MCSB IM-6: Identity Management
170 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-6 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB IM-6 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-6 sits in the Identity Management domain. Senserva evidences it with the 170 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 170 checks that evidence MCSB IM-6
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| At Risk With High Risk | Critical | User currently at risk with a high risk level assessment. Immediate investigation recommended |
| Auth User Not MFA Registered | Critical | User is not registered for any MFA method. Cannot complete MFA challenges |
| Conditional Access Admin Portal Missing MFA | Critical | Admin portal access lacks MFA for privileged users. Detected via What-If per user |
| Conditional Access Group Critical Coverage Gap | Critical | Group has no Conditional Access policy coverage (critical). The group is excluded from all applicable CA policies with no alternative coverage |
| Conditional Access MFA Policy Bypassed | Critical | MFA policy exists but sign-ins succeeded without MFA. Detected by sign-in replay vs What-If |
| Conditional Access User Critical Coverage Gap | Critical | User has no Conditional Access MFA coverage (critical). This user is excluded from all applicable MFA policies with no alternative coverage |
| Log Legacy Auth Protocol | Critical | Sign-in used a legacy authentication protocol that bypasses modern auth and MFA |
| Risk Detection Anomalous Token | Critical | Anomalous token usage detected Token properties or usage patterns do not match expected behavior. |
| Risk Detection Leaked Credentials | Critical | Leaked credentials detected. Credentials for this user were found exposed publicly |
| Risk Detection Malicious IP Address | Critical | Sign-in from a known malicious IP address. |
| Risk Detection Token Issuer Anomaly | Critical | Token issuer anomaly detected The token was issued by an unexpected or suspicious authority. |
| Security Defaults Disabled No Conditional Access | Critical | Security defaults are disabled and no Conditional Access policies are configured. The tenant has no enforced MFA baseline |
| User High Risk User | Critical | User flagged as high risk by Entra ID Protection. Immediate investigation required |
| Admin Enforces Compliant Device For Admins Not Found | High | No Conditional Access policy was found requiring compliant devices for admin roles Admins should only operate from managed, compliant endpoints |
| Admin Enforces MFA For Admins Not Found | High | No Conditional Access policy was found that enforces MFA specifically for admin roles Admins are high-value targets and must always require MFA |
| Admin Maester Device Compliance For Admins | High | Maester framework check: device compliance policy for administrators |
| At Risk Signin | High | Sign-in was flagged as at-risk by Entra ID Protection |
| At Risk With Low Risk | High | User currently at risk with a low risk level assessment |
| Auth Microsoft Authenticator Authentication Method In Use But Not Allowed By User | High | User is using Microsoft Authenticator but it is not allowed by the security baseline |
| Auth Password Authentication Method In Use But Not Allowed By Senserva Security Manager | High | User is using password authentication method but it is not allowed by the security baseline |
| Auth Passwordless Microsoft Authenticator Authentication Method In Use But Not Allowed By User | High | User is using passwordless Microsoft Authenticator but it is not allowed by the security baseline |
| Auth Require Passwordless But Its Not Used By User | High | Policy requires passwordless authentication but the user is not using it |
| Auth Software Oath Authentication Method In Use But Not Allowed By User | High | User is using software OATH token but it is not allowed by the security baseline |
| Auth Suspicious Activity Settings Not Enabled | High | Suspicious activity (fraud reporting) settings are not enabled in the authentication methods policy. Users cannot report unauthorized MFA prompts |
| Auth System Preferred Authentication Method Required But Not Set By User | High | System-preferred authentication method is required but not set for this user |
| Auth Temporary Access Pass Authentication Method In Use But Not Allowed By User | High | User is using Temporary Access Pass but it is not allowed by the security baseline |
| Auth Temporary Access Pass Lifetime Too Long | High | Temporary Access Pass maximum lifetime exceeds the recommended threshold |
| Auth Unallowed Authentication Methods Enabled | High | Authentication methods that are not allowed by the security baseline are currently enabled |
| Auth User Email Authentication Method In Use But Not Allowed By User | High | User is using email authentication but it is not allowed by security baseline |
| Auth User FIDO2 Attestation Not Enforced By User | High | FIDO2 attestation is not enforced. Without attestation, the origin and integrity of security keys cannot be verified |
| Auth User Invalid Default Method Type By User | High | User's default MFA method type is invalid or unrecognized |
