Controls / MCSB / IM-7

MCSB IM-7: Identity Management

42 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IM-7 (Identity Management). Each is checked against your tenant, ranked by Severity, with validated remediation.

42 checksIdentity ManagementTop Severity: Critical

What MCSB IM-7 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IM-7 sits in the Identity Management domain. Senserva evidences it with the 42 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 42 checks that evidence MCSB IM-7

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Auth User Not MFA RegisteredCriticalUser is not registered for any MFA method. Cannot complete MFA challenges
Security Defaults Disabled No Conditional AccessCriticalSecurity defaults are disabled and no Conditional Access policies are configured. The tenant has no enforced MFA baseline
Admin Enforces MFA For Admins Not FoundHighNo Conditional Access policy was found that enforces MFA specifically for admin roles Admins are high-value targets and must always require MFA
Auth Microsoft Authenticator Authentication Method In Use But Not Allowed By UserHighUser is using Microsoft Authenticator but it is not allowed by the security baseline
Auth Passwordless Microsoft Authenticator Authentication Method In Use But Not Allowed By UserHighUser is using passwordless Microsoft Authenticator but it is not allowed by the security baseline
Auth Require Passwordless But Its Not Used By UserHighPolicy requires passwordless authentication but the user is not using it
Auth User FIDO2 Attestation Not Enforced By UserHighFIDO2 attestation is not enforced. Without attestation, the origin and integrity of security keys cannot be verified
Auth User Invalid Default Method Type By UserHighUser's default MFA method type is invalid or unrecognized
Auth User No Default MFA Method Found By UserHighUser has no default MFA method configured
Auth User No Strong Authentication Method By UserHighUser has no strong authentication method registered (no FIDO2, Windows Hello, Authenticator, or platform credential)
Auth User Not MFA CapableHighUser is not MFA-capable (no registered methods that satisfy MFA)
Auth User Unallowed User Default Authentication Method Type Is Used By UserHighUser's default authentication method type is disallowed by security baseline
Auth Windows Hello Key Strength Normal Not Set By UserHighWindows Hello key strength is set to Normal instead of the recommended higher strength
Conditional Access Block Legacy Exchange Active Sync Not FoundHighNo Conditional Access policy blocks legacy Exchange ActiveSync authentication for all users. EAS is a common vector for credential-based attacks since it bypasses modern auth
Conditional Access Require Block Legacy Other Not FoundHighNo Conditional Access policy blocks legacy "Other" client app type. Older protocols like MAPI, SMTP, POP, and IMAP remain open
Log Conditional Access Policy Exclusion AppliedHighConditional Access policy exclusion applied during sign-in, policy bypassed due to satisfied exclusion conditions
Password Protection Banned Check DisabledHighEntra ID password protection custom banned-password check is disabled. Common and organization-specific weak passwords are not blocked
Password Protection Lockout Duration Too ShortHighSmart lockout duration is shorter than organizational minimum. Short lockouts allow rapid retry cycles
Password Protection Not EnforcedHighPassword protection mode is not set to Enforced. In Audit mode, weak passwords are logged but not blocked
Security Defaults Enabled With Conditional AccessHighSecurity defaults and Conditional Access policies are both active. Security defaults can conflict with CA policies and cause unexpected behavior
User Signin With Single Factor AuthenticationHighUser signed in with single-factor authentication (no MFA)
Auth FIDO2 Authentication Method In Use But Not Allowed By UserMediumUser is using FIDO2 authentication but it is not allowed by security baseline
Auth FIDO2 Key Restrictions Not EnforcedMediumFIDO2 key restrictions are not enforced Any security key can be registered regardless of make or model
Auth FIDO2 Passwordless Enabled But Not GovernedMediumFIDO2 passwordless authentication is enabled but lacks governance controls (no key restrictions or attestation)
Auth No Default MFA Method Found By UserMediumUser has no default MFA method configured. They may fall back to weaker methods
Auth Platform Credential Authentication Method In Use But Not Allowed By UserMediumUser is using platform credential authentication but it is not allowed by the security baseline
Auth User Recommended User Default Authentication Method Type Not Used By UserMediumUser is not using the recommended default authentication method type
Auth User Windows Hello For Business Authentication Method In Use But Not Allowed By UserMediumUser is using Windows Hello for Business but it is not allowed by security baseline
Conditional Access Enforces MFA For All Users Not FoundMediumNo Conditional Access policy was found that enforces MFA for all users across all applications. Indicates a fundamental gap in tenant-wide MFA coverage
Conditional Access Group With Policy ExclusionsMediumGroup is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely
Conditional Access Require Block Legacy Other FoundMediumA Conditional Access policy blocking legacy "Other" client app type is present and active
Password Protection Lockout Threshold Too HighMediumSmart lockout threshold exceeds organizational maximum. High thresholds allow more password-spray attempts before lockout
User Per User MFAMediumUser has per-user MFA enabled (legacy). Should migrate to Conditional Access MFA
User Per User MFA No Data ReadMediumPer-user MFA data could not be read for this user
User With Old MFAMediumUser is registered with a legacy MFA method (SMS or voice call) that should be migrated
Auth MFA FIDO2 Self Service Registration Not AllowedLowFIDO2 self-service registration is not allowed in the tenant policy
Admin Enforces MFA For AdminsInfoA Conditional Access policy enforces MFA for admin roles across all applications
Conditional Access Block Legacy Exchange Active Sync FoundInfoA Conditional Access policy blocking legacy Exchange ActiveSync authentication was found
Conditional Access Enforces MFA For All UsersInfoA Conditional Access policy enforcing MFA for all users and all applications was found. Confirms tenant-wide MFA baseline is in place
Conditional Access Permission Check SkippedInfoSecurity checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies
Security Defaults DisabledInfoSecurity defaults are disabled but Conditional Access policies are in place. Verify CA policies provide equivalent or better MFA and legacy auth blocking
Security Defaults EnabledInfoSecurity defaults are enabled. Provides baseline MFA and legacy auth blocking for tenants without Conditional Access

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB IM-7 (Identity Management) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB IM-7 (Identity Management) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.