MCSB PA-1: Privileged Access
73 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PA-1 (Privileged Access). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB PA-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PA-1 sits in the Privileged Access domain. Senserva evidences it with the 73 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 73 checks that evidence MCSB PA-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Role Excessive Destructive Permissions | Critical | Intune RBAC role has excessive destructive permissions, high count of delete, wipe, retire, or reset actions |
| Intune Role Privilege Escalation | Critical | Intune RBAC role has permissions that allow privilege escalation, can manage roles or expand assignment scope |
| PIM Policy Expiration Required | Critical | PIM policy does not require expiration for role assignments. Permanent assignments violate just-in-time access principles |
| PIM Policy Missing For User | Critical | User has a direct role assignment with no PIM policy governing activation |
| Role Ai Administrator Assigned | Critical | A principal is assigned the AI Administrator role, which controls all Microsoft 365 Copilot settings and AI data access boundaries |
| Role Standing High Privilege Assignment | Critical | Standing (permanent, non-PIM) assignment on a high-privilege role |
| Sp Critical Graph Permission | Critical | Service principal has been granted critical Graph API permissions that enable privilege escalation (e.g., RoleManagementReadWriteDirectory, ApplicationReadWriteAll) |
| Agents Agent Identity Blueprint Inheritable Permission High Risk | High | An AI agent has inheritable permissions that include high-risk Microsoft Graph scopes. |
| App Broad Consent Scope | High | Application has admin consent granted for all users (ConsentType = AllPrincipals). Broad consent means every user is affected if the app is compromised |
| Apply Least Privilege For Agent Functions | High | Apply least-privilege principle to AI agent functions to limit blast radius of misuse |
| Auth Policy Guest Invite Unrestricted | High | Guest invitation policy is set to unrestricted, any user can invite external guests Broadens external access surface. |
| Auth Policy Msol Not Blocked | High | Legacy MSOL PowerShell access is not blocked. MSOL bypasses modern auth controls and CA policies |
| Auth Policy Users Can Create Security Groups | High | Users can create security groups without admin approval. Uncontrolled group creation leads to sprawl and unintended access grants |
| Auth Policy Users Can Register Apps | High | Users are allowed to register applications in the tenant. Overly permissive app registration increases shadow-app risk |
| Intune Role Custom High Risk | High | Custom Intune RBAC role with elevated risk score, not a Microsoft built-in role |
| Intune Role Global Scope | High | Intune RBAC role has unrestricted global scope, applies to all resources with no scope tag restriction |
| Intune Role Over Assigned | High | Intune RBAC role is assigned to many principals, broad exposure increases compromise risk |
| Intune Role Security Sensitive | High | Intune RBAC role has security-sensitive permissions, touches security baselines, compliance, Defender, or endpoint protection |
| Pa Avoid Standing Access | High | Avoid standing access: privileged roles should use just-in-time activation via PIM |
| Pa Follow Least Privilege Principle | High | Follow least privilege principle: users and apps should have minimum permissions needed |
| PIM Group Number Of Groups In High Privilege Roles | High | Count of groups assigned to highly privileged directory roles |
| PIM Policy Enablement Rule Not Set | High | PIM enablement rule is not set for a role. The role lacks activation workflow configuration |
| PIM Policy Justification Required | High | PIM policy requires a justification for role activation |
| PIM Policy Maximum Duration | High | PIM policy maximum activation duration for a role |
| PIM Policy Missing For Group | High | Group has a direct role assignment with no PIM policy governing activation |
| PIM Policy Missing For Service Principal | High | Service principal has a direct role assignment with no PIM policy governing activation |
| PIM Policy Ticketing Required | High | PIM policy requires a support ticket number for role activation |
| PIM Roles Assigned Outside PIM | High | A role was assigned outside of Privileged Identity Management. Standing assignments bypass PIM activation controls entirely |
| PIM Service Principal Count In High Privileged Roles | High | Count of service principals assigned to highly privileged directory roles (e.g., Global Administrator, Privileged Role Administrator) |
| PIM User Number Of Users In High Privilege Roles | High | Count of users assigned to highly privileged directory roles |
| Role Custom Role In Use | High | A custom (non-built-in) role definition has active assignments |
| Role Direct User Assignment | High | User is directly assigned to a privileged role instead of via a group |
| Role No Roles Assigned To Rule | High | No roles are assigned to a PIM governance rule. The rule exists but covers no roles |
| Role Overlapping High Privilege | High | A single principal holds multiple highly-privileged roles, indicating role creep |
| Sp High Risk Permissions | High | Service principal has been granted high-risk Graph API permissions |