| Auth User No Default MFA Method Found By User | High | User has no default MFA method configured |
| Auth User No Strong Authentication Method By User | High | User has no strong authentication method registered (no FIDO2, Windows Hello, Authenticator, or platform credential) |
| Auth User Not MFA Capable | High | User is not MFA-capable (no registered methods that satisfy MFA) |
| Auth User Sms Sign In State Is Not Ready By User | High | User's SMS sign-in state is provisioned |
| Auth User System Preferred Authentication Method Is Not Enabled By User | High | System-preferred authentication method is not enabled for this user |
| Auth User Unallowed User Default Authentication Method Type Is Used By User | High | User's default authentication method type is disallowed by security baseline |
| Auth Windows Hello Key Strength Normal Not Set By User | High | Windows Hello key strength is set to Normal instead of the recommended higher strength |
| Conditional Access Block Legacy Exchange Active Sync Not Found | High | No Conditional Access policy blocks legacy Exchange ActiveSync authentication for all users. EAS is a common vector for credential-based attacks since it bypasses modern auth |
| Conditional Access Block Requested Platforms | High | A CA policy blocks a device platform listed in the security baseline's blocked set |
| Conditional Access Browser O365 Missing MFA | High | Browser access to O365 not protected by MFA for this user. Detected via What-If |
| Conditional Access Enforces Block Unknown Device Not Found | High | No CA policy blocks unknown/unsupported device platforms |
| Conditional Access Enforces MFA For High And Medium Risk Users Not Found | High | No CA policy enforces MFA for high and medium risk users |
| Conditional Access Enforces Password For High Risk Users Not Found | High | No CA policy enforces password change for high-risk users |
| Conditional Access Enforces Risk Levels Not Found | High | No CA policy references sign-in or user risk levels. Risk-based CA is missing |
| Conditional Access Group High Coverage Gap | High | Group has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this group |
| Conditional Access Password Change Bypassed | High | Password-change grant control bypassed in actual sign-ins. Detected by sign-in replay |
| Conditional Access Policy Included Location Has Unwanted Country | High | A CA policy's included location list contains a country flagged as unwanted |
| Conditional Access Require Block From Untrusted Countries For All Users | High | A CA policy includes an untrusted named location and applies to all users/apps, blocking untrusted countries |
| Conditional Access Require Block Legacy Other Not Found | High | No Conditional Access policy blocks legacy "Other" client app type. Older protocols like MAPI, SMTP, POP, and IMAP remain open |
| Conditional Access Untrusted Location Missing MFA | High | Privileged user access from untrusted locations not protected by MFA. Detected via What-If |
| Conditional Access User High Coverage Gap | High | User has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this user |
| Conditional Access User Logged In Without Conditional Access Policy | High | User has sign-in activity but no Conditional Access policies were applied to any of their sign-ins. Indicates the user is signing in completely outside CA policy coverage |
| High Risk Detection Data | High | High-risk detection data record from Entra ID Protection |
| Intune Policy Compliance Idle Lock Timeout Minutes | High | Idle lock timeout is too long or not enforced by compliance policy |
| Intune Policy Compliance Password Block Simple | High | Simple passwords are not blocked by device compliance policy |
| Intune Policy Compliance Password Minimum Length | High | Minimum password length is not enforced by device compliance policy |
| Intune Policy Compliance Password Required | High | Password is not required by device compliance policy |
| Intune Policy Compliance Password Required To Unlock From Idle | High | Password is not required to unlock device from idle state |
| Intune Policy Compliance Password Required Type | High | Required password type is not enforced by device compliance policy |
| Low Risk Detection Data | High | Low-risk detection data record from Entra ID Protection |
| Medium Risk Detection Data | High | Medium-risk detection data record from Entra ID Protection |
| MFA MFA For Guest Not Found | High | No Conditional Access policy requiring MFA for guest users was found. Guest accounts without MFA are vulnerable to credential compromise |
| No Assigned To PIM Rules In Tenant | High | No PIM rules are assigned to roles in the tenant. PIM is not governing privileged role activation |
| Old At Risk With High Risk | High | User was previously at risk with a high risk level (historical) |
| Password Protection Banned Check Disabled | High | Entra ID password protection custom banned-password check is disabled. Common and organization-specific weak passwords are not blocked |
