Why Your Microsoft 365 Configuration Can Make or Break Your CMMC Assessment
Microsoft 365 is the productivity platform of choice for most defense contractors, and for good reason. When properly configured, it provides a powerful foundation for meeting the requirements of CMMC Level 2. When improperly configured, it becomes one of the most common reasons contractors fail their assessments.
In my work with defense contractors across the federal and defense industrial base, I see the same Microsoft 365 setup mistakes repeatedly. These are not exotic edge cases. They are fundamental configuration errors that assessors find in the first hours of an audit. Before you schedule your C3PAO assessment, make sure your environment is not committing any of these five mistakes.
Mistake 1: Using Commercial Microsoft 365 Instead of GCC High to Handle CUI
This is the single most disqualifying mistake a defense contractor can make. DFARS 252.204-7012(b)(2)(ii)(D) requires that any external cloud service used to store, process, or transmit covered defense information meet security requirements equivalent to the FedRAMP Moderate baseline and comply with the clause's paragraphs (c) through (g): cyber incident reporting, submission of malicious software, media preservation, and access for forensic analysis and damage assessment. If you handle CUI on a standard commercial Microsoft 365 tenant, you will be asked to show that your provider meets both of those obligations for your data, and for most contractors that is not a showing they can make. Expect the assessor to raise it before the technical review even begins.
Commercial Microsoft 365 is not built to the FedRAMP High baseline, and it does not provide the data residency guarantees, personnel screening, or sovereignty controls that CUI handling demands. Microsoft 365 Government Community Cloud High, known as GCC High, runs in Azure Government data centers in the United States, is operated by screened U.S. persons, carries FedRAMP High and DoD Impact Level 4 authorizations, and is the environment Microsoft points to for customers who hold export-controlled (ITAR) CUI or who need the provider's support for DFARS 7012 paragraphs (c) through (g). It is the appropriate environment for contractors handling CUI under DoD contracts.
If you are unsure which Microsoft cloud environment is right for your organization, our post on what GCC High is and how it applies to CMMC 2.0 is a practical starting point. The short answer is this: if your contract contains DFARS 252.204-7012 and your work involves CUI, you almost certainly need GCC High.
Migrating to GCC High is not a weekend project, but it is a prerequisite for a defensible CMMC posture. Our CMMC, CUI, and DFARS compliance services include tenant migration planning and configuration validation to help contractors make this transition correctly.
Mistake 2: Leaving Multi-Factor Authentication Partially Deployed
CMMC Level 2 maps to NIST SP 800-171 Rev 2, whose control 3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Microsoft 365, GCC High included, does not enforce that for you across the whole tenant. MFA coverage is exactly what your Conditional Access policies say it is, and an account that no policy reaches is an account without MFA.
The mistake I see most often is not a complete absence of MFA but a partial deployment. Organizations enable MFA for administrators and forget about standard users. Or their Conditional Access policies carry exclusions so broad (a whole department, every service account, any sign-in from a "trusted" office IP range) that the policy is effectively unenforced. Or they rely on legacy per-user MFA settings instead of Conditional Access, which leaves the assessor with no policy to inspect and no sign-in log evidence of enforcement, and does not satisfy assessor expectations in 2025 and beyond.
Assessors will test this. They will read your Conditional Access policies, enumerate excluded users, groups, roles, and named locations, look specifically at service accounts, and verify that enforcement has no meaningful gap. A policy that covers 95 percent of your users is not a passing control: every account that can reach CUI must be covered. The one legitimate exclusion is a small set of emergency-access (break-glass) accounts, and those must be documented in your SSP, protected with long random credentials stored offline, and alerted on whenever they sign in.
Review every Conditional Access policy with the sign-in logs beside it. Block legacy authentication protocols outright with a Conditional Access policy; Basic authentication for Exchange Online was retired in 2022, so little should break. Confirm that named-location and device-compliance exclusions are not creating a second path into your CUI environment. Use report-only mode to measure the impact of a change, but do not leave a policy there: report-only enforces nothing.
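The review described above can be scripted so it produces the same list an assessor will build by hand. The following is an added example, not code from the original post: it enumerates every Conditional Access policy through the Microsoft Graph PowerShell SDK and reports the 3.5.3 gaps, namely MFA policies that are disabled or report-only, that do not include All users or All cloud apps, or that exclude users, groups, roles, or locations beyond a single documented break-glass group, and whether any enabled policy blocks legacy authentication at all. It assumes the Microsoft.Graph module, a reader with Policy.Read.All and Group.Read.All, and a GCC High tenant (the USGov environment); the break-glass group name is a placeholder for your own.

```powershell
# Added example (not from the original post): audit Conditional Access for 3.5.3 gaps.
# Assumes Microsoft.Graph SDK, Policy.Read.All + Group.Read.All, GCC High (USGov).
param(
    [string]$BreakGlassGroupName = "CA-Excl-EmergencyAccess",  # placeholder: your documented break-glass group
    [switch]$Commercial                                        # set for commercial/GCC; default targets GCC High
)

# Count items in a possibly-null property without the @($null).Count == 1 trap.
function Get-ItemCount($x) { @($x | Where-Object { $_ }).Count }

$connectArgs = @{ Scopes = @("Policy.Read.All", "Group.Read.All"); NoWelcome = $true }
if (-not $Commercial) { $connectArgs.Environment = "USGov" }   # GCC High; USGovDoD for the DoD cloud
Connect-MgGraph @connectArgs

$breakGlassId  = (Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'").Id
$policies      = Get-MgIdentityConditionalAccessPolicy
$legacyBlocked = $false

$findings = foreach ($p in $policies) {
    $u          = $p.Conditions.Users
    $grants     = @($p.GrantControls.BuiltInControls)
    $clientApps = @($p.Conditions.ClientAppTypes)
    # MFA is required either by the built-in "mfa" control or by an authentication strength.
    $requiresMfa = ($grants -contains "mfa") -or ($null -ne $p.GrantControls.AuthenticationStrength.Id)

    # A legacy-auth block policy: enabled, grant = block, scoped to EAS and "other" clients.
    if ($p.State -eq "enabled" -and ($grants -contains "block") -and
        ($clientApps -contains "exchangeActiveSync") -and ($clientApps -contains "other")) {
        $legacyBlocked = $true
    }

    if (-not $requiresMfa) { continue }   # only MFA policies are graded below

    $issues = @()
    switch ($p.State) {
        "disabled"                          { $issues += "disabled" }
        "enabledForReportingButNotEnforced" { $issues += "report-only (enforces nothing)" }
    }
    if ($u.IncludeUsers -notcontains "All") { $issues += "does not include All users" }
    if ($p.Conditions.Applications.IncludeApplications -notcontains "All") { $issues += "does not cover All cloud apps" }
    $n = Get-ItemCount $u.ExcludeUsers
    if ($n) { $issues += "excludes $n individual user(s)" }
    $n = Get-ItemCount ($u.ExcludeGroups | Where-Object { $_ -ne $breakGlassId })
    if ($n) { $issues += "excludes $n group(s) other than break-glass" }
    $n = Get-ItemCount $u.ExcludeRoles
    if ($n) { $issues += "excludes $n directory role(s)" }
    if (Get-ItemCount $p.Conditions.Locations.ExcludeLocations) { $issues += "trusted-location exclusion bypasses MFA" }

    [pscustomobject]@{
        Policy = $p.DisplayName
        State  = $p.State
        Issues = if ($issues) { $issues -join "; " } else { "OK" }
    }
}

$findings | Format-Table -AutoSize
if (-not $findings)      { Write-Warning "No Conditional Access policy requires MFA at all." }
if (-not $legacyBlocked) { Write-Warning "No enabled policy blocks legacy authentication (exchangeActiveSync/other)." }
```

Run it before the assessor does, keep the output with your SSP evidence, and re-run it whenever a policy changes. A policy scoped to a subset of apps is flagged rather than failed, because that can be deliberate; the point is that every such scoping decision should be one you can explain.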
Mistake 3: Failing to Configure Data Loss Prevention for CUI
One of the most misunderstood CMMC requirements in the Microsoft 365 context is the obligation to control the flow of CUI. NIST SP 800-171 control 3.1.3 requires that you control the flow of CUI in accordance with approved authorizations. In a Microsoft 365 environment, this means deploying and tuning Microsoft Purview Data Loss Prevention policies that actually prevent CUI from leaving your authorized environment.
Most organizations we assess have DLP either turned off entirely, deployed in test (audit-only) mode with no enforcement action, or built on the generic sensitive information types Microsoft ships (credit card numbers, U.S. Social Security numbers) that say nothing about the CUI actually present in the environment. None of these configurations satisfies the control. CUI is identified by its marking and handling category, not by a pattern in the data, so a policy needs either a sensitivity label applied to CUI or a custom sensitive information type keyed to your CUI banner markings before it can detect anything worth blocking.
Effective DLP for CMMC purposes requires you to define what CUI looks like in your specific environment, build policies that detect it, and configure enforcement actions that block unauthorized sharing. This includes blocking external email forwarding of CUI, preventing uploads to personal cloud storage, and restricting sharing with tenants outside GCC High through DLP's external-sharing scope and Entra cross-tenant access settings. Our detailed post on understanding Data Loss Prevention covers the foundational concepts, and our technical guidance on configuring Microsoft Purview for compliance goes deeper on implementation specifics.
DLP is not a set-and-forget control. It requires ongoing tuning, false positive management, and periodic review to remain effective as your data environment changes.
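What the enforcing configuration looks like, as an added example that is not code from the original post: it creates a Purview DLP policy in Security & Compliance PowerShell that stops content carrying a "CUI" sensitivity label from going to anyone outside the organization, starts the policy in test mode with notifications so the false-positive rate can be measured during the tuning period, and then switches it to enforcement, which is the step that turns the audit-only finding above into a passing control. It also turns off automatic external forwarding in Exchange Online. It assumes the ExchangeOnlineManagement module, Compliance Administrator rights, an existing sensitivity label named CUI, and the GCC High connection endpoints; the policy name and incident-report mailbox are placeholders.

```powershell
# Added example (not from the original post): Purview DLP for 3.1.3 CUI flow control.
# Assumes ExchangeOnlineManagement, Compliance Administrator, GCC High endpoints,
# and an existing sensitivity label named "CUI". Names and mailbox are placeholders.
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/" `
                    -AzureADAuthorizationEndpointUri "https://login.microsoftonline.us/common"
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

$policyName = "CUI - Block External Sharing"   # placeholder
$cuiLabel   = "CUI"                             # assumption: label already published to users
$secMailbox = "secops@example.mil"              # placeholder incident-report recipient

# Condition: the item carries the CUI sensitivity label (groups/labels hashtable
# shape accepted by -ContentContainsSensitiveInformation).
$labeledCui = @{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "CUI labeled content"
        labels   = @(@{ name = $cuiLabel; type = "Sensitivity" })
    })
}

# 1. Create in TestWithNotifications: users see policy tips, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications -Comment "3.1.3 CUI flow control"

# 2. The rule: labeled CUI addressed or shared outside the organization is blocked,
#    the owner is told why, and an incident report goes to the security mailbox.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation $labeledCui `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item is marked CUI and cannot be shared outside the organization." `
    -GenerateIncidentReport $secMailbox -IncidentReportContent All

# 3. After the tuning period, enforce. A policy left in a Test* mode is the
#    audit-only configuration that fails the control.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# 4. Exchange Online: automatic forwarding to external recipients off tenant-wide.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Evidence for the assessor: the policy exists, is enabled, and is in Enable mode.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Enabled
```

Keep the test-mode window short and measured: review the DLP match reports for the period, fix the label or marking coverage that produced the false positives, and record the date you moved to Enable. Steps 1 through 3 are deliberately separate commands so that the switch to enforcement is a visible, auditable change rather than part of the initial deployment.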
Mistake 4: Ignoring Endpoint Compliance and Device Management
Microsoft 365 does not exist in isolation. The security of your tenant is only as strong as the devices connecting to it. CMMC Level 2 includes a substantial set of requirements around endpoint configuration, covering controls in the System and Communications Protection, Configuration Management, and Access Control domains, among others.
Contractors frequently configure their Microsoft 365 tenant with reasonable settings and then allow unmanaged personal devices, contractor laptops, and BYOD phones to connect to Exchange Online and SharePoint without any compliance validation. This is an assessor finding waiting to happen.
Microsoft Intune, included in the Microsoft 365 E3 and E5 licenses for GCC High, provides the mobile device management (MDM) and mobile application management (MAM) capability needed to evaluate a device before access is granted. Conditional Access policies should require a compliant device, or a Microsoft Entra hybrid joined device, for every application that handles CUI, and an Intune compliance policy for each platform should define the baseline: current OS version and patch level, disk encryption, and endpoint protection running and healthy. Devices that fail that baseline should be blocked from CUI resources, not merely reported.
If your Conditional Access policies do not require a compliant device, any user with valid credentials (and a phished MFA approval) can connect from an unmanaged, unpatched device, and your CUI leaves with them. This directly implicates several NIST SP 800-171 controls, among them 3.1.1 (limit system access to authorized users and devices), 3.1.18 (control connection of mobile devices), and 3.4.1 (baseline configurations), and will result in findings during your assessment. For a deeper look at endpoint requirements, review our post on endpoint security fundamentals.
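The policy described above, written out as an added example rather than code from the original post. It creates a Conditional Access policy through the Microsoft Graph PowerShell SDK that requires a compliant or Entra hybrid joined device for all users and all cloud apps, excluding only the documented break-glass group, and creates it in report-only mode so the sign-in log shows who would have been blocked before anyone actually is. It assumes the Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess and Group.Read.All permissions, a GCC High tenant, and Intune compliance policies that already exist for each platform; the group and policy names are placeholders.

```powershell
# Added example (not from the original post): require a compliant device for CUI access.
# Assumes Microsoft.Graph SDK, Policy.ReadWrite.ConditionalAccess + Group.Read.All,
# GCC High (USGov), and existing Intune compliance policies. Names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All" -Environment USGov -NoWelcome

$breakGlassId = (Get-MgGroup -Filter "displayName eq 'CA-Excl-EmergencyAccess'").Id   # placeholder group

$policy = @{
    displayName = "CUI - Require compliant device for all apps"   # placeholder
    state       = "enabledForReportingButNotEnforced"             # report-only first; see below
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassId)      # the only exclusion, and it is documented
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # "all" rather than a list of platforms: a named list silently leaves Linux and
        # unrecognised platforms outside the policy, which is exactly the bypass to avoid.
        platforms = @{ includePlatforms = @("all") }
    }
    grantControls = @{
        operator        = "OR"   # either control satisfies the grant
        builtInControls = @("compliantDevice", "domainJoinedDevice")   # Intune compliant or Entra hybrid joined
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' [$($created.Id)] in state $($created.State)"

# After reviewing report-only results in the sign-in log, promote to enforcement.
# From then on an unmanaged or non-compliant device gets a block, not a mailbox.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled
```

Pair this with the MFA policy rather than replacing it: device compliance proves the endpoint meets your baseline, MFA proves the person, and an assessor expects both. The commented-out promotion step is intentional; run it only once the report-only impact has been reviewed and recorded.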
Mistake 5: Missing or Inadequate Audit Logging and Monitoring Configuration
CMMC Level 2 includes extensive requirements under the Audit and Accountability family. NIST SP 800-171 control 3.3.1 requires you to create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity; 3.3.2 requires that the actions of individual users be uniquely traceable to them; 3.3.8 requires that audit information and audit tooling be protected from unauthorized access, modification, and deletion. Microsoft 365 has robust logging capabilities. The problem is that unified audit logging is not guaranteed to be on, the default retention period is short, and most contractors have no active monitoring process behind the logs.
There are several specific failures I encounter regularly. First, unified audit log ingestion is disabled in the tenant, so there is no record of user and administrator activity to review, and turning it on is not retroactive: the history before the switch is simply gone. Second, retention is left at the default, which is 180 days on Audit (Standard) today and was 90 days until late 2023, well short of the three-year retention many assessors look for when evaluating alignment with federal recordkeeping expectations. NIST SP 800-171 does not name a period; it is an organization-defined value, which means you must state it in your SSP, justify it, and show that the tenant's audit retention policies actually implement it (retention beyond the default requires Audit (Premium) licensing, and retention of up to ten years requires a further add-on). Third, there is no Security Information and Event Management capability, or equivalent monitoring process, that actually reviews these logs for anomalous activity.
An audit log that exists but is never reviewed does not satisfy the spirit or the letter of the control: 3.3.5 requires that audit record review, analysis, and reporting be correlated for investigation and response, and 3.14.6 and 3.14.7 require that you monitor systems for attacks and identify unauthorized use. Assessors will ask you to demonstrate your monitoring process, not just show them that logging is turned on. You need documented procedures, dated evidence of regular review (who looked, at what, and what they found), and a defined path for escalating a potential incident.
This connects directly to your broader incident response obligations. A properly configured and monitored audit log is the foundation of your ability to detect, respond to, and report cyber incidents under DFARS 252.204-7012, which requires reporting to DoD within 72 hours of discovery and preservation of images and relevant monitoring data for at least 90 days after the report. For more on the documentation side of this requirement, our post on SSP and POA&M components of a strong security program is worth reviewing alongside your logging configuration work.
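The three checks in this section, and the review evidence the last paragraph asks for, can be produced by one script. The following is an added example, not code from the original post: it verifies that unified audit log ingestion is on and enables it if not, creates an audit retention policy for the record types an investigation depends on, and runs a weekly review query for the operations that most often indicate persistence or exfiltration (inbox-rule and forwarding changes, mailbox delegation, role and OAuth consent grants, anonymous links and bulk downloads), writing the result to a dated CSV that can be filed as review evidence. It assumes the ExchangeOnlineManagement module, Audit (Premium) plus the ten-year add-on for the retention step, and GCC High endpoints; the policy name, review window, and output path are placeholders.

```powershell
# Added example (not from the original post): unified audit log checks and weekly review for 3.3.x.
# Assumes ExchangeOnlineManagement, GCC High endpoints, and licensing for extended retention.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/" `
                    -AzureADAuthorizationEndpointUri "https://login.microsoftonline.us/common"

# 1. Ingestion on? If not, nothing below has data, and history before now is unrecoverable.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit log ingestion was OFF; enabled now. Record the date in the POA&M."
}

# 2. Retention beyond the default for the record types an investigation needs.
#    Durations depend on licensing; TenYears requires the 10-year add-on.
$retentionName = "CMMC audit retention"   # placeholder
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $retentionName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $retentionName `
        -RecordTypes AzureActiveDirectory, ExchangeAdmin, ExchangeItem, SharePoint, SharePointFileOperation, OneDrive, MicrosoftTeams `
        -RetentionDuration TenYears -Priority 1 `
        -Description "3.3.1: retain audit records to support incident investigation"
}

# 3. Weekly review: operations that indicate persistence, privilege change, or exfiltration.
$end   = Get-Date
$start = $end.AddDays(-7)   # placeholder review window
$ops   = @(
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",          # mail-rule persistence / forwarding
    "Set-Mailbox",                                                   # forwarding address changes
    "Add-MailboxPermission",                                         # delegate access grants
    "Add member to role.", "Add user.", "Consent to application.",   # Entra role, account, and OAuth grants
    "AnonymousLinkCreated", "SharingSet", "FileDownloaded"           # SharePoint/OneDrive sharing and downloads
)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
    -ResultSize 5000 -SessionCommand ReturnLargeSet -SessionId "weekly-review-$($end.ToString('yyyyMMdd'))"

$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json   # per-record JSON detail (client IP, target object, parameters)
    [pscustomobject]@{
        When      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        Target    = $d.ObjectId
    }
}

$outFile = "AuditReview-$($end.ToString('yyyyMMdd')).csv"   # placeholder: store with your review evidence
$report | Sort-Object When | Export-Csv -NoTypeInformation -Path $outFile
$report | Group-Object Operation | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
"Reviewed $(@($report).Count) events from $start to $end; evidence written to $outFile"
```

The CSV plus a short note of what the reviewer concluded, signed and dated, is the artifact an assessor will accept as evidence of review; the summary table is what the reviewer actually reads. A SIEM does the same correlation continuously, but the point of the control is that someone looks and acts, and this script is the minimum that demonstrates it.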
The Common Thread: Configuration Alone Is Not Compliance
Every one of these mistakes shares a common root cause: organizations treat Microsoft 365 as a product that arrives compliant and requires no further attention. It does not. CMMC compliance in a Microsoft 365 environment requires deliberate, documented configuration decisions, ongoing management, and the organizational processes to support the technology.
Your System Security Plan must accurately reflect how Microsoft 365 is configured. Your policies must describe how CUI is handled in the platform. Your users must be trained on acceptable use within the environment. The technology and the documentation must tell the same story, and both must align with what the assessor actually observes in your tenant.
For a comprehensive look at what assessors evaluate during a formal assessment, our post on how to prepare for your CMMC audit covers the process in detail.
Get Your Microsoft 365 Environment Assessment-Ready
If you are preparing for a CMMC Level 2 assessment and are not confident your Microsoft 365 environment is correctly configured, the time to find out is now, not the week before your C3PAO arrives. Cleared Systems provides hands-on IT compliance services that include Microsoft 365 configuration review, GCC High migration support, Purview and Intune implementation, and assessment readiness validation. We work directly with defense contractors to close configuration gaps before they become formal findings. Request a quote to discuss your environment and get a clear picture of where you stand before your assessment date.
