**Facsimile Project – Entra Control Stack Implementation**
Client: Northwind Health Analytics (fictional)
Consultant: Entra Control Stack Consulting 
Industry: Healthcare analytics & patient data visualization
Size: 85 employees, hybrid workforce (HQ + remote)
Primary Compliance Targets: HIPAA, NIST 800-53 Moderate Baseline, CIS Controls v8

**Engagement Context**
Northwind Health Analytics has engaged **Entra Control Stack Consulting** to deploy a full **7-layer Microsoft Entra Control Stack** to establish a secure, resilient, and auditable identity governance environment. This engagement designates **Microsoft Entra ID** as the authoritative identity provider for all corporate and cloud resources.

**Licensing Context**
Northwind is licensed under Microsoft 365 E5, the highest-tier Microsoft cloud productivity and security bundle.

**What is E5?**
A Microsoft 365 subscription tier that includes all standard productivity tools (Word, Excel, Outlook, Teams) plus advanced security, compliance, and analytics capabilities — including Microsoft Entra ID P2.

**Why E5 here?**
E5 natively provides Entra ID P2 features, enabling:

Advanced identity governance
Conditional Access
Privileged Identity Management (PIM)
Risk-based access controls

**Other tiers:**

E1 – Core cloud productivity only, no advanced security features.
E3 – Core productivity and baseline security; supports Conditional Access but lacks Entra ID P2. To match E5’s identity governance capabilities, E3 would require purchasing Entra ID P2 separately.
E5 was selected because it delivers all required Entra Control Stack capabilities without the need for separate add-on licensing.

**Implementation Roadmap**
This project is delivered in seven sequential layers, each building on the last:
 Layer 1 – Authority Definition
 Layer 2 – Scope Boundaries
 Layer 3 – Test Identity Validation
 Layer 4 – External Entry Controls
 Layer 5 – Privilege Channels
 Layer 6 – Device Trust Enforcement
 Layer 7 – Continuous Verification

**Layer 1 – Authority Definition**
Execution in Northwind Tenant
(Consulting Actions – Entra Control Stack Consulting)

**Step 1** – Initial Audit of Tenant Authority (Before Changes)
Signed into **Microsoft Entra Admin Center** with northwind-breakglass-admin (hardware key MFA).
Navigated to Identity → Roles & Administrators → Global Administrator.
**Global Administrator (GA) role assignments at time of audit:**
northwind-breakglass-admin – Break-glass account #1 (emergency-only access)
northwind-seniorit@northwindhealth.com – IT Director (operational GA)
northwind-onboardingadmin – Legacy GA from initial tenant migration (unused, security risk if retained)

**Step 2** – Role Separation & Minimization (Changes Applied)
Removed: northwind-onboardingadmin from GA role membership.
Reason: Legacy migration artifact with no ongoing operational need; removal reduces unnecessary privileged accounts.

Verified: northwind-itsec@northwindhealth.com is assigned Privileged Role Administrator (PRA) role only, with no GA permissions.

**Post-change GA assignments:**
northwind-breakglass-admin – Break-glass account #1
northwind-seniorit@northwindhealth.com – IT Director

**Step 3** – Break-Glass Account Configuration 
Maintained two emergency GA accounts:
Long, randomly generated passwords stored in secured enterprise password vault.
Hardware key MFA enforced.
Exempt from Conditional Access policies to ensure access during tenant-wide outages.
Verified both accounts have no daily operational use and are subject to quarterly integrity checks.

**Break-Glass Account Configuration (Verification & Settings)**

**Navigation Path:**
In Microsoft Entra Admin Center, go to Identity → Roles & Administrators → Global Administrator.
Select each break-glass account (northwind-breakglass-admin and northwind-seniorit@northwindhealth.com).
In the account blade, review Authentication Methods, Conditional Access, and Sign-In Logs to confirm security posture.

**Verified & Applied Settings:**
Password Policy: Long, randomly generated passwords stored in a secured enterprise password vault.
MFA: Hardware key MFA enforced for both accounts.
Conditional Access: Explicitly excluded from all CA policies to ensure accessibility during outages.
Operational Use Policy: Accounts restricted to emergency use only; verified through sign-in logs that no daily operational activity occurs.
Governance Control: Both accounts enrolled in quarterly access review and security posture validation process.

**Step 4** – Governance Documentation
Created and stored an **Authority Register** in a restricted-access SharePoint governance site.
Includes current GA & PRA assignments.
Decision authority chain for all tenant-level role changes.
Escalation process for emergency GA access.
Audit schedule (quarterly and post-incident reviews).

**Step 5 – Verification & Logging**
Reviewed Entra Audit Logs for the past 90 days.
**Confirmed:**
No unauthorized role assignments.
No GA role changes outside documented approvals.

Logged changes made during this engagement for compliance traceability.

