Controls / SCuBA / MS.AAD.3.2v1

SCuBA MS.AAD.3.2v1

60 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.3.2v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.

60 checksMicrosoft Entra IDTop Severity: Critical

What MS.AAD.3.2v1 is

CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.3.2v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 60 checks below. See the exact policy statement and implementation steps in the CISA baseline.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 60 checks that evidence SCuBA MS.AAD.3.2v1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Conditional Access Admin Portal Missing MFACriticalAdmin portal access lacks MFA for privileged users. Detected via What-If per user
Conditional Access Break Glass Account Covered By PolicyCriticalBreak-glass (emergency access) account is not explicitly excluded from one or more enabled Conditional Access policies. The account may be blocked or challenged during an emergency sign-in
Conditional Access Group Critical Coverage GapCriticalGroup has no Conditional Access policy coverage (critical). The group is excluded from all applicable CA policies with no alternative coverage
Conditional Access MFA Policy BypassedCriticalMFA policy exists but sign-ins succeeded without MFA. Detected by sign-in replay vs What-If
Conditional Access User Critical Coverage GapCriticalUser has no Conditional Access MFA coverage (critical). This user is excluded from all applicable MFA policies with no alternative coverage
Conditional Access Block Legacy Exchange Active Sync Not FoundHighNo Conditional Access policy blocks legacy Exchange ActiveSync authentication for all users. EAS is a common vector for credential-based attacks since it bypasses modern auth
Conditional Access Block Requested PlatformsHighA CA policy blocks a device platform listed in the security baseline's blocked set
Conditional Access Browser O365 Missing MFAHighBrowser access to O365 not protected by MFA for this user. Detected via What-If
Conditional Access Enforces Block Unknown Device Not FoundHighNo CA policy blocks unknown/unsupported device platforms
Conditional Access Enforces MFA For High And Medium Risk Users Not FoundHighNo CA policy enforces MFA for high and medium risk users
Conditional Access Enforces Password For High Risk Users Not FoundHighNo CA policy enforces password change for high-risk users
Conditional Access Enforces Risk Levels Not FoundHighNo CA policy references sign-in or user risk levels. Risk-based CA is missing
Conditional Access Group High Coverage GapHighGroup has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this group
Conditional Access Password Change BypassedHighPassword-change grant control bypassed in actual sign-ins. Detected by sign-in replay
Conditional Access Policy Included Location Has Unwanted CountryHighA CA policy's included location list contains a country flagged as unwanted
Conditional Access Require Block From Untrusted Countries For All UsersHighA CA policy includes an untrusted named location and applies to all users/apps, blocking untrusted countries
Conditional Access Require Block Legacy Other Not FoundHighNo Conditional Access policy blocks legacy "Other" client app type. Older protocols like MAPI, SMTP, POP, and IMAP remain open
Conditional Access Untrusted Location Missing MFAHighPrivileged user access from untrusted locations not protected by MFA. Detected via What-If
Conditional Access User High Coverage GapHighUser has a high-severity Conditional Access coverage gap. An important CA scenario (e.g., MFA) has no policy covering this user
Conditional Access User Logged In Without Conditional Access PolicyHighUser has sign-in activity but no Conditional Access policies were applied to any of their sign-ins. Indicates the user is signing in completely outside CA policy coverage
Conditional Access Critical Coverage GapMediumTenant-wide coverage matrix found a critical coverage gap. Core scenario has no policy
Conditional Access Device Code Flow Not BlockedMediumDevice code flow not blocked for privileged users. Detected via What-If
Conditional Access Enforces MFA For All Users Not FoundMediumNo Conditional Access policy was found that enforces MFA for all users across all applications. Indicates a fundamental gap in tenant-wide MFA coverage
Conditional Access Enforces Risk Levels Both Signin And User Risk In Same PolicyMediumA single CA policy includes both sign-in risk and user risk. Microsoft recommends separating these
Conditional Access Graph API Missing MFAMediumPrivileged user Graph API access not protected by MFA. Detected via What-If
Conditional Access Group Coverage GapMediumGroup has a Conditional Access coverage gap. A CA scenario does not cover this group
Conditional Access Group With Policy ExclusionsMediumGroup is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely
Conditional Access High Coverage GapMediumTenant-wide coverage matrix found a high-severity coverage gap
