MCSB PA-2: Privileged Access
10 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PA-2 (Privileged Access). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB PA-2 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PA-2 sits in the Privileged Access domain. Senserva evidences it with the 10 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 10 checks that evidence MCSB PA-2
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| PIM Policy Expiration Required | Critical | PIM policy does not require expiration for role assignments. Permanent assignments violate just-in-time access principles |
| Role Standing High Privilege Assignment | Critical | Standing (permanent, non-PIM) assignment on a high-privilege role |
| Pa Avoid Standing Access | High | Avoid standing access: privileged roles should use just-in-time activation via PIM |
| Pa Follow Least Privilege Principle | High | Follow least privilege principle: users and apps should have minimum permissions needed |
| PIM Policy Enablement Rule Not Set | High | PIM enablement rule is not set for a role. The role lacks activation workflow configuration |
| PIM Policy Justification Required | High | PIM policy requires a justification for role activation |
| PIM Policy Maximum Duration | High | PIM policy maximum activation duration for a role |
| PIM Policy Ticketing Required | High | PIM policy requires a support ticket number for role activation |
| PIM Policy PIM Approval Required | Info | PIM policy requires approval for role activation. Second-person authorization for privileged access |
| PIM Policy PIM MFA Required | Info | PIM policy requires MFA for role activation. Confirms step-up auth is enforced |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.