How many “temporary” accounts are still active in your tenant right now? If you handle Controlled Unclassified Information (CUI), that question isn’t academic. CMMC expects every account to have a clear reason to exist, a clear access path, and a clean exit plan, and it expects you to be able to prove all three.
I build user lifecycle routines in Microsoft Entra ID (formerly Azure AD) for small teams that can’t afford chaos. In this post, I’m sharing a practical checklist you can use for CMMC Level 2, with an emphasis on what auditors want to see: approvals, least privilege, MFA enforcement, and proof that offboarding actually revokes access.
What CMMC Level 2 expects from your Entra ID user lifecycle

The core user lifecycle stages I document for CMMC Level 2, created with AI.
CMMC Level 2 maps to NIST SP 800-171 Rev 2, so access control is not optional. The requirements behind this post are 3.1.1 and 3.1.2 (limit system access to authorized users and to the functions they are permitted to use), 3.1.5 (least privilege), 3.5.3 (multifactor authentication), and 3.9.2 (protect systems containing CUI during and after personnel actions such as terminations and transfers). In practice that means you approve access before it’s granted, limit it to what the role needs, and remove it when it’s no longer needed. In Entra ID terms, your onboarding and offboarding can’t be “tribal knowledge” living in someone’s head.
As of March 2026, the pressing issue is business planning. CMMC rollout continues, and Phase 2 is scheduled to start November 10, 2026, when Level 2 certification requirements begin showing up more often in solicitations. If your process is still manual and inconsistent, it’s going to hurt when you try to package evidence.
Microsoft has started publishing direct mappings for Entra configurations that support CMMC. I treat this as required reading, because it helps me align identity settings to audit language: CMMC Level 2 access control guidance in Entra.
This also connects to how I run service for real clients. I’m often the Business Technology Partner for teams doing Digital Transformation without a giant IT staff. My Technology Consulting work usually spans Small Business IT, Cloud Infrastructure, and Secure Cloud Architecture, plus Cloud Management after go-live. Many firms also need Office 365 Migration planning, and some still depend on Data Center Technology where Infrastructure Optimization matters for uptime. For restaurants, I also support Restaurant POS Support and Kitchen Technology Solutions, where identity sprawl can happen fast. Across all of it, my Cybersecurity Services focus on Endpoint Security and Device Hardening, because identity rules fail when devices are unmanaged.
If you can’t prove who approved access, when it was granted, and when it was removed, you’re betting your certification on memory.
CMMC Level 2 provisioning checklist in Entra ID (what I set up first)
Provisioning is where most small contractors bleed risk. A new hire needs access quickly, so someone assigns roles directly, skips groups, and “fixes it later.” That’s how permission creep becomes normal.
Here’s the provisioning flow I use for CMMC user provisioning in Entra ID, keeping audit evidence in mind from day one:
- Request and approval
  - I require a ticket or written request tied to the job role, contract, and CUI scope.
  - I document who approved it and when, even for internal IT requests.
- Create the identity the same way every time
  - I standardize naming, UPN format, and required attributes.
  - If you use hybrid identity, I confirm the source of authority (on-premises AD or Entra ID) and change control, because attributes mastered on-premises can’t be edited in the cloud.
- Assign access through groups, not one-off permissions
  - I map job roles to security groups (and Microsoft 365 groups where needed).
  - When possible, I use group-based app assignments, so removal is clean later.
- Lock down sign-ins before the user ever logs in
  - I enforce MFA via Conditional Access (this needs Entra ID P1; on a tenant without it, Security Defaults is the fallback).
  - I block legacy authentication unless there’s a documented exception, because legacy protocols can’t complete MFA.
  - I restrict access by device state when it’s feasible, because managed devices reduce CUI leakage.
- Control admin privilege with time limits
  - For admin tasks, I prefer just-in-time privilege using PIM when licensing supports it (Entra ID P2 or Entra ID Governance).
  - I keep Global Admin accounts rare, and I separate admin accounts from daily user accounts.
- Validate access the same day
  - I test sign-in, app access, and group membership.
  - I capture a small set of screenshots or exported logs as “day-zero” evidence.
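Here is the provisioning flow above as one runnable script. It is an example added here, not the author’s own tooling, and it uses the Microsoft Graph PowerShell SDK. The ticket id, the role-to-group map and group names, the UPN domain contoso.example, the evidence path, and the Temporary Access Pass step (which assumes the TAP authentication method policy is enabled for the user) are all assumptions, not anything from the original post.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not the author's script): provision one CUI-scoped user in Entra ID with
# the Microsoft Graph PowerShell SDK. Hypothetical values: ticket id, role-to-group map,
# UPN domain and evidence path.
param(
    [Parameter(Mandatory)] [string] $TicketId,     # approval record, e.g. "HR-1042" (hypothetical)
    [Parameter(Mandatory)] [string] $GivenName,
    [Parameter(Mandatory)] [string] $Surname,
    [Parameter(Mandatory)] [string] $JobRole,      # must be a key of $RoleGroups
    [string] $UpnDomain   = "contoso.example",     # hypothetical tenant domain
    [string] $EvidenceDir = "C:\Evidence\Provisioning"
)

# Role -> security groups (hypothetical names). Access is granted only through these
# groups; nothing below assigns an app or directory role directly to the user.
$RoleGroups = @{
    "Engineer-CUI"  = @("SG-CUI-Users", "SG-CUI-Engineering")
    "Contracts-CUI" = @("SG-CUI-Users", "SG-CUI-Contracts")
}
if (-not $RoleGroups.ContainsKey($JobRole)) {
    throw "No group mapping for role '$JobRole'; add it to the role map rather than improvising a direct assignment."
}

$scopes = @(
    "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All",
    "UserAuthenticationMethod.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# Standardized naming: first.last in lower-case ASCII; UPN = mailNickname@domain.
$mailNickname = ("{0}.{1}" -f $GivenName, $Surname).ToLower() -replace '[^a-z0-9.]', ''
$upn = "$mailNickname@$UpnDomain"
if (Get-MgUser -Filter "userPrincipalName eq '$upn'") {
    throw "$upn already exists; check the ticket for a duplicate request."
}

# Random initial password that nobody is told. The user signs in with a one-time
# Temporary Access Pass (below), registers MFA, and is forced to set their own password.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
    -UserPrincipalName $upn -MailNickname $mailNickname -AccountEnabled:$true `
    -JobTitle $JobRole -UsageLocation "US" `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

foreach ($groupName in $RoleGroups[$JobRole]) {
    $group = Get-MgGroup -Filter "displayName eq '$groupName'"
    if (-not $group) { throw "Group '$groupName' not found; fix the group before continuing." }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# One-time Temporary Access Pass; requires the TAP authentication method policy to be
# enabled for this user. It is the only secret the new hire receives, delivered out of band.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -LifetimeInMinutes 120 -IsUsableOnce

# Same-day validation. Directory writes are eventually consistent, so pause before reading back.
Start-Sleep -Seconds 15
$memberOf   = @(Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object { $_.AdditionalProperties['displayName'] })
$missing    = @($RoleGroups[$JobRole] | Where-Object { $_ -notin $memberOf })
# appRoleAssignments on the user object are direct grants only (group-based access is
# recorded on the group), so anything listed here bypasses the role map and must be fixed.
$directApps = @(Get-MgUserAppRoleAssignment -UserId $user.Id -All | ForEach-Object { $_.ResourceDisplayName })

# Day-zero evidence: who, when, which ticket, and what the directory says the user can reach.
$evidence = [ordered]@{
    ticketId             = $TicketId
    provisionedAtUtc     = (Get-Date).ToUniversalTime().ToString('o')
    provisionedBy        = (Get-MgContext).Account
    userId               = $user.Id
    userPrincipalName    = $upn
    jobRole              = $JobRole
    groupsExpected       = $RoleGroups[$JobRole]
    groupsMissing        = $missing
    directAppAssignments = $directApps
    tapLifetimeMinutes   = $tap.LifetimeInMinutes
}
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $EvidenceDir "$TicketId-$mailNickname.json")

if ($missing.Count -gt 0 -or $directApps.Count -gt 0) {
    Write-Warning "Day-zero validation failed for $upn; review the evidence file before handing over the TAP."
    exit 1
}
Write-Host "Provisioned $upn under $TicketId. TAP (deliver out of band, never by email): $($tap.TemporaryAccessPass)"
```

Run it as the delegated admin who is acting on the approved ticket, and file the JSON with the ticket: it records the approver context, the groups that were meant to grant access, and whether any direct app grant slipped in, which is exactly the day-zero evidence an assessor asks for. The script refuses to continue when a role has no group mapping or a group is missing, because the alternative is the “fix it later” direct assignment this section warns about.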
If you’re automating user lifecycle across SaaS apps, don’t guess your way through it. Microsoft’s planning guide is solid and helps reduce drift: automatic user provisioning planning in Entra ID.
From an operations angle, this is where Managed IT for Small Business makes a difference. When I run onboarding as a repeatable service, it stops being stressful, and it becomes measurable. You can also tie provisioning to your IT Strategy for SMBs so access is tied to role design, not personalities.
Deprovisioning checklist in Entra ID (where audits are won or lost)

The offboarding steps I follow to remove access cleanly, created with AI.
Offboarding is where I see the most dangerous gaps, because it involves HR timing, manager follow-through, and sometimes emotion. For CMMC Level 2, I don’t treat offboarding as a “cleanup task.” I treat it like closing and locking a door after someone leaves.
My deprovisioning checklist looks like this:
- Trigger and timing
  - I require an offboarding request (ticket) with an effective date and the reason.
  - If employment ends or a contractor rolls off, I disable access fast (same day when possible, and at the effective time rather than end of day for involuntary departures).
- Immediate access revocation
  - I disable the Entra account first, so no new sign-ins succeed.
  - I revoke active sessions and refresh tokens to cut off existing sign-ins. Access tokens that were already issued keep working until they expire (about an hour by default) unless the app supports Continuous Access Evaluation, which is why the disable can’t wait.
  - I remove the user from security groups and app assignments. Dynamic groups can’t be edited by hand; their membership changes only when the rule stops matching.
- Mailbox, OneDrive, and data handling
  - I convert mailboxes to shared when needed, apply retention, and set delegated access with approval. The conversion happens before the license is removed, so the mailbox isn’t disconnected.
  - I check for shared links and external sharing risk before handing data to a manager.
- Privileged and non-human access
  - I rotate credentials tied to service accounts if a person knew them.
  - I review guest accounts, because B2B access gets forgotten constantly.
- Evidence and review
  - I export or screenshot audit events showing the disable action, group removals, and sign-in blocks.
  - I run an access review cadence for high-risk groups, then I keep the results.
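The revocation and evidence steps above as one script, added here as an example rather than the author’s own tooling. It uses the Microsoft Graph PowerShell SDK (and the ExchangeOnlineManagement module only if you ask it to convert the mailbox). The ticket id, the evidence path, and the one-hour audit lookback are assumptions; the Exchange Online step assumes the admin also holds an Exchange role.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not the author's script): offboard one user in Entra ID in the order that
# matters (disable, revoke, strip access, convert mailbox, export evidence).
# Hypothetical values: ticket id and evidence path.
param(
    [Parameter(Mandatory)] [string] $TicketId,            # offboarding ticket, e.g. "HR-2077" (hypothetical)
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $ConvertMailboxToShared,                      # needs the ExchangeOnlineManagement module
    [string] $EvidenceDir = "C:\Evidence\Deprovisioning"
)

$scopes = @(
    "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All",
    "AppRoleAssignment.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All"
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$startedUtc = (Get-Date).ToUniversalTime()
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, DisplayName, AccountEnabled
$actions = [System.Collections.Generic.List[string]]::new()

# 1. Disable, then revoke. Disable blocks new sign-ins; revocation invalidates refresh tokens
#    so cached sessions die at their next refresh. Access tokens already issued keep working
#    until expiry (about an hour) unless the app supports Continuous Access Evaluation.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$actions.Add("accountDisabled")
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$actions.Add("signInSessionsRevoked")

# 2. Groups and directory roles. Dynamic and on-prem-synced groups reject manual removal;
#    record the failure instead of silently skipping it. PIM eligible assignments are not
#    memberships and are not touched here; remove those in PIM.
foreach ($m in Get-MgUserMemberOf -UserId $user.Id -All) {
    $type = $m.AdditionalProperties['@odata.type']
    $name = $m.AdditionalProperties['displayName']
    try {
        switch ($type) {
            '#microsoft.graph.group' {
                Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id -ErrorAction Stop
                $actions.Add("removedFromGroup:$name")
            }
            '#microsoft.graph.directoryRole' {
                Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $m.Id -DirectoryObjectId $user.Id -ErrorAction Stop
                $actions.Add("removedFromDirectoryRole:$name")
            }
        }
    } catch {
        $actions.Add("FAILED:$name:$($_.Exception.Message)")
    }
}

# 3. Direct app role assignments (group-based ones went away with the groups).
foreach ($a in Get-MgUserAppRoleAssignment -UserId $user.Id -All) {
    Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $a.Id
    $actions.Add("removedAppAssignment:$($a.ResourceDisplayName)")
}

# 4. Mailbox: convert to shared before any license is removed so mail is retained (a shared
#    mailbox under 50 GB needs no license). Delegation is granted separately, with approval.
if ($ConvertMailboxToShared) {
    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    $actions.Add("mailboxConvertedToShared")
}

# 5. Evidence: read the state back and pull the directory audit events that targeted this
#    object. Audit ingestion lags by minutes; re-run the export later if the list looks short.
Start-Sleep -Seconds 60
$after     = Get-MgUser -UserId $user.Id -Property AccountEnabled
$remaining = @(Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object { $_.AdditionalProperties['displayName'] })
$since     = $startedUtc.AddMinutes(-5).ToString('o')
$audit = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.TargetResources.Id -contains $user.Id } |
    ForEach-Object {
        [ordered]@{
            time        = $_.ActivityDateTime.ToString('o')
            activity    = $_.ActivityDisplayName
            result      = [string]$_.Result
            initiatedBy = $_.InitiatedBy.User.UserPrincipalName
        }
    }

$evidence = [ordered]@{
    ticketId             = $TicketId
    userPrincipalName    = $user.UserPrincipalName
    userId               = $user.Id
    performedBy          = (Get-MgContext).Account
    startedUtc           = $startedUtc.ToString('o')
    accountEnabledAfter  = $after.AccountEnabled
    actions              = $actions
    remainingMemberships = $remaining
    auditEvents          = @($audit)
}
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$evidence | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $EvidenceDir "$TicketId-offboard.json")

if ($after.AccountEnabled -or ($actions | Where-Object { $_ -like 'FAILED:*' })) {
    Write-Warning "Offboarding of $UserPrincipalName is incomplete; review the evidence file."
    exit 1
}
# Keep the account disabled rather than deleting it until data handling and retention are
# signed off; a deleted Entra user is recoverable for only 30 days.
```

The order is the point: disabling first means a token that refreshes a second later is refused, and revoking sessions immediately after means the refresh is forced. The evidence file pairs the actions the script took with what Entra’s own audit log recorded, which is the “audit events plus deprovision ticket” row in the evidence map below. Anything that failed (typically a dynamic or synced group) is written to the file rather than hidden, so the ticket can’t be closed with access still in place.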
For background on why lifecycle discipline matters beyond compliance language, this overview is a useful reference: identity lifecycle management concepts.
Here’s the evidence map I keep handy for auditors and internal reviews:
| Lifecycle stage | What I do in Entra ID | Evidence I save |
|---|---|---|
| Request and approval | Ticket, manager approval, role defined | Request record, approval trail |
| Provisioning | Create account, assign groups/apps | Change record, group membership proof |
| Access governance | MFA, Conditional Access, least privilege | Policy screenshots, role assignments |
| Monitoring and review | Audit/sign-in logs, access reviews | Log exports, access review results |
| Deprovisioning | Disable, revoke sessions, remove access | Audit events, deprovision ticket |
Conclusion
CMMC Level 2 doesn’t require perfection on day one, but it does demand control, proof, and repeatable outcomes. When I implement CMMC user provisioning and deprovisioning in Entra ID, I focus on fast approvals, least privilege by default, and offboarding that actually revokes access. That combination protects CUI and supports Business Continuity & Security without slowing the business down. If you want, I can help you turn your current process into something a C3PAO can follow in one sitting.