| Password Protection Lockout Duration Too Short | High | Smart lockout duration is shorter than organizational minimum. Short lockouts allow rapid retry cycles |
| Password Protection Not Enforced | High | Password protection mode is not set to Enforced. In Audit mode, weak passwords are logged but not blocked |
| Risk Detection Anonymized IP Address | High | Sign-in from an anonymized IP address (VPN, Tor, or proxy) |
| Risk Detection Suspicious IP Address | High | Sign-in from a suspicious IP address flagged by threat intelligence |
| Risk Level During Signin | High | Risk level recorded during a user sign-in event |
| Security Defaults Enabled With Conditional Access | High | Security defaults and Conditional Access policies are both active. Security defaults can conflict with CA policies and cause unexpected behavior |
| User Login Device Must Be Compliant | High | User sign-in from a device that is not compliant |
| User Login Device Must Be Managed | High | User sign-in from a device that is not managed by Intune |
| User Login Outdated Windows Operating System | High | User sign-in from a Windows device with an outdated OS |
| User Low Risk User | High | User flagged as low risk by Entra ID Protection |
| User Signin With Single Factor Authentication | High | User signed in with single-factor authentication (no MFA) |
| User With Policy Exclusions | High | User is excluded from one or more Conditional Access policies |
| At Risk With Medium Risk | Medium | User currently at risk with a medium risk level assessment |
| Auth Allowed Authentication Methods Disabled | Medium | Authentication methods that are required by the security baseline are currently disabled |
| Auth Authentication Method Excluded User Target | Medium | Authentication method policy has excluded user targets. These users are exempt from the method policy, which may create coverage gaps |
| Auth FIDO2 Authentication Method In Use But Not Allowed By User | Medium | User is using FIDO2 authentication but it is not allowed by security baseline |
| Auth FIDO2 Key Restrictions Not Enforced | Medium | FIDO2 key restrictions are not enforced Any security key can be registered regardless of make or model |
| Auth FIDO2 Passwordless Enabled But Not Governed | Medium | FIDO2 passwordless authentication is enabled but lacks governance controls (no key restrictions or attestation) |
| Auth No Default MFA Method Found By User | Medium | User has no default MFA method configured. They may fall back to weaker methods |
| Auth Phone Authentication Method In Use But Not Allowed By User | Medium | User is using phone (SMS/voice) authentication but it is not allowed by the security baseline. SMS is susceptible to SIM-swap attacks |
| Auth Platform Credential Authentication Method In Use But Not Allowed By User | Medium | User is using platform credential authentication but it is not allowed by the security baseline |
| Auth Registration Enforcement Campaign Not Configured | Medium | Authentication methods registration enforcement campaign is not configured |
| Auth System Credential Preferences Not Enabled | Medium | System-preferred credential preferences are not enabled in the authentication methods policy. Without system preference, users may choose weaker authentication methods |
| Auth User Hardware Oath Authentication Method In Use But Not Allowed By User | Medium | User is using hardware OATH token but it is not allowed by security baseline |
| Auth User Recommended User Default Authentication Method Type Not Used By User | Medium | User is not using the recommended default authentication method type |
| Auth User Windows Hello For Business Authentication Method In Use But Not Allowed By User | Medium | User is using Windows Hello for Business but it is not allowed by security baseline |
| Conditional Access Critical Coverage Gap | Medium | Tenant-wide coverage matrix found a critical coverage gap. Core scenario has no policy |
| Conditional Access Device Code Flow Not Blocked | Medium | Device code flow not blocked for privileged users. Detected via What-If |
| Conditional Access Enforces MFA For All Users Not Found | Medium | No Conditional Access policy was found that enforces MFA for all users across all applications. Indicates a fundamental gap in tenant-wide MFA coverage |
| Conditional Access Enforces Risk Levels Both Signin And User Risk In Same Policy | Medium | A single CA policy includes both sign-in risk and user risk. Microsoft recommends separating these |
| Conditional Access Graph API Missing MFA | Medium | Privileged user Graph API access not protected by MFA. Detected via What-If |
| Conditional Access Group Coverage Gap | Medium | Group has a Conditional Access coverage gap. A CA scenario does not cover this group |
| Conditional Access Group With Policy Exclusions | Medium | Group is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely |
| Conditional Access High Coverage Gap | Medium | Tenant-wide coverage matrix found a high-severity coverage gap |
| Conditional Access High Risk Sign In Not Protected | Medium | High-risk sign-in scenarios not protected by MFA or block policies. Detected via What-If |
