Controls / MCSB / PA-1

MCSB PA-1: Privileged Access

73 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PA-1 (Privileged Access). Each is checked against your tenant, ranked by Severity, with validated remediation.

73 checksPrivileged AccessTop Severity: Critical

What MCSB PA-1 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PA-1 sits in the Privileged Access domain. Senserva evidences it with the 73 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 73 checks that evidence MCSB PA-1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Role Excessive Destructive PermissionsCriticalIntune RBAC role has excessive destructive permissions, high count of delete, wipe, retire, or reset actions
Intune Role Privilege EscalationCriticalIntune RBAC role has permissions that allow privilege escalation, can manage roles or expand assignment scope
PIM Policy Expiration RequiredCriticalPIM policy does not require expiration for role assignments. Permanent assignments violate just-in-time access principles
PIM Policy Missing For UserCriticalUser has a direct role assignment with no PIM policy governing activation
Role Ai Administrator AssignedCriticalA principal is assigned the AI Administrator role, which controls all Microsoft 365 Copilot settings and AI data access boundaries
Role Standing High Privilege AssignmentCriticalStanding (permanent, non-PIM) assignment on a high-privilege role
Sp Critical Graph PermissionCriticalService principal has been granted critical Graph API permissions that enable privilege escalation (e.g., RoleManagementReadWriteDirectory, ApplicationReadWriteAll)
Agents Agent Identity Blueprint Inheritable Permission High RiskHighAn AI agent has inheritable permissions that include high-risk Microsoft Graph scopes.
App Broad Consent ScopeHighApplication has admin consent granted for all users (ConsentType = AllPrincipals). Broad consent means every user is affected if the app is compromised
Apply Least Privilege For Agent FunctionsHighApply least-privilege principle to AI agent functions to limit blast radius of misuse
Auth Policy Guest Invite UnrestrictedHighGuest invitation policy is set to unrestricted, any user can invite external guests Broadens external access surface.
Auth Policy Msol Not BlockedHighLegacy MSOL PowerShell access is not blocked. MSOL bypasses modern auth controls and CA policies
Auth Policy Users Can Create Security GroupsHighUsers can create security groups without admin approval. Uncontrolled group creation leads to sprawl and unintended access grants
Auth Policy Users Can Register AppsHighUsers are allowed to register applications in the tenant. Overly permissive app registration increases shadow-app risk
Intune Role Custom High RiskHighCustom Intune RBAC role with elevated risk score, not a Microsoft built-in role
Intune Role Global ScopeHighIntune RBAC role has unrestricted global scope, applies to all resources with no scope tag restriction
Intune Role Over AssignedHighIntune RBAC role is assigned to many principals, broad exposure increases compromise risk
Intune Role Security SensitiveHighIntune RBAC role has security-sensitive permissions, touches security baselines, compliance, Defender, or endpoint protection
Pa Avoid Standing AccessHighAvoid standing access: privileged roles should use just-in-time activation via PIM
Pa Follow Least Privilege PrincipleHighFollow least privilege principle: users and apps should have minimum permissions needed
PIM Group Number Of Groups In High Privilege RolesHighCount of groups assigned to highly privileged directory roles
PIM Policy Enablement Rule Not SetHighPIM enablement rule is not set for a role. The role lacks activation workflow configuration
PIM Policy Justification RequiredHighPIM policy requires a justification for role activation
PIM Policy Maximum DurationHighPIM policy maximum activation duration for a role
PIM Policy Missing For GroupHighGroup has a direct role assignment with no PIM policy governing activation
PIM Policy Missing For Service PrincipalHighService principal has a direct role assignment with no PIM policy governing activation
PIM Policy Ticketing RequiredHighPIM policy requires a support ticket number for role activation
PIM Roles Assigned Outside PIMHighA role was assigned outside of Privileged Identity Management. Standing assignments bypass PIM activation controls entirely
PIM Service Principal Count In High Privileged RolesHighCount of service principals assigned to highly privileged directory roles (e.g., Global Administrator, Privileged Role Administrator)
PIM User Number Of Users In High Privilege RolesHighCount of users assigned to highly privileged directory roles
Role Custom Role In UseHighA custom (non-built-in) role definition has active assignments
Role Direct User AssignmentHighUser is directly assigned to a privileged role instead of via a group
Role No Roles Assigned To RuleHighNo roles are assigned to a PIM governance rule. The rule exists but covers no roles
Role Overlapping High PrivilegeHighA single principal holds multiple highly-privileged roles, indicating role creep
Sp High Risk PermissionsHighService principal has been granted high-risk Graph API permissions
