Controls / SCuBA / MS.AAD.4.1v1
SCuBA MS.AAD.4.1v1
42 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.4.1v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.
What MS.AAD.4.1v1 is
CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.4.1v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 42 checks below. See the exact policy statement and implementation steps in the CISA baseline.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 42 checks that evidence SCuBA MS.AAD.4.1v1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Log Blocked Signin Bad IP Or Too Many Invalid Attempts | Critical | Sign-in blocked due to bad IP reputation or too many invalid attempts. May indicate brute-force or credential stuffing attack |
| Log Flagged For Review | Critical | Microsoft flagged this sign-in for review as potentially suspicious |
| Log Legacy Auth Protocol | Critical | Sign-in used a legacy authentication protocol that bypasses modern auth and MFA |
| Audit CA Change | High | Successful Conditional Access change in directory audit logs |
| Audit CA Failed Conditional Access Change | High | Failed Conditional Access change in directory audit logs |
| Audit Failed Authorization Change | High | Failed authorization policy change in directory audit logs |
| Audit Failed Directory Management Change | High | Failed directory management change in audit logs |
| Audit Failed Other Change | High | Failed change in uncategorized category in directory audit logs |
| Audit Failed Resource Management Change | High | Failed resource management change in directory audit logs |
| Audit Group Failed Group Management Change | High | Failed group management change in directory audit logs |
| Audit Im Auth Failed Authentication Change | High | Failed authentication method/policy change in directory audit logs |
| Audit Role Failed Roll Management Change | High | Failed role management change in directory audit logs. May indicate unauthorized attempts |
| Audit User Failed User Management Change | High | Failed user management change in directory audit logs |
| Audit User Failed User Modification Attempt | High | Failed user modification attempt in directory audit logs |
| Audit User Successful User Modification | High | Successful user modification in directory audit logs |
| Log Conditional Access Error Log | High | Conditional Access error in sign-in logs. CA policy evaluation failed during sign-in |
| Log Conditional Access Log Request Audit | High | Conditional Access request audit record from sign-in logs |
| Log Conditional Access Policy Exclusion Applied | High | Conditional Access policy exclusion applied during sign-in, policy bypassed due to satisfied exclusion conditions |
| Log User Sign In Log Request Audit | High | Sign-in log request audit record |
| Log User Single Factor Authentication | High | User sign-in completed with single-factor authentication as recorded in sign-in logs |
| Audit As App Failed Application Management Change | Medium | Failed application management change detected in directory audit logs May indicate unauthorized modification attempts |
| Audit Authentication Change | Medium | Successful authentication method/policy change in directory audit logs |
| Audit Authorization Change Authorization Change | Medium | Successful authorization policy change in directory audit logs |
| Audit Im Policy Failed Policy Change | Medium | Failed Conditional Access policy change in directory audit logs |
| Audit PIM Change | Medium | Successful PIM change in directory audit logs |
| Audit PIM Failed PIM Change | Medium | Failed PIM change in directory audit logs. May indicate unauthorized modification attempts |
| Audit Role Management Change | Medium | Successful role management change in directory audit logs |
| Log Conditional Access Status | Medium | Conditional Access status observed across sign-in logs |
| Log Cross Tenant Signin | Medium | Sign-in originated from an external tenant (cross-tenant) |
| Log Es Device Login Fails Counts | Medium | Aggregated device login failure counts. Tracks devices with repeated auth failures |
| Log Es Device Non Compliant Device Login Counts | Medium | Count of sign-ins from non-compliant devices |
| Log Failed Login Count | Medium | Aggregated failed login count for a user. High counts may indicate brute-force attacks |
| Log User Sign In Log Error | Medium | Sign-in log error record. Captures specific error codes and failure reasons |
| Audit Es Device Failed Device Change | Low | Failed device management change in directory audit logs |
| Audit As App Application Activity | Info | Application activity detected in directory audit logs (non-management actions) |
| Audit Audit Completed | Info | Audit scan completed for the tenant |
| Audit Audit Started | Info | Audit scan started for the tenant |
| Audit Directory Management Change | Info | Successful directory management change in audit logs |
| Audit Group Management Change | Info | Successful group management change in directory audit logs |
| Audit Resource Management Change | Info | Successful resource management change in directory audit logs |
| Audit User Activity | Info | User activity event in directory audit logs (non-management actions) |
| Audit User Management Change | Info | Successful user management change in directory audit logs |
Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.