Identity is where almost every defense contractor we work with should start. It touches more NIST 800-171 requirements than any other area (the Access Control and Identification and Authentication families between them) and it is the surface an attacker hits first. In Microsoft 365 GCC High you configure all of it from the Microsoft Entra admin center.
Enforce MFA for every user (3.5.3)
NIST 800-171 3.5.3 requires multifactor authentication for network access to every account and for local access to privileged accounts, and it is the single highest-impact control you can turn on. In Entra, go to Protection then Conditional Access and create a policy targeting All users and All cloud apps whose Grant control is Require multifactor authentication. Start it in Report-only mode, review the Conditional Access tab on sign-ins in the sign-in log (report-only policies show there what they would have done) to confirm it would not break a service account or a shared-mailbox workflow, then switch it On. Exclude your break-glass accounts (more on those below). Users who have not registered a method are prompted to register at their next interactive sign-in, so announce the change before you enforce it.
Block legacy authentication (3.1.1, 3.5.4)
Legacy protocols such as POP, IMAP, SMTP AUTH and older Office clients cannot perform MFA, so a valid password alone gets in; that is why password spraying and credential stuffing target them. Add a Conditional Access policy targeting All users and All cloud apps that, under Conditions then Client apps, selects only Exchange ActiveSync clients and Other clients (leave Browser and Mobile apps and desktop clients unchecked) with Grant set to Block access. Microsoft has retired Basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per mailbox, so also disable it tenant-wide in Exchange Online PowerShell (Set-TransportConfig -SmtpClientAuthenticationDisabled $true) and re-enable it only on the specific mailboxes that need it.
Add phishing-resistant methods for admins (3.5.3)
Push notifications and one-time codes are phishable: an adversary-in-the-middle proxy relays the user's real login and steals the resulting session, and push fatigue gets the approval tap. GCC High supports FIPS 140-validated, phishing-resistant methods such as Windows Hello for Business, FIDO2 security keys and certificate-based authentication. Enable them under Protection then Authentication methods, then create a Conditional Access policy scoped to your privileged directory roles whose Grant control is Require authentication strength with the built-in Phishing-resistant MFA strength. Register a FIDO2 key or Windows Hello for every affected admin before the policy leaves report-only, or they will be locked out of the roles it protects.
Set the password policy (3.5.7 to 3.5.10)
Enable Entra Password Protection so the global banned-password list and your custom list apply to cloud accounts, and deploy the Password Protection proxy and DC agents in Enforced mode so the same list covers on-prem accounts that sync to Entra. Entra does not expose a configurable minimum length for cloud-only accounts (it requires 8 characters), so a minimum of 14 or more is set in your on-premises AD password policy for synced accounts and written into your password standard for cloud-only ones. Follow current NIST guidance (SP 800-63B) and turn off forced periodic expiration: in the Microsoft 365 admin center under Settings then Org settings then Security & privacy, set passwords to never expire. For 3.5.10, Entra stores only a salted hash of each password, never the plaintext, and every sign-in travels over TLS.
Create break-glass accounts before you tighten anything (3.1.5)
Two cloud-only Global Administrator accounts on the tenant's default .onmicrosoft.com domain, with long random passphrases and excluded from every Conditional Access policy, are your insurance against locking yourself out with a misconfigured policy. Cloud-only on the default domain matters: they must not depend on federation, an on-prem identity provider or the MFA method you are about to mandate. Store the credentials offline in at least two separate secured places, register a FIDO2 key for each account and keep it with the credential, and alert on every sign-in by routing Entra sign-in logs to Log Analytics or Microsoft Sentinel and firing on any entry for those two user principal names. Test a sign-in on a schedule so you know they still work when you need them.
Apply least privilege with PIM (3.1.5 to 3.1.7)
Privileged Identity Management (it needs Entra ID P2, which Microsoft 365 E5 includes) makes admin roles just-in-time instead of standing. Under Identity Governance then Privileged Identity Management then Microsoft Entra roles, make roles like Global Administrator and Exchange Administrator eligible rather than active, and in each role's settings require approval, MFA and a justification to activate, with an activation duration of a few hours at most. Then strip standing admin rights from day-to-day accounts: separate admin accounts hold the eligibilities, and the accounts that read mail hold none. Prefer the narrowest role that does the job, and keep Global Administrator down to a handful of eligible holders.
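Converting one standing role assignment into a PIM eligibility with the Microsoft Graph PowerShell SDK, as an added example that is not code from this article or from Microsoft. The admin UPN and role name are placeholders, and the script assumes PIM (Entra ID P2) is licensed in the tenant. It grants the eligibility first and only then removes the active assignment, so the admin is never without a path to the role, and it reads back the role's activation rule so you can confirm MFA and a justification are required before you rely on it.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and Entra ID P2 (PIM). Assumptions (ours, not the article's): $AdminUpn and $RoleName are
# placeholders for the account and the role whose standing assignment is being converted.
$AdminUpn = 'jdoe-admin@contoso.onmicrosoft.com'
$RoleName = 'Exchange Administrator'

# GCC High lives in the USGov Graph environment (USGovDoD for DoD); the default is commercial.
Connect-MgGraph -Environment USGov -Scopes 'RoleManagement.ReadWrite.Directory',
    'RoleManagementPolicy.Read.Directory', 'User.Read.All'

$user = Get-MgUser -UserId $AdminUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"

# 1. Grant eligibility first. Scope '/' is tenant-wide; the eligibility itself does not expire,
#    but every activation is still bounded by the role's activation duration setting.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = "Convert standing $RoleName assignment to PIM eligibility"
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'noExpiration' }
    }
}

# 2. Only now remove the standing (active) assignment, if there is one.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($active) {
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = 'adminRemove'
        justification    = "Standing $RoleName rights replaced by PIM eligibility"
        roleDefinitionId = $role.Id
        directoryScopeId = '/'
        principalId      = $user.Id
    }
}

# 3. Read the role's PIM activation rule. The SDK returns the base rule type, so the derived
#    type's properties sit in AdditionalProperties; 'enabledRules' should list
#    MultiFactorAuthentication and Justification if the role settings match the article.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$rule = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment'
$enabled = $rule.AdditionalProperties['enabledRules']
if (@('MultiFactorAuthentication', 'Justification') | Where-Object { $_ -notin $enabled }) {
    Write-Warning "Activation of $RoleName does not yet require MFA and a justification; fix it in the role settings."
}
```

Run it once per admin and role pair; the eligibility request and the removal are both auditable PIM requests, which is the evidence an assessor asks for when you claim 3.1.5 is implemented.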
Restrict access to US locations (3.1.3)
Export-controlled CUI (ITAR technical data, for example) may not be released to foreign persons, and many DFARS and contract obligations call for keeping access inside the United States. Define a United States named location under Protection then Named locations (type Countries/Regions, select United States), then add a Conditional Access policy targeting All users and All cloud apps with Conditions then Locations set to Include Any location and Exclude the United States named location, and Grant set to Block access, excluding your break-glass accounts. Country matching uses IP geolocation, so decide deliberately whether sign-ins from addresses that cannot be mapped to a country count as inside the location (the Include unknown countries/regions checkbox), run the policy in report-only first, and have a documented exception path for staff who travel.
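The Conditional Access policies this article walks through, from the all-user MFA rule through the legacy-authentication block, the phishing-resistant requirement for admins and the US-only rule, with the break-glass accounts excluded from each, as one script against the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from Microsoft; the break-glass UPNs, the exclusion group and policy names, and the set of privileged roles are placeholders and assumptions. Every policy is created in report-only mode, so running it changes nothing for users until you flip each state to enabled after reviewing the sign-in log.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an account that can write Conditional Access policies. Assumptions (ours, not the
# article's): the two break-glass accounts already exist under the placeholder UPNs below,
# and the group, policy and role names are our own choices.
$BreakGlassUpns     = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')
$ExclusionGroupName = 'CA-Exclude-BreakGlass'
$PrivilegedRoles    = @('Global Administrator', 'Exchange Administrator', 'Security Administrator')

# GCC High lives in the USGov Graph environment (USGovDoD for DoD); the default is commercial.
Connect-MgGraph -Environment USGov -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'Group.ReadWrite.All', 'User.Read.All', 'RoleManagement.Read.Directory'

# One security group holds the break-glass accounts; every policy below excludes it.
$bgGroup = Get-MgGroup -Filter "displayName eq '$ExclusionGroupName'"
if (-not $bgGroup) {
    $bgGroup = New-MgGroup -DisplayName $ExclusionGroupName -MailEnabled:$false `
        -MailNickname 'ca-exclude-breakglass' -SecurityEnabled
    foreach ($upn in $BreakGlassUpns) {
        $user = Get-MgUser -UserId $upn
        New-MgGroupMember -GroupId $bgGroup.Id -DirectoryObjectId $user.Id
    }
}

function New-ReportOnlyCaPolicy {
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    # Default scope is every user and every cloud app unless the caller narrows it.
    if (-not $Conditions.ContainsKey('users'))        { $Conditions.users = @{ includeUsers = @('All') } }
    if (-not $Conditions.ContainsKey('applications')) { $Conditions.applications = @{ includeApplications = @('All') } }
    $Conditions.users.excludeGroups = @($bgGroup.Id)   # break-glass is never in scope
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # review impact in the sign-in log, then set 'enabled'
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# 3.5.3: MFA for all users on all apps.
New-ReportOnlyCaPolicy -Name 'CA01 Require MFA for all users' -Conditions @{} `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# 3.1.1 / 3.5.4: the two client-app types that carry legacy authentication, blocked outright.
New-ReportOnlyCaPolicy -Name 'CA02 Block legacy authentication' `
    -Conditions @{ clientAppTypes = @('exchangeActiveSync', 'other') } `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }

# 3.5.3 for admins: the built-in phishing-resistant strength, looked up by name rather than
# hard-coding its GUID, applied to directory roles (Conditional Access takes role template IDs).
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'
$roleIds  = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -in $PrivilegedRoles | ForEach-Object Id
New-ReportOnlyCaPolicy -Name 'CA03 Phishing-resistant MFA for privileged roles' `
    -Conditions @{ users = @{ includeRoles = @($roleIds) } } `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }

# 3.1.3: a country named location for the US, then block every location that is not it.
# includeUnknownCountriesAndRegions = $false means an IP that cannot be mapped is NOT 'US'
# and is therefore blocked by CA04; flip it to $true only if you accept those sign-ins.
$us = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'United States'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}
New-ReportOnlyCaPolicy -Name 'CA04 Block sign-in from outside the United States' `
    -Conditions @{ locations = @{ includeLocations = @('All'); excludeLocations = @($us.Id) } } `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }
```

Because the exclusion is applied inside the helper rather than typed into each policy, a policy that forgets the break-glass group cannot be created by this script, which is the mistake that most often locks a tenant out. Keep the script in version control: it doubles as the configuration evidence for the System Security Plan, and re-running Get-MgIdentityConditionalAccessPolicy against it is a cheap drift check.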
A note on what "done" means
Configuring these settings hardens your Microsoft 365 GCC High tenant to the NIST 800-171 technical baseline. It is not a CMMC certification. A C3PAO assesses your System Security Plan and the evidence behind it: assessors examine artifacts, interview staff and test controls, and a tenant setting that nobody has documented or can produce an export or screenshot for does not score. So the configuration above only counts once it is written down with evidence. Our free GCC High Setup Autopilot walks you through every step in order and hands the result to your control set when you move to Readyline Pro.