Security checks / Check reference

Microsoft 365 security checks, by domain

672 checks across 28 domains, each with its own page: what it verifies, why it matters, how to fix it, and the compliance frameworks it evidences.

Authentication methods (42)

Auth User Not MFA RegisteredAuth Microsoft Authenticator Authentication Method In U...Auth Password Authentication Method In Use But Not Allo...Auth Passwordless Microsoft Authenticator Authenticatio...Auth Require Passwordless But Its Not Used By UserAuth Software Oath Authentication Method In Use But Not...Auth Suspicious Activity Settings Not EnabledAuth System Preferred Authentication Method Required Bu...Auth Temporary Access Pass Authentication Method In Use...Auth Temporary Access Pass Lifetime Too LongAuth Unallowed Authentication Methods EnabledAuth User Email Authentication Method In Use But Not Al...Auth User FIDO2 Attestation Not Enforced By UserAuth User Invalid Default Method Type By UserAuth User No Default MFA Method Found By UserAuth User No Strong Authentication Method By UserAuth User Not MFA CapableAuth User Sms Sign In State Is Not Ready By UserAuth User System Preferred Authentication Method Is Not...Auth User Unallowed User Default Authentication Method ...Auth Windows Hello Key Strength Normal Not Set By UserAuth Allowed Authentication Methods DisabledAuth Authentication Method Excluded User TargetAuth FIDO2 Authentication Method In Use But Not Allowed...Auth FIDO2 Key Restrictions Not EnforcedAuth FIDO2 Passwordless Enabled But Not GovernedAuth No Default MFA Method Found By UserAuth Phone Authentication Method In Use But Not Allowed...Auth Platform Credential Authentication Method In Use B...Auth Registration Enforcement Campaign Not ConfiguredAuth System Credential Preferences Not EnabledAuth User Hardware Oath Authentication Method In Use Bu...Auth User Recommended User Default Authentication Metho...Auth User Windows Hello For Business Authentication Met...Auth Authentication Method Included User Target Registr...Auth Group Authentication Method Excluded Group TargetAuth Group Authentication Method Included Group Target ...Auth MFA FIDO2 Self Service Registration Not AllowedAuth MFA Software Oath Not EnabledAuth Suspicious Activity Settings No TargetAuth Authentication Method Included User Target Registr...Auth Group Authentication Method Included Group Target ...

Conditional Access (60)

Conditional Access Admin Portal Missing MFAConditional Access Break Glass Account Covered By PolicyConditional Access Group Critical Coverage GapConditional Access MFA Policy BypassedConditional Access User Critical Coverage GapConditional Access Block Legacy Exchange Active Sync No...Conditional Access Block Requested PlatformsConditional Access Browser O365 Missing MFAConditional Access Enforces Block Unknown Device Not FoundConditional Access Enforces MFA For High And Medium Ris...Conditional Access Enforces Password For High Risk User...Conditional Access Enforces Risk Levels Not FoundConditional Access Group High Coverage GapConditional Access Password Change BypassedConditional Access Policy Included Location Has Unwante...Conditional Access Require Block From Untrusted Countri...Conditional Access Require Block Legacy Other Not FoundConditional Access Untrusted Location Missing MFAConditional Access User High Coverage GapConditional Access User Logged In Without Conditional A...Conditional Access Critical Coverage GapConditional Access Device Code Flow Not BlockedConditional Access Enforces MFA For All Users Not FoundConditional Access Enforces Risk Levels Both Signin And...Conditional Access Graph API Missing MFAConditional Access Group Coverage GapConditional Access Group With Policy ExclusionsConditional Access High Coverage GapConditional Access High Risk Sign In Not ProtectedConditional Access Mobile App Missing ProtectionConditional Access Policy Covers Device Code Flow Not F...Conditional Access Policy Device Excluded By FilterConditional Access Require Block Legacy Other FoundConditional Access Risky User Not ProtectedConditional Access User Coverage GapConditional Access User Rule Applies In What If Read OnlyConditional Access User Rule Does Not Apply In What IfConditional Access What If Missing Legacy App PolicyConditional Access Break Glass Account ExcludedConditional Access Coverage GapConditional Access Device Compliance BypassedConditional Access Es Device Sign In Not Time Based Non...Conditional Access Policy Not EnforcedConditional Access Unmanaged Device Not ProtectedConditional Access Block Legacy Exchange Active Sync FoundConditional Access Enforces Block Unknown DeviceConditional Access Enforces MFA For All UsersConditional Access Enforces MFA For High And Medium Ris...Conditional Access Enforces Password For High Risk UsersConditional Access Enforces Risk LevelsConditional Access Es Device Not Persistent Browser For...Conditional Access Es Device Signin Timebased For Non C...Conditional Access Loc Entra Location DataConditional Access MFA For Guest FoundConditional Access Permission Check SkippedConditional Access Policy Blocks All But Allowed CountriesConditional Access Policy ChangeConditional Access Policy Device Included By FilterConditional Access Policy Only Allows Approved CountriesConditional Access User Rule Applies In What If

