometrics

Microsoft Entra ID Protection helps you detect, remediate, and prevent identity threats by using machine learning (ML) and threat intelligence. This feature detects real-time risks during user sign-in and offline risks calculated over time. Risks include token anomalies, unusual sign-in properties, impossible travel, suspicious user behavior, and more.

Identity protection is integrated with Microsoft Defender XDR to show identity risks detected by other components in the Microsoft Defender product family.

To learn more, see What are risk detections?

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.6.1 Implement User & Entity Behavior Analytics
(UEBA) and User Activity Monitoring (UAM) tooling DoD Organizations procure and implement User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions. Initial integration point with Enterprise IdP is completed enabling future usage in decision making.

Outcome:
- UEBA and UAM functionality is implemented for Enterprise IDP
Microsoft Entra ID Protection
Deploy Microsoft Entra ID Protection to get real-time and offline risk detentions for users and sign-in events. Extend identity risk detections to application identities (Service Principals) using Microsoft Entra Workload ID, Workload Identities Premium edition.
- Secure workload identities
- Risk-based policy for workload identities

See Microsoft guidance in 1.3.3.

Microsoft Defender for Cloud Apps
Deploy Defender for Cloud Apps and configure integrations with Microsoft Defender for Endpoint and external solutions. Configure anomaly detection policies in Defender for Cloud Apps.
- Integrate Defender for Endpoint with Defender for Cloud Apps
- External solution integrations
- Detect suspicious user activity with UEBA

Microsoft Defender for Endpoint
Onboard endpoints to Defender for Endpoint. Configure integrations between Defender for Endpoint and Microsoft Intune.
- Defender for Endpoint and other solutions

Microsoft Intune
Configure integrations with Defender for Endpoint and use Defender for Endpoint machine risk score in your device compliance policy.
- Defender for Endpoint rules

Conditional Access
Create Conditional Access policies to require compliant devices. Before access is granted, the control requires a device marked as compliant in Microsoft Intune. Integration between Defender for Endpoint and Intune provides an overall picture of device health and risk level based on the compliance state.
- Compliance policies to set rules for Inune managed devices

Microsoft Sentinel
Connect data sources to Sentinel and enable UEBA for audit logs, sign-in logs, Azure activity, and security events.
- Enable UEBA
- Advanced threats with UEBA

Advanced 1.6.2 User Activity Monitoring Pt1
DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with Organizational Identity Providers (IdP) for extended visibility as needed. Analytics and data generated by UEBA and UAM for critical applications and services are integrated with the Just-in-Time and Just-Enough-Access solution improving decision making further.

Outcomes:
- UEBA is integrated with Org IDPs as appropriate
- UEBA is integrated with JIT/JEA for critical services
Privileged Identity Management
Deploy PIM and onboard privileged roles. Define authentication context for privileged access. Use risk conditions in the authentication context and configure PIM role settings to require authentication context upon activation.

See Microsoft guidance in 1.4.4.

Microsoft Sentinel
Connect data sources to Sentinel and enable UEBA for audit logs, sign in logs, Azure activity, and security events.
- Enable UEBA
- Advanced threats with UEBA

Microsoft Defender for Cloud Apps
Monitor and control sessions to cloud applications with Defender for Cloud Apps.
- Protect apps with App Control
- Session policies
- Investigate risky users

Advanced 1.6.3 User Activity Monitoring Pt2
DoD Organizations continue the analytics usage from User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions by using generated data for all monitored applications and services when decision making occurs in the Just-in-Time and Just-Enough-Access solution.

Outcome:
- UEBA/Entity Monitoring is integrated with JIT/JEA for all services
Privileged Identity Management
Use PIM for Groups to extend just-in-time (JIT) access to applications using app roles. Assign groups, managed by PIM, to the privileged app roles.
- PIM for Groups
- Add app roles to an app

1.7 Least privileged access

Access to applications using Microsoft Entra ID is deny-by-default. Microsoft Entra ID Governance features like entitlement management and access reviews ensure access is time-bound, aligns to the principle of least privilege, and enforces controls for separation of duties.

