This post provides practical, actionable configurations for Active Directory (AD), Azure AD and Identity & Access Management (IAM) to help small businesses meet the requirements of FAR 52.204‑21 and CMMC 2.0 Level 1 control AC.L1‑B.1.II — focusing on authenticating and authorizing users, documenting evidence, and implementing lightweight operational controls.
Implementation overview — what AC.L1‑B.1.II expects
At a high level, AC.L1‑B.1.II requires that only authorized users can access contractor systems and that accounts are identified and managed. For a small business this translates into: unique user identities, basic password and lockout controls, multi‑factor authentication for external access, least privilege role assignments, controlled service accounts, and logging that proves the controls are in place. Evidence should be exportable (GPO backups, Azure AD reports, IAM role assignments, sign‑in logs) for audit or post‑award inspection.
On‑prem Active Directory — concrete settings and examples
For organizations with on‑prem AD, implement and document domain‑level policies in the Default Domain Policy or a clearly named GPO. Recommended baseline values (suitable for Level 1 / FAR basic safeguarding): minimum password length 12, password complexity enabled, maximum password age 365 days (or shorter if desired), account lockout threshold 5 invalid attempts, lockout duration 30 minutes. Example PowerShell to set core domain policy (requires RSAT/AD module):
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.local" -MinPasswordLength 12 -ComplexityEnabled $true -MaxPasswordAge 365.00:00:00 -LockoutThreshold 5 -LockoutDuration 00:30:00
Other practical AD controls: create organizational units (OUs) for service accounts (e.g., OU=ServiceAccounts,OU=Accounts,DC=yourdomain,DC=local) and apply a GPO that disables interactive logon for these accounts; use Group Policy to require smart card logon where available; and enable auditing for "Account Logon" and "Account Management" via Advanced Audit Policy Configuration. Collect evidence by exporting the GPO XML and a list of privileged groups (Domain Admins, Enterprise Admins) using:
Get-GPO -Name "Default Domain Policy" | Get-GPOReport -ReportType XML -Path .\DefaultDomainPolicy.xml
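The following script is an added example (not from the original post) that checks the effective domain policy against the baseline values above and produces the GPO and privileged-group evidence in one dated folder. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the baseline lives in the Default Domain Policy; rename that GPO if you use a dedicated one.

```powershell
# Added example: verify the on-prem baseline and export audit evidence.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$EvidenceDir = Join-Path $PWD ("AD-Evidence-" + (Get-Date -Format 'yyyyMMdd'))
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Baseline values recommended in the post.
$Baseline = @{
    MinPasswordLength = 12
    ComplexityEnabled = $true
    MaxPasswordAge    = [TimeSpan]::FromDays(365)
    LockoutThreshold  = 5
    LockoutDuration   = [TimeSpan]::FromMinutes(30)
}

# Compare the effective default domain policy against the baseline, one row per setting.
$Policy = Get-ADDefaultDomainPasswordPolicy
$Check = foreach ($Name in $Baseline.Keys) {
    $Actual = $Policy.$Name
    $Pass = switch ($Name) {
        'MinPasswordLength' { $Actual -ge $Baseline[$Name] }
        'LockoutThreshold'  { $Actual -gt 0 -and $Actual -le $Baseline[$Name] }   # 0 = never lock out
        'MaxPasswordAge'    { $Actual -gt [TimeSpan]::Zero -and $Actual -le $Baseline[$Name] }
        'LockoutDuration'   { $Actual -ge $Baseline[$Name] }
        default             { $Actual -eq $Baseline[$Name] }
    }
    [pscustomobject]@{ Setting = $Name; Expected = "$($Baseline[$Name])"; Actual = "$Actual"; Pass = $Pass }
}
$Check | Export-Csv -Path (Join-Path $EvidenceDir 'PasswordPolicyCheck.csv') -NoTypeInformation
$Check | Format-Table -AutoSize

# Privileged group membership, expanded through nested groups, as a dated CSV.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Members = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object {
        [pscustomobject]@{ Group = $Group; Member = $_.SamAccountName; Class = $_.objectClass }
    }
}
$Members | Export-Csv -Path (Join-Path $EvidenceDir 'PrivilegedGroups.csv') -NoTypeInformation

# GPO report for the policy that carries the baseline (assumption: Default Domain Policy).
Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml -Path (Join-Path $EvidenceDir 'DefaultDomainPolicy.xml')
```

A Pass value of False in PasswordPolicyCheck.csv is the finding to fix before an inspection; the CSVs and XML together are the evidence set the post describes.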
Azure AD — quick wins and configuration steps
For cloud or hybrid environments, Azure AD is often the primary identity plane. For small businesses the fastest, lowest‑risk approach is to enable Security Defaults (which enforces MFA for admins and blocks legacy auth) or, if you have a paid license, implement Conditional Access policies that: require MFA for all interactive sign‑ins from outside the corporate network, block legacy authentication protocols, and require compliant or joined devices to access sensitive apps. Create a Conditional Access policy that targets "All Users" but exclude one break‑glass admin account which is monitored and locked down.
Useful Azure actions and evidence: enable Sign‑in logs retention for at least 90 days (or export to a storage account/Log Analytics workspace). To show auditors you met the requirement, export a sign‑in report CSV and a JSON of Conditional Access policies from the Azure portal or via PowerShell/Graph. Example Azure CLI to create a custom RBAC role (used when built‑ins are too broad):
az role definition create --role-definition role.json
Here role.json spells out the exact allowed actions for the custom role, so you are not falling back on the broad built-in Owner or Contributor roles.
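As an added example (not from the original post), this script creates the two Conditional Access policies described above with the Microsoft Graph PowerShell SDK and exports every policy in the tenant as JSON evidence. It assumes an Entra ID P1/P2 licence, the Microsoft.Graph module, and that the break-glass account named in $BreakGlassUpn already exists; the policies are created in report-only mode so the sign-in logs show their impact before you switch them to enabled.

```powershell
# Added example: create MFA and legacy-auth Conditional Access policies, then export evidence.
# Assumes Microsoft.Graph modules installed and an admin with the scopes below.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

$BreakGlassUpn = 'breakglass@yourdomain.onmicrosoft.com'   # assumption: replace with your account
$BreakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id

# Policy 1: MFA for all interactive sign-ins from outside trusted named locations.
$MfaPolicy = @{
    DisplayName   = 'CMMC L1 - Require MFA outside trusted locations'
    State         = 'enabledForReportingButNotEnforced'   # report-only until reviewed
    Conditions    = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @($BreakGlass.Id) }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        Locations      = @{ IncludeLocations = @('All'); ExcludeLocations = @('AllTrusted') }
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}

# Policy 2: block legacy authentication protocols, which cannot perform MFA.
$LegacyPolicy = @{
    DisplayName   = 'CMMC L1 - Block legacy authentication'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @($BreakGlass.Id) }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}

foreach ($Policy in $MfaPolicy, $LegacyPolicy) {
    $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host "Created '$($Created.DisplayName)' ($($Created.Id)) in state $($Created.State)"
}

# Evidence: full JSON export of every Conditional Access policy in the tenant.
Get-MgIdentityConditionalAccessPolicy |
    ConvertTo-Json -Depth 10 |
    Set-Content -Path ("ConditionalAccessPolicies-" + (Get-Date -Format 'yyyyMMdd') + ".json")
```

Re-run the final export after each policy change and keep the dated files; the break-glass exclusion is visible in the JSON, which is what an assessor will ask about.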
IAM and account lifecycle — least privilege, service accounts, and onboarding/offboarding
IAM is the glue that enforces AC.L1 controls. Practical steps include: implement least‑privilege by creating role groups (e.g., "AppReadOnly", "AppOperator") instead of assigning users to broad roles; avoid shared accounts — if a shared service account is unavoidable, track it in an inventory and rotate its credentials monthly. Where available use Managed Service Accounts (gMSA) for Windows services or Managed Identities for Azure resources to remove static credentials. Document onboarding/offboarding procedures in a single spreadsheet or ticketing system that records account creation date, assigned groups, approver name, and evidence of account removal within X days after termination.
Small businesses can leverage free/low‑cost tools: use Azure AD Free Security Defaults if you don't have Conditional Access, use Microsoft Entra ID logs exported to Log Analytics with a basic tier for centralized retention, and use native AD tools (PowerShell scripts) for automated disabled account cleanup. Evidence artifacts: the onboarding/offboarding log, group membership export (Get-ADGroupMember), and rotation records for service account passwords (store hashes of password change events or change dates).
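The script below is an added example (not from the original post) of the automated disabled-account cleanup and the offboarding verification described above, each writing a dated CSV that doubles as the evidence artifact. It assumes the ActiveDirectory module, the service-account OU named earlier in the post, and a 90-day inactivity threshold (an assumption; pick the value your procedure documents).

```powershell
# Added example: stale-account cleanup plus an offboarding check with CSV evidence.
# Assumes RSAT ActiveDirectory module; $ServiceAccountOU is the OU from the post.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=ServiceAccounts,OU=Accounts,DC=yourdomain,DC=local'
$InactiveDays     = 90                                   # assumption: your documented threshold
$EvidenceDir      = Join-Path $PWD 'IAM-Evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd'

# 1. Disable enabled user accounts that have not signed in for $InactiveDays days.
#    Service accounts are excluded; they are tracked in the inventory instead.
$Stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$ServiceAccountOU" }

$Actions = foreach ($Account in $Stale) {
    Disable-ADAccount -Identity $Account.DistinguishedName
    Set-ADUser -Identity $Account.DistinguishedName -Description "Disabled $Stamp: inactive > $InactiveDays days"
    [pscustomobject]@{ Date = $Stamp; Action = 'DisabledInactive'; SamAccountName = $Account.SamAccountName; LastLogon = $Account.LastLogonDate }
}
$Actions | Export-Csv -Path (Join-Path $EvidenceDir "StaleAccountCleanup-$Stamp.csv") -NoTypeInformation

# 2. Offboarding verification: prove a terminated user's account is deleted, or is
#    disabled with no remaining group memberships (primary group excluded by MemberOf).
function Test-Offboarding {
    param([Parameter(Mandatory)][string]$SamAccountName)
    try   { $User = Get-ADUser -Identity $SamAccountName -Properties MemberOf }
    catch { $User = $null }                               # not found = deleted
    if (-not $User) {
        return [pscustomobject]@{ SamAccountName = $SamAccountName; Status = 'Deleted'; RemainingGroups = 0; Pass = $true; CheckedOn = $Stamp }
    }
    $Groups = @($User.MemberOf).Count
    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        Status          = if ($User.Enabled) { 'StillEnabled' } else { 'Disabled' }
        RemainingGroups = $Groups
        Pass            = (-not $User.Enabled) -and ($Groups -eq 0)
        CheckedOn       = $Stamp
    }
}

# Quarterly test from the post: offboard a test user, then record the check result.
Test-Offboarding -SamAccountName 'offboard.test' |   # assumption: your test user
    Export-Csv -Path (Join-Path $EvidenceDir "OffboardingCheck-$Stamp.csv") -NoTypeInformation -Append
```

Run step 1 on a schedule and keep every dated CSV; a Pass of False from Test-Offboarding is a gap in the offboarding procedure itself, not just in the one account.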
Monitoring, logging, and proof for auditors
Auditors will want proof that controls are working. Capture and retain: GPO backups, Conditional Access policy exports, Azure AD sign‑in logs, AD security event exports (event IDs for logon failures and successes), and IAM role assignment reports. A simple EDR or SIEM is beneficial but not required for Level 1 — centralizing logs to Azure Log Analytics or a single syslog server simplifies evidence collection. Define a retention policy (e.g., 90 days) and document it in your Compliance Framework artifacts.
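As an added example (not from the original post), this script exports the AD security events that evidence the logon and account-management controls for the retention window and summarises them. It assumes it runs on a domain controller with the Advanced Audit Policy categories named above enabled, and uses the standard Windows Security log event IDs listed in the table inside the script.

```powershell
# Added example: export and summarise Security events that prove AC.L1 controls.
# Assumes execution on a DC with Account Logon / Account Management auditing enabled.
$RetentionDays = 90                                  # retention policy from the post
$Stamp = Get-Date -Format 'yyyyMMdd'

# Windows Security log event IDs and what each one evidences.
$EventIds = @{
    4624 = 'Successful logon'
    4625 = 'Failed logon'
    4740 = 'Account locked out'
    4720 = 'User account created'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
}

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$EventIds.Keys
    StartTime = (Get-Date).AddDays(-$RetentionDays)
} -ErrorAction SilentlyContinue

# Flatten the EventData fields that matter for evidence into one row per event.
$Rows = foreach ($E in $Events) {
    $Xml  = [xml]$E.ToXml()
    $Data = @{}
    foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
    [pscustomobject]@{
        Time          = $E.TimeCreated
        Id            = $E.Id
        Meaning       = $EventIds[$E.Id]
        TargetAccount = $Data['TargetUserName']
        Subject       = $Data['SubjectUserName']
        SourceIp      = $Data['IpAddress']
    }
}
$Rows | Export-Csv -Path "SecurityEvents-$Stamp.csv" -NoTypeInformation

# Summary for the evidence log: counts per event ID, then the top sources of failed logons.
$Rows | Group-Object Id |
    Select-Object @{ n = 'Id'; e = { $_.Name } }, Count, @{ n = 'Meaning'; e = { $EventIds[[int]$_.Name] } } |
    Format-Table -AutoSize
$Rows | Where-Object Id -eq 4625 | Group-Object SourceIp |
    Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

On a busy domain controller 4624 volume over 90 days is large; shorten the window for the local export and rely on the central Log Analytics or syslog copy the post recommends for full retention.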
Real‑world small business scenarios
Example 1 — 25‑person engineering firm with hybrid AD: enable Security Defaults, apply the AD GPO password/lockout baseline, create a "PrivAdmins" AD group with only 2 members, export GPO and AD group membership weekly, and document onboarding/offboarding in a shared spreadsheet. Example 2 — cloud‑only MSP with Azure subscriptions: enforce Conditional Access MFA for all interactive logins, block legacy auth, use Managed Identities for Azure functions, and rotate service principal secrets using an Azure Key Vault policy and automation runbooks. These are low‑cost, practical measures that meet FAR/CMMC Level 1 expectations.
Risks of not implementing these controls and best practices
If these controls are not implemented, risks include unauthorized access to contractor systems and potential exposure of Federal Contract Information (FCI), which can result in contract penalties, loss of contract eligibility, reputational damage, and downstream supply chain impacts. Best practices: maintain single unique identities, enforce MFA at every external login point, limit administrative membership to a strict list with documented approval, automate evidence collection, and test your offboarding process quarterly by removing a test user and verifying account termination and access removal.
Summary: for FAR 52.204‑21 and CMMC 2.0 Level 1 / AC.L1‑B.1.II you don't need enterprise‑scale tooling — you need well‑documented, enforced identity controls across AD, Azure AD and IAM. Implement domain GPO baselines, enable MFA/Conditional Access, use least privilege and managed identities for service accounts, centralize logging and retention, and produce exportable evidence (GPO XML, sign‑in logs, group membership reports, onboarding/offboarding records) to demonstrate compliance.