**Outcome**
Layer 1 has successfully established a minimal, verified, and secured authority chain for tenant governance. The environment now has:
Only essential GA accounts in place.
Clearly separated PRA responsibilities.
Documented governance ownership and recovery procedures.
This provides a stable and auditable root of trust for all downstream Entra Control Stack layers.

**Entry Control Stack Mapping – Layer 1: Authority Definition**
**Governance Linkage & Compliance Rationale**

**1. NIST 800-53**
What NIST 800-53 Is:
The National Institute of Standards and Technology (NIST) Special Publication 800-53 is a U.S. federal standard that defines security and privacy controls for federal information systems, but it’s widely adopted by private organizations as a best-practice baseline. It organizes controls into families (e.g., Access Control, Audit, Identification and Authentication) and uses identifiers like AC-1 (Access Control Policy and Procedures).

**Relevant Controls for Layer 1 – Authority Definition**

**AC-1 – Access Control Policy and Procedures**
Requires organizations to develop, document, and disseminate an access control policy, and to review/update it periodically.
Relevance: The Authority Definition layer is your access control root policy — it defines who has the highest level of authority (Global Administrator) and how those roles are governed.

**AC-2 – Account Management**
Requires managing accounts (creation, modification, disabling, removal) and reviewing them periodically.
Relevance: Step 1 & Step 2 of Layer 1 — auditing existing GA accounts, removing legacy or unused ones, and assigning PRA — is directly aligned with AC-2.

**AC-3 – Access Enforcement**
Requires enforcing approved authorizations for logical access.
Relevance: Ensuring only vetted, documented GA and PRA accounts can perform tenant-wide changes enforces the “root of trust” for all downstream Entra Control Stack layers.

**2. CIS Controls v8**
What CIS Controls Are:
The Center for Internet Security (CIS) Controls are a prioritized set of 18 security controls designed to protect organizations from the most pervasive cyber threats. CIS v8 is the latest version.
Relevant Control for Layer 1 – Authority Definition:
Control 5.2 – Securely Manage Service Provider Accounts
Requires securing and managing accounts with service providers (including cloud admin accounts), enforcing MFA, and restricting privileges.
**Relevance: Global Administrator in Entra ID is a service provider account to Microsoft 365.** Layer 1’s process — removing legacy GA, enforcing hardware MFA, and documenting PRA separation — is exactly what CIS 5.2 prescribes.

**3. HIPAA Security Rule 164.308(a)(3) – Workforce Security**
What HIPAA Is:
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule sets standards for protecting electronic protected health information (ePHI). Even if an organization isn’t in healthcare, HIPAA-style controls are often referenced for identity governance maturity.
What 164.308(a)(3) Requires:
Implement policies and procedures to ensure all workforce members have appropriate access to ePHI — and to prevent access by those who don’t need it.
Includes processes for authorization, establishment, modification, and termination of access.
**Relevance to Layer 1:**
In Entra Control Stack terms, Authority Definition is the “who holds the keys” stage — ensuring that the workforce members who can make system-wide identity decisions (GA/PRA) are properly authorized, that unused accounts are terminated, and that emergency access is documented and controlled. This prevents over-provisioned admin accounts from inadvertently or maliciously exposing sensitive systems or data.

**How It All Connects**
Layer 1 of the Entra Control Stack — Authority Definition — is not just a technical setup task; it’s a governance anchor point that fulfills core compliance requirements in multiple frameworks:

**Business Value**
Minimizes the blast radius of a privileged account compromise, ensures proper separation of duties, and creates a documented authority structure that survives personnel turnover. This foundational control directly supports compliance objectives, operational resilience, and incident recovery readiness.


**Layer 2 – Scope Boundaries**
**Objective**
Define and validate the administrative control boundaries within the Microsoft Entra ID environment for the Northwind tenant. This ensures all delegated administrative rights remain confined to intended organizational, departmental, or service-specific limits, preventing unauthorized influence over unrelated resources.

**Execution – Northwind Tenant**
**Consulting Actions – Entra Control Stack (ECS) Consulting**

**Step 1 – Audit Existing Administrative Units (AUs)**
Sign in as Northwind-BreakGlass-Admin (hardware key MFA enforced).

Navigate to:
Entra Admin Center → Identity → Administrative Units

Findings at time of audit:

**AU – Northwind-Helpdesk**
Members: Tier 1 Support Staff, assigned Helpdesk Administrator role.
Scope: All users in US region except executives.

**AU – Northwind-Research**
Members: R&D division staff and lab devices, assigned User Administrator role for R&D IT lead.
Scope: Restricted to R&D users and devices only.

**AU – Northwind-Global-Services**
Members: CloudOps team.
Scope Issue: AU contains high-value service accounts not meant for standard delegated admins (exclusion violation).

**Step 2 – Align AUs to Organizational Boundaries**
Actions Taken:
Removed high-value service accounts from Northwind-Global-Services AU **(moved to protected exclusion list).**
Created AU – Northwind-Finance for finance department personnel, scoped to finance users only.
Archived Northwind-Research AU (no longer active after R&D migration to partner-managed tenancy).

