Controls / MCSB / IM-3

MCSB IM-3: Identity Management

55 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-3 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.

55 checksIdentity ManagementTop Severity: Critical

What MCSB IM-3 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-3 sits in the Identity Management domain. Senserva evidences it with the 55 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 55 checks that evidence MCSB IM-3

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
App Application Disabled By Microsoft StatusCriticalApplication has been disabled by Microsoft due to policy violation or abuse detection
Sp Critical Graph PermissionCriticalService principal has been granted critical Graph API permissions that enable privilege escalation (e.g., RoleManagementReadWriteDirectory, ApplicationReadWriteAll)
Sp Secret Non ExpiringCriticalService principal secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised
Sp Service Principal Disabled By Microsoft StatusCriticalService principal has been disabled by Microsoft due to policy violation or abuse
App Application Management Policy DisabledHighApplication management policy exists but is disabled
App Broad Consent ScopeHighApplication has admin consent granted for all users (ConsentType = AllPrincipals). Broad consent means every user is affected if the app is compromised
App Certificate ExpiredHighApplication certificate has expired. The application may lose access or fail authentication
App Certificate Non ExpiringHighApplication certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised
App Secret ExpiredHighApplication secret has expired. The application may lose access or fail authentication
App Secret Non ExpiringHighApplication secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised
Sp Certificate Non ExpiringHighService principal certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised
Sp High Risk PermissionsHighService principal has been granted high-risk Graph API permissions
Sp Secret ExpiredHighService principal secret has expired
Sp Secret Expiring SoonHighService principal secret is expiring within the configured warning threshold
Sp Service Principal App Registration Has A Client SecretHighService principal's corresponding app registration has client secret credentials
Sp Service Principal Has Password CredentialsHighService principal itself has password credentials (secrets) configured directly
Sp Service Principal Member Of Directory RoleHighService principal is a member of one or more directory roles. Service principals with role assignments have elevated tenant access
Sp Service Principal Review API AssignmentHighService principal has API permission assignments that should be reviewed
Sub Service Principal High RoleHighService principal holds a high-privilege role at subscription scope
App Application Password CredentialsMediumApplication registration has password credentials. Reports count and expiration status
App Application Registration Has A Client SecretMediumApplication registration has client secret (password) credentials configured. Secrets are less secure than certificates and should be monitored
App Certificate Expiring SoonMediumApplication certificate is expiring within the configured warning threshold
App Certificate Too Long LivedMediumApplication certificate has a lifetime exceeding the maximum allowed by security policy
App Federated Identity Credential Broad ScopeMediumApplication has a federated identity credential with an overly broad audience or wildcard subject that could allow unintended workloads to authenticate
App High Risk PermissionsMediumApplication has been granted high-risk delegated permissions (e.g., MailReadWrite, DirectoryReadWriteAll). These scopes provide broad access to tenant data
App Insecure Redirect UriMediumApplication has an insecure redirect URI (e.g., HTTP instead of HTTPS, localhost in production, wildcard domains, or deprecated OOB redirect URIs)
App Mgmt No Secret Lifetime RestrictionMediumNo secret lifetime restriction on apps
App Mgmt Policy DisabledMediumApp management policy disabled
App Multi Tenant With High PrivilegesMediumMulti-tenant application with elevated permissions and active credentials. External-facing apps with broad access require extra scrutiny
App Secret Expiring SoonMediumApplication secret is expiring within the configured warning threshold
App Secret Too Long LivedMediumApplication secret has a lifetime exceeding the maximum allowed by security policy. Long-lived secrets increase exposure window if compromised
Saas Gws SCuBA Gws Common Restrict O Auth AppsMediumSCUBA/CISA baseline: Google Workspace OAuth app restrictions
Sp Assigned To Disabled UserMediumService principal is assigned to a disabled user account. May indicate an orphaned or misconfigured assignment
Sp Certificate ExpiredMediumService principal certificate has expired
Sp Certificate Expiring SoonMediumService principal certificate is expiring within the configured warning threshold
Sp Certificate Too Long LivedMediumService principal certificate lifetime exceeds the maximum allowed by security policy
Sp Secret Too Long LivedMediumService principal secret lifetime exceeds the maximum allowed by security policy
Sp Service Principal Exchange AppMediumService principal has Exchange-related permissions (Mail, Calendar, Contacts). These apps may need Application Access Policies to restrict mailbox scope
Sp Service Principal No Verified PublisherMediumService principal does not have a verified publisher but has a publisher name. Third-party apps without verification pose higher trust risk
App Mgmt No Cert Lifetime RestrictionLowNo certificate lifetime restriction on apps
App No CredentialsLowApplication registration has no credentials (no secrets or certificates). May indicate an unused or template-only registration
App No OwnersLowApplication registration has no owners assigned. Orphaned apps lack accountability and may not receive security updates
App No Verified PublisherLowApplication registration does not have a verified publisher. Unverified apps pose a higher trust risk for users granting consent
App Service Principal DisabledLowThe service principal associated with this application is disabled. The app registration exists but its enterprise app instance is not active
App StaleLowApplication registration has not been used recently (stale). Unused apps with credentials represent unnecessary attack surface
Sp DisabledLowService principal account is disabled (AccountEnabled = false)
Sp No OwnersLowService principal has no owners assigned. Orphaned SPs lack accountability
Sp Service Principal No PublisherLowService principal has no publisher information at all
Sp StaleLowService principal has not been used recently (stale). Unused SPs with credentials represent unnecessary attack surface
App Application Has Key CredentialsInfoApplication registration has key (certificate) credentials configured
App Application Management ChangeInfoApplication management change detected in directory audit logs (successful)
App Application Management PolicyInfoApplication management policy is configured and enabled
App Federated Identity CredentialsInfoApplication has federated identity credentials configured. These allow external identity providers to authenticate as this application
Sp Managed IdentityInfoService principal is a managed identity (system or user-assigned). Tracked for inventory and privilege awareness
Sp Service Principal Has Key CredentialsInfoService principal has key (certificate) credentials configured directly

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB IM-3 (Identity Management) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB IM-3 (Identity Management) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.