Conditional Access High Risk Sign In Not ProtectedMediumHigh-risk sign-in scenarios not protected by MFA or block policies. Detected via What-If
Conditional Access Mobile App Missing ProtectionMediumMobile app access not protected by MFA/app protection for this user. Detected via What-If
Conditional Access Policy Covers Device Code Flow Not FoundMediumA CA policy covers device code flow with block or device-compliance grant
Conditional Access Policy Device Excluded By FilterMediumA CA policy's device filter excludes this device. Tracks which devices are excluded from enforcement
Conditional Access Require Block Legacy Other FoundMediumA Conditional Access policy blocking legacy "Other" client app type is present and active
Conditional Access Risky User Not ProtectedMediumHigh-risk user scenarios lack password change or block. Detected via What-If
Conditional Access User Coverage GapMediumUser has a Conditional Access coverage gap. A CA scenario does not cover this user
Conditional Access User Rule Applies In What If Read OnlyMediumA CA policy applies to this user in What-If but is in report-only mode, not enforcing
Conditional Access User Rule Does Not Apply In What IfMediumNo Conditional Access policy applies to this user for a given What-If scenario, a coverage gap
Conditional Access What If Missing Legacy App PolicyMediumWhat-If found no policy blocking legacy authentication for this user
Conditional Access Break Glass Account ExcludedLowBreak-glass (emergency access) account is excluded from all enabled Conditional Access policies. Emergency access is preserved
Conditional Access Coverage GapLowTenant-wide coverage matrix found a coverage gap (medium or lower)
Conditional Access Device Compliance BypassedLowDevice compliance policy bypassed in actual sign-ins. Detected by sign-in replay
Conditional Access Es Device Sign In Not Time Based Non Compliant DevicesLowA CA policy has sign-in frequency enabled but not time-based or not targeting non-compliant devices
Conditional Access Policy Not EnforcedLowCA policies should apply per What-If but are not enforced on actual sign-ins
Conditional Access Unmanaged Device Not ProtectedLowNo CA policy protects access from unmanaged devices for this user. Detected via What-If
Conditional Access Block Legacy Exchange Active Sync FoundInfoA Conditional Access policy blocking legacy Exchange ActiveSync authentication was found
Conditional Access Enforces Block Unknown DeviceInfoA CA policy blocks sign-ins from unknown/unsupported device platforms across all apps
Conditional Access Enforces MFA For All UsersInfoA Conditional Access policy enforcing MFA for all users and all applications was found. Confirms tenant-wide MFA baseline is in place
Conditional Access Enforces MFA For High And Medium Risk UsersInfoA CA policy enforces MFA for high and medium risk users across all apps
Conditional Access Enforces Password For High Risk UsersInfoA CA policy enforces password change for high-risk users across all apps
Conditional Access Enforces Risk LevelsInfoA CA policy references sign-in risk or user risk levels. Confirms risk-based policies are active
Conditional Access Es Device Not Persistent Browser For Non Compliant DevicesInfoA CA policy disables persistent browser sessions for non-compliant devices
Conditional Access Es Device Signin Timebased For Non Compliant DevicesInfoA CA policy enforces time-based sign-in frequency for non-compliant devices
Conditional Access Loc Entra Location DataInfoEntra ID named location data record. Emitted per named location for visibility into CA location definitions
Conditional Access MFA For Guest FoundInfoA Conditional Access policy enforcing MFA for guest/external users was found
Conditional Access Permission Check SkippedInfoSecurity checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies
Conditional Access Policy Blocks All But Allowed CountriesInfoA CA policy excludes allowed countries and blocks everything else (geo-fencing allow-list)
Conditional Access Policy ChangeInfoA Conditional Access policy was modified. Detected from directory audit logs
Conditional Access Policy Device Included By FilterInfoA CA policy's device filter includes this device via its filter rule
Conditional Access Policy Only Allows Approved CountriesInfoA CA policy includes only approved countries with no disallowed countries
Conditional Access User Rule Applies In What IfInfoA Conditional Access policy applies to this user in What-If scenario evaluation. Reports the policy name and enforcement details (MFA, device compliance)

Also evidences

The same checks provide evidence for these frameworks:

Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence SCuBA MS.AAD.3.2v1 (Microsoft Entra ID) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
SCuBA MS.AAD.3.2v1 (Microsoft Entra ID) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.