Requirement
AC.L2-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
This control comes from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2.
Understanding the Requirement
This control requires you to explicitly identify who (users), what (processes or service accounts acting for users), and which (devices and systems) may access your environment, and to prevent access by anything not on those authorized lists. In practice, that means cataloging authorized users, workload identities, and devices; enforcing access so only those authorized subjects can connect; and regularly reviewing and updating authorizations as people change roles, scripts evolve, and devices are added or decommissioned.
Policies and Procedures Needed
Document policies for user onboarding and offboarding, including who can request and approve accounts and how to disable them at termination. Define standards for service accounts and workload identities (who can create them, required approvals, permissions, credential management). Establish device authorization rules (corporate-owned enrollment, bring-your-own-device allowances, and compliance requirements). Implement recurring access reviews for users, groups, guests, and privileged roles. Include procedures for emergency access, account change logging, and periodic reconciliation of accounts and devices against HR and asset records.
Technical Implementation in Microsoft 365
- Authorize and provision users in Entra ID (Azure AD): Provision accounts only against an approved IT ticket, and assign the built-in Entra ID roles sparingly; privileged roles belong on separate admin accounts, not on daily-use identities. Use security groups to represent authorized access and assign apps via groups so that access follows membership. For offboarding, work from a checklist: disable the account, revoke sign-in sessions (this invalidates refresh tokens; access tokens already issued stay valid until they expire, typically up to an hour, unless the client supports continuous access evaluation), and remove group memberships at the effective termination time.
- Enforce access with Conditional Access: Create policies that require multi-factor authentication and a compliant device for high-value apps (Exchange Online, SharePoint, Teams, admin portals). Block legacy authentication globally, because those protocols cannot satisfy an MFA requirement. Restrict access to trusted locations if appropriate. Exclude only a monitored break-glass account, and roll each new policy out in report-only mode first so the Sign-in logs show what it would have blocked before it is enforced.
- Authorize devices with Intune: Require device enrollment into Intune for corporate access. Configure device compliance policies (e.g., encryption on, passcode/Hello for Business, no jailbreak/root). Use enrollment restrictions and corporate identifiers (serial/IMEI/Autopilot) to limit enrollment to corporate devices where possible. Combine with the Conditional Access "Require compliant device" control to block personal or unmanaged devices.
- Control processes with workload identities: For scripts and automations, create app registrations (service principals) in Entra ID and grant only the Microsoft Graph or application permissions the job needs, through admin consent rather than by borrowing a user's delegated rights. Prefer certificate credentials to client secrets, keep the private key off the script itself, and give credentials an expiry so they get rotated. Conditional Access for workload identities (a separately licensed Workload Identities Premium feature) can restrict where service principals may sign in from; monitor their sign-ins either way.
- Review and attest access regularly: Use Entra ID Access Reviews (a Microsoft Entra ID P2 / ID Governance feature) to re-certify group memberships, especially privileged roles and app access, and to remove inactive guests. Schedule quarterly reviews for user groups tied to sensitive applications and for service principals' permissions. Tenants without that license can export group membership and app role assignments with Graph PowerShell and have group owners sign off on the export.
- Monitor and respond using Audit and Sign-in logs: Review Entra ID Audit and Sign-in logs to detect successful sign-ins from unmanaged devices, denied Conditional Access events, sign-ins where no policy applied at all, and anomalous user or workload activity. Entra ID P1 retains sign-in logs for 30 days, so forward them to Log Analytics or a SIEM for longer retention and alerting. Use Identity Protection risk policies, if licensed (Entra ID P2), to auto-remediate risky sign-ins with MFA or block until investigated.
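The offboarding checklist above (disable, revoke sessions, remove group memberships, log the change) as a Microsoft Graph PowerShell script. This is an added example and not code from the original page; it assumes the Microsoft.Graph modules are installed, the operator signs in interactively with the delegated scopes shown, and the user and ticket identifiers in the usage line are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
# Added example (not from the original page). Assumes an operator holding
# User Administrator and Groups Administrator (or equivalent) and an
# HR-issued ticket id for the change log. Run with -WhatIf first.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All', 'Directory.Read.All'

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $TicketId       # offboarding ticket, recorded in the output
    )

    $user    = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
    $removed = [System.Collections.Generic.List[string]]::new()
    $skipped = [System.Collections.Generic.List[string]]::new()

    # 1. Stop new sign-ins: a disabled account fails authentication immediately.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable account')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # 2. Invalidate refresh tokens and session cookies. Access tokens already
    #    issued remain valid until expiry (up to about an hour) unless the client
    #    supports continuous access evaluation, so disable first, then revoke.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    }

    # 3. Remove assigned group memberships so group-based app and data access ends now.
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    foreach ($g in $groups) {
        $name = $g.AdditionalProperties['displayName']
        # Dynamic groups are recalculated by the service; members cannot be removed by hand.
        if ($g.AdditionalProperties['groupTypes'] -contains 'DynamicMembership') {
            $skipped.Add("$name (dynamic; drops out once the rule no longer matches)")
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, "Remove $($user.UserPrincipalName)")) {
            try {
                Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
                $removed.Add($name)
            } catch {
                # Typical causes: group synced from on-premises AD (fix it there), or a
                # role-assignable group that needs RoleManagement.ReadWrite.Directory.
                $skipped.Add("$name ($($_.Exception.Message))")
            }
        }
    }

    # 4. Emit the record the account-change log procedure asks for.
    [pscustomobject]@{
        Ticket        = $TicketId
        User          = $user.UserPrincipalName
        DisabledAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        RemovedGroups = $removed
        Skipped       = $skipped
        Operator      = (Get-MgContext).Account
    }
}

# Usage with a hypothetical user and ticket; drop -WhatIf to apply the changes.
Disable-DepartedUser -UserPrincipalName 'jdoe@contoso.com' -TicketId 'HR-2025-0142' -WhatIf
```

Intune retirement or wipe of the departing user's devices is a separate step (the Intune cmdlets live in Microsoft.Graph.DeviceManagement), and anything the user owned, such as Teams or SharePoint sites, should be reassigned before the account is deleted after the retention period.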
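The two Conditional Access policies the enforcement item describes (MFA plus compliant device for Office 365 and the admin portals, and a global block on legacy authentication), created in report-only mode with a break-glass exclusion. Added example, not from the original page; it assumes a Conditional Access Administrator signing in with the scopes shown and a break-glass account whose UPN is hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
# Added example (not from the original page). The break-glass UPN is hypothetical;
# 'Office365' and 'MicrosoftAdminPortals' are well-known application identifiers
# accepted by the Conditional Access API.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

$breakGlassId = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id
if (-not $breakGlassId) { throw 'Break-glass account not found; refusing to create policies without the exclusion.' }

# Policy 1: MFA and an Intune-compliant device for Office 365 workloads and admin portals.
$requireMfaAndDevice = @{
    displayName = 'CA01 Require MFA and compliant device'
    state       = 'enabledForReportingButNotEnforced'   # report-only; change to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('Office365', 'MicrosoftAdminPortals') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}

# Policy 2: block legacy authentication for every app. These client types cannot
# prompt for MFA, so policy 1 would never get a chance to challenge them.
$blockLegacyAuth = @{
    displayName = 'CA02 Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireMfaAndDevice, $blockLegacyAuth) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
}

# Review the report-only results in the Sign-in logs, then enforce each policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -BodyParameter @{ state = 'enabled' }
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Keeping the break-glass account out of both policies is only safe because the page's design has that account monitored; an alert on any sign-in by it is the compensating control.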
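A workload identity set up the way the "processes" item prescribes: an app registration with a certificate credential instead of a client secret, and exactly one Microsoft Graph application role granted by admin consent. Added example, not from the original page; it assumes Windows (New-SelfSignedCertificate comes from the PKI module), an administrator able to grant Graph application permissions, and a nightly job that only manages group membership. The application name and certificate subject are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example (not from the original page). Assumes a Global Administrator or
# Privileged Role Administrator for the consent step; app name is hypothetical.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

# 1. Key pair stays on the job host (non-exportable); only the public part goes to Entra ID.
#    A Key Vault or HSM-backed certificate is the better choice in production.
$cert = New-SelfSignedCertificate -Subject 'CN=TeamsMembershipSync' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeySpec Signature -KeyLength 2048 `
    -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddMonths(12)

# 2. App registration with a certificate credential and no client secret.
$app = New-MgApplication -DisplayName 'TeamsMembershipSync' -SignInAudience 'AzureADMyOrg' `
    -KeyCredentials @(@{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $cert.RawData; DisplayName = 'sync-cert' })
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Least privilege: one application role on Microsoft Graph. Creating the app role
#    assignment is the admin consent; nothing in Directory.* or User.* is granted.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object {
    $_.Value -eq 'GroupMember.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# 4. What the nightly job does: app-only sign-in with the certificate thumbprint,
#    so no secret ever sits in the script. A freshly created app can take a minute
#    to replicate; retry if the first sign-in is rejected.
$tenantId = (Get-MgContext).TenantId
Disconnect-MgGraph | Out-Null
Connect-MgGraph -ClientId $app.AppId -TenantId $tenantId -CertificateThumbprint $cert.Thumbprint
Get-MgContext | Select-Object AuthType, ClientId, Scopes    # AuthType AppOnly; Scopes shows only GroupMember.ReadWrite.All

# Inventory for the quarterly review: which app roles does this workload identity hold?
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | Select-Object ResourceDisplayName, AppRoleId
```

The certificate's NotAfter date doubles as the rotation deadline; put it in the service account standard so the expiry is tracked rather than discovered when the job fails. Sign-ins by this identity appear in the service principal sign-in logs, not in the user sign-in logs.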
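Triage logic for the Sign-in logs, run here over constructed records shaped like Microsoft Graph v1.0 signIn objects so it works offline. Added example, not from the original page; the users, apps and addresses in the sample are made up, and the live pipeline in the trailing comment assumes the AuditLog.Read.All scope and Entra ID P1 for API access to the logs.

```powershell
# Added example (not from the original page). The JSON below is constructed sample
# data in the Graph v1.0 signIn shape; Get-MgAuditLogSignIn output has the same
# property names (PowerShell property access is case-insensitive).

$sampleSignIns = @'
[
  {"createdDateTime":"2025-03-03T08:02:11Z","userPrincipalName":"alice@contoso.com","appDisplayName":"Exchange Online",
   "ipAddress":"203.0.113.10","clientAppUsed":"Browser","conditionalAccessStatus":"success","riskLevelDuringSignIn":"none",
   "status":{"errorCode":0},"deviceDetail":{"isManaged":true,"isCompliant":true,"operatingSystem":"Windows"}},
  {"createdDateTime":"2025-03-03T08:15:42Z","userPrincipalName":"bob@contoso.com","appDisplayName":"SharePoint Online",
   "ipAddress":"198.51.100.7","clientAppUsed":"Browser","conditionalAccessStatus":"failure","riskLevelDuringSignIn":"none",
   "status":{"errorCode":53000},"deviceDetail":{"isManaged":false,"isCompliant":false,"operatingSystem":"Android"}},
  {"createdDateTime":"2025-03-03T09:40:05Z","userPrincipalName":"carol@contoso.com","appDisplayName":"LOB CRM",
   "ipAddress":"198.51.100.9","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","riskLevelDuringSignIn":"none",
   "status":{"errorCode":0},"deviceDetail":{"isManaged":false,"isCompliant":false,"operatingSystem":"MacOs"}},
  {"createdDateTime":"2025-03-03T10:05:59Z","userPrincipalName":"dave@contoso.com","appDisplayName":"Office 365 Exchange Online",
   "ipAddress":"192.0.2.44","clientAppUsed":"IMAP4","conditionalAccessStatus":"notApplied","riskLevelDuringSignIn":"medium",
   "status":{"errorCode":50126},"deviceDetail":{"isManaged":false,"isCompliant":false,"operatingSystem":""}}
]
'@ | ConvertFrom-Json

$modernClients = @('Browser', 'Mobile Apps and Desktop Clients')

function Find-AccessException {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $SignIn)
    process {
        $s  = $SignIn
        $ok = ($s.status.errorCode -eq 0)
        $rules = [System.Collections.Generic.List[string]]::new()

        # Expected deny: the policy worked. Watch the per-user count; a burst means misconfiguration or probing.
        if ($s.conditionalAccessStatus -eq 'failure')             { $rules.Add('CA denied') }
        # Success on an unmanaged device: the compliant-device requirement did not cover this app.
        if ($ok -and $s.deviceDetail.isManaged -ne $true)          { $rules.Add('Success from unmanaged device') }
        # Success with no policy evaluated: the app sits outside every Conditional Access scope.
        if ($ok -and $s.conditionalAccessStatus -eq 'notApplied') { $rules.Add('No CA policy applied') }
        # Legacy protocol, successful or not: the legacy-auth block is missing or still report-only.
        if ($s.clientAppUsed -notin $modernClients)               { $rules.Add("Legacy client: $($s.clientAppUsed)") }
        # Identity Protection risk (populated with Entra ID P2): investigate or let a risk policy remediate.
        if ($s.riskLevelDuringSignIn -in @('medium', 'high'))     { $rules.Add("Risk: $($s.riskLevelDuringSignIn)") }

        foreach ($r in $rules) {
            [pscustomobject]@{
                Rule = $r; Time = $s.createdDateTime; User = $s.userPrincipalName
                App  = $s.appDisplayName; Client = $s.clientAppUsed; Ip = $s.ipAddress; Error = $s.status.errorCode
            }
        }
    }
}

$findings = $sampleSignIns | Find-AccessException
$findings | Format-Table -AutoSize
$findings | Group-Object Rule | Select-Object Name, Count

# Live use for the last 24 hours, after Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All':
# $since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | Find-AccessException
```

On the sample data the function reports nothing for alice, one CA denial for bob, an unmanaged-device success and a no-policy finding for carol (the line-of-business app is not in the Office 365 suite, so the device policy never evaluated it), and a legacy IMAP4 attempt plus a medium-risk flag for dave. The "No CA policy applied" rule is the one that finds authorization gaps rather than policy violations.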
Example in a Small or Medium Business
Contoso Manufacturing has 120 employees and uses Microsoft 365 Business Premium. IT creates a "Corp-Users" group in Entra ID and provisions new hires only after HR submits an approved ticket. Each new account is added to the appropriate groups for email, Teams, and line-of-business apps; contractors are placed into a separate "Contractors" group with limited access. The company enrolls all company laptops and phones into Intune and marks them as corporate. Conditional Access requires MFA and a compliant device for Exchange Online, SharePoint, and Teams, which prevents personal devices from syncing data. A nightly PowerShell job that updates Teams memberships uses an Entra ID app registration with a certificate and only the Graph permissions it needs; its sign-ins are monitored through the Sign-in logs. When an employee leaves, IT disables the account at the effective termination time, revokes sign-in sessions, and wipes the device through Intune. Quarterly, managers complete Access Reviews (licensed on top of Business Premium, whose Entra ID P1 does not include them) to confirm their team's group memberships and to remove any unused guest accounts.
Summary
By defining who, what, and which are authorized, and enforcing those decisions with Entra ID groups and roles, Conditional Access, Intune device compliance, properly scoped workload identities, and ongoing access reviews, an SMB can ensure only approved users, processes, and devices reach company resources. Consistent onboarding/offboarding and service account governance keep authorizations accurate over time, while audit and sign-in monitoring provide the visibility to detect and correct exceptions quickly. Together, these policy and technical controls meet the intent of AC.L2-3.1.1.