**Post-change AU set:**
Northwind-Helpdesk – US users except executives.
Northwind-Finance – Finance department only.
Northwind-Global-Services – CloudOps team without protected service accounts.

**Step 3 – Audit & Correct Scoped Role Assignments**
Navigated to:
Entra Admin Center → Identity → Roles & Administrators
For each role with delegated assignments, confirmed the scope was AU-based, not tenant-wide:
Helpdesk Administrator → Scoped to Northwind-Helpdesk AU only.
User Administrator (Finance IT Lead) → Scoped to Northwind-Finance AU only.
Removed one misconfigured Authentication Policy Administrator role that was globally assigned instead of AU-restricted.

**Step 4 – Configure & Verify Exclusion Lists (Detailed)**
**What is an Exclusion List?**
An exclusion list is a maintained record (not a live Entra object) of accounts and identities that should never fall under the control of standard delegated administrators or within the membership of Administrative Units (AUs).
It is not an AU itself — instead, it’s a governance artifact stored in a secure location (here, a restricted-access SharePoint governance site).
Think of it as a “do not delegate” list for your most sensitive identities.

**Why This Exists in Layer 2**
Even if you have good AU segmentation, a delegated admin with control over high-value accounts could cause major damage. **The exclusion list is the “belt and suspenders” control that ensures no one except Tier 0 operators (Global Admins, Privileged Role Admins, etc.) can ever manage those identities.**

**Populating the Exclusion List in Northwind**
**1. Executive Accounts**
CEO, CFO, CTO accounts — high-impact if compromised.
These accounts should only be manageable by a very limited number of top-level admins.

**2. Break Glass Accounts**
All emergency GA accounts (e.g., Northwind-BreakGlass-Admin)
Must remain operational even during Conditional Access outages — controlling them should be tightly restricted.

**3. Tier 0 Service Principals**
Service Principals are identities used by apps or services, not by humans.
Tier 0 means they have full, tenant-wide or security boundary–wide authority.
Examples: Service Principals used for Entra-to-Azure cross-tenant sync, security monitoring tools, identity provisioning services.
Compromising these is effectively equivalent to compromising a Global Administrator.

**4. CSP Linkage Accounts**
CSP = Cloud Solution Provider.
If your tenant is managed in part by a CSP partner, they may have special delegated admin accounts that can control tenant resources.
These accounts, if compromised, give an outsider tenant-wide control — they must be excluded from delegated scopes.

**5. Azure Subscription Owners**
Identities with Owner rights at the Azure subscription level can create, delete, and control nearly all Azure resources (including Entra integrations).
These are Tier 0 identities in the cloud resource layer and must be kept out of standard admin scopes in Entra ID.

**How the Exclusion List is Applied**
**Governance Location**
Stored as a document in a restricted-access SharePoint governance site.
Access limited to Global Administrators and security governance leads.

**Enforcement Checks**
No AU Membership: Confirm none of the exclusion list identities are members of any AU used for delegated admin purposes.
No Scoped Role Assignments: Confirm no delegated admin has a role assignment scoped to these accounts.

**Ongoing Validation**
Quarterly review to catch accidental scope creep.
Semi-annual audit after any org restructure or role reassignment.

**Why This Matters in Scope Boundaries**
If a Helpdesk Administrator’s AU accidentally contains a Break Glass account, they could reset its password — and take over the tenant.
Exclusion lists guarantee that your highest-value identities are untouchable by all but the absolute minimum set of Tier 0 administrators.

**Entra Control Stack Mapping – Layer 2 (Scope Boundaries)**
**Governance Linkage:**

**NIST 800-53**
AC-2 – Account Management: Enforces role scoping to limit admin accounts to intended boundaries.
AC-3 – Access Enforcement: Ensures exclusion list enforcement so restricted accounts remain under Tier 0 control.
AC-5 – Separation of Duties: Supports delegated admin segmentation through Administrative Units.

**CIS Controls v8**
5.4 – Restrict Administrator Privileges to Dedicated Administrative Accounts: Matches Layer 2 principle of AU scoping and exclusion lists.
5.5 – Use Administrative Accounts for Administrative Activities Only: Reinforces AU design and separation from sensitive accounts.

**HIPAA Security Rule**
164.308(a)(4) – Information Access Management: Restricts who can access or modify high-value healthcare data in accordance with least privilege.
164.308(a)(3) – Workforce Security: Ensures workforce members only receive the level of administrative control necessary for their role.

**Outcome**
Eliminated scope creep by ensuring all delegated admin roles are AU-scoped.
Removed high-value accounts from general admin control, reducing risk from compromised delegated accounts.
Established quarterly review process for AU memberships and role scopes.

**Business Value**
Implementing strict scope boundaries reduces the blast radius of any compromised delegated admin account, supports regulatory compliance (HIPAA, NIST, CIS), and creates a scalable governance model as the organization grows or restructures.


