
How to Configure Identity Management for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V: Implementing User and Device Identification with Azure AD and AD

Practical step-by-step guidance to implement user and device identification for FAR 52.204-21 / CMMC 2.0 Level 1 using Azure AD and on-premises Active Directory.

April 15, 2026
4 min read


This post provides practical, actionable guidance to implement IA.L1-B.1.V — user and device identification — mapped to FAR 52.204-21 and CMMC 2.0 Level 1 using Azure AD and on-premises Active Directory (AD), with specific steps, commands, and small-business scenarios to help you meet compliance requirements.

What the requirement means in practice

IA.L1-B.1.V expects organizations to uniquely identify users and devices that access Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and to maintain records tying actions to those identities. For small businesses this means no shared generic accounts for interactive access, robust naming and lifecycle controls for user and device accounts, and the ability to demonstrate who/what accessed systems during an audit or incident investigation.

Implementation approach with Azure AD and AD

User identity configuration (AD and Azure AD)

Start by standardizing user identities and the mapping between AD and Azure AD: enforce a unique sAMAccountName and UPN for every user, and use UPN suffixes that match a domain verified in Azure AD. Create new users in AD with a documented naming convention (e.g., firstname.lastname@company.mil or firstinitiallastname@company.com) and sync them to Azure AD with Azure AD Connect. Example on-prem AD PowerShell user creation (the -ChangePasswordAtLogon switch forces the user to replace the initial password at first sign-in, so the person who created the account never holds a usable credential for it):

    New-ADUser -Name "Jane Smith" -SamAccountName jsmith -UserPrincipalName jsmith@contoso.com -Path "OU=Users,DC=contoso,DC=com" -AccountPassword (ConvertTo-SecureString 'InitialP@ssw0rd' -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true

After synchronization, validate the user in Azure AD:

    Connect-AzureAD
    Get-AzureADUser -ObjectId jsmith@contoso.com

Document that each interactive account is unique, and restrict or formally approve any service/shared accounts with compensating controls and monitoring.

Device identification and enrollment

For devices, implement Azure AD Join for cloud-only endpoints and Hybrid Azure AD Join for domain-joined endpoints so each device has a distinct Azure AD device object. Use Azure AD Connect to enable Hybrid Azure AD Join (configure Device options and enable device writeback if you need to manage device objects on-prem). On a Windows device, verify join state with dsregcmd /status; confirm the AzureADJoined / DomainJoined / DeviceId fields are populated. For automated provisioning and consistent device identity, use Autopilot + Azure AD Join or Group Policy to auto-register domain-joined devices (Computer Configuration → Administrative Templates → Windows Components → Device Registration → Register domain-joined computers as devices).

Technical controls, policy enforcement, and telemetry

After identities exist, enforce identification through policy: restrict who can join devices to Azure AD (Azure AD > Devices > Device settings), require device registration for access to sensitive resources via Conditional Access (e.g., require "Device is Hybrid Azure AD joined" or "Device is marked compliant" for access to Exchange Online/SharePoint), and enable sign-in and audit logs. Example Conditional Access flow: create a policy named "Require device identity for contractor access" targeting the contractor user group and the cloud apps (Exchange Online, SharePoint), and grant access only if the device is marked compliant. Collect logs into Azure Monitor or export them to a SIEM; use the Sign-ins report (Azure AD) and the device reports (Azure AD > Devices > All devices) as evidence for auditors. Regularly enumerate joined devices (Get-AzureADDevice returns only the first page by default, so pass -All $true for a complete inventory):

    Get-AzureADDevice -All $true | Where-Object { $null -ne $_.DeviceTrustType } | Select-Object DisplayName, DeviceId, DeviceTrustType, IsCompliant

and use the Azure AD sign-in logs to map UserPrincipalName → DeviceID → IP address for session attribution.
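As an added example (not code from the original post), the attribution step above run over a constructed Azure AD sign-in log export in the Microsoft Graph signIn JSON shape: each successful sign-in is mapped to user → device → IP, and sessions with no device identity, a non-compliant device, or a legacy shared account are flagged for follow-up. The SHARED_ACCOUNT_NAMES set and all device IDs are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the Microsoft Graph signIn resource shape (the JSON that
# Azure AD > Sign-in logs > Download produces); not data from a real tenant.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-04-15T13:02:11Z", "userPrincipalName": "jsmith@contoso.com", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "device-guid-0001", "displayName": "LT-JSMITH-01",
                                                                                  "trustType": "Hybrid Azure AD joined", "isCompliant": True}},
    {"createdDateTime": "2026-04-15T18:40:03Z", "userPrincipalName": "jsmith@contoso.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "", "displayName": "",
                                                                                  "trustType": "", "isCompliant": None}},
    {"createdDateTime": "2026-04-15T09:15:44Z", "userPrincipalName": "office@contoso.com", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "device-guid-0002", "displayName": "DESKTOP-FRONT",
                                                                                  "trustType": "Azure AD registered", "isCompliant": False}},
    {"createdDateTime": "2026-04-15T09:16:02Z", "userPrincipalName": "bkim@contoso.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "192.0.2.55", "status": {"errorCode": 50126}, "deviceDetail": {"deviceId": "device-guid-0003", "displayName": "LT-BKIM-01",
                                                                                    "trustType": "Azure AD joined", "isCompliant": True}},
])

# Hypothetical local-parts of legacy shared accounts that must no longer sign in interactively.
SHARED_ACCOUNT_NAMES = {"office", "admin", "reception"}

def attribute_sessions(signins_json):
    """Map each successful sign-in to (user, device, IP) and flag identification gaps."""
    rows = []
    for rec in json.loads(signins_json):
        if (rec.get("status") or {}).get("errorCode", 0) != 0:
            continue  # a failed attempt is not a session; review those separately
        dev = rec.get("deviceDetail") or {}
        upn = rec["userPrincipalName"]
        findings = []
        if not dev.get("deviceId"):
            findings.append("no-device-identity")    # no Azure AD device object: action cannot be tied to a device
        elif dev.get("isCompliant") is not True:
            findings.append("device-not-compliant")  # registered, but outside the Intune compliance policy
        if upn.split("@")[0].lower() in SHARED_ACCOUNT_NAMES:
            findings.append("shared-account")        # action cannot be tied to one person
        rows.append({"time": rec["createdDateTime"], "user": upn, "device_id": dev.get("deviceId") or None,
                     "device_name": dev.get("displayName") or None, "trust": dev.get("trustType") or None,
                     "ip": rec.get("ipAddress"), "app": rec.get("appDisplayName"), "findings": findings})
    return rows

def devices_per_user(rows):
    """Evidence view for auditors: the device identities each user signed in from (None = unregistered)."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["device_id"])
    return {u: sorted(d, key=str) for u, d in seen.items()}
```

Point the script at a real downloaded export instead of SAMPLE_SIGNINS and keep the resulting rows with the device inventory as compliance artifacts.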

Risk of not implementing proper identification

Failing to uniquely identify users and devices increases the risk of unauthorized access, lateral movement, and inability to investigate incidents — consequences include data exfiltration, contract penalties, and suspension from federal contracting. For small businesses, shared accounts or unmanaged guest devices are the most common weaknesses: they lead to ambiguous audit trails and make it impossible to attribute actions, which violates FAR 52.204-21 clauses and CMMC evidence requirements.

Small-business scenarios and practical best practices

Scenario 1: A 25-person contractor company maintaining CUI on laptops — implement Azure AD Join for all new laptops, enroll in Microsoft Intune, create a compliance policy (require BitLocker, password complexity), and use Conditional Access to require compliant devices for Office 365. Scenario 2: A small office with an on-prem file server — use Hybrid Azure AD Join for domain-joined desktops, enable device writeback so Azure AD knows about on-prem devices, and disable shared "office" accounts; instead create role-based AD groups (e.g., FileServer_ReadOnly) and assign unique user accounts. Best practices: document naming conventions and device lifecycle (enroll → manage → retire), disable accounts after 30 days of inactivity, require approvals for join permissions, and keep an auditable record (screenshots, export CSVs) showing device registration and sign-ins for compliance artifacts.

Compliance tips and quick checklist

Checklist: 1) Inventory current accounts and devices; 2) Adopt a user/device naming policy; 3) Deploy Azure AD Connect with Hybrid Azure AD Join where needed; 4) Enroll endpoints in Intune or another MDM; 5) Configure Conditional Access to require device identity/compliance for sensitive apps; 6) Enable and retain Azure AD sign-in and audit logs for at least 90 days (or per contract); 7) Remove/disable shared interactive accounts and document approved service accounts. Additional tips: use automation (PowerShell/Graph) to produce periodic reports for auditors, and put identification procedures into your System Security Plan and POA&M so gaps are tracked and remediated.

In summary, satisfying IA.L1-B.1.V for FAR 52.204-21 / CMMC 2.0 Level 1 is a matter of ensuring every human and device has a unique, documented identity and that you can demonstrate that mapping via logs and device records; for most small businesses the fastest path is to standardize identity creation in AD, sync with Azure AD using Azure AD Connect, enable Azure AD/Hybrid Join and MDM enrollment, and use Conditional Access and logging to enforce and prove compliance.
