
How to Deploy MFA for External Network Nonlocal Maintenance: Azure AD & Okta Implementation Checklist — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.5

Step-by-step checklist to implement phishing-resistant MFA for external nonlocal maintenance to meet NIST SP 800-171 Rev.2 / CMMC 2.0 MA.L2-3.7.5 requirements.

March 30, 2026
5 min read


This post provides a practical, audit-focused checklist and implementation guidance for deploying multifactor authentication (MFA) specifically for external network nonlocal maintenance access—aligned to NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control MA.L2-3.7.5—using Azure AD and Okta as primary identity platforms.

Why MFA for external nonlocal maintenance matters (risks if you don't)

Remote maintenance by third parties (MSPs, vendors, contractors) is a high-risk vector for unauthorized access, lateral movement, and exfiltration of Controlled Unclassified Information (CUI). Without MFA you face credential compromise, replayed sessions, and straightforward account takeover leading to ransomware, supply-chain breaches, and loss of contracts or regulatory penalties. MFA—ideally phishing-resistant factors—reduces the likelihood an attacker using stolen credentials can successfully authenticate into critical systems used for maintenance.

Planning & scoping checklist (Compliance Framework specifics)

Define scope, roles and evidence

1) Identify all nonlocal maintenance activities (VPN access, RDP/SSH to jump hosts, cloud admin consoles, vendor portals).
2) Catalog vendor/contractor identities: guest B2B accounts, native user accounts, service accounts.
3) Map which business systems contain CUI and must be protected under MA.L2-3.7.5.
4) Determine acceptable MFA methods (prioritize FIDO2/WebAuthn, hardware tokens, or vendor-specific push with device binding).
5) Define audit evidence: Conditional Access/Sign-on policy exports, authentication logs, the vendor access register, and vendor contracts acknowledging the MFA requirement.

Azure AD implementation checklist (technical steps)

1) Create a Conditional Access policy named "Require MFA - External Nonlocal Maintenance". Target: the user group(s) for external vendors, privileged maintenance roles, and any service accounts used for remote maintenance.
2) Assign cloud apps: include the management planes (Azure Management, Office 365 admin where applicable) and the SAML/OAuth app used by your VPN (or use Azure AD Application Proxy).
3) Conditions: block legacy authentication clients; set "Client apps" to include browser and mobile/desktop clients; add location conditions if you want to restrict access to specific vendor IP ranges.
4) Grant controls: Require multifactor authentication (and optionally require the device to be marked compliant).
5) Session controls, for the strongest posture: disable persistent browser sessions, set sign-in frequency to re-prompt for MFA before each maintenance shift (e.g., every 8 hours), and enforce "Require reauthentication for sensitive actions".
6) Use Azure AD B2B for partner onboarding so external identities are managed in your tenant and subject to your CA policies.
7) Configure emergency "break glass" accounts excluded from CA, protected by hardware MFA and strict monitoring, and document every use of them.
8) Export the Conditional Access policy and the sign-in logs (Microsoft Sentinel or another SIEM) as audit evidence.
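The policy settings above are easy to get subtly wrong in the portal (report-only state, an OR grant that lets a compliant device stand in for MFA, a one-day sign-in frequency). The following added example, not code from the original post, audits an exported Conditional Access policy in the Microsoft Graph `/identity/conditionalAccess/policies` JSON shape against that checklist; the group id and both sample policies are constructed placeholders.

```python
VENDOR_GROUP = "00000000-0000-0000-0000-00000000aaaa"    # constructed placeholder group object id
LEGACY_CLIENTS = {"exchangeActiveSync", "other", "all"}  # Graph clientAppTypes that admit legacy auth
MAX_SIGNIN_HOURS = 8                                     # re-prompt at least once per maintenance shift

def audit_policy(policy: dict) -> list:
    """Return checklist findings for one Conditional Access policy; an empty list means it passes."""
    findings = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is report-only or disabled")
    if VENDOR_GROUP not in (cond.get("users") or {}).get("includeGroups", []):
        findings.append("external maintenance group is not targeted")
    if LEGACY_CLIENTS & set(cond.get("clientAppTypes", [])):
        findings.append("legacy client app types are in scope; they cannot satisfy MFA")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("OR operator lets a non-MFA control satisfy the policy alone")
    session = policy.get("sessionControls") or {}
    browser = session.get("persistentBrowser") or {}
    if not (browser.get("isEnabled") and browser.get("mode") == "never"):
        findings.append("persistent browser session is not disabled")
    freq = session.get("signInFrequency") or {}
    hours = freq.get("value", 0) * (24 if freq.get("type") == "days" else 1)
    if not freq.get("isEnabled") or not 0 < hours <= MAX_SIGNIN_HOURS:
        findings.append("sign-in frequency is not enforced at %d hours or less" % MAX_SIGNIN_HOURS)
    return findings

# Constructed sample exports (Graph policy shape, trimmed to the fields the checklist needs).
WEAK_POLICY = {  # a first draft with the usual mistakes
    "displayName": "Require MFA - External Nonlocal Maintenance",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeGroups": [VENDOR_GROUP]}, "clientAppTypes": ["all"],
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": 1}},
}
GOOD_POLICY = {  # the checklist applied
    "displayName": "Require MFA - External Nonlocal Maintenance",
    "state": "enabled",
    "conditions": {"users": {"includeGroups": [VENDOR_GROUP]},
                   "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "never"},
                        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 8}},
}
```

Run `audit_policy` over every policy in the export before an assessment; the findings list doubles as the remediation list for the checklist items above.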

Okta implementation checklist (technical steps)

1) Create an Okta Sign-On Policy targeted to a dedicated "External_Maintenance" group.
2) Add a Network Zone for known vendor IPs (and treat all others as untrusted).
3) Require MFA in a sign-on rule using phishing-resistant factors: WebAuthn (FIDO2), YubiKey, or Okta Verify with Push + Device Trust; avoid SMS and voice where possible.
4) For VPN integrations, use Okta as the RADIUS or SAML IdP and enforce MFA in the VPN application's sign-on policy.
5) Enable Adaptive MFA so anomalous signals (new device, new IP, risk scoring) escalate to stronger factors.
6) Forward the Okta System Log to your SIEM for retention, and include Okta's "System Log Export" for auditors.
7) Document factor enrollment status for vendor accounts and revoke device tokens when contracts end.

Network & session hardening for maintenance sessions

Do not grant direct permanent admin access. Require remote maintenance to happen through hardened jump hosts or bastion services (e.g., Azure Bastion or an approved jump server) that themselves require MFA. Implement Just-In-Time (JIT) access workflows (Azure PIM or a ticketed workflow) to limit the maintenance window and scope. Use session recording and command auditing on jump hosts (session recordings for RDP/SSH) and retain logs for your retention period. For SMBs: if you use an MSP, require that the MSP authenticates via your identity provider (B2B) rather than sharing vendor accounts, and require MFA to the jump host before granting access to any production resource.

Operational controls, monitoring, and audit evidence

Operationalize: maintain a vendor access registry (who, why, start/end dates, MFA method), require contractual language enforcing MFA, and perform vendor onboarding and offboarding checklists that include MFA enrollment and device revocation. Configure alerts in your SIEM for MFA bypass attempts, failed MFA challenges, and privileged logins from unexpected regions. For audits, collect: policy exports (Conditional Access & Okta sign-on rules), sign-in logs showing successful MFA for vendor accounts, device inventory showing enrolled keys, and change tickets authorizing maintenance sessions. Regularly (quarterly) test vendor access through tabletop exercises and live penetration tests simulating stolen credentials to validate MFA enforcement.
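The SIEM alerts listed above (MFA bypass, failed MFA challenges, privileged logins from unexpected regions) can be expressed as a small review over exported sign-in records. This added example, not code from the original post, runs that logic over Azure AD sign-in records in the Microsoft Graph `signIn` shape; the vendor UPNs, timestamps and the expected-region set are constructed assumptions, and B2B guests are recognized by the `#EXT#` marker in their UPN.

```python
EXPECTED_REGIONS = {"US"}   # where the MSP's technicians normally work (assumption)
MFA_FAILED_CODE = 500121    # Entra sign-in error: authentication failed during strong auth request
SINGLE_FACTOR = "singleFactorAuthentication"

def is_vendor(upn: str) -> bool:
    """B2B guest UPNs carry '#EXT#'; extend this for native vendor accounts you also register."""
    return "#EXT#" in upn.upper()

def review_signins(events: list) -> list:
    """Map Azure AD sign-in records (Graph 'signIn' shape) to (alert, upn, time) tuples:
    NO_MFA      vendor sign-in succeeded with a single factor (policy gap or bypass)
    MFA_FAILED  the MFA challenge was not satisfied (denied push, wrong code)
    ODD_REGION  success from outside the expected regions"""
    alerts = []
    for e in events:
        upn = e.get("userPrincipalName", "")
        if not is_vendor(upn):
            continue
        code = (e.get("status") or {}).get("errorCode", 0)
        when = e.get("createdDateTime", "")
        if code == MFA_FAILED_CODE:
            alerts.append(("MFA_FAILED", upn, when))
        elif code == 0:
            if e.get("authenticationRequirement") == SINGLE_FACTOR:
                alerts.append(("NO_MFA", upn, when))
            if (e.get("location") or {}).get("countryOrRegion") not in EXPECTED_REGIONS:
                alerts.append(("ODD_REGION", upn, when))
    return alerts

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T08:01:00Z", "userPrincipalName": "tech1_msp.example#EXT#@corp.example",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-02T08:15:00Z", "userPrincipalName": "tech1_msp.example#EXT#@corp.example",
     "status": {"errorCode": 0}, "authenticationRequirement": SINGLE_FACTOR,
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-02T23:40:00Z", "userPrincipalName": "tech2_msp.example#EXT#@corp.example",
     "status": {"errorCode": MFA_FAILED_CODE}, "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-02T23:42:00Z", "userPrincipalName": "tech2_msp.example#EXT#@corp.example",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "RO"}},
    {"createdDateTime": "2026-03-03T09:00:00Z", "userPrincipalName": "alice@corp.example",
     "status": {"errorCode": 0}, "authenticationRequirement": SINGLE_FACTOR,
     "location": {"countryOrRegion": "US"}},
]
```

A NO_MFA hit for a vendor account usually means an application or client type outside the Conditional Access scope, which is exactly the gap an assessor will ask about.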

Small business real-world example

Example: A 50-employee manufacturing company uses an MSP for PLC updates and server patches. The implementation steps they followed:
(1) onboarded MSP technicians as Azure AD B2B guest users in a group "MSP_Techs";
(2) created an Azure Conditional Access policy requiring MFA and blocking legacy auth for that group;
(3) forced maintenance through an Azure Bastion host protected by CA MFA and Intune-compliant device checks;
(4) required the MSP to use FIDO2 tokens for privileged sessions;
(5) logged sign-ins to Microsoft Sentinel and retained 1 year of logs for audits.
Result: the company reduced its vendor-access risk, provided concrete evidence to customers, and met MA.L2-3.7.5 expectations.

Summary: To meet MA.L2-3.7.5 you must require strong, monitored MFA for any external nonlocal maintenance. Implement scoped identity policies (Azure AD Conditional Access and Okta Sign-On/Adaptive MFA), use phishing-resistant factors, enforce access via jump hosts or VPNs with JIT access, and retain logs and documented procedures for audits. Follow the checklist above, prioritize vendor onboarding/offboarding and monitoring, and prefer hardware or FIDO2 factors to minimize the risk of account takeover during maintenance activities.

 