Sp Service Principal Member Of Directory RoleHighService principal is a member of one or more directory roles. Service principals with role assignments have elevated tenant access
Sp Service Principal Review API AssignmentHighService principal has API permission assignments that should be reviewed
Sub Contributor At Subscription ScopeHighUser holds the Contributor role at subscription scope
Sub Foreign Group Role AssignmentHighForeign group (outside the tenant) has a role assignment on the subscription
Sub Owner At Subscription ScopeHighUser holds the Owner role at subscription scope, full control
Sub Service Principal High RoleHighService principal holds a high-privilege role at subscription scope
Sub User Access Admin At Subscription ScopeHighUser holds the User Access Administrator role at subscription scope. Can grant any Azure role to any user
User Highly Privileged User Has No P1 Or P2HighHighly privileged user lacks Entra ID P1/P2 license. Required for CA, PIM, and ID Protection
User Privileged User Is Not EnabledHighPrivileged user account is disabled but still has role assignments
Agents Agent Identity Blueprint Inheritable PermissionMediumAn AI Agent Identity Blueprint has inheritable permissions configured.
Agents Agent Identity Blueprint Inheritable Permission BlueprintMediumAn AI Agent Identity Blueprint is registered in this tenant.
Agents Agent Identity Blueprint Inheritable Permission IdentityMediumAn AI Agent Identity (service principal) is associated with an Agent Identity Blueprint.
Agents Agent Identity Blueprint Inheritable Permission UserMediumA user account is associated with an AI Agent Identity.
App Federated Identity Credential Broad ScopeMediumApplication has a federated identity credential with an overly broad audience or wildcard subject that could allow unintended workloads to authenticate
App High Risk PermissionsMediumApplication has been granted high-risk delegated permissions (e.g., MailReadWrite, DirectoryReadWriteAll). These scopes provide broad access to tenant data
App Insecure Redirect UriMediumApplication has an insecure redirect URI (e.g., HTTP instead of HTTPS, localhost in production, wildcard domains, or deprecated OOB redirect URIs)
App Mgmt No Secret Lifetime RestrictionMediumNo secret lifetime restriction on apps
App Mgmt Policy DisabledMediumApp management policy disabled
App Multi Tenant With High PrivilegesMediumMulti-tenant application with elevated permissions and active credentials. External-facing apps with broad access require extra scrutiny
Auth Policy Guest Same As MemberMediumGuest users have the same access as member users. Guests should have restricted default permissions
Auth Policy Users Can Create TenantsMediumUsers can create new Entra ID tenants. Uncontrolled tenant creation enables shadow-IT environments outside organizational governance
Ensure Human In The LoopMediumEnsure human-in-the-loop controls exist for high-risk AI decisions and actions
Intune Role DormantMediumIntune RBAC role has permissions but zero active assignments, dormant role
PIM Group Number Of Groups In Privilege RolesMediumCount of groups assigned to privileged directory roles
PIM Service Principal Count In Privileged RolesMediumCount of service principals assigned to privileged directory roles
Role Principal Count Per RoleMediumCount of principals assigned to this role. High counts on privileged roles increase blast radius
Role Unused Custom Role DefinitionMediumA custom role definition exists but has zero assignments
Sub Deleted Principal Role AssignmentMediumRole assignment references a principal that no longer exists, likely deleted
Sub Excessive Role AssignmentsMediumSubscription has excessive role assignments, indicating potential over-provisioning
User Privileged User Is Synced With On PremisesMediumPrivileged user is synced from on-premises AD. Cloud-only is recommended for admins
App Mgmt No Cert Lifetime RestrictionLowNo certificate lifetime restriction on apps
Group Guest MemberLowGroup contains one or more guest (external) members. Guests may access group resources including SharePoint sites and Teams channels
PIM User Number Of Users In Privilege RolesLowCount of users assigned to privileged directory roles
App Federated Identity CredentialsInfoApplication has federated identity credentials configured. These allow external identity providers to authenticate as this application
Group EmptyInfoGroup has zero members across users, nested groups, and service principals
Group Member Of Directory RoleInfoGroup is a member of one or more Entra ID directory roles. Groups with role assignments grant elevated access to all members
PIM Policy PIM Approval RequiredInfoPIM policy requires approval for role activation. Second-person authorization for privileged access
PIM Policy PIM MFA RequiredInfoPIM policy requires MFA for role activation. Confirms step-up auth is enforced

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB PA-1 (Privileged Access) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB PA-1 (Privileged Access) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.