**Layer 3 – Test Identity Validation**
**Objective**
Validate that the administrative scope boundaries and role assignments established in Layer 2 function correctly under realistic operating conditions. This ensures delegated permissions, AU segmentation, and exclusion lists are actively enforced, not just documented.

**Step 1 – Prepare Test Accounts**
Role: Tenant Global Administrator (setup phase only)
Scope: Full tenant (temporary use for test preparation)
**Action:**
Created TestAdmin-AU account inside the “Finance Department” Administrative Unit.
Created TestUser-External account with no AU membership.
Labeled both accounts clearly in Display Name and UPN (prefix TEST_) to prevent operational confusion.
Assigned TestAdmin-AU the “User Administrator” role scoped exclusively to the Finance AU.
Ensured TestUser-External retained default member privileges only.

**Result**: Two isolated test identities ready for controlled scope validation.

**Step 2 – Execute Scoped Action Tests**
Role: TestAdmin-AU (delegated role within Finance AU)
Scope: Finance AU only
**Action:**
Performed password reset on a user inside the Finance AU — Success (expected).
Attempted password reset on a user outside the Finance AU — Access Denied (expected).
Attempted group membership modification for a group in the AU — Success (expected).
Attempted the same modification for a group outside AU — Access Denied (expected).
**Result: AU boundaries enforced as designed. No cross-scope administrative impact detected.**

**Step 3 – Validate Exclusion List Enforcement**
Role: TestAdmin-AU (delegated role)
Scope: Finance AU only
**Action:**
Identified high-value accounts from exclusion list (executives, break-glass accounts, Tier 0 service principals, CSP-linked accounts, Azure subscription owners).
Attempted direct management action (password reset, role change) on an executive account — Access Denied.
Verified all excluded accounts were absent from AU membership and not impacted by scoped role permissions.
**Result:** Exclusion list intact and functional. No unauthorized access possible to high-value accounts.

**Step 4 – Capture and Review Evidence**
Role: Tenant Global Administrator (review phase)
Scope: Full tenant
**Action:**
Enabled sign-in and audit logs prior to testing.
Used Azure AD Sign-In Logs to confirm:
Successful actions occurred only within permitted AU scope.
Denied actions were blocked at the identity provider level.
Archived evidence (log exports + test summary) in governance repository for compliance.
**Result:** Full evidentiary record maintained, satisfying governance linkage for NIST AC-6 (Least Privilege) and ISO 27001 A.9.2.3 (Management of Privileged Access Rights).

**Governance & Operational Notes**
Why this matters: Scope boundaries without testing are theoretical. This process proves controls work.
Common failure point: Test accounts gain “temporary” extra rights and bypass the very boundaries being validated.
Audit frequency: After any AU restructuring, role reassignment, or Conditional Access policy change.
Memory mnemonic: TAL — Test Accounts, Access Simulation, Log Verification.

**Governance Mapping – Layer 3 (Test Identity Validation)**
NIST AC-6 (Least Privilege): Validates that administrative rights are limited to the defined scope and cannot be extended through misconfiguration.

NIST AU-6 (Audit Review, Analysis, and Reporting): Uses sign-in and audit logs to confirm enforcement and maintain compliance evidence.

ISO/IEC 27001 A.9.2.3 (Management of Privileged Access Rights): Ensures privileged accounts are controlled, scoped, and tested for boundary integrity.

ISO/IEC 27001 A.12.4.1 (Event Logging): Confirms security-relevant events are logged and reviewed during scope validation tests.

CIS Control 5.2 (Securely Manage Service Accounts): Protects excluded high-value accounts (break-glass, service principals) from delegated admin actions.

**Zero Trust Principle** – Verify Explicitly: Requires active proof that scope boundaries enforce intended controls before trust is granted.

**Layer 4 – External Entry Controls**
**Purpose**
Lock down and continuously monitor all inbound pathways into the tenant to ensure only authorized, verified, and appropriately restricted external identities gain access. External access — from partners, contractors, or other tenants — is a high-risk vector. Without strict governance, guest accounts and cross-tenant connections can become stealth entry points.

**Step-by-Step Execution**
**Step 1** – Establish or Review B2B Guest Access Configuration
Navigation: Microsoft Entra admin center → Identity → External identities → External collaboration settings**
**Configuration:**
Default to least privilege — block invitations by non-admins
Require approval for all guest additions
Enable automatic expiration for inactive guest accounts

**Validation:**
Export current guest list and check against approved business cases
Confirm expiration policies are applied to all guest accounts

**Step 2 – Implement or Confirm Cross-Tenant Access Restrictions**
Navigation: Microsoft Entra admin center → External identities → Cross-tenant access settings

**Configuration:**
Identify all active cross-tenant trust relationships
Document business justification for each
Restrict inbound permissions to only necessary apps and user groups
Block all unnecessary outbound trust

**Validation:**
Review access logs to confirm only authorized inbound trust events
Verify no new trust connections exist without documentation

