Why Microsoft Compliance Configuration Is Not Optional for Defense Contractors
If your organization handles Controlled Unclassified Information (CUI) and operates on Microsoft 365, the way you configure that platform is not a preference—it is a compliance requirement. Yet in my experience auditing and advising defense contractors, Microsoft 365 deployments are consistently one of the highest-risk areas we find. Organizations assume that purchasing the right license automatically confers compliance. It does not. The platform provides the tools. Your configuration determines whether you are protected.
This guide is designed for compliance managers and executives at defense contractors who are either starting their Microsoft compliance configuration from scratch or trying to understand why their current setup may not be audit-ready. We will cover the foundational baseline you need before moving into more advanced controls, and we will flag the areas where most organizations fall short.
Start With Tenant Selection: Commercial, GCC, or GCC High
The first and most consequential decision in your Microsoft compliance configuration is which tenant environment is appropriate for your organization. This is not a technical preference—it is a regulatory determination.
- Commercial Microsoft 365 is appropriate for organizations with no federal data obligations. If you handle CUI, ITAR-controlled technical data, or operate under DFARS 252.204-7012, commercial is almost certainly insufficient.
- Microsoft 365 GCC meets FedRAMP Moderate requirements and is appropriate for many organizations handling non-sensitive federal data. Some contractors use GCC with supplemental controls, but it has meaningful limitations for CUI environments.
- Microsoft 365 GCC High is the appropriate baseline for most defense contractors handling CUI, operating under ITAR, or pursuing CMMC Level 2 certification. GCC High meets FedRAMP High and is housed in an environment accessible only to U.S. persons, which directly supports ITAR foreign national access restrictions.
If you are uncertain which environment applies to your situation, that determination should happen before any configuration work begins. Many of the compliance failures we see stem from organizations that configured the wrong environment and had to migrate later—a costly and disruptive process. Our post on what GCC High means for ITAR and CMMC 2.0 provides a useful starting framework for that decision.
Define Your CUI Boundary Before You Configure Anything
You cannot configure data protection controls if you do not know where your data lives. Before touching a single Microsoft 365 compliance setting, your organization must define the boundary of systems, users, and data flows that are in scope for CUI handling. This is called your CUI boundary, and it directly determines the scope of your System Security Plan (SSP) and your CMMC assessment.
Common mistakes at this stage include treating all of Microsoft 365 as in-scope (which inflates your assessment scope unnecessarily) or excluding systems that genuinely touch CUI (which creates audit exposure). Your CUI boundary documentation must be defensible and consistent with how your organization actually operates.
Our CMMC, CUI, and DFARS compliance services include structured boundary definition work precisely because this step determines the cost and complexity of everything that follows.
The Core Microsoft Compliance Configuration Baseline
Once your tenant and boundary are established, the following represent the foundational configuration areas that every defense contractor must address. This is not an exhaustive list, but it represents where most organizations have the most significant gaps.
1. Identity and Access Management
Azure Active Directory (now Microsoft Entra ID) is the backbone of your access control posture. Your baseline configuration must include:
- Multi-factor authentication (MFA) enforced for all users, without exception. Conditional Access policies should enforce MFA based on user role, device compliance state, and network location.
- Privileged Identity Management (PIM) for any accounts with administrative rights. Just-in-time privileged access reduces the attack surface significantly and is expected under CMMC Level 2.
- Role-based access control (RBAC) aligned to your CUI boundary. Users should have access to only the data and systems required for their role, and those assignments should be documented and reviewed periodically.
- Conditional Access policies that enforce compliant device requirements before granting access to CUI-bearing workloads.
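The two Conditional Access policies above (MFA for everyone, compliant device for CUI workloads) can be created with the Microsoft Graph PowerShell SDK; this is an added example, not configuration from the original post, and it assumes the Microsoft.Graph module, a GCC High tenant (hence `-Environment USGov`) and placeholder application IDs for the CUI-bearing workloads.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# and an admin allowed to write Conditional Access policy. -Environment USGov
# targets GCC High; drop it for a commercial tenant.
Connect-MgGraph -Environment USGov -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy 1: MFA for every user on every cloud app. Created in report-only mode so
# sign-in logs show the effect before it is switched to "enabled".
$mfaPolicy = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # set to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: only Intune-compliant devices (plus MFA) may reach CUI workloads.
# $cuiAppIds is a placeholder; fill it with the app IDs inside your CUI boundary.
$cuiAppIds = @("00000000-0000-0000-0000-000000000000")   # placeholder value
$devicePolicy = @{
    displayName = "CA002 - Require compliant device for CUI workloads"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = $cuiAppIds }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                      # both controls are required
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy

# Evidence for the SSP: list each policy with its enforcement state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```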
2. Endpoint Compliance via Microsoft Intune
Every device that can access your Microsoft 365 environment and touch CUI must meet a defined compliance baseline. Microsoft Intune is the primary tool for enforcing device compliance policies across your fleet. Configuration requirements include:
- Minimum OS version enforcement
- Disk encryption (BitLocker for Windows)
- Antivirus and endpoint detection and response (EDR) enabled and reporting
- Screen lock and password complexity requirements
- Jailbreak and root detection for mobile devices
Devices that do not meet compliance policy should be blocked from accessing CUI workloads through Conditional Access integration. For a deeper look at endpoint-level requirements, our post on endpoint security fundamentals is a useful reference.
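The checklist above maps onto Intune compliance policies; the following is an added example (not from the original post) that creates a Windows and an iOS policy through Microsoft Graph PowerShell, assuming the Microsoft.Graph module, an Intune-licensed GCC High tenant, and an OS version floor chosen for illustration. Assigning the policies to device groups is left to the reader.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph and Intune.
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Devices failing any rule are marked non-compliant immediately (zero grace
# period), which is what lets the Conditional Access integration block them.
$blockNow = @(
    @{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(
            @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
        )
    }
)

$windowsPolicy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "CUI Windows baseline"
    description                                 = "Min OS, BitLocker, AV/EDR, screen lock, password"
    osMinimumVersion                            = "10.0.19045"   # assumed floor; use your own
    bitLockerEnabled                            = $true          # disk encryption
    secureBootEnabled                           = $true
    antivirusRequired                           = $true
    defenderEnabled                             = $true
    rtpEnabled                                  = $true          # real-time protection on
    deviceThreatProtectionEnabled               = $true          # Defender for Endpoint signal
    deviceThreatProtectionRequiredSecurityLevel = "medium"       # EDR risk score ceiling
    passwordRequired                            = $true
    passwordRequiredType                        = "alphanumeric"
    passwordMinimumLength                       = 14
    passwordMinutesOfInactivityBeforeLock       = 15             # screen lock
    scheduledActionsForRule                     = $blockNow
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $windowsPolicy

# Mobile: refuse jailbroken devices and require a passcode.
$iosPolicy = @{
    "@odata.type"                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                    = "CUI iOS baseline"
    securityBlockJailbrokenDevices = $true
    passcodeRequired               = $true
    scheduledActionsForRule        = $blockNow
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $iosPolicy

# Evidence: confirm both policies exist.
Get-MgDeviceManagementDeviceCompliancePolicy | Select-Object DisplayName, Id
```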
3. Data Loss Prevention (DLP) and Sensitivity Labeling
One of the most frequently misconfigured areas in Microsoft 365 environments is data protection. Microsoft Purview provides the tools to classify, label, and enforce handling rules on CUI—but only if configured correctly.
- Sensitivity labels should be created and published that align to your CUI categories. At minimum, you need labels for CUI Basic and any CUI Specified categories your organization handles. Labels should enforce encryption and apply visual markings on documents and emails.
- DLP policies should be configured to detect and block unauthorized sharing of CUI outside your organization. This includes policies covering SharePoint, OneDrive, Teams, and Exchange.
- Auto-labeling policies can be configured to detect content patterns associated with CUI and apply labels without requiring user action, reducing reliance on end-user judgment.
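As an added example (not configuration from the original post), the label-plus-DLP pattern described above in Security & Compliance PowerShell: one encrypted, visibly marked "CUI Basic" label published to all users, and a DLP policy whose rule blocks labeled content from leaving the organization. It assumes the ExchangeOnlineManagement module, a placeholder tenant domain `contoso.us`, and that the labels-as-condition rule syntax and the GCC High endpoints match current Microsoft documentation.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement.
# GCC High connects to the .us endpoints (assumed; verify against current docs).
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/" `
                    -AzureADAuthorizationEndpointUri "https://login.microsoftonline.us/common"

# 1. Label: encrypt so only in-tenant users can open it, stamp "CUI" as header.
#    "contoso.us" is a placeholder for your own tenant domain.
New-Label -Name "CUI-Basic" -DisplayName "CUI Basic" `
    -Tooltip "Controlled Unclassified Information (Basic)" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.us:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,REPLYALL,FORWARD" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CUI" `
    -ApplyContentMarkingHeaderFontSize 12 -ApplyContentMarkingHeaderFontColor "#FF0000"

# 2. Publish the label to everyone across mail and SharePoint/OneDrive.
New-LabelPolicy -Name "CUI Label Policy" -Labels "CUI-Basic" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

# 3. DLP policy across all four workloads named in the post, in enforce mode.
New-DlpCompliancePolicy -Name "CUI External Sharing Block" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode Enable

# 4. Rule: anything carrying the CUI label, shared outside the org, is blocked,
#    the owner is told why, and an incident report goes to the site admin.
New-DlpComplianceRule -Name "Block CUI leaving org" -Policy "CUI External Sharing Block" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{ operator = "Or"; name = "CUI"
                        labels = @(@{ name = "CUI-Basic"; type = "Sensitivity" }) })
    } `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# Evidence: the rule as stored, for the SSP control write-up.
Get-DlpComplianceRule -Policy "CUI External Sharing Block" |
    Select-Object Name, AccessScope, BlockAccess, BlockAccessScope
```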
For more on configuring DLP effectively, see our detailed post on understanding data loss prevention in Microsoft environments.
4. Audit Logging and Monitoring
CMMC Level 2 and NIST SP 800-171 both require that you maintain audit logs sufficient to detect, investigate, and respond to security incidents. Microsoft 365 provides native audit capabilities through the Unified Audit Log, but out-of-the-box settings are often insufficient.
- Ensure audit logging is enabled across all workloads: Exchange, SharePoint, OneDrive, Teams, and Azure AD.
- Configure log retention to meet your compliance requirements. CMMC and DFARS generally require at least 90 days of accessible logs with longer-term retention for forensic purposes.
- Integrate Microsoft Sentinel or a third-party SIEM to provide alerting on high-risk events such as mass downloads, external sharing, and failed authentication attempts.
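The following added example (not from the original post) turns the first and third bullets into a check: it confirms Unified Audit Log ingestion is on, pulls the last 90 days of the external-sharing, download and failed-sign-in events the post names, and flags user-days with an unusually high download count. It assumes the ExchangeOnlineManagement module, a GCC High tenant, and a download threshold of 100 per user per day chosen for illustration.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement;
# the environment name targets GCC High.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

# 1. Is the Unified Audit Log actually recording? Turn it on if not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF - enabling it"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Pull 90 days of the high-risk operations, paging through large result sets.
$end   = Get-Date
$start = $end.AddDays(-90)
$ops = @(
    "SharingInvitationCreated",   # share sent to someone outside the tenant
    "AnonymousLinkCreated",       # "anyone with the link" link minted
    "FileDownloaded",             # raw material for mass-download detection
    "UserLoginFailed"             # failed Entra ID authentication
)
$results   = @()
$sessionId = "cui-audit-" + [guid]::NewGuid()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $results += $page
} while ($page.Count -eq 5000)   # a full page means more remain

# 3. Summaries an assessor can read: volume per operation ...
$results | Group-Object Operations | Select-Object Name, Count | Sort-Object Count -Descending

# ... and user-days whose download count exceeds the (assumed) threshold.
$threshold = 100
$results | Where-Object Operations -eq "FileDownloaded" |
    Group-Object { "$($_.UserIds)|$($_.CreationDate.Date.ToShortDateString())" } |
    Where-Object Count -gt $threshold |
    Select-Object @{ n = "UserDay"; e = { $_.Name } }, Count
```

A SIEM such as Sentinel should raise these as alerts continuously; the script is the manual equivalent you can run to prove the log data exists for the retention window.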
5. Microsoft Defender Configuration
Microsoft Defender for Endpoint provides the endpoint detection and response capability required under CMMC Level 2. Configuration must go beyond simply enabling the product. You need to confirm that:
- All endpoints are onboarded and reporting to Defender for Endpoint
- Attack surface reduction (ASR) rules are enabled and tuned
- Alerts are being reviewed and responded to within defined timeframes
- Vulnerability management is active and findings are tracked in your Plan of Action and Milestones (POA&M)
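To verify the first two bullets on an individual Windows endpoint, here is an added example (not from the original post) to run elevated on the device: it checks Defender for Endpoint onboarding, antivirus health, and whether a baseline set of attack surface reduction rules is in Block mode. The rule GUIDs are Microsoft's published ASR rule identifiers; which rules count as "baseline" is an assumption for illustration.

```powershell
# Added example (not from the original post). Run elevated on a Windows endpoint.
# The three GUIDs are published ASR rule IDs; the chosen set is an assumption.
$expectedAsr = @{
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" = "Block credential stealing from LSASS"
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
}

# 1. Onboarding: the Sense service runs only on onboarded devices, and the
#    onboarding state is recorded in the registry (1 = onboarded).
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
$onboarded = ($null -ne $sense -and $sense.Status -eq "Running")
$regKey    = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
$regState  = (Get-ItemProperty $regKey -ErrorAction SilentlyContinue).OnboardingState
"Defender for Endpoint onboarded: $onboarded (registry OnboardingState=$regState)"

# 2. AV/EDR health: real-time protection, running mode, signature age.
$status = Get-MpComputerStatus
"Real-time protection: $($status.RealTimeProtectionEnabled)"
"AM running mode:      $($status.AMRunningMode)"
"Signature age (days): $($status.AntivirusSignatureAge)"

# 3. ASR rules: compare configured IDs/actions with the expected set.
#    Action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
$pref       = Get-MpPreference
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $configured[$id] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $expectedAsr.Keys) {
    $state = switch ($configured[$id]) {
        1       { "Block" }
        2       { "Audit (not enforcing)" }
        6       { "Warn" }
        default { "NOT CONFIGURED" }
    }
    "{0,-24} {1}" -f $state, $expectedAsr[$id]
}
```

Anything other than "Block" against an expected rule is a finding to record in the POA&M; tenant-wide, the same data is available from the Defender portal's device reports, which is what an assessor will usually ask for.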
Licensing Considerations
Many of the compliance features described above require Microsoft 365 E3 or E5 licensing at minimum. Microsoft Purview's advanced DLP, automatic sensitivity labeling, Privileged Identity Management, and Defender for Endpoint P2 are all E5 features. Organizations that attempt CMMC Level 2 compliance on E3 licensing often find they cannot meet certain controls without upgrading or procuring add-ons.
If you are unsure what licensing tier supports your compliance requirements, our post on what a Microsoft 365 E5 license includes and whether you need it breaks down the relevant compliance features by license tier.
Documentation Is Part of Configuration
Compliance assessors do not simply verify that your settings are correct—they verify that your policies and procedures describe what you do, that your configuration implements what your policies say, and that your evidence demonstrates it is working consistently. This means your Microsoft compliance configuration work must be accompanied by:
- A System Security Plan (SSP) that describes how each NIST 800-171 control is implemented using Microsoft 365 features
- Configuration documentation for each major control area
- A POA&M that tracks any controls not yet fully implemented
- Evidence artifacts such as screenshots, policy exports, and audit log samples
Organizations that treat configuration and documentation as separate workstreams typically discover the gap during their C3PAO assessment. For contractors in the federal and defense sector, that gap can mean failed certification and lost contract eligibility.
Common Mistakes We See in the Field
After working with dozens of defense contractors on their Microsoft compliance configuration, the following are the most common failure patterns:
- Deploying in the wrong tenant and discovering mid-assessment that commercial Microsoft 365 does not satisfy ITAR or CUI handling requirements.
- Enabling tools without configuring them. Microsoft Purview, Defender, and Intune all require deliberate, documented configuration. Enabling a feature is not the same as implementing a control.
- Treating Microsoft 365 as the entire compliance program. Microsoft provides excellent tools, but your compliance program also requires policy documentation, training, physical controls, incident response, and ongoing monitoring—none of which the platform provides automatically.
- Failing to restrict guest and external access. Default Microsoft 365 settings often allow external sharing and guest collaboration that is inconsistent with CUI handling requirements.
- No alert triage process. Organizations that configure Defender and Sentinel but have no process for reviewing and responding to alerts gain little actual security benefit from those investments.
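For the guest and external access mistake above, this added example (not from the original post) inspects and tightens the three places where defaults usually remain open: SharePoint/OneDrive sharing, Teams guest access, and the Entra ID guest-invitation setting. It assumes the SharePoint Online Management Shell, MicrosoftTeams and Microsoft.Graph modules, a placeholder tenant name `contoso`, and a GCC High tenant (hence the `.us` admin URL and environment names).

```powershell
# Added example (not from the original post). "contoso" is a placeholder.

# 1. SharePoint / OneDrive: record the current state, then shut external sharing.
Connect-SPOService -Url "https://contoso-admin.sharepoint.us"
$t = Get-SPOTenant
"Before: SharingCapability=$($t.SharingCapability) DefaultSharingLinkType=$($t.DefaultSharingLinkType)"
# Disabled = no external sharing at all. If a documented business need exists,
# ExistingExternalUserSharingOnly limits sharing to guests already onboarded.
Set-SPOTenant -SharingCapability Disabled `
              -DefaultSharingLinkType Direct `   # links only for named people
              -DefaultLinkPermission View        # and read-only by default

# 2. Teams: no guest users in the tenant's teams.
Connect-MicrosoftTeams -TeamsEnvironmentName TeamsGCCH
Set-CsTeamsClientConfiguration -AllowGuestUser $false
(Get-CsTeamsClientConfiguration).AllowGuestUser   # expect False

# 3. Entra ID: who may invite guests at all? "everyone" is the open default;
#    anything broader than adminsAndGuestInviters should be tightened in the
#    Entra admin center external collaboration settings.
Connect-MgGraph -Environment USGov -Scopes "Policy.Read.All"
(Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
```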
Where to Go From Here
Getting your Microsoft compliance configuration right is one of the highest-leverage investments a defense contractor can make. It directly supports CMMC certification, DFARS compliance, and CUI protection requirements—and it provides the audit evidence that assessors need to confirm your controls are operational, not just documented.
If your organization is beginning this process, the right starting point is a structured gap assessment against NIST SP 800-171, mapped to your current Microsoft 365 configuration. That assessment tells you exactly where you stand and what work remains. For additional context on the underlying requirements, our post on NIST SP 800-171 Revision 3 and its impact on CUI protection is worth reviewing before you begin.
At Cleared Systems, we help defense contractors build and implement their Microsoft compliance configuration as part of a broader, audit-ready compliance program. Whether you need a full-service engagement or targeted support for a specific gap, we work alongside your team to get you assessment-ready without unnecessary cost or delay. Request a quote today to discuss your Microsoft 365 compliance configuration needs, or explore our IT compliance services to see how we structure our engagements for defense contractors and federal supply chain participants.
