
What Secureframe configures in your Microsoft GCC High tenant

Tenant configuration for GCC High

Written by Secureframe Engineering

When you connect Microsoft GCC High through Secureframe's guided flow, we establish a boundary for Controlled Unclassified Information (CUI) and then apply a broad set of CMMC security controls across your tenant. This article summarizes what we create during setup and what we configure afterward. If you'd like more detail on any item or the reasoning behind it, just reach out.

Looking for a more detailed list of changes? Log in and go here: Detailed list of Secureframe changes

Setup

Secureframe begins by creating the identity boundary for your CUI environment. We create a dedicated administrative unit named "Defense Trust Boundary" and three security groups — CUI Users, IT Admins, and Super Admins. The people you designate are added to the administrative unit and then to their respective group. To centralize emergency access, we assign the Super Admins group the Global Administrator role and then remove that role from each individual Super Admin, so Global Administrator is inherited through the group rather than held by specific people. (The Super Admins group has to be created as a role-assignable group: Entra does not allow an existing group to be converted, and it restricts who can change a role-assignable group's membership.)
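The setup sequence above, as an added example in Microsoft Graph PowerShell (this is not Secureframe's own code). It assumes the Microsoft.Graph module, an admin session with AdministrativeUnit.ReadWrite.All, Group.ReadWrite.All and RoleManagement.ReadWrite.Directory, and that the two user principal names and the `example.onmicrosoft.us` tenant are placeholders. It connects to the USGov environment and uses the graph.microsoft.us host, which is what a GCC High tenant requires; run it from an account that is not in the Super Admins list so the last step cannot remove your own access.

```powershell
# Added example (not Secureframe's code): administrative unit, role-assignable
# break-glass group, Global Administrator assigned to the group, direct
# assignments removed. Assumes Microsoft.Graph PowerShell; names are placeholders.
Connect-MgGraph -Environment USGov -Scopes 'AdministrativeUnit.ReadWrite.All','Group.ReadWrite.All','RoleManagement.ReadWrite.Directory' -NoWelcome

$GlobalAdminTemplate = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator template id
$SuperAdminUpns = @('alice@example.onmicrosoft.us', 'bob@example.onmicrosoft.us')   # placeholders
$GraphHost = 'https://graph.microsoft.us'   # GCC High Graph endpoint (graph.microsoft.com would be wrong here)

# 1. Administrative unit that scopes the CUI identity boundary.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Defense Trust Boundary' -Description 'CUI identity boundary'

# 2. Role-assignable group. IsAssignableToRole can only be set at creation, and
#    the group must be security-enabled and not mail-enabled; a normal group
#    cannot be converted later.
$group = New-MgGroup -DisplayName 'Super Admins' -MailNickname 'superadmins' -MailEnabled:$false `
    -SecurityEnabled -IsAssignableToRole -Description 'Break-glass holders of Global Administrator'

$users = $SuperAdminUpns | ForEach-Object { Get-MgUser -UserId $_ }
foreach ($u in $users) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{ '@odata.id' = "$GraphHost/v1.0/users/$($u.Id)" }
    New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{ '@odata.id' = "$GraphHost/v1.0/users/$($u.Id)" }
}

# 3. Make sure the role is activated in the tenant, assign it to the group at
#    tenant scope, then remove each person's direct assignment so that group
#    membership is the only path to Global Administrator.
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplate'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $GlobalAdminTemplate }
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $GlobalAdminTemplate -PrincipalId $group.Id -DirectoryScopeId '/' | Out-Null

$direct = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$GlobalAdminTemplate'" -All |
    Where-Object { $_.PrincipalId -in $users.Id }
foreach ($a in $direct) { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id }

# 4. Check: Global Administrator should now be held by the group (plus any other
#    principals you expect, e.g. a cloud-only emergency account).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$GlobalAdminTemplate'" -All |
    ForEach-Object {
        $tag = if ($_.PrincipalId -eq $group.Id) { '(Super Admins group)' } else { '(direct)' }
        "$($_.PrincipalId) $tag"
    }
```

The final listing is the evidence an assessor will want: anything still tagged `(direct)` is standing privilege that the group model was meant to remove.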

For document storage, we create a SharePoint site named "CUI Shared Drive" and grant the CUI Users group access to it. For administration, we create a custom GCC High IT Admin role for the IT Admins group. We also harden sign-in by disabling SMS and voice as authentication methods and enabling Microsoft Authenticator and FIDO2 security keys.

Setup also creates several Conditional Access policies in report-only mode so they can be reviewed before they're enforced. These include requiring MFA for CUI Users, blocking legacy authentication, and requiring a compliant device for CUI access, along with risk-based policies that require MFA for risky sign-ins and a password change for compromised users. We additionally configure a policy that prevents users from approving OAuth data-access requests from applications. Finally, we add a system-use notice that appears at login: "You are accessing a [your organization] production information system that is provided for authorized use only. Use of this system must be in accordance with the company's acceptable use policy and is subject to monitoring and auditing."

Why this matters for CMMC: This establishes the access-control foundation CMMC requires. A scoped administrative boundary and role-based groups let you limit CUI access to authorized people and enforce least privilege and separation of duties (Access Control family). Holding Global Administrator through a controlled break-glass group keeps standing privilege low and makes privileged actions attributable. Requiring MFA, enabling a phishing-resistant factor (FIDO2 security keys) and disabling weak SMS and voice factors meets the multifactor-authentication objective (Identification & Authentication, e.g., IA.L2-3.5.3), and the login system-use notice satisfies the requirement to display a use notification before granting access (AC.L2-3.1.9). Creating the policies in report-only first lets you validate impact before enforcing, so you meet the requirements without locking out authorized users.

Configuration

After setup, Secureframe configures a range of service-specific settings across Microsoft Entra, Exchange Online, Microsoft Defender, Microsoft Purview, SharePoint, Teams, and Intune.

Authentication and passwords

In Microsoft Entra, we confirm the authentication-method posture from setup — SMS and voice disabled, Microsoft Authenticator and FIDO2 enabled — and configure a banned-password list with smart lockout to resist password-guessing attacks. We also disable password expiration on the default domain, in line with current guidance that favors strong, unexpiring passwords backed by MFA over forced rotation.
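The password settings described above, as an added Graph PowerShell example (not Secureframe's code). It assumes the Microsoft.Graph module with Domain.ReadWrite.All and Directory.ReadWrite.All, that the banned terms are placeholders for your own organization-specific words, and that the "Password Rule Settings" directory-setting template id (a well-known id, but exposed only through the beta endpoint) is the right target in your tenant.

```powershell
# Added example (not Secureframe's code): unexpiring passwords on the default
# domain, custom banned-password list and smart lockout, then a read-back check.
Connect-MgGraph -Environment USGov -Scopes 'Domain.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome

# 1. Disable expiration on the default domain. 2147483647 (Int32.MaxValue) is
#    the documented "never expires" value for PasswordValidityPeriodInDays.
$default = Get-MgDomain | Where-Object IsDefault
Update-MgDomain -DomainId $default.Id -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 14

# 2. Password protection is a directory setting built from the "Password Rule
#    Settings" template. All values are strings; the banned list is tab-separated.
$templateId = '5cf42378-d67d-4f36-ba46-e8b86229381d'   # well-known template id for Password Rule Settings
$existing = (Invoke-MgGraphRequest -Method GET -Uri '/beta/settings').value |
    Where-Object { $_.templateId -eq $templateId }

$bannedTerms = @('acme', 'acme2025', 'cui', 'gcchigh') -join "`t"   # placeholder terms; use your org's names
$values = @(
    @{ name = 'EnableBannedPasswordCheck'; value = 'True' }
    @{ name = 'BannedPasswordList';        value = $bannedTerms }
    @{ name = 'LockoutThreshold';          value = '10' }   # failed attempts before smart lockout
    @{ name = 'LockoutDurationInSeconds';  value = '60' }   # first lockout; Entra lengthens repeats
)
if ($existing) {
    Invoke-MgGraphRequest -Method PATCH -Uri "/beta/settings/$($existing.id)" -Body @{ values = $values }
} else {
    Invoke-MgGraphRequest -Method POST -Uri '/beta/settings' -Body @{ templateId = $templateId; values = $values }
}

# 3. Read both settings back and fail loudly if they are not what the evidence needs.
$dom = Get-MgDomain -DomainId $default.Id
$pw  = (Invoke-MgGraphRequest -Method GET -Uri '/beta/settings').value |
    Where-Object { $_.templateId -eq $templateId }
$check = @{}
foreach ($v in $pw.values) { $check[$v.name] = $v.value }

if ($dom.PasswordValidityPeriodInDays -ne 2147483647) { throw "Password expiration is still enabled on $($dom.Id)" }
if ($check['EnableBannedPasswordCheck'] -ne 'True')   { throw 'Custom banned-password check is off' }
[pscustomobject]@{
    Domain          = $dom.Id
    ValidityDays    = $dom.PasswordValidityPeriodInDays
    BannedTermCount = ($check['BannedPasswordList'] -split "`t").Count
    LockoutAfter    = $check['LockoutThreshold']
    LockoutSeconds  = $check['LockoutDurationInSeconds']
}
```

Note that the custom banned list is layered on Microsoft's global banned list, which is always enforced; the custom list is where product names, site names and other organization-specific terms go.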

Why this matters for CMMC: The Identification & Authentication family requires strong authenticator management — multifactor authentication for access to CUI and protection against weak or easily guessed passwords (IA.L2-3.5.x). A phishing-resistant method (FIDO2 security keys), a banned-password list, and smart lockout directly support those objectives, and removing forced expiration aligns with federal guidance (NIST SP 800-63B), which favors long, unique, MFA-backed credentials over rotation that tends to weaken password quality.

Identity, users, and external access

We tighten who can do what in your directory. End users are blocked from registering new applications and from consenting to applications that request access to your data. Guest access is restricted so that only admins and designated guest inviters can invite guests, guests are placed in the Restricted Guest User role, and default cross-tenant B2B collaboration is blocked in both directions.
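The directory settings above, as an added Graph PowerShell example (not Secureframe's code). It assumes the Microsoft.Graph module with Policy.ReadWrite.Authorization and Policy.ReadWrite.CrossTenantAccess; the Restricted Guest User role id is the fixed built-in template id. It uses the REST paths directly through `Invoke-MgGraphRequest`, which behave the same in every cloud once the session is connected to USGov.

```powershell
# Added example (not Secureframe's code): no user app registration, no user
# consent, admins/guest-inviters only, restricted guest role, and default
# cross-tenant B2B collaboration blocked both ways. Then a read-back.
Connect-MgGraph -Environment USGov -Scopes 'Policy.ReadWrite.Authorization','Policy.ReadWrite.CrossTenantAccess' -NoWelcome

# Built-in guest role template ids are fixed across tenants:
#   Guest User (default)   10dae51f-b6af-4016-8d66-8c2a99b929b3
#   Restricted Guest User  2af84b1e-32c8-42b7-82bc-daa82404023b  (cannot enumerate users/groups)
$RestrictedGuestRole = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# 1. Authorization policy (a tenant singleton). An empty
#    permissionGrantPoliciesAssigned list means no user may consent to any app.
Invoke-MgGraphRequest -Method PATCH -Uri '/v1.0/policies/authorizationPolicy' -Body @{
    allowInvitesFrom           = 'adminsAndGuestInviters'
    guestUserRoleId            = $RestrictedGuestRole
    defaultUserRolePermissions = @{
        allowedToCreateApps             = $false
        permissionGrantPoliciesAssigned = @()
    }
}

# 2. Cross-tenant access "default" settings apply to every partner tenant that
#    has no specific policy. Block inbound and outbound B2B collaboration for
#    all users and all applications; per-partner policies can re-open it later.
$blockAll = @{
    usersAndGroups = @{ accessType = 'blocked'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
    applications   = @{ accessType = 'blocked'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
}
Invoke-MgGraphRequest -Method PATCH -Uri '/v1.0/policies/crossTenantAccessPolicy/default' -Body @{
    b2bCollaborationInbound  = $blockAll
    b2bCollaborationOutbound = $blockAll
}

# 3. Read back: these are the values an assessor will ask you to show.
$auth = Invoke-MgGraphRequest -Method GET -Uri '/v1.0/policies/authorizationPolicy'
$xtap = Invoke-MgGraphRequest -Method GET -Uri '/v1.0/policies/crossTenantAccessPolicy/default'
[pscustomobject]@{
    UsersCanRegisterApps = $auth.defaultUserRolePermissions.allowedToCreateApps
    UserConsentPolicies  = @($auth.defaultUserRolePermissions.permissionGrantPoliciesAssigned).Count   # expect 0
    WhoCanInvite         = $auth.allowInvitesFrom
    GuestRoleIsRestricted = ($auth.guestUserRoleId -eq $RestrictedGuestRole)
    B2BInboundUsers      = $xtap.b2bCollaborationInbound.usersAndGroups.accessType
    B2BOutboundUsers     = $xtap.b2bCollaborationOutbound.usersAndGroups.accessType
}
```

Blocking the cross-tenant defaults does not remove guests who are already in the directory; it stops new B2B collaboration with tenants that have no explicit partner policy, which is the point of an allow-by-exception boundary.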

Why this matters for CMMC: Access Control requires you to limit system access to authorized users and to control the flow of CUI, including connections to external systems (AC.L2-3.1.x, including external-connection controls). Blocking user app registration and consent prevents unsanctioned applications from gaining access to CUI, and restricting guest invitations, guest privileges, and cross-tenant collaboration ensures external access to your environment is allowed only where it's explicitly authorized.

Conditional access

Beyond the setup policies, we add a fuller set of Conditional Access policies in Microsoft Entra: blocking legacy authentication, requiring MFA for CUI Users, requiring a compliant or managed device, enforcing a one-hour session timeout, blocking high-risk sign-ins and high-risk users, blocking device code flow, and requiring phishing-resistant MFA for administrators. We also create a "System Use Notice" terms-of-use statement and require users to accept it at login.
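The report-only-first pattern from Setup and two of the policies in the list above (blocking legacy authentication, and phishing-resistant MFA for administrators), as an added Graph PowerShell example that is not Secureframe's code. It assumes the Microsoft.Graph module with Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All, a placeholder break-glass group id to exclude from every policy, and the built-in authentication-strength and role template ids, which are fixed across tenants.

```powershell
# Added example (not Secureframe's code): create two Conditional Access policies
# in report-only mode, then measure what they would have blocked before enabling.
Connect-MgGraph -Environment USGov -Scopes 'Policy.ReadWrite.ConditionalAccess','AuditLog.Read.All' -NoWelcome

$GlobalAdminRole   = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator template id
$PhishResistantMfa = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" strength
$BreakGlass        = 'REPLACE-WITH-SUPER-ADMINS-GROUP-ID'     # placeholder; always excluded

$policies = @(
    @{
        displayName = 'CMMC - Block legacy authentication'
        state       = 'enabledForReportingButNotEnforced'   # report-only
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client types
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName = 'CMMC - Phishing-resistant MFA for administrators'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeRoles = @($GlobalAdminRole); excludeGroups = @($BreakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        # authenticationStrength replaces the plain "mfa" built-in control
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $PhishResistantMfa } }
    }
)

$created = foreach ($p in $policies) { New-MgIdentityConditionalAccessPolicy -BodyParameter $p }
$created | ForEach-Object { '{0,-55} {1}' -f $_.DisplayName, $_.State }

# Impact check after the policies have observed a day or two of sign-ins.
# In report-only mode a sign-in that would not have satisfied the policy is
# recorded as 'reportOnlyFailure'; count those per policy.
$since = (Get-Date).ToUniversalTime().AddDays(-2).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.DisplayName -like 'CMMC - *' -and $_.Result -eq 'reportOnlyFailure' } |
    Group-Object DisplayName |
    Select-Object Name, Count

# Only once the failures are understood (and real exceptions handled) flip to enforced:
# foreach ($c in $created) { Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $c.Id -State 'enabled' }
```

Two practical notes: a "block legacy authentication" policy that is enforced before SMTP AUTH, POP and IMAP are turned off on the mail side will surface as exactly those failures, which is why the report-only count matters; and the break-glass exclusion is what keeps a mis-scoped policy from locking every administrator out at once.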

Why this matters for CMMC: These policies enforce Access Control and System & Communications Protection at the point of sign-in. Requiring MFA and a compliant device for CUI access, and blocking legacy protocols that cannot perform MFA, keep access limited to authorized users on trusted devices. Limiting session lifetime supports session-termination requirements, phishing-resistant MFA for administrators reinforces privileged-access control, and the terms-of-use acceptance reinforces the system-use-notification requirement (AC.L2-3.1.9). The risk-based policies support System & Information Integrity and Incident Response by reacting to compromised credentials and risky sign-ins.

Privileged access

To protect your most sensitive roles, we harden Privileged Identity Management activation for Tier-0 directory roles so that activating them requires approval, MFA, and a justification, with a two-hour activation cap.
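The PIM activation rules above, as an added Graph PowerShell example (not Secureframe's code). It assumes the Microsoft.Graph module with RoleManagementPolicy.ReadWrite.Directory and RoleManagement.Read.Directory, a placeholder approver group id, and that the Tier-0 set is Global Administrator and Privileged Role Administrator (both are fixed template ids; add others as your tiering dictates).

```powershell
# Added example (not Secureframe's code): for each Tier-0 role, cap activation
# at two hours, require MFA plus justification, and require single-stage
# approval by a group. Each rule is PATCHed on the role's management policy.
Connect-MgGraph -Environment USGov -Scopes 'RoleManagementPolicy.ReadWrite.Directory','RoleManagement.Read.Directory' -NoWelcome

$ApproverGroup = 'REPLACE-WITH-IT-ADMINS-GROUP-ID'   # placeholder
$Tier0Roles = @{
    'Global Administrator'          = '62e90394-69f5-4237-9190-012177145e10'
    'Privileged Role Administrator' = 'e8611ab8-c189-46e8-94e1-60213ab1f814'
}

# The rule target is required on PATCH; EndUser + Assignment selects the
# "activation" rules as opposed to the admin eligibility/assignment rules.
$target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'; inheritableSettings = @(); enforcedSettings = @() }

foreach ($name in $Tier0Roles.Keys) {
    # Every directory role has exactly one policy assignment at tenant scope '/'.
    $filter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($Tier0Roles[$name])'"
    $assignment = (Invoke-MgGraphRequest -Method GET -Uri "/v1.0/policies/roleManagementPolicyAssignments?`$filter=$filter").value
    $base = "/v1.0/policies/roleManagementPolicies/$($assignment[0].policyId)/rules"

    # Two-hour activation cap.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/Expiration_EndUser_Assignment" -Body @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        id                   = 'Expiration_EndUser_Assignment'
        isExpirationRequired = $true
        maximumDuration      = 'PT2H'
        target               = $target
    }
    # MFA and a justification on activation.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/Enablement_EndUser_Assignment" -Body @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        id            = 'Enablement_EndUser_Assignment'
        enabledRules  = @('MultiFactorAuthentication', 'Justification')
        target        = $target
    }
    # Single-stage approval by the approver group.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/Approval_EndUser_Assignment" -Body @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        id            = 'Approval_EndUser_Assignment'
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = 'SingleStage'
            approvalStages                   = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $ApproverGroup })
            })
        }
        target        = $target
    }

    # Read the activation rules back as evidence.
    $rules = (Invoke-MgGraphRequest -Method GET -Uri $base).value | Where-Object { $_.id -like '*_EndUser_Assignment' }
    foreach ($r in $rules) {
        switch ($r.id) {
            'Expiration_EndUser_Assignment' { "$name : max activation $($r.maximumDuration)" }
            'Enablement_EndUser_Assignment' { "$name : activation requires $($r.enabledRules -join ', ')" }
            'Approval_EndUser_Assignment'   { "$name : approval required = $($r.setting.isApprovalRequired)" }
        }
    }
}
```

One caveat worth planning for: if every member of the approver group is also the only eligible holder of the role, an approval-gated activation can deadlock during an incident, which is another reason the Super Admins group holds Global Administrator as a permanent, non-PIM break-glass assignment.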

Why this matters for CMMC: Access Control requires least privilege and tight control of privileged accounts (AC.L2-3.1.5 through 3.1.7). Time-bound, approval-gated, MFA-protected activation for your most powerful (Tier-0) roles ensures administrative rights are granted only when needed and are fully attributable, which reduces standing privilege and supports accountability for privileged use.

Apps and services

We reduce unnecessary exposure by disabling the Cortana service principal, disabling Microsoft Forms (per user, via licensing), and disabling Microsoft Bookings tenant-wide. We also set a 15-minute idle timeout for web sessions.
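The Entra side of the three changes above (the Cortana service principal, per-user Forms licensing, and the web-session idle timeout), as an added Graph PowerShell example that is not Secureframe's code. It assumes the Microsoft.Graph module with Application.ReadWrite.All, User.ReadWrite.All, Organization.Read.All and Policy.ReadWrite.ApplicationConfiguration; the user principal name is a placeholder, and matching Cortana by display name is an assumption you should confirm against the AppId in your tenant. Bookings is an Exchange Online organization setting (`Set-OrganizationConfig -BookingsEnabled $false`) and is not repeated here.

```powershell
# Added example (not Secureframe's code): disable the Cortana service principal,
# remove the Forms service plan from a user's license, and set a 15-minute
# activity-based web session timeout.
Connect-MgGraph -Environment USGov -Scopes 'Application.ReadWrite.All','User.ReadWrite.All','Organization.Read.All','Policy.ReadWrite.ApplicationConfiguration' -NoWelcome

# 1. Cortana: disabling the service principal stops token issuance to the app
#    for every user. Assumption: the display name is 'Cortana' in this tenant.
foreach ($sp in (Get-MgServicePrincipal -Filter "displayName eq 'Cortana'")) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    "Disabled service principal $($sp.DisplayName) ($($sp.AppId))"
}

# 2. Forms has no tenant-wide switch; it is removed per user by disabling the
#    Forms service plan inside each assigned SKU while preserving every plan
#    that was already disabled. Plan names differ by cloud (e.g. FORMS_GOV_E5
#    in GCC High), so match on the prefix rather than a literal name.
function Disable-FormsForUser {
    param([Parameter(Mandatory)][string]$UserId)
    $user = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, AssignedLicenses
    $skus = Get-MgSubscribedSku
    foreach ($lic in $user.AssignedLicenses) {
        $sku   = $skus | Where-Object SkuId -eq $lic.SkuId
        $forms = @($sku.ServicePlans | Where-Object ServicePlanName -like 'FORMS*' | Select-Object -ExpandProperty ServicePlanId)
        if ($forms.Count -eq 0) { continue }
        $disabled = @(@($lic.DisabledPlans) + $forms | Select-Object -Unique)
        Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $lic.SkuId; DisabledPlans = $disabled }) -RemoveLicenses @() | Out-Null
        "$($user.UserPrincipalName): disabled $($forms.Count) Forms plan(s) in $($sku.SkuPartNumber)"
    }
}
Disable-FormsForUser -UserId 'user@example.onmicrosoft.us'   # placeholder UPN

# 3. The web-session idle timeout is an activityBasedTimeoutPolicy; a single
#    organization-default policy applies to the Microsoft 365 web apps.
$definition = @{
    ActivityBasedTimeoutPolicy = @{
        Version             = 1
        ApplicationPolicies = @(@{ ApplicationId = 'default'; WebSessionIdleTimeout = '00:15:00' })
    }
} | ConvertTo-Json -Depth 5 -Compress
New-MgPolicyActivityBasedTimeoutPolicy -DisplayName 'CMMC 15-minute idle timeout' -IsOrganizationDefault -Definition @($definition) | Out-Null

# Verify the org-default timeout policy and its definition.
Get-MgPolicyActivityBasedTimeoutPolicy | Where-Object IsOrganizationDefault | Select-Object DisplayName, Definition
```

Wrap `Disable-FormsForUser` in a loop over `Get-MgUser -All` to apply it tenant-wide; doing it per SKU, as above, is what avoids accidentally re-enabling plans an earlier licensing decision had turned off.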

Why this matters for CMMC: Configuration Management requires the principle of least functionality — providing only essential capabilities and disabling nonessential services (CM.L2-3.4.6 and 3.4.7). Turning off unused services such as Cortana, Forms, and Bookings reduces the attack surface and the number of unsanctioned data paths, and the short web-session idle timeout enforces session termination after inactivity (AC.L2-3.1.11).

Email security

In Exchange Online and Microsoft Defender, we apply extensive email protections. Mail-flow rules encrypt CUI-labeled email (in audit mode to start), block external auto-forwarding, and block mailbox forwarding to external recipients. We configure an outbound TLS partner connector and route CUI mail through it, disable auto-forwarding on the default remote domain, disable SMTP client authentication tenant-wide, and disable POP and IMAP on the default mailbox plan. For each custom domain, we provision a DKIM key pair and CNAME selectors (with signing left disabled until you publish the records).
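The Exchange Online part of the email hardening above, as an added example in the ExchangeOnlineManagement module (not Secureframe's code). It assumes placeholder values for your domain, the partner smart host and recipient domain, and the GUID of your CUI sensitivity label; the `O365USGovGCCHigh` environment name is what routes the session to the GCC High endpoints.

```powershell
# Added example (not Secureframe's code): legacy protocol shutdown, external
# auto-forward block, TLS partner connector with CUI routing, encrypt-in-audit
# rule for CUI-labeled mail, DKIM provisioning, and a posture check.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false

$YourDomain    = 'example.us'             # placeholder
$PartnerHost   = 'mail.partner.example'   # placeholder smart host for CUI mail
$PartnerDomain = 'partner.example'        # placeholder
$CuiLabelId    = 'REPLACE-WITH-CUI-LABEL-GUID'

# 1. SMTP AUTH, POP and IMAP cannot satisfy MFA, and auto-forward to the
#    internet is the classic mailbox-compromise exfiltration path.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Inbox rules and mailbox forwarding both yield the AutoForward message type.
New-TransportRule -Name 'CMMC - Block external auto-forwarding' -Priority 0 `
    -FromScope InOrganization -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is blocked.' `
    -RejectMessageEnhancedStatusCode '5.7.1' | Out-Null

# 2. A transport-rule-scoped Partner connector that only sends over TLS with a
#    validated certificate, plus a rule routing CUI-labeled mail through it.
#    The msip_labels header carries MSIP_Label_<labelGuid>_Enabled=true for
#    each applied sensitivity label.
New-OutboundConnector -Name 'CMMC - CUI TLS partner' -ConnectorType Partner -UseMXRecord $false `
    -SmartHosts $PartnerHost -TlsSettings CertificateValidation -IsTransportRuleScoped $true `
    -RecipientDomains $PartnerDomain -Enabled $true | Out-Null

$cuiHeaderMatch = "MSIP_Label_${CuiLabelId}_Enabled=true"
New-TransportRule -Name 'CMMC - Route CUI mail via TLS connector' `
    -HeaderContainsMessageHeader 'msip_labels' -HeaderContainsWords $cuiHeaderMatch `
    -RecipientDomainIs $PartnerDomain -RouteMessageOutboundConnector 'CMMC - CUI TLS partner' | Out-Null

# Encrypt CUI-labeled mail leaving the org. Audit mode logs the matches without
# changing delivery, which is how you discover mislabeled or automated mail first.
New-TransportRule -Name 'CMMC - Encrypt CUI-labeled mail (audit)' -Mode Audit `
    -HeaderContainsMessageHeader 'msip_labels' -HeaderContainsWords $cuiHeaderMatch `
    -SentToScope NotInOrganization -ApplyRightsProtectionTemplate 'Encrypt' | Out-Null

# 3. DKIM: create the key pair but keep signing off until both CNAMEs are
#    published; signing first would produce mail receivers cannot verify.
New-DkimSigningConfig -DomainName $YourDomain -Enabled $false -KeySize 2048 | Out-Null
Get-DkimSigningConfig -Identity $YourDomain | Format-List Domain, Enabled, Selector1CNAME, Selector2CNAME

# Posture check: the first three should read True / 0 / False, and the last is
# the count of mailboxes still forwarding somewhere (inspect each one).
[pscustomobject]@{
    SmtpAuthDisabled       = (Get-TransportConfig).SmtpClientAuthenticationDisabled
    PlansWithPopOrImap     = @(Get-CASMailboxPlan | Where-Object { $_.PopEnabled -or $_.ImapEnabled }).Count
    DefaultAutoForward     = (Get-RemoteDomain -Identity Default).AutoForwardEnabled
    MailboxesForwarding    = @(Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }).Count
}
```

After the two CNAMEs are live, `Set-DkimSigningConfig -Identity $YourDomain -Enabled $true` turns signing on; until then outbound mail is still signed with the tenant's default `onmicrosoft` domain, which is why receivers see alignment failures for the custom domain.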

On the Defender side, we configure aggressive anti-phishing with quarantine actions and add your SSO domains as targeted-domain protection; enable Safe Attachments with dynamic delivery, extend Safe Attachments to SharePoint, OneDrive, and Teams, and turn on Safe Links scanning across email, Teams, and Office. The default malware filter blocks roughly fifty executable and script attachment types and enables zero-hour auto-purge with admin notifications. The default connection filter clears any IP allow-list and disables the safe-list, and the default content filter quarantines high-confidence spam, tightens inbound anti-spam thresholds, clears sender allow-lists, and enables phishing zero-hour auto-purge. We also bootstrap Microsoft's recommended presets — the EOP Standard preset for anti-spam, anti-phishing, and anti-malware, and the ATP Strict preset for Safe Attachments and Safe Links — and normalize the preset rules to apply to all recipients.
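The Defender for Office 365 and EOP settings above, as an added example using the same ExchangeOnlineManagement session (not Secureframe's code). Domain names and the admin mailbox are placeholders, and the preset-policy rule names assume the Standard and Strict presets have been created at least once so their rules exist.

```powershell
# Added example (not Secureframe's code): anti-phish, Safe Attachments, Safe
# Links, malware/connection/content filter defaults, and the preset policies.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false

$Domains   = @('example.us')       # placeholder: domains to protect from impersonation
$AdminMail = 'secops@example.us'   # placeholder: admin notification address

# Anti-phishing: impersonation protection for your own domains, mailbox
# intelligence, threshold 3 ("more aggressive"), quarantine on every action.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $Domains -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine -PhishThresholdLevel 3 `
    -EnableFirstContactSafetyTips $true -EnableUnauthenticatedSender $true -EnableViaTag $true

# Safe Attachments with dynamic delivery (body now, attachment after detonation),
# extended to files in SharePoint, OneDrive and Teams.
if (-not (Get-SafeAttachmentPolicy -Identity 'CMMC Safe Attachments' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name 'CMMC Safe Attachments' -Enable $true -Action DynamicDelivery | Out-Null
    New-SafeAttachmentRule -Name 'CMMC Safe Attachments' -SafeAttachmentPolicy 'CMMC Safe Attachments' -RecipientDomainIs $Domains | Out-Null
}
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links for email, Teams and Office clients, with click-through disabled.
if (-not (Get-SafeLinksPolicy -Identity 'CMMC Safe Links' -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name 'CMMC Safe Links' -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false | Out-Null
    New-SafeLinksRule -Name 'CMMC Safe Links' -SafeLinksPolicy 'CMMC Safe Links' -RecipientDomainIs $Domains | Out-Null
}

# Malware filter: common attachment type block on, zero-hour auto-purge on,
# admin notified on internal-sender hits (often the first sign of a compromised mailbox).
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $AdminMail

# Connection filter: no IP allow-list, no safe list. Content filter: quarantine
# high-confidence spam and phish, clear sender allow-lists, enable phish/spam ZAP.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null -EnableSafeList $false
Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine -BulkThreshold 5 -PhishZapEnabled $true -SpamZapEnabled $true `
    -AllowedSenders $null -AllowedSenderDomains $null

# Presets: Standard for EOP, Strict for Defender; clearing the recipient
# conditions scopes each preset to all recipients.
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Set-EOPProtectionPolicyRule    -Identity 'Standard Preset Security Policy' -SentTo $null -SentToMemberOf $null -RecipientDomainIs $null
Enable-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy'
Set-ATPProtectionPolicyRule    -Identity 'Strict Preset Security Policy' -SentTo $null -SentToMemberOf $null -RecipientDomainIs $null

# Evidence: which policies are active and what actions they take.
Get-AntiPhishPolicy | Select-Object Name, Enabled, PhishThresholdLevel, TargetedDomainProtectionAction
Get-MalwareFilterPolicy | Select-Object Name, EnableFileFilter, ZapEnabled, @{ n = 'FileTypeCount'; e = { @($_.FileTypes).Count } }
Get-HostedContentFilterPolicy | Select-Object Name, HighConfidenceSpamAction, PhishZapEnabled, @{ n = 'AllowedSenders'; e = { @($_.AllowedSenders).Count } }
```

Order of precedence matters here: the Strict preset outranks custom policies, which outrank the Standard preset, which outranks the defaults, so a setting changed on the default policy only applies to recipients the presets and custom rules do not already cover.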

Why this matters for CMMC: Email is a primary path for CUI to leave your boundary and for threats to enter, so these controls support System & Communications Protection and System & Information Integrity. Blocking external forwarding, disabling legacy mail protocols, and routing CUI over TLS protect the confidentiality and integrity of CUI in transit (SC.L2-3.13.8 and 3.13.11). Anti-phishing, Safe Attachments and Safe Links, and strict malware and spam filtering provide the malicious-code protection and monitoring CMMC expects (SI.L2-3.14.x), and DKIM helps protect message authenticity.

Audit, labeling, and data loss prevention

In Microsoft Purview, we enable unified audit log ingestion and mailbox auditing for all users, and set unified audit log retention to twelve months. We create a CUI sensitivity label and label policy, and a data loss prevention policy that blocks external sharing of CUI-labeled content. We also set up protection alerts for high-severity events (administrator role changes and malware detection) and medium-severity events (DLP rule matches and external sharing invitations).
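The auditing, label and DLP parts of the Purview configuration above, as an added example in the ExchangeOnlineManagement module (not Secureframe's code). It assumes the GCC High Security & Compliance endpoint shown in the connect call, that the tenant holds the Audit (Premium) entitlement that retention policies beyond the default require, and that the DLP rule's label condition is expressed with the `labels`/`Sensitivity` group syntax. The protection alerts are left to the portal here.

```powershell
# Added example (not Secureframe's code): unified audit ingestion, mailbox
# auditing for all mailboxes, 12-month audit retention, a CUI label and policy,
# and a DLP rule that blocks sharing CUI-labeled content externally.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false
Connect-IPPSSession -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
    -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common'

# 1. Auditing. Mailbox auditing is on by default, but the explicit setting is
#    what goes on the evidence sheet; both cmdlets come from the Exchange session.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

# 2. Retention. Pin the record types investigations lean on to twelve months so
#    the floor does not depend on the per-license default.
New-UnifiedAuditLogRetentionPolicy -Name 'CMMC 12-month audit retention' -Priority 1 -RetentionDuration TwelveMonths `
    -RecordTypes ExchangeAdmin, ExchangeItem, SharePoint, SharePointFileOperation, AzureActiveDirectory, `
                 AzureActiveDirectoryStsLogon, ComplianceDLPExchange, ComplianceDLPSharePoint, MicrosoftTeams | Out-Null

# 3. CUI label, published to everyone through a label policy.
New-Label -Name 'CUI' -DisplayName 'CUI' -Tooltip 'Controlled Unclassified Information' | Out-Null
New-LabelPolicy -Name 'CUI label policy' -Labels 'CUI' -ExchangeLocation All | Out-Null

# 4. DLP: block content carrying the CUI label from reaching anyone outside the
#    organization across Exchange, SharePoint, OneDrive and Teams.
New-DlpCompliancePolicy -Name 'CMMC - CUI external sharing' -Mode Enable `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All | Out-Null
New-DlpComplianceRule -Name 'Block external CUI' -Policy 'CMMC - CUI external sharing' `
    -ContentContainsSensitiveInformation @{
        operator = 'And'
        groups   = @(@{ operator = 'Or'; name = 'CUI label'; labels = @(@{ name = 'CUI'; type = 'Sensitivity' }) })
    } `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier -GenerateIncidentReport SiteAdmin -IncidentReportContent Detections | Out-Null

# Evidence: ingestion on, retention policy present, label published, DLP rule enforcing.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority
Get-LabelPolicy -Identity 'CUI label policy' | Select-Object Name, Labels, Enabled
Get-DlpComplianceRule -Policy 'CMMC - CUI external sharing' | Select-Object Name, BlockAccess, AccessScope, Disabled
```

Label and DLP policies take time to propagate to clients and workloads, so test the rule with a freshly labeled document shared to a personal address rather than trusting the policy object's `Enabled` state alone.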

Why this matters for CMMC: The Audit & Accountability family requires you to create, protect, and retain audit records sufficient to monitor activity and investigate incidents (AU.L2-3.3.1 and 3.3.2), which is why we enable unified and mailbox auditing and retain logs for twelve months. Sensitivity labeling and DLP support Media Protection and Access Control by marking CUI and preventing its unauthorized sharing, and the protection alerts support the Incident Response family by surfacing high-risk events for timely detection and handling.

SharePoint and OneDrive

In the SharePoint admin center, we restrict external sharing to existing guests only, default sharing links to specific people with view-only permission, lock the allowed sharing domains to an empty allow-list, and require a 30-day expiry on external sharing links. We block downloads and sync from unmanaged devices and enable a one-hour idle session sign-out with a five-minute warning. We also disable Microsoft Loop, disable self-service site creation tenant-wide, and block custom scripts.
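The tenant-wide sharing, device and session settings above, as an added example in the Microsoft.Online.SharePoint.PowerShell module (not Secureframe's code). The tenant name is a placeholder; GCC High admin centers live under `.sharepoint.us` and need `-Region ITAR`. The empty sharing-domain allow-list, self-service site creation and custom-script settings are not repeated here, since those are easier to set and verify in the admin center.

```powershell
# Added example (not Secureframe's code): external sharing limits, link
# defaults, external-user expiry, unmanaged-device restriction, idle sign-out,
# Loop off, then a read-back.
$Tenant = 'contoso'   # placeholder
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.us" -Region ITAR

# Sharing: only guests who already exist in the directory can be shared with;
# new links default to "specific people" with view-only; external users'
# access lapses after 30 days unless renewed.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Direct -DefaultLinkPermission View `
    -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30

# Unmanaged devices get browser-only access with download, print and sync
# blocked. This setting is only honoured when the matching Conditional Access
# policy ("Use app enforced restrictions") is enabled in Entra.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Idle session sign-out: warn at 55 minutes, sign out at 60.
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Minutes 55) -SignOutAfter (New-TimeSpan -Minutes 60)

# Least functionality: no Loop workspaces.
Set-SPOTenant -IsLoopEnabled $false

# Evidence
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, `
    ExternalUserExpirationRequired, ExternalUserExpireInDays, ConditionalAccessPolicy, IsLoopEnabled
Get-SPOBrowserIdleSignOut
```

`ExistingExternalUserSharingOnly` is the setting that makes the Entra guest-invitation restriction effective for files: SharePoint cannot mint a new guest on its own, so every external identity that can ever see a document has passed through the invitation path you control.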

Why this matters for CMMC: These settings govern how CUI stored in SharePoint and OneDrive can be shared and accessed, supporting Access Control's limits on CUI flow and external sharing (AC.L2-3.1.3, 3.1.20, and 3.1.22). Restricting external sharing, blocking downloads and sync from unmanaged devices, and enforcing idle sign-out keep CUI inside the authorized boundary and on compliant devices, while disabling custom scripts and self-service site creation reduces configuration risk in line with least-functionality requirements.

Microsoft Teams

In the Teams admin center, we configure meeting and app policies for a controlled collaboration environment. Federated access uses empty allow and block lists, and the global meeting policy auto-admits only people in your organization (PSTN callers cannot bypass the lobby), blocks anonymous users from starting or joining, blocks external participants from taking control, and blocks cloud recording. The live-events policy sets broadcast recording to user override. We block third-party file services (Dropbox, Box, Google Drive, ShareFile, and Egnyte) and email-into-channel, and we restrict apps through permission and setup policies so that global, default, and private catalog apps are limited to an allowed-app list and sideloading is disabled.
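The Teams federation, meeting, client and app settings above, as an added example in the MicrosoftTeams module (not Secureframe's code). It assumes the `TeamsGCCH` environment name for GCC High, a placeholder allowed-app id, and that the `Microsoft.Teams.Policy.Administration.Cmdlets.Core.*CatalogApp` object types are the ones your module version expects for allowed-app lists (Microsoft is moving this to app-centric management, so check the current docs for your version).

```powershell
# Added example (not Secureframe's code): federation off, locked-down global
# meeting policy, live-event recording to user override, third-party storage
# and email-into-channel blocked, allowed-app lists, sideloading disabled.
Connect-MicrosoftTeams -TeamsEnvironmentName TeamsGCCH

# Federation: with external access disabled the allow/block domain lists stay
# empty, which matches an allow-by-exception posture.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false -AllowPublicUsers $false

# Global meeting policy: only your own users bypass the lobby (PSTN callers do
# not), anonymous users cannot start or join, external participants cannot take
# control, and cloud recording is off.
Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers EveryoneInCompany -AllowPSTNUsersToBypassLobby $false `
    -AllowAnonymousUsersToStartMeeting $false -AllowAnonymousUsersToJoinMeeting $false `
    -AllowExternalParticipantGiveRequestControl $false -AllowCloudRecording $false

# Live events: broadcast recording left to the organizer.
Set-CsTeamsMeetingBroadcastPolicy -Identity Global -BroadcastRecordingMode UserOverride

# Client configuration: no third-party file services, no email-into-channel.
Set-CsTeamsClientConfiguration -Identity Global -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false `
    -AllowShareFile $false -AllowEgnyte $false -AllowEmailIntoChannel $false

# App permission policy: every catalog restricted to an explicit allowed list.
# Assumption: these object types are what the module expects for the lists.
$AllowedAppIds = @('com.microsoft.teamspace.tab.planner')   # placeholder
$defaultApps = $AllowedAppIds | ForEach-Object { New-Object -TypeName Microsoft.Teams.Policy.Administration.Cmdlets.Core.DefaultCatalogApp -Property @{ Id = $_ } }
$globalApps  = $AllowedAppIds | ForEach-Object { New-Object -TypeName Microsoft.Teams.Policy.Administration.Cmdlets.Core.GlobalCatalogApp  -Property @{ Id = $_ } }
$privateApps = @()   # nothing from the private (LOB) catalog until it is reviewed
Set-CsTeamsAppPermissionPolicy -Identity Global `
    -DefaultCatalogAppsType AllowedAppList -DefaultCatalogApps $defaultApps `
    -GlobalCatalogAppsType  AllowedAppList -GlobalCatalogApps  $globalApps `
    -PrivateCatalogAppsType AllowedAppList -PrivateCatalogApps $privateApps

# App setup policy: no sideloading of custom apps.
Set-CsTeamsAppSetupPolicy -Identity Global -AllowSideLoading $false

# Evidence
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, AllowAnonymousUsersToJoinMeeting, AllowCloudRecording
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowDropBox, AllowBox, AllowGoogleDrive, AllowShareFile, AllowEgnyte, AllowEmailIntoChannel
Get-CsTeamsAppSetupPolicy -Identity Global | Select-Object AllowSideLoading
```

Policy changes in Teams can take several hours to reach clients; test with a fresh sign-in on a second account rather than assuming the `Get-Cs*` read-back reflects what users see.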

Why this matters for CMMC: Teams is a real-time collaboration and data-sharing surface, so these policies enforce Access Control over who can participate and what can be shared (AC.L2-3.1.x) and least functionality over what apps and integrations are available (CM.L2-3.4.x). Controlling meeting admission, anonymous join, external control, recording, and federation keeps CUI discussions limited to authorized participants, and blocking third-party storage and unapproved apps prevents CUI from flowing to unsanctioned services.

Device compliance

In Microsoft Intune, we create a Windows 10/11 device compliance policy ("Secureframe CMMC Compliance Policy - Windows") that requires Secure Boot, BitLocker encryption, a device password, and Microsoft Defender.
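The compliance policy above, created through Microsoft Graph and assigned to the CUI Users group, as an added Graph PowerShell example (not Secureframe's code). It assumes the Microsoft.Graph module with DeviceManagementConfiguration.ReadWrite.All, a placeholder group id, and an assumed Windows 10 22H2 minimum build, which the original list of requirements does not include.

```powershell
# Added example (not Secureframe's code): Windows compliance policy requiring
# Secure Boot, BitLocker, a device password and Defender; assign it; read it
# back; then list per-device compliance state.
Connect-MgGraph -Environment USGov -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$CuiUsersGroup = 'REPLACE-WITH-CUI-USERS-GROUP-ID'   # placeholder

# Intune rejects a compliance policy with no scheduled action, so the
# "mark noncompliant immediately" block action is part of the create call.
$policy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Secureframe CMMC Compliance Policy - Windows'
    description             = 'Secure Boot, BitLocker, device password, Microsoft Defender'
    secureBootEnabled       = $true
    bitLockerEnabled        = $true
    passwordRequired        = $true
    passwordMinimumLength   = 12
    passwordRequiredType    = 'alphanumeric'
    defenderEnabled         = $true
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    rtpEnabled              = $true                 # real-time protection on
    osMinimumVersion        = '10.0.19045'          # assumption: Windows 10 22H2 floor
    scheduledActionsForRule = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' })
    })
}
$created = Invoke-MgGraphRequest -Method POST -Uri '/v1.0/deviceManagement/deviceCompliancePolicies' -Body $policy

# Assign to the CUI Users group; an unassigned policy evaluates nothing, and the
# Conditional Access "require compliant device" grant then treats every device
# as noncompliant (no policy = not compliant by default).
Invoke-MgGraphRequest -Method POST -Uri "/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" -Body @{
    assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $CuiUsersGroup } })
} | Out-Null

# Evidence: the settings an assessor will ask about.
$p = Invoke-MgGraphRequest -Method GET -Uri "/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)"
[pscustomobject]@{
    Name       = $p.displayName
    SecureBoot = $p.secureBootEnabled
    BitLocker  = $p.bitLockerEnabled
    Password   = $p.passwordRequired
    Defender   = $p.defenderEnabled
    MinimumOS  = $p.osMinimumVersion
}

# Later: per-device state, which is what the "require compliant device" check reads.
(Invoke-MgGraphRequest -Method GET -Uri "/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/deviceStatuses").value |
    ForEach-Object { '{0,-30} {1}' -f $_.deviceDisplayName, $_.status }
```

A zero-hour grace period is deliberate: with any grace period, a device that has just lost BitLocker or Defender keeps satisfying the compliant-device grant until the period expires, which is the window the Conditional Access policy is meant to close.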

Why this matters for CMMC: CMMC requires that devices accessing CUI meet an established security baseline (Configuration Management, CM.L2-3.4.1 and 3.4.2) and that only compliant, managed devices connect. This compliance policy defines that baseline — Secure Boot, disk encryption, a device password, and active malware protection — so the "require compliant device" Conditional Access policy has a standard to enforce. Together they deliver device-based access control and protect CUI at rest through encryption.