**Step 3 – Configure or Validate Conditional Access for Guest Accounts**

Navigation: Microsoft Entra admin center → Protection → Conditional Access

**Configuration:**
Require MFA for all guest accounts (prefer phishing-resistant methods)
Apply location and device compliance restrictions
Require acceptance of current Terms of Use before access or renewal

**Validation:**
Simulate guest login from risky location to confirm access is blocked
Review sign-in logs for policy application results

**Governance Mapping (Bullet Format)**
**Core Entra Elements → Governance Linkage**

**B2B Guest Access Policies**
CIS Microsoft Entra Benchmark 1.3 – Restrict guest invitations
ISO 27001 A.9.4.1 – Restriction of access rights
NIST AC-3 – Access enforcement

**Cross-Tenant Access Settings**
CIS Microsoft Entra Benchmark 1.4 – Manage cross-tenant collaboration
ISO 27001 A.13.1.1 – Network controls
NIST AC-20 – Use of external systems

**Conditional Access for Guests**
CIS Microsoft Entra Benchmark 1.6 – Enforce MFA for external accounts
ISO 27001 A.9.4.2 – Secure log-on procedures
NIST IA-2 – Identification and authentication

**Governance and Operational Notes**
Why this layer matters: Most breaches involving external accounts are due to poor guest governance, over-permissive trust settings, or weak Conditional Access enforcement.
Common failure point: Orphaned guest accounts from old projects that retain excessive access.
Audit frequency: Quarterly guest review; immediate review after adding cross-tenant connections.

**Business Value**
By securing B2B, cross-tenant, and Conditional Access configurations in tandem, you create a three-gate model where external actors must clear multiple, independent controls before gaining tenant entry. This sharply reduces the chance of a single misconfiguration leading to compromise, and it produces a clean, auditable trail for compliance reviews.

**Layer 5 – Privileged Channels**
**Purpose**
Constrain and monitor every pathway by which administrative privilege is granted, elevated, and used. This ensures the principle of least privilege is continuously enforced, while allowing secure, temporary elevation when operational needs arise.
Unchecked privilege assignment is one of the highest-impact risks in identity governance. This layer funnels all privilege through secure, auditable channels, reducing accidental over-provisioning and preventing deliberate misuse.

**Core Entra Elements**
**1. Role-Assignable Groups (RAGs)**

**Definition and Purpose**
A Role-Assignable Group is a special type of security group in Microsoft Entra that can hold directory roles as a group-level assignment. Once a group is flagged as "role-assignable," any role assigned to the group automatically applies to all its members.
This structure eliminates direct user-to-role assignments—instead, every privileged role flows through a managed group, giving you:
Centralized control of role membership
A single point for auditing
Easier enforcement of approval workflows and Conditional Access policies

**Key Distinction from Administrative Units (AUs)**
Administrative Units control scope — limiting what resources an admin can manage.
RAGs control delivery — defining how privileged roles are granted and through which container.
They are complementary but separate: you might have a Password Administrator role in a RAG whose members are further restricted by AU scoping.

**Best Practice Structure**
One RAG per high-impact role (e.g., RAG_GlobalAdmins, RAG_SecurityAdmins, RAG_PrivilegedRoleAdmins).
Never lump multiple privileged roles into a single RAG — separation ensures least privilege and makes reviews more precise.
Apply RAGs to all high-risk roles to ensure no direct user assignments exist.

**Operational Steps for a New Tenant**
Identify high-risk roles (Global Admin, Privileged Role Admin, Security Admin, etc.).
Create a dedicated security group for each, marking it as role-assignable.
Assign the directory role to the group (not to individual users).
Manage group membership through PIM, Access Packages, or other governance processes.

**Operational Steps for an Existing Tenant**
Audit all current role assignments.
Migrate direct user-to-role assignments into appropriate RAGs.
Lock down RAG ownership — only a minimal, approved set of users should manage membership.
Monitor membership changes as part of your monthly privilege review.

**Governance Benefits**
Audit Efficiency: A single group to check per role.
Revocation Speed: Removing a user from the RAG instantly removes the role.
Policy Enforcement: All role grants are subject to the same approval, MFA, and Conditional Access requirements.

**2. Privileged Identity Management (PIM) for Just-in-Time (JIT) Elevation**
Requires eligible role holders to activate privileges only when needed, backed by approval workflows, MFA, and time-bound activation.
Eliminates standing privilege, drastically reducing attack surface.
Creates a comprehensive audit trail for every elevation event.

**3. Access Packages for Controlled Role Grants**
Delivered through Entra ID Governance, combining role assignments and resource access into a single requestable package.
Enforces documented approvals, conditional access requirements, and expiry dates.
Ideal for bundling related permissions under one governance policy.

**Key Actions**
A. Establish or Confirm Role-Assignable Group Usage
**New tenant:** Place all high-impact roles (Global Admin, Privileged Role Admin, Security Admin, etc.) into RAGs before assignment.
**Existing tenant:** Audit all direct role assignments; migrate eligible assignments into RAGs.

