MCSB IM-1: Identity Management
46 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-1 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB IM-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-1 sits in the Identity Management domain. Senserva evidences it with the 46 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 46 checks that evidence MCSB IM-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Conditional Access Break Glass Account Covered By Policy | Critical | Break-glass (emergency access) account is not explicitly excluded from one or more enabled Conditional Access policies. The account may be blocked or challenged during an emergency sign-in |
| User Break Glass Account Disabled | Critical | Break-glass (emergency access) account is disabled. Break-glass accounts must remain enabled for emergency tenant recovery |
| User Break Glass Account Is Not Highly Privileged | Critical | Break-glass account does not have highly privileged roles assigned. Emergency accounts must have Global Admin or equivalent to be effective |
| User Break Glass Account Last Password Change | Critical | Break-glass account last password change timestamp. Passwords on emergency accounts should be changed on a regular schedule per policy |
| User Break Glass User Not Enabled | Critical | Break-glass account user is not enabled (account exists but is inactive) |
| Auth Policy Guest Invite Unrestricted | High | Guest invitation policy is set to unrestricted, any user can invite external guests Broadens external access surface. |
| Auth Policy Msol Not Blocked | High | Legacy MSOL PowerShell access is not blocked. MSOL bypasses modern auth controls and CA policies |
| Auth Policy Users Can Create Security Groups | High | Users can create security groups without admin approval. Uncontrolled group creation leads to sprawl and unintended access grants |
| Auth Policy Users Can Register Apps | High | Users are allowed to register applications in the tenant. Overly permissive app registration increases shadow-app risk |
| MFA MFA For Guest Not Found | High | No Conditional Access policy requiring MFA for guest users was found. Guest accounts without MFA are vulnerable to credential compromise |
| No Assigned To PIM Rules In Tenant | High | No PIM rules are assigned to roles in the tenant. PIM is not governing privileged role activation |
| User Break Glass User Has Login History | High | Break-glass account has recent sign-in history. This may be expected for testing or may indicate unauthorized use - requires investigation |
| User Break Glass User Has No Login History | High | Break-glass account has no sign-in history. Expected for dormant emergency accounts but periodic testing is recommended |
| User Has No Login History | High | User has no sign-in history. May be dormant or newly created |
| Agents Agent Identity Blueprint Inheritable Permission | Medium | An AI Agent Identity Blueprint has inheritable permissions configured. |
| Agents Agent Identity Blueprint Inheritable Permission Blueprint | Medium | An AI Agent Identity Blueprint is registered in this tenant. |
| Agents Agent Identity Blueprint Inheritable Permission Identity | Medium | An AI Agent Identity (service principal) is associated with an Agent Identity Blueprint. |
| Agents Agent Identity Blueprint Inheritable Permission User | Medium | A user account is associated with an AI Agent Identity. |
| Auth Policy Guest Same As Member | Medium | Guest users have the same access as member users. Guests should have restricted default permissions |
| Auth Policy Users Can Create Tenants | Medium | Users can create new Entra ID tenants. Uncontrolled tenant creation enables shadow-IT environments outside organizational governance |
| Group Creation Unrestricted | Medium | M365 group creation unrestricted |
| MFA Temporary Access Pass Not Once Only | Medium | Temporary Access Pass is configured to allow multiple uses instead of once-only. Multi-use TAPs increase the window of exposure if intercepted |
| Org Azure Organization Privacy Statement | Medium | Organization's privacy statement URL is missing or not configured. A privacy statement is recommended for compliance frameworks (GDPR, etc) |
| Org Organization Missing Compliance Email | Medium | Organization's security compliance notification email is missing. Microsoft uses this for critical security notifications and breach contact |
| Org Organization Missing Compliance Phone Numbers | Medium | Organization's security compliance notification phone numbers are missing. Microsoft uses these for critical security notifications and breach contact |
| Org Organization On Premises Sync Times | Medium | Organization's on-premises sync schedule. Reports the configured sync cycle times. Emitted when on-premises sync is enabled |
| User Disabled User Has Roles Or Licenses | Medium | Disabled user still has roles or licenses assigned. Should be reclaimed |
| User Enabled User Has Roles | Medium | Enabled user has directory roles assigned |
| User On Premises Last Sync Date Time | Medium | User's on-premises last sync timestamp |
| Conditional Access Break Glass Account Excluded | Low | Break-glass (emergency access) account is excluded from all enabled Conditional Access policies. Emergency access is preserved |
| Demo Code Example Threshold Too Small | Low | Demo code example: threshold value is too small. Used for testing/demo purposes |
| Group Guest Access Enabled | Low | Guest access to M365 groups enabled |
| Org Organization Missing Technical Contact Phone Numbers | Low | Organization's technical contact phone numbers are missing |
| Org Organization On Premises Last Password Sync Date Time Duration | Low | Duration since the last on-premises password sync to Entra ID. Long gaps may indicate sync health issues, leaving password changes unsynced |
| User Disabled Users Last Interactive Login | Low | Disabled user's last interactive sign-in timestamp |
| Device On Premises Sync Enabled | Info | Device has on-premises sync enabled, indicating it is hybrid-joined |
| Device Stale On Premises Last Sync Date Time | Info | Device's on-premises last sync timestamp. Long gaps may indicate sync issues |
| Group Naming Policy Missing | Info | No group naming policy configured |
| Group Usage Guideline Missing | Info | No group usage guidelines URL configured |
| Org Organization State | Info | Reports the current state of the Entra ID organization (e.g., active, suspended) |
| Org Organization Verified Domains | Info | Lists the verified domains associated with the organization |
| User Enabled User Has Licenses | Info | Enabled user has licenses assigned. License utilization tracking |
| User Enabled User Has No Roles Or Licenses | Info | Enabled user has no roles or licenses assigned. May be unused or misconfigured |
| User Is Not Enabled | Info | User account is disabled |
| User Last Password Change | Info | User's last password change timestamp |
| User User Last Interactive Login | Info | User's last interactive sign-in timestamp. Activity tracking |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.