| Conditional Access Mobile App Missing Protection | Medium | Mobile app access not protected by MFA/app protection for this user. Detected via What-If |
| Conditional Access Policy Covers Device Code Flow Not Found | Medium | A CA policy covers device code flow with block or device-compliance grant |
| Conditional Access Policy Device Excluded By Filter | Medium | A CA policy's device filter excludes this device. Tracks which devices are excluded from enforcement |
| Conditional Access Require Block Legacy Other Found | Medium | A Conditional Access policy blocking legacy "Other" client app type is present and active |
| Conditional Access Risky User Not Protected | Medium | High-risk user scenarios lack password change or block. Detected via What-If |
| Conditional Access User Coverage Gap | Medium | User has a Conditional Access coverage gap. A CA scenario does not cover this user |
| Conditional Access User Rule Applies In What If Read Only | Medium | A CA policy applies to this user in What-If but is in report-only mode, not enforcing |
| Conditional Access User Rule Does Not Apply In What If | Medium | No Conditional Access policy applies to this user for a given What-If scenario, a coverage gap |
| Conditional Access What If Missing Legacy App Policy | Medium | What-If found no policy blocking legacy authentication for this user |
| Device Not Registered But Is Logging In | Medium | Device is not registered to any user but has recent sign-in activity An unregistered device actively in use is a security concern |
| Device Policy That Covers Device Code Flow Not Found | Medium | No Conditional Access policy was found that covers device code flow. Device code flow is commonly abused in phishing attacks |
| Device Sign In Not Time Based Non Compliant Devices | Medium | Sign-in frequency is not time-based for non-compliant devices. Non-compliant devices should be forced to re-authenticate on a schedule |
| Intune Policy Compliance Password Expiration Days | Medium | Password expiration is not enforced by device compliance policy |
| Intune Policy Compliance Password Minimum Character Sets | Medium | Minimum character sets (complexity) is not enforced by device compliance policy |
| Log Cross Tenant Signin | Medium | Sign-in originated from an external tenant (cross-tenant) |
| MFA Temporary Access Pass Not Once Only | Medium | Temporary Access Pass is configured to allow multiple uses instead of once-only. Multi-use TAPs increase the window of exposure if intercepted |
| Old At Risk With Low Risk | Medium | User was previously at risk with a low risk level (historical) |
| Old At Risk With Medium Risk | Medium | User was previously at risk with a medium risk level (historical) |
| Password Protection Lockout Threshold Too High | Medium | Smart lockout threshold exceeds organizational maximum. High thresholds allow more password-spray attempts before lockout |
| Risk Detection Data Missing | Medium | Risk detection has a null, None, Hidden, or unknown risk level. May indicate Identity Protection is not licensed or data is incomplete |
| Saas Gws SCuBA Gws Common Enforce Two Step Verification | Medium | SCUBA/CISA baseline: Google Workspace two-step verification enforcement |
| User Device Registered To Not Enabled User | Medium | Device registered to a disabled user account |
| User Disabled User Device Last Signin Date | Medium | Disabled user's device last sign-in date |
| User Medium Risk User | Medium | User flagged as medium risk by Entra ID Protection |
| User Per User MFA | Medium | User has per-user MFA enabled (legacy). Should migrate to Conditional Access MFA |
| User Per User MFA No Data Read | Medium | Per-user MFA data could not be read for this user |
| User Required License Match | Medium | User has required licenses matching the security baseline for their privilege level |
| User With Old MFA | Medium | User is registered with a legacy MFA method (SMS or voice call) that should be migrated |
| Auth Authentication Method Included User Target Registration Not Required | Low | Authentication method policy includes a user target without registration enforcement. Users may not be prompted to register the method |
| Auth Group Authentication Method Excluded Group Target | Low | Authentication method policy has excluded group targets. These groups are exempt from the method policy, which may create coverage gaps |
| Auth Group Authentication Method Included Group Target Registration Not Required | Low | Authentication method group target is included but registration is not required for the group |
| Auth MFA FIDO2 Self Service Registration Not Allowed | Low | FIDO2 self-service registration is not allowed in the tenant policy |
| Auth MFA Software Oath Not Enabled | Low | Software OATH token authentication method is not enabled in the tenant |
| Auth Suspicious Activity Settings No Target | Low | Suspicious activity reporting is enabled but no include target is configured to receive alerts |
| Conditional Access Coverage Gap | Low | Tenant-wide coverage matrix found a coverage gap (medium or lower) |
| Conditional Access Device Compliance Bypassed | Low | Device compliance policy bypassed in actual sign-ins. Detected by sign-in replay |