**B. Implement or Verify PIM Workflows**
Require MFA and approval (manager/security team) for all JIT activations of high-risk roles.
Set activation durations to operational minimum (typically 1–4 hours).
Review PIM logs monthly for unusual activation patterns.

**C. Configure or Validate Access Packages**
Use Access Packages for administrative access requests.
Audit all active packages quarterly, ensuring scope and duration match business needs.
Remove or update packages that grant excessive or outdated access.

**D. Remove Standing Privileges**
Identify and remove all permanent admin role assignments unless required for break-glass access.
Replace with PIM eligibility or Access Packages to reintroduce access in a controlled, auditable manner.

**Operational Notes & Governance Guidance**
**Why it Matters:**
Privilege misuse often stems from over-assignment, privilege creep, or dormant accounts with unexpired admin roles. By enforcing privileged channels, you remove these latent vulnerabilities.

**Common Failure Points:**
Direct user-to-role assignments outside RAGs.
“Temporary” elevated privileges that remain indefinitely.

**Audit Frequency:**
Monthly: PIM activation review.
Quarterly: Full privileged role and Access Package review.

**Memory Cue:**
RPA – Role-Assignable Groups, PIM, Access Packages. If privilege doesn’t pass through RPA, it’s not under proper control.

**Layer 5 Add-on: Northwind Health Analytics Context**

**Client Context**
Northwind Health Analytics operates in a multi-tenant healthcare data environment with high regulatory exposure (HIPAA, HITECH) and multiple vendor integrations. Current privileged access is concentrated in a small set of IT admins, but assignments are made directly to user accounts, bypassing Role-Assignable Groups (RAGs). Privileged Identity Management (PIM) is partially enabled for Global Administrators but without consistent activation approval workflows. No Access Packages are currently in use.

**Consultant Observations**

**Role-Assignable Groups (RAGs)**
No RAGs exist; all directory roles are assigned at the user level.
This increases lateral movement risk if any one privileged account is compromised.
It also limits the ability to audit and rotate privilege assignments in bulk.

**Privileged Identity Management (PIM)**
Configured for Global Admin only.
Security Admin and Privileged Role Admin roles remain persistent with no time-bound activation.
No justification requirement is enforced at activation.

**Access Packages & Governance Flows**
No centralized access package structure exists for privileged access scenarios.
This limits policy-driven, approval-based provisioning of high-impact roles.

**Emergency Access Accounts (Break Glass)**
One emergency account exists but is not excluded from Conditional Access policies.
Testing and validation drills have not been performed in the past 12 months.

**Consultant Recommendations**
Deploy Role-Assignable Groups for all high-impact roles (Global Admin, Privileged Role Admin, Security Admin) before making any further direct assignments.
Create one RAG per role type; do not combine all privileged roles into a single RAG.
Scope each RAG’s membership to relevant Administrative Units where possible.
Expand PIM Coverage
Apply just-in-time activation to all RAGs containing privileged roles.
Require approval from a separate senior administrator for activation.
Enforce justification notes and reduce default activation duration to 2 hours.
Introduce Access Packages for controlled onboarding into RAG membership.
Use catalog structures aligned with administrative boundaries (e.g., “Clinical Systems Privilege Catalog”).
Require multi-stage approval for package assignment.

Harden Break Glass Accounts (Move them outside Conditional Access enforcement.)
Log all sign-ins in a separate monitoring stream.
Perform quarterly drills to ensure availability.
Audt and Monitor Privileged Channels quarterly to confirm: No direct role assignments exist for high-impact roles.
All privileged activations are time-bound, approved, and logged.

**Layer 5 Add-On #2 – Privileged Channels (Project-Aligned)**

**Context:**
In our role as Entra Control Stack Consulting for Northwind Health Analytics, Layer 5 covers the privileged access channels into the Microsoft Entra tenant and associated Azure/M365 services. The goal is to reduce the attack surface of high-value accounts (e.g., Global Administrator, Privileged Role Administrator, Security Administrator) while aligning these controls with governance frameworks (NIST AC-2, CIS Control 5, HIPAA §164.312(a)(1)).

**Purpose in This Engagement**
Layer 5 secures the “keys to the kingdom” — the paths and entities with elevated control over identity, access, and tenant-wide configuration. For Northwind, our task is to ensure all privileged channels are:
Mapped to their operational risk
Segmented into enforceable boundaries
Continuously monitored with automated alerting

**Core Entry Elements (Aligned to Project)**

1. Role-Assignable Groups (RAGs)
Consultant Action: Consolidate all high-impact directory roles into Microsoft Entra Role-Assignable Groups (Global Admin, Privileged Role Admin, Security Admin).
Tenant Implementation: Create one RAG per privileged role; assign eligible users via group membership only.

