Requirement
AC.L2-3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
This control comes from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.
Understanding the Requirement
This control requires you to define what each role in your organization is allowed to do and then enforce those limits in your systems. Users should only access the information and functions needed for their job (for example, specific SharePoint sites or applications), and administrative privileges must be restricted to a small set of authorized personnel. In practice, you document allowed transactions/functions by role, implement those permissions using security groups and role assignments, and periodically verify that access matches job duties.
Policies and Procedures Needed
Establish role-based access control (RBAC) in policy, with procedures for onboarding/offboarding, group-based access assignment, and approval workflows. Include device authorization (who can access from what devices), privileged access management, and governance for service accounts and guest users. Define how often access reviews occur, who performs them, and how exceptions are requested, approved, and documented. Require removal of excess access when roles change and formalize incident response if unauthorized access is detected.
Technical Implementation in Microsoft 365
- Model roles with groups in Microsoft Entra ID (formerly Azure AD): Create one security group per role (e.g., HR, Finance, Developers). Use dynamic membership rules on attributes such as department or jobTitle where those attributes are reliably maintained by HR; a stale attribute silently grants or removes access. Assign the groups, not individual users, to Microsoft 365 resources (SharePoint sites, Teams, Planner) and to enterprise app roles so users inherit only the permissions their role requires.
- Enforce least privilege for admins with Entra ID Privileged Identity Management (PIM): Limit administrative roles to the minimum needed (a SharePoint Administrator rather than a Global Administrator, for example) and keep permanent assignments to break-glass accounts. Make everyone else eligible rather than active, and require just-in-time activation with MFA, approval, a justification, and a time-bound activation window. Use PIM access reviews to re-certify eligibility on a schedule and remove unused roles.
- Control application access with Entra ID enterprise app assignments: Assign users or groups to specific SaaS and line-of-business apps and app roles, and turn on "Assignment required" on each enterprise application; without it, assignment only changes what appears in My Apps and any user in the tenant can still sign in. Disable user consent to applications and enable the admin consent workflow so requests are reviewed. Use Conditional Access to require MFA and compliant devices for sensitive apps and to block legacy authentication, which cannot satisfy either control.
- Gate access by device posture with Intune and Conditional Access: Configure Intune device compliance policies (disk encryption, minimum OS version, password or PIN, Defender status). Create Conditional Access policies that allow Microsoft 365 access only from compliant or app-protected devices, require MFA for riskier scenarios, and block sign-ins from locations where you do not operate. Apply stricter policies to privileged roles, and roll out new policies in report-only mode first so you can see who would be blocked before enforcing them.
- Secure data paths by scoping resource permissions: Map SharePoint site permission levels to your Entra ID groups and avoid granting users direct permissions; sharing links and ad hoc sharing create exactly those direct grants, so restrict sharing settings on sensitive sites. Lock down sensitive sites (e.g., HR, Payroll) to dedicated groups and use private Teams where appropriate. Grant mailbox and calendar permissions through groups and audited admin roles rather than per-user delegation.
- Review and monitor access with Access Reviews, Audit Logs, and Identity Protection: Schedule recurring Access Reviews for key groups, apps, and privileged roles, with resource owners as reviewers and a default decision of Deny when a reviewer does not respond. Monitor Entra ID audit logs and the Microsoft 365 unified audit log for group membership changes, role assignments, and site permission modifications, and alert on them. Enable Identity Protection to detect risky sign-ins and users, and pair it with risk-based Conditional Access policies that require MFA or a password reset, or block, depending on the risk level.
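The provisioning side of the steps above, as an added example written for this page with the Microsoft Graph PowerShell SDK (it is not code from the original article or from Microsoft). Hypothetical and assumed: the group names and membership rules, an existing enterprise application named "HR Portal" that exposes an app role with value "HR.User", the break-glass group placeholder, and that the signed-in admin can grant the requested scopes.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. One security group per role. Dynamic membership keys off the HR-mastered
#    department attribute, so joiners, movers and leavers are handled by the rule.
#    Group names and rules are hypothetical.
$roleRules = @{
    "Role-HR"          = '(user.department -eq "HR")'
    "Role-Finance"     = '(user.department -eq "Finance")'
    "Role-Engineering" = '(user.department -eq "Engineering")'
}
$roleGroups = @{}
foreach ($name in $roleRules.Keys) {
    $roleGroups[$name] = New-MgGroup -DisplayName $name -MailNickname $name.ToLower() `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $roleRules[$name] -MembershipRuleProcessingState "On"
}

# 2. Grant the HR role group the "HR.User" app role on the (assumed) "HR Portal" app,
#    then require assignment so users outside the group cannot sign in to the app at all.
$sp      = Get-MgServicePrincipal -Filter "displayName eq 'HR Portal'"
$appRole = $sp.AppRoles | Where-Object { $_.Value -eq "HR.User" }
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $roleGroups["Role-HR"].Id -ResourceId $sp.Id -AppRoleId $appRole.Id
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 3. Conditional Access for the HR Portal: MFA AND a compliant device, scoped to the
#    HR role group. Created in report-only mode; change state to "enabled" once the
#    sign-in logs show no unintended blocks.
$caPolicy = @{
    displayName = "CA-HRPortal-MFA-CompliantDevice"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($roleGroups["Role-HR"].Id) }
        applications   = @{ includeApplications = @($sp.AppId) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 4. Block legacy authentication for everyone (it cannot satisfy MFA or device checks).
#    Exclude the break-glass group so an emergency account is never locked out;
#    "<break-glass-group-id>" is a placeholder for that group's object ID.
$legacyBlock = @{
    displayName = "CA-Block-LegacyAuth"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyBlock
```

Both policies are created in report-only mode on purpose: the Conditional Access Insights workbook and the sign-in log then show which sign-ins would have failed, which is the check to run before flipping `state` to `enabled`. Setting `AppRoleAssignmentRequired` is the step most often missed; without it the group assignment governs visibility in My Apps but not who can authenticate to the application.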
Example in a Small or Medium Business
Contoso Health (120 employees) defines roles for HR, Clinical, Finance, and Engineering and creates matching groups in Entra ID. When two new hires start, one in HR and one as a developer, HR triggers an onboarding workflow that assigns each person to the correct Entra ID group based on department, which automatically grants access to the HR or Engineering SharePoint sites and Teams. The HR group has access to the HR site and an HR application registered in Entra ID; the Engineering group has access to development tools but no HR resources. Conditional Access requires MFA for both users and only permits access from Intune-compliant devices; the developer's personal device is blocked until it is enrolled and compliant. Admin roles are limited via PIM, so the IT lead activates SharePoint Administrator just-in-time when needed, with approval and a 2-hour activation limit. Monthly Access Reviews prompt the HR manager and Engineering lead to confirm their group memberships; when the developer transitions to a new project, the lead removes the old access directly in the review. Audit logs record every permission change, and when Identity Protection flags a risky sign-in attempt to the HR app from an unfamiliar location, the sign-in risk Conditional Access policy requires MFA before the sign-in can proceed.
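The verification and monitoring side of the Contoso scenario, as an added example written for this page with the Microsoft Graph PowerShell SDK (not code from the original article or from Microsoft). Hypothetical names: the enterprise application "HR Portal", an assigned group "HR-Site-Members" that is mapped to the HR SharePoint site, and the scopes requested below.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "Group.Read.All", "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All", "AccessReview.ReadWrite.All"

# 1. Access that bypasses the group model: users assigned directly to the (assumed) HR Portal.
#    In a group-based design this list should be empty; anything here is an exception
#    to document or remove.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'HR Portal'"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalType -eq "User" } |
    Select-Object PrincipalDisplayName, CreatedDateTime

# 2. Who holds Global Administrator: permanent/active assignments versus PIM-eligible ones.
#    The active list should contain only break-glass accounts; everyone else should be eligible.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($ga.Id)'" -ExpandProperty principal
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($ga.Id)'" -ExpandProperty principal
"Active Global Admins:   " + (($active   | ForEach-Object { $_.Principal.AdditionalProperties.displayName }) -join ", ")
"Eligible Global Admins: " + (($eligible | ForEach-Object { $_.Principal.AdditionalProperties.displayName }) -join ", ")

# 3. Last 7 days of role and group membership changes from the Entra audit log, in a shape
#    that can be compared against approved change tickets or fed to an alert rule.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and (category eq 'RoleManagement' or category eq 'GroupManagement')" |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = "Actor";  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "Target"; e = { ($_.TargetResources | ForEach-Object { $_.DisplayName }) -join "; " } }

# 4. Monthly access review of the assigned group behind the HR site: the group owners
#    review, decisions are applied automatically, and no response means removal.
#    Review an assigned group rather than a dynamic one: dynamic membership comes from
#    the rule, so a reviewer's Deny has nothing to remove.
$hrSite = Get-MgGroup -Filter "displayName eq 'HR-Site-Members'"
$review = @{
    displayName = "Monthly review - HR site members"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($hrSite.Id)/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(@{ query = "/groups/$($hrSite.Id)/owners"; queryType = "MicrosoftGraph" })
    settings = @{
        instanceDurationInDays          = 7
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
```

Steps 1 and 2 are the checks an assessor will ask about: evidence that access flows through the documented roles and that standing administrative privilege is limited to the accounts the policy names. Step 3 is the same audit data the portal shows, pulled in a form you can diff week over week; step 4 puts the monthly attestation from the scenario on a schedule with a safe default when reviewers do not respond.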
Summary
Meeting AC.L2-3.1.2 means defining allowable transactions and functions by role and enforcing them with Microsoft 365’s identity, device, and resource controls. Entra ID groups and app assignments deliver least-privilege access; PIM restricts and governs admin rights; Intune and Conditional Access ensure only trusted, compliant devices and authenticated users connect; and Access Reviews, Audit Logs, and Identity Protection provide continuous validation and monitoring. Together, these policy and technical measures ensure users can perform their jobs while access to other systems and functions remains appropriately limited.