Securing GCC High

A System Architect's Blueprint for CMMC Level 2 Compliance

Executive Introduction

Who this guide is for, how to navigate it, CUI scope, and its relationship to your System Security Plan.


Phase 1: Scoping

Goal

Before configuration, you must understand where your Controlled Unclassified Information (CUI) lives, who interacts with it, and which third parties are responsible for its protection.

Chapter 1: CUI Data Flows & Business Applications

Mapping how CUI enters, moves through, and exits your business applications — email, ERP, SAFE exchange portals, and file shares.

Chapter 2: People, Technology, and Processes

Identifying CUI Assets, Security Protection Assets (SPAs), and CRMAs to define what the assessor will actually examine.

Chapter 3: External Service Provider Management

Inventorying third parties — MSPs, SaaS tools, subcontractors — and validating FedRAMP Moderate Equivalency for each.

Chapter 4: Contractual Ingestion & LOB Strategy

Analyzing DoD contract flow-downs (DFARS 7012) and the process for identifying CUI obligations at the point of contract award.

Chapter 5: Shared Services and Conglomerate Tenants

When a parent company wants one GCC High tenant to serve multiple operating subsidiaries — the three-layer isolation model, the SPA entanglement a C3PAO will find, and when to recommend separate tenants instead.

Chapter 6: Migrating to GCC High

Planning and executing a tenant migration into GCC High — identity re-registration, cross-cloud B2B, CTAS, cross-cloud Teams limits, label re-application, and the ten-phase high-level migration plan.


Phase 2: Identity Architecture

Goal

Secure the "Who" before building the "What." Identity is the perimeter in a cloud-first CUI environment.

Chapter 7: Sovereign Cloud Considerations

The GCC High vs. Commercial decision matrix, AOS-G purchasing constraints, feature parity gaps, and timeline expectations.

Chapter 8: Cloud Strategy

Cloud-only vs. hybrid architecture tradeoffs. Why reducing Active Directory dependency increases security posture for CMMC.

Chapter 9: Phishing-Resistant Authentication

Windows Hello for Business and FIDO2 as the primary MFA mechanism. Eliminating SMS and authenticator app fallbacks for CUI access.

Chapter 10: Directory Synchronization

Entra Connect Sync architecture, filtering strategy for limiting what synchronizes to GCC High, and hybrid identity gotchas.

Chapter 11: Entra Security Settings

Tenant-wide security defaults, legacy authentication blocking, and Entra ID Protection configuration for GCC High.

Chapter 12: Identity Governance

Privileged Identity Management (PIM) for just-in-time elevation, Entitlement Management for access packages, and access review scheduling.

Chapter 13: Cross-Tenant Collaboration

Cross-tenant access settings, B2B limitations in GCC High (cross-cloud B2B off by default), and DNS record requirements.

Chapter 14: Conditional Access

The CMMC baseline policy set: geo-blocking, phishing-resistant MFA enforcement, compliant device requirement, and break-glass account documentation.


Phase 3: Devices

Goal

Define "Where" CUI lives to minimize audit scope. Cloud-managed, Entra-joined devices reduce the attack surface and simplify compliance evidence.

Device Architecture

Chapter 15: Virtual Desktop Strategy

Using Azure Virtual Desktop to contain CUI on session hosts rather than physical endpoints. Screen capture protection, watermarking, and GCC High-specific gaps.

Chapter 16: Foundational Architecture & Design

The Entra Join-only model: why hybrid join adds complexity without compliance benefit for most DIB organizations.

Chapter 17: Provisioning with Windows Autopilot

Zero-touch provisioning for Entra-joined devices. Autopilot profiles, deployment modes, and the GCC High enrollment URL.

Chapter 18: Entra Join — Cloud-Only Deployment

Step-by-step checklist for a greenfield cloud-only deployment: prerequisites, Intune enrollment, Autopilot, and validation.

Chapter 19: Hybrid Deployment

Transition path for organizations with existing on-premises AD. Hybrid Entra Join configuration, co-management, and migration sequencing.

Chapter 20: Windows Hello for Business Setup

End-to-end WHfB provisioning: prerequisites, Intune policy configuration, and troubleshooting common enrollment failures.

