Controls / MCSB / IM-1

MCSB IM-1: Identity Management

46 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-1 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.

46 checksIdentity ManagementTop Severity: Critical

What MCSB IM-1 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-1 sits in the Identity Management domain. Senserva evidences it with the 46 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 46 checks that evidence MCSB IM-1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Conditional Access Break Glass Account Covered By PolicyCriticalBreak-glass (emergency access) account is not explicitly excluded from one or more enabled Conditional Access policies. The account may be blocked or challenged during an emergency sign-in
User Break Glass Account DisabledCriticalBreak-glass (emergency access) account is disabled. Break-glass accounts must remain enabled for emergency tenant recovery
User Break Glass Account Is Not Highly PrivilegedCriticalBreak-glass account does not have highly privileged roles assigned. Emergency accounts must have Global Admin or equivalent to be effective
User Break Glass Account Last Password ChangeCriticalBreak-glass account last password change timestamp. Passwords on emergency accounts should be changed on a regular schedule per policy
User Break Glass User Not EnabledCriticalBreak-glass account user is not enabled (account exists but is inactive)
Auth Policy Guest Invite UnrestrictedHighGuest invitation policy is set to unrestricted, any user can invite external guests Broadens external access surface.
Auth Policy Msol Not BlockedHighLegacy MSOL PowerShell access is not blocked. MSOL bypasses modern auth controls and CA policies
Auth Policy Users Can Create Security GroupsHighUsers can create security groups without admin approval. Uncontrolled group creation leads to sprawl and unintended access grants
Auth Policy Users Can Register AppsHighUsers are allowed to register applications in the tenant. Overly permissive app registration increases shadow-app risk
MFA MFA For Guest Not FoundHighNo Conditional Access policy requiring MFA for guest users was found. Guest accounts without MFA are vulnerable to credential compromise
No Assigned To PIM Rules In TenantHighNo PIM rules are assigned to roles in the tenant. PIM is not governing privileged role activation
User Break Glass User Has Login HistoryHighBreak-glass account has recent sign-in history. This may be expected for testing or may indicate unauthorized use - requires investigation
User Break Glass User Has No Login HistoryHighBreak-glass account has no sign-in history. Expected for dormant emergency accounts but periodic testing is recommended
User Has No Login HistoryHighUser has no sign-in history. May be dormant or newly created
Agents Agent Identity Blueprint Inheritable PermissionMediumAn AI Agent Identity Blueprint has inheritable permissions configured.
Agents Agent Identity Blueprint Inheritable Permission BlueprintMediumAn AI Agent Identity Blueprint is registered in this tenant.
Agents Agent Identity Blueprint Inheritable Permission IdentityMediumAn AI Agent Identity (service principal) is associated with an Agent Identity Blueprint.
Agents Agent Identity Blueprint Inheritable Permission UserMediumA user account is associated with an AI Agent Identity.
Auth Policy Guest Same As MemberMediumGuest users have the same access as member users. Guests should have restricted default permissions
Auth Policy Users Can Create TenantsMediumUsers can create new Entra ID tenants. Uncontrolled tenant creation enables shadow-IT environments outside organizational governance
Group Creation UnrestrictedMediumM365 group creation unrestricted
MFA Temporary Access Pass Not Once OnlyMediumTemporary Access Pass is configured to allow multiple uses instead of once-only. Multi-use TAPs increase the window of exposure if intercepted
Org Azure Organization Privacy StatementMediumOrganization's privacy statement URL is missing or not configured. A privacy statement is recommended for compliance frameworks (GDPR, etc)
Org Organization Missing Compliance EmailMediumOrganization's security compliance notification email is missing. Microsoft uses this for critical security notifications and breach contact
Org Organization Missing Compliance Phone NumbersMediumOrganization's security compliance notification phone numbers are missing. Microsoft uses these for critical security notifications and breach contact
Org Organization On Premises Sync TimesMediumOrganization's on-premises sync schedule. Reports the configured sync cycle times. Emitted when on-premises sync is enabled
User Disabled User Has Roles Or LicensesMediumDisabled user still has roles or licenses assigned. Should be reclaimed
User Enabled User Has RolesMediumEnabled user has directory roles assigned
User On Premises Last Sync Date TimeMediumUser's on-premises last sync timestamp
Conditional Access Break Glass Account ExcludedLowBreak-glass (emergency access) account is excluded from all enabled Conditional Access policies. Emergency access is preserved
Demo Code Example Threshold Too SmallLowDemo code example: threshold value is too small. Used for testing/demo purposes
Group Guest Access EnabledLowGuest access to M365 groups enabled
Org Organization Missing Technical Contact Phone NumbersLowOrganization's technical contact phone numbers are missing
Org Organization On Premises Last Password Sync Date Time DurationLowDuration since the last on-premises password sync to Entra ID. Long gaps may indicate sync health issues, leaving password changes unsynced
User Disabled Users Last Interactive LoginLowDisabled user's last interactive sign-in timestamp
Device On Premises Sync EnabledInfoDevice has on-premises sync enabled, indicating it is hybrid-joined
Device Stale On Premises Last Sync Date TimeInfoDevice's on-premises last sync timestamp. Long gaps may indicate sync issues
Group Naming Policy MissingInfoNo group naming policy configured
Group Usage Guideline MissingInfoNo group usage guidelines URL configured
Org Organization StateInfoReports the current state of the Entra ID organization (e.g., active, suspended)
Org Organization Verified DomainsInfoLists the verified domains associated with the organization
User Enabled User Has LicensesInfoEnabled user has licenses assigned. License utilization tracking
User Enabled User Has No Roles Or LicensesInfoEnabled user has no roles or licenses assigned. May be unused or misconfigured
User Is Not EnabledInfoUser account is disabled
User Last Password ChangeInfoUser's last password change timestamp
User User Last Interactive LoginInfoUser's last interactive sign-in timestamp. Activity tracking

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB IM-1 (Identity Management) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB IM-1 (Identity Management) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.