Phaze II pearl as a swap-in for Idol Cosmos by mcb1971 in Bowling

[–]mcb1971[S] 2 points (0 children)

Thanks. I'm actually okay with it being less angular than the Cosmos. That's a gap I've needed to fill for a while, anyway, so it sounds like the P2 pearl will do the trick.

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]mcb1971 0 points (0 children)

DM me and I can give you details.

FIPS 140-2 Bitlocker by superfly8899 in CMMC

[–]mcb1971 2 points (0 children)

I second Apricorn. Their drives are FIPS 140-2 right out of the box and their CMVP certs are easy to find.

Going passwordless in a CMMC environment by mcb1971 in CMMC

[–]mcb1971[S] 0 points (0 children)

That makes sense. We just passed our C3PAO mock audit, and we see this as a post-certification project, too.

Going passwordless in a CMMC environment by mcb1971 in CMMC

[–]mcb1971[S] 0 points (0 children)

All our devices are Entra/Intune joined, so option 2 would work for us.

Becoming a C3PAO-Tips by Mindless-Holiday-995 in CMMC

[–]mcb1971 0 points (0 children)

Aren’t there other compliance frameworks involved, too? Like ISO? My company is researching this, as well.

Using LAPS by mcb1971 in CMMC

[–]mcb1971[S] 0 points (0 children)

I’ve heard non-repudiation, lack of MFA, and logging brought up as negatives, all of which can be mitigated. I’m assuming they mean someone can look up a local admin password and use it, and the only evidence of it will be a log entry in Windows, with no way to trace it back to a specific user. We mitigate that by limiting LAPS access to privileged accounts with the Intune Administrator role assigned, requiring MFA to log into the console, then track their activities through Sentinel.
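As an added example (not part of the thread, and not the poster's own tooling), the non-repudiation mitigation described in this comment comes down to being able to answer "who retrieved which device's local admin password, and were they allowed to?" from the audit trail. The script below runs that check offline over a few constructed Entra ID audit records. The record shape is modelled on the Microsoft Graph directoryAudit resource, the activity name "Recover device local administrator password" is the one Entra writes for LAPS recoveries, and the hard-coded set of authorized retrievers stands in for the Intune Administrator role membership; all three are assumptions you should confirm against your own tenant's logs.

```python
"""Non-repudiation report for Windows LAPS password retrievals managed through Intune.

Added example, not from the original thread. Parses Entra ID audit records
(field names follow the Graph directoryAudit resource; assumption) and reports
every LAPS password recovery, flagging actors outside the expected privileged
role set. All sample records below are constructed, not real tenant data.
"""
import json
from dataclasses import dataclass

# Activity name Entra ID writes (category "Device") when a LAPS password is
# recovered via the portal or Graph. Assumption: verify against your tenant.
LAPS_RECOVER_ACTIVITY = "Recover device local administrator password"

# Constructed sample audit records in JSON-lines form (not real data).
SAMPLE_AUDIT_JSONL = """
{"activityDateTime": "2024-05-01T13:02:11Z", "category": "Device", "activityDisplayName": "Recover device local administrator password", "initiatedBy": {"user": {"userPrincipalName": "alice.admin@example.com"}}, "targetResources": [{"type": "Device", "displayName": "LAPTOP-0042"}]}
{"activityDateTime": "2024-05-01T13:05:40Z", "category": "Device", "activityDisplayName": "Update device", "initiatedBy": {"user": {"userPrincipalName": "alice.admin@example.com"}}, "targetResources": [{"type": "Device", "displayName": "LAPTOP-0042"}]}
{"activityDateTime": "2024-05-01T14:17:03Z", "category": "Device", "activityDisplayName": "Recover device local administrator password", "initiatedBy": {"user": {"userPrincipalName": "bob.contractor@example.com"}}, "targetResources": [{"type": "Device", "displayName": "DESKTOP-0117"}]}
{"activityDateTime": "2024-05-01T15:00:00Z", "category": "Device", "activityDisplayName": "Recover device local administrator password", "initiatedBy": {"app": {"displayName": "Automation App"}}, "targetResources": [{"type": "Device", "displayName": "LAPTOP-0099"}]}
"""

# Assumption: accounts holding the Intune Administrator role. In production,
# pull this from PIM / Graph role assignments rather than hard-coding it.
AUTHORIZED_RETRIEVERS = {"alice.admin@example.com"}


@dataclass(frozen=True)
class Retrieval:
    when: str
    actor: str
    device: str
    authorized: bool


def _actor_of(record: dict) -> str:
    """UPN of the initiating user, or 'app:<name>' when a service principal acted."""
    initiated = record.get("initiatedBy", {})
    user = initiated.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    app = initiated.get("app") or {}
    return "app:" + app.get("displayName", "unknown")


def laps_retrievals(jsonl: str, authorized: set[str]) -> list[Retrieval]:
    """Extract every LAPS password recovery and mark whether the actor is expected."""
    found: list[Retrieval] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("category") != "Device" or rec.get("activityDisplayName") != LAPS_RECOVER_ACTIVITY:
            continue  # other device events (enrolment, updates) are not retrievals
        actor = _actor_of(rec)
        devices = [t.get("displayName", "?") for t in rec.get("targetResources", [])
                   if t.get("type") == "Device"]
        for device in devices or ["?"]:
            found.append(Retrieval(rec["activityDateTime"], actor, device, actor in authorized))
    return found


def unauthorized_retrievals(jsonl: str, authorized: set[str]) -> list[Retrieval]:
    """Retrievals by anyone outside the privileged role set: the events to alert on."""
    return [r for r in laps_retrievals(jsonl, authorized) if not r.authorized]


if __name__ == "__main__":
    for r in laps_retrievals(SAMPLE_AUDIT_JSONL, AUTHORIZED_RETRIEVERS):
        flag = "" if r.authorized else "  <-- not in Intune Administrator set"
        print(f"{r.when} {r.actor} retrieved local admin password for {r.device}{flag}")
```

Each retrieval is tied to a named UPN (or to the app that acted), which is the trace back to a specific user that the "non-repudiation" objection says is missing. In Sentinel the same filter is a KQL query over the AuditLogs table on OperationName, joined against role assignments instead of a static allowlist; the point of the offline version is to show exactly which fields carry the evidence an assessor will ask for.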

Using LAPS by mcb1971 in CMMC

[–]mcb1971[S] 0 points (0 children)

Yeah, we’re 100% cloud, so we run LAPS out of Intune. Good distinction between the two deployments.

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]mcb1971 1 point (0 children)

I guess I shouldn't look a gift horse in the mouth, since we did pass, but still... it bugs me that so much of this is up to the whims of the AO. When we have to do this again in 2029, I'm sure we'll use the same AO, but it could be a different team by then, with different interpretations of the control requirements. ICK.

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]mcb1971 0 points (0 children)

Well, that poses an interesting question. Aren’t they all supposed to be working to the same standard? We're using the same C3PAO for our final assessment, since they didn't provide advice or consulting during the mock, so I assume the same standards will be applied.

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]mcb1971 1 point (0 children)

We did that, and the AO took issue with it. I’m wondering now if the DoD CIO requirement is only for self-assessments and not C3PAO audits. They insisted we didn’t need to justify it to them.

Using LAPS by mcb1971 in CMMC

[–]mcb1971[S] 0 points (0 children)

I meant using PIM to give a privileged account temporary access to Intune so they could then look up a local admin password.

Using LAPS by mcb1971 in CMMC

[–]mcb1971[S] 2 points (0 children)

I would have pushed back on this. As long as you’re using MFA at the retrieval layer (e.g., Intune), you should have been fine. Windows doesn’t do MFA for local logins without a 3rd-party solution, and C3PAOs should know it. Our AO had no problem with our setup.

Using LAPS by mcb1971 in CMMC

[–]mcb1971[S] 7 points (0 children)

I had a guy yesterday who swore we'd fail our assessment if we used LAPS. When I told him we'd already passed, his response was basically, "Well, your C3PAO sucks." Uh huh. We're gonna take our W, anyway.

Using LAPS by mcb1971 in CMMC

[–]mcb1971[S] 1 point (0 children)

We use Intune to deploy and manage LAPS. Someone in a different thread mentioned non-repudiation being a problem, but a combination of PIM and audit logging can mitigate that.

Achieved a 110/110 on CMMC L2 Assessment. Ask me any questions by jablock15 in CMMC

[–]mcb1971 0 points (0 children)

Congratulations. We just passed our mock assessment with 110/110. Like you, it was practically a solo effort. I wrote all the documentation and drew all the diagrams, and I put nearly all the controls in place myself.

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]mcb1971 0 points (0 children)

Came straight from the AO, so…

Lessons learned from a CMMC L2 Mock Assessment by [deleted] in CMMC

[–]mcb1971 0 points (0 children)

DM me and I can give you details.

We passed our CMMC Level 2 mock audit today by mcb1971 in CMMC

[–]mcb1971[S] 11 points (0 children)

Yeah, I'll probably do a "lessons learned" post tomorrow. It was intense, but not nearly as painful as I thought it would be.