Controls / SCuBA / MS.AAD.3.3v2
SCuBA MS.AAD.3.3v2
19 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.3.3v2, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.
What MS.AAD.3.3v2 is
CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.3.3v2 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 19 checks below. See the exact policy statement and implementation steps in the CISA baseline.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 19 checks that evidence SCuBA MS.AAD.3.3v2
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Risk Detection Anomalous Token | Critical | Anomalous token usage detected Token properties or usage patterns do not match expected behavior. |
| Risk Detection Leaked Credentials | Critical | Leaked credentials detected. Credentials for this user were found exposed publicly |
| Risk Detection Malicious IP Address | Critical | Sign-in from a known malicious IP address. |
| Risk Detection Offline | Critical | Risk detection was discovered offline (retroactively). The compromise predates the detection |
| Risk Detection State Confirmed Compromised | Critical | Risk detection is confirmed compromised. Immediate action required |
| Risk Detection Token Issuer Anomaly | Critical | Token issuer anomaly detected The token was issued by an unexpected or suspicious authority. |
| Group Public M365 Group | High | Microsoft 365 group has Public visibility. Any tenant user can access group content including files, conversations, and calendar without joining |
| MFA MFA For Guest Not Found | High | No Conditional Access policy requiring MFA for guest users was found. Guest accounts without MFA are vulnerable to credential compromise |
| Risk Detection Anonymized IP Address | High | Sign-in from an anonymized IP address (VPN, Tor, or proxy) |
| Risk Detection Stale | High | Unresolved risk detection has exceeded the configured stale threshold |
| Risk Detection State At Risk | High | Risk detection is in AtRisk state and has not been remediated |
| Risk Detection State Dismissed | High | Risk detection was dismissed without documented remediation |
| Risk Detection Suspicious IP Address | High | Sign-in from a suspicious IP address flagged by threat intelligence |
| Risk Level During Signin | High | Risk level recorded during a user sign-in event |
| MFA Temporary Access Pass Not Once Only | Medium | Temporary Access Pass is configured to allow multiple uses instead of once-only. Multi-use TAPs increase the window of exposure if intercepted |
| Risk Detection Data Missing | Medium | Risk detection has a null, None, Hidden, or unknown risk level. May indicate Identity Protection is not licensed or data is incomplete |
| Group Guest Member | Low | Group contains one or more guest (external) members. Guests may access group resources including SharePoint sites and Teams channels |
| Group Empty | Info | Group has zero members across users, nested groups, and service principals |
| Group Member Of Directory Role | Info | Group is a member of one or more Entra ID directory roles. Groups with role assignments grant elevated access to all members |
Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.