Use Microsoft Entra built-in roles to assign least privilege permissions by task. Administrative Units let you scope resource-based permissions for Microsoft Entra ID users and devices.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.7.1 Deny User by Default Policy
DoD Organizations audit internal user and group usage for permissions and revoke permissions when possible. This activity includes the revocation and/or decommission of excess permissions and access for application/service-based identities and groups. Where possible static privileged users are decommissioned or reduced permissions preparing for future rule/dynamic based access.

Outcomes:
- Applications updated to deny by default to functions/data requiring specific roles/attributes for access
- Reduced default permissions levels are implemented
- Applications/services have reviewed/audited all privileged users and removed those users who don't need that level of access
Microsoft Entra ID
Review and restrict default user and guest permissions in Microsoft Entra ID. Restrict user consent to applications and review current consent in your organization.
- Default user permissions
- Restrict user consent permissions

Microsoft Entra applications
Access to Microsoft Entra apps is denied by default. Microsoft Entra ID verifies entitlements and applies Conditional Access policies to authorize resource access.
- Integrate apps
- App integration

Microsoft Entra ID Governance
Use the entitlement management identity governance feature to manage identity and access lifecycles. Find automated access request workflows, access assignments, reviews, and expiration.
- Entitlement management
- Access reviews

Custom roles
Use Microsoft Entra ID built-in roles for resource management. However, if roles don’t meet organizational needs, or to minimize privileges for your administrative users, create a custom role. Grant custom roles granular permissions to manage users, groups, devices, applications and more.
- Custom roles

Administrative units
An administrative unit is a Microsoft Entra resource that contains other Microsoft Entra resources, such as users, groups, or devices. Use administrative units to delegate permissions to a subset of administrators, based on organizational structure.
- Administrative units
- Restricted management administrative units
- Create or delete administrative units

Privileged Identity Mangement
Use PIM Discovery and Insights to manage privileges and reduce the number of administrators. Configure PIM alerts when privileged roles are assigned outside PIM.
- Privileged access for hybrid and cloud
- Security alerts for Microsoft Entra roles
- Security alerts for Azure roles

Microsoft Defender for Cloud Apps
Review permissions granted to applications. Investigate risky OAuth applications in Defender for Cloud Apps.
- Review permissions granted to apps
- Investigate risky OAuth apps

Microsoft Sentinel
Use PIM to assign Azure roles for Sentinel access and periodically audit queries and activities.
- Audit queries and activities

1.8 Continuous authentication

Microsoft Entra ID uses short- and long-lived tokens to authenticate users periodically to applications and services that Microsoft Entra protects. Microsoft Entra ID has the Continuous access evaluation (CAE) mechanism to improve the standard protocol. The policy engine responds to environmental changes in near-real-time and enforces adaptive access policies.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.8.1 Single Authentication
DoD Organizations employ basic authentication processes to authenticate users and NPEs at least once per session (e.g., logon). Importantly users being authenticated are managed by the parallel activity "Organizational MFA/IDP" with the Organizational Identity Provider (IdP) versus using application/service-based identities and groups.

Outcome:
- Authentication Implemented across applications per session
Microsoft Entra ID
Microsoft Entra ID is a centralized identity provider (IdP) that facilitates single sign-on (SSO) between Microsoft cloud applications and applications your organization uses.
- Microsoft Entra ID

Single sign-on
The single sign-on (SSO) authentication method allows users to use their Microsoft Entra ID credentials to authenticate applications and services. The apps can be SaaS, custom line-of-business applications, or on-premises applications. Use Microsoft Entra authentication and Zero Trust capabilities to enable secure and easy access to applications.
- What is SSO?
- Microsoft Entra integrations with authentication protocols

