MCSB IM-7: Identity Management
42 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-7 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB IM-7 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-7 sits in the Identity Management domain. Senserva evidences it with the 42 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 42 checks that evidence MCSB IM-7
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Auth User Not MFA Registered | Critical | User is not registered for any MFA method. Cannot complete MFA challenges |
| Security Defaults Disabled No Conditional Access | Critical | Security defaults are disabled and no Conditional Access policies are configured. The tenant has no enforced MFA baseline |
| Admin Enforces MFA For Admins Not Found | High | No Conditional Access policy was found that enforces MFA specifically for admin roles Admins are high-value targets and must always require MFA |
| Auth Microsoft Authenticator Authentication Method In Use But Not Allowed By User | High | User is using Microsoft Authenticator but it is not allowed by the security baseline |
| Auth Passwordless Microsoft Authenticator Authentication Method In Use But Not Allowed By User | High | User is using passwordless Microsoft Authenticator but it is not allowed by the security baseline |
| Auth Require Passwordless But Its Not Used By User | High | Policy requires passwordless authentication but the user is not using it |
| Auth User FIDO2 Attestation Not Enforced By User | High | FIDO2 attestation is not enforced. Without attestation, the origin and integrity of security keys cannot be verified |
| Auth User Invalid Default Method Type By User | High | User's default MFA method type is invalid or unrecognized |
| Auth User No Default MFA Method Found By User | High | User has no default MFA method configured |
| Auth User No Strong Authentication Method By User | High | User has no strong authentication method registered (no FIDO2, Windows Hello, Authenticator, or platform credential) |
| Auth User Not MFA Capable | High | User is not MFA-capable (no registered methods that satisfy MFA) |
| Auth User Unallowed User Default Authentication Method Type Is Used By User | High | User's default authentication method type is disallowed by security baseline |
| Auth Windows Hello Key Strength Normal Not Set By User | High | Windows Hello key strength is set to Normal instead of the recommended higher strength |
| Conditional Access Block Legacy Exchange Active Sync Not Found | High | No Conditional Access policy blocks legacy Exchange ActiveSync authentication for all users. EAS is a common vector for credential-based attacks since it bypasses modern auth |
| Conditional Access Require Block Legacy Other Not Found | High | No Conditional Access policy blocks legacy "Other" client app type. Older protocols like MAPI, SMTP, POP, and IMAP remain open |
| Log Conditional Access Policy Exclusion Applied | High | Conditional Access policy exclusion applied during sign-in, policy bypassed due to satisfied exclusion conditions |
| Password Protection Banned Check Disabled | High | Entra ID password protection custom banned-password check is disabled. Common and organization-specific weak passwords are not blocked |
| Password Protection Lockout Duration Too Short | High | Smart lockout duration is shorter than organizational minimum. Short lockouts allow rapid retry cycles |
| Password Protection Not Enforced | High | Password protection mode is not set to Enforced. In Audit mode, weak passwords are logged but not blocked |
| Security Defaults Enabled With Conditional Access | High | Security defaults and Conditional Access policies are both active. Security defaults can conflict with CA policies and cause unexpected behavior |
| User Signin With Single Factor Authentication | High | User signed in with single-factor authentication (no MFA) |
| Auth FIDO2 Authentication Method In Use But Not Allowed By User | Medium | User is using FIDO2 authentication but it is not allowed by security baseline |
| Auth FIDO2 Key Restrictions Not Enforced | Medium | FIDO2 key restrictions are not enforced Any security key can be registered regardless of make or model |
| Auth FIDO2 Passwordless Enabled But Not Governed | Medium | FIDO2 passwordless authentication is enabled but lacks governance controls (no key restrictions or attestation) |
| Auth No Default MFA Method Found By User | Medium | User has no default MFA method configured. They may fall back to weaker methods |
| Auth Platform Credential Authentication Method In Use But Not Allowed By User | Medium | User is using platform credential authentication but it is not allowed by the security baseline |
| Auth User Recommended User Default Authentication Method Type Not Used By User | Medium | User is not using the recommended default authentication method type |
| Auth User Windows Hello For Business Authentication Method In Use But Not Allowed By User | Medium | User is using Windows Hello for Business but it is not allowed by security baseline |
| Conditional Access Enforces MFA For All Users Not Found | Medium | No Conditional Access policy was found that enforces MFA for all users across all applications. Indicates a fundamental gap in tenant-wide MFA coverage |
| Conditional Access Group With Policy Exclusions | Medium | Group is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely |
| Conditional Access Require Block Legacy Other Found | Medium | A Conditional Access policy blocking legacy "Other" client app type is present and active |
| Password Protection Lockout Threshold Too High | Medium | Smart lockout threshold exceeds organizational maximum. High thresholds allow more password-spray attempts before lockout |
| User Per User MFA | Medium | User has per-user MFA enabled (legacy). Should migrate to Conditional Access MFA |
| User Per User MFA No Data Read | Medium | Per-user MFA data could not be read for this user |
| User With Old MFA | Medium | User is registered with a legacy MFA method (SMS or voice call) that should be migrated |
| Auth MFA FIDO2 Self Service Registration Not Allowed | Low | FIDO2 self-service registration is not allowed in the tenant policy |
| Admin Enforces MFA For Admins | Info | A Conditional Access policy enforces MFA for admin roles across all applications |
| Conditional Access Block Legacy Exchange Active Sync Found | Info | A Conditional Access policy blocking legacy Exchange ActiveSync authentication was found |
| Conditional Access Enforces MFA For All Users | Info | A Conditional Access policy enforcing MFA for all users and all applications was found. Confirms tenant-wide MFA baseline is in place |
| Conditional Access Permission Check Skipped | Info | Security checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies |
| Security Defaults Disabled | Info | Security defaults are disabled but Conditional Access policies are in place. Verify CA policies provide equivalent or better MFA and legacy auth blocking |
| Security Defaults Enabled | Info | Security defaults are enabled. Provides baseline MFA and legacy auth blocking for tenants without Conditional Access |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.