A Practical Windows Server Hardening Checklist for CMMC Level 2
When I review a small contractor’s Windows Server, I usually find the same issue: the server is trusted far more than it should be. If that system stores or supports…
When I assess Microsoft 365 for CMMC Level 2 OAuth risk, OAuth apps are one of the first places I look. A tenant can have strong MFA, good mail hygiene,…
A bad sign-in can undo months of security work. When I review Microsoft 365 tenants that handle CUI, the weak spot is often not MFA itself. It’s the lack of…
A fake CEO email can do more damage than a noisy malware alert. One believable message can trigger wire fraud, credential theft, or a bad file share before anyone slows…
If one stolen password can still open SharePoint or Exchange Online, the identity side of your CMMC story is weak. When I help security teams tighten Microsoft 365 access, I…
A trusted office IP can lower risk, but it can also create false comfort. When I build a CMMC named locations policy in Entra ID, I treat location as one…
When I review a Microsoft 365 tenant for Level 2, I start with one hard truth: if CUI can land on a personal laptop, risk rises fast. SharePoint and OneDrive…
A short code on a screen can turn into a full Microsoft 365 session. That is why device code flow gets so much attention now. When I review Entra ID…
Stale admin access is one of the fastest ways to fail a CMMC credibility check. If I can’t show who has privileged access in Microsoft Entra ID, why they still…
A weak onboarding process can undo a strong security stack in one afternoon. That is why I treat Entra ID temporary access pass setup as a controlled identity process, not…