Chapter 21: AVD — Dedicated Sovereign Tenant

Personal host pool architecture, VM sizing, Nerdio, and CMMC control mapping for a 20-user greenfield deployment.

Chapter 22: AVD — Enclave in Existing Tenant

Device extension attributes, Conditional Access, and DLP to enforce an isolated CUI enclave inside a GCC High tenant you already own.

Chapter 23: AVD — Privileged Admin Workstation

Managed identities and phishing-resistant AVD sessions for zero-credential administrative operations — solving the FIDO2 gap in Teams, SharePoint, and Exchange PowerShell modules.

Chapter 24: Shared PC Mode

Kiosk and shared workstation configuration for non-dedicated endpoint environments.

Chapter 25: Migrating to Entra Join

Phased migration from domain-joined to cloud-managed endpoints without disrupting users.

Device Operations

Chapter 26: Modern Endpoint Operations

The operational model for a cloud-managed device fleet: update rings, compliance policy cadence, and the Intune admin workflow.

Chapter 27: Device Lifecycle & Onboarding

Onboarding new hires, reprovisioning returned devices, and retiring endpoints — including the sanitization evidence trail for MP.L2-3.8.3.

Chapter 28: Mobile Device Management & App Protection

Mobile enrollment models for iOS and Android — MDM and MAM postures, Company Portal vs. Authenticator broker behavior, BYOD strategy, and Play Integrity device attestation.

Chapter 29: Open Intune Baseline Deployment

Layered OIB deployment for CMMC Level 2 — IntuneManagement tool import, GCC High modifications, CMMC control mapping matrix, compliance policies, USB device control, update rings, and Wi-Fi configuration.

Chapter 30: Intune Diagnostics & Audit Evidence

Pulling compliance reports, device configuration state, and policy assignment evidence in the format C3PAO assessors request.

Chapter 31: Defender for Endpoint and the Endpoint Security baseline

MDE onboarding plus the 12 Layer 1 Endpoint Security policies (ASR, AV, BitLocker, WHfB + Cloud Kerberos Trust, LAPS, Local Admins, Firewall, EDR, Exploit Protection, Device Control / Removable Media). CMMC practice mapping, server-fork guidance, and Microsoft Sentinel integration.

Chapter 32: M365 Apps Deployment via ODT

Why the built-in M365 Apps policy fails and how to package a Win32 Intune app using the Office Deployment Tool — with channel control, app exclusions, detection rules, and Company Portal deployment guidance.

Chapter 33: Intune RBAC & Governance

Intune RBAC role design, scope tags, and assignment filters — delegation model and tagging taxonomy for a well-governed Intune environment.

Chapter 34: Entra Device Hygiene

Identifying and removing stale or duplicate Entra device objects at scale — trust type priority ranking, two-phase disable-then-delete process, pre-imaging checklist, and BitLocker key preservation.

Chapter 35: GPO-to-Intune Migration

Top-down approach for migrating Group Policy estates into a structured Intune policy architecture using the Open Intune Baseline taxonomy, Group Policy Analytics, and a five-tier policy hierarchy.


Phase 4: Data Protection

Goal

Encrypt and tag CUI wherever it travels — files, email, Teams messages, and structured data in Azure SQL — so that label-based controls follow the data, not the location.

Information Protection Architecture

Chapter 36: Data Protection Requirements

CMMC and NIST SP 800-171 control mapping for the information protection domain. CUI label taxonomy design.

Chapter 37: Asset Inventory

Content Explorer for labeled cloud content, the Purview Information Protection Scanner for on-premises shares, and Intune device inventory for auditors.

Chapter 38: Compliance Manager Assessment

Using Microsoft Purview Compliance Manager to run a CMMC Level 2 gap assessment and generate improvement action evidence.

Chapter 39: Purview Deployment Blueprint

Phased rollout sequence for sensitivity labels, DLP, and auto-labeling across a GCC High tenant.

Chapter 40: Structured Data Governance

Purview Data Map for Azure SQL classification, Power BI Row-Level Security to restore source system access controls, and Copilot grounding governance.

Information Protection Implementation

Chapter 41: Sensitive Information Types & Classifiers

Built-in and trainable classifiers for CUI detection. Custom SITs for business-specific patterns.