| Sp Service Principal Member Of Directory Role | High | Service principal is a member of one or more directory roles. Service principals with role assignments have elevated tenant access |
| Sp Service Principal Review API Assignment | High | Service principal has API permission assignments that should be reviewed |
| Sub Contributor At Subscription Scope | High | User holds the Contributor role at subscription scope |
| Sub Foreign Group Role Assignment | High | Foreign group (outside the tenant) has a role assignment on the subscription |
| Sub Owner At Subscription Scope | High | User holds the Owner role at subscription scope, full control |
| Sub Service Principal High Role | High | Service principal holds a high-privilege role at subscription scope |
| Sub User Access Admin At Subscription Scope | High | User holds the User Access Administrator role at subscription scope. Can grant any Azure role to any user |
| User Highly Privileged User Has No P1 Or P2 | High | Highly privileged user lacks Entra ID P1/P2 license. Required for CA, PIM, and ID Protection |
| User Privileged User Is Not Enabled | High | Privileged user account is disabled but still has role assignments |
| Agents Agent Identity Blueprint Inheritable Permission | Medium | An AI Agent Identity Blueprint has inheritable permissions configured. |
| Agents Agent Identity Blueprint Inheritable Permission Blueprint | Medium | An AI Agent Identity Blueprint is registered in this tenant. |
| Agents Agent Identity Blueprint Inheritable Permission Identity | Medium | An AI Agent Identity (service principal) is associated with an Agent Identity Blueprint. |
| Agents Agent Identity Blueprint Inheritable Permission User | Medium | A user account is associated with an AI Agent Identity. |
| App Federated Identity Credential Broad Scope | Medium | Application has a federated identity credential with an overly broad audience or wildcard subject that could allow unintended workloads to authenticate |
| App High Risk Permissions | Medium | Application has been granted high-risk delegated permissions (e.g., MailReadWrite, DirectoryReadWriteAll). These scopes provide broad access to tenant data |
| App Insecure Redirect Uri | Medium | Application has an insecure redirect URI (e.g., HTTP instead of HTTPS, localhost in production, wildcard domains, or deprecated OOB redirect URIs) |
| App Mgmt No Secret Lifetime Restriction | Medium | No secret lifetime restriction on apps |
| App Mgmt Policy Disabled | Medium | App management policy disabled |
| App Multi Tenant With High Privileges | Medium | Multi-tenant application with elevated permissions and active credentials. External-facing apps with broad access require extra scrutiny |
| Auth Policy Guest Same As Member | Medium | Guest users have the same access as member users. Guests should have restricted default permissions |
| Auth Policy Users Can Create Tenants | Medium | Users can create new Entra ID tenants. Uncontrolled tenant creation enables shadow-IT environments outside organizational governance |
| Ensure Human In The Loop | Medium | Ensure human-in-the-loop controls exist for high-risk AI decisions and actions |
| Intune Role Dormant | Medium | Intune RBAC role has permissions but zero active assignments, dormant role |
| PIM Group Number Of Groups In Privilege Roles | Medium | Count of groups assigned to privileged directory roles |
| PIM Service Principal Count In Privileged Roles | Medium | Count of service principals assigned to privileged directory roles |
| Role Principal Count Per Role | Medium | Count of principals assigned to this role. High counts on privileged roles increase blast radius |
| Role Unused Custom Role Definition | Medium | A custom role definition exists but has zero assignments |
| Sub Deleted Principal Role Assignment | Medium | Role assignment references a principal that no longer exists, likely deleted |
| Sub Excessive Role Assignments | Medium | Subscription has excessive role assignments, indicating potential over-provisioning |
| User Privileged User Is Synced With On Premises | Medium | Privileged user is synced from on-premises AD. Cloud-only is recommended for admins |
| App Mgmt No Cert Lifetime Restriction | Low | No certificate lifetime restriction on apps |
| Group Guest Member | Low | Group contains one or more guest (external) members. Guests may access group resources including SharePoint sites and Teams channels |
| PIM User Number Of Users In Privilege Roles | Low | Count of users assigned to privileged directory roles |
| App Federated Identity Credentials | Info | Application has federated identity credentials configured. These allow external identity providers to authenticate as this application |
| Group Empty | Info | Group has zero members across users, nested groups, and service principals |
| Group Member Of Directory Role | Info | Group is a member of one or more Entra ID directory roles. Groups with role assignments grant elevated access to all members |
| PIM Policy PIM Approval Required | Info | PIM policy requires approval for role activation. Second-person authorization for privileged access |
| PIM Policy PIM MFA Required | Info | PIM policy requires MFA for role activation. Confirms step-up auth is enforced |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.