Controls / SCuBA / MS.AAD.5.3v1

SCuBA MS.AAD.5.3v1

60 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.5.3v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.

60 checksMicrosoft Entra IDTop Severity: Critical

What MS.AAD.5.3v1 is

CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.5.3v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 60 checks below. See the exact policy statement and implementation steps in the CISA baseline.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 60 checks that evidence SCuBA MS.AAD.5.3v1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
App Application Disabled By Microsoft StatusCriticalApplication has been disabled by Microsoft due to policy violation or abuse detection
Sp Critical Graph PermissionCriticalService principal has been granted critical Graph API permissions that enable privilege escalation (e.g., RoleManagementReadWriteDirectory, ApplicationReadWriteAll)
Sp Risk Detection Malicious ApplicationCriticalService principal flagged as a malicious application by Entra ID Protection
Sp Risk State Confirmed CompromisedCriticalService principal risk state is "confirmed compromised", immediate action required
Sp Secret Non ExpiringCriticalService principal secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised
Sp Service Principal Disabled By Microsoft StatusCriticalService principal has been disabled by Microsoft due to policy violation or abuse
App Application Management Policy DisabledHighApplication management policy exists but is disabled
App Broad Consent ScopeHighApplication has admin consent granted for all users (ConsentType = AllPrincipals). Broad consent means every user is affected if the app is compromised
App Certificate ExpiredHighApplication certificate has expired. The application may lose access or fail authentication
App Certificate Non ExpiringHighApplication certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised
App Secret ExpiredHighApplication secret has expired. The application may lose access or fail authentication
App Secret Non ExpiringHighApplication secret has no expiration date. Non-expiring secrets remain valid indefinitely if compromised
Sp Certificate Non ExpiringHighService principal certificate has no expiration date. Non-expiring certificates remain valid indefinitely if the private key is compromised
Sp High Risk PermissionsHighService principal has been granted high-risk Graph API permissions
Sp Risk DetectionHighRisk detection event associated with this service principal from Entra ID Protection
Sp Risk Detection Leaked CredentialsHighLeaked credentials risk detection for a service principal
Sp Risk State At RiskHighService principal risk state is "at risk", active investigation recommended
Sp Risky Service PrincipalHighService principal flagged as risky by Entra ID Protection for workload identities
Sp Secret ExpiredHighService principal secret has expired
Sp Secret Expiring SoonHighService principal secret is expiring within the configured warning threshold
Sp Service Principal App Registration Has A Client SecretHighService principal's corresponding app registration has client secret credentials
Sp Service Principal Has Password CredentialsHighService principal itself has password credentials (secrets) configured directly
Sp Service Principal Member Of Directory RoleHighService principal is a member of one or more directory roles. Service principals with role assignments have elevated tenant access
Sp Service Principal Review API AssignmentHighService principal has API permission assignments that should be reviewed
App Application Password CredentialsMediumApplication registration has password credentials. Reports count and expiration status
App Application Registration Has A Client SecretMediumApplication registration has client secret (password) credentials configured. Secrets are less secure than certificates and should be monitored
App Certificate Expiring SoonMediumApplication certificate is expiring within the configured warning threshold
App Certificate Too Long LivedMediumApplication certificate has a lifetime exceeding the maximum allowed by security policy
App Federated Identity Credential Broad ScopeMediumApplication has a federated identity credential with an overly broad audience or wildcard subject that could allow unintended workloads to authenticate
App High Risk PermissionsMediumApplication has been granted high-risk delegated permissions (e.g., MailReadWrite, DirectoryReadWriteAll). These scopes provide broad access to tenant data
App Insecure Redirect UriMediumApplication has an insecure redirect URI (e.g., HTTP instead of HTTPS, localhost in production, wildcard domains, or deprecated OOB redirect URIs)
App Multi Tenant With High PrivilegesMediumMulti-tenant application with elevated permissions and active credentials. External-facing apps with broad access require extra scrutiny
App Secret Expiring SoonMediumApplication secret is expiring within the configured warning threshold
App Secret Too Long LivedMediumApplication secret has a lifetime exceeding the maximum allowed by security policy. Long-lived secrets increase exposure window if compromised
Sp Assigned To Disabled UserMediumService principal is assigned to a disabled user account. May indicate an orphaned or misconfigured assignment
Sp Certificate ExpiredMediumService principal certificate has expired
Sp Certificate Expiring SoonMediumService principal certificate is expiring within the configured warning threshold
Sp Certificate Too Long LivedMediumService principal certificate lifetime exceeds the maximum allowed by security policy
Sp Risk Detection Anomalous ActivityMediumAnomalous activity risk detection on a service principal (unusual sign-in patterns)
Sp Risk Detection Suspicious Sign InMediumSuspicious sign-in risk detection on a service principal
Sp Secret Too Long LivedMediumService principal secret lifetime exceeds the maximum allowed by security policy
Sp Service Principal Exchange AppMediumService principal has Exchange-related permissions (Mail, Calendar, Contacts). These apps may need Application Access Policies to restrict mailbox scope
Sp Service Principal No Verified PublisherMediumService principal does not have a verified publisher but has a publisher name. Third-party apps without verification pose higher trust risk
App No CredentialsLowApplication registration has no credentials (no secrets or certificates). May indicate an unused or template-only registration
App No OwnersLowApplication registration has no owners assigned. Orphaned apps lack accountability and may not receive security updates
App No Verified PublisherLowApplication registration does not have a verified publisher. Unverified apps pose a higher trust risk for users granting consent
App Service Principal DisabledLowThe service principal associated with this application is disabled. The app registration exists but its enterprise app instance is not active
App StaleLowApplication registration has not been used recently (stale). Unused apps with credentials represent unnecessary attack surface
Sp DisabledLowService principal account is disabled (AccountEnabled = false)
Sp No OwnersLowService principal has no owners assigned. Orphaned SPs lack accountability
Sp Service Principal No PublisherLowService principal has no publisher information at all
Sp StaleLowService principal has not been used recently (stale). Unused SPs with credentials represent unnecessary attack surface
App Application Has Key CredentialsInfoApplication registration has key (certificate) credentials configured
App Application Management ChangeInfoApplication management change detected in directory audit logs (successful)
App Application Management PolicyInfoApplication management policy is configured and enabled
App Federated Identity CredentialsInfoApplication has federated identity credentials configured. These allow external identity providers to authenticate as this application
Sp Managed IdentityInfoService principal is a managed identity (system or user-assigned). Tracked for inventory and privilege awareness
Sp Risk State DismissedInfoService principal risk state has been dismissed by an administrator
Sp Risk State RemediatedInfoService principal risk state has been remediated (e.g., credentials rotated)
Sp Service Principal Has Key CredentialsInfoService principal has key (certificate) credentials configured directly

Also evidences

The same checks provide evidence for these frameworks:

Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence SCuBA MS.AAD.5.3v1 (Microsoft Entra ID) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
SCuBA MS.AAD.5.3v1 (Microsoft Entra ID) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.