Why Microsoft Configuration Failures Dominate CMMC Assessment Findings
Microsoft 365 is the productivity backbone for the majority of defense contractors pursuing CMMC certification. Most organizations assume that simply purchasing a GCC High tenant or an E5 license puts them in a strong compliance position. In practice, licensing is the starting line, not the finish line. During CMMC assessments, our team and third-party C3PAOs consistently find that Microsoft compliance configuration errors are among the most cited reasons contractors receive findings, require Plan of Action and Milestones (POA&M) entries, or outright fail domain-level practice requirements.
What follows is a direct, practitioner-level breakdown of the configuration failures assessors flag most often. If you are preparing for a Level 2 assessment, this list deserves your full attention.
1. Conditional Access Policies That Are Incomplete or Unenforced
Conditional Access is the cornerstone of access control in Entra ID (formerly Azure Active Directory). NIST SP 800-171 and CMMC Level 2 require organizations to enforce multi-factor authentication, limit access based on device compliance, and restrict access to CUI systems from unmanaged endpoints. Assessors look for Conditional Access policies that are in Report-only mode rather than enforced mode—a remarkably common finding.
Other failures in this area include:
- Policies that exclude service accounts or break-glass accounts without compensating controls documented in the SSP
- No policy blocking legacy authentication protocols, which bypass MFA entirely
- Absence of device compliance requirements tied to Microsoft Intune enrollment
- Sign-in risk policies that exist in configuration but are not scoped to cover all users with access to CUI
If your Conditional Access policies are not in enforced mode and scoped to every user touching Controlled Unclassified Information, you will have findings on day one. Review our guidance on common Microsoft Intune compliance misconfigurations that put CUI at risk for specific remediation steps.
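The checks above can be scripted rather than clicked through. The following is an added example written for this article, not tooling from Cleared Systems or Microsoft: it pulls every Conditional Access policy through the Microsoft Graph PowerShell SDK and flags the four gaps listed above (report-only state, no legacy-auth block, no MFA or compliant-device grant for all users, sign-in risk policy not scoped to everyone). It assumes the Microsoft.Graph module is installed and that the account used holds Policy.Read.All; the property names are those the SDK exposes, and the warning thresholds are the editor's, not a C3PAO checklist.

```powershell
# Added example (not part of the original post): review Conditional Access
# policies for the gaps assessors flag. Requires the Microsoft.Graph SDK and
# an identity with Policy.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Legacy authentication shows up as these client app types in a policy's
# conditions; a Block grant that targets them is the standard legacy-auth control.
$legacyTypes = @('exchangeActiveSync', 'other')

$report = foreach ($p in $policies) {
    $grant = $p.GrantControls
    $legacyTargeted = @($p.Conditions.ClientAppTypes | Where-Object { $_ -in $legacyTypes }).Count -gt 0
    [pscustomobject]@{
        Name                    = $p.DisplayName
        State                   = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        AllUsers                = ($p.Conditions.Users.IncludeUsers -contains 'All')
        AllApps                 = ($p.Conditions.Applications.IncludeApplications -contains 'All')
        Exclusions              = @($p.Conditions.Users.ExcludeUsers).Count + @($p.Conditions.Users.ExcludeGroups).Count
        RequiresMfa             = ($grant.BuiltInControls -contains 'mfa')
        RequiresCompliantDevice = ($grant.BuiltInControls -contains 'compliantDevice')
        BlocksLegacyAuth        = (($grant.BuiltInControls -contains 'block') -and $legacyTargeted)
        SignInRiskScoped        = (@($p.Conditions.SignInRiskLevels).Count -gt 0)
    }
}

$report | Format-Table -AutoSize

# Findings an assessor would raise from this output. Only 'enabled' policies count;
# report-only policies are evidence of intent, not of enforcement.
$enabled = @($report | Where-Object State -eq 'enabled')

$reportOnly = @($report | Where-Object State -eq 'enabledForReportingButNotEnforced')
if ($reportOnly.Count -gt 0) {
    Write-Warning "Report-only, not enforced: $($reportOnly.Name -join ', ')"
}
if (-not ($enabled | Where-Object BlocksLegacyAuth)) {
    Write-Warning 'No enabled policy blocks legacy authentication (legacy protocols bypass MFA).'
}
if (-not ($enabled | Where-Object { $_.RequiresMfa -and $_.AllUsers })) {
    Write-Warning 'No enabled policy requires MFA for all users.'
}
if (-not ($enabled | Where-Object RequiresCompliantDevice)) {
    Write-Warning 'No enabled policy requires an Intune-compliant device.'
}
if (-not ($enabled | Where-Object { $_.SignInRiskScoped -and $_.AllUsers })) {
    Write-Warning 'No enabled sign-in risk policy is scoped to all users.'
}
# Every excluded user or group is either a documented SSP exception or a finding.
$report | Where-Object Exclusions -gt 0 | ForEach-Object {
    Write-Warning "'$($_.Name)' has $($_.Exclusions) exclusion(s); confirm each is documented in the SSP."
}
```

The exclusion count is deliberately reported per policy rather than suppressed for break-glass accounts: the assessor wants to see the exception and the compensating control next to each other, so the script surfaces the exception and leaves the justification to the SSP.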
2. Microsoft Purview DLP Policies That Do Not Cover All CUI Categories
Data Loss Prevention is one of the most frequently misconfigured Microsoft compliance tools we encounter. Contractors typically build a DLP policy covering a handful of sensitive information types, confirm it generates some alerts, and consider the requirement satisfied. Assessors take a much more granular view.
The specific failures we see most often include:
- DLP policies scoped only to Exchange Online, leaving SharePoint Online, OneDrive, and Teams unprotected
- Policies set to audit only with no enforcement actions, meaning CUI can still be transmitted externally without restriction
- Absence of CUI-specific sensitive information types or trainable classifiers aligned to the CUI Registry categories applicable to the organization's contracts
- No end-user policy tip configuration, leaving employees without real-time guidance when a potential violation is detected
DLP is a technical safeguard that maps to multiple CMMC practices, most directly in the Access Control domain (controlling the flow of CUI) and the System and Communications Protection domain, with Media Protection practices benefiting as well. For a deeper look at how to build effective policies, see our post on understanding Data Loss Prevention.
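The workload coverage, enforcement mode, and policy-tip gaps above are all visible from Security & Compliance PowerShell. The block below is an added example written for this article (not Cleared Systems or Microsoft tooling); it assumes the ExchangeOnlineManagement module and a Purview role that can read DLP policies, and it uses the Get-DlpCompliancePolicy and Get-DlpComplianceRule cmdlets as documented. The small helper that flattens the sensitive-information-type condition handles both the flat and the grouped form of that property, so the output can be compared against the organization's CUI Registry categories by hand.

```powershell
# Added example (not part of the original post): audit Purview DLP policies for
# workload coverage, enforcement mode, blocking rules, policy tips, and the
# sensitive information types / classifiers each policy actually matches on.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# ContentContainsSensitiveInformation is either a flat list of @{name=...}
# entries or a grouped structure (@{operator=...; groups=@(@{sensitivetypes=@(...)})}).
function Get-SitNames {
    param($Condition)
    foreach ($item in @($Condition)) {
        if ($null -eq $item) { continue }
        if ($item.ContainsKey('groups')) {
            foreach ($g in $item.groups) {
                foreach ($st in @($g.sensitivetypes)) { $st.name }
                foreach ($lb in @($g.labels))         { "label:$($lb.name)" }
                foreach ($tc in @($g.trainableclassifiers)) { "classifier:$($tc.name)" }
            }
        } elseif ($item.ContainsKey('name')) {
            $item.name
        }
    }
}

$policies = Get-DlpCompliancePolicy
$rules    = Get-DlpComplianceRule

foreach ($p in $policies) {
    # An empty location list means the workload is not covered at all.
    $coverage = [ordered]@{
        Exchange   = @($p.ExchangeLocation).Count    -gt 0
        SharePoint = @($p.SharePointLocation).Count  -gt 0
        OneDrive   = @($p.OneDriveLocation).Count    -gt 0
        Teams      = @($p.TeamsLocation).Count       -gt 0
        Endpoint   = @($p.EndpointDlpLocation).Count -gt 0
    }
    $uncovered = @($coverage.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Name)

    # Mode: Enable = enforced; TestWithNotifications / TestWithoutNotifications = audit only.
    $enforced = ($p.Mode -eq 'Enable')

    $policyRules = @($rules | Where-Object ParentPolicyName -eq $p.Name)
    $blocking    = @($policyRules | Where-Object { $_.BlockAccess }).Count
    $withTips    = @($policyRules | Where-Object { @($_.NotifyUser).Count -gt 0 }).Count
    $sits        = $policyRules |
                   ForEach-Object { Get-SitNames $_.ContentContainsSensitiveInformation } |
                   Sort-Object -Unique

    [pscustomobject]@{
        Policy              = $p.Name
        Enforced            = $enforced
        UncoveredWorkloads  = ($uncovered -join ',')
        Rules               = $policyRules.Count
        BlockingRules       = $blocking
        RulesWithPolicyTips = $withTips
        MatchedTypes        = ($sits -join '; ')
    }

    if (-not $enforced)          { Write-Warning "'$($p.Name)' is in test mode ($($p.Mode)); nothing is enforced." }
    if ($uncovered.Count -gt 0)  { Write-Warning "'$($p.Name)' does not cover: $($uncovered -join ', ')" }
    if ($blocking -eq 0)         { Write-Warning "'$($p.Name)' has no rule that blocks; CUI can still leave the tenant." }
    if ($withTips -eq 0)         { Write-Warning "'$($p.Name)' shows no policy tips to users." }
}
```

The MatchedTypes column is the one to hold against the contract's CUI categories: a policy that matches only credit card and SSN patterns will show exactly that, and the absence of any custom type or trainable classifier is the finding.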
3. Sensitivity Labeling Gaps That Leave CUI Unclassified
Microsoft Purview sensitivity labels are the primary mechanism for implementing CUI marking requirements inside Microsoft 365. Assessors expect to see a label taxonomy that mirrors the organization's CUI categories, applied consistently across documents, emails, and Teams channels. What they actually find at most organizations is far messier.
Common labeling failures include:
- Labels created in Purview but auto-labeling disabled, resulting in inconsistent manual application across the user population
- No label publishing policy scoped to users who handle CUI, so the labels appear only for a subset of the workforce
- Labels that apply visual markings but do not trigger encryption or access restriction on documents leaving the tenant
- No integration between sensitivity labels and DLP policies, meaning labeled content can still be exfiltrated without triggering a policy match
Proper sensitivity labeling is not just a technical checkbox. It is the operational mechanism that demonstrates your organization can identify, mark, and control CUI at the data level. See our detailed resource on CUI compliance and protection with Microsoft Security for configuration guidance.
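The four labeling gaps above can be checked from the same Security & Compliance session. This is an added example written for this article, not Cleared Systems or Microsoft code; it assumes the ExchangeOnlineManagement module, the Get-Label, Get-LabelPolicy, Get-AutoSensitivityLabelPolicy and Get-DlpComplianceRule cmdlets, and it detects the label-to-DLP integration by looking for the label's identifiers inside each DLP rule's condition (the condition stores the label by GUID, so the match is done against ImmutableId as well as the name).

```powershell
# Added example (not part of the original post): review Purview sensitivity
# labels for encryption, publishing scope, auto-labeling, and DLP integration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labels      = Get-Label
$labelPols   = Get-LabelPolicy
$autoPols    = Get-AutoSensitivityLabelPolicy
$dlpRules    = Get-DlpComplianceRule

# Serialise each DLP rule's condition once so label references can be searched.
$ruleBlobs = $dlpRules | ForEach-Object {
    [pscustomobject]@{
        Rule = $_.Name
        Blob = ($_.ContentContainsSensitiveInformation | ConvertTo-Json -Depth 10 -Compress)
    }
}

foreach ($l in $labels) {
    $published = @($labelPols | Where-Object { $_.Labels -contains $l.Name -or $_.Labels -contains $l.DisplayName })
    $autoApplied = @($autoPols | Where-Object {
        $_.ApplySensitivityLabel -eq $l.Name -or $_.ApplySensitivityLabel -eq $l.DisplayName -or
        $_.ApplySensitivityLabel -eq $l.ImmutableId
    })
    $dlpLinked = @($ruleBlobs | Where-Object {
        $_.Blob -match [regex]::Escape($l.ImmutableId) -or $_.Blob -match [regex]::Escape($l.Name)
    })

    [pscustomobject]@{
        Label           = $l.DisplayName
        VisualMarking   = ($l.ApplyContentMarkingHeaderEnabled -or $l.ApplyContentMarkingFooterEnabled -or $l.ApplyWaterMarkingEnabled)
        Encryption      = [bool]$l.EncryptionEnabled
        PublishedBy     = ($published.Name -join ', ')
        AutoLabelPolicies = ($autoApplied.Name -join ', ')
        AutoLabelEnforced = @($autoApplied | Where-Object Mode -eq 'Enable').Count
        DlpRulesUsingLabel = $dlpLinked.Count
    }

    # The findings listed in the article, in the same order.
    if ($autoApplied.Count -eq 0) {
        Write-Warning "'$($l.DisplayName)': no auto-labeling policy; application depends on users."
    } elseif (-not ($autoApplied | Where-Object Mode -eq 'Enable')) {
        Write-Warning "'$($l.DisplayName)': auto-labeling policy exists but is in simulation/test mode."
    }
    if ($published.Count -eq 0) {
        Write-Warning "'$($l.DisplayName)': not published by any label policy; users cannot apply it."
    }
    if (-not $l.EncryptionEnabled) {
        Write-Warning "'$($l.DisplayName)': marks content but does not encrypt it; protection stops at the tenant boundary."
    }
    if ($dlpLinked.Count -eq 0) {
        Write-Warning "'$($l.DisplayName)': no DLP rule conditions on this label; labeled content will not trigger DLP."
    }
}
```

Whether every CUI-handling user is in scope of the publishing policy is a question about group membership rather than label settings, so after this runs the PublishedBy column still needs to be compared against the groups those policies target.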
4. Microsoft Defender Configuration That Falls Short of Hardening Requirements
Most contractors have Microsoft Defender for Endpoint enabled. Far fewer have it configured to meet the hardening and logging requirements that CMMC assessors expect. Defender's default configuration is not a compliance configuration. Assessors verify specific settings that default deployments leave untouched.
The most frequently flagged Defender gaps include:
- Attack Surface Reduction rules not enabled or set to audit-only rather than block mode
- Tamper protection disabled, allowing endpoint security settings to be modified by local users
- Alert suppression rules that mask security events relevant to the assessment boundary
- No integration between Defender for Endpoint and Microsoft Sentinel or another SIEM solution, resulting in an inability to demonstrate continuous monitoring as required under CMMC
- Incomplete onboarding of all endpoints within the CUI boundary, leaving coverage gaps the assessor can detect in the device inventory
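Most of the Defender gaps above are visible on the endpoint itself, which is also where an assessor will spot-check. The following is an added example written for this article, not a Microsoft or Cleared Systems tool; it runs elevated on a Windows endpoint, reads the effective Defender configuration with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets, and checks the MDE onboarding state from the Sense service and its registry key. The ASR rule list is a subset of Microsoft's published rule GUIDs chosen by the editor to illustrate the check; it is not the full set and should be replaced with the organization's own baseline.

```powershell
# Added example (not part of the original post): verify Defender hardening on
# one Windows endpoint in the CUI boundary. Run in an elevated session.

# Subset of ASR rule GUIDs from Microsoft's ASR rules reference, selected as an
# illustration. Replace with your own baseline before treating it as complete.
$asrBaseline = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}
# Action codes as stored in AttackSurfaceReductionRules_Actions
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Map configured rule IDs to their action; a rule absent from the list is Disabled.
$configured = @{}
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

$asrReport = foreach ($id in $asrBaseline.Keys) {
    $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
    [pscustomobject]@{
        Rule    = $asrBaseline[$id]
        Action  = $actionName[$action]
        Finding = ($action -ne 1)   # anything other than Block is a finding
    }
}
$asrReport | Sort-Object Finding -Descending | Format-Table -AutoSize

# Tamper protection keeps local admins (and malware with admin rights) from
# turning these settings off.
if (-not $status.IsTamperProtected)             { Write-Warning 'Tamper protection is OFF.' }
if ($status.RealTimeProtectionEnabled -eq $false) { Write-Warning 'Real-time protection is OFF.' }

# MDE onboarding: the Sense service must be running and OnboardingState must be 1.
$senseSvc  = Get-Service -Name Sense -ErrorAction SilentlyContinue
$mdeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = ((Get-ItemProperty -Path $mdeKey -ErrorAction SilentlyContinue).OnboardingState -eq 1)
if (-not $onboarded -or -not $senseSvc -or $senseSvc.Status -ne 'Running') {
    Write-Warning 'Endpoint is not onboarded to Defender for Endpoint, or the Sense service is not running.'
}
```

Running this on a sample of devices and comparing the result with the Intune and Defender portal inventories is how the coverage gap in the last bullet is found: a device that the portal lists as onboarded but whose Sense service is stopped, or that is missing from the portal entirely, is the discrepancy the assessor will ask about.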
5. Audit Logging That Is Enabled but Not Retained or Reviewed
CMMC requires organizations to create, protect, and review audit logs sufficient to detect unauthorized access and anomalous behavior. Microsoft 365 Unified Audit Log (UAL) is the primary mechanism for most contractors. Assessors look beyond whether the UAL is enabled—they evaluate retention periods, log coverage, and whether anyone is actually reviewing the logs.
Specific failures in this area:
- Audit log retention left at the platform default (90 days historically, 180 days for Audit (Standard) on current tenants) rather than the retention period the organization's own policy states, often without anyone confirming that the actual tenant configuration matches the documented policy
- Mailbox auditing not enabled for all user mailboxes, leaving a significant gap in email-related event coverage
- No documented log review process, no assigned personnel, and no evidence that reviews actually occur
- Audit (Premium) features (formerly called Advanced Audit; requires E5 or G5 licensing) not enabled, meaning high-value events such as mail items accessed by someone other than the mailbox owner (the MailItemsAccessed record) are never captured
Logging gaps are particularly damaging during assessments because they undercut multiple CMMC practices simultaneously. If you cannot demonstrate that logs exist, are retained, and are reviewed, you will have findings in Audit and Accountability, Incident Response, and potentially Risk Assessment domains. For a broader look at what assessors focus on, review our article on CMMC audit readiness in 2026 and what assessors are focusing on right now.
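The evidence for this section (ingestion on, mailbox auditing not bypassed, retention versus policy, and a saved log pull that proves review happens) can be collected in one script. This is an added example written for this article, not Cleared Systems or Microsoft tooling; it assumes the ExchangeOnlineManagement module, an Exchange Online session for the organization and mailbox settings, and a Security & Compliance session for the retention-policy cmdlet. The 365-day policy value is a placeholder standing in for whatever the organization's own audit policy says.

```powershell
# Added example (not part of the original post): collect audit-logging evidence
# for the UAL, mailbox auditing, retention, and a dated review export.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified Audit Log ingestion must be on at the tenant level.
$ual = Get-AdminAuditLogConfig
if (-not $ual.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is DISABLED for the tenant.'
}

# 2. Mailbox auditing "on by default": AuditDisabled=True at the org level turns
#    auditing off for every mailbox regardless of per-mailbox settings, and a
#    bypass association silently exempts an individual mailbox.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning 'Mailbox auditing is disabled at the organization level.' }
$bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
              Where-Object { $_.AuditBypassEnabled })
if ($bypassed.Count -gt 0) {
    Write-Warning "Mailbox audit bypass enabled for: $($bypassed.Name -join ', ')"
}

# 3. Retention: compare the configured policy with the documented requirement.
$policyRequiresDays = 365   # placeholder: replace with the value in your audit policy / SSP
Connect-IPPSSession
$retention = @(Get-UnifiedAuditLogRetentionPolicy)
if ($retention.Count -eq 0) {
    Write-Warning "No custom audit retention policy; tenant is on the platform default. Policy requires $policyRequiresDays days."
} else {
    $retention | Select-Object Name, Priority, RetentionDuration, RecordTypes | Format-Table -AutoSize
}

# 4. Prove the premium event is captured and that someone is pulling the log.
#    The exported CSV, dated and kept, is the review artefact the assessor asks for.
$since      = (Get-Date).AddDays(-7)
$mailAccess = @(Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
                   -Operations MailItemsAccessed -ResultSize 100)
if ($mailAccess.Count -eq 0) {
    Write-Warning 'No MailItemsAccessed events in the last 7 days: check Audit (Premium) licensing and enablement.'
}
$mailAccess | Select-Object CreationDate, UserIds, Operations, RecordType |
    Export-Csv -NoTypeInformation -Path ("ual-review-{0:yyyyMMdd}.csv" -f (Get-Date))
```

A scheduled run of step 4 with the CSV kept alongside a short sign-off note is the cheapest way to turn "we review logs" from a sentence in the SSP into evidence that survives the interview.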
6. Intune Device Compliance Policies That Do Not Enforce What the SSP Claims
System Security Plans (SSPs) for CMMC frequently describe Intune-enforced device compliance requirements in precise terms: disk encryption required, minimum OS versions enforced, screen lock configured. Assessors test whether the Intune policies match those descriptions. The gap between documented policy and actual Intune configuration is one of the most consistent sources of findings we see across our client engagements.
Typical misalignments include:
- Compliance policies that do mark devices non-compliant, but only after a grace period so long (or so routinely reset) that a non-compliant device keeps its access to CUI indefinitely
- BitLocker required by the compliance policy but with no disk encryption profile actually enforcing it, so the Intune encryption report simply accumulates non-compliant devices with no remediation workflow
- BYOD devices enrolled in Intune without Mobile Application Management restrictions that prevent CUI from being copied to personal storage
- No Conditional Access policy that blocks access for devices flagged as non-compliant by Intune, making the compliance policy effectively advisory
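Comparing the SSP's wording with the live Intune policy is mechanical once the policy objects are in hand. The block below is an added example written for this article, not Microsoft or Cleared Systems tooling; it calls the beta Microsoft Graph endpoint for compliance policies (the non-compliance actions are only expandable there) through Invoke-MgGraphRequest, and it assumes the Microsoft.Graph.Authentication module and DeviceManagementConfiguration.Read.All. The $sspClaims values are placeholders for what a real SSP states. The Conditional Access side of the last bullet (an enabled policy with a compliantDevice grant) is checked in the Conditional Access section above.

```powershell
# Added example (not part of the original post): compare Windows compliance
# policies and their non-compliance actions against what the SSP claims.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

# Placeholder claims; replace with the text of your own SSP.
$sspClaims = @{
    bitLockerEnabled = $true
    osMinimumVersion = '10.0.19045'
    passwordRequired = $true
    maxGraceHours    = 24     # non-compliant devices must lose access within a day
}

$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' +
       '?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)'
$policies = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

foreach ($p in $policies) {
    # Only the Windows policy type carries these properties; other platforms differ.
    if ($p.'@odata.type' -ne '#microsoft.graph.windows10CompliancePolicy') { continue }

    $findings = @()
    if ($sspClaims.bitLockerEnabled -and -not $p.bitLockerEnabled) { $findings += 'BitLocker not required' }
    if ($sspClaims.passwordRequired -and -not $p.passwordRequired) { $findings += 'Screen lock / password not required' }
    if (-not $p.osMinimumVersion) {
        $findings += 'No minimum OS version'
    } elseif ([version]$p.osMinimumVersion -lt [version]$sspClaims.osMinimumVersion) {
        $findings += "osMinimumVersion $($p.osMinimumVersion) is below the SSP value"
    }

    # Actions for non-compliance: a 'block' action marks the device non-compliant
    # after gracePeriodHours. Without one, or with an enormous grace period, the
    # policy never actually denies access and is advisory in practice.
    $blockActions = @($p.scheduledActionsForRule |
                      ForEach-Object { $_.scheduledActionConfigurations } |
                      Where-Object { $_.actionType -eq 'block' })
    if ($blockActions.Count -eq 0) {
        $findings += 'No "mark device noncompliant" action configured'
    }
    foreach ($a in $blockActions) {
        if ($a.gracePeriodHours -gt $sspClaims.maxGraceHours) {
            $findings += "Grace period of $($a.gracePeriodHours)h exceeds the SSP limit"
        }
    }

    [pscustomobject]@{
        Policy   = $p.displayName
        Findings = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    }
}
```

A policy that reports OK here but is assigned to no groups, or to a group that excludes the CUI users, still fails the assessment; assignment scope is a separate call (the policy's assignments navigation) and is worth exporting in the same run.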
7. Overprivileged Administrator Accounts and Lack of Privileged Identity Management
Least privilege is a foundational CMMC and NIST SP 800-171 requirement. In Microsoft 365 environments, least privilege failures typically manifest as standing Global Administrator accounts that are used for routine administrative tasks, with no just-in-time access controls in place. Assessors look for Microsoft Entra Privileged Identity Management (PIM) configuration as evidence that privileged access is time-bound and requires explicit activation.
Findings in this area commonly include:
- Multiple permanent Global Administrator assignments with no PIM activation requirements
- Service accounts with excessive permissions assigned directly rather than through role-based access control
- No documented privileged account inventory aligned to the SSP's access control section
- Emergency access accounts not documented, monitored, or subject to alerting when used
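A privileged account inventory that distinguishes standing assignments from PIM-eligible ones is the artefact that answers the first three bullets. The following is an added example written for this article, not Cleared Systems or Microsoft tooling; it uses the Microsoft Graph PowerShell role-management cmdlets (Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryManagement) and assumes RoleManagement.Read.Directory and Directory.Read.All. The role template IDs are Microsoft's fixed built-in values; the set of roles chosen is the editor's illustration and should be widened to whatever the SSP names as privileged.

```powershell
# Added example (not part of the original post): inventory privileged role
# assignments and separate permanent active assignments from PIM-eligible ones.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryManagement
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Built-in role template IDs (fixed across tenants). Extend to match the SSP.
$roles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    '194ae4cb-b126-40b2-bd5b-6091b380977d' = 'Security Administrator'
    '29232cdf-9323-42fd-ade2-1d097af3e4de' = 'Exchange Administrator'
}

$rows = foreach ($roleId in $roles.Keys) {
    $filter = "roleDefinitionId eq '$roleId'"
    # Active instances: AssignmentType 'Assigned' with no EndDateTime is permanent standing access;
    # 'Activated' is a PIM activation that will expire on its own.
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            Role        = $roles[$roleId]
            PrincipalId = $_.PrincipalId
            Kind        = if ($_.AssignmentType -eq 'Activated') { 'PIM-activated' }
                          elseif ($_.EndDateTime) { 'Active (time-bound)' }
                          else { 'Active (PERMANENT)' }
        }
    }
    # Eligible instances only exist when PIM is in use; an empty result here is itself a finding.
    Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{ Role = $roles[$roleId]; PrincipalId = $_.PrincipalId; Kind = 'Eligible (PIM)' }
    }
}
$rows = @($rows)

# Resolve principal IDs to names and object types once (user, group, servicePrincipal).
$names = @{}
foreach ($id in ($rows.PrincipalId | Sort-Object -Unique)) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $id -ErrorAction SilentlyContinue
    $names[$id] = if ($obj) {
        $type = ($obj.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        "$($obj.AdditionalProperties['displayName']) [$type]"
    } else { $id }
}

$rows | Select-Object Role, @{ n = 'Principal'; e = { $names[$_.PrincipalId] } }, Kind |
    Sort-Object Role, Kind | Format-Table -AutoSize

# What the assessor will ask about: the only permanent Global Administrators should
# be the documented emergency-access (break-glass) accounts; everyone else should be
# eligible and activate through PIM.
$permanentGA = @($rows | Where-Object { $_.Role -eq 'Global Administrator' -and $_.Kind -eq 'Active (PERMANENT)' })
Write-Host "Permanent Global Administrators: $($permanentGA.Count)"
$permanentGA | ForEach-Object { Write-Warning "Permanent GA: $($names[$_.PrincipalId]) (document as break-glass or convert to eligible)" }
if (-not ($rows | Where-Object Kind -eq 'Eligible (PIM)')) {
    Write-Warning 'No eligible assignments found for these roles; PIM is not in use for them.'
}
```

Service principals appear in this inventory with the [servicePrincipal] tag, which is how the "service accounts with excessive permissions" bullet gets answered; each one that holds a permanent privileged role needs a line in the SSP explaining why it is not a custom, narrowly scoped role instead.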
Our CMMC, CUI, and DFARS compliance services include a full Microsoft 365 configuration review that specifically targets these privileged access gaps before an assessor finds them.
How to Approach Remediation Before Your Assessment
The configuration errors described above share a common thread: they represent gaps between what an organization has purchased or documented and what is actually deployed and enforced. Closing that gap requires a structured technical review that goes setting by setting through your Microsoft 365 environment, compares findings against your SSP, and produces a remediation plan with measurable completion criteria.
For contractors approaching their first CMMC Level 2 assessment, we recommend reviewing our Microsoft compliance configuration checklist covering 40 settings across Purview, Defender, and Intune as a starting point. Organizations that need expert-guided remediation should also consider our Regulatory vCISO services, which provide the ongoing technical and compliance leadership needed to maintain a defensible Microsoft 365 configuration between assessments.
Getting these configurations right is not a one-time event. Assessors return, licenses change, and tenant configurations drift. The organizations that consistently pass CMMC assessments are those that treat Microsoft compliance configuration as an operational discipline rather than a pre-audit sprint.
Ready to Close Your Microsoft Configuration Gaps Before an Assessor Does?
Cleared Systems works directly with defense contractors and federal suppliers to identify and remediate Microsoft 365 compliance configuration gaps before they become assessment findings. Whether you are preparing for your first C3PAO audit or tightening a mature program ahead of reassessment, our team brings the technical depth and CMMC expertise to get your environment into a defensible posture. Request a quote today to speak with our team about a Microsoft compliance configuration review tailored to your contract requirements and assessment timeline.