Devices & compliance (48)

Intune Device Missing KEV PatchIntune Device Vulnerability KEVDevice Endpoint Detection And ResponseDevice Has Outdated Android Operating SystemDevice Has Outdated IOS Operating SystemDevice Has Outdated Mac OS Operating SystemDevice Has Outdated Windows Operating SystemDevice Privileged User Non CompliantIntune Device Defender Recommendation CriticalIntune Device Malware Protection DisabledIntune Device Missing Critical PatchIntune Device Out Of SupportIntune Device Real Time Protection DisabledIntune Device Vulnerability CriticalIntune Device Vulnerable Software CriticalDevice Health Check FailedDevice Intune Permission Check SkippedDevice Must Be CompliantDevice Must Be ManagedDevice Not Registered But Is Logging InDevice Owned By Disabled UserDevice Policy That Covers Device Code Flow Not FoundDevice Registered To Disabled UserDevice Sign In Not Time Based Non Compliant DevicesEntra Device Not In Defender CoverageEntra Device OS Version LagIntune Device Defender Recommendation ActiveIntune Device Malware Signature Out Of DateIntune Device Missing High PatchIntune Device Non CompliantIntune Device OS Version LagIntune Device Vulnerability HighIntune Device Vulnerable SoftwareDevice Has Unallowed Extension AttributesDevice Is RootedDevice Must Be Owned By CompanyDevice Must Have OwnerDevice Not OwnedDevice Not RegisteredDevice Required Enrollment TypeDevice ChangeDevice Compliance Expiration Date TimeDevice Is EnabledDevice Last Signin DateDevice On Premises Sync EnabledDevice StaleDevice Stale On Premises Last Sync Date TimeDevice Trust Type

Intune configuration (172)

