Controls / MCSB / LT-1

MCSB LT-1: Logging and Threat Detection

69 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control LT-1 (Logging and Threat Detection). Each is checked against your tenant, ranked by Severity, with validated remediation.

69 checksLogging and Threat DetectionTop Severity: Critical

What MCSB LT-1 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. LT-1 sits in the Logging and Threat Detection domain. Senserva evidences it with the 69 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 69 checks that evidence MCSB LT-1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Operation Approval Device Wipe MissingCriticalNo Intune operation approval policy is configured for device wipe, any admin can wipe devices without a second approval.
Intune Operation Approval Tenant Configuration MissingCriticalNo Intune operation approval policy is configured for tenant configuration changes, any admin can make tenant-wide Intune changes without a second approval.
Log Blocked Signin Bad IP Or Too Many Invalid AttemptsCriticalSign-in blocked due to bad IP reputation or too many invalid attempts. May indicate brute-force or credential stuffing attack
Log Legacy Auth ProtocolCriticalSign-in used a legacy authentication protocol that bypasses modern auth and MFA
PIM Alerts No MFA On Activation AlertCriticalPIM alert: MFA is not required on role activation. Compromised credentials can escalate
Audit CA ChangeHighSuccessful Conditional Access change in directory audit logs
Audit CA Failed Conditional Access ChangeHighFailed Conditional Access change in directory audit logs
Audit Failed Authorization ChangeHighFailed authorization policy change in directory audit logs
Audit Failed Directory Management ChangeHighFailed directory management change in audit logs
Audit Failed Other ChangeHighFailed change in uncategorized category in directory audit logs
Audit Failed Resource Management ChangeHighFailed resource management change in directory audit logs
Audit Group Failed Group Management ChangeHighFailed group management change in directory audit logs
Audit Im Auth Failed Authentication ChangeHighFailed authentication method/policy change in directory audit logs
Audit Role Failed Roll Management ChangeHighFailed role management change in directory audit logs. May indicate unauthorized attempts
Audit User Failed User Management ChangeHighFailed user management change in directory audit logs
Audit User Failed User Modification AttemptHighFailed user modification attempt in directory audit logs
Audit User Successful User ModificationHighSuccessful user modification in directory audit logs
Intune Operation Approval Device Delete MissingHighNo Intune operation approval policy is configured for device delete, any admin can delete devices from Intune without a second approval.
Intune Operation Approval Device Retire MissingHighNo Intune operation approval policy is configured for device retire, any admin can retire devices without a second approval.
Intune Operation Approval No ApproversHighAn Intune operation approval policy has no approver groups configured, the approval gate cannot enforce peer review.
Intune Policy Compliance Mde Integration RequiredHighMicrosoft Defender for Endpoint integration is not required by compliance policy
Intune Policy Compliance Mde Threat Level AllowedHighMicrosoft Defender for Endpoint allowed threat level is too permissive in compliance policy
Link SCuBA Exo Link ProtectionHighSCUBA/CISA baseline check: Exchange Online Safe Links protection configuration Verifies that URL detonation and click-time protection are enabled
Log Conditional Access Error LogHighConditional Access error in sign-in logs. CA policy evaluation failed during sign-in
Log Conditional Access Log Request AuditHighConditional Access request audit record from sign-in logs
Log Conditional Access Policy Exclusion AppliedHighConditional Access policy exclusion applied during sign-in, policy bypassed due to satisfied exclusion conditions
Log User Sign In Log Request AuditHighSign-in log request audit record
Log User Single Factor AuthenticationHighUser sign-in completed with single-factor authentication as recorded in sign-in logs
Malware SCuBA Exo Malware ScanningHighSCUBA/CISA baseline check: Exchange Online malware scanning configuration Verifies that anti-malware policies are properly configured
Phish SCuBA Exo Phishing ProtectionsHighSCUBA/CISA baseline check: Exchange Online anti-phishing protection configuration Verifies impersonation protection, mailbox intelligence, and spoof settings
