MCSB IM-3: Identity Management
55 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-3 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB IM-3 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-3 sits in the Identity Management domain. Senserva evidences it with the 55 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 55 checks that evidence MCSB IM-3
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| App Application Disabled By Microsoft Status | Critical | Application has been disabled by Microsoft due to policy violation or abuse detection |
| Sp Critical Graph Permission | Critical | Service principal has been granted critical Graph API permissions that enable privilege escalation (e.g., RoleManagementReadWriteDirectory, ApplicationReadWriteAll) |
| Sp Secret Non Expiring | Critical | Service principal secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised |
| Sp Service Principal Disabled By Microsoft Status | Critical | Service principal has been disabled by Microsoft due to policy violation or abuse |
| App Application Management Policy Disabled | High | Application management policy exists but is disabled |
| App Broad Consent Scope | High | Application has admin consent granted for all users (ConsentType = AllPrincipals). Broad consent means every user is affected if the app is compromised |
| App Certificate Expired | High | Application certificate has expired. The application may lose access or fail authentication |
| App Certificate Non Expiring | High | Application certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised |
| App Secret Expired | High | Application secret has expired. The application may lose access or fail authentication |
| App Secret Non Expiring | High | Application secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised |
| Sp Certificate Non Expiring | High | Service principal certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised |
| Sp High Risk Permissions | High | Service principal has been granted high-risk Graph API permissions |
| Sp Secret Expired | High | Service principal secret has expired |
| Sp Secret Expiring Soon | High | Service principal secret is expiring within the configured warning threshold |
| Sp Service Principal App Registration Has A Client Secret | High | Service principal's corresponding app registration has client secret credentials |
| Sp Service Principal Has Password Credentials | High | Service principal itself has password credentials (secrets) configured directly |
| Sp Service Principal Member Of Directory Role | High | Service principal is a member of one or more directory roles. Service principals with role assignments have elevated tenant access |
| Sp Service Principal Review API Assignment | High | Service principal has API permission assignments that should be reviewed |
| Sub Service Principal High Role | High | Service principal holds a high-privilege role at subscription scope |
| App Application Password Credentials | Medium | Application registration has password credentials. Reports count and expiration status |
| App Application Registration Has A Client Secret | Medium | Application registration has client secret (password) credentials configured. Secrets are less secure than certificates and should be monitored |
| App Certificate Expiring Soon | Medium | Application certificate is expiring within the configured warning threshold |
| App Certificate Too Long Lived | Medium | Application certificate has a lifetime exceeding the maximum allowed by security policy |
| App Federated Identity Credential Broad Scope | Medium | Application has a federated identity credential with an overly broad audience or wildcard subject that could allow unintended workloads to authenticate |
| App High Risk Permissions | Medium | Application has been granted high-risk delegated permissions (e.g., MailReadWrite, DirectoryReadWriteAll). These scopes provide broad access to tenant data |
| App Insecure Redirect Uri | Medium | Application has an insecure redirect URI (e.g., HTTP instead of HTTPS, localhost in production, wildcard domains, or deprecated OOB redirect URIs) |
| App Mgmt No Secret Lifetime Restriction | Medium | No secret lifetime restriction on apps |
| App Mgmt Policy Disabled | Medium | App management policy disabled |
| App Multi Tenant With High Privileges | Medium | Multi-tenant application with elevated permissions and active credentials. External-facing apps with broad access require extra scrutiny |
| App Secret Expiring Soon | Medium | Application secret is expiring within the configured warning threshold |
| App Secret Too Long Lived | Medium | Application secret has a lifetime exceeding the maximum allowed by security policy. Long-lived secrets increase exposure window if compromised |
| Saas Gws SCuBA Gws Common Restrict O Auth Apps | Medium | SCUBA/CISA baseline: Google Workspace OAuth app restrictions |
| Sp Assigned To Disabled User | Medium | Service principal is assigned to a disabled user account. May indicate an orphaned or misconfigured assignment |
| Sp Certificate Expired | Medium | Service principal certificate has expired |
| Sp Certificate Expiring Soon | Medium | Service principal certificate is expiring within the configured warning threshold |
| Sp Certificate Too Long Lived | Medium | Service principal certificate lifetime exceeds the maximum allowed by security policy |
| Sp Secret Too Long Lived | Medium | Service principal secret lifetime exceeds the maximum allowed by security policy |
| Sp Service Principal Exchange App | Medium | Service principal has Exchange-related permissions (Mail, Calendar, Contacts). These apps may need Application Access Policies to restrict mailbox scope |
| Sp Service Principal No Verified Publisher | Medium | Service principal does not have a verified publisher but has a publisher name. Third-party apps without verification pose higher trust risk |
| App Mgmt No Cert Lifetime Restriction | Low | No certificate lifetime restriction on apps |
| App No Credentials | Low | Application registration has no credentials (no secrets or certificates). May indicate an unused or template-only registration |
| App No Owners | Low | Application registration has no owners assigned. Orphaned apps lack accountability and may not receive security updates |
| App No Verified Publisher | Low | Application registration does not have a verified publisher. Unverified apps pose a higher trust risk for users granting consent |
| App Service Principal Disabled | Low | The service principal associated with this application is disabled. The app registration exists but its enterprise app instance is not active |
| App Stale | Low | Application registration has not been used recently (stale). Unused apps with credentials represent unnecessary attack surface |
| Sp Disabled | Low | Service principal account is disabled (AccountEnabled = false) |
| Sp No Owners | Low | Service principal has no owners assigned. Orphaned SPs lack accountability |
| Sp Service Principal No Publisher | Low | Service principal has no publisher information at all |
| Sp Stale | Low | Service principal has not been used recently (stale). Unused SPs with credentials represent unnecessary attack surface |
| App Application Has Key Credentials | Info | Application registration has key (certificate) credentials configured |
| App Application Management Change | Info | Application management change detected in directory audit logs (successful) |
| App Application Management Policy | Info | Application management policy is configured and enabled |
| App Federated Identity Credentials | Info | Application has federated identity credentials configured. These allow external identity providers to authenticate as this application |
| Sp Managed Identity | Info | Service principal is a managed identity (system or user-assigned). Tracked for inventory and privilege awareness |
| Sp Service Principal Has Key Credentials | Info | Service principal has key (certificate) credentials configured directly |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.