Identity Standards & Compliance — Complete Reference

Bilingual reference for implementing identity-related controls for NIST AAL, CMMC, FedRAMP High, HIPAA, HITRUST, PCI-DSS, DORA, and Memorandum 22-09 with PowerShell and Graph evidence.

Framework mapping

NIST AAL, CMMC, FedRAMP High, HIPAA, HITRUST, PCI-DSS, DORA, and Memorandum 22-09 are mapped to Entra controls.

Evidence-driven

Every section combines configuration guidance with PowerShell and Graph verification commands.

Policy-first

Conditional Access, authentication strengths, PIM, logs, and governance form the core of most identity requirements.

Not legal advice

The page helps with technical design, but it does not replace formal assessments, regulatory advice, or ATO processes.

⚠️ Compliance note

Microsoft Entra can implement or support many identity controls, but by itself it does not guarantee compliance. Processes, documentation, evidence retention, organizational controls, and sometimes other Microsoft or third-party products remain necessary.

NIST AAL: overview, authenticators, and configuration

NIST SP 800-63B defines authenticator assurance levels for authentication. For Microsoft Entra designs, the key point is that AAL1 allows single factor, AAL2 requires two distinct factors, and AAL3 expects phishing-resistant hardware-backed cryptography.

| AAL | Core expectation | Typical Entra means | Comment |
|---|---|---|---|
| AAL1 | Reliable baseline authentication. | Password, certificate, Windows Hello, or FIDO2 are possible. | Usually not sufficient for sensitive government or payment workloads. |
| AAL2 | Two factors or a multifactor cryptographic method. | FIDO2, Windows Hello for Business, passkey, or strong Authenticator combinations. | The practical minimum for many regulated enterprise scenarios. |
| AAL3 | Phishing-resistant cryptographic hardware plus stricter reauthentication. | FIDO2 security keys, WHfB with a suitable TPM, or hardware certificates. | FIPS validation and hardware characteristics must be verified explicitly. |

Authenticators and mapping

| Authentication method | AAL1 | AAL2 | AAL3 | Note |
|---|---|---|---|---|
| Password | Yes | No | No | Only a memorized secret; mostly baseline or transitional. |
| Microsoft Authenticator phone sign-in | Yes | Yes | No | Not phishing-resistant but allowed in many AAL2 scenarios. |
| FIDO2 security key | Yes | Yes | Yes, when FIPS and hardware requirements are met | Gold standard for phishing-resistant Entra authentication. |
| Windows Hello for Business | Yes | Yes | Partially dependent on TPM and FIPS evidence | AAL3 requires careful hardware and certification validation. |
| Passkey in Microsoft Authenticator | Yes | Yes | Partial / platform-dependent | Plan for AAL3 only with the right platform and FIPS posture. |
| Hardware or smartcard certificate | Yes | Yes | Yes | Strong for government, PIV/CAC, and regulated workforces. |
| SMS | Yes | Conditional | No | Usually avoid in regulated architectures or use only as a transition path. |

AAL1 configuration guide

  1. Enable security defaults or a simple baseline policy when no MFA architecture exists yet.
  2. Enforce modern authentication protocols and block legacy authentication as soon as possible.
  3. Document exceptions, because AAL1 is acceptable only as a transition standard in many sectors.

AAL2 configuration guide

  1. Define authentication strengths and prefer phishing-resistant methods such as FIDO2 or WHfB, even though AAL2 also permits weaker combinations.
  2. Enforce MFA with Conditional Access for critical apps, administrators, and high-risk contexts.
  3. Set user sign-in frequency to 12 hours and combine it with device lock behavior after inactivity.
  4. Use FIPS-validated components when government or contract requirements demand it.

AAL3 configuration guide

  1. Restrict permitted methods to FIDO2, suitable hardware certificates, or WHfB with a documented TPM profile.
  2. Require phishing-resistant authentication strengths through Conditional Access for all target applications in scope.
  3. Plan reauthentication after 12 hours and a device inactivity lock of about 15 minutes.
  4. Keep FIPS and hardware evidence for keys, TPMs, and certificate modules auditable.
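The AAL3 steps above translate into two checkable policy properties: a phishing-resistant authentication strength and a sign-in frequency of at most 12 hours. The following script is an added evidence check, not code from the original page; it assumes the Microsoft Graph PowerShell SDK, read-only `Policy.Read.All` consent, and that the list of combinations treated as phishing-resistant (an assumption, verify it against the `AllowedCombinations` values in your tenant) is correct.

```powershell
# Added example: evaluate enabled Conditional Access policies against the AAL3
# guidance (phishing-resistant strength, reauthentication within 12 hours).
# Assumption: the Microsoft Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.Read.All"

# Combinations this script treats as phishing-resistant (assumption; adjust to
# the allowedCombinations values your tenant actually exposes).
$phishingResistant = @("fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor")

function Test-StrengthIsPhishingResistant {
    param([string]$StrengthId, [hashtable]$Strengths)
    if (-not $StrengthId -or -not $Strengths.ContainsKey($StrengthId)) { return $false }
    $combos = @($Strengths[$StrengthId].AllowedCombinations)
    # Every allowed combination must be on the list: a single weaker
    # combination (e.g. password + push) means the policy is not AAL3.
    foreach ($c in $combos) {
        if ($phishingResistant -notcontains $c) { return $false }
    }
    return ($combos.Count -gt 0)
}

function Get-SignInFrequencyHours {
    param($SessionControls)
    $sif = $SessionControls.SignInFrequency
    if (-not $sif -or -not $sif.IsEnabled) { return $null }
    if ($sif.FrequencyInterval -eq "everyTime") { return 0 }
    switch ($sif.Type) {
        "hours" { return [int]$sif.Value }
        "days"  { return [int]$sif.Value * 24 }
    }
    return $null
}

# Index authentication strengths by id so each policy lookup is a hash hit.
$strengths = @{}
Get-MgPolicyAuthenticationStrengthPolicy | ForEach-Object { $strengths[$_.Id] = $_ }

$enabled = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" }

$report = foreach ($p in $enabled) {
    $strengthId = $p.GrantControls.AuthenticationStrength.Id
    $hours = Get-SignInFrequencyHours $p.SessionControls
    [pscustomobject]@{
        Policy             = $p.DisplayName
        StrengthId         = $strengthId
        PhishingResistant  = Test-StrengthIsPhishingResistant $strengthId $strengths
        SignInFrequencyHrs = $hours
        ReauthWithin12h    = ($null -ne $hours -and $hours -le 12)
    }
}

$report | Format-Table -AutoSize
# Export for the audit evidence folder (output path is a placeholder).
$report | Export-Csv -Path ".\aal3-ca-evidence.csv" -NoTypeInformation
```

A policy that shows `PhishingResistant = True` but `ReauthWithin12h = False` satisfies step 2 but not step 3, which is the most common gap in otherwise passwordless tenants.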

Complete NIST mapping table

| NIST topic | Entra setting | Evidence | Risk if omitted |
|---|---|---|---|
| AAL1 | Modern authentication, password protection, baseline logging | Sign-in logs, legacy auth reports | Weak starting point for regulated workloads. |
| AAL2 | MFA methods, authentication strengths, Conditional Access | Policy export, user registration reports | Insufficient defense against account takeover. |
| AAL3 | Phishing-resistant hardware methods, FIPS-validated platforms | Key inventory, platform evidence, policy JSON | Audit failures for high assurance requirements. |
| Reauthentication | Sign-in frequency, OS lock policy | Conditional Access export, Intune policy export | Sessions remain active too long without user presence. |
| MitM / replay resistance | Modern cryptographic methods, OIDC/OAuth, nonce-based flows | Method inventory, app protocol review | Credential phishing and token misuse become more likely. |

PowerShell

```powershell
# Read-only scopes for strength policies, method registration, and log evidence.
Connect-MgGraph -Scopes "Policy.Read.All","UserAuthenticationMethod.Read.All","AuditLog.Read.All"

# Authentication strengths and the method combinations each one allows.
Get-MgPolicyAuthenticationStrengthPolicy |
  Select-Object DisplayName, AllowedCombinations

# Conditional Access policies and whether each is enabled, report-only, or disabled.
Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State
```

CMMC: overview, levels, and identity controls

CMMC 2.0 reduces the model to three levels. For Entra, the key domains are Access Control, Identification and Authentication, Audit & Accountability, Configuration Management, System and Information Integrity, and adjacent domains. Entra supports those areas, but it does not replace the contractor's process and evidence obligations.

| Level | Character | Identity focus |
|---|---|---|
| Level 1 | Foundational / FCI | Basic access control, identification, and malware protection. |
| Level 2 | Advanced / CUI | Stronger AC, IA, AU, CM, and SI controls based on NIST 800-171. |
| Level 3 | Expert | Extends well beyond Entra alone; additional systemic and operational measures are required. |

Level 1

| Practice area | Entra control | Why it matters |
|---|---|---|
| Basic access | Security groups, app assignments, disabling unused accounts | Ensures only authorized people use systems. |
| User identification | Unique accounts, no shared admin accounts, PIM for admin roles | Reduces ambiguity and improves accountability. |
| System integrity | MDE integrations, risk signals, legacy auth block | Helps detect simple attack vectors. |

Level 2 access control

| CMMC intent | Recommended Entra control | Evidence idea |
|---|---|---|
| Need-to-know | Group-based RBAC, access packages, access reviews | Group exports, package policies, review results |
| Protect remote access | Conditional Access with MFA, compliant device, named locations | Policy JSON and sign-in logs |
| Minimize privileges | PIM, administrative units, separate admin accounts | PIM reports and role assignment exports |
| Session control | Sign-in frequency, Defender for Cloud Apps session controls | Conditional Access export and MCAS policy export |

Level 2 identification and authentication

| CMMC intent | Recommended Entra control | Comment |
|---|---|---|
| Strong authentication | Authentication strengths, FIDO2, WHfB, certificate-based authentication | Prefer phishing-resistant methods for CUI access. |
| Unique identities | No shared accounts, strict break-glass rules, lifecycle governance | Especially important for administrators and contractor accounts. |
| Protection against compromised sign-ins | Identity Protection, risk-based Conditional Access, password protection | Increases the chance of stopping account takeover early. |

Additional CMMC-related controls

| Domain | Entra or adjacent control | Contribution |
|---|---|---|
| AU | Sign-in logs, audit logs, Purview Audit, Sentinel | Traceability and event investigation. |
| CM | Change control for policies, PIM approval, admin center activity logs | Controlled configuration changes. |
| SI | Identity Protection, MDE risk signals, block legacy auth | Detection and containment of security-relevant deviations. |

Recommended Conditional Access policies

  • All administrators: require phishing-resistant MFA and a compliant device.
  • All users with CUI access: MFA, block legacy auth, risk-based blocking, and constrained named locations.
  • Contractor and partner access: terms of use, access reviews, device trust, and session controls.
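The first policy in the list above, built as an added example (not code from the original page) in report-only mode so that sign-in logs show its impact before it is enforced. It assumes the Microsoft Graph PowerShell SDK, `Policy.ReadWrite.ConditionalAccess` and `Directory.Read.All` consent, that the built-in strength is named "Phishing-resistant MFA" in the tenant, and a break-glass group whose object id replaces the placeholder.

```powershell
# Added example: "All administrators: phishing-resistant MFA + compliant device"
# as a report-only Conditional Access policy. Assumption: Microsoft Graph SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Placeholder: object id of the group holding the documented break-glass accounts.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Resolve role template ids by display name instead of hard-coding GUIDs.
$adminRoleNames = @(
    "Global Administrator",
    "Security Administrator",
    "Privileged Role Administrator",
    "Conditional Access Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id
if ($roleIds.Count -ne $adminRoleNames.Count) {
    throw "Could not resolve all admin role templates; check the names above."
}

# Resolve the built-in phishing-resistant strength by its display name
# (assumption: the tenant exposes it under this name).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }

$policy = @{
    displayName = "CMMC - Admins - phishing-resistant MFA + compliant device"
    # Report-only first: evaluate in sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles  = @($roleIds)
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"               # both controls required
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs (ConditionalAccessStatus "reportOnlyFailure" entries) for the admin population before changing `state` to `enabled`.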

Complete CMMC mapping table

| Area | Core Entra control | Additional Microsoft services | Evidence |
|---|---|---|---|
| Level 1 AC | Groups, app assignment, account disablement | Intune optional | Assignments and disabled account report |
| Level 2 AC | Conditional Access, PIM, access packages, reviews | Defender for Cloud Apps | Policy export and package evidence |
| Level 2 IA | Authentication strengths, FIDO2, WHfB, CBA | Intune and endpoint PKI | Method registration and policy JSON |
| AU | Sign-in and audit logs | Purview Audit, Sentinel | Retention, queries, incident records |
| CM | Governed change to policies and roles | PIM approvals | Audit trails for admins |
| SI | Identity Protection and risk-based blocking | Defender for Endpoint | Risk detections and response timeline |

PowerShell

```powershell
# Read-only scopes for policy, log, and role assignment evidence.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","RoleManagement.Read.Directory"

# Conditional Access policy inventory with state.
Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State

# Active directory role assignments, including whether they are eligible or permanent.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance |
  Select-Object PrincipalId, RoleDefinitionId, AssignmentType
```

FedRAMP High: AC, IA, AU, CM, and SI

FedRAMP High is based on a large NIST 800-53 control catalog. The Entra perspective relevant here concentrates on the parts that affect identity, authentication, logging, configuration hygiene, and incident response. Azure or Azure Government can provide the platform frame, but customer responsibility remains for the actual configuration.

Access control and identification & authentication

| Control family | Practical Entra configuration | Typical evidence |
|---|---|---|
| AC | Conditional Access, administrative units, access reviews, entitlement management, PIM | Policy export, role assignments, review logs |
| IA | Authentication strengths, phishing-resistant MFA, passwordless, certificate-based auth | Authentication methods policy and registration status |

AU / CM / SI

| Family | Recommended means | Outcome |
|---|---|---|
| AU | Sign-in logs, audit logs, Sentinel, Purview Audit | Traceable event chain for ATO and incident response. |
| CM | Change control for Conditional Access, PIM, roles, and app registrations | Stable, documented, and auditable security configuration. |
| SI | Identity Protection, risk-based Conditional Access, Defender integrations | Faster detection and containment of abnormal identity events. |

Complete FedRAMP mapping table

| FedRAMP topic | Entra control | Complementary services | Audit evidence |
|---|---|---|---|
| AC | Conditional Access, RBAC, PIM, access reviews | Intune, Defender for Cloud Apps | Policy JSON and review history |
| IA | FIDO2, WHfB, CBA, authentication strengths | Endpoint PKI | Method inventory and registration status |
| AU | Sign-in and audit logs | Sentinel and Purview | Query exports and retention settings |
| CM | Role governance and policy change management | PIM approvals, ticketing | Change records and approval chain |
| SI | Identity Protection and threat signal integration | Defender suite | Incident timeline and risk reports |

PowerShell

```powershell
# Read-only scopes for policy, sign-in log, and risky user evidence.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","IdentityRiskyUser.Read.All"

# Most recent sign-ins with the Conditional Access outcome for each.
Get-MgAuditLogSignIn -Top 20 |
  Select-Object CreatedDateTime, UserDisplayName, AppDisplayName, ConditionalAccessStatus

# Which authentication methods are enabled or disabled in the methods policy.
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration |
  Select-Object Id, State
```

HIPAA / HITRUST: safeguards and CSF configuration

HIPAA focuses on technical safeguards such as access controls, audit controls, integrity, person or entity authentication, and transmission security. HITRUST CSF combines HIPAA with other standards into an auditable control framework. Entra primarily contributes strong identity, traceability, access approval, and conditional authorization.

Access control safeguards

| Safeguard | Entra control | Example |
|---|---|---|
| Unique user identification | Unique users, no shared accounts, PIM for admins | Separate accounts for clinical staff, contractors, and break-glass use. |
| Emergency access procedure | Documented break-glass accounts, emergency accounts excluded from Conditional Access | Two cloud-only emergency admins with monitored sign-ins. |
| Automatic logoff / session control | Sign-in frequency, session controls, device lock with Intune | Renew sessions for EHR access promptly. |
| Encryption-aware access | Conditional Access plus app-side TLS and DLP controls | Allow only managed clients to reach protected patient portals. |

Audit controls

| Goal | Entra or Purview capability | Expected evidence |
|---|---|---|
| Track sign-in events | Sign-in logs | Who signed in, when, where, with what, and at what risk. |
| Track administrative changes | Audit logs | Changes to roles, groups, apps, or policies. |
| Long retention and eDiscovery | Purview Audit | Retention, export, and investigation capability. |

Other safeguards

| Area | Recommended configuration | Why |
|---|---|---|
| Integrity | Identity Protection, Defender for Cloud Apps, sensitivity labels in the overall design | Detect improper changes and abusive data exfiltration faster. |
| Person or entity authentication | MFA, passwordless, certificates, device trust | Demonstrates that the accessing party is truly legitimate. |
| Transmission security | OIDC/OAuth, TLS, App Proxy or reverse proxy with modern auth | Protects ePHI in transit. |

HITRUST CSF configuration

| HITRUST focus | Entra building block | Note |
|---|---|---|
| Identity lifecycle | Lifecycle workflows, access reviews, joiner/mover/leaver processes | Important for employees, contractors, and clinical support staff. |
| Privileged access | PIM, approval, JIT, alerting | Auditors typically expect clear evidence for admin access. |
| Third-party access | B2B, terms of use, periodic reviews | External access to ePHI should be tightly recertified. |

Complete HIPAA/HITRUST mapping table

| Control objective | Entra control | Complementary components | Evidence |
|---|---|---|---|
| Access control | Conditional Access, RBAC, PIM, access packages | Intune, app controls | Assignments and access review history |
| Audit controls | Sign-in logs, audit logs | Purview Audit, Sentinel | Retention configuration and exports |
| Integrity | Risk policies, session controls, DLP-adjacent integrations | Purview, Defender for Cloud Apps | Alerts and policy evidence |
| Authentication | MFA, passwordless, CBA | Endpoint management and PKI | Method inventory and user registration |
| Transmission security | Modern auth and trusted app paths | TLS and app-layer controls | App configuration and network evidence |

PowerShell

```powershell
# Read-only scopes for audit log, policy, and directory evidence.
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.Read.All","Directory.Read.All"

# Most recent administrative changes and who initiated them.
Get-MgAuditLogDirectoryAudit -Top 25 |
  Select-Object ActivityDateTime, ActivityDisplayName, InitiatedBy

# Conditional Access policy inventory with state.
Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State
```

PCI-DSS: requirements 1, 2, 5, 6, 7, 8, 10, 11, and MFA

PCI-DSS v4.0 requires a coherent protection model for the cardholder data environment. Microsoft Entra does not address every PCI requirement, but it is central for identity, access, monitoring, and strong authentication. The biggest mistake is treating Entra as the only security control of the CDE.

| PCI requirement | Entra contribution | Practical focus |
|---|---|---|
| 1 Network controls | Conditional Access plus Entra Internet Access or App Proxy in the overall design | Allow only trusted clients and locations into the CDE. |
| 2 Secure configuration | Governance for app registrations, roles, legacy auth, and admin accounts | Baseline hardening for tenant, apps, and directory configuration. |
| 5 Malware protection | Device signals, Defender integrations, Conditional Access with compliant device | Permit CDE access only from trusted endpoints. |
| 6 Secure software | App registration hygiene, workload identity governance, secret minimization | Control CI/CD and service principals. |
| 7 Need to know | RBAC, groups, access packages, reviews | Least privilege for users and automations. |
| 8 Identify and authenticate | MFA, passwordless, phishing-resistant strengths, password protection | Especially for administrators and remote access. |
| 10 Log and monitor | Sign-in logs, audit logs, Sentinel | Make CDE access and admin changes provable. |
| 11 Test | What If, report-only, Conditional Access validation, PIM review | Regular validation of function and exceptions. |

MFA supplemental requirements

  • Require MFA for all administrators, remote access, and every role that can affect the CDE.
  • Prefer phishing-resistant authentication strengths over generic MFA.
  • Block legacy authentication completely, because it often bypasses MFA.
  • Use report-only and sign-in analysis before enforcement to avoid unplanned payment outages.
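The sign-in analysis step above, for the legacy authentication block specifically: the script below (an added example, not code from the original page) summarises which users, protocols, and apps still rely on legacy clients over the last 30 days, so the block can be scoped and communicated before it is enforced. It assumes the Microsoft Graph PowerShell SDK, `AuditLog.Read.All` consent, and that the two `ClientAppUsed` values listed are the only modern-auth client categories (an assumption; extend the list if your logs show others).

```powershell
# Added example: who still signs in with legacy protocols? Run before enforcing
# the "block legacy authentication" Conditional Access policy.
# Assumption: Microsoft Graph PowerShell SDK; 30-day window is illustrative.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Client categories treated as modern authentication (assumption, see lead-in).
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

# Server-side date filter; the protocol test is done locally so the script does
# not depend on $filter operator support for clientAppUsed. -All pages through
# the full window, which can be large on busy tenants.
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) }

$summary = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User       = $first.UserPrincipalName
            Protocol   = $first.ClientAppUsed      # e.g. IMAP4, SMTP, Exchange ActiveSync
            App        = $first.AppDisplayName
            SignIns    = $_.Count
            Successful = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen   = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } |
    Sort-Object SignIns -Descending

$summary | Format-Table -AutoSize

# Keep the export as evidence that the impact was analysed before enforcement.
$summary | Export-Csv -Path ".\legacy-auth-signins.csv" -NoTypeInformation
```

Rows with a high `Successful` count and a recent `LastSeen` are the service accounts and devices (payment terminals, scanners, scheduled mail jobs) that need a migration or documented exception before the block is enabled.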

Komplette PCI-DSS-Mapping-Tabelle Complete PCI-DSS mapping table

| PCI area | Entra control | Complementary products | Evidence |
|---|---|---|---|
| Req. 1 | Conditional Access, trusted network paths | Entra Internet Access, firewalls | Policy and network design evidence |
| Req. 2 | Legacy auth block, secure admin model, app governance | Defender for Cloud Apps | Config baseline and audits |
| Req. 5 | Device trust with Conditional Access | Defender for Endpoint | Compliant-device policy evidence |
| Req. 6 | Workload identity governance | DevSecOps controls | Service principal inventory |
| Req. 7 | RBAC, access packages, reviews | Privileged access workflows | Assignments and review decisions |
| Req. 8 | MFA, authentication strengths, password protection | FIDO2/WHfB ecosystem | Registration and method policies |
| Req. 10 | Sign-in and audit logs | Sentinel, Purview Audit | Query history and retention |
| Req. 11 | Report-only, What If, review cadence | Test plans | Evidence of regular validation |

PowerShell
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All"

Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State

Get-MgAuditLogSignIn -Top 50 |
  Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ConditionalAccessStatus

DORA: ICT risk management and Entra configuration

DORA targets financial entities and critical ICT service providers. Microsoft explicitly states that Entra is only one part of a broader digital operational resilience program. Even so, Entra supports many requirements around IAM resilience, authentication, logging, governance, and business continuity.

| DORA focus | Recommended Entra usage | Why relevant |
|---|---|---|
| ICT risk management framework | Conditional Access, MFA, PIM, reviews, risk policies, app governance | Centralizes identity risks and protections. |
| Business continuity | Backup authentication system, PHS as a resilient hybrid path, CAE | Reduces outage and dependency points. |
| Response and recovery | Sign-in and audit logs, Sentinel, risk-based blocking, break-glass accounts | Supports rapid response and recovery. |
| Third-party and app access | Enterprise app governance, B2B/B2B direct, periodic access reviews | Constrains supply-chain and partner access. |

Priorities for financial entities

  • Keep Conditional Access resilience defaults enabled unless there is a strong, documented exception.
  • Prefer password hash sync as the resilient standard path for hybrid identity.
  • Prefer CAE-capable clients and services to reduce token reissuance and outage paths.
  • Exercise break-glass accounts, emergency communications, and SIEM runbooks as part of identity operations.

PowerShell
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","Directory.Read.All"

Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State

Get-MgAuditLogDirectoryAudit -Top 25 |
  Select-Object ActivityDateTime, ActivityDisplayName

Memorandum 22-09: enterprise identity, MFA, and Zero Trust

OMB Memorandum 22-09 requires US federal agencies to operate a centralized identity platform, phishing-resistant MFA, device-based authorization signals, and a Zero Trust approach across identity, devices, network, applications, and data. Microsoft Entra addresses that identity pillar very directly.

| Memo area | Recommended Entra configuration | Key message |
|---|---|---|
| Enterprise-wide identity management | Central Entra tenant, reduced federation where possible, uniform governance | Use as few identity systems as practicable. |
| MFA | FIDO2, WHfB, certificates, phishing-resistant authentication strengths | Enforce MFA at the application layer, not only at the network edge. |
| Authorization | Compliant device, hybrid join, threat signals, RBAC, ABAC, PIM | At least one device signal in authorization decisions. |
| Zero Trust alignment | Conditional Access, logs, automation, governance, conditional session controls | Continuous verification instead of one-time network trust. |
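The "at least one device signal" row is the one most often asserted without proof. The following is an added example, not code from the original page, that lists which enforced Conditional Access policies actually carry a device signal (compliant or hybrid-joined grant control, or a device filter) and warns when no such policy covers all cloud apps.

```powershell
# Added example: evidence for the Memo 22-09 device-signal requirement.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$deviceControls = @('compliantDevice', 'domainJoinedDevice')
$enabled = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'

# A device signal can arrive as a grant control or as a device filter on the condition side.
$withDevice = $enabled | Where-Object {
    ($_.GrantControls.BuiltInControls | Where-Object { $_ -in $deviceControls }) -or
    $_.Conditions.Devices.DeviceFilter.Rule
}

$withDevice |
  Select-Object DisplayName,
    @{ n = 'Apps';         e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
    @{ n = 'Grant';        e = { $_.GrantControls.BuiltInControls -join '+' } },
    @{ n = 'DeviceFilter'; e = { $_.Conditions.Devices.DeviceFilter.Rule } } |
  Format-Table -Wrap

# Tenant-wide gap check: a policy on 'All' cloud apps is the simplest evidence;
# otherwise per-app coverage must be justified from the table above.
$allApps = $withDevice | Where-Object {
    $_.Conditions.Applications.IncludeApplications -contains 'All'
}
if (-not $allApps) {
    Write-Warning 'No enforced policy applies a device signal to all cloud apps; review per-app coverage.'
}
```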

Complete Memo 22-09 mapping table

| Requirement | Core Entra means | Complementary services | Evidence |
|---|---|---|---|
| Centralized identity management | Entra ID, governance, app management | Purview, Intune, Defender | Tenant architecture and role model |
| Phishing-resistant MFA | FIDO2, WHfB, certificates, strengths | PKI and endpoint hardware evidence | Method inventory and Conditional Access policy JSON |
| Device signal in authorization | Compliant device, hybrid join, threat signals | Intune and MDE | Device compliance and access logs |
| Least privilege and authorization | RBAC, ABAC, access packages, PIM | Lifecycle automation | Role assignments and review outputs |
| Visibility and orchestration | Sign-in logs, audit logs, risk detections | Sentinel and SOAR | Incident timeline and dashboards |

PowerShell
# DeviceManagementManagedDevices.Read.All is required for Get-MgDeviceManagementManagedDevice below
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","Directory.Read.All","DeviceManagementManagedDevices.Read.All"

Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State

Get-MgDeviceManagementManagedDevice -Top 20 |
  Select-Object DeviceName, ComplianceState, AzureAdRegistered

Cross-framework comparison and priorities

| Framework | Strongest identity driver | Top Entra priority | Common mistake |
|---|---|---|---|
| NIST AAL | Authenticator assurance | Authentication strengths and hardware methods | Treating AAL2 as equivalent to any weak MFA method. |
| CMMC | Least privilege and traceability | Conditional Access, PIM, reviews, and logging | Looking only at technical settings without evidence processes. |
| FedRAMP High | ATO-ready evidence and stable configuration | Strong MFA, logging, change governance | Confusing platform certification with customer configuration. |
| HIPAA / HITRUST | Access protection for ePHI | Unique IDs, MFA, audit, and reviews | Underestimating log retention and third-party access. |
| PCI-DSS | Strong access protection for the CDE | Legacy auth block, phishing-resistant MFA, SIEM | Planning Entra as the only CDE security control. |
| DORA | Resilience and recovery | Backup auth, PHS, CAE, logs | Thinking only about security and not about operational resilience. |
| Memo 22-09 | Phishing-resistant MFA plus device signal | FIDO2/WHfB, device compliance, RBAC | Prioritizing network perimeter controls over app-layer MFA. |

Prioritized actions

  1. Block legacy authentication completely and remove old protocols from scope.
  2. Move administrators to phishing-resistant MFA and PIM immediately.
  3. Enforce compliant-device or hybrid-join signals for sensitive applications.
  4. Make access rights recertifiable through groups, access packages, and reviews.
  5. Operationalize sign-in and audit data with sufficient retention in Sentinel or Purview.

PowerShell audit scripts and Graph queries

The following commands are not full assessments, but they quickly produce verifiable starting data for architecture reviews, internal audits, and regulatory workshops.

PowerShell
Connect-MgGraph -Scopes `
  "Policy.Read.All",`
  "AuditLog.Read.All",`
  "Directory.Read.All",`
  "RoleManagement.Read.Directory"

Get-MgIdentityConditionalAccessPolicy |
  Sort-Object DisplayName |
  Format-Table DisplayName, State

Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance |
  Select-Object PrincipalId, RoleDefinitionId, AssignmentType

Graph API
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Authorization: Bearer <token>

GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=50
Authorization: Bearer <token>

GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy
Authorization: Bearer <token>

Graph API
GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages
Authorization: Bearer <token>

GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
Authorization: Bearer <token>

💡 Evidence strategy

Combine technical exports from Graph with screenshots of approved policies, change tickets, PIM approvals, and test results from Microsoft Purview Compliance Manager. Only that combination turns a configuration into durable audit evidence.
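A Graph export only counts as evidence if an assessor can tell when it was taken, by whom, and that it was not edited afterwards. The following is an added example, not part of the original reference, that writes the policy exports referenced in the tables above into a timestamped bundle with a SHA-256 manifest; the output directory and file names are assumptions.

```powershell
# Added example: turn live Graph output into a hash-stamped evidence bundle.
Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory" -NoWelcome

$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$outDir = Join-Path $PWD "entra-evidence-$stamp"            # assumed output location
New-Item -ItemType Directory -Path $outDir | Out-Null

# One JSON file per artefact; -Depth keeps nested conditions and grant controls intact.
$artefacts = [ordered]@{
    'ca-policies.json'      = { Get-MgIdentityConditionalAccessPolicy -All }
    'auth-methods.json'     = { Get-MgPolicyAuthenticationMethodPolicy }
    'role-assignments.json' = { Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All }
}
foreach ($name in $artefacts.Keys) {
    & $artefacts[$name] |
      ConvertTo-Json -Depth 20 |
      Set-Content -Path (Join-Path $outDir $name) -Encoding utf8
}

# Manifest: who collected what, from which tenant, when, and the SHA-256 of every
# file. Re-hashing the files later proves the bundle was not altered after export.
$ctx = Get-MgContext
$manifest = [ordered]@{
    CollectedUtc = $stamp
    TenantId     = $ctx.TenantId
    Account      = $ctx.Account
    Files        = @(Get-ChildItem $outDir -Filter *.json | ForEach-Object {
        [ordered]@{
            Name   = $_.Name
            Sha256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    })
}
$manifest | ConvertTo-Json -Depth 5 |
  Set-Content -Path (Join-Path $outDir 'manifest.json') -Encoding utf8
Write-Host "Evidence bundle written to $outDir"
```

Attach the bundle to the change ticket or Compliance Manager improvement action together with the approval screenshots; the manifest is what lets a reviewer match the JSON to the moment the policy was approved.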