Intune Policy Autopatch CVE Gap KEVIntune Policy Antivirus Behavior MonitoringIntune Policy Antivirus Cloud ProtectionIntune Policy Antivirus Property Not FoundIntune Policy Antivirus Real Time ProtectionIntune Policy Antivirus Removable Drive ScanningIntune Policy Antivirus Script ScanningIntune Policy App Control Audit ModeIntune Policy App Control Build OptionsIntune Policy Attack Surface Reduction Block Abuse Of V...Intune Policy Attack Surface Reduction Block Credential...Intune Policy Attack Surface Reduction Block Downloadin...Intune Policy Attack Surface Reduction Block Executable...Intune Policy Attack Surface Reduction Block Js Vb Laun...Intune Policy Attack Surface Reduction Block Obfuscated...Intune Policy Attack Surface Reduction Block Office App...Intune Policy Attack Surface Reduction Block Office App...Intune Policy Attack Surface Reduction Block Office App...Intune Policy Attack Surface Reduction Block Persistenc...Intune Policy Attack Surface Reduction Block Process Cr...Intune Policy Attack Surface Reduction Block Ransomware...Intune Policy Attack Surface Reduction Block Untrusted ...Intune Policy Attack Surface Reduction Block Use Of Cop...Intune Policy Attack Surface Reduction Block Web Shell ...Intune Policy Attack Surface Reduction Block Win32 API ...Intune Policy Attack Surface Reduction Controlled Folde...Intune Policy Autopatch CVE Gap CriticalIntune Policy Autopatch Deployment No MembersIntune Policy Autopatch Deployment Not HealthyIntune Policy Autopatch Deployment Reboot Delay LongIntune Policy Autopatch Deployments NoneIntune Policy Autopatch Updatable Asset Group Not EnrolledIntune Policy Autopatch Updatable Assets NoneIntune Policy Compliance Active Firewall RequiredIntune Policy Compliance Anti Spyware RequiredIntune Policy Compliance Any Antivirus RequiredIntune Policy Compliance Bit Locker RequiredIntune Policy Compliance Code Integrity EnabledIntune Policy Compliance Device Health Attestation Requ...Intune Policy Compliance Early Launch Anti Malware EnabledIntune Policy Compliance Firmware Protection EnabledIntune Policy Compliance Idle Lock Timeout MinutesIntune Policy Compliance Kernel Dma Protection EnabledIntune Policy Compliance Mde Integration RequiredIntune Policy Compliance Mde Threat Level AllowedIntune Policy Compliance Memory Integrity EnabledIntune Policy Compliance Microsoft Defender Antivirus R...Intune Policy Compliance Microsoft Defender Minimum Ver...Intune Policy Compliance Microsoft Defender Real Time P...Intune Policy Compliance Microsoft Defender Signature M...Intune Policy Compliance Minimum OS VersionIntune Policy Compliance Password Block SimpleIntune Policy Compliance Password Minimum LengthIntune Policy Compliance Password RequiredIntune Policy Compliance Password Required To Unlock Fr...Intune Policy Compliance Password Required TypeIntune Policy Compliance Secure Boot RequiredIntune Policy Compliance Storage Encryption RequiredIntune Policy Compliance Tpm RequiredIntune Policy Compliance Vbs EnabledIntune Policy Disk Fixed Drives Encryption TypeIntune Policy Disk Fixed Drives Encryption Type DropdownIntune Policy Disk Fixed Drives Recovery OptionsIntune Policy Disk Fixed Drives Require EncryptionIntune Policy Disk Property Not FoundIntune Policy Disk Removable Drives Configure BDEIntune Policy Disk Removable Drives Require EncryptionIntune Policy Disk Require Device EncryptionIntune Policy Disk System Drives Disallow Standard User...Intune Policy Disk System Drives Encryption TypeIntune Policy Disk System Drives Encryption Type OS Dro...Intune Policy Disk System Drives Minimum Pin LengthIntune Policy Disk System Drives Minimum Pin Length Ena...Intune Policy Disk System Drives Recovery OptionsIntune Policy Firewall Domain Network Default Inbound A...Intune Policy Firewall Domain Network EnablementIntune Policy Firewall Private Network Default Inbound ...Intune Policy Firewall Private Network EnablementIntune Policy Firewall Public Network Default Inbound A...Intune Policy Firewall Public Network Disabled Inbound ...Intune Policy Firewall Public Network EnablementIntune Policy Firewall Public Network IP Sec MergeIntune Policy Firewall Public Network Local Policy MergeIntune Policy Firewall Public Network Log Dropped PacketsIntune Policy Update Driver Auto ApprovalIntune Policy Update Driver No DeferralIntune Policy Update Driver Profile MissingIntune Policy Update Driver Profile UnassignedIntune Policy Update Driver Sync FailedIntune Policy Update Feature No Gradual RolloutIntune Policy Update Feature Profile MissingIntune Policy Update Feature Profile UnassignedIntune Policy Update Feature Rollout Deadline MissingIntune Policy Update Feature Version Not SetIntune Policy Update Feature Version OutdatedIntune Policy Update Profile Assignment Empty GroupIntune Policy Update Quality Expedited MissingIntune Policy Update Quality Profile MissingIntune