MCSB PA-7: Privileged Access
48 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PA-7 (Privileged Access). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB PA-7 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PA-7 sits in the Privileged Access domain. Senserva evidences it with the 48 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 48 checks that evidence MCSB PA-7
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Role Excessive Destructive Permissions | Critical | Intune RBAC role has excessive destructive permissions, high count of delete, wipe, retire, or reset actions |
| Intune Role Privilege Escalation | Critical | Intune RBAC role has permissions that allow privilege escalation, can manage roles or expand assignment scope |
| PIM Alerts No MFA On Activation Alert | Critical | PIM alert: MFA is not required on role activation. Compromised credentials can escalate |
| PIM Policy Missing For User | Critical | User has a direct role assignment with no PIM policy governing activation |
| Role Ai Administrator Assigned | Critical | A principal is assigned the AI Administrator role, which controls all Microsoft 365 Copilot settings and AI data access boundaries |
| Role Standing High Privilege Assignment | Critical | Standing (permanent, non-PIM) assignment on a high-privilege role |
| Agents Agent Identity Blueprint Inheritable Permission High Risk | High | An AI agent has inheritable permissions that include high-risk Microsoft Graph scopes. |
| Auth Policy Guest Invite Unrestricted | High | Guest invitation policy is set to unrestricted, any user can invite external guests Broadens external access surface. |
| Auth Policy Msol Not Blocked | High | Legacy MSOL PowerShell access is not blocked. MSOL bypasses modern auth controls and CA policies |
| Auth Policy Users Can Create Security Groups | High | Users can create security groups without admin approval. Uncontrolled group creation leads to sprawl and unintended access grants |
| Auth Policy Users Can Register Apps | High | Users are allowed to register applications in the tenant. Overly permissive app registration increases shadow-app risk |
| Device Privileged User Non Compliant | High | Privileged user is using a non-compliant device. High-risk combination - admin activity from unmanaged devices undermines security controls |
| Group Public M365 Group | High | Microsoft 365 group has Public visibility. Any tenant user can access group content including files, conversations, and calendar without joining |
| Intune Role Custom High Risk | High | Custom Intune RBAC role with elevated risk score, not a Microsoft built-in role |
| Intune Role Global Scope | High | Intune RBAC role has unrestricted global scope, applies to all resources with no scope tag restriction |
| Intune Role Over Assigned | High | Intune RBAC role is assigned to many principals, broad exposure increases compromise risk |
| Intune Role Security Sensitive | High | Intune RBAC role has security-sensitive permissions, touches security baselines, compliance, Defender, or endpoint protection |
| License Missing Licenses Required For Highly Privileged Account | High | Highly privileged account (e.g., Global Admin) is missing licenses required by the security baseline. These accounts need maximum protection features enabled |
| PIM Alerts License Suspended | High | PIM license is suspended. PIM protections are not enforced without an active license |
| PIM Alerts Stale Alert Incident | High | PIM alert: stale role assignment detected. A user's privileged role has not been activated recently |
| PIM Alerts Too Many Global Admins Assigned To Tenant Alert Incident | High | PIM alert: too many Global Admins assigned to the tenant |
| PIM Policy Missing For Group | High | Group has a direct role assignment with no PIM policy governing activation |
| PIM Policy Missing For Service Principal | High | Service principal has a direct role assignment with no PIM policy governing activation |
| PIM Roles Assigned Outside PIM | High | A role was assigned outside of Privileged Identity Management. Standing assignments bypass PIM activation controls entirely |
| Role Custom Role In Use | High | A custom (non-built-in) role definition has active assignments |
| Role Direct User Assignment | High | User is directly assigned to a privileged role instead of via a group |
| Role No Roles Assigned To Rule | High | No roles are assigned to a PIM governance rule. The rule exists but covers no roles |
| Sub Custom Role With Wildcard Actions | High | Custom Azure role uses wildcard (*) actions, granting broad permissions |
| Sub Owner At Subscription Scope | High | User holds the Owner role at subscription scope, full control |
| Sub User Access Admin At Subscription Scope | High | User holds the User Access Administrator role at subscription scope. Can grant any Azure role to any user |
| User Highly Privileged User Has No P1 Or P2 | High | Highly privileged user lacks Entra ID P1/P2 license. Required for CA, PIM, and ID Protection |
| User Privileged User Is Not Enabled | High | Privileged user account is disabled but still has role assignments |
| Admin Missing User Required For Admin License Match | Medium | Admin user is missing required licenses defined in the security baseline for admin accounts |
| Auth Policy Guest Same As Member | Medium | Guest users have the same access as member users. Guests should have restricted default permissions |
| Auth Policy Users Can Create Tenants | Medium | Users can create new Entra ID tenants. Uncontrolled tenant creation enables shadow-IT environments outside organizational governance |
| Group Creation Unrestricted | Medium | M365 group creation unrestricted |
| Intune Role Dormant | Medium | Intune RBAC role has permissions but zero active assignments, dormant role |
| License Missing Licenses Required For Privileged Account | Medium | Privileged account is missing licenses required by the security baseline (e.g., Entra ID P1/P2 for Conditional Access and PIM) |
| License SKU Suspended | Medium | SKU subscription is suspended. Security features provided by this license are inactive for all assigned users |
| PIM Alert Configuration Incorrect | Medium | PIM alert configuration is incorrect or misconfigured for the tenant |
| PIM Missing Alert Type | Medium | Expected PIM alert type is missing from the tenant's alert configuration |
| Role Unused Custom Role Definition | Medium | A custom role definition exists but has zero assignments |
| Sub Deleted Principal Role Assignment | Medium | Role assignment references a principal that no longer exists, likely deleted |
| User Privileged User Is Synced With On Premises | Medium | Privileged user is synced from on-premises AD. Cloud-only is recommended for admins |
| Group Guest Access Enabled | Low | Guest access to M365 groups enabled |
| Group Naming Policy Missing | Info | No group naming policy configured |
| Group Usage Guideline Missing | Info | No group usage guidelines URL configured |
| PIM Alerts | Info | PIM alert record with role, assignee, and last activation details |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.