**Governance Mapping:**

NIST AC-2: Controlled assignment of administrative privileges
CIS 5.1: Establish and maintain an inventory of administrative accounts
HIPAA §164.312(a)(1): Unique user identification

**2. Privileged Identity Management (PIM) Activation Rules**
Consultant Action: Enforce Just-in-Time (JIT) elevation for all RAG members using PIM.
Tenant Implementation: Require MFA on activation, set approval workflow for elevation, log every activation to a secure audit repository.

**Governance Mapping:**

NIST AC-2(3): Disable accounts when not in use
CIS 5.4: Require MFA for all administrative access

**3. Emergency Access Accounts (“Break Glass”)**
Consultant Action: Create two emergency accounts exempt from Conditional Access but monitored 24/7.
Tenant Implementation: Store credentials offline in a tamper-evident location, with quarterly usage audits.

**Governance Mapping:**
NIST IR-4: Incident handling
CIS 5.2: Use dedicated administrative accounts

**4. Administrative Unit (AU) Scope Enforcement**
Consultant Action: Restrict privileged accounts to relevant AUs wherever possible to enforce least privilege.
Tenant Implementation: Test cross-AU role assignment to validate scope boundaries.

**Governance Mapping:**
NIST AC-6: Least privilege
CIS 6.5: Restrict access to sensitive data based on business need

**5. Audit and Alert Rules for Privileged Channels**
Consultant Action: Create alerts for:
Addition/removal of RAG members
PIM activation events
Sign-ins from anomalous geolocations
Tenant Implementation: Route alerts to SOC mailbox and Microsoft Sentinel for correlation.

**Governance Mapping:**
NIST AU-6: Audit review, analysis, and reporting
CIS 8.2: Ensure logging of administrative activities

**Business Value for Northwind**
By enforcing this Layer 5 structure, Northwind:
Reduces the probability of privilege escalation by limiting the number of standing admins.
Gains auditable, reportable compliance for HIPAA and internal audit requirements.
Establishes a repeatable privileged access framework that can be extended to future mergers or partner integrations.

**Layer 6 – Device Trust Enforcement**

**Purpose**
Ensure that only secure, compliant endpoints can access sensitive resources or perform administrative actions.
Device trust enforcement ensures that authentication decisions factor in the security state of the endpoint itself, not just the user’s credentials. This reduces the risk of compromised or unmanaged devices being used as a foothold into the tenant, especially for privileged operations.

**Execution – Northwind Tenant**

**Consulting Actions – Entra Control Stack Consulting**

**Step 1 – Configure Microsoft Intune Device Compliance Policies**
**Navigation:** Microsoft Endpoint Manager admin center → Devices → Compliance policies → Policies.

**Actions Taken:**
Created baseline compliance policies for all corporate endpoints, requiring:
OS version at or above defined security baseline (Windows 11 22H2 or later for Windows devices; macOS 13+ for Macs).
Device encryption enabled (BitLocker/FileVault).
Secure Boot enabled.
Real time protection with Microsoft Defender Antivirus active.
No critical security patches older than 30 days.

**Established tiered compliance standards:**
Admin workstations: stricter requirements, including mandatory TPM 2.0, verified Secure Boot, and EDR (Endpoint Detection and Response) enrollment.
General user devices: baseline encryption, AV, and patch compliance.
Configured non-compliance actions: immediate block from accessing sensitive resources and initiation of remediation notifications.

**Step 2** – Enforce Conditional Access (CA) for Compliant or Hybrid-Joined Devices
Navigation: Microsoft Entra admin center → Protection → Conditional Access → Policies.

**Actions Taken:**
Implemented CA policy “Privileged Access – Compliant Devices Only” to require:
Device compliance or hybrid Azure AD join for all privileged role activations through PIM.
MFA challenge before session start.
Device platform restriction (Windows/macOS corporate-managed only).
Location-based restriction (North America corporate network ranges for admin accounts).
Added session controls for unmanaged devices:
Block download of sensitive files in SharePoint/OneDrive.
Require app-enforced restrictions in Microsoft 365 web apps.

**Step 3 – Validate Device Identity in Sign-In Logs**
Navigation: Microsoft Entra admin center → Monitoring → Sign-in logs.

**Actions Taken:**
Enabled device detail capture in sign-in logs to record Device ID, join type (Hybrid, Azure AD joined), and compliance status for each authentication.
Configured monthly SOC review of sign-in logs for:
Privileged account activations from devices not in compliance inventory.
Sign-ins from non-compliant devices or unmanaged browsers.
Geographic anomalies tied to device access.
Created a Device Trust Audit Report template stored in governance SharePoint for monthly compliance review.

**Governance Mapping – Layer 6 (Device Trust Enforcement)**

**NIST 800-53**
AC-19 – Access Control for Mobile Devices: Ensures only secure devices can connect to organizational systems.
AC-20 – Use of External Systems: Restricts access from unmanaged/external devices.
CM-6 – Configuration Settings: Mandates baseline security settings for devices accessing sensitive resources.

