[ [ 'control_key' => 'strong_authentication', 'name' => 'Strong authentication', 'domain_key' => 'identity_access', 'subdomain_key' => 'authentication_assurance', 'control_class' => 'preventive', 'summary' => 'Accounts and privileged actions require strong authentication before access is granted.', 'operator_description' => 'Use this control when the governance objective is proving that access depends on multi-factor or similarly strong authentication.', 'detectability_class' => 'indirect_technical', 'evaluation_strategy' => 'signal_inferred', 'evidence_archetypes' => [ 'configuration_snapshot', 'policy_or_assignment_summary', 'execution_result', ], 'artifact_suitability' => [ 'baseline' => true, 'drift' => true, 'finding' => true, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'conditional_access_policy', 'workload' => 'entra', 'signal_keys' => [ 'conditional_access.require_mfa', 'conditional_access.authentication_strength', ], 'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Microsoft conditional access is provider-owned evidence for strong authentication, not the canonical control identity.', ], [ 'subject_family_key' => 'permission_posture', 'workload' => 'entra', 'signal_keys' => [ 'permission_posture.required_graph_permission', ], 'supported_contexts' => ['finding', 'evidence', 'review', 'report'], 'primary' => false, 'notes' => 'Permission posture can support authentication governance when missing permissions block assessment evidence.', ], ], ], [ 'control_key' => 'conditional_access_enforcement', 'name' => 'Conditional access enforcement', 'domain_key' => 'identity_access', 'subdomain_key' => 'access_policy', 'control_class' => 'preventive', 'summary' => 'Access decisions are governed by explicit policy conditions and assignment boundaries.', 'operator_description' => 'Use this control when evaluating whether access is constrained by conditional policies rather than unmanaged default access.', 'detectability_class' => 'direct_technical', 'evaluation_strategy' => 'state_evaluated', 'evidence_archetypes' => [ 'configuration_snapshot', 'policy_or_assignment_summary', ], 'artifact_suitability' => [ 'baseline' => true, 'drift' => true, 'finding' => true, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'conditional_access_policy', 'workload' => 'entra', 'signal_keys' => [ 'conditional_access.policy_state', 'conditional_access.assignment_scope', ], 'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Policy state and assignments are Microsoft-owned signals for the provider-neutral access enforcement objective.', ], ], ], [ 'control_key' => 'privileged_access_governance', 'name' => 'Privileged access governance', 'domain_key' => 'identity_access', 'subdomain_key' => 'privileged_access', 'control_class' => 'preventive', 'summary' => 'Privileged roles are assigned intentionally, reviewed, and limited to accountable identities.', 'operator_description' => 'Use this control when privileged role exposure, ownership, and reviewability are the core governance objective.', 'detectability_class' => 'indirect_technical', 'evaluation_strategy' => 'signal_inferred', 'evidence_archetypes' => [ 'policy_or_assignment_summary', 'execution_result', 'operator_attestation', ], 'artifact_suitability' => [ 'baseline' => false, 'drift' => false, 'finding' => true, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'entra_admin_roles', 'workload' => 'entra', 'signal_keys' => [ 'entra_admin_roles.global_admin_assignment', 'entra_admin_roles.privileged_role_assignment', ], 'supported_contexts' => ['finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Directory role assignment data supports privileged access governance without becoming the control taxonomy.', ], ], ], [ 'control_key' => 'external_sharing_boundaries', 'name' => 'External sharing boundaries', 'domain_key' => 'collaboration_boundary', 'subdomain_key' => 'external_access', 'control_class' => 'preventive', 'summary' => 'External access and sharing are constrained by explicit tenant or workload boundaries.', 'operator_description' => 'Use this control when the product needs to explain whether cross-boundary collaboration is intentionally limited.', 'detectability_class' => 'workflow_attested', 'evaluation_strategy' => 'workflow_confirmed', 'evidence_archetypes' => [ 'configuration_snapshot', 'operator_attestation', 