Controls / SCuBA / MS.AAD.5.3v1
SCuBA MS.AAD.5.3v1
60 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.5.3v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.
What MS.AAD.5.3v1 is
CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.5.3v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 60 checks below. See the exact policy statement and implementation steps in the CISA baseline.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 60 checks that evidence SCuBA MS.AAD.5.3v1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| App Application Disabled By Microsoft Status | Critical | Application has been disabled by Microsoft due to policy violation or abuse detection |
| Sp Critical Graph Permission | Critical | Service principal has been granted critical Graph API permissions that enable privilege escalation (e.g., RoleManagementReadWriteDirectory, ApplicationReadWriteAll) |
| Sp Risk Detection Malicious Application | Critical | Service principal flagged as a malicious application by Entra ID Protection |
| Sp Risk State Confirmed Compromised | Critical | Service principal risk state is "confirmed compromised", immediate action required |
| Sp Secret Non Expiring | Critical | Service principal secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised |
| Sp Service Principal Disabled By Microsoft Status | Critical | Service principal has been disabled by Microsoft due to policy violation or abuse |
| App Application Management Policy Disabled | High | Application management policy exists but is disabled |
| App Broad Consent Scope | High | Application has admin consent granted for all users (ConsentType = AllPrincipals). Broad consent means every user is affected if the app is compromised |
| App Certificate Expired | High | Application certificate has expired. The application may lose access or fail authentication |
| App Certificate Non Expiring | High | Application certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised |
| App Secret Expired | High | Application secret has expired. The application may lose access or fail authentication |
| App Secret Non Expiring | High | Application secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised |
| Sp Certificate Non Expiring | High | Service principal certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised |
| Sp High Risk Permissions | High | Service principal has been granted high-risk Graph API permissions |
| Sp Risk Detection | High | Risk detection event associated with this service principal from Entra ID Protection |
| Sp Risk Detection Leaked Credentials | High | Leaked credentials risk detection for a service principal |
| Sp Risk State At Risk | High | Service principal risk state is "at risk", active investigation recommended |
| Sp Risky Service Principal | High | Service principal flagged as risky by Entra ID Protection for workload identities |
| Sp Secret Expired | High | Service principal secret has expired |
| Sp Secret Expiring Soon | High | Service principal secret is expiring within the configured warning threshold |
| Sp Service Principal App Registration Has A Client Secret | High | Service principal's corresponding app registration has client secret credentials |
| Sp Service Principal Has Password Credentials | High | Service principal itself has password credentials (secrets) configured directly |
| Sp Service Principal Member Of Directory Role | High | Service principal is a member of one or more directory roles. Service principals with role assignments have elevated tenant access |
| Sp Service Principal Review API Assignment | High | Service principal has API permission assignments that should be reviewed |
| App Application Password Credentials | Medium | Application registration has password credentials. Reports count and expiration status |
| App Application Registration Has A Client Secret | Medium | Application registration has client secret (password) credentials configured. Secrets are less secure than certificates and should be monitored |
| App Certificate Expiring Soon | Medium | Application certificate is expiring within the configured warning threshold |
| App Certificate Too Long Lived | Medium | Application certificate has a lifetime exceeding the maximum allowed by security policy |
| App Federated Identity Credential Broad Scope | Medium | Application has a federated identity credential with an overly broad audience or wildcard subject that could allow unintended workloads to authenticate |
| App High Risk Permissions | Medium | Application has been granted high-risk delegated permissions (e.g., MailReadWrite, DirectoryReadWriteAll). These scopes provide broad access to tenant data |
| App Insecure Redirect Uri | Medium | Application has an insecure redirect URI (e.g., HTTP instead of HTTPS, localhost in production, wildcard domains, or deprecated OOB redirect URIs) |
| App Multi Tenant With High Privileges | Medium | Multi-tenant application with elevated permissions and active credentials. External-facing apps with broad access require extra scrutiny |
| App Secret Expiring Soon | Medium | Application secret is expiring within the configured warning threshold |
| App Secret Too Long Lived | Medium | Application secret has a lifetime exceeding the maximum allowed by security policy. Long-lived secrets increase exposure window if compromised |
| Sp Assigned To Disabled User | Medium | Service principal is assigned to a disabled user account. May indicate an orphaned or misconfigured assignment |
| Sp Certificate Expired | Medium | Service principal certificate has expired |
| Sp Certificate Expiring Soon | Medium | Service principal certificate is expiring within the configured warning threshold |
| Sp Certificate Too Long Lived | Medium | Service principal certificate lifetime exceeds the maximum allowed by security policy |
| Sp Risk Detection Anomalous Activity | Medium | Anomalous activity risk detection on a service principal (unusual sign-in patterns) |
| Sp Risk Detection Suspicious Sign In | Medium | Suspicious sign-in risk detection on a service principal |
| Sp Secret Too Long Lived | Medium | Service principal secret lifetime exceeds the maximum allowed by security policy |
| Sp Service Principal Exchange App | Medium | Service principal has Exchange-related permissions (Mail, Calendar, Contacts). These apps may need Application Access Policies to restrict mailbox scope |
| Sp Service Principal No Verified Publisher | Medium | Service principal does not have a verified publisher but has a publisher name. Third-party apps without verification pose higher trust risk |
| App No Credentials | Low | Application registration has no credentials (no secrets or certificates). May indicate an unused or template-only registration |
| App No Owners | Low | Application registration has no owners assigned. Orphaned apps lack accountability and may not receive security updates |
| App No Verified Publisher | Low | Application registration does not have a verified publisher. Unverified apps pose a higher trust risk for users granting consent |
| App Service Principal Disabled | Low | The service principal associated with this application is disabled. The app registration exists but its enterprise app instance is not active |
| App Stale | Low | Application registration has not been used recently (stale). Unused apps with credentials represent unnecessary attack surface |
| Sp Disabled | Low | Service principal account is disabled (AccountEnabled = false) |
| Sp No Owners | Low | Service principal has no owners assigned. Orphaned SPs lack accountability |
| Sp Service Principal No Publisher | Low | Service principal has no publisher information at all |
| Sp Stale | Low | Service principal has not been used recently (stale). Unused SPs with credentials represent unnecessary attack surface |
| App Application Has Key Credentials | Info | Application registration has key (certificate) credentials configured |
| App Application Management Change | Info | Application management change detected in directory audit logs (successful) |
| App Application Management Policy | Info | Application management policy is configured and enabled |
| App Federated Identity Credentials | Info | Application has federated identity credentials configured. These allow external identity providers to authenticate as this application |
| Sp Managed Identity | Info | Service principal is a managed identity (system or user-assigned). Tracked for inventory and privilege awareness |
| Sp Risk State Dismissed | Info | Service principal risk state has been dismissed by an administrator |
| Sp Risk State Remediated | Info | Service principal risk state has been remediated (e.g., credentials rotated) |
| Sp Service Principal Has Key Credentials | Info | Service principal has key (certificate) credentials configured directly |
Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.