M365 Compliance Consulting

Microsoft 365 Compliance Consulting: CMMC, HIPAA, SOC 2, and NIST for Regulated Enterprises

Quick Answer

Microsoft 365 compliance consulting configures Entra ID Conditional Access, Purview DLP, and audit logging to the specific control requirements of CMMC 2.0, HIPAA, SOC 2, or NIST 800-171. Microsoft’s platform certifications cover infrastructure; your tenant configuration is what auditors evaluate, and the defaults satisfy none of these frameworks.

Microsoft 365 compliance consulting configures Purview, Conditional Access, DLP policies, and Audit Log against your specific framework, not generic cloud-security defaults. For a defense contractor that means mapping each control to CMMC Level 2 requirements and fixing where the default Microsoft 365 configuration fails them.

i3solutions has delivered M365 compliance implementations across defense, healthcare, and financial services environments, including work for organizations such as Pratt & Whitney, Brown Advisory, and Kaiser Permanente. With 600+ Microsoft platform implementations and nearly 30 years as a Microsoft Gold Partner, our compliance engagements begin with a control-mapping exercise that identifies the gap between your current tenant and what your specific framework requires. This guide maps that relationship for CMMC 2.0, HIPAA, SOC 2, and NIST 800-171, using the actual control family references your assessors will apply. The Microsoft 365 Governance Framework that i3solutions builds for regulated enterprises provides the governance structure this compliance work operates inside. This page covers the compliance-framework-specific configuration within that structure.


Microsoft 365 CMMC Compliance for Defense Contractors

Defense prime contractors and their subcontractors handling Controlled Unclassified Information must satisfy CMMC 2.0 Level 2 requirements, which map directly to the 110 practices in NIST Special Publication 800-171. DFARS clause 252.204-7012 establishes the contractual obligation: organizations processing, storing, or transmitting covered defense information must provide adequate security on all covered systems. For organizations running M365 as their collaboration and production environment, that obligation runs to how the M365 tenant is configured, not merely whether the underlying Microsoft infrastructure holds a CMMC or FedRAMP authorization.

CMMC Level 2 Practice Requirements and M365 Control Mapping

CMMC Level 2 encompasses 110 practices across 14 domains. Several domains map directly to M365 capabilities, but only when those capabilities are actively configured rather than left at platform defaults.

The Access Control domain includes 22 practices. AC.1.001 requires limiting system access to authorized users; Entra ID implements this through user accounts, Conditional Access policies, and Identity Governance. AC.1.002 restricts access to authorized transaction types; Entra ID role assignments and SharePoint permission models address this. AC.3.017 requires separating duties to reduce risk of malevolent activity; Entra ID Privileged Identity Management provides just-in-time role activation that satisfies separation-of-duties requirements. AC.2.006 controls the use of portable storage; Microsoft Intune device management policies configured to block external storage on managed devices satisfy this practice.

The Audit and Accountability domain requires that actions of individual users can be traced (AU.2.041) and that audit logs are created and retained (AU.2.042). Microsoft Purview Audit records user and admin activity across Exchange, SharePoint, Teams, and Entra ID. Purview Audit Premium provides extended log retention for high-value events and supports forensic-level investigation, satisfying both the creation and retention requirements.

Identification and Authentication practices include IA.1.076 and IA.1.077 (identify and authenticate users before access) and IA.3.083 (use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts). Entra ID MFA satisfies the basic authentication requirements. For CUI access specifically, phishing-resistant MFA through FIDO2 security keys or Windows Hello for Business satisfies the elevated IA.3.083 standard that CMMC assessors now apply.

DFARS 252.204-7012 also imposes a 72-hour cyber incident reporting requirement to the DoD. Microsoft Sentinel, integrated with M365, supports the incident detection and documentation the reporting requirement depends on. Compliance Manager provides an assessment template for NIST 800-171 that maps current tenant configuration against the 110 practices and generates a scored gap report.

Where Default M365 Configuration Fails CMMC Level 2

Default M365 commercial configurations fail CMMC Level 2 at multiple practice levels. Three gaps are consistently surfaced in assessments.

Default MFA settings allow phone-based MFA for all users including those accessing CUI. CMMC assessors applying current NIST 800-171A assessment objectives increasingly require phishing-resistant MFA for CUI-accessible accounts. Standard authenticator app push notifications do not satisfy this requirement; the Entra ID MFA configuration must be scoped to require FIDO2 or Windows Hello for Business authentication for CUI-accessing users.
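The following Microsoft Graph PowerShell is an added example, not i3solutions' or Microsoft's code, showing one way to scope the phishing-resistant requirement described above to CUI-accessing users with a Conditional Access policy. It assumes the Microsoft.Graph PowerShell SDK is installed, that a security group named `CUI-Users` (placeholder) holds the CUI-accessing accounts, and that the break-glass account object id is filled in by the reader; all three are assumptions, not values from this page.

```powershell
# Added example (not i3solutions' or Microsoft's code). Assumes the Microsoft.Graph
# PowerShell SDK and an account holding Policy.ReadWrite.ConditionalAccess and
# Group.Read.All. 'CUI-Users' and the break-glass object id are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the group that holds CUI-accessing users (placeholder name).
$cuiGroup = Get-MgGroup -Filter "displayName eq 'CUI-Users'"
if (-not $cuiGroup) { throw "Group 'CUI-Users' not found; create it or change the filter." }

# Look up the built-in 'Phishing-resistant MFA' authentication strength instead of
# hard-coding its id. That strength admits FIDO2 security keys, Windows Hello for
# Business and certificate-based authentication; authenticator push, SMS and voice
# do not satisfy it, which is exactly the gap the assessors flag.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }

$policy = @{
    displayName   = "CA-CUI-Require-Phishing-Resistant-MFA"
    # Report-only first: sign-in logs then show who would have been blocked,
    # so the group membership can be corrected before enforcement.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($cuiGroup.Id)
            # Always exclude at least one documented break-glass account (placeholder id).
            excludeUsers  = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After the report-only period shows no unexpected blocks, switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`; the policy export (`Get-MgIdentityConditionalAccessPolicy`) is the artefact an assessor will ask for as evidence of the IA.3.083 control.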

Default DLP policies in M365 commercial tenants do not classify CUI categories. The Purview DLP library includes standard sensitive information types such as Social Security numbers and credit card numbers, but not CUI category definitions including ITAR-controlled technical data, EAR-controlled items, or DoD CUI categories. These classifications require custom DLP policy construction and testing against real document samples before an assessment.
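As an added example (not i3solutions' or Microsoft's code), the Security & Compliance PowerShell below creates a CUI DLP policy in simulation mode, so matches against real document samples can be reviewed before anything is blocked, then points at the switch to enforcement. It assumes the ExchangeOnlineManagement module, Compliance Administrator rights, and a custom sensitive information type already published under the placeholder name `Contoso ITAR Technical Data`; no built-in type covers CUI categories, so that name is an assumption the reader replaces.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and a Compliance
# Administrator. 'Contoso ITAR Technical Data' is a placeholder for a custom
# sensitive information type you have already built and published.
Connect-IPPSSession

$policyName = "DLP-CUI-Protect"
$customSit  = "Contoso ITAR Technical Data"   # placeholder custom SIT name

# Dry-run the classifier against a real (redacted) sample before building policy on it.
Test-DataClassification -ClassificationNames $customSit `
    -TextToClassify (Get-Content -Path ".\sample-cui-document.txt" -Raw)

# Simulation mode: policy tips and incident reports fire, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks external sharing of content matching the custom CUI SIT" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: one or more CUI matches shared outside the organisation -> block, notify
# the owner, and send a full incident report to the site admin for the test log.
New-DlpComplianceRule -Name "$policyName-Block-External" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $customSit; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This content matches a CUI category and cannot be shared externally." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# After the test period, once false positives are tuned out, enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the incident reports from the simulation period is worthwhile: they document that the policy was tested against real content, which is the evidence an assessor wants alongside the policy export itself.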

Microsoft Teams default settings allow guest users from any external domain. Guest accounts represent an access control gap under AC.1.001 and a potential CUI exfiltration path. External access must be restricted to specific approved domains and guest account provisioning must follow a defined access control process to satisfy the AC domain practices.

A defense prime contractor in the aerospace sector engaged i3solutions after failing a pre-assessment readiness review conducted by their C3PAO. The readiness review identified 23 practice gaps, the majority in the AC and AU domains. i3solutions redesigned the Conditional Access policy stack, implemented phishing-resistant MFA for CUI-system users, built custom DLP policies for their primary CUI categories, and configured Purview Audit Premium with extended retention. The organization passed their CMMC Level 2 assessment within the project timeline. Pratt & Whitney is among the defense and aerospace enterprises that have worked with i3solutions on Microsoft platform implementations in high-compliance environments. For organizations preparing for a CMMC assessment, our How to Prepare for a CMMC Audit guide covers the readiness steps in detail.


Microsoft 365 HIPAA Compliance for Healthcare Organizations

Healthcare organizations using M365 as their primary collaboration platform carry obligations under the HIPAA Security Rule (45 CFR Part 164) for every system that creates, receives, maintains, or transmits electronic protected health information. M365 is a covered system the moment clinical communication, patient records, or payer correspondence moves through it, regardless of whether the primary EHR runs on a separate platform. An HHS OCR audit evaluates the M365 configuration directly.

Technical Safeguard Mapping in Microsoft 365

The HIPAA Security Rule Technical Safeguards at 45 CFR 164.312 specify four required categories, each with required and addressable implementation specifications.

Access control (164.312(a)(1)) requires a unique user identification specification (164.312(a)(2)(i)), emergency access procedures, and encryption and decryption capabilities (164.312(a)(2)(iv)). Entra ID satisfies the unique user identification requirement through individual user accounts and enforces automatic session lockout, satisfying the automatic logoff addressable specification at 164.312(a)(2)(iii). Microsoft Purview Information Protection encrypts ePHI in documents and emails using sensitivity labels, satisfying the encryption specification.

Audit controls (164.312(b)) require hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI. Microsoft Purview Audit records user activity across all M365 workloads. Purview Audit Premium provides extended audit log retention for specific high-value events and supports the investigation capability the audit controls standard requires.

Integrity controls (164.312(c)(1)) require protection from improper alteration or destruction. Microsoft Defender for Office 365 provides anti-malware and anti-tampering capabilities. SharePoint versioning and document protection satisfy the integrity mechanism specification.

Transmission security (164.312(e)(1)) requires guarding against unauthorized access to ePHI transmitted over electronic communications networks. M365 uses TLS 1.2 or higher for all data in transit and enforces encryption for external email transmission via Exchange Online Protection. These configurations must be verified and, where default settings allow downgrade or unencrypted fallback, explicitly locked.

HIPAA also requires a minimum six-year record retention period for policies and procedures (164.530(j)). Purview retention policies must be configured to enforce at least a six-year minimum hold on ePHI-containing content across SharePoint, Exchange, and Teams. For breach notification, the 60-day notification timeline at 45 CFR 164.404 depends on rapid identification of affected ePHI. Purview eDiscovery supports rapid content searches across M365 workloads to identify affected data scope, and Communication Compliance monitoring flags unauthorized sharing of ePHI before it escalates to a reportable event.

Where Default M365 Configuration Gaps Stall HIPAA Compliance

Three default configuration gaps consistently surface in HIPAA readiness reviews for M365 environments.

Default retention policies in M365 do not satisfy the six-year retention minimum. The default SharePoint recycle bin retention is 93 days. Without an explicit Purview retention policy covering all ePHI repositories including SharePoint sites, Exchange mailboxes, and Teams channels, content containing ePHI can be permanently deleted within 93 days, violating the retention requirement under 164.530(j).
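As an added example (not i3solutions' or Microsoft's code), the Security & Compliance PowerShell below creates the retention policies the paragraph calls for: a six-year hold across Exchange, SharePoint, OneDrive and Microsoft 365 Group content, plus a second policy for Teams, because Teams chat and channel locations cannot share a policy with the other workloads. It assumes the ExchangeOnlineManagement module and Compliance Administrator rights; the policy names are assumptions.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and a Compliance Administrator.
Connect-IPPSSession

$days = 6 * 365   # six-year minimum hold expressed in days (2190)

# Policy 1: Exchange mailboxes, SharePoint sites, OneDrive, and M365 Group content.
# A retention policy preserves content in the Preservation Hold Library even if a
# user deletes it and empties the recycle bin, which is what the 93-day default lacks.
New-RetentionCompliancePolicy -Name "HIPAA-ePHI-Retain-6y" `
    -Comment "Retain ePHI-bearing content for at least six years (45 CFR 164.530(j))" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All

New-RetentionComplianceRule -Name "HIPAA-ePHI-Retain-6y-Rule" -Policy "HIPAA-ePHI-Retain-6y" `
    -RetentionDuration $days -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Policy 2: Teams chats and channel messages need their own policy.
New-RetentionCompliancePolicy -Name "HIPAA-ePHI-Teams-Retain-6y" `
    -Comment "Retain Teams chats and channel messages for at least six years" `
    -TeamsChannelLocation All -TeamsChatLocation All

New-RetentionComplianceRule -Name "HIPAA-ePHI-Teams-Retain-6y-Rule" -Policy "HIPAA-ePHI-Teams-Retain-6y" `
    -RetentionDuration $days -RetentionComplianceAction Keep

# Verification and evidence: both policies enabled and fully distributed to the locations.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "HIPAA-ePHI-*" } |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation,
                  TeamsChannelLocation, TeamsChatLocation
```

`Keep` retains without forcing deletion at the end of the period; if the records schedule also requires disposal, `KeepAndDelete` adds that, but the minimum hold is the HIPAA-relevant part. The `DistributionStatus` column should read `Success` before the configuration is cited as evidence, since a policy that is still distributing is not yet protecting content.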

Default Teams settings allow external guest access from any domain. For healthcare organizations where Teams is used for clinical communication, referral coordination, or payer correspondence, unrestricted guest access creates an ePHI exposure risk that violates the access control specifications at 164.312(a). External collaboration must be restricted to approved partner domains and monitored for ePHI transmission.

Microsoft 365 Business and Frontline tiers do not include Purview Audit Premium, which supports the extended log retention that thorough breach investigation requires. Organizations on lower license tiers often discover this gap when an OCR investigation requests log records that standard audit retention does not cover.

A regional healthcare network engaged i3solutions to address gaps identified in their annual HIPAA security risk analysis: M365 had been deployed for clinical communication and administrative operations but the required technical safeguard configuration had not been completed during the original deployment. i3solutions conducted a full control-mapping assessment, configured Purview retention policies with a seven-year minimum hold on ePHI repositories, implemented sensitivity labels for PHI classification and encryption, locked down external sharing to approved payer and referral partner domains, and upgraded the licensing tier to include Purview Audit Premium. Kaiser Permanente is among the large healthcare organizations that have engaged i3solutions for Microsoft platform implementations in high-compliance environments.

Ready to engage i3solutions?

i3solutions has delivered M365 compliance implementations for CMMC, HIPAA, SOC 2, and NIST 800-171 environments. Our compliance team begins with a Compliance Manager baseline assessment that maps your current tenant against your framework’s control requirements, identifies the configuration gaps, and defines an implementation scope built on the honest gap report, not a self-assessed compliance claim. Every engagement ships with documented audit evidence your assessors can use directly.


i3solutions implements M365 compliance for CMMC, HIPAA, SOC 2, and NIST 800-171, with the control mappings and audit evidence regulated enterprises must produce.

Microsoft 365 SOC 2 Compliance for Financial Services

Financial services organizations undergoing SOC 2 Type II examinations face an increasing expectation that their M365 environments demonstrate control effectiveness across the AICPA Trust Services Criteria. A SOC 2 Type II report covers a defined period, typically 6 to 12 months, and requires evidence that controls were not just designed but operating effectively throughout that period. M365 provides the evidence collection mechanism, but only if the relevant controls are active and systematically logged.

Trust Service Criteria Mapping to M365 Controls

The Common Criteria category provides the primary control framework for most financial services SOC 2 examinations.

CC6 (Logical and Physical Access Controls) requires that access is restricted to authorized personnel (CC6.1), provisioned and de-provisioned through a defined process (CC6.2), granted based on defined roles (CC6.3), and that network-level access from external sources is managed (CC6.6). Entra ID addresses CC6.1 and CC6.3 through Conditional Access policies and role-based access control. Entra ID Privileged Identity Management satisfies CC6.3 by eliminating standing administrative access and requiring just-in-time role activation with approval workflows. Conditional Access policies that restrict access from untrusted networks and unenrolled devices satisfy CC6.6.

CC7 (System Operations) requires detection of configuration changes (CC7.1) and monitoring of system components for anomalies (CC7.2). Microsoft Defender for Cloud Apps provides configuration change detection and anomaly alerting across M365 workloads. Microsoft Purview Insider Risk Management addresses CC7.2 by monitoring for anomalous user behavior patterns including unusual data download volumes, external sharing activity, and off-hours access.

CC9 (Risk Mitigation) requires identification and implementation of risk mitigation activities. Microsoft Purview Compliance Manager provides continuous SOC 2 assessment scoring against the AICPA criteria and generates evidence packages that support the examination process.

The Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314), updated in 2023, imposes specific technical safeguard requirements on financial institutions beyond what SOC 2 covers. The Safeguards Rule requires access controls to customer information, encryption in transit and at rest, monitoring and testing of key controls, and a written incident response plan. M365’s Entra ID, Purview, and Defender components satisfy the technical safeguard elements of the GLBA Safeguards Rule. The annual risk assessment requirement under GLBA aligns with Compliance Manager’s continuous assessment capability, which generates scored findings that document the risk assessment process and support both SOC 2 and GLBA compliance simultaneously.

Where Default M365 Configuration Gaps Appear in SOC 2 Type II Audits

SOC 2 Type II auditors consistently find three configuration gaps in M365 environments that have not received active compliance configuration.

Standing administrative access fails CC6.3. Default M365 Global Administrator and SharePoint Administrator roles, once assigned, remain active indefinitely. SOC 2 examiners reviewing access control effectiveness ask to see evidence of just-in-time access or time-limited elevated permissions. Without Entra ID PIM configured and activated, the access model does not satisfy CC6.3.
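The Microsoft Graph PowerShell below is an added example, not i3solutions' or Microsoft's code, that produces the evidence an examiner asks for under CC6.3: a list of every active assignment to the most privileged directory roles, flagging those that are permanent (standing) rather than PIM just-in-time activations. It assumes the Microsoft.Graph SDK, an account holding RoleManagement.Read.Directory and Directory.Read.All, and a PIM-enabled (Entra ID P2) tenant; the output file name is an assumption.

```powershell
# Added example; assumes the Microsoft.Graph PowerShell SDK, RoleManagement.Read.Directory
# and Directory.Read.All, and a PIM-enabled tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles whose standing assignment SOC 2 examiners test under CC6.3.
$roleNames = @("Global Administrator", "SharePoint Administrator", "Exchange Administrator")

$findings = foreach ($name in $roleNames) {
    # Resolve each role by display name rather than hard-coding template ids.
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { Write-Warning "Role '$name' not found"; continue }

    # Active schedule instances: AssignmentType 'Assigned' with no EndDateTime is a
    # permanent standing assignment; 'Activated' rows are PIM just-in-time activations.
    $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$($def.Id)'" -All

    foreach ($i in $instances) {
        $standing = ($i.AssignmentType -eq 'Assigned') -and (-not $i.EndDateTime)
        $p = Get-MgDirectoryObject -DirectoryObjectId $i.PrincipalId
        [pscustomobject]@{
            Role              = $name
            Principal         = $p.AdditionalProperties['displayName']
            UserPrincipalName = $p.AdditionalProperties['userPrincipalName']
            PrincipalType     = ($p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            AssignmentType    = $i.AssignmentType
            EndDateTime       = $i.EndDateTime
            StandingAccess    = $standing
        }
    }
}

# Standing assignments are the CC6.3 finding; export the full table as period evidence.
$findings | Where-Object { $_.StandingAccess } |
    Format-Table Role, Principal, UserPrincipalName, PrincipalType -AutoSize
$findings | Export-Csv -Path ".\privileged-role-assignments-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run on a schedule through the examination period, the exported CSVs show the control operating over time rather than at a single point. The only standing rows that should remain after PIM is in place are the documented break-glass accounts, and those should appear in the firm's access-control procedure by name.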

Default external sharing settings for SharePoint and Teams allow sharing with anyone using a link or any authenticated external user. SOC 2 examiners testing CC6.6 review external access configurations and the evidence of access monitoring. Anonymous link sharing provides no user-identity tracking, and the absence of external sharing monitoring leaves gaps in evidence of CC6.6 controls operating effectively.
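The default-sharing gap above, and the Teams guest and external-access gaps noted earlier in the CMMC and HIPAA sections, come down to the same tenant settings. As an added example (not i3solutions' or Microsoft's code), the PowerShell below records the current state, disables anonymous links, restricts SharePoint and OneDrive sharing to an allow list of partner domains, and limits Teams federation to the same list. It assumes the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules, SharePoint and Teams Administrator roles, and placeholder values for the tenant name and the approved domains.

```powershell
# Added example; assumes the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams
# modules plus SharePoint Administrator and Teams Administrator roles. The tenant name
# and partner domains are placeholders.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-MicrosoftTeams

$approvedDomains = @("partner-one.example", "partner-two.example")   # placeholders

# Record the pre-change state; examiners ask for before/after evidence.
$before = Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
$before | Export-Csv -Path ".\spo-sharing-before-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# 1. ExternalUserSharingOnly removes "Anyone" links: external recipients must sign in,
#    so every access is tied to an identity in the audit log (the CC6.6 tracking gap).
# 2. AllowList confines external sharing to approved partner domains.
# 3. Direct makes "specific people" the default link type instead of org-wide or anonymous.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($approvedDomains -join " ") `
    -DefaultSharingLinkType Direct

# Teams: federation with external organisations limited to the same allow list,
# and consumer (public) accounts blocked.
$patterns  = $approvedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList -AllowPublicUsers $false

# Post-change evidence.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, DefaultSharingLinkType
Get-CsTenantFederationConfiguration | Select-Object AllowedDomains, AllowPublicUsers
```

Guest account provisioning itself is governed separately, in the Entra ID external collaboration settings (the B2B domain allow/deny list and who may invite guests), so the settings above close the sharing and federation paths but the guest onboarding process still needs its own documented control.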

Without Compliance Manager’s SOC 2 template activated and configured, organizations have no systematic evidence collection for the examination period. When auditors request evidence of control operation over the prior 12 months, manually assembled documentation is typically incomplete. Compliance Manager’s continuous assessment provides the ongoing evidence record that SOC 2 Type II examinations require.

A financial services firm engaged i3solutions prior to their first SOC 2 Type II examination after their auditors identified M365 as an in-scope system. i3solutions implemented Entra ID PIM across all administrative roles, configured Conditional Access policies for CC6.6 external network management, activated the SOC 2 Compliance Manager template, and implemented Purview Insider Risk Management policies for CC7.2 anomaly monitoring. The organization completed the examination period with documented control effectiveness across all relevant CC criteria. Brown Advisory is among the financial services organizations that have engaged i3solutions for Microsoft platform implementations.


Microsoft 365 NIST 800-171 Compliance for Federal Programs

NIST Special Publication 800-171 Revision 2 specifies 110 security requirements in 14 families for protecting Controlled Unclassified Information in nonfederal systems. While CMMC 2.0 Level 2 adopts these 110 requirements directly, NIST 800-171 applies independently to organizations with contractual CUI handling obligations outside the defense industrial base, including research institutions with federal grant obligations, civilian agency contractors, and organizations handling federal CUI categories beyond DFARS-covered defense information.

High-Impact Control Families and M365 Implementation

Three NIST 800-171 control families have the highest volume of requirements and the most direct M365 implementation surfaces.

The Access Control family (3.1) specifies 22 requirements. Requirement 3.1.1 (authorized access) and 3.1.2 (authorized users) map to Entra ID account provisioning and Conditional Access policies. Requirement 3.1.3 (CUI flow control) maps to Purview Information Protection labels that prevent CUI from being transmitted outside approved destinations. Requirement 3.1.5 (least privilege) maps to Entra ID role-based access control and PIM for privileged accounts. Requirement 3.1.13 (remote access with MFA) maps to Entra ID MFA enforcement for all remote connections.

The Audit and Accountability family (3.3) specifies 9 requirements. Requirement 3.3.1 requires creating and retaining system audit logs and audit records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Microsoft Purview Audit supports this requirement, but the default audit log retention in standard M365 licenses, 90 days under Purview Audit Standard, does not satisfy the operational requirement that audit logs remain available for investigation. Purview Audit Premium extends retention to 10 years for designated high-value event types and to one year for all audit events, satisfying 3.3.1 for ongoing investigation purposes. Requirement 3.3.2 (individual accountability) maps to Entra ID’s per-user audit trail in Purview Audit.

The System and Communications Protection family (3.13) specifies 16 requirements. Requirement 3.13.1 (boundary protection) maps to Entra ID Conditional Access and Microsoft Defender for Endpoint for managed device boundary enforcement. Requirement 3.13.8 (encryption in transit) is satisfied by M365’s TLS 1.2/1.3 enforcement for all data in transit, but this must be verified for all communication paths including outbound email. Requirement 3.13.16 (encryption at rest) maps to Microsoft’s service-side encryption for all M365 workloads, though customer-managed key configurations through Purview Customer Key may be required for specific CUI categories.

For organizations with contractual obligations requiring deployment on Microsoft’s government cloud, the CUI handling boundary is an important architectural decision. Microsoft 365 GCC satisfies FedRAMP Moderate authorization and supports ITAR and EAR-controlled data handling for many contractor scenarios. Microsoft 365 GCC High provides FedRAMP High authorization and data residency in US government datacenters with access restricted to screened US persons, required for the most sensitive CUI categories and DoD IL4-equivalent workloads. The distinction matters because Compliance Manager’s NIST 800-171 template operates differently across commercial M365, GCC, and GCC High tenants, and the configuration delta between commercial and GCC High is significant.

Where NIST 800-171 Gaps Typically Appear in Standard Commercial M365 Tenants

Two structural gaps affect nearly every standard commercial M365 tenant assessed against NIST 800-171.

Default audit log retention does not satisfy requirement 3.3.1 for investigation-quality log availability. Standard M365 licenses retain audit logs for 90 days. E3 and E5 licenses extend to 90 and 180 days under Purview Audit Standard. The 90-to-180-day window is insufficient for retrospective investigation of incidents discovered weeks or months after occurrence. Purview Audit Premium, available in E5 and as an add-on, provides 10-year retention for designated event types and one-year retention by default for all audit events, satisfying the 3.3.1 investigation requirement.
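The audit-retention gap described here, and the same gap as it appears in the HIPAA section (Business and Frontline tiers without Audit Premium) and under requirement 3.3.1 above, is closed with the same configuration. As an added example (not i3solutions' or Microsoft's code), the PowerShell below confirms unified audit log ingestion is on, creates a ten-year audit retention policy for the high-value record types, and runs a search that only returns results if events older than the 90-day default are still available. It assumes the ExchangeOnlineManagement module, Compliance Administrator rights, and Purview Audit Premium licensing, which the ten-year option requires; the policy name is an assumption.

```powershell
# Added example; assumes the ExchangeOnlineManagement module, a Compliance Administrator,
# and Purview Audit Premium licensing (required for the TenYears retention option).
Connect-ExchangeOnline
Connect-IPPSSession

# 1. Unified audit log ingestion must be on; every retention setting below is moot otherwise.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Ten-year retention for investigation-grade record types: Entra ID directory and
#    sign-in events, Exchange admin and mailbox item operations, SharePoint/OneDrive
#    file operations. Priority 1 takes precedence over any other matching policy.
New-UnifiedAuditLogRetentionPolicy -Name "Audit-HighValue-10y" `
    -Description "NIST 800-171 3.3.1 / HIPAA 164.312(b): keep investigation-grade events 10 years" `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon, ExchangeAdmin, ExchangeItem, SharePointFileOperation `
    -RetentionDuration TenYears -Priority 1

# 3. Evidence: list the policies in force.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, Priority, RetentionDuration, RecordTypes

# 4. Proof of retention beyond 90 days: a sign-in search over a window 100-120 days back.
#    Results here mean the extended retention is actually holding data, not just configured.
Search-UnifiedAuditLog -RecordType AzureActiveDirectoryStsLogon `
    -StartDate (Get-Date).AddDays(-120) -EndDate (Get-Date).AddDays(-100) -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations
```

Record types not named in a retention policy fall back to the licence default (one year under Audit Premium), so the policy above should list every record type the incident response plan expects to query, not only the common ones shown.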

Commercial M365 tenants do not provide the CUI data boundary that DFARS-covered contractors with the most sensitive CUI categories require. Data in commercial M365 tenants is processed and stored on Microsoft’s commercial cloud infrastructure. For CUI categories requiring controlled cloud handling, GCC or GCC High deployment is not optional. Organizations that discover this boundary requirement after deploying on commercial tenants face a tenant migration that is substantially more complex than the initial deployment.

Still evaluating?

If your organization is in the evaluation stage, a scoping conversation with our team identifies where your current M365 tenant stands against your framework’s control requirements and defines the implementation path to close the gaps. No obligations.


Scope your compliance posture and the right engagement model with our senior delivery leads. A scoping conversation, not a commitment.

How i3solutions Implements Microsoft 365 Compliance for Regulated Enterprises

Implementation Sequence and Engagement Structure

i3solutions Microsoft 365 compliance engagements follow a defined implementation sequence that produces audit-ready evidence at each stage.

The engagement begins with a Compliance Manager baseline assessment against the target framework template: NIST 800-171, HIPAA, SOC 2, or a custom multi-framework assessment. Compliance Manager scores the current tenant configuration against the control requirements and produces a gap report sorted by control family and severity. This baseline assessment defines the implementation scope and provides the prioritized gap list that drives the project plan.

Gap remediation proceeds across four phases. Phase 1 covers identity and access controls (Entra ID Conditional Access, PIM, MFA configuration) because access control gaps affect the widest range of subsequent control requirements. Phase 2 covers data protection configuration including Purview DLP policies, sensitivity labels, and retention policies, which requires test document sets and policy tuning against real content before finalization. Phase 3 covers audit configuration: Purview Audit Premium activation, log retention policy, and alert rule construction. Phase 4 covers testing and documentation: each completed control area is tested against the framework’s assessment objective before sign-off, and the documentation package is assembled.

The implementation produces a documentation package that includes a re-scored Compliance Manager assessment reflecting the post-implementation control state, DLP and Conditional Access policy documentation formatted as audit evidence, retention policy configuration records, and a named-controls attestation summary that maps each framework control to the M365 configuration element that satisfies it.

i3solutions deploys all-senior US-based engineers on regulated-environment compliance work. No offshore resources. No junior staff on configuration work in CUI or PHI environments. Our Enterprise Delivery Assurance methodology means engagements ship on time, in scope, and in production, with documented handoff materials rather than undocumented configurations. As a Microsoft Gold Partner since 1997 with nearly 30 years of Microsoft platform delivery and 600+ implementations, the borrowed expertise our clients bring to their auditors, contracting officers, and boards is earned from a track record that generalist IT firms cannot replicate. Learn more about our Microsoft consulting services.

The M365 tools in every compliance engagement include Microsoft Purview (Compliance Manager, Information Protection, DLP, Audit, eDiscovery, Insider Risk Management), Microsoft Entra ID (Conditional Access, Privileged Identity Management, MFA, Identity Governance), and Microsoft Defender (for Office 365, for Endpoint, for Cloud Apps) as required by the framework and environment profile.


How to Evaluate a Microsoft 365 Compliance Consulting Partner

Diagnostic Questions and Documented Deliverables

The buying decision for a Microsoft 365 compliance consulting engagement carries long-term consequences. A misconfigured compliance environment discovered during an assessment costs more to remediate than a correctly scoped initial engagement. The following diagnostic questions separate compliance consulting firms that have done this work from those that have read about it.

Ask which specific Conditional Access named locations they will configure for your environment and why. A firm that has implemented CMMC Level 2 or NIST 800-171 can describe the named location configuration for CUI-system access without hesitation. Ask what the NIST 800-171 Compliance Manager assessment score in an unconfigured commercial M365 tenant typically starts at and which control families drive the largest gap. Ask how they handle the difference between what Compliance Manager scores as compliant and what an assessor will verify in a hands-on technical assessment. Ask what they produce at the end of the engagement that your assessor or auditor can use directly.

A compliance consulting engagement should produce documented deliverables that function as audit evidence: a Compliance Manager gap assessment in both pre- and post-implementation states, DLP policy documentation with test case validation records, Conditional Access policy exports with business justification documentation, retention policy configuration records with scope verification, and a named-controls attestation summary that maps each framework control to the M365 configuration element that satisfies it.

The buying committee for a compliance engagement typically spans three or four roles. The IT Director or CISO owns the M365 tenant and the technical configuration work. The Compliance Officer or Privacy Officer owns the framework obligation and will present the evidence to auditors. Legal or Contracts is particularly relevant in defense contractor scenarios where the DFARS clause creates direct liability. Executive sponsorship enters when the compliance program carries board-level reporting obligations. Each role has a different primary question: the IT Director asks about the configuration approach and implementation timeline, the Compliance Officer asks about evidence packages and what assessors will see, and Legal asks about the scope of the engagement agreement. A consulting partner who cannot engage substantively with all four of these roles is not a match for a regulated-enterprise compliance program.

For context on how M365 compliance configuration fits within the broader governance structure, the Microsoft 365 Access and Permissions: The Complete Governance Guide covers the implementation consulting layer that this compliance-specific configuration work operates within.


Related Reading

Microsoft 365 Governance Framework

Microsoft 365 Access and Permissions: The Complete Governance Guide

How to Prepare for a CMMC Audit

Begin your Microsoft 365 compliance engagement

i3solutions delivers Microsoft 365 compliance implementations for CMMC, HIPAA, SOC 2, and NIST 800-171 environments. Our compliance team is ready to scope your engagement.


Frequently Asked Questions

Microsoft 365 compliance consulting for regulated enterprises ranges from $35,000 to $120,000 or more depending on the framework, the number of in-scope systems, and the current tenant configuration. A CMMC Level 2 implementation for a defense contractor with a defined CUI boundary typically ranges from $45,000 to $75,000, covering the Compliance Manager baseline assessment, Conditional Access redesign, DLP policy build and testing, Purview Audit Premium configuration, and post-implementation documentation. HIPAA technical safeguard configuration for a healthcare organization running M365 for clinical communication typically ranges from $30,000 to $55,000 for a standard-scope engagement. SOC 2 readiness and configuration engagements vary based on whether the organization is pursuing a first examination or remediating prior-report findings. Multi-framework engagements addressing NIST 800-171 and CMMC simultaneously save cost by eliminating redundant single-framework implementation work. All i3solutions compliance engagements are scoped after a discovery conversation; we do not publish fixed-price packages because current tenant configuration affects cost as much as the framework itself.

Yes, and in regulated enterprise environments that serve both defense and healthcare sectors or that handle both CUI and PHI, multi-framework implementation is more efficient than sequential single-framework engagements. The control overlap between CMMC Level 2 and HIPAA is substantial: access control, audit and accountability, identification and authentication, and system and communications protection families have direct counterparts in the HIPAA Security Rule technical safeguard requirements. A unified implementation approach configures the shared control infrastructure once, covering Entra ID MFA, Conditional Access, and Purview Audit, and then layers the framework-specific configurations separately: HIPAA retention policies and sensitivity labels for ePHI, CMMC DLP policies for CUI categories. i3solutions has delivered multi-framework implementations for regulated enterprises where the environment must satisfy multiple framework obligations concurrently.

A CMMC Level 2 M365 implementation for a defense contractor with a defined CUI boundary and a standard commercial M365 tenant typically takes 8 to 14 weeks from the baseline assessment to the post-implementation documentation package, assuming no significant architectural changes to the CUI boundary environment are required. Engagements that include a GCC or GCC High tenant migration, Active Directory restructuring, or large-scale DLP policy development for complex CUI document libraries take longer. The primary variable is the gap between the current tenant state and the 110-practice requirement set. Organizations with no prior CMMC configuration work and significant gaps in the AC and AU domains should plan for the longer end of the range.

Partial configuration is the most common starting state in our experience, and it typically requires more careful assessment work than an unconfigured environment because partially applied controls can create false confidence in audit readiness. A Conditional Access policy configured for MFA but not scoped to CUI-system access, a DLP policy that covers PII but not CUI categories, or a Purview Audit configuration active but retaining logs for 90 days rather than the required period are all partial configurations that score in Compliance Manager but will not satisfy the assessment objective. i3solutions begins every engagement with a full Compliance Manager baseline assessment regardless of the tenant’s prior configuration history. The baseline assessment produces an honest gap report that distinguishes between controls that are correctly configured, controls that are partially configured in ways that will not satisfy the assessment objective, and controls that are absent. The implementation scope is built from the honest gap report, not from a self-assessed compliance claim.

CMMC scoping guidance has evolved significantly since the 2.0 framework finalized, and assessors apply NIST 800-171A assessment objectives that have been updated since the original 800-171 publication. i3solutions tracks CMMC scoping guidance updates from the DoD CIO and CMMC Accreditation Body, NIST 800-171A assessment objective revisions, and Microsoft’s GCC and GCC High boundary documentation updates because these affect tenant architecture decisions directly. For HIPAA, we track HHS OCR guidance and enforcement actions that establish enforcement priorities. For SOC 2, we track AICPA Trust Services Criteria updates and practice-area guidance. Microsoft’s compliance documentation for M365 changes with every product update cycle, and Compliance Manager templates update when underlying control frameworks revise. Our engineering team is current with these updates because we run compliance engagements continuously across all three framework families.

i3solutions brings regulated-enterprise depth across defense, financial services, healthcare, and federal programs, delivered on time and in scope.