'external_artifact_reference', ], 'artifact_suitability' => [ 'baseline' => false, 'drift' => false, 'finding' => false, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'sharing_boundary', 'workload' => 'microsoft_365', 'signal_keys' => [ 'sharing.external_boundary_attested', ], 'supported_contexts' => ['evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Current release coverage depends on attested configuration evidence rather than direct universal evaluation.', ], ], ], [ 'control_key' => 'endpoint_hardening_compliance', 'name' => 'Endpoint hardening and compliance', 'domain_key' => 'endpoint_security', 'subdomain_key' => 'device_posture', 'control_class' => 'detective', 'summary' => 'Endpoint configuration and compliance policies express the expected device hardening posture.', 'operator_description' => 'Use this control when a finding or review references device configuration, compliance, or hardening drift.', 'detectability_class' => 'direct_technical', 'evaluation_strategy' => 'state_evaluated', 'evidence_archetypes' => [ 'configuration_snapshot', 'policy_or_assignment_summary', 'execution_result', ], 'artifact_suitability' => [ 'baseline' => true, 'drift' => true, 'finding' => true, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'deviceConfiguration', 'workload' => 'intune', 'signal_keys' => [ 'intune.device_configuration_drift', ], 'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Intune device configuration drift is a provider signal for the endpoint hardening control.', ], [ 'subject_family_key' => 'deviceCompliancePolicy', 'workload' => 'intune', 'signal_keys' => [ 'intune.device_compliance_policy', ], 'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Device compliance policy data supports the same endpoint hardening objective.', ], [ 'subject_family_key' => 'drift', 'workload' => 'intune', 'signal_keys' => [ 'finding.drift', ], 'supported_contexts' => ['finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Legacy drift findings without a policy-family discriminator resolve to the broad endpoint hardening objective.', ], ], ], [ 'control_key' => 'audit_log_retention', 'name' => 'Audit log retention', 'domain_key' => 'auditability', 'subdomain_key' => 'retention', 'control_class' => 'detective', 'summary' => 'Administrative and security-relevant activity remains available for investigation for the required retention period.', 'operator_description' => 'Use this control when evidence depends on retained logs or exported audit artifacts rather than live configuration alone.', 'detectability_class' => 'external_evidence_only', 'evaluation_strategy' => 'externally_attested', 'evidence_archetypes' => [ 'external_artifact_reference', 'operator_attestation', ], 'artifact_suitability' => [ 'baseline' => false, 'drift' => false, 'finding' => false, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'audit_log_retention', 'workload' => 'microsoft_365', 'signal_keys' => [ 'audit.retention_attested', ], 'supported_contexts' => ['evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Current evidence is external or attested until a later slice adds direct provider evaluation.', ], ], ], [ 'control_key' => 'delegated_admin_boundaries', 'name' => 'Delegated admin boundaries', 'domain_key' => 'identity_access', 'subdomain_key' => 'delegated_administration', 'control_class' => 'preventive', 'summary' => 'Delegated administration is constrained by explicit role, tenant, and scope boundaries.', 'operator_description' => 'Use this control when evaluating whether delegated administrative access is bounded and reviewable.', 'detectability_class' => 'workflow_attested', 'evaluation_strategy' => 'workflow_confirmed', 'evidence_archetypes' => [ 'policy_or_assignment_summary', 'operator_attestation', ], 'artifact_suitability' => [ 'baseline' => false, 'drift' => false, 'finding' => true, 'exception' => true, 'evidence' => true, 'review' => true, 'report' => true, ], 'historical_status' => 'active', 'microsoft_bindings' => [ [ 'subject_family_key' => 'delegated_admin_relationship', 'workload' => 'microsoft_365', 'signal_keys' => [ 'delegated_admin.relationship_boundary', ], 'supported_contexts' => ['finding', 'evidence', 'review', 'report'], 'primary' => true, 'notes' => 'Delegated admin relationship metadata remains provider-owned and secondary to the platform control.', ], ], ], ], ];