Compliance / Controls
Microsoft 365 compliance controls, mapped to the checks that evidence them
This is a control-by-control reference for Microsoft 365 compliance. A compliance control is a single requirement a framework asks you to meet, for example "restrict privileged access" or "block legacy authentication." This page lists 87 controls, 35 from the Microsoft Cloud Security Benchmark (MCSB) and 52 from the CISA SCuBA baselines, and maps each one to the exact Senserva security checks that prove it is met in your tenant.
Auditors ask "show me the evidence for this control." Frameworks describe controls in the abstract; they do not tell you which Microsoft 365 settings satisfy them. This reference answers it the other way around: pick a control and see the specific checks that evidence it, each with its Severity and remediation. Search or filter the table below, click any control to open it, or jump to a control page for the full list of checks, the plain-language explanation, an AI prompt, and the authoritative source. It is the granular, per-control companion to the frameworks crosswalk (which sizes each framework as a whole) and the checks catalog (which lists all 672 checks).
MCSB and SCuBA are covered today because every Senserva check already carries its exact MCSB control code and SCuBA policy ID. NIST 800-53 and CMMC control pages are next. Senserva is not an auditor and issues no certifications; it provides the configuration evidence, Severity ranking, and remediation that make an audit defensible.
Click any control for its area, example checks, and links.
| Control | Framework | Area | Checks |
|---|---|---|---|
| AM-1 | MCSB | Asset Management | 32 |
| AM-2 | MCSB | Asset Management | 14 |
| DP-1 | MCSB | Data Protection | 29 |
| DP-2 | MCSB | Data Protection | 16 |
| DP-3 | MCSB | Data Protection | 2 |
| DP-4 | MCSB | Data Protection | 37 |
| DP-6 | MCSB | Data Protection | 6 |
| ES-1 | MCSB | Endpoint Security | 170 |
| ES-2 | MCSB | Endpoint Security | 50 |
| ES-3 | MCSB | Endpoint Security | 61 |
| ES-4 | MCSB | Endpoint Security | 25 |
| ES-5 | MCSB | Endpoint Security | 5 |
| ES-8 | MCSB | Endpoint Security | 9 |
| GS-1 | MCSB | Governance and Strategy | 16 |
| IM-1 | MCSB | Identity Management | 46 |
| IM-3 | MCSB | Identity Management | 55 |
| IM-4 | MCSB | Identity Management | 5 |
| IM-6 | MCSB | Identity Management | 170 |
| IM-7 | MCSB | Identity Management | 42 |
| IM-8 | MCSB | Identity Management | 1 |
| IM-9 | MCSB | Identity Management | 1 |
| IR-1 | MCSB | Incident Response | 12 |
| IR-4 | MCSB | Incident Response | 3 |
| LT-1 | MCSB | Logging and Threat Detection | 69 |
| LT-3 | MCSB | Logging and Threat Detection | 116 |
| LT-4 | MCSB | Logging and Threat Detection | 7 |
| NS-1 | MCSB | Network Security | 25 |
| PA-1 | MCSB | Privileged Access | 73 |
| PA-2 | MCSB | Privileged Access | 10 |
| PA-3 | MCSB | Privileged Access | 1 |
| PA-4 | MCSB | Privileged Access | 11 |
| PA-6 | MCSB | Privileged Access | 2 |
| PA-7 | MCSB | Privileged Access | 48 |
| PV-6 | MCSB | Posture and Vulnerability Management | 52 |
| PV-7 | MCSB | Posture and Vulnerability Management | 3 |
| MS.AAD.1.1v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.2.1v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.2.2v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.2.3v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.3.1v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.3.2v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.3.3v2 | SCuBA | Microsoft Entra ID | 19 |
| MS.AAD.3.4v1 | SCuBA | Microsoft Entra ID | 19 |
| MS.AAD.3.5v1 | SCuBA | Microsoft Entra ID | 19 |
| MS.AAD.4.1v1 | SCuBA | Microsoft Entra ID | 42 |
| MS.AAD.5.1v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.5.2v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.5.3v1 | SCuBA | Microsoft Entra ID | 60 |
| MS.AAD.6.1v1 | SCuBA | Microsoft Entra ID | 41 |
| MS.AAD.7.1v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.AAD.7.2v1 | SCuBA | Microsoft Entra ID | 48 |
| MS.AAD.7.3v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.AAD.7.4v1 | SCuBA | Microsoft Entra ID | 48 |
| MS.AAD.7.5v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.AAD.7.6v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.AAD.7.7v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.AAD.7.8v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.AAD.7.9v1 | SCuBA | Microsoft Entra ID | 47 |
| MS.DEFENDER.1.1v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.1.2v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.1.3v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.1.4v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.1.5v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.2.1v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.2.2v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.2.3v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.3.1v1 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.DEFENDER.4.1v2 | SCuBA | Microsoft Defender for Office 365 | 4 |
| MS.SHAREPOINT.1.1v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.1.2v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.1.3v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.2.1v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.2.2v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.3.1v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.3.2v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.SHAREPOINT.3.3v1 | SCuBA | SharePoint and OneDrive | 9 |
| MS.TEAMS.1.1v1 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.1.2v2 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.1.3v1 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.1.4v1 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.1.5v1 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.1.6v1 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.1.7v2 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.2.1v2 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.2.2v2 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.2.3v2 | SCuBA | Microsoft Teams | 1 |
| MS.TEAMS.4.1v1 | SCuBA | Microsoft Teams | 1 |
Looking for a framework overview instead? The compliance frameworks crosswalk sizes every framework next to the checks that evidence it.