MCSB DP-1: Data Protection
29 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control DP-1 (Data Protection). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB DP-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. DP-1 sits in the Data Protection domain. Senserva evidences it with the 29 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 29 checks that evidence MCSB DP-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Purview Label Mandatory Labeling Disabled | High | Mandatory sensitivity labeling is disabled in the tenant label policy settings. |
| Purview Label None Configured | High | No Microsoft Purview sensitivity labels are configured in this tenant. |
| Share Point Anyone Link Expiration Max30 Days | High | SharePoint "Anyone" links expire within 30 days maximum |
| Share Point Anyone Link Permission View Only | High | SharePoint "Anyone" link permission is "View Only" |
| Share Point Default Sharing Permission View Only | High | SharePoint default sharing permission is "View Only" |
| Share Point Default Sharing Scope Specific People | High | SharePoint default sharing scope is "Specific People" |
| Share Point External Sharing Limit To Existing Guests Or Org | High | SharePoint external sharing limited to existing guests or org members only |
| Share Point External Sharing One Drive Limit To Existing Guests Or Org | High | OneDrive external sharing limited to existing guests or org members only |
| Share Point External Sharing Restrict To Approved Domains Or Groups | High | SharePoint external sharing restricted to approved domains or security groups |
| Share Point Verification Code Reauth Max30 Days | High | SharePoint verification code re-authentication within 30 days maximum |
| Access Guest With Roles | Medium | Guest (external) user has been assigned directory roles in the tenant. Guest accounts with roles expand the attack surface from external identities |
| Access Non Employee With Roles | Medium | Non-employee user (non-member type) has been assigned directory roles |
| Purview Label Manual Only | Medium | All sensitivity labels are configured for manual application only with no automatic or recommended labeling. |
| Purview Label No Assigned Policies | Medium | A sensitivity label is not included in any label policy. |
| Purview Label No Downgrade Justification | Medium | Users can downgrade or remove sensitivity labels without providing a justification. |
| Purview Label No Protection | Medium | A sensitivity label has no protection actions configured. |
| Purview Label No Tenant Default | Medium | No tenant-default sensitivity label is configured. |
| Purview Label Not Endpoint Protected | Medium | A sensitivity label does not have endpoint protection enabled. |
| Purview Label Permission Check Skipped | Medium | Purview sensitivity label checks were skipped because the scanning credential lacks a required directory role. |
| Purview Label Policy Settings Not Configured | Medium | No tenant-wide sensitivity label policy settings are configured. |
| Saas Gws SCuBA Gws Common Restrict External Sharing Defaults | Medium | SCUBA/CISA baseline: Google Workspace external sharing defaults restrictions |
| Storage High Exchange Storage Quota Used | Medium | Exchange mailbox storage usage exceeds the high-usage threshold for a user |
| Storage High One Drive Storage Quota Used | Medium | OneDrive storage usage exceeds the high-usage threshold for a user or aggregate |
| Storage High Share Point Storage Quota Used | Medium | SharePoint site storage usage exceeds the high-usage threshold Risk of hitting quota limits which can disrupt collaboration |
| Purview Label Disabled | Low | A sensitivity label is configured but disabled. |
| Teams Usage | Low | User has no Teams activity (calls, meetings, messages) over the reporting period |
| Storage Exchange Storage Quota Used | Info | Exchange mailbox storage usage proportion (used vs send quota) per user |
| Storage One Drive Storage Quota Used | Info | OneDrive storage usage proportion (used vs allocated) per user and aggregate |
| Storage Share Point Storage Quota Used | Info | SharePoint site storage usage proportion (used vs allocated) Reports per-site and aggregate storage utilization |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.