PIM Alerts License SuspendedHighPIM license is suspended. PIM protections are not enforced without an active license
PIM Alerts Stale Alert IncidentHighPIM alert: stale role assignment detected. A user's privileged role has not been activated recently
PIM Alerts Too Many Global Admins Assigned To Tenant Alert IncidentHighPIM alert: too many Global Admins assigned to the tenant
PIM Policy Notifications MissingHighPIM policy is missing notification rules. Admins are not alerted on role activation
Audit As App Failed Application Management ChangeMediumFailed application management change detected in directory audit logs May indicate unauthorized modification attempts
Audit Authentication ChangeMediumSuccessful authentication method/policy change in directory audit logs
Audit Authorization Change Authorization ChangeMediumSuccessful authorization policy change in directory audit logs
Audit Im Policy Failed Policy ChangeMediumFailed Conditional Access policy change in directory audit logs
Audit PIM ChangeMediumSuccessful PIM change in directory audit logs
Audit PIM Failed PIM ChangeMediumFailed PIM change in directory audit logs. May indicate unauthorized modification attempts
Audit Role Management ChangeMediumSuccessful role management change in directory audit logs
Establish Monitoring And DetectionMediumEstablish monitoring and anomaly detection for AI workloads and outputs
Log Conditional Access StatusMediumConditional Access status observed across sign-in logs
Log Es Device Login Fails CountsMediumAggregated device login failure counts. Tracks devices with repeated auth failures
Log Es Device Non Compliant Device Login CountsMediumCount of sign-ins from non-compliant devices
Log Failed Login CountMediumAggregated failed login count for a user. High counts may indicate brute-force attacks
Missing Licenses RequiredMediumThe tenant is missing licenses required by the security baseline for general (non-privileged) accounts
PIM Alert Configuration IncorrectMediumPIM alert configuration is incorrect or misconfigured for the tenant
PIM Missing Alert TypeMediumExpected PIM alert type is missing from the tenant's alert configuration
Secure Score Control Not ImplementedMediumA Microsoft Secure Score control is available but the tenant is earning zero points for it.
Admin SCuBA Gws Common Admin Audit And AlertsLowSCUBA/CISA baseline check: Google Workspace admin audit and alerts configuration
Audit Es Device Failed Device ChangeLowFailed device management change in directory audit logs
Other ChangeLowA directory audit log entry with a category that does not match any known category mapping. Captured for completeness
Spam SCuBA Exo Inbound Anti Spam ProtectionsLowSCUBA/CISA baseline check: Exchange Online inbound anti-spam protection configuration Verifies spam filter policies and actions are properly configured
Audit As App Application ActivityInfoApplication activity detected in directory audit logs (non-management actions)
Audit Audit CompletedInfoAudit scan completed for the tenant
Audit Audit StartedInfoAudit scan started for the tenant
Audit Directory Management ChangeInfoSuccessful directory management change in audit logs
Audit Group Management ChangeInfoSuccessful group management change in directory audit logs
Audit Resource Management ChangeInfoSuccessful resource management change in directory audit logs
Audit User ActivityInfoUser activity event in directory audit logs (non-management actions)
Audit User Management ChangeInfoSuccessful user management change in directory audit logs
Device ChangeInfoDevice configuration change detected in directory audit logs (successful)
Perform Continuous Red TeamInfoPerform continuous red-team exercises against AI deployments to identify vulnerabilities
Permission Check SkippedInfoSecurity checks were skipped because the scanning credential lacks a required directory role
PIM AlertsInfoPIM alert record with role, assignee, and last activation details
PIM Policy Modified ByInfoPIM management policy was last modified by the reported user. Change tracking
Scoring LineInfoIndividual scoring line item contributing to the overall tenant security score
Secure ScoreInfoMicrosoft Secure Score value for the tenant. Tracked for trending and benchmark comparison

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB LT-1 (Logging and Threat Detection) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB LT-1 (Logging and Threat Detection) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.