CISA Zero Trust Maturity Model for the identity pillar
A unified identity provider (IdP) is crucial to managing access effectively; it ensures users and entities have the right access to resources without excessive permissions. Integrating identity, credential, and access management solutions creates strong authentication, tailored context-based authorization, and identity risk assessment.
The Office of Management and Budget (OMB) Memorandum M-22-09, released in support of Executive Order 14028: Improving the Nation's Cybersecurity, mandates that federal agencies employ centralized identity management systems for their users. These systems can integrate into applications and common platforms, ensuring a unified approach to identity management. This requirement is part of the Zero Trust strategy that enhances cybersecurity and data privacy. We recommend consolidating IdPs, identity stores, and identity management systems by adopting Microsoft Entra ID as the IdP.
For more information, see Meet identity requirements of M-22-09 with Microsoft Entra ID.
1 Identity
This section has Microsoft guidance and recommendations for the CISA Zero Trust Maturity Model in the identity pillar. The Cybersecurity & Infrastructure Security Agency (CISA) identifies identity as an attribute, or attribute set, which uniquely describes an agency user or entity, including nonperson entities. To learn more, see Securing identity with Zero Trust.
1.1 Function: Authentication
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes (e.g., locale or activity). | **Microsoft Entra ID**<br>Establish an identity foundation by consolidating identity providers, putting Microsoft Entra ID in the path of every access request. While you identify and migrate applications to Microsoft Entra ID, implement policy that mandates new applications integrate with Microsoft Entra ID. This action ensures security policies, such as multifactor authentication (MFA) and entity attribute validation, are applied consistently for access to enterprise resources. Throughout 2024-2025 Microsoft is rolling out MFA enforcement for admin portals. Microsoft recommends that accounts use MFA.<br>- Migrate apps and authentication to Microsoft Entra ID<br>- Mandatory Microsoft Entra MFA<br>- Secure identity with Zero Trust<br>**Microsoft Entra authentication methods**<br>Enable enterprise-allowed MFA methods with policy settings in Microsoft Entra. Enable the methods users select or use during sign-in.<br>- Manage authentication methods<br>- Microsoft Entra MFA overview<br>**Microsoft Entra Conditional Access**<br>Create a Conditional Access policy to require MFA for all cloud apps. Any multifactor authentication method passes the "require MFA" grant control in Conditional Access. Include validation of multiple entity attributes, such as locale and activity. Use application targeting and network conditions.<br>- Enable multifactor authentication<br>- Cloud apps, actions, and auth in Conditional Access<br>- Network in Conditional Access policy<br>**Microsoft Entra External ID**<br>Require MFA for all users, including external guests. Configure cross-tenant access trust settings to improve the partner collaboration experience.<br>- Cross-tenant access for B2B collaboration |
| **Advanced Maturity Status**<br>Enterprise begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of password-less MFA via FIDO2 or PIV. | **Microsoft Entra ID**<br>Migrate current applications to use Microsoft Entra ID as the identity provider (IdP). Require integration with Microsoft Entra ID for new applications. Include applications using legacy authentication protocols with Microsoft Entra application proxy. Migrate to cloud and managed authentication from federated IdPs with Staged Rollout. These actions ensure phishing-resistant MFA is applied consistently for access to enterprise resources.<br>- Migrate apps and auth to Microsoft Entra ID<br>- Microsoft Entra app gallery<br>- Microsoft Entra application proxy to publish on-premises apps<br>- Cloud authentication with Staged Rollout<br>**Conditional Access**<br>Configure Conditional Access authentication strengths to require phishing-resistant MFA, including passwordless MFA such as Fast IDentity Online 2 (FIDO2) passkeys, or certificate-based authentication (CBA) with personal identity verification (PIV) cards.<br>- Microsoft Entra authentication strengths<br>**Microsoft Entra authentication methods**<br>Implement authentication policies with phishing-resistant methods, such as passkeys in Microsoft Authenticator, Microsoft Entra CBA, Windows Hello for Business, and passkeys, including FIDO2 security keys. To transition users from non-phishing-resistant MFA, exclude them from weaker authentication methods.<br>- Authentication methods<br>- Microsoft Entra CBA<br>- Passwordless security key sign-in<br>- Passkeys in Authenticator<br>- Windows Hello for Business<br>- M-22-09 MFA requirements<br>**Microsoft Entra External ID**<br>Configure cross-tenant access policies to trust MFA from partners. Enable external users to use phishing-resistant authentication methods to access resources.<br>- Cross-tenant access for B2B |
| **Optimal Maturity Status**<br>Enterprise continuously validates identity with phishing-resistant MFA, not just when access is initially granted. | **Conditional Access**<br>Conditional Access policies are evaluated continuously throughout a user's session. Configure session controls to increase the required sign-in frequency under certain conditions, such as when the user or the sign-in is detected as risky in Microsoft Entra ID Protection.<br>- Session controls<br>**Continuous Access Evaluation**<br>Enable Continuous Access Evaluation (CAE) for critical events and near-real-time continuous access validation.<br>- Continuous Access Evaluation<br>- CAE for Microsoft 365<br>- CAE-enabled APIs in apps |
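The Initial, Advanced and Optimal rows above describe the same Conditional Access policy evolving from "require MFA" to a phishing-resistant authentication strength with a sign-in frequency control. The following is an added example, not Microsoft's own code or a snippet from this page: it builds the policy body that the Microsoft Graph `conditionalAccessPolicy` resource accepts, checks it against the Advanced-stage bar before anything is submitted, and posts it with `urllib`. The built-in authentication strength IDs are assumed from Graph documentation (confirm them in your tenant with `GET /v1.0/policies/authenticationStrengthPolicies`), the break-glass object ID is a placeholder, and `create_policy` assumes an access token carrying the `Policy.ReadWrite.ConditionalAccess` permission.

```python
"""
Added example, not Microsoft's own code: build a Conditional Access policy object
for the Microsoft Graph conditionalAccessPolicy resource and check it against the
ZTMM authentication bar before submitting it. Assumes an access token holding the
Policy.ReadWrite.ConditionalAccess permission; the break-glass IDs are placeholders.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Built-in authentication strength IDs. Assumed from Graph documentation; confirm
# in your tenant with GET /v1.0/policies/authenticationStrengthPolicies.
MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"
PASSWORDLESS_MFA_STRENGTH = "00000000-0000-0000-0000-000000000003"
PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"


def require_mfa_grant():
    """Initial stage: any registered MFA method satisfies the 'mfa' built-in control."""
    return {"operator": "OR", "builtInControls": ["mfa"]}


def phishing_resistant_grant():
    """Advanced stage: only methods in the phishing-resistant strength satisfy the grant."""
    return {"operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH}}


def build_policy(display_name, grant, break_glass_user_ids,
                 state="enabledForReportingButNotEnforced", sign_in_frequency_hours=None):
    """Policy targeting all users and all cloud apps; starts in report-only mode."""
    policy = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": grant,
    }
    if sign_in_frequency_hours:
        # Optimal stage: re-prompt periodically rather than only at first access.
        policy["sessionControls"] = {"signInFrequency": {
            "isEnabled": True, "type": "hours", "value": sign_in_frequency_hours,
            "frequencyInterval": "timeBased"}}
    return policy


def policy_findings(policy):
    """Gaps relative to the Advanced authentication stage; an empty list means compliant."""
    findings = []
    cond = policy.get("conditions", {})
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        findings.append("does not target all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("does not target all cloud apps")
    if not cond.get("users", {}).get("excludeUsers"):
        findings.append("no break-glass account excluded (tenant lockout risk)")
    strength = policy.get("grantControls", {}).get("authenticationStrength", {}).get("id")
    if strength != PHISHING_RESISTANT_MFA_STRENGTH:
        findings.append("grant control does not require phishing-resistant MFA")
    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))
    return findings


def create_policy(access_token, policy):
    """POST the policy to Graph; returns the created resource (network call)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    break_glass = ["11111111-1111-1111-1111-111111111111"]  # placeholder object ID
    initial = build_policy("ZTMM Initial - Require MFA", require_mfa_grant(), break_glass)
    advanced = build_policy("ZTMM Advanced - Phishing-resistant MFA",
                            phishing_resistant_grant(), break_glass, state="enabled",
                            sign_in_frequency_hours=12)
    print("initial:", policy_findings(initial))
    print("advanced:", policy_findings(advanced))
```

Run `policy_findings` in a pipeline before `create_policy`: it catches the two mistakes that most often turn a phishing-resistant rollout into an outage (no excluded break-glass account) or into a paper control (the policy left in report-only mode after the pilot).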
1.2 Function: Identity stores
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise has a combination of self-managed identity stores and hosted identity store(s) (e.g., cloud or other enterprise) with minimal integration between the store(s) (e.g., single sign-on). | **Microsoft Entra ID**<br>Enterprises might have apps integrated with multiple identity stores and/or identity providers (IdPs). Consolidate and adopt Microsoft Entra ID as the enterprise IdP. Plan for cloud adoption and reduction of on-premises identity store dependencies.<br>- Move identity and access to Microsoft Entra ID<br>- Migrate apps and auth to Microsoft Entra ID<br>Inventory apps, users, groups, and devices. Keep an accurate count of identity stores, including identity stores or IdPs such as Active Directory Federation Services (AD FS) or third-party IdPs. To ensure user, group, and device attributes consistently update across platforms, synchronize identities between on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID.<br>- Microsoft Entra Connect Sync<br>- Microsoft Entra Cloud Sync<br>- Single sign-on (SSO)<br>- App migration to Microsoft Entra ID<br>- Microsoft Entra integrations with authentication protocols<br>**Microsoft Intune**<br>Hybrid-join current AD DS domain-joined devices to Microsoft Entra ID. To modernize device management, avoid domain-joining new workstations; manage devices with Microsoft Intune instead.<br>- Cloud-first approach<br>- Hybrid-joined devices<br>- SSO to on-premises resources with joined devices<br>- Microsoft Intune |
| **Advanced Maturity Status**<br>Enterprise begins to securely consolidate and integrate some self-managed and hosted identity stores. | **Microsoft Entra ID**<br>The enterprise has adopted Microsoft Entra ID as the identity store and IdP, and new apps integrate with Microsoft Entra ID. For migration, inventory current apps not yet integrated with Microsoft Entra ID. Legacy apps that don't support modern authentication can use Microsoft Entra ID secure hybrid access (SHA) with Microsoft Entra application proxy. To use modern authentication protocols, replace, refactor, or reconfigure apps.<br>- Microsoft Entra app gallery<br>- Migrate apps and auth to Microsoft Entra ID |
| **Optimal Maturity Status**<br>Enterprise securely integrates their identity stores across all partners and environments as appropriate. | **Microsoft Entra ID**<br>App migration to Microsoft Entra ID is complete. Access to enterprise resources requires authentication with Microsoft Entra ID.<br>**Microsoft Entra External ID**<br>Enable secure collaboration with External ID. Configure cross-tenant synchronization to reduce IT administrative burden and provide seamless, automated user experiences.<br>- External ID<br>- Cross-tenant sync in Microsoft Entra ID<br>**Microsoft Entra application provisioning**<br>For applications with their own identity stores, configure app provisioning to manage identities and roles.<br>- App provisioning<br>- On-premises app provisioning<br>- Configure API-driven provisioning app<br>- Microsoft Entra application proxy to publish on-premises apps<br>**Microsoft Entra HR inbound provisioning**<br>Modernize with HR-driven identity provisioning. Create digital identities based on an HR system, the authoritative source for new digital identities; provisioning often begins at this juncture. Use Microsoft Entra with on-premises HR systems to create and update users in Active Directory or in Microsoft Entra ID.<br>- HR-driven provisioning<br>**Microsoft 365 for enterprise**<br>Use the multitenant organization feature in Microsoft Entra ID and Microsoft 365 to form a tenant group and streamline intra-organizational cross-tenant collaboration. Multitenant organizations in Microsoft Entra ID and Microsoft 365 enable a unified people search experience, a global address list (GAL), and improved Microsoft Teams collaboration across multiple tenants.<br>- Multitenant organization capabilities<br>- Multitenant organizations in Microsoft 365 |
1.3 Function: Risk assessments
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise determines identity risk using manual methods and static rules to support visibility. | Enterprises can manually review security events and configuration baselines.<br>**Microsoft Entra ID**<br>Use Microsoft Entra logs to assess aspects of the Microsoft Entra tenant. Microsoft Entra ID has options to access activity log data and reports for various scenarios.<br>- Stream activity logs to integrate tools<br>- Activity logs with Microsoft Graph API<br>- Integrate activity logs<br>- Real-time activity with Sentinel<br>- Activity logs and reports in the Azure portal<br>- Export activity logs for storage and queries<br>Configure diagnostic settings in Microsoft Entra ID to integrate logs with Azure Monitor. Stream logs to an event hub, or archive logs in a storage account.<br>- Diagnostic settings |
| **Advanced Maturity Status**<br>Enterprise determines identity risk with some automated analysis and dynamic rules to inform access decisions and response activities. | **Microsoft Entra ID Protection**<br>Configure risk-based Microsoft Entra Conditional Access policies for user and sign-in risk. Configure Conditional Access policies with response activities based on an assessment of user impact; for example, for high user and sign-in risk, block access or configure the sign-in frequency session control. Use authentication strengths that require a personal identity verification (PIV) card or other phishing-resistant authentication methods.<br>- Microsoft Entra ID Protection<br>- MFA registration policy<br>- Secure workload identities<br>- Risk-based Conditional Access<br>**Microsoft Sentinel**<br>Microsoft Entra ID Protection alerts automatically appear in Microsoft Defender XDR. Connect Microsoft Defender XDR to Microsoft Sentinel for increased visibility, correlation with non-XDR data, longer data retention, and more customizable response automation.<br>- Defender XDR<br>- Connect Defender XDR to Sentinel |
| **Optimal Maturity Status**<br>Enterprise determines identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection. | **Conditional Access**<br>Configure Conditional Access app control for cloud apps. Protect devices with Microsoft Defender for Endpoint, and enable Microsoft Defender for Office 365 to protect against threats in email, links (URLs), file attachments, and collaboration tools.<br>- App access monitoring with Defender for Cloud Apps and Microsoft Entra ID<br>- Deploy Defender for Endpoint<br>- Deploy Defender for Office 365<br>**Microsoft Purview Insider Risk Management**<br>Configure Insider Risk Management to detect, investigate, and act on malicious or accidental activities. Use insider risk policies to define the risk types to identify and detect. Act on cases, or escalate them to Microsoft Purview eDiscovery (Premium) if needed.<br>- Microsoft Purview<br>- Insider risk management<br>- Block insider-risk access<br>**Microsoft Defender XDR**<br>Microsoft Defender for Endpoint, Defender for Cloud Apps, and Defender for Office 365 detect unusual activity and contribute risk signals to user and sign-in risk levels in Microsoft Entra ID Protection.<br>- Risk detections |
1.4 Function: Access management
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise authorizes access, including for privileged access requests, which expires with automated review. | **Microsoft Entra Conditional Access**<br>Configure Conditional Access to apply policy to app usage. Conditional Access takes signals from various sources to authorize access.<br>- Conditional Access<br>**Microsoft Entra entitlement management**<br>Configure access packages in entitlement management for access requests and approval workflows into roles and groups, including privileged roles and groups. Configure access review automation, including expiration and removal from roles and groups.<br>- Entitlement management<br>- Entitlement management and access packages<br>- Access reviews |
| **Advanced Maturity Status**<br>Enterprise authorizes need-based and session-based access, including for privileged access requests, which is tailored to actions and resources. | **Conditional Access**<br>Configure Conditional Access to authorize access, including session-based access. Target resources, roles, and privileged roles.<br>- Conditional Access<br>**Microsoft Entra Privileged Identity Management**<br>Configure PIM to manage, control, and monitor access to important resources, such as custom roles and groups. Tailor access to specific actions and resources.<br>- Privileged Identity Management<br>- Azure custom roles in PIM<br>- PIM for Groups<br>**Microsoft Purview privileged access management**<br>Configure privileged access management for granular access control of privileged administrator tasks in Office 365.<br>- Privileged access management<br>- Get started with PAM |
| **Optimal Maturity Status**<br>Enterprise uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs. | **Microsoft Entra ID Governance**<br>Configure Microsoft Entra ID Governance access packages to automate authorization of just-in-time (JIT) and just-enough access (JEA) tailored to individual actions and resource needs.<br>- Entitlement management<br>- Access packages |
1.5 Function: Visibility and analytics
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise collects user and entity activity logs and performs routine manual analysis and some automated analysis, with limited correlation between log types. | **Microsoft Entra ID, Azure Monitor**<br>Archive Microsoft Entra logs in a storage account or integrate them with Azure Monitor. Facilitate routine manual analysis with the Kusto Data library and built-in identity workbooks that correlate log types.<br>- Microsoft Entra monitoring and health<br>- Archive activity logs in Azure Storage<br>- Integrate logs with Azure Monitor logs<br>- Activity logs and Log Analytics<br>- Microsoft Entra workbooks |
| **Advanced Maturity Status**<br>Enterprise performs automated analysis across some user and entity activity log types and augments collection to address gaps in visibility. | **Microsoft Entra ID, Microsoft Defender XDR, Microsoft Sentinel**<br>Ingest Microsoft Entra identity activity logs, together with other identity log categories from diagnostic settings and Defender XDR, into a security information and event management (SIEM) solution such as Sentinel.<br>- Microsoft Entra monitoring and health<br>- Sign-in logs in Microsoft Entra ID<br>- Microsoft Sentinel<br>- Connect Microsoft Entra data to Sentinel<br>- Defender for Identity<br>- Connect Defender XDR data to Sentinel<br>- Defender for Cloud Apps |
| **Optimal Maturity Status**<br>Enterprise maintains comprehensive visibility and situational awareness across enterprises by performing automated analysis over user activity log types, including behavior-based analytics. | **Microsoft Entra ID Protection**<br>Enable ID Protection to monitor user behavior patterns for risk. Configure insider risk detection and integrate it with Conditional Access.<br>- ID Protection<br>- Risk policies<br>**Sentinel, Identity Threat Detection and Response**<br>Sentinel analytics rules and near-real-time event analysis ingest and analyze Microsoft Entra logs. Enable proactive identification of, and response to, security events and risks with advanced analytics, incident management workflows, and threat intelligence integration. Streamline incident investigation and enhance enterprise security posture.<br>- Microsoft Sentinel<br>- Near-real-time detection analytics rules<br>- Data connector for threat intelligence<br>- User and entity behavior analytics (UEBA) |
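The Risk assessments table (manual review of security events) and the Visibility and analytics table above both come down to running analysis over the Microsoft Entra sign-in logs that diagnostic settings export. The following is an added example, not Microsoft's code or a snippet from this page: a few automated checks a defender would run over those records, the kind of logic that later becomes a Sentinel analytics rule. The records are constructed for the example (the `contoso.example` users and documentation IP ranges are not real data); the field names follow the sign-in log schema, and the error code 53003 (blocked by Conditional Access) is the documented value.

```python
"""
Added example, not Microsoft's own code: automated analysis over Microsoft Entra
sign-in log records of the kind exported through diagnostic settings (SignInLogs).
The records are constructed for this example; field names follow the sign-in log
schema (userPrincipalName, clientAppUsed, authenticationRequirement,
conditionalAccessStatus, riskLevelDuringSignIn, status.errorCode).
"""

# Client types that use legacy authentication protocols and cannot satisfy MFA.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
RISKY_LEVELS = {"medium", "high"}

# Constructed sample records (not real tenant data). errorCode 0 = success;
# 53003 = blocked by Conditional Access.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "none",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "riskLevelDuringSignIn": "none",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Azure Portal",
     "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "riskLevelDuringSignIn": "high",
     "ipAddress": "192.0.2.55", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Azure Portal",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure", "riskLevelDuringSignIn": "high",
     "ipAddress": "192.0.2.55", "status": {"errorCode": 53003}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "SharePoint Online",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "low",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
]


def succeeded(record):
    return record.get("status", {}).get("errorCode") == 0


def single_factor_success(records):
    """Successful sign-ins that never satisfied MFA: an enforcement gap at the Initial stage."""
    return [r for r in records if succeeded(r)
            and r.get("authenticationRequirement") == "singleFactorAuthentication"]


def legacy_auth_success(records):
    """Successful sign-ins through legacy protocols, which bypass MFA entirely."""
    return [r for r in records if succeeded(r) and r.get("clientAppUsed") in LEGACY_CLIENTS]


def risky_signin_not_blocked(records):
    """Medium/high sign-in risk that succeeded without a Conditional Access grant."""
    return [r for r in records if succeeded(r)
            and r.get("riskLevelDuringSignIn") in RISKY_LEVELS
            and r.get("conditionalAccessStatus") != "success"]


def conditional_access_coverage(records):
    """(successful sign-ins with a policy applied, successful sign-ins).
    'notApplied' means no Conditional Access policy matched the sign-in at all."""
    ok = [r for r in records if succeeded(r)]
    applied = [r for r in ok if r.get("conditionalAccessStatus") != "notApplied"]
    return len(applied), len(ok)


def summarize(records):
    """Hit counts per rule, the shape a workbook tile or SIEM rule would report."""
    return {"single_factor_success": len(single_factor_success(records)),
            "legacy_auth_success": len(legacy_auth_success(records)),
            "risky_signin_not_blocked": len(risky_signin_not_blocked(records)),
            "conditional_access_coverage": conditional_access_coverage(records)}


if __name__ == "__main__":
    for rule, hits in summarize(SAMPLE_SIGNINS).items():
        print(rule, hits)
```

The `conditional_access_coverage` ratio is the one to track over time: every successful sign-in with `conditionalAccessStatus` of `notApplied` is a request that Microsoft Entra ID authenticated but no policy evaluated, which is the gap the "put Microsoft Entra ID in the path of every access request" guidance is meant to close.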
1.6 Function: Automation and orchestration
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise manually orchestrates privileged and external identities and automates orchestration of nonprivileged users and of self-managed entities. | **Microsoft Entra Connect, Microsoft Entra Cloud Sync**<br>With on-premises Active Directory, automate orchestration of nonprivileged users with Microsoft Entra Connect and/or Microsoft Entra Cloud Sync. Don't synchronize privileged users from on-premises Active Directory. On the journey toward cloud-first identity, orchestrate nonprivileged users with Microsoft Entra HR provisioning.<br>- Microsoft Entra Connect v2<br>- Microsoft Entra Cloud Sync<br>- Protect Microsoft 365 from on-premises attacks<br>- Cloud HR app to Microsoft Entra user provisioning |
| **Advanced Maturity Status**<br>Enterprise manually orchestrates privileged user identities and automates orchestration of all identities with integration across all environments. | **Microsoft Entra app provisioning**<br>With Microsoft Entra application provisioning, automate orchestration of identities across environments, such as cloud providers or software as a service (SaaS) apps.<br>- App provisioning in Microsoft Entra ID<br>- System for Cross-Domain Identity Management (SCIM) sync with Microsoft Entra ID<br>**Microsoft Entra External ID**<br>Configure cross-tenant synchronization to automate identity orchestration across partner environments.<br>- External ID<br>- Cross-tenant sync in Microsoft Entra ID<br>- Configure cross-tenant sync |
| **Optimal Maturity Status**<br>Enterprise automates orchestration of all identities with full integration across all environments based on behaviors, enrollments, and deployment needs. | **Microsoft Entra ID Governance**<br>At this maturity stage, identity orchestration is complete (see the Advanced status). Microsoft Entra entitlement management is implemented to orchestrate managed user, application, role, and group access. Complete identity integration by configuring privileged user identities with Privileged Identity Management (PIM). Use lifecycle workflows to automate movement between joiner, mover, and leaver scenarios.<br>- Entitlement management<br>- Learn about PIM<br>- Lifecycle workflows |
1.7 Function: Governance
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| **Initial Maturity Status**<br>Enterprise defines and begins implementing identity policies for enterprise-wide enforcement with minimal automation and manual updates. | **Microsoft Entra ID**<br>Use Microsoft Entra ID as the identity provider (IdP) for new app integrations, and migrate current apps to Microsoft Entra ID. Configure Microsoft Entra Conditional Access policies to enforce enterprise-wide requirements and to be the policy enforcement point (PEP) for application and resource access. Implement authorization and role mapping for current and future apps using role-based access control (RBAC), claims mapping, and outbound provisioning.<br>- Microsoft Entra ID Governance<br>- Conditional Access |
| **Advanced Maturity Status**<br>Enterprise implements identity policies for enterprise-wide enforcement with automation and updates policies periodically. | **Conditional Access**<br>Use Conditional Access for identity policy enforcement across the enterprise. Review and implement recommendations for Microsoft Entra ID from the CISA Secure Cloud Business Applications (SCuBA) project, and automate Conditional Access configuration using its APIs.<br>- Conditional Access deployment<br>- CISA SCuBA and Microsoft Entra ID<br>- conditionalAccessPolicy resource type |
| **Optimal Maturity Status**<br>Enterprise implements and fully automates enterprise-wide identity policies for all users and entities across all systems with continuous enforcement and dynamic updates. | **Microsoft Entra ID**<br>Require app access to use Microsoft Entra ID, thus enforcing Conditional Access evaluation. Use Microsoft Entra ID continuous access evaluation (CAE) for near-real-time enforcement and identity protection; this action enables dynamic adaptation to environmental risks. To enforce continuous evaluation, integrate CAE into custom apps and APIs with code.<br>- Continuous access evaluation<br>- CAE-enabled APIs in apps<br>- Microsoft Entra ID Protection<br>**Global Secure Access**<br>Configure compliant network enforcement to reduce the risk of token theft and replay attacks. Enforcement works with services that support CAE: the app rejects stolen access tokens replayed from outside the tenant's compliant network in near-real-time.<br>- Global Secure Access<br>- Microsoft Entra Internet Access<br>- Compliant network check with Conditional Access |
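"Integrate CAE into custom apps and APIs with code" means two things for a client: advertise that it can handle a claims challenge (the `cp1` client capability in the `xms_cc` claim), and, when a CAE-enabled resource answers `401` with `WWW-Authenticate: Bearer ... error="insufficient_claims", claims="<base64 JSON>"`, decode the challenge and request a fresh token with those claims instead of retrying with the revoked one. The following is an added example, not Microsoft's code or a snippet from this page: a client-side handler for that exchange with a simulated CAE-enabled resource. The challenge header is constructed for the example (its `nbf` value is an arbitrary timestamp); in a real app the `acquire_token_fn` stand-in would be an MSAL `acquire_token_*` call created with `client_capabilities=["cp1"]` and given the decoded challenge through its `claims_challenge` parameter. The exact shape of the `xms_cc` capability claim is an assumption about what MSAL sends on the client's behalf.

```python
"""
Added example, not Microsoft's own code: handle a continuous access evaluation (CAE)
claims challenge on the client side. The challenge header below is constructed for
the example; the xms_cc capability claim shape is an assumption about what MSAL
emits when created with client_capabilities=["cp1"].
"""
import base64
import json
import re

# "cp1" tells Microsoft Entra ID this client understands claims challenges, which is
# what lets the resource issue short-lived, revocable CAE tokens to it.
CLIENT_CAPABILITIES = ["cp1"]

# Constructed challenge: the resource demands a token issued after the given time.
SAMPLE_CHALLENGE = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_CHALLENGE_HEADER = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="%s"'
    % base64.b64encode(json.dumps(SAMPLE_CHALLENGE).encode("utf-8")).decode("ascii"))


def capability_claims():
    """Claims the client sends on every token request to advertise CAE support."""
    return {"access_token": {"xms_cc": {"values": list(CLIENT_CAPABILITIES)}}}


def parse_claims_challenge(www_authenticate):
    """Return the decoded claims dict if the header is a CAE claims challenge, else None."""
    if not www_authenticate or not www_authenticate.lower().startswith("bearer"):
        return None
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None  # an ordinary 401 (expired/invalid token) is not a claims challenge
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate base64 without padding
    return json.loads(base64.b64decode(raw).decode("utf-8"))


def merged_claims_for_retry(challenge):
    """Combine the capability claim with the challenge so the retry still advertises cp1."""
    merged = json.loads(json.dumps(capability_claims()))  # deep copy
    for token_type, claims in challenge.items():
        merged.setdefault(token_type, {}).update(claims)
    return merged


def call_with_cae(request_fn, acquire_token_fn):
    """request_fn(token) -> (status, headers); acquire_token_fn(claims) -> token.
    Returns (final status, whether a claims challenge was honored)."""
    token = acquire_token_fn(capability_claims())
    status, headers = request_fn(token)
    if status != 401:
        return status, False
    challenge = parse_claims_challenge(headers.get("WWW-Authenticate", ""))
    if challenge is None:
        return status, False  # not a CAE challenge; let normal error handling run
    token = acquire_token_fn(merged_claims_for_retry(challenge))  # one retry only
    status, _ = request_fn(token)
    return status, True


def demo():
    """Simulate a CAE-enabled resource that challenges the first token it sees."""
    def acquire_token(claims):
        # Stand-in for msal acquire_token_*(..., claims_challenge=json.dumps(claims)).
        return "token|" + json.dumps(claims, sort_keys=True)

    def resource(token):
        if '"nbf"' in token:      # token satisfies the challenge
            return 200, {}
        return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE_HEADER}

    return call_with_cae(resource, acquire_token)


if __name__ == "__main__":
    print(parse_claims_challenge(SAMPLE_CHALLENGE_HEADER))
    print(demo())
```

The single-retry limit in `call_with_cae` matters: a client that loops on challenges hides a revoked session from the user and from your logs, whereas surfacing the second failure is exactly the near-real-time enforcement the Optimal stage is after.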
Next steps
Configure Microsoft Cloud Services for the CISA Zero Trust Maturity Model.