| Conditional Access Es Device Sign In Not Time Based Non Compliant Devices | Low | A CA policy has sign-in frequency enabled but not time-based or not targeting non-compliant devices |
| Conditional Access Policy Not Enforced | Low | CA policies should apply per What-If but are not enforced on actual sign-ins |
| Conditional Access Unmanaged Device Not Protected | Low | No CA policy protects access from unmanaged devices for this user. Detected via What-If |
| Demo Code Example Threshold Too Small | Low | Demo code example: threshold value is too small. Used for testing/demo purposes |
| Group Guest Member | Low | Group contains one or more guest (external) members. Guests may access group resources including SharePoint sites and Teams channels |
| Intune Policy Compliance Password History Count | Low | Password history count is not enforced by device compliance policy |
| Admin Enforces Compliant Device For Admins | Info | A Conditional Access policy requires compliant or domain-joined devices for admin roles |
| Admin Enforces MFA For Admins | Info | A Conditional Access policy enforces MFA for admin roles across all applications |
| Auth Authentication Method Included User Target Registration Required | Info | Authentication method policy includes a user target with registration enforcement enabled |
| Auth Group Authentication Method Included Group Target Registration Required | Info | Authentication method group target is included with registration enforcement enabled |
| Conditional Access Block Legacy Exchange Active Sync Found | Info | A Conditional Access policy blocking legacy Exchange ActiveSync authentication was found |
| Conditional Access Enforces Block Unknown Device | Info | A CA policy blocks sign-ins from unknown/unsupported device platforms across all apps |
| Conditional Access Enforces MFA For All Users | Info | A Conditional Access policy enforcing MFA for all users and all applications was found. Confirms tenant-wide MFA baseline is in place |
| Conditional Access Enforces MFA For High And Medium Risk Users | Info | A CA policy enforces MFA for high and medium risk users across all apps |
| Conditional Access Enforces Password For High Risk Users | Info | A CA policy enforces password change for high-risk users across all apps |
| Conditional Access Enforces Risk Levels | Info | A CA policy references sign-in risk or user risk levels. Confirms risk-based policies are active |
| Conditional Access Es Device Not Persistent Browser For Non Compliant Devices | Info | A CA policy disables persistent browser sessions for non-compliant devices |
| Conditional Access Es Device Signin Timebased For Non Compliant Devices | Info | A CA policy enforces time-based sign-in frequency for non-compliant devices |
| Conditional Access Loc Entra Location Data | Info | Entra ID named location data record. Emitted per named location for visibility into CA location definitions |
| Conditional Access MFA For Guest Found | Info | A Conditional Access policy enforcing MFA for guest/external users was found |
| Conditional Access Permission Check Skipped | Info | Security checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies |
| Conditional Access Policy Blocks All But Allowed Countries | Info | A CA policy excludes allowed countries and blocks everything else (geo-fencing allow-list) |
| Conditional Access Policy Change | Info | A Conditional Access policy was modified. Detected from directory audit logs |
| Conditional Access Policy Device Included By Filter | Info | A CA policy's device filter includes this device via its filter rule |
| Conditional Access Policy Only Allows Approved Countries | Info | A CA policy includes only approved countries with no disallowed countries |
| Conditional Access User Rule Applies In What If | Info | A Conditional Access policy applies to this user in What-If scenario evaluation. Reports the policy name and enforcement details (MFA, device compliance) |
| Group Member Of Directory Role | Info | Group is a member of one or more Entra ID directory roles. Groups with role assignments grant elevated access to all members |
| Security Defaults Disabled | Info | Security defaults are disabled but Conditional Access policies are in place. Verify CA policies provide equivalent or better MFA and legacy auth blocking |
| Security Defaults Enabled | Info | Security defaults are enabled. Provides baseline MFA and legacy auth blocking for tenants without Conditional Access |
| Tenant Branding Missing | Info | Organizational branding is not configured on the sign-in page. Users cannot visually verify they are on the correct tenant login |
| Tenant Branding No Logo | Info | Organizational branding exists but no company logo is configured. Logo helps users identify legitimate sign-in pages |
| Tenant Branding No Sign In Text | Info | Organizational branding exists but no sign-in page text is configured. Custom text can warn users about phishing |
| User Login Device Trust Type | Info | Reports the device trust type used during user sign-in |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.