Controls / MCSB / DP-4

MCSB DP-4: Data Protection

37 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control DP-4 (Data Protection). Each is checked against your tenant, ranked by Severity, with validated remediation.

37 checksData ProtectionTop Severity: High

What MCSB DP-4 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. DP-4 sits in the Data Protection domain. Senserva evidences it with the 37 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 37 checks that evidence MCSB DP-4

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Policy Compliance Bit Locker RequiredHighBitLocker encryption is not required by device compliance policy
Intune Policy Compliance Storage Encryption RequiredHighStorage encryption is not required by device compliance policy
Intune Policy Disk Fixed Drives Encryption TypeHighFixed drive encryption type is not configured in BitLocker policy
Intune Policy Disk Fixed Drives Encryption Type DropdownHighFixed drive encryption type dropdown is not set in BitLocker policy
Intune Policy Disk Fixed Drives Recovery OptionsHighFixed drive recovery options are not configured in BitLocker policy
Intune Policy Disk Fixed Drives Require EncryptionHighFixed drive encryption is not required by BitLocker policy
Intune Policy Disk Property Not FoundHighExpected disk encryption property was not found in the Intune policy configuration
Intune Policy Disk Removable Drives Configure BDEHighRemovable drive BitLocker policy is not configured
Intune Policy Disk Removable Drives Require EncryptionHighRemovable drive encryption is not required by BitLocker policy
Intune Policy Disk Require Device EncryptionHighDevice encryption is not required by BitLocker policy
Intune Policy Disk System Drives Disallow Standard Users Can Change PinHighStandard users are allowed to change BitLocker PIN
Intune Policy Disk System Drives Encryption TypeHighOS drive encryption type is not configured in BitLocker policy
Intune Policy Disk System Drives Encryption Type OS DropdownHighOS drive encryption type dropdown is not set in BitLocker policy
Intune Policy Disk System Drives Minimum Pin LengthHighMinimum PIN length for OS drive is below recommended threshold
Intune Policy Disk System Drives Minimum Pin Length EnabledHighMinimum PIN length is not enabled for OS drive
Intune Policy Disk System Drives Recovery OptionsHighOS drive recovery options are not configured in BitLocker policy
Share Point Anyone Link Expiration Max30 DaysHighSharePoint "Anyone" links expire within 30 days maximum
Share Point Anyone Link Permission View OnlyHighSharePoint "Anyone" link permission is "View Only"
Share Point Default Sharing Permission View OnlyHighSharePoint default sharing permission is "View Only"
Share Point Default Sharing Scope Specific PeopleHighSharePoint default sharing scope is "Specific People"
Share Point External Sharing Limit To Existing Guests Or OrgHighSharePoint external sharing limited to existing guests or org members only
Share Point External Sharing One Drive Limit To Existing Guests Or OrgHighOneDrive external sharing limited to existing guests or org members only
Share Point External Sharing Restrict To Approved Domains Or GroupsHighSharePoint external sharing restricted to approved domains or security groups
Share Point Verification Code Reauth Max30 DaysHighSharePoint verification code re-authentication within 30 days maximum
Intune Policy Disk Configure Recovery Password RotationMediumRecovery password rotation is not configured in BitLocker policy
Intune Policy Disk Encryption Method By Drive TypeMediumEncryption method is not configured by drive type in BitLocker policy
Intune Policy Disk System Drives Enable Pre Boot Pin Exception On DE Capable DeviceMediumPre-boot PIN exception is enabled on InstantGo/Modern Standby devices
Intune Policy Disk System Drives Enhanced PinMediumEnhanced PIN (alphanumeric) is not enabled for OS drive
Intune Policy Disk System Drives Recovery MessageMediumOS drive recovery message is not configured
Storage High One Drive Storage Quota UsedMediumOneDrive storage usage exceeds the high-usage threshold for a user or aggregate
Storage High Share Point Storage Quota UsedMediumSharePoint site storage usage exceeds the high-usage threshold Risk of hitting quota limits which can disrupt collaboration
Intune Policy Disk Allow Warning For Other Disk EncryptionLowWarning for other disk encryption software is allowed
Intune Policy Disk Identification FieldLowBitLocker identification field is not configured
Teams UsageLowUser has no Teams activity (calls, meetings, messages) over the reporting period
Intune Policy Disk System Drives Enable Pre Boot Input Protectors On SlatesInfoPre-boot input protectors are enabled on slates/tablets
Storage One Drive Storage Quota UsedInfoOneDrive storage usage proportion (used vs allocated) per user and aggregate
Storage Share Point Storage Quota UsedInfoSharePoint site storage usage proportion (used vs allocated) Reports per-site and aggregate storage utilization

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB DP-4 (Data Protection) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB DP-4 (Data Protection) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.