Requirement
AC.L2-3.1.6 – Use non-privileged accounts or roles when accessing nonsecurity functions.
This control comes from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.
Understanding the Requirement
This control requires you to explicitly distinguish routine, nonsecurity tasks (email, documents, collaboration) from privileged or security tasks (system changes, user management), and to ensure that users, especially administrators, perform nonsecurity work using non-privileged accounts. Non-privileged accounts cannot alter system settings or manage other users, which limits the damage if a credential is compromised. Practically, this means identifying which functions are nonsecurity, providing separate accounts or roles for admin staff, and enforcing that daily activities occur with non-privileged accounts only.
Policies and Procedures Needed
Document a least-privilege policy that defines nonsecurity functions and mandates separate admin and standard user accounts for staff with elevated duties. Include onboarding/offboarding steps to issue two identities to admins, naming conventions (e.g., jdoe for standard, jdoe-admin for privileged), and role assignment approval. Define procedures for service accounts, emergency break-glass accounts, device authorization (managed/compliant devices only), and periodic access reviews of privileged roles. Require stronger authentication for privileged accounts and prohibit their use for email, chat, or general productivity. Record attestation steps and logging/monitoring expectations.
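The policy above is only enforceable if someone periodically checks the directory against it. The following script is an added example (not part of the original article and not a Microsoft tool) that audits a constructed directory export against three policy rules: privileged roles belong only on accounts using the `-admin` naming convention, every `-admin` account has a paired standard account, and role assignments are PIM-eligible rather than permanently active. The export format (a list of users with `upn` and `roles`) is an assumption; in practice you would build it from your own role-assignment export.

```python
"""Audit a directory export against the two-identity / naming-convention policy.

Added example: the export shape is an assumption, not a Microsoft Graph schema.
"""

ADMIN_SUFFIX = "-admin"

# Constructed sample export. Each role entry is (role name, assignment state),
# where "eligible" means PIM-eligible and "active" means standing privilege.
USERS = [
    {"upn": "jdoe@example.com", "roles": []},
    {"upn": "jdoe-admin@example.com", "roles": [("Global Administrator", "eligible")]},
    # Privileged role on a standard-named account (violates naming/separation rule)
    {"upn": "asmith@example.com", "roles": [("Exchange Administrator", "active")]},
    # Admin-named account with no paired standard account and a standing assignment
    {"upn": "tnguyen-admin@example.com", "roles": [("User Administrator", "active")]},
    {"upn": "svc-backup@example.com", "roles": []},
]


def audit(users, admin_suffix=ADMIN_SUFFIX):
    """Return a list of (upn, finding) tuples for every policy violation found."""
    by_local = {u["upn"].split("@", 1)[0]: u for u in users}
    findings = []
    for local, user in by_local.items():
        is_admin_named = local.endswith(admin_suffix)

        # Rule 1: roles may only be assigned to accounts following the -admin convention
        if user["roles"] and not is_admin_named:
            findings.append((user["upn"], "privileged role assigned to a non-admin-named account"))

        # Rule 2: every -admin identity must pair with a standard identity for daily work
        if is_admin_named:
            base = local[: -len(admin_suffix)]
            if base not in by_local:
                findings.append((user["upn"], "no paired standard account"))

        # Rule 3: assignments should be PIM-eligible, not permanently active
        for role, state in user["roles"]:
            if state != "eligible":
                findings.append((user["upn"], f"{role} is permanently active; should be PIM-eligible"))
    return findings


def accounts_with_findings(users):
    """Distinct UPNs that need remediation, handy for routing to the IT lead."""
    return sorted({upn for upn, _ in audit(users)})


if __name__ == "__main__":
    for upn, finding in audit(USERS):
        print(f"{upn}: {finding}")
```

Run it against a fresh export before each access review; an empty result means the directory matches the documented policy, and any line it prints is a concrete remediation item.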
Technical Implementation in Microsoft 365
- Create separate standard and privileged identities in Entra ID (Azure AD). Provision all administrators with two accounts: a standard user for daily work and a privileged account for admin tasks. Assign admin roles only to the privileged account, ideally via role-assignable groups. Use a clear naming convention (e.g., -admin suffix) and document ownership, purpose, and approval for each privileged assignment.
- Enforce just-in-time admin with Privileged Identity Management (PIM) in Entra ID. Make all privileged roles "eligible," not "active," and require activation with approval, MFA, and a time limit. Configure role settings to require a business justification and ticket number, and to send notifications on activation. This minimizes standing privilege and supports auditability.
- Apply Conditional Access to restrict how privileged accounts can sign in. Target privileged roles or the admin-account group with policies that require compliant devices, MFA with a strong authentication strength (e.g., FIDO2), and location/device risk conditions. Add a policy to block privileged accounts from accessing non-admin cloud apps like Exchange Online and Teams to prevent day-to-day use. Require sign-in frequency controls and reauthentication for sensitive sessions.
- Use Intune to remove local admin rights and enforce compliant devices. Deploy policies that remove users from local Administrators on Windows devices (LocalUsersAndGroups) and enforce device compliance (disk encryption, secure boot, OS version). This ensures routine work is performed without local administrative rights and that admin activities occur only from hardened, managed endpoints.
- Schedule Access Reviews for privileged roles. Use Entra ID Access Reviews to run monthly or quarterly attestations of membership in privileged roles and role-assignable groups. Route reviews to the resource owner or security lead and require explicit keep/remove decisions. Automatically remove access if reviewers don't respond to minimize privilege creep.
- Monitor with Identity Protection and Audit Logs. Enable Identity Protection policies to block or require password reset for high-risk sign-ins, especially for privileged accounts. Regularly review Entra ID Audit and Sign-in logs for privileged role activations, administrative actions, and sign-in anomalies. Establish a weekly operational review and retain logs per your policy.
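The weekly sign-in log review described in the last step is easy to script. The example below is added here and is not part of the original article or any Microsoft tool; it reads constructed sign-in records in JSON-lines form and flags the conditions the Conditional Access, Intune and Identity Protection steps are meant to prevent: an `-admin` account signing into a nonsecurity app, a privileged sign-in without MFA, a privileged sign-in from a non-compliant device, and a privileged sign-in that Identity Protection scored as risky. It also notes sign-ins that Conditional Access blocked, which confirm the policies are doing their job. Field names follow the shape of Entra ID sign-in records (`userPrincipalName`, `appDisplayName`, `status.errorCode`, `deviceDetail.isCompliant`, `riskLevelDuringSignIn`, `authenticationRequirement`) but the sample values and the app names in `NONSECURITY_APPS` are assumptions to tune to your tenant.

```python
"""Weekly review of privileged-account sign-ins (added example, constructed data).

Input: JSON-lines export of sign-in records. Only accounts following the
-admin naming convention are examined; standard accounts are out of scope here.
"""
import json

ADMIN_SUFFIX = "-admin"
# Apps that a privileged account should never use (assumed display names; adjust per tenant)
NONSECURITY_APPS = {"Office 365 Exchange Online", "Microsoft Teams"}
RISKY_LEVELS = {"medium", "high"}

# Constructed sample log, one record per line.
SIGNIN_LOG = """
{"userPrincipalName":"jdoe-admin@example.com","appDisplayName":"Azure Portal","status":{"errorCode":0},"conditionalAccessStatus":"success","authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"isCompliant":true},"riskLevelDuringSignIn":"none"}
{"userPrincipalName":"jdoe-admin@example.com","appDisplayName":"Microsoft Teams","status":{"errorCode":0},"conditionalAccessStatus":"notApplied","authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"isCompliant":true},"riskLevelDuringSignIn":"none"}
{"userPrincipalName":"mlopez-admin@example.com","appDisplayName":"Azure Portal","status":{"errorCode":0},"conditionalAccessStatus":"notApplied","authenticationRequirement":"singleFactorAuthentication","deviceDetail":{"isCompliant":true},"riskLevelDuringSignIn":"none"}
{"userPrincipalName":"mlopez-admin@example.com","appDisplayName":"Azure Portal","status":{"errorCode":53000},"conditionalAccessStatus":"failure","authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"isCompliant":false},"riskLevelDuringSignIn":"none"}
{"userPrincipalName":"jdoe@example.com","appDisplayName":"Microsoft Teams","status":{"errorCode":0},"conditionalAccessStatus":"notApplied","authenticationRequirement":"singleFactorAuthentication","deviceDetail":{"isCompliant":true},"riskLevelDuringSignIn":"none"}
{"userPrincipalName":"mlopez-admin@example.com","appDisplayName":"Azure Portal","status":{"errorCode":0},"conditionalAccessStatus":"success","authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"isCompliant":true},"riskLevelDuringSignIn":"high"}
"""


def is_privileged_account(upn, suffix=ADMIN_SUFFIX):
    """True when the UPN's local part follows the -admin naming convention."""
    return upn.split("@", 1)[0].endswith(suffix)


def review(log_lines):
    """Return (upn, category, app) findings for privileged-account sign-ins."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        upn = rec["userPrincipalName"]
        if not is_privileged_account(upn):
            continue
        app = rec["appDisplayName"]

        # Failed sign-ins: record Conditional Access blocks as evidence the guardrail worked
        if rec["status"]["errorCode"] != 0:
            if rec.get("conditionalAccessStatus") == "failure":
                findings.append((upn, "blocked_by_conditional_access", app))
            continue

        # Successful privileged sign-ins: check each policy expectation
        if app in NONSECURITY_APPS:
            findings.append((upn, "privileged_account_used_nonsecurity_app", app))
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings.append((upn, "privileged_signin_without_mfa", app))
        if not rec["deviceDetail"]["isCompliant"]:
            findings.append((upn, "privileged_signin_from_noncompliant_device", app))
        if rec.get("riskLevelDuringSignIn") in RISKY_LEVELS:
            findings.append((upn, "risky_privileged_signin", app))
    return findings


def summarize(findings):
    """Count findings per category for the weekly review report."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(SIGNIN_LOG.splitlines())
    for upn, category, app in results:
        print(f"{category:45} {upn} -> {app}")
    print(summarize(results))
```

A successful `privileged_account_used_nonsecurity_app` finding is the most telling one: it means the Conditional Access block on Exchange Online and Teams either is not scoped to that account or is not in effect, so the policy gap, not just the user, needs fixing.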
Example in a Small or Medium Business
BrightWave Manufacturing (85 employees) has two IT administrators. Each admin receives a standard account (e.g., mlopez) for daily work and a privileged account (mlopez-admin) used only for admin tasks. The IT lead assigns all admin roles to the -admin accounts and makes them eligible via Entra ID PIM, requiring approval, MFA, a 2-hour time limit, and a ticket number for activation. Conditional Access policies force -admin accounts to use phishing-resistant MFA and a compliant device, and block those accounts from Exchange Online and Teams. Intune removes users from local Administrators and enforces device compliance policies across the fleet. Monthly Access Reviews prompt the IT lead to confirm who still needs roles. Identity Protection flags risky sign-ins, and Audit Logs are checked weekly. Admins now handle email and documents with their standard accounts and only elevate when necessary, satisfying the control.
Summary
By defining nonsecurity functions, issuing separate standard and privileged accounts, and enforcing strong technical guardrails, SMBs can ensure daily work happens with non-privileged access. Entra ID PIM minimizes standing privilege, Conditional Access constrains when and how admin accounts are used, Intune enforces endpoint hardening, Access Reviews prevent privilege drift, and Identity Protection plus Audit Logs provide oversight. Together, these policy and Microsoft 365 controls meet AC.L2-3.1.6 and materially reduce the impact of credential compromise.