**CIS Controls v8**
4.1 – Establish and Maintain a Secure Configuration Process for End-User Devices.
4.6 – Restrict Unapproved Assets from Connecting to the Network.
6.7 – Require MFA for All Administrative Access.

**HIPAA Security Rule**
§164.312(a)(1) – Access Control: Enforces technical policies to allow only authorized devices to access ePHI.
§164.308(a)(3) – Workforce Security: Limits access to authorized personnel using compliant equipment.

**Outcome**
Northwind now enforces that all privileged role activations and sensitive resource access originate only from compliant, trusted devices. Any attempt from a non-compliant or unmanaged device is automatically blocked. Device trust is verified through:
Tiered compliance standards.
Conditional Access tied to compliance and join state.
Audit and review of Device IDs in sign-in logs.
This closes a major identity governance gap by tying device assurance directly to identity assurance.

**Business Value**
By integrating endpoint compliance into authentication decisions, Northwind:
Reduces the attack surface for privileged access abuse.
Meets HIPAA and NIST requirements for secure device access.
Gains a proactive alerting and review process for device-based risks.
Establishes a scalable framework for securing new device types or platforms in the future.

**Layer 7 – Continuous Verification**
**Purpose**
Maintain ongoing assurance that identities, devices, and access patterns remain within acceptable security risk thresholds for Northwind Health Analytics.
In this final Entra Control Stack layer, security shifts from a one-time validation model to a dynamic, always-on posture. Every sign-in, privilege elevation, and access request is evaluated in context using risk analytics, automated reviews, and correlated threat intelligence. This enables Northwind’s IT and security teams to detect and respond to anomalies in near real time, preventing prolonged attacker dwell time and catching privilege creep before it impacts operations or compliance.

**Execution in the Northwind Tenant**

**(Consulting Actions – Entra Control Stack Consulting)**

**Step 1 – Configure Risk-Based Conditional Access (CA) Policies**
Navigation: Microsoft Entra admin center → Protection → Identity Protection → Risk Policies.
Enabled Sign-in Risk Policy and User Risk Policy for all accounts, with stricter enforcement for privileged identities.

**Enforcement Rules:**
Low Risk – Require MFA.
Medium/High Risk – Block sign-in or require secure password reset.
Tuned thresholds to minimize false positives while maintaining strong response to risky logins.
Tested by simulating high-risk sign-ins from suspicious IP ranges; verified that privileged accounts were blocked until MFA was satisfied.

**Result**: Risk-based CA is actively tied to operational enforcement, not just alerting.

**Step 2 – Integrate Microsoft Defender for Identity and Microsoft Sentinel**
Defender for Identity deployed on Northwind’s on-premises Active Directory domain controllers and connected to Entra ID for hybrid threat visibility.
Microsoft Sentinel integrated via Defender for Identity and Entra ID connectors.

**Developed Sentinel analytics rules to detect:**
Lateral movement patterns.
Unusual Kerberos ticket activity.
Multiple failed elevation attempts in Privileged Identity Management (PIM).
Alerts routed to the Northwind SOC mailbox and logged in a dedicated Sentinel incident queue.
**Result: Privileged account misuse or advanced attack behaviors are correlated across cloud and on-premises identity systems in near real time.**

**Step 3 – Implement Automated Access Reviews**
Established quarterly reviews for all privileged role assignments.
Monthly reviews for high-sensitivity security groups (e.g., “Clinical Data Access”).
Annual reviews for general M365 app access.

**Configured delegated review ownership:**
IT Security Manager reviews privileged roles.
Department heads review business group memberships.
Follow-up process defined for non-responses: reviewers receive reminders; unresolved reviews escalate to compliance officer.
**Result:** Privilege creep is identified and remediated quickly, maintaining least privilege.

**Governance Mapping**
**NIST 800-53**
AC-2: Account management with ongoing review and automated deprovisioning.
CA-7: Continuous monitoring of information system security controls.
IR-5: Incident monitoring with defined alerting workflows.

**CIS Controls v8**
5.3: Configure systems to issue alerts on administrative activities.
8.2: Ensure logging of security-relevant events.
8.8: Conduct regular access reviews.

**HIPAA Security Rule**
164.308(a)(1)(ii)(D): Information system activity review.
164.312(b): Audit controls for tracking access to ePHI.

**Operational Notes & Business Value**
**Why this matters for Northwind:**
Healthcare analytics involves constant changes in user roles, device states, and data access patterns. Continuous verification ensures that identity security is not a “set-and-forget” process but a living control that adapts to evolving risk.

**Common failure point**: Organizations enable risk detection but fail to link it to enforcement, allowing risky sign-ins to go unmitigated.

**Audit Frequency:**
Conditional Access risk policies – Quarterly review.
Sentinel correlation rules – Monthly fine-tuning.
Access review adherence – Tracked and reported quarterly to compliance leadership.

**Business Impact:**
Reduced time-to-detect for identity-based threats.
Minimized privilege creep across the organization.
Strengthened HIPAA compliance posture through documented, repeatable verification processes.