Policy Update Quality Profile UnassignedIntune Policy Update Quality Reboot Delay LongIntune Policy Update Ring Feature No DeferralIntune Policy Update Ring Feature PausedIntune Policy Update Ring MissingIntune Policy Update Ring Quality No DeferralIntune Policy Update Ring Quality PausedIntune Policy Update Ring UnassignedIntune Policy Win32 App Install FailuresIntune Policy Windows Security Experience Tamper Protec...Intune Policy Antivirus Archive ScanningIntune Policy Antivirus Email ScanningIntune Policy Antivirus IOAV ScanningIntune Policy Antivirus Network ScanningIntune Policy App Control Property Not FoundIntune Policy App Control Trust Apps From Managed Insta...Intune Policy App Control Trust Apps With Good ReputationIntune Policy Attack Surface Reduction Block Adobe Read...Intune Policy Attack Surface Reduction Block Executable...Intune Policy Attack Surface Reduction Block Office Com...Intune Policy Attack Surface Reduction Block Rebooting ...Intune Policy Attack Surface Reduction Block Unsigned O...Intune Policy Attack Surface Reduction Block Untrusted ...Intune Policy Attack Surface Reduction Block Use Of Cre...Intune Policy Attack Surface Reduction Property Not FoundIntune Policy Autopatch CVE Gap HighIntune Policy Compliance Configuration Manager Complian...Intune Policy Compliance Password Expiration DaysIntune Policy Compliance Password Minimum Character SetsIntune Policy Disk Configure Recovery Password RotationIntune Policy Disk Encryption Method By Drive TypeIntune Policy Disk System Drives Enable Pre Boot Pin Ex...Intune Policy Disk System Drives Enhanced PinIntune Policy Disk System Drives Recovery MessageIntune Policy Firewall Domain Network Disabled Inbound ...Intune Policy Firewall Domain Network Log Dropped PacketsIntune Policy Firewall Private Network Log Dropped PacketsIntune Policy Firewall Property Not FoundIntune Policy Update Profile Assignment MismatchIntune Policy Win32 App UnassignedIntune Policy Win32 Apps NoneIntune Policy Windows Security Experience Disable Tpm F...Intune Policy Windows Security Experience Hide Ransomwa...Intune Policy Windows Security Experience Property Not ...Intune Policy Antivirus PUA ProtectionIntune Policy Antivirus Sample SubmissionIntune Policy Autopatch Catalog UnavailableIntune Policy Compliance Allowed Wsl DistributionsIntune Policy Compliance Maximum OS VersionIntune Policy Compliance Password History CountIntune Policy Disk Allow Warning For Other Disk EncryptionIntune Policy Disk Identification FieldIntune Policy Firewall Private Network Disabled Inbound...Intune Policy Windows Security Experience Disable Enhan...Intune Policy Windows Security Experience Hide Windows ...Intune Policy Compliance Custom Compliance Script EnabledIntune Policy Compliance Valid OS Build RangesIntune Policy Disk System Drives Enable Pre Boot Input ...Intune Policy Firewall Domain Network Log Max File SizeIntune Policy Firewall Domain Network Log Successful Co...Intune Policy Firewall Private Network Log Max File SizeIntune Policy Firewall Private Network Log Successful C...Intune Policy Firewall Public Network Log Max File SizeIntune Policy Firewall Public Network Log Successful Co...Intune Policy Windows Security Experience Disable Accou...Intune Policy Windows Security Experience Disable App B...Intune Policy Windows Security Experience Disable Clear...Intune Policy Windows Security Experience Disable Devic...Intune Policy Windows Security Experience Disable Famil...Intune Policy Windows Security Experience Disable Healt...Intune Policy Windows Security Experience Disable Netwo...Intune Policy Windows Security Experience Disable Virus UiIntune Policy Windows Security Experience Enable Custom...Intune Policy Windows Security Experience Enable In App...

Teams & collaboration (1)

Sponsored by Senserva

Siemserva by Senserva runs this check, MFA for all users for example, across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Optional AI Enhanced Reporting: plain-language summaries and recommended next steps written into your reports
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Compliance Status Report
MFA for all users across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
CHECKSEVERITYSTATUSFINDINGS
MFA for all usersCriticalFAILING23
MFA for all usersCritical-11
Legacy authentication blockedHigh-6
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
See this check's evidence trail, click to play

How findings become audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance and audit guide, and the full checks catalog.
Data notice: check definitions describe what Siemserva verifies and are provided as is, for informational purposes only, without warranty of any kind. Framework mappings are informational and do not constitute compliance advice; confirm requirements with your assessor. All use of this data is subject to the Senserva EULA.