Chapter 42: Sensitivity Labels

Label taxonomy design, encryption configuration, and auto-labeling policy for GCC High sovereign endpoints.

Chapter 43: Data Loss Prevention Policies

DLP policy scope for Exchange, SharePoint, OneDrive, Teams, and endpoints — with CMMC control mapping and GCC High sovereign endpoint notes.

Chapter 44: Incident Response & Insider Risk

Purview Insider Risk Management for data exfiltration detection, alert triage workflow, and HR connector integration.

Chapter 45: Information Protection Scanner

On-premises file share scanning with the Purview AIP scanner: deployment, scan rule configuration, and SQL audit queries.

Chapter 46: CAB Runbook — Sensitivity Labels & DLP

Change Advisory Board submission template for deploying a sensitivity label taxonomy and foundational DLP policies — including implementation plan, validation checklist, rollback procedures, and risk register.

Chapter 47: Secure Collaboration

Sensitivity labels in Teams and SharePoint, external sharing controls, and the Teams Voice constraint in GCC High (no Calling Plans — Direct Routing required).


Phase 5: Microsoft 365 Security

Goal

Prove to auditors that you are watching. Active monitoring satisfies AU and IR domain controls and generates the continuous-monitoring evidence required for CMMC assessment.

Chapter 48: Threat Defense

Unified threat detection across endpoint, email, identity, and cloud apps. Defender for Cloud Apps shadow IT discovery and App Governance for OAuth risk.

Chapter 49: SIEM Strategy

Microsoft Sentinel architecture for GCC High: missing data connectors, custom log ingestion workarounds, and KQL alert rules for AU.L2-3.3.1.

Chapter 50: Audit Readiness

Purview Audit Premium for MailItemsAccessed forensics, diagnostic settings for 1-year log retention, and the audit evidence package structure for a C3PAO assessment.


Appendices

Goal

Reference material for implementation and assessment. Each appendix is designed to be extracted as a standalone deliverable for your SSP or C3PAO evidence package.

Appendix A: CMMC Level 2 Control Matrix

All 110 CMMC Level 2 practices mapped to the Microsoft technology that satisfies each control, with chapter cross-references.

Appendix B: Intune Baseline Configurations

Verbatim Open Intune Baseline (OIB) policy exports — ASR, Exploit Protection, Defender for Endpoint, BitLocker, Windows Hello for Business, LAPS, banner, session lock, removable media, and telemetry.

Appendix C: Licensing & Compliance Matrix

G3 vs. G5 feature comparison mapped to CMMC Level 2 practices. Covers Defender XDR workloads, Purview compliance features, Intune compliance posture, and the E5 Security add-on middle ground.

Appendix D: AVD Deployment & Operations

  • AVD Deployment Runbook — Step-by-step runbook from empty subscription to 20 Entra-joined, Intune-enrolled session hosts: VNet, Azure Firewall, UDR, host pool, Entra SSO configuration, and validation.
  • AVD Firewall Reference — Azure Firewall application and network rule collections for GCC High AVD, with customer rule template and troubleshooting KQL.
  • AVD Deployment Timeline — Phased 65-hour implementation guide for a greenfield 20-VM personal pool deployment.

Security Assessments

Goal

Assess an existing Microsoft 365 and Azure tenant against a structured 53-check posture framework aligned to Microsoft's published Zero Trust Assessment. This section is intended for organizations evaluating their current tenant before (or instead of) following the implementation chapters of the book.

Identity

21 checks across privileged identity, Conditional Access, authentication strength, guest governance, and identity monitoring — drawn from Microsoft's published Zero Trust Identity assessment.

Devices

16 checks across device enrollment, endpoint protection, encryption, patching, and security baselines for Windows, macOS, iOS/iPadOS, and Android.

Data

11 checks across sensitivity labels, label-based encryption, container labels, auto-labeling, data loss prevention, and Purview audit logging.

Network

5 checks across Azure network security services (DDoS Protection, Azure Firewall, Application Gateway WAF, Front Door WAF) — applies to engagements covering Azure-hosted workloads.


What's New

Release notes and update history. If you've read a previous version, start here to see what changed.