Controls / SCuBA / MS.AAD.1.1v1
SCuBA MS.AAD.1.1v1
60 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.1.1v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.
What MS.AAD.1.1v1 is
CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.1.1v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 60 checks below. See the exact policy statement and implementation steps in the CISA baseline.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 60 checks that evidence SCuBA MS.AAD.1.1v1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Conditional Access Admin Portal Missing MFA | Critical | Admin portal access lacks MFA for privileged users. Detected via What-If per user |
| Conditional Access Break Glass Account Covered By Policy | Critical | Break-glass (emergency access) account is not explicitly excluded from one or more enabled Conditional Access policies. The account may be blocked or challenged during an emergency sign-in |
| Conditional Access Group Critical Coverage Gap | Critical | Group has no Conditional Access policy coverage (critical). The group is excluded from all applicable CA policies with no alternative coverage |
| Conditional Access MFA Policy Bypassed | Critical | MFA policy exists but sign-ins succeeded without MFA. Detected by sign-in replay vs What-If |
| Conditional Access User Critical Coverage Gap | Critical | User has no Conditional Access MFA coverage (critical). This user is excluded from all applicable MFA policies with no alternative coverage |
| Conditional Access Block Legacy Exchange Active Sync Not Found | High | No Conditional Access policy blocks legacy Exchange ActiveSync authentication for all users. EAS is a common vector for credential-based attacks since it bypasses modern auth |
| Conditional Access Block Requested Platforms | High | A CA policy blocks a device platform listed in the security baseline's blocked set |
| Conditional Access Browser O365 Missing MFA | High | Browser access to O365 not protected by MFA for this user. Detected via What-If |
| Conditional Access Enforces Block Unknown Device Not Found | High | No CA policy blocks unknown/unsupported device platforms |
| Conditional Access Enforces MFA For High And Medium Risk Users Not Found | High | No CA policy enforces MFA for high and medium risk users |
| Conditional Access Enforces Password For High Risk Users Not Found | High | No CA policy enforces password change for high-risk users |
| Conditional Access Enforces Risk Levels Not Found | High | No CA policy references sign-in or user risk levels. Risk-based CA is missing |
| Conditional Access Group High Coverage Gap | High | Group has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this group |
| Conditional Access Password Change Bypassed | High | Password-change grant control bypassed in actual sign-ins. Detected by sign-in replay |
| Conditional Access Policy Included Location Has Unwanted Country | High | A CA policy's included location list contains a country flagged as unwanted |
| Conditional Access Require Block From Untrusted Countries For All Users | High | A CA policy includes an untrusted named location and applies to all users/apps, blocking untrusted countries |
| Conditional Access Require Block Legacy Other Not Found | High | No Conditional Access policy blocks legacy "Other" client app type. Older protocols like MAPI, SMTP, POP, and IMAP remain open |
| Conditional Access Untrusted Location Missing MFA | High | Privileged user access from untrusted locations not protected by MFA. Detected via What-If |
| Conditional Access User High Coverage Gap | High | User has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this user |
| Conditional Access User Logged In Without Conditional Access Policy | High | User has sign-in activity but no Conditional Access policies were applied to any of their sign-ins. Indicates the user is signing in completely outside CA policy coverage |
| Conditional Access Critical Coverage Gap | Medium | Tenant-wide coverage matrix found a critical coverage gap. Core scenario has no policy |
| Conditional Access Device Code Flow Not Blocked | Medium | Device code flow not blocked for privileged users. Detected via What-If |
| Conditional Access Enforces MFA For All Users Not Found | Medium | No Conditional Access policy was found that enforces MFA for all users across all applications. Indicates a fundamental gap in tenant-wide MFA coverage |
| Conditional Access Enforces Risk Levels Both Signin And User Risk In Same Policy | Medium | A single CA policy includes both sign-in risk and user risk. Microsoft recommends separating these |
| Conditional Access Graph API Missing MFA | Medium | Privileged user Graph API access not protected by MFA. Detected via What-If |
| Conditional Access Group Coverage Gap | Medium | Group has a Conditional Access coverage gap. A CA scenario does not cover this group |
| Conditional Access Group With Policy Exclusions | Medium | Group is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely |
| Conditional Access High Coverage Gap | Medium | Tenant-wide coverage matrix found a high-severity coverage gap |
| Conditional Access High Risk Sign In Not Protected | Medium | High-risk sign-in scenarios not protected by MFA or block policies. Detected via What-If |
| Conditional Access Mobile App Missing Protection | Medium | Mobile app access not protected by MFA/app protection for this user. Detected via What-If |
| Conditional Access Policy Covers Device Code Flow Not Found | Medium | A CA policy covers device code flow with block or device-compliance grant |
| Conditional Access Policy Device Excluded By Filter | Medium | A CA policy's device filter excludes this device. Tracks which devices are excluded from enforcement |
| Conditional Access Require Block Legacy Other Found | Medium | A Conditional Access policy blocking legacy "Other" client app type is present and active |
| Conditional Access Risky User Not Protected | Medium | High-risk user scenarios lack password change or block. Detected via What-If |
| Conditional Access User Coverage Gap | Medium | User has a Conditional Access coverage gap. A CA scenario does not cover this user |
| Conditional Access User Rule Applies In What If Read Only | Medium | A CA policy applies to this user in What-If but is in report-only mode, not enforcing |
| Conditional Access User Rule Does Not Apply In What If | Medium | No Conditional Access policy applies to this user for a given What-If scenario, a coverage gap |
| Conditional Access What If Missing Legacy App Policy | Medium | What-If found no policy blocking legacy authentication for this user |
| Conditional Access Break Glass Account Excluded | Low | Break-glass (emergency access) account is excluded from all enabled Conditional Access policies. Emergency access is preserved |
| Conditional Access Coverage Gap | Low | Tenant-wide coverage matrix found a coverage gap (medium or lower) |
| Conditional Access Device Compliance Bypassed | Low | Device compliance policy bypassed in actual sign-ins. Detected by sign-in replay |
| Conditional Access Es Device Sign In Not Time Based Non Compliant Devices | Low | A CA policy has sign-in frequency enabled but not time-based or not targeting non-compliant devices |
| Conditional Access Policy Not Enforced | Low | CA policies should apply per What-If but are not enforced on actual sign-ins |
| Conditional Access Unmanaged Device Not Protected | Low | No CA policy protects access from unmanaged devices for this user. Detected via What-If |
| Conditional Access Block Legacy Exchange Active Sync Found | Info | A Conditional Access policy blocking legacy Exchange ActiveSync authentication was found |
| Conditional Access Enforces Block Unknown Device | Info | A CA policy blocks sign-ins from unknown/unsupported device platforms across all apps |
| Conditional Access Enforces MFA For All Users | Info | A Conditional Access policy enforcing MFA for all users and all applications was found. Confirms tenant-wide MFA baseline is in place |
| Conditional Access Enforces MFA For High And Medium Risk Users | Info | A CA policy enforces MFA for high and medium risk users across all apps |
| Conditional Access Enforces Password For High Risk Users | Info | A CA policy enforces password change for high-risk users across all apps |
| Conditional Access Enforces Risk Levels | Info | A CA policy references sign-in risk or user risk levels. Confirms risk-based policies are active |
| Conditional Access Es Device Not Persistent Browser For Non Compliant Devices | Info | A CA policy disables persistent browser sessions for non-compliant devices |
| Conditional Access Es Device Signin Timebased For Non Compliant Devices | Info | A CA policy enforces time-based sign-in frequency for non-compliant devices |
| Conditional Access Loc Entra Location Data | Info | Entra ID named location data record. Emitted per named location for visibility into CA location definitions |
| Conditional Access MFA For Guest Found | Info | A Conditional Access policy enforcing MFA for guest/external users was found |
| Conditional Access Permission Check Skipped | Info | Security checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies |
| Conditional Access Policy Blocks All But Allowed Countries | Info | A CA policy excludes allowed countries and blocks everything else (geo-fencing allow-list) |
| Conditional Access Policy Change | Info | A Conditional Access policy was modified. Detected from directory audit logs |
| Conditional Access Policy Device Included By Filter | Info | A CA policy's device filter includes this device via its filter rule |
| Conditional Access Policy Only Allows Approved Countries | Info | A CA policy includes only approved countries with no disallowed countries |
| Conditional Access User Rule Applies In What If | Info | A Conditional Access policy applies to this user in What-If scenario evaluation. Reports the policy name and enforcement details (MFA, device compliance) |
Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.