Controls / SCuBA / MS.AAD.7.7v1
SCuBA MS.AAD.7.7v1
47 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.7.7v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.
What MS.AAD.7.7v1 is
CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.7.7v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 47 checks below. See the exact policy statement and implementation steps in the CISA baseline.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 47 checks that evidence SCuBA MS.AAD.7.7v1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| PIM Alerts No MFA On Activation Alert | Critical | PIM alert: MFA is not required on role activation. Compromised credentials can escalate |
| PIM Policy Expiration Required | Critical | PIM policy does not require expiration for role assignments. Permanent assignments violate just-in-time access principles |
| PIM Policy Missing For User | Critical | User has a direct role assignment with no PIM policy governing activation |
| Role Ai Administrator Assigned | Critical | A principal is assigned the AI Administrator role, which controls all Microsoft 365 Copilot settings and AI data access boundaries |
| User Break Glass Account Disabled | Critical | Break-glass (emergency access) account is disabled. Break-glass accounts must remain enabled for emergency tenant recovery |
| User Break Glass Account Is Not Highly Privileged | Critical | Break-glass account does not have highly privileged roles assigned. Emergency accounts must have Global Admin or equivalent to be effective |
| User Break Glass Account Last Password Change | Critical | Break-glass account last password change timestamp. Passwords on emergency accounts should be changed on a regular schedule per policy |
| User Break Glass User Not Enabled | Critical | Break-glass account user is not enabled (account exists but is inactive) |
| Admin Enforces Compliant Device For Admins Not Found | High | No Conditional Access policy was found requiring compliant devices for admin roles Admins should only operate from managed, compliant endpoints |
| Admin Enforces MFA For Admins Not Found | High | No Conditional Access policy was found that enforces MFA specifically for admin roles Admins are high-value targets and must always require MFA |
| Admin Maester Device Compliance For Admins | High | Maester framework check: device compliance policy for administrators |
| Pa Avoid Standing Access | High | Avoid standing access: privileged roles should use just-in-time activation via PIM |
| Pa Follow Least Privilege Principle | High | Follow least privilege principle: users and apps should have minimum permissions needed |
| PIM Alerts License Suspended | High | PIM license is suspended. PIM protections are not enforced without an active license |
| PIM Alerts Stale Alert Incident | High | PIM alert: stale role assignment detected. A user's privileged role has not been activated recently |
| PIM Alerts Too Many Global Admins Assigned To Tenant Alert Incident | High | PIM alert: too many Global Admins assigned to the tenant |
| PIM Group Number Of Groups In High Privilege Roles | High | Count of groups assigned to highly privileged directory roles |
| PIM Policy Enablement Rule Not Set | High | PIM enablement rule is not set for a role. The role lacks activation workflow configuration |
| PIM Policy Justification Required | High | PIM policy requires a justification for role activation |
| PIM Policy Maximum Duration | High | PIM policy maximum activation duration for a role |
| PIM Policy Missing For Group | High | Group has a direct role assignment with no PIM policy governing activation |
| PIM Policy Missing For Service Principal | High | Service principal has a direct role assignment with no PIM policy governing activation |
| PIM Policy Notifications Missing | High | PIM policy is missing notification rules. Admins are not alerted on role activation |
| PIM Policy Ticketing Required | High | PIM policy requires a support ticket number for role activation |
| PIM Roles Assigned Outside PIM | High | A role was assigned outside of Privileged Identity Management. Standing assignments bypass PIM activation controls entirely |
| PIM Service Principal Count In High Privileged Roles | High | Count of service principals assigned to highly privileged directory roles (e.g., Global Administrator, Privileged Role Administrator) |
| PIM User Number Of Users In High Privilege Roles | High | Count of users assigned to highly privileged directory roles |
| Role Custom Role In Use | High | A custom (non-built-in) role definition has active assignments |
| Role No Roles Assigned To Rule | High | No roles are assigned to a PIM governance rule. The rule exists but covers no roles |
| Role Overlapping High Privilege | High | A single principal holds multiple highly-privileged roles, indicating role creep |
| User Break Glass User Has Login History | High | Break-glass account has recent sign-in history. This may be expected for testing or may indicate unauthorized use - requires investigation |
| User Break Glass User Has No Login History | High | Break-glass account has no sign-in history. Expected for dormant emergency accounts but periodic testing is recommended |
| Admin Missing User Required For Admin License Match | Medium | Admin user is missing required licenses defined in the security baseline for admin accounts |
| PIM Alert Configuration Incorrect | Medium | PIM alert configuration is incorrect or misconfigured for the tenant |
| PIM Group Number Of Groups In Privilege Roles | Medium | Count of groups assigned to privileged directory roles |
| PIM Missing Alert Type | Medium | Expected PIM alert type is missing from the tenant's alert configuration |
| PIM Service Principal Count In Privileged Roles | Medium | Count of service principals assigned to privileged directory roles |
| Role Principal Count Per Role | Medium | Count of principals assigned to this role. High counts on privileged roles increase blast radius |
| Role Unused Custom Role Definition | Medium | A custom role definition exists but has zero assignments |
| Admin SCuBA Gws Common Admin Audit And Alerts | Low | SCUBA/CISA baseline check: Google Workspace admin audit and alerts configuration |
| PIM User Number Of Users In Privilege Roles | Low | Count of users assigned to privileged directory roles |
| Admin Enforces Compliant Device For Admins | Info | A Conditional Access policy requires compliant or domain-joined devices for admin roles |
| Admin Enforces MFA For Admins | Info | A Conditional Access policy enforces MFA for admin roles across all applications |
| PIM Alerts | Info | PIM alert record with role, assignee, and last activation details |
| PIM Policy Modified By | Info | PIM management policy was last modified by the reported user. Change tracking |
| PIM Policy PIM Approval Required | Info | PIM policy requires approval for role activation. Second-person authorization for privileged access |
| PIM Policy PIM MFA Required | Info | PIM policy requires MFA for role activation. Confirms step-up auth is enforced |
Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.