Microsoft Entra app provisioning
Microsoft Entra app provisioning creates, updates, and removes user, roles, and groups in SaaS applications, and custom or on-premises applications. Use Microsoft Entra ID as the centralized identity source for apps. Minimize application or service identities and users.
- Automated provisioning
- App provisioning

Microsoft Entra ID Workload
Service Principals and managed identities are nonperson entity (NPE) identities in Microsoft Entra. Use Service Principals for automated (non-interactive) access to APIs protected by Microsoft Entra.
- Workload identities
- Service Principals in Microsoft Entra ID

Target 1.8.2 Periodic Authentication
DoD Organizations enable period authentication requirements for applications and services. Traditionally these are based on duration and/or duration timeout but other period-based analytics can be used to mandate re-authentication of user sessions.

Outcome:
- Authentication implemented multiple times per session based on security attributes
Microsoft Entra applications
Microsoft Entra applications automatically manage session refresh without user interaction.

See Microsoft guidance in 1.8.1.

Conditional Access
Configure the sign-in frequency session control in Conditional Access to re-authenticate user sessions. Use the feature when sign-ins are risky, or a user device is unmanaged or non-compliant.
- Configure authentication session management
- Access policies in Defender for Cloud Apps
Advanced 1.8.3 Continuous Authentication Pt1
DoD Organizations’ applications/service utilize multiple session authentications based on security attributes and access requested. Privilege changes and associational transaction requests required additional levels of authentication such as Multi-Factor Authentication (MFA) pushes to users.

Outcome:
- Transaction authentication implemented per session based on security attributes
Continuous access evaluation
CAE is based on an OpenID standard that improves time-based token expiration and refresh mechanisms to achieve a timelier response to policy violations. CAE requires a fresh access token in response to critical events, like a user moving from a trusted network location to one that’s untrusted. Implement CAE with client applications and the back-end service APIs.
- Continuous access evaluation
- Critical event evaluations

Microsoft Office applications that use Microsoft Graph API, Outlook Online API, and SharePoint Online API support CAE. Develop applications with the latest Microsoft Authentication Libraries (MSAL) to access CAE-enabled APIs.
- CAE for Microsoft 365
- CAE enabled APIs in apps

Conditional Access
Define and use Conditional Access authentication context to protect sensitive SharePoint sites, Microsoft Teams, Microsoft Defender for Cloud Apps protected applications, PIM role activation, and custom applications.
- Authentication context
- Policy for SharePoint sites and OneDrive
- Session policies in Defender for Cloud Apps
- Require authentication context for PIM roles
- Authentication context guidance

Use protected actions to add another layer of protection when administrators perform actions requiring highly privileged permissions in Microsoft Entra ID, like manage Conditional Access policies and cross-tenant access settings. Protect user actions like registering security info and joining devices.
- Protected actions
- Target resource

Privileged Identity Management
Require authentication context for PIM role activation.

See Microsoft guidance in 1.4.4.

Advanced1.8.4 Continuous Authentication Pt2
DoD Organizations continue usage of transaction-based authentication to include integration such as user patterns.

Outcome:
- Transaction authentication implemented per session based on security attributes, including user patterns
Microsoft Entra ID Protection
When Microsoft Entra ID Protection detects anomalous, suspicious, or risky behavior, the user risk level increases. Create Conditional Access policies using risk conditions, increasing protections with risk level.
- Risk detections

See Microsoft guidance in 1.3.3.

Continuous access evaluation
Risk level increase is a critical CAE event. Services that implement CAE, for example Exchange Online API, require the client (Outlook), to re-authenticate for the next transaction. Conditional Access policies for the increased risk level are satisfied before Microsoft Entra ID issues a new access token for Exchange Online access.
- Critical event evaluation

1.9 Integrated ICAM platform

Microsoft Entra ID supports certificate authentication with certificates issued by an external public key infrastructure (PKI) for user and nonperson entities (NPE). NPEs in Microsoft Entra ID are application and device identities. Microsoft Entra External ID cross-tenant access settings help multitenant organizations, like the DoD, collaborate seamlessly across tenants.

