Controls / SCuBA / MS.AAD.3.4v1

SCuBA MS.AAD.3.4v1

19 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.3.4v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.

19 checksMicrosoft Entra IDTop Severity: Critical

What MS.AAD.3.4v1 is

CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.3.4v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 19 checks below. See the exact policy statement and implementation steps in the CISA baseline.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 19 checks that evidence SCuBA MS.AAD.3.4v1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Risk Detection Anomalous TokenCriticalAnomalous token usage detected Token properties or usage patterns do not match expected behavior.
Risk Detection Leaked CredentialsCriticalLeaked credentials detected. Credentials for this user were found exposed publicly
Risk Detection Malicious IP AddressCriticalSign-in from a known malicious IP address.
Risk Detection OfflineCriticalRisk detection was discovered offline (retroactively). The compromise predates the detection
Risk Detection State Confirmed CompromisedCriticalRisk detection is confirmed compromised. Immediate action required
Risk Detection Token Issuer AnomalyCriticalToken issuer anomaly detected The token was issued by an unexpected or suspicious authority.
Group Public M365 GroupHighMicrosoft 365 group has Public visibility. Any tenant user can access group content including files, conversations, and calendar without joining
MFA MFA For Guest Not FoundHighNo Conditional Access policy requiring MFA for guest users was found. Guest accounts without MFA are vulnerable to credential compromise
Risk Detection Anonymized IP AddressHighSign-in from an anonymized IP address (VPN, Tor, or proxy)
Risk Detection StaleHighUnresolved risk detection has exceeded the configured stale threshold
Risk Detection State At RiskHighRisk detection is in AtRisk state and has not been remediated
Risk Detection State DismissedHighRisk detection was dismissed without documented remediation
Risk Detection Suspicious IP AddressHighSign-in from a suspicious IP address flagged by threat intelligence
Risk Level During SigninHighRisk level recorded during a user sign-in event
MFA Temporary Access Pass Not Once OnlyMediumTemporary Access Pass is configured to allow multiple uses instead of once-only. Multi-use TAPs increase the window of exposure if intercepted
Risk Detection Data MissingMediumRisk detection has a null, None, Hidden, or unknown risk level. May indicate Identity Protection is not licensed or data is incomplete
Group Guest MemberLowGroup contains one or more guest (external) members. Guests may access group resources including SharePoint sites and Teams channels
Group EmptyInfoGroup has zero members across users, nested groups, and service principals
Group Member Of Directory RoleInfoGroup is a member of one or more Entra ID directory roles. Groups with role assignments grant elevated access to all members

Also evidences

The same checks provide evidence for these frameworks:

Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence SCuBA MS.AAD.3.4v1 (Microsoft Entra ID) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
SCuBA MS.AAD.3.4v1 (Microsoft Entra ID) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.