Controls / MCSB / AM-1

MCSB AM-1: Asset Management

32 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control AM-1 (Asset Management). Each is checked against your tenant, ranked by Severity, with validated remediation.

32 checksAsset ManagementTop Severity: Critical

What MCSB AM-1 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. AM-1 sits in the Asset Management domain. Senserva evidences it with the 32 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 32 checks that evidence MCSB AM-1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
App Application Disabled By Microsoft StatusCriticalApplication has been disabled by Microsoft due to policy violation or abuse detection
Sp Service Principal Disabled By Microsoft StatusCriticalService principal has been disabled by Microsoft due to policy violation or abuse
App Application Management Policy DisabledHighApplication management policy exists but is disabled
User Has No Login HistoryHighUser has no sign-in history. May be dormant or newly created
Device Owned By Disabled UserMediumDevice is owned by a disabled user account. May be orphaned and require re-assignment
Device Registered To Disabled UserMediumDevice is registered to a disabled user account. Active device tied to an inactive identity
Sp Assigned To Disabled UserMediumService principal is assigned to a disabled user account. May indicate an orphaned or misconfigured assignment
Sp Service Principal Exchange AppMediumService principal has Exchange-related permissions (Mail, Calendar, Contacts). These apps may need Application Access Policies to restrict mailbox scope
User Disabled User Has Roles Or LicensesMediumDisabled user still has roles or licenses assigned. Should be reclaimed
User Enabled User Has RolesMediumEnabled user has directory roles assigned
User On Premises Last Sync Date TimeMediumUser's on-premises last sync timestamp
App No OwnersLowApplication registration has no owners assigned. Orphaned apps lack accountability and may not receive security updates
App Service Principal DisabledLowThe service principal associated with this application is disabled. The app registration exists but its enterprise app instance is not active
App StaleLowApplication registration has not been used recently (stale). Unused apps with credentials represent unnecessary attack surface
Device Must Have OwnerLowDevice has no assigned owner Devices should have an accountable owner
Device Not OwnedLowDevice has no owner assigned in Entra ID Unowned devices lack accountability
Device Not RegisteredLowDevice is not registered to any user in Entra ID Unregistered devices lack identity binding
Sp DisabledLowService principal account is disabled (AccountEnabled = false)
Sp No OwnersLowService principal has no owners assigned. Orphaned SPs lack accountability
Sp StaleLowService principal has not been used recently (stale). Unused SPs with credentials represent unnecessary attack surface
User Disabled Users Last Interactive LoginLowDisabled user's last interactive sign-in timestamp
App Application Management ChangeInfoApplication management change detected in directory audit logs (successful)
App Application Management PolicyInfoApplication management policy is configured and enabled
Device Is EnabledInfoReports whether the device account is enabled or disabled in Entra ID
Device Last Signin DateInfoDevice last sign-in date. Reports the approximate last sign-in timestamp per device
Device StaleInfoDevice has not signed in within the configured stale threshold (default 90 days). Stale devices may be lost, decommissioned, or unused and should be reviewed
Sp Managed IdentityInfoService principal is a managed identity (system or user-assigned). Tracked for inventory and privilege awareness
User Enabled User Has LicensesInfoEnabled user has licenses assigned. License utilization tracking
User Enabled User Has No Roles Or LicensesInfoEnabled user has no roles or licenses assigned. May be unused or misconfigured
User Is Not EnabledInfoUser account is disabled
User Last Password ChangeInfoUser's last password change timestamp
User User Last Interactive LoginInfoUser's last interactive sign-in timestamp. Activity tracking

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB AM-1 (Asset Management) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB AM-1 (Asset Management) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.