MCSB AM-1: Asset Management
32 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control AM-1 (Asset Management). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB AM-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. AM-1 sits in the Asset Management domain. Senserva evidences it with the 32 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 32 checks that evidence MCSB AM-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| App Application Disabled By Microsoft Status | Critical | Application has been disabled by Microsoft due to policy violation or abuse detection |
| Sp Service Principal Disabled By Microsoft Status | Critical | Service principal has been disabled by Microsoft due to policy violation or abuse |
| App Application Management Policy Disabled | High | Application management policy exists but is disabled |
| User Has No Login History | High | User has no sign-in history. May be dormant or newly created |
| Device Owned By Disabled User | Medium | Device is owned by a disabled user account. May be orphaned and require re-assignment |
| Device Registered To Disabled User | Medium | Device is registered to a disabled user account. Active device tied to an inactive identity |
| Sp Assigned To Disabled User | Medium | Service principal is assigned to a disabled user account. May indicate an orphaned or misconfigured assignment |
| Sp Service Principal Exchange App | Medium | Service principal has Exchange-related permissions (Mail, Calendar, Contacts). These apps may need Application Access Policies to restrict mailbox scope |
| User Disabled User Has Roles Or Licenses | Medium | Disabled user still has roles or licenses assigned. Should be reclaimed |
| User Enabled User Has Roles | Medium | Enabled user has directory roles assigned |
| User On Premises Last Sync Date Time | Medium | User's on-premises last sync timestamp |
| App No Owners | Low | Application registration has no owners assigned. Orphaned apps lack accountability and may not receive security updates |
| App Service Principal Disabled | Low | The service principal associated with this application is disabled. The app registration exists but its enterprise app instance is not active |
| App Stale | Low | Application registration has not been used recently (stale). Unused apps with credentials represent unnecessary attack surface |
| Device Must Have Owner | Low | Device has no assigned owner Devices should have an accountable owner |
| Device Not Owned | Low | Device has no owner assigned in Entra ID Unowned devices lack accountability |
| Device Not Registered | Low | Device is not registered to any user in Entra ID Unregistered devices lack identity binding |
| Sp Disabled | Low | Service principal account is disabled (AccountEnabled = false) |
| Sp No Owners | Low | Service principal has no owners assigned. Orphaned SPs lack accountability |
| Sp Stale | Low | Service principal has not been used recently (stale). Unused SPs with credentials represent unnecessary attack surface |
| User Disabled Users Last Interactive Login | Low | Disabled user's last interactive sign-in timestamp |
| App Application Management Change | Info | Application management change detected in directory audit logs (successful) |
| App Application Management Policy | Info | Application management policy is configured and enabled |
| Device Is Enabled | Info | Reports whether the device account is enabled or disabled in Entra ID |
| Device Last Signin Date | Info | Device last sign-in date. Reports the approximate last sign-in timestamp per device |
| Device Stale | Info | Device has not signed in within the configured stale threshold (default 90 days). Stale devices may be lost, decommissioned, or unused and should be reviewed |
| Sp Managed Identity | Info | Service principal is a managed identity (system or user-assigned). Tracked for inventory and privilege awareness |
| User Enabled User Has Licenses | Info | Enabled user has licenses assigned. License utilization tracking |
| User Enabled User Has No Roles Or Licenses | Info | Enabled user has no roles or licenses assigned. May be unused or misconfigured |
| User Is Not Enabled | Info | User account is disabled |
| User Last Password Change | Info | User's last password change timestamp |
| User User Last Interactive Login | Info | User's last interactive sign-in timestamp. Activity tracking |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.