DoD Activity Description and Outcome Microsoft guidance and recommendations
Target 1.9.1 Enterprise PKI/IDP Pt1
The DoD Enterprise works with Organizations to implement Enterprise Public Key Infrastructure (PKI) and Identity Provider (IdP) solutions in a centralized and/or federated fashion. The Enterprise PKI solution utilizes a single or set of Enterprise level Root Certificate Authorities (CA) which can then be trusted by Organizations to build Intermediate CA’s off. The Identity Provider solution may either be a single solution or federated set of Organizational IdPs with standard level of access across Organizations and standardized set of attributes. Organizations’ IdPs and PKI Certificated Authorities are integrated with the Enterprise IdP and PKI solutions.

Outcomes:
- Components are using IdP with MFA for all applications/services
- Organizational MFA/PKI integrated with Enterprise MFA/PKI
- Organizational Standardized PKI for all services
Microsoft Entra ID authentication methods
Use authentication methods policy in Microsoft Entra ID to control user authentication methods.
- Microsoft Entra CBA

See Microsoft guidance in 1.3.1.

Authentication strength
Use authentication strength to control user access to resources.
- Authentication strength

Microsoft Entra External ID
Configure cross-tenant access for DoD Microsoft Entra ID tenants. Use trust settings to accept MFA and compliant device claims for external identities from trusted DoD tenants.
- Cross-tenant access

Application management policy
The tenant app management policy is a framework to implement security best practices for applications in the tenant. Use the policy to restrict application credentials to certificates issued by a trusted PKI.

To create a certificate chain of trust, add a new certificate authority (CA) collection to intermediate and root CA certificates for your enterprise PKI.
- certificateBasedApplicationConfiguration resource type

To create an application management policy to require certificates issued by trusted CAs, configure restrictions to disallow passwordAddition and require trustedCertificateauthority. Specify the trusted CA collection ID you created.
- App authentication methods API

Microsoft Intune
Intune supports private and public-key cryptography standards (PKCS) certificates.
- PKCS certificates
Advanced 1.9.2 Enterprise PKI/IDP Pt2
DoD Organizations enable Biometric support in the Identity Provider (IdP) for mission/task-critical applications and services as appropriate. Biometric functionality is moved from Organizational solutions to the enterprise. Organizational Multi-Factor (MFA) and Public Key Infrastructure (PKI) is decommissioned and migrated to the Enterprise as appropriate.

Outcomes:
- Critical Organizational Services Integrated w/ Biometrics
- Decommission organizational MFA/PKI as appropriate in lieu of enterprise MFA/PKI
- Enterprise Biometric Functions Implemented
Microsoft Entra ID
Microsoft supports biometrics in several components compatible with Microsoft Entra ID authentication.

Authentication methods
Microsoft Entra ID supports hardware passkeys (FIDO2 security keys) that use presence or fingerprint.
- FIDO security keys

Windows Hello for Business
Windows Hello for Business uses biometric gestures like fingerprint and face scan.
- Identity protection profile settings

MacOS
MacOS devices have biometrics, like Touch ID, to sign in with a device-bound credential.
- SSO plug-in for Apple devices

Microsoft Authenticator
Mobile devices and Authenticator use touch and face for passwordless authentication. Passkey support is another phishing-resistant authentication method in Authenticator.
- Authenticator
- Passwordless sign-in
- Enhanced phishing-resistant authentication

Advanced 1.9.3 Enterprise PKI/IDP Pt3
DoD Organizations integrate the remaining applications/services with Biometrics functionalities. Alternative Multi-Factor (MFA) tokens can be used.

Outcome:
- All Organizational Services Integrate w/ Biometrics

Microsoft Entra Verified ID
Decentralized identity scenarios using Verified ID can require face verification upon credential presentation.
- Verfied ID
- Face Check

Next steps

Configure Microsoft cloud services for the DoD Zero Trust Strategy: