Controls / MCSB / IM-6

MCSB IM-6: Identity Management

170 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-6 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.

170 checksIdentity ManagementTop Severity: Critical

What MCSB IM-6 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-6 sits in the Identity Management domain. Senserva evidences it with the 170 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 170 checks that evidence MCSB IM-6

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
At Risk With High RiskCriticalUser currently at risk with a high risk level assessment. Immediate investigation recommended
Auth User Not MFA RegisteredCriticalUser is not registered for any MFA method. Cannot complete MFA challenges
Conditional Access Admin Portal Missing MFACriticalAdmin portal access lacks MFA for privileged users. Detected via What-If per user
Conditional Access Group Critical Coverage GapCriticalGroup has no Conditional Access policy coverage (critical). The group is excluded from all applicable CA policies with no alternative coverage
Conditional Access MFA Policy BypassedCriticalMFA policy exists but sign-ins succeeded without MFA. Detected by sign-in replay vs What-If
Conditional Access User Critical Coverage GapCriticalUser has no Conditional Access MFA coverage (critical). This user is excluded from all applicable MFA policies with no alternative coverage
Log Legacy Auth ProtocolCriticalSign-in used a legacy authentication protocol that bypasses modern auth and MFA
Risk Detection Anomalous TokenCriticalAnomalous token usage detected Token properties or usage patterns do not match expected behavior.
Risk Detection Leaked CredentialsCriticalLeaked credentials detected. Credentials for this user were found exposed publicly
Risk Detection Malicious IP AddressCriticalSign-in from a known malicious IP address.
Risk Detection Token Issuer AnomalyCriticalToken issuer anomaly detected The token was issued by an unexpected or suspicious authority.
Security Defaults Disabled No Conditional AccessCriticalSecurity defaults are disabled and no Conditional Access policies are configured. The tenant has no enforced MFA baseline
User High Risk UserCriticalUser flagged as high risk by Entra ID Protection. Immediate investigation required
Admin Enforces Compliant Device For Admins Not FoundHighNo Conditional Access policy was found requiring compliant devices for admin roles Admins should only operate from managed, compliant endpoints
Admin Enforces MFA For Admins Not FoundHighNo Conditional Access policy was found that enforces MFA specifically for admin roles Admins are high-value targets and must always require MFA
Admin Maester Device Compliance For AdminsHighMaester framework check: device compliance policy for administrators
At Risk SigninHighSign-in was flagged as at-risk by Entra ID Protection
At Risk With Low RiskHighUser currently at risk with a low risk level assessment
Auth Microsoft Authenticator Authentication Method In Use But Not Allowed By UserHighUser is using Microsoft Authenticator but it is not allowed by the security baseline
Auth Password Authentication Method In Use But Not Allowed By Senserva Security ManagerHighUser is using password authentication method but it is not allowed by the security baseline
Auth Passwordless Microsoft Authenticator Authentication Method In Use But Not Allowed By UserHighUser is using passwordless Microsoft Authenticator but it is not allowed by the security baseline
Auth Require Passwordless But Its Not Used By UserHighPolicy requires passwordless authentication but the user is not using it
Auth Software Oath Authentication Method In Use But Not Allowed By UserHighUser is using software OATH token but it is not allowed by the security baseline
Auth Suspicious Activity Settings Not EnabledHighSuspicious activity (fraud reporting) settings are not enabled in the authentication methods policy. Users cannot report unauthorized MFA prompts
Auth System Preferred Authentication Method Required But Not Set By UserHighSystem-preferred authentication method is required but not set for this user
Auth Temporary Access Pass Authentication Method In Use But Not Allowed By UserHighUser is using Temporary Access Pass but it is not allowed by the security baseline
Auth Temporary Access Pass Lifetime Too LongHighTemporary Access Pass maximum lifetime exceeds the recommended threshold
Auth Unallowed Authentication Methods EnabledHighAuthentication methods that are not allowed by the security baseline are currently enabled
Auth User Email Authentication Method In Use But Not Allowed By UserHighUser is using email authentication but it is not allowed by security baseline
Auth User FIDO2 Attestation Not Enforced By UserHighFIDO2 attestation is not enforced. Without attestation, the origin and integrity of security keys cannot be verified
Auth User Invalid Default Method Type By UserHighUser's default MFA method type is invalid or unrecognized
Auth User No Default MFA Method Found By UserHighUser has no default MFA method configured
Auth User No Strong Authentication Method By UserHighUser has no strong authentication method registered (no FIDO2, Windows Hello, Authenticator, or platform credential)
Auth User Not MFA CapableHighUser is not MFA-capable (no registered methods that satisfy MFA)
Auth User Sms Sign In State Is Not Ready By UserHighUser's SMS sign-in state is provisioned
Auth User System Preferred Authentication Method Is Not Enabled By UserHighSystem-preferred authentication method is not enabled for this user
Auth User Unallowed User Default Authentication Method Type Is Used By UserHighUser's default authentication method type is disallowed by security baseline
Auth Windows Hello Key Strength Normal Not Set By UserHighWindows Hello key strength is set to Normal instead of the recommended higher strength
Conditional Access Block Legacy Exchange Active Sync Not FoundHighNo Conditional Access policy blocks legacy Exchange ActiveSync authentication for all users. EAS is a common vector for credential-based attacks since it bypasses modern auth
Conditional Access Block Requested PlatformsHighA CA policy blocks a device platform listed in the security baseline's blocked set
Conditional Access Browser O365 Missing MFAHighBrowser access to O365 not protected by MFA for this user. Detected via What-If
Conditional Access Enforces Block Unknown Device Not FoundHighNo CA policy blocks unknown/unsupported device platforms
Conditional Access Enforces MFA For High And Medium Risk Users Not FoundHighNo CA policy enforces MFA for high and medium risk users
Conditional Access Enforces Password For High Risk Users Not FoundHighNo CA policy enforces password change for high-risk users
Conditional Access Enforces Risk Levels Not FoundHighNo CA policy references sign-in or user risk levels. Risk-based CA is missing
Conditional Access Group High Coverage GapHighGroup has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this group
Conditional Access Password Change BypassedHighPassword-change grant control bypassed in actual sign-ins. Detected by sign-in replay
Conditional Access Policy Included Location Has Unwanted CountryHighA CA policy's included location list contains a country flagged as unwanted
Conditional Access Require Block From Untrusted Countries For All UsersHighA CA policy includes an untrusted named location and applies to all users/apps, blocking untrusted countries
Conditional Access Require Block Legacy Other Not FoundHighNo Conditional Access policy blocks legacy "Other" client app type. Older protocols like MAPI, SMTP, POP, and IMAP remain open
Conditional Access Untrusted Location Missing MFAHighPrivileged user access from untrusted locations not protected by MFA. Detected via What-If
Conditional Access User High Coverage GapHighUser has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this user
Conditional Access User Logged In Without Conditional Access PolicyHighUser has sign-in activity but no Conditional Access policies were applied to any of their sign-ins. Indicates the user is signing in completely outside CA policy coverage
High Risk Detection DataHighHigh-risk detection data record from Entra ID Protection
Intune Policy Compliance Idle Lock Timeout MinutesHighIdle lock timeout is too long or not enforced by compliance policy
Intune Policy Compliance Password Block SimpleHighSimple passwords are not blocked by device compliance policy
Intune Policy Compliance Password Minimum LengthHighMinimum password length is not enforced by device compliance policy
Intune Policy Compliance Password RequiredHighPassword is not required by device compliance policy
Intune Policy Compliance Password Required To Unlock From IdleHighPassword is not required to unlock device from idle state
Intune Policy Compliance Password Required TypeHighRequired password type is not enforced by device compliance policy
Low Risk Detection DataHighLow-risk detection data record from Entra ID Protection
Medium Risk Detection DataHighMedium-risk detection data record from Entra ID Protection
MFA MFA For Guest Not FoundHighNo Conditional Access policy requiring MFA for guest users was found. Guest accounts without MFA are vulnerable to credential compromise
No Assigned To PIM Rules In TenantHighNo PIM rules are assigned to roles in the tenant. PIM is not governing privileged role activation
Old At Risk With High RiskHighUser was previously at risk with a high risk level (historical)
Password Protection Banned Check DisabledHighEntra ID password protection custom banned-password check is disabled. Common and organization-specific weak passwords are not blocked
Password Protection Lockout Duration Too ShortHighSmart lockout duration is shorter than organizational minimum. Short lockouts allow rapid retry cycles
Password Protection Not EnforcedHighPassword protection mode is not set to Enforced. In Audit mode, weak passwords are logged but not blocked
Risk Detection Anonymized IP AddressHighSign-in from an anonymized IP address (VPN, Tor, or proxy)
Risk Detection Suspicious IP AddressHighSign-in from a suspicious IP address flagged by threat intelligence
Risk Level During SigninHighRisk level recorded during a user sign-in event
Security Defaults Enabled With Conditional AccessHighSecurity defaults and Conditional Access policies are both active. Security defaults can conflict with CA policies and cause unexpected behavior
User Login Device Must Be CompliantHighUser sign-in from a device that is not compliant
User Login Device Must Be ManagedHighUser sign-in from a device that is not managed by Intune
User Login Outdated Windows Operating SystemHighUser sign-in from a Windows device with an outdated OS
User Low Risk UserHighUser flagged as low risk by Entra ID Protection
User Signin With Single Factor AuthenticationHighUser signed in with single-factor authentication (no MFA)
User With Policy ExclusionsHighUser is excluded from one or more Conditional Access policies
At Risk With Medium RiskMediumUser currently at risk with a medium risk level assessment
Auth Allowed Authentication Methods DisabledMediumAuthentication methods that are required by the security baseline are currently disabled
Auth Authentication Method Excluded User TargetMediumAuthentication method policy has excluded user targets. These users are exempt from the method policy, which may create coverage gaps
Auth FIDO2 Authentication Method In Use But Not Allowed By UserMediumUser is using FIDO2 authentication but it is not allowed by security baseline
Auth FIDO2 Key Restrictions Not EnforcedMediumFIDO2 key restrictions are not enforced Any security key can be registered regardless of make or model
Auth FIDO2 Passwordless Enabled But Not GovernedMediumFIDO2 passwordless authentication is enabled but lacks governance controls (no key restrictions or attestation)
Auth No Default MFA Method Found By UserMediumUser has no default MFA method configured. They may fall back to weaker methods
Auth Phone Authentication Method In Use But Not Allowed By UserMediumUser is using phone (SMS/voice) authentication but it is not allowed by the security baseline. SMS is susceptible to SIM-swap attacks
Auth Platform Credential Authentication Method In Use But Not Allowed By UserMediumUser is using platform credential authentication but it is not allowed by the security baseline
Auth Registration Enforcement Campaign Not ConfiguredMediumAuthentication methods registration enforcement campaign is not configured
Auth System Credential Preferences Not EnabledMediumSystem-preferred credential preferences are not enabled in the authentication methods policy. Without system preference, users may choose weaker authentication methods
Auth User Hardware Oath Authentication Method In Use But Not Allowed By UserMediumUser is using hardware OATH token but it is not allowed by security baseline
Auth User Recommended User Default Authentication Method Type Not Used By UserMediumUser is not using the recommended default authentication method type
Auth User Windows Hello For Business Authentication Method In Use But Not Allowed By UserMediumUser is using Windows Hello for Business but it is not allowed by security baseline
Conditional Access Critical Coverage GapMediumTenant-wide coverage matrix found a critical coverage gap. Core scenario has no policy
Conditional Access Device Code Flow Not BlockedMediumDevice code flow not blocked for privileged users. Detected via What-If
Conditional Access Enforces MFA For All Users Not FoundMediumNo Conditional Access policy was found that enforces MFA for all users across all applications. Indicates a fundamental gap in tenant-wide MFA coverage
Conditional Access Enforces Risk Levels Both Signin And User Risk In Same PolicyMediumA single CA policy includes both sign-in risk and user risk. Microsoft recommends separating these
Conditional Access Graph API Missing MFAMediumPrivileged user Graph API access not protected by MFA. Detected via What-If
Conditional Access Group Coverage GapMediumGroup has a Conditional Access coverage gap. A CA scenario does not cover this group
Conditional Access Group With Policy ExclusionsMediumGroup is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely
Conditional Access High Coverage GapMediumTenant-wide coverage matrix found a high-severity coverage gap
Conditional Access High Risk Sign In Not ProtectedMediumHigh-risk sign-in scenarios not protected by MFA or block policies. Detected via What-If
Conditional Access Mobile App Missing ProtectionMediumMobile app access not protected by MFA/app protection for this user. Detected via What-If
Conditional Access Policy Covers Device Code Flow Not FoundMediumA CA policy covers device code flow with block or device-compliance grant
Conditional Access Policy Device Excluded By FilterMediumA CA policy's device filter excludes this device. Tracks which devices are excluded from enforcement
Conditional Access Require Block Legacy Other FoundMediumA Conditional Access policy blocking legacy "Other" client app type is present and active
Conditional Access Risky User Not ProtectedMediumHigh-risk user scenarios lack password change or block. Detected via What-If
Conditional Access User Coverage GapMediumUser has a Conditional Access coverage gap. A CA scenario does not cover this user
Conditional Access User Rule Applies In What If Read OnlyMediumA CA policy applies to this user in What-If but is in report-only mode, not enforcing
Conditional Access User Rule Does Not Apply In What IfMediumNo Conditional Access policy applies to this user for a given What-If scenario, a coverage gap
Conditional Access What If Missing Legacy App PolicyMediumWhat-If found no policy blocking legacy authentication for this user
Device Not Registered But Is Logging InMediumDevice is not registered to any user but has recent sign-in activity An unregistered device actively in use is a security concern
Device Policy That Covers Device Code Flow Not FoundMediumNo Conditional Access policy was found that covers device code flow. Device code flow is commonly abused in phishing attacks
Device Sign In Not Time Based Non Compliant DevicesMediumSign-in frequency is not time-based for non-compliant devices. Non-compliant devices should be forced to re-authenticate on a schedule
Intune Policy Compliance Password Expiration DaysMediumPassword expiration is not enforced by device compliance policy
Intune Policy Compliance Password Minimum Character SetsMediumMinimum character sets (complexity) is not enforced by device compliance policy
Log Cross Tenant SigninMediumSign-in originated from an external tenant (cross-tenant)
MFA Temporary Access Pass Not Once OnlyMediumTemporary Access Pass is configured to allow multiple uses instead of once-only. Multi-use TAPs increase the window of exposure if intercepted
Old At Risk With Low RiskMediumUser was previously at risk with a low risk level (historical)
Old At Risk With Medium RiskMediumUser was previously at risk with a medium risk level (historical)
Password Protection Lockout Threshold Too HighMediumSmart lockout threshold exceeds organizational maximum. High thresholds allow more password-spray attempts before lockout
Risk Detection Data MissingMediumRisk detection has a null, None, Hidden, or unknown risk level. May indicate Identity Protection is not licensed or data is incomplete
Saas Gws SCuBA Gws Common Enforce Two Step VerificationMediumSCUBA/CISA baseline: Google Workspace two-step verification enforcement
User Device Registered To Not Enabled UserMediumDevice registered to a disabled user account
User Disabled User Device Last Signin DateMediumDisabled user's device last sign-in date
User Medium Risk UserMediumUser flagged as medium risk by Entra ID Protection
User Per User MFAMediumUser has per-user MFA enabled (legacy). Should migrate to Conditional Access MFA
User Per User MFA No Data ReadMediumPer-user MFA data could not be read for this user
User Required License MatchMediumUser has required licenses matching the security baseline for their privilege level
User With Old MFAMediumUser is registered with a legacy MFA method (SMS or voice call) that should be migrated
Auth Authentication Method Included User Target Registration Not RequiredLowAuthentication method policy includes a user target without registration enforcement. Users may not be prompted to register the method
Auth Group Authentication Method Excluded Group TargetLowAuthentication method policy has excluded group targets. These groups are exempt from the method policy, which may create coverage gaps
Auth Group Authentication Method Included Group Target Registration Not RequiredLowAuthentication method group target is included but registration is not required for the group
Auth MFA FIDO2 Self Service Registration Not AllowedLowFIDO2 self-service registration is not allowed in the tenant policy
Auth MFA Software Oath Not EnabledLowSoftware OATH token authentication method is not enabled in the tenant
Auth Suspicious Activity Settings No TargetLowSuspicious activity reporting is enabled but no include target is configured to receive alerts
Conditional Access Coverage GapLowTenant-wide coverage matrix found a coverage gap (medium or lower)
Conditional Access Device Compliance BypassedLowDevice compliance policy bypassed in actual sign-ins. Detected by sign-in replay
Conditional Access Es Device Sign In Not Time Based Non Compliant DevicesLowA CA policy has sign-in frequency enabled but not time-based or not targeting non-compliant devices
Conditional Access Policy Not EnforcedLowCA policies should apply per What-If but are not enforced on actual sign-ins
Conditional Access Unmanaged Device Not ProtectedLowNo CA policy protects access from unmanaged devices for this user. Detected via What-If
Demo Code Example Threshold Too SmallLowDemo code example: threshold value is too small. Used for testing/demo purposes
Group Guest MemberLowGroup contains one or more guest (external) members. Guests may access group resources including SharePoint sites and Teams channels
Intune Policy Compliance Password History CountLowPassword history count is not enforced by device compliance policy
Admin Enforces Compliant Device For AdminsInfoA Conditional Access policy requires compliant or domain-joined devices for admin roles
Admin Enforces MFA For AdminsInfoA Conditional Access policy enforces MFA for admin roles across all applications
Auth Authentication Method Included User Target Registration RequiredInfoAuthentication method policy includes a user target with registration enforcement enabled
Auth Group Authentication Method Included Group Target Registration RequiredInfoAuthentication method group target is included with registration enforcement enabled
Conditional Access Block Legacy Exchange Active Sync FoundInfoA Conditional Access policy blocking legacy Exchange ActiveSync authentication was found
Conditional Access Enforces Block Unknown DeviceInfoA CA policy blocks sign-ins from unknown/unsupported device platforms across all apps
Conditional Access Enforces MFA For All UsersInfoA Conditional Access policy enforcing MFA for all users and all applications was found. Confirms tenant-wide MFA baseline is in place
Conditional Access Enforces MFA For High And Medium Risk UsersInfoA CA policy enforces MFA for high and medium risk users across all apps
Conditional Access Enforces Password For High Risk UsersInfoA CA policy enforces password change for high-risk users across all apps
Conditional Access Enforces Risk LevelsInfoA CA policy references sign-in risk or user risk levels. Confirms risk-based policies are active
Conditional Access Es Device Not Persistent Browser For Non Compliant DevicesInfoA CA policy disables persistent browser sessions for non-compliant devices
Conditional Access Es Device Signin Timebased For Non Compliant DevicesInfoA CA policy enforces time-based sign-in frequency for non-compliant devices
Conditional Access Loc Entra Location DataInfoEntra ID named location data record. Emitted per named location for visibility into CA location definitions
Conditional Access MFA For Guest FoundInfoA Conditional Access policy enforcing MFA for guest/external users was found
Conditional Access Permission Check SkippedInfoSecurity checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies
Conditional Access Policy Blocks All But Allowed CountriesInfoA CA policy excludes allowed countries and blocks everything else (geo-fencing allow-list)
Conditional Access Policy ChangeInfoA Conditional Access policy was modified. Detected from directory audit logs
Conditional Access Policy Device Included By FilterInfoA CA policy's device filter includes this device via its filter rule
Conditional Access Policy Only Allows Approved CountriesInfoA CA policy includes only approved countries with no disallowed countries
Conditional Access User Rule Applies In What IfInfoA Conditional Access policy applies to this user in What-If scenario evaluation. Reports the policy name and enforcement details (MFA, device compliance)
Group Member Of Directory RoleInfoGroup is a member of one or more Entra ID directory roles. Groups with role assignments grant elevated access to all members
Security Defaults DisabledInfoSecurity defaults are disabled but Conditional Access policies are in place. Verify CA policies provide equivalent or better MFA and legacy auth blocking
Security Defaults EnabledInfoSecurity defaults are enabled. Provides baseline MFA and legacy auth blocking for tenants without Conditional Access
Tenant Branding MissingInfoOrganizational branding is not configured on the sign-in page. Users cannot visually verify they are on the correct tenant login
Tenant Branding No LogoInfoOrganizational branding exists but no company logo is configured. Logo helps users identify legitimate sign-in pages
Tenant Branding No Sign In TextInfoOrganizational branding exists but no sign-in page text is configured. Custom text can warn users about phishing
User Login Device Trust TypeInfoReports the device trust type used during user sign-in

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB IM-6 (Identity Management) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB IM-6 (Identity Management) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.