Controls / SCuBA / MS.AAD.4.1v1

SCuBA MS.AAD.4.1v1

42 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.4.1v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.

42 checksMicrosoft Entra IDTop Severity: Critical

What MS.AAD.4.1v1 is

CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.4.1v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 42 checks below. See the exact policy statement and implementation steps in the CISA baseline.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 42 checks that evidence SCuBA MS.AAD.4.1v1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Log Blocked Signin Bad IP Or Too Many Invalid AttemptsCriticalSign-in blocked due to bad IP reputation or too many invalid attempts. May indicate brute-force or credential stuffing attack
Log Flagged For ReviewCriticalMicrosoft flagged this sign-in for review as potentially suspicious
Log Legacy Auth ProtocolCriticalSign-in used a legacy authentication protocol that bypasses modern auth and MFA
Audit CA ChangeHighSuccessful Conditional Access change in directory audit logs
Audit CA Failed Conditional Access ChangeHighFailed Conditional Access change in directory audit logs
Audit Failed Authorization ChangeHighFailed authorization policy change in directory audit logs
Audit Failed Directory Management ChangeHighFailed directory management change in audit logs
Audit Failed Other ChangeHighFailed change in uncategorized category in directory audit logs
Audit Failed Resource Management ChangeHighFailed resource management change in directory audit logs
Audit Group Failed Group Management ChangeHighFailed group management change in directory audit logs
Audit Im Auth Failed Authentication ChangeHighFailed authentication method/policy change in directory audit logs
Audit Role Failed Roll Management ChangeHighFailed role management change in directory audit logs. May indicate unauthorized attempts
Audit User Failed User Management ChangeHighFailed user management change in directory audit logs
Audit User Failed User Modification AttemptHighFailed user modification attempt in directory audit logs
Audit User Successful User ModificationHighSuccessful user modification in directory audit logs
Log Conditional Access Error LogHighConditional Access error in sign-in logs. CA policy evaluation failed during sign-in
Log Conditional Access Log Request AuditHighConditional Access request audit record from sign-in logs
Log Conditional Access Policy Exclusion AppliedHighConditional Access policy exclusion applied during sign-in, policy bypassed due to satisfied exclusion conditions
Log User Sign In Log Request AuditHighSign-in log request audit record
Log User Single Factor AuthenticationHighUser sign-in completed with single-factor authentication as recorded in sign-in logs
Audit As App Failed Application Management ChangeMediumFailed application management change detected in directory audit logs May indicate unauthorized modification attempts
Audit Authentication ChangeMediumSuccessful authentication method/policy change in directory audit logs
Audit Authorization Change Authorization ChangeMediumSuccessful authorization policy change in directory audit logs
Audit Im Policy Failed Policy ChangeMediumFailed Conditional Access policy change in directory audit logs
Audit PIM ChangeMediumSuccessful PIM change in directory audit logs
Audit PIM Failed PIM ChangeMediumFailed PIM change in directory audit logs. May indicate unauthorized modification attempts
Audit Role Management ChangeMediumSuccessful role management change in directory audit logs
Log Conditional Access StatusMediumConditional Access status observed across sign-in logs
Log Cross Tenant SigninMediumSign-in originated from an external tenant (cross-tenant)
Log Es Device Login Fails CountsMediumAggregated device login failure counts. Tracks devices with repeated auth failures
Log Es Device Non Compliant Device Login CountsMediumCount of sign-ins from non-compliant devices
Log Failed Login CountMediumAggregated failed login count for a user. High counts may indicate brute-force attacks
Log User Sign In Log ErrorMediumSign-in log error record. Captures specific error codes and failure reasons
Audit Es Device Failed Device ChangeLowFailed device management change in directory audit logs
Audit As App Application ActivityInfoApplication activity detected in directory audit logs (non-management actions)
Audit Audit CompletedInfoAudit scan completed for the tenant
Audit Audit StartedInfoAudit scan started for the tenant
Audit Directory Management ChangeInfoSuccessful directory management change in audit logs
Audit Group Management ChangeInfoSuccessful group management change in directory audit logs
Audit Resource Management ChangeInfoSuccessful resource management change in directory audit logs
Audit User ActivityInfoUser activity event in directory audit logs (non-management actions)
Audit User Management ChangeInfoSuccessful user management change in directory audit logs

Also evidences

The same checks provide evidence for these frameworks:

Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence SCuBA MS.AAD.4.1v1 (Microsoft Entra ID) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
SCuBA MS.AAD.4.1v1 (Microsoft Entra ID) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.