Why Microsoft 365 Configuration Is Central to CMMC Level 2
For most defense contractors, Microsoft 365 is the backbone of daily operations — email, file sharing, collaboration, and document management all flow through it. That makes it one of the most consequential platforms when pursuing CMMC Level 2 certification. It is also one of the most commonly misconfigured.
CMMC Level 2 maps directly to the 110 security practices in NIST SP 800-171. A significant portion of those controls — covering access control, audit logging, configuration management, identification and authentication, incident response, and data protection — can be addressed, at least in part, through deliberate Microsoft 365 configuration. But out-of-the-box M365 settings are built for commercial convenience, not federal compliance. The gap between default and compliant is real, and assessors will find it.
This guide walks compliance managers and IT leads through the critical configuration areas you must address before your CMMC assessment.
Step 1: Choose the Right Microsoft 365 Tenant Environment
Before configuring anything, confirm you are operating in the correct cloud environment. This is a foundational decision that cannot be undone cheaply.
- Commercial M365: Does not meet the data residency and sovereignty requirements for Controlled Unclassified Information (CUI) in most DoD contracts. Not acceptable for ITAR-controlled data.
- Microsoft 365 GCC: FedRAMP Moderate authorized. Suitable for some federal use cases but may not satisfy DFARS 252.204-7012 requirements depending on your CUI exposure.
- Microsoft 365 GCC High: FedRAMP High authorized, designed specifically for DoD contractors handling CUI. Required if your contract contains DFARS 252.204-7012 and your data meets the threshold. Learn more in our post on what GCC High means for ITAR and CMMC 2.0.
If you are handling CUI regularly and your contracts reference DFARS 252.204-7012, GCC High is almost certainly where you need to be. Confirm this with a qualified consultant before migration.
Step 2: Harden Identity and Access Management
Access control is one of the most heavily weighted domains in NIST SP 800-171 and CMMC Level 2. Microsoft Entra ID (formerly Azure Active Directory) is your primary tool here.
Multi-Factor Authentication
Enable MFA for all users without exception. Use Conditional Access policies in Entra ID to enforce MFA based on user role, device compliance state, and network location. Phishing-resistant MFA methods — such as FIDO2 security keys or Microsoft Authenticator with number matching — are strongly preferred by assessors.
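As an added illustration (this is not code from the original article), the following Microsoft Graph PowerShell creates the two Conditional Access policies the paragraph describes: one requiring MFA for every user, and a tighter one requiring the built-in phishing-resistant authentication strength for Global Administrators. Both start in report-only mode so the sign-in log impact can be reviewed before enforcement. Assumptions: the Microsoft.Graph module is installed, the account holds the Conditional Access Administrator role, `-Environment USGov` is used because the tenant is GCC High, and the break-glass group object ID is a placeholder you replace with your own emergency-access group.

```powershell
# Added example, not from the original article. Creates Conditional Access policies
# in report-only mode so sign-in impact can be reviewed before enforcement.
# Assumptions: Microsoft.Graph module installed; Conditional Access Administrator
# role; $breakGlassGroupId is a placeholder for your emergency-access group.
Connect-MgGraph -Environment USGov -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"   # USGov = GCC High

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder

# Policy 1: any registered MFA method, all users, all cloud apps.
$allUsersMfa = @{
    displayName = "CMMC - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: privileged roles must satisfy the built-in "Phishing-resistant MFA"
# authentication strength (FIDO2, Windows Hello for Business, certificate-based auth).
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID
$adminPhishingResistant = @{
    displayName = "CMMC - Phishing-resistant MFA for privileged roles"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = @($globalAdminRoleId); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }   # built-in phishing-resistant strength
    }
}

foreach ($p in @($allUsersMfa, $adminPhishingResistant)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}

# Evidence for the SSP: list every policy and its state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State |
    Sort-Object DisplayName | Format-Table -AutoSize
```

Leaving the break-glass group excluded from both policies is deliberate: an MFA outage or a lost security key must not lock every administrator out of the tenant. Review the report-only results in the Entra sign-in log before switching `state` to `enabled`.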
Privileged Access Controls
- Implement Privileged Identity Management (PIM) to enforce just-in-time access for administrative roles.
- Separate administrative accounts from daily-use accounts for all IT staff.
- Apply role-based access control (RBAC) so users access only the data and systems their job function requires.
- Review and certify access assignments at least quarterly.
External Access and Guest Accounts
Disable or tightly restrict external sharing and guest access in SharePoint Online, Teams, and OneDrive. Any external collaboration involving CUI must be controlled, documented, and limited to authorized individuals. This is a common audit finding and one of the most frequently failed CMMC Level 2 controls.
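The following PowerShell, added here as an example and not taken from the original article, applies the restriction described above across SharePoint Online and OneDrive, Teams, and Entra ID, and inventories existing guest accounts so each can be justified or removed. Assumptions: the Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams, and Microsoft.Graph modules are installed; "contoso" and the CUI site URL are placeholders; the `.sharepoint.us` domain, `-Region ITAR`, `TeamsGCCH` and `USGov` values target a GCC High tenant.

```powershell
# Added example, not from the original article. Restricts external sharing and
# guest access in SharePoint/OneDrive, Teams, and Entra ID.
# Assumptions: Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams and
# Microsoft.Graph modules installed; "contoso" and the site URL are placeholders.
# GCC High tenants use the sharepoint.us domain and the -Region ITAR switch.

# --- SharePoint Online / OneDrive ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.us" -Region ITAR

# Capture the "before" state as evidence for the change record.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, PreventExternalUsersFromResharing

# Tenant default: no external sharing. If a documented, authorized collaboration
# requirement exists, use ExistingExternalUserSharingOnly and scope it per site.
Set-SPOTenant -SharingCapability Disabled `
              -OneDriveSharingCapability Disabled `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true

# Explicitly lock any site that holds CUI, so a later tenant-level change cannot reopen it.
Set-SPOSite -Identity "https://contoso.sharepoint.us/sites/CUI-Programs" -SharingCapability Disabled

# --- Teams ---
Connect-MicrosoftTeams -TeamsEnvironmentName TeamsGCCH
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# --- Entra ID external collaboration ---
Connect-MgGraph -Environment USGov -Scopes "Policy.ReadWrite.Authorization", "User.Read.All"
# Only admins and members of the Guest Inviter role may invite; guests get the
# most restricted directory visibility.
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters" `
    -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b"   # "Restricted guest user" role

# Inventory existing guests so each one can be justified or removed.
Get-MgUser -Filter "userType eq 'Guest'" -All |
    Select-Object DisplayName, Mail, CreatedDateTime, AccountEnabled |
    Sort-Object CreatedDateTime |
    Export-Csv -Path ".\GuestAccountInventory.csv" -NoTypeInformation
```

The per-site `Set-SPOSite` call matters even when the tenant setting is already `Disabled`: the site-level value is what an assessor will check on the CUI library itself, and it stays locked if someone later relaxes the tenant default for an unrelated project.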
Step 3: Configure Microsoft Purview for CUI Protection
Microsoft Purview (formerly Microsoft Information Protection and Compliance Center) is your compliance control center within M365. Proper configuration here directly supports multiple CMMC domains.
Sensitivity Labels and Classification
Deploy sensitivity labels aligned to your CUI categories. At minimum, create labels for CUI, CUI-Specified, and internal-use data. Apply these labels to documents, emails, and Teams channels. Require users to label content at creation and enforce label-based policies through auto-labeling where possible.
Data Loss Prevention Policies
Configure DLP policies to detect and block unauthorized transmission of CUI — including via email, Teams chat, SharePoint sharing links, and USB devices when combined with Intune. Your DLP policies should be tuned to your specific CUI categories rather than applied as generic templates. For a deeper look at how DLP works in practice, see our post on understanding Data Loss Prevention.
Retention and Records Management
Configure retention policies that align with your contractual and regulatory obligations. CUI-related records often carry DoD-mandated retention periods. Ensure deletion policies do not purge records before their required retention period expires.
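The three Purview pieces above (sensitivity labels, DLP, retention) are usually built together, so here is one added example that is not from the original article, using Security & Compliance PowerShell from the ExchangeOnlineManagement module. Assumptions: the account holds the Compliance Administrator role; `contoso.us` is a placeholder for your tenant domain; the `Connect-IPPSSession` endpoint parameters are the GCC High ones; the label policy `Settings` keys mirror the property names shown by `Get-LabelPolicy`; and `2555` days is a placeholder that must be replaced with the retention period your contract or records schedule actually requires.

```powershell
# Added example, not from the original article. Builds a minimal Purview
# configuration for CUI: sensitivity labels, a DLP rule keyed to those labels,
# and a retention policy. Security & Compliance PowerShell (ExchangeOnlineManagement).
# Assumptions: Compliance Administrator role; "contoso.us" is a placeholder
# domain; 2555 days is a placeholder, replace it with the retention period your
# contract or records schedule actually requires.
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/" `
                    -AzureADAuthorizationEndpointUri "https://login.microsoftonline.us/common"   # GCC High endpoints

# 1. Sensitivity labels. CUI labels encrypt content to users of your own tenant
#    and stamp a visible header/footer; "Internal Use" is the default, unencrypted label.
New-Label -Name "Internal Use" -DisplayName "Internal Use" -Tooltip "Company-internal, not CUI" -ContentType "File, Email"

$cuiRights = "contoso.us:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"  # co-author rights, tenant users only
foreach ($name in "CUI", "CUI-Specified") {
    New-Label -Name $name -DisplayName $name -Tooltip "Controlled Unclassified Information ($name)" `
        -ContentType "File, Email" `
        -EncryptionEnabled $true -EncryptionProtectionType Template -EncryptionRightsDefinitions $cuiRights `
        -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText $name `
        -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "$name - handle per contract requirements"
}

# 2. Publish the labels to everyone and make labeling mandatory at creation.
#    (Setting keys follow the Settings property shown by Get-LabelPolicy.)
New-LabelPolicy -Name "CUI Labeling Policy" -Labels "Internal Use", "CUI", "CUI-Specified" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Settings @{ mandatory = "true"; requiredowngradejustification = "true" }

# 3. DLP: block CUI-labeled content from leaving the organization, starting in
#    test mode with user notifications so false positives can be tuned first.
$policyName = "CUI - Block external transmission"
New-DlpCompliancePolicy -Name $policyName -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All

$labelCondition = @{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "CUI labels"
        labels   = @(@{ name = "CUI"; type = "Sensitivity" }, @{ name = "CUI-Specified"; type = "Sensitivity" })
    })
}
New-DlpComplianceRule -Name "CUI labeled content shared externally" -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# 4. Retention: keep CUI records for the required period. "Keep" (not KeepAndDelete)
#    means nothing is purged automatically before that period expires.
New-RetentionCompliancePolicy -Name "CUI Records Retention" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "CUI retain" -Policy "CUI Records Retention" `
    -RetentionDuration 2555 -ExpirationDateOption ModificationAgeInDays -RetentionComplianceAction Keep

# Verification snapshot for the SSP appendix.
Get-Label | Select-Object DisplayName, Guid, EncryptionEnabled
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode
```

Keying the DLP rule to the sensitivity labels rather than to a generic template is what ties the two controls together: once users (or auto-labeling) mark a document as CUI, the DLP block follows it into email, Teams, and sharing links without a separate content pattern to maintain. Switch the policy from `TestWithNotifications` to `Enable` only after the test-mode incident reports show the false-positive rate is acceptable.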
Step 4: Harden Endpoint Management with Microsoft Intune
Every device accessing CUI is within scope of your CMMC assessment. Microsoft Intune provides mobile device management (MDM) and mobile application management (MAM) capabilities essential for endpoint compliance.
- Device compliance policies: Require devices to be enrolled, encrypted (BitLocker for Windows), running supported OS versions, and free of known malware before granting access to corporate resources.
- Configuration profiles: Enforce security baselines — Microsoft publishes NIST SP 800-171 and CMMC-aligned baselines for Windows endpoints. Deploy these through Intune rather than managing them manually.
- Application control: Use Intune to restrict installation of unauthorized applications. Allowlist approved software and block untrusted executables.
- BYOD restrictions: Either prohibit personal devices from accessing CUI environments or enforce strict MAM policies that containerize corporate data on personal devices. Most assessors prefer the former.
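The four Intune items above come together in one added example (not code from the original article) that uses the Microsoft Graph PowerShell SDK to create a Windows compliance policy, pair it with a Conditional Access policy that admits only compliant devices, and export the device inventory an assessor will ask for. Assumptions: Intune Administrator and Conditional Access Administrator roles; `-Environment USGov` for GCC High; the minimum OS build and break-glass group ID are placeholders; assignment of the compliance policy to device groups is done afterward in the Intune admin center.

```powershell
# Added example, not from the original article. Creates an Intune compliance
# policy for Windows and a Conditional Access policy that allows only compliant
# devices, using the Microsoft Graph PowerShell SDK.
# Assumptions: Intune Administrator + Conditional Access Administrator roles;
# the minimum OS build and group IDs are placeholders; assigning the compliance
# policy to device groups is done afterward in the Intune admin center.
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All", "Policy.ReadWrite.ConditionalAccess"

$compliance = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "CMMC - Windows compliance baseline"
    description            = "Encryption, Secure Boot, Defender AV, firewall, supported OS build"
    bitLockerEnabled       = $true     # full-disk encryption
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    activeFirewallRequired = $true
    defenderEnabled        = $true
    rtpEnabled             = $true     # real-time protection
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    passwordRequired       = $true
    osMinimumVersion       = "10.0.19045.0"   # placeholder: your lowest supported build
    # Intune requires at least one scheduled action; ruleName must be "PasswordRequired".
    # gracePeriodHours = 0 marks the device noncompliant immediately.
    scheduledActionsForRule = @(@{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
"Created compliance policy $($policy.Id)"

# Conditional Access closes the loop: unmanaged or noncompliant devices cannot
# reach M365 resources. Report-only first, then enable.
$caRequireCompliant = @{
    displayName   = "CMMC - Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>") }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows", "macOS", "iOS", "android") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caRequireCompliant | Select-Object DisplayName, State

# Assessment evidence: every in-scope device and its current compliance state.
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OsVersion, ComplianceState, IsEncrypted, LastSyncDateTime |
    Sort-Object ComplianceState |
    Export-Csv -Path ".\DeviceComplianceInventory.csv" -NoTypeInformation
```

The compliance policy by itself only labels a device; it is the `compliantDevice` grant in Conditional Access that actually denies an unenrolled laptop access to CUI. Keeping the two in the same change record makes that dependency visible to the assessor and to whoever maintains the policies later.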
Step 5: Enable Comprehensive Audit Logging
CMMC Level 2 requires that you create, protect, and retain audit logs to support after-the-fact investigation of security incidents. In Microsoft 365, audit logging is available but must be explicitly enabled and configured.
- Enable Unified Audit Log in the Microsoft Purview compliance portal. Do not assume it is on by default — verify it.
- Set audit log retention to a minimum of 90 days in the platform and export logs to long-term storage (at least one year) using Azure Monitor, Microsoft Sentinel, or a third-party SIEM.
- Configure alert policies for high-risk events: mass file downloads, permission changes, failed login attempts, and external sharing of labeled content.
- Document your audit log review process. Logging without a defined review cadence will not satisfy an assessor — you must demonstrate the logs are actually used.
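The four logging items above are implemented in the following added example (not code from the original article): it verifies and enables the Unified Audit Log, keeps the highest-value record types for a year inside the platform, creates an alert policy for mass downloads, and produces the weekly review export that a documented review cadence can reference. Assumptions: ExchangeOnlineManagement module with GCC High connection parameters; an account holding the Audit Logs and Compliance Administrator roles; `soc@contoso.us` and `C:\Evidence` are placeholders; the `New-ProtectionAlert` parameters and the one-year retention policy are assumed to require Audit (Premium)/E5 licensing.

```powershell
# Added example, not from the original article. Enables and verifies the Unified
# Audit Log, sets an in-platform retention policy, creates an alert for mass
# downloads, and produces the weekly review export that a documented review
# cadence can point to. ExchangeOnlineManagement module; Audit Logs role.
# Assumptions: "soc@contoso.us" and C:\Evidence are placeholders; the alert
# policy and one-year retention require Audit (Premium) / E5 licensing.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/" `
                    -AzureADAuthorizationEndpointUri "https://login.microsoftonline.us/common"

# 1. Verify, and enable only if needed (can take up to an hour to start ingesting).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
"Unified Audit Log enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# 2. Keep the highest-value record types for a year inside the platform.
#    This complements (not replaces) export to Sentinel or your SIEM.
New-UnifiedAuditLogRetentionPolicy -Name "CMMC - 12 month audit retention" `
    -RecordTypes AzureActiveDirectoryStsLogon, SharePointFileOperation, SharePointSharingOperation, ExchangeAdmin `
    -RetentionDuration TwelveMonths -Priority 1

# 3. Alert on mass file downloads: 100+ downloads by one user within 60 minutes.
New-ProtectionAlert -Name "CMMC - Mass file download" -Category DataGovernance `
    -ThreatType Activity -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser "soc@contoso.us"

# 4. Weekly review export: high-risk operations from the last 7 days.
$highRiskOps = @(
    "FileDownloaded", "SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated",
    "UserLoginFailed", "Add member to role.", "Update role."
)
$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $highRiskOps `
              -ResultSize 5000 -SessionCommand ReturnLargeSet
$events |
    Select-Object CreationDate, UserIds, Operations, RecordType,
        @{ Name = "Target"; Expression = { ($_.AuditData | ConvertFrom-Json).ObjectId } } |
    Export-Csv -Path ("C:\Evidence\AuditReview-{0:yyyyMMdd}.csv" -f $end) -NoTypeInformation

# Summary table for the reviewer's sign-off record.
$events | Group-Object Operations | Select-Object Name, Count | Sort-Object Count -Descending
```

The dated CSV plus a signed review note is the artifact that turns "logging is on" into "logs are reviewed": an assessor can pick any week and ask for the file. If a week's export exceeds the 5,000-row page, page through the search with `-SessionId` rather than raising the window.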
Step 6: Configure Microsoft Defender for Endpoint and M365
Microsoft Defender for Endpoint provides endpoint detection and response (EDR) capabilities that map to CMMC's System and Communications Protection and Incident Response domains. Enable Defender for Endpoint on all in-scope devices and configure the following:
- Enable tamper protection to prevent users or malware from disabling security features.
- Configure attack surface reduction (ASR) rules aligned to CIS and NIST guidance.
- Enable cloud-delivered protection and automatic sample submission in Defender Antivirus.
- Integrate Defender for Endpoint alerts into your SIEM or Microsoft Sentinel for centralized monitoring.
- Review and document your incident response procedures so that Defender alerts trigger a defined response workflow.
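To validate the Defender settings above on an endpoint, here is an added example (not code from the original article or from Microsoft) using the built-in Defender PowerShell module. It checks that the device is onboarded to Defender for Endpoint and tamper-protected, turns on cloud-delivered protection and sample submission, and rolls out a set of ASR rules in audit mode before enforcement. Assumptions: run elevated on a test device; in production the same settings are delivered through Intune policy; tamper protection itself can only be enabled centrally (Intune or the Defender portal), so it is only read here, not set; the ASR rule GUIDs are Microsoft's published identifiers, and the `Get-DefenderOnboardingStatus` function name is my own.

```powershell
# Added example, not from the original article. Verifies Defender for Endpoint
# onboarding and tamper protection on a Windows endpoint, turns on cloud-delivered
# protection, and rolls out ASR rules in audit mode first. Uses the built-in
# Defender PowerShell module; run elevated. Assumptions: this is for validation on
# a test device; in production the same settings are delivered by Intune policy,
# and tamper protection itself can only be enabled centrally, not by this module.

function Get-DefenderOnboardingStatus {
    # OnboardingState 1 = onboarded to Defender for Endpoint; "Sense" is the EDR sensor service.
    $reg    = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        OnboardedToMDE      = ($reg.OnboardingState -eq 1)
        SenseServiceRunning = ((Get-Service -Name Sense -ErrorAction SilentlyContinue).Status -eq "Running")
        TamperProtected     = $status.IsTamperProtected
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        AntivirusMode       = $status.AMRunningMode
        SignatureAgeDays    = $status.AntivirusSignatureAge
    }
}
Get-DefenderOnboardingStatus

# Cloud-delivered protection with automatic sample submission (Defender Antivirus).
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples -CloudBlockLevel High

# ASR rules (Microsoft's published rule GUIDs). Audit mode first: hits appear as
# Event ID 1122 in Microsoft-Windows-Windows Defender/Operational; switch to "Enabled" after review.
$asrRules = [ordered]@{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" = "Block credential stealing from LSASS"
    "56A863A9-875E-4185-98A7-B882C64B5CE5" = "Block abuse of exploited vulnerable signed drivers"
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" = "Block execution of potentially obfuscated scripts"
}
$ids     = [string[]]$asrRules.Keys
$actions = [string[]]($ids | ForEach-Object { "AuditMode" })
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Read back the effective state for the SSP evidence file.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    [pscustomobject]@{
        RuleId = $id
        Name   = $asrRules[$id]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # 0=Disabled 1=Block 2=Audit 6=Warn
    }
}
```

If `TamperProtected` comes back false, stop there: every other setting in the block can be undone by malware or a local administrator until tamper protection is enforced from Intune or the Defender portal, which is exactly the gap an assessor will probe.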
Step 7: Document Your System Security Plan to Reflect M365 Controls
Configuration alone is not enough. Your System Security Plan (SSP) must accurately describe how each CMMC practice is implemented, including your specific Microsoft 365 configurations. Assessors will cross-reference your SSP against what they observe in your tenant. Gaps between documentation and reality are among the fastest paths to a failed assessment.
Map each relevant NIST SP 800-171 control to the specific M365 feature implementing it. For controls that M365 supports only partially — such as physical protection or personnel screening — document the compensating or supplemental controls in place. For an overview of the SSP and POA&M requirements that underpin this documentation, see our post on SSP and POA&M as critical components of a strong security program.
Common Configuration Gaps That Derail CMMC Assessments
Based on our work with defense contractors across the industry, these are the Microsoft 365 gaps assessors find most often:
- Unified Audit Log not enabled — one of the most consistent findings and entirely avoidable.
- MFA not enforced for all users — service accounts and shared mailboxes are frequently overlooked.
- External sharing not restricted — SharePoint and OneDrive default settings allow broad external access.
- No sensitivity labels deployed — CUI is stored in M365 with no classification or protection applied.
- Devices not enrolled in Intune — endpoints accessing CUI are unmanaged and unverifiable.
- Licenses insufficient for compliance features — E3 licenses do not include Defender for Endpoint Plan 2, Purview Information Protection, or advanced audit features. Many CMMC-required controls require E5 or add-on licensing.
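To turn the six gaps above into a repeatable pre-assessment check, here is an added example (not code from the original article) that reads each setting and prints a PASS/GAP table suitable for a gap analysis. It changes nothing. Assumptions: the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed; a Global Reader-level account with the GCC High connection values shown; "contoso" is a placeholder; the `Test-CmmcM365Gaps` and `New-Finding` function names are my own; and the license check, which matches SKU names beginning with `SPE_E5`, is a simplification because add-on SKUs also satisfy some requirements.

```powershell
# Added example, not from the original article. Read-only pre-assessment check for
# the six gaps listed above; produces a PASS/GAP table you can attach to a gap
# analysis. Assumptions: ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell
# and Microsoft.Graph modules; a Global Reader-level account; "contoso" is a placeholder.
# The license check (SKU names starting with SPE_E5) is a simplification.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/" `
                    -AzureADAuthorizationEndpointUri "https://login.microsoftonline.us/common"
Connect-SPOService -Url "https://contoso-admin.sharepoint.us" -Region ITAR
Connect-MgGraph -Environment USGov -Scopes "Policy.Read.All", "DeviceManagementManagedDevices.Read.All", "Organization.Read.All"

function New-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { "PASS" } else { "GAP" }); Detail = $Detail }
}

function Test-CmmcM365Gaps {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Unified Audit Log
    $ual = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    $findings.Add((New-Finding "Unified Audit Log enabled" $ual "UnifiedAuditLogIngestionEnabled=$ual"))

    # 2. MFA enforced for all users by an enabled (not report-only) Conditional Access policy
    $mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq "enabled" -and
        $_.Conditions.Users.IncludeUsers -contains "All" -and
        ($_.GrantControls.BuiltInControls -contains "mfa" -or $_.GrantControls.AuthenticationStrength.Id)
    })
    $detail = if ($mfaPolicies.Count -gt 0) { $mfaPolicies.DisplayName -join "; " } else { "no enabled all-user MFA policy" }
    $findings.Add((New-Finding "MFA required for all users" ($mfaPolicies.Count -gt 0) $detail))

    # 3. External sharing
    $sharing = "$((Get-SPOTenant).SharingCapability)"
    $findings.Add((New-Finding "External sharing restricted" ($sharing -in @("Disabled", "ExistingExternalUserSharingOnly")) "SharingCapability=$sharing"))

    # 4. Sensitivity labels exist and are published
    $labels   = @(Get-Label)
    $policies = @(Get-LabelPolicy)
    $findings.Add((New-Finding "Sensitivity labels deployed" ($labels.Count -gt 0 -and $policies.Count -gt 0) "$($labels.Count) labels, $($policies.Count) label policies"))

    # 5. Intune: zero managed devices means endpoints are unmanaged; any noncompliant device is a finding
    $devices      = @(Get-MgDeviceManagementManagedDevice -All)
    $nonCompliant = @($devices | Where-Object { "$($_.ComplianceState)" -ne "compliant" })
    $findings.Add((New-Finding "Devices enrolled and compliant" ($devices.Count -gt 0 -and $nonCompliant.Count -eq 0) "$($devices.Count) managed, $($nonCompliant.Count) noncompliant"))

    # 6. Licensing
    $skus  = @(Get-MgSubscribedSku | Select-Object -ExpandProperty SkuPartNumber)
    $hasE5 = @($skus | Where-Object { $_ -like "SPE_E5*" }).Count -gt 0
    $findings.Add((New-Finding "E5-level licensing present" $hasE5 ($skus -join ", ")))

    return $findings
}

Test-CmmcM365Gaps | Format-Table -AutoSize
```

Run this once before remediation and again before the assessment; the two tables, side by side, document both the gap and its closure, which is the kind of evidence that keeps the SSP and the observed tenant in agreement.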
Licensing Considerations for CMMC Level 2
Microsoft 365 licensing directly limits what security controls you can implement. Most organizations pursuing CMMC Level 2 will need Microsoft 365 E5 (or E3 with E5 Security and Compliance add-ons) to access the full suite of required capabilities, including advanced DLP, Purview Information Protection, Defender for Endpoint Plan 2, and extended audit log retention. Review your current licensing against your control requirements before beginning configuration work. Our post on what a Microsoft 365 E5 license includes provides a useful breakdown.
Microsoft 365 Is a Tool, Not a Compliance Program
A correctly configured Microsoft 365 environment is a critical enabler of CMMC Level 2, but it does not constitute a compliance program on its own. Policies, procedures, training, physical controls, incident response plans, and a defensible SSP are equally required. Configuration without governance is not compliance — it is a partially built foundation.
If your organization is working toward CMMC certification and needs expert guidance on Microsoft 365 configuration, scoping your CUI environment, or preparing your SSP and POA&M, our team at Cleared Systems is ready to help. Explore our IT compliance services or request a quote to speak directly with our compliance team about your specific environment and timeline.
