MCSB PA-4: Privileged Access
11 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PA-4 (Privileged Access). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB PA-4 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PA-4 sits in the Privileged Access domain. Senserva evidences it with the 11 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 11 checks that evidence MCSB PA-4
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Conditional Access Break Glass Account Covered By Policy | Critical | Break-glass (emergency access) account is not explicitly excluded from one or more enabled Conditional Access policies. The account may be blocked or challenged during an emergency sign-in |
| User Break Glass Account Disabled | Critical | Break-glass (emergency access) account is disabled. Break-glass accounts must remain enabled for emergency tenant recovery |
| User Break Glass Account Is Not Highly Privileged | Critical | Break-glass account does not have highly privileged roles assigned. Emergency accounts must have Global Admin or equivalent to be effective |
| User Break Glass Account Last Password Change | Critical | Break-glass account last password change timestamp. Passwords on emergency accounts should be changed on a regular schedule per policy |
| User Break Glass User Not Enabled | Critical | Break-glass account user is not enabled (account exists but is inactive) |
| User Break Glass User Has Login History | High | Break-glass account has recent sign-in history. This may be expected for testing or may indicate unauthorized use - requires investigation |
| User Break Glass User Has No Login History | High | Break-glass account has no sign-in history. Expected for dormant emergency accounts but periodic testing is recommended |
| App Mgmt No Secret Lifetime Restriction | Medium | No secret lifetime restriction on apps |
| App Mgmt Policy Disabled | Medium | App management policy disabled |
| App Mgmt No Cert Lifetime Restriction | Low | No certificate lifetime restriction on apps |
| Conditional Access Break Glass Account Excluded | Low | Break-glass (emergency access) account is excluded from all enabled Conditional Access policies. Emergency access is preserved |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.