Controls / MCSB / PA-7

MCSB PA-7: Privileged Access

48 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PA-7 (Privileged Access). Each is checked against your tenant, ranked by Severity, with validated remediation.

48 checksPrivileged AccessTop Severity: Critical

What MCSB PA-7 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PA-7 sits in the Privileged Access domain. Senserva evidences it with the 48 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 48 checks that evidence MCSB PA-7

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Role Excessive Destructive PermissionsCriticalIntune RBAC role has excessive destructive permissions, high count of delete, wipe, retire, or reset actions
Intune Role Privilege EscalationCriticalIntune RBAC role has permissions that allow privilege escalation, can manage roles or expand assignment scope
PIM Alerts No MFA On Activation AlertCriticalPIM alert: MFA is not required on role activation. Compromised credentials can escalate
PIM Policy Missing For UserCriticalUser has a direct role assignment with no PIM policy governing activation
Role Ai Administrator AssignedCriticalA principal is assigned the AI Administrator role, which controls all Microsoft 365 Copilot settings and AI data access boundaries
Role Standing High Privilege AssignmentCriticalStanding (permanent, non-PIM) assignment on a high-privilege role
Agents Agent Identity Blueprint Inheritable Permission High RiskHighAn AI agent has inheritable permissions that include high-risk Microsoft Graph scopes.
Auth Policy Guest Invite UnrestrictedHighGuest invitation policy is set to unrestricted, any user can invite external guests Broadens external access surface.
Auth Policy Msol Not BlockedHighLegacy MSOL PowerShell access is not blocked. MSOL bypasses modern auth controls and CA policies
Auth Policy Users Can Create Security GroupsHighUsers can create security groups without admin approval. Uncontrolled group creation leads to sprawl and unintended access grants
Auth Policy Users Can Register AppsHighUsers are allowed to register applications in the tenant. Overly permissive app registration increases shadow-app risk
Device Privileged User Non CompliantHighPrivileged user is using a non-compliant device. High-risk combination - admin activity from unmanaged devices undermines security controls
Group Public M365 GroupHighMicrosoft 365 group has Public visibility. Any tenant user can access group content including files, conversations, and calendar without joining
Intune Role Custom High RiskHighCustom Intune RBAC role with elevated risk score, not a Microsoft built-in role
Intune Role Global ScopeHighIntune RBAC role has unrestricted global scope, applies to all resources with no scope tag restriction
Intune Role Over AssignedHighIntune RBAC role is assigned to many principals, broad exposure increases compromise risk
Intune Role Security SensitiveHighIntune RBAC role has security-sensitive permissions, touches security baselines, compliance, Defender, or endpoint protection
License Missing Licenses Required For Highly Privileged AccountHighHighly privileged account (e.g., Global Admin) is missing licenses required by the security baseline. These accounts need maximum protection features enabled
PIM Alerts License SuspendedHighPIM license is suspended. PIM protections are not enforced without an active license
PIM Alerts Stale Alert IncidentHighPIM alert: stale role assignment detected. A user's privileged role has not been activated recently
PIM Alerts Too Many Global Admins Assigned To Tenant Alert IncidentHighPIM alert: too many Global Admins assigned to the tenant
PIM Policy Missing For GroupHighGroup has a direct role assignment with no PIM policy governing activation
PIM Policy Missing For Service PrincipalHighService principal has a direct role assignment with no PIM policy governing activation
PIM Roles Assigned Outside PIMHighA role was assigned outside of Privileged Identity Management. Standing assignments bypass PIM activation controls entirely
Role Custom Role In UseHighA custom (non-built-in) role definition has active assignments
Role Direct User AssignmentHighUser is directly assigned to a privileged role instead of via a group
Role No Roles Assigned To RuleHighNo roles are assigned to a PIM governance rule. The rule exists but covers no roles
Sub Custom Role With Wildcard ActionsHighCustom Azure role uses wildcard (*) actions, granting broad permissions
Sub Owner At Subscription ScopeHighUser holds the Owner role at subscription scope, full control
Sub User Access Admin At Subscription ScopeHighUser holds the User Access Administrator role at subscription scope. Can grant any Azure role to any user
User Highly Privileged User Has No P1 Or P2HighHighly privileged user lacks Entra ID P1/P2 license. Required for CA, PIM, and ID Protection
User Privileged User Is Not EnabledHighPrivileged user account is disabled but still has role assignments
Admin Missing User Required For Admin License MatchMediumAdmin user is missing required licenses defined in the security baseline for admin accounts
Auth Policy Guest Same As MemberMediumGuest users have the same access as member users. Guests should have restricted default permissions
Auth Policy Users Can Create TenantsMediumUsers can create new Entra ID tenants. Uncontrolled tenant creation enables shadow-IT environments outside organizational governance
Group Creation UnrestrictedMediumM365 group creation unrestricted
Intune Role DormantMediumIntune RBAC role has permissions but zero active assignments, dormant role
License Missing Licenses Required For Privileged AccountMediumPrivileged account is missing licenses required by the security baseline (e.g., Entra ID P1/P2 for Conditional Access and PIM)
License SKU SuspendedMediumSKU subscription is suspended. Security features provided by this license are inactive for all assigned users
PIM Alert Configuration IncorrectMediumPIM alert configuration is incorrect or misconfigured for the tenant
PIM Missing Alert TypeMediumExpected PIM alert type is missing from the tenant's alert configuration
Role Unused Custom Role DefinitionMediumA custom role definition exists but has zero assignments
Sub Deleted Principal Role AssignmentMediumRole assignment references a principal that no longer exists, likely deleted
User Privileged User Is Synced With On PremisesMediumPrivileged user is synced from on-premises AD. Cloud-only is recommended for admins
Group Guest Access EnabledLowGuest access to M365 groups enabled
Group Naming Policy MissingInfoNo group naming policy configured
Group Usage Guideline MissingInfoNo group usage guidelines URL configured
PIM AlertsInfoPIM alert record with role, assignee, and last activation details

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB PA-7 (Privileged Access) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB PA-7 (Privileged Access) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.