Controls / SCuBA / MS.AAD.6.1v1
SCuBA MS.AAD.6.1v1
41 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.6.1v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.
What MS.AAD.6.1v1 is
CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.6.1v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 41 checks below. See the exact policy statement and implementation steps in the CISA baseline.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 41 checks that evidence SCuBA MS.AAD.6.1v1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| At Risk With High Risk | Critical | User currently at risk with a high risk level assessment. Immediate investigation recommended |
| User High Risk User | Critical | User flagged as high risk by Entra ID Protection. Immediate investigation required |
| At Risk Signin | High | Sign-in was flagged as at-risk by Entra ID Protection |
| At Risk With Low Risk | High | User currently at risk with a low risk level assessment |
| High Risk Detection Data | High | High-risk detection data record from Entra ID Protection |
| Low Risk Detection Data | High | Low-risk detection data record from Entra ID Protection |
| Medium Risk Detection Data | High | Medium-risk detection data record from Entra ID Protection |
| Missing User Optional License Match | High | User is missing optional (recommended) licenses defined in the security baseline |
| No Assigned To PIM Rules In Tenant | High | No PIM rules are assigned to roles in the tenant. PIM is not governing privileged role activation |
| Old At Risk With High Risk | High | User was previously at risk with a high risk level (historical) |
| User Has No Login History | High | User has no sign-in history. May be dormant or newly created |
| User Highly Privileged User Has No P1 Or P2 | High | Highly privileged user lacks Entra ID P1/P2 license. Required for CA, PIM, and ID Protection |
| User Login Device Must Be Compliant | High | User sign-in from a device that is not compliant |
| User Login Device Must Be Managed | High | User sign-in from a device that is not managed by Intune |
| User Login Outdated Windows Operating System | High | User sign-in from a Windows device with an outdated OS |
| User Low Risk User | High | User flagged as low risk by Entra ID Protection |
| User Privileged User Is Not Enabled | High | Privileged user account is disabled but still has role assignments |
| User Signin With Single Factor Authentication | High | User signed in with single-factor authentication (no MFA) |
| User With Policy Exclusions | High | User is excluded from one or more Conditional Access policies |
| At Risk With Medium Risk | Medium | User currently at risk with a medium risk level assessment |
| Old At Risk With Low Risk | Medium | User was previously at risk with a low risk level (historical) |
| Old At Risk With Medium Risk | Medium | User was previously at risk with a medium risk level (historical) |
| User Device Registered To Not Enabled User | Medium | Device registered to a disabled user account |
| User Disabled User Device Last Signin Date | Medium | Disabled user's device last sign-in date |
| User Disabled User Has Roles Or Licenses | Medium | Disabled user still has roles or licenses assigned. Should be reclaimed |
| User Enabled User Has Roles | Medium | Enabled user has directory roles assigned |
| User Medium Risk User | Medium | User flagged as medium risk by Entra ID Protection |
| User Not Enabled Guest With Roles Or License | Medium | Guest user is not enabled but has roles or licenses assigned |
| User On Premises Last Sync Date Time | Medium | User's on-premises last sync timestamp |
| User Per User MFA | Medium | User has per-user MFA enabled (legacy). Should migrate to Conditional Access MFA |
| User Per User MFA No Data Read | Medium | Per-user MFA data could not be read for this user |
| User Privileged User Is Synced With On Premises | Medium | Privileged user is synced from on-premises AD. Cloud-only is recommended for admins |
| User Required License Match | Medium | User has required licenses matching the security baseline for their privilege level |
| User With Old MFA | Medium | User is registered with a legacy MFA method (SMS or voice call) that should be migrated |
| User Disabled Users Last Interactive Login | Low | Disabled user's last interactive sign-in timestamp |
| User Enabled User Has Licenses | Info | Enabled user has licenses assigned. License utilization tracking |
| User Enabled User Has No Roles Or Licenses | Info | Enabled user has no roles or licenses assigned. May be unused or misconfigured |
| User Is Not Enabled | Info | User account is disabled |
| User Last Password Change | Info | User's last password change timestamp |
| User Login Device Trust Type | Info | Reports the device trust type used during user sign-in |
| User User Last Interactive Login | Info | User's last interactive sign-in timestamp. Activity tracking |
Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.