Controls / SCuBA / MS.AAD.7.8v1

SCuBA MS.AAD.7.8v1

47 Senserva Microsoft 365 security checks evidence CISA SCuBA policy MS.AAD.7.8v1, part of the Microsoft Entra ID secure configuration baseline. Each is checked against your tenant, ranked by Severity, with validated remediation.

47 checksMicrosoft Entra IDTop Severity: Critical

What MS.AAD.7.8v1 is

CISA's Secure Cloud Business Applications (SCuBA) project publishes secure configuration baselines for the core Microsoft 365 services; policy MS.AAD.7.8v1 belongs to the Microsoft Entra ID baseline. CISA Binding Operational Directive 25-01 directs federal civilian agencies to apply these baselines. Senserva evidences this policy with the 47 checks below. See the exact policy statement and implementation steps in the CISA baseline.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 47 checks that evidence SCuBA MS.AAD.7.8v1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
PIM Alerts No MFA On Activation AlertCriticalPIM alert: MFA is not required on role activation. Compromised credentials can escalate
PIM Policy Expiration RequiredCriticalPIM policy does not require expiration for role assignments. Permanent assignments violate just-in-time access principles
PIM Policy Missing For UserCriticalUser has a direct role assignment with no PIM policy governing activation
Role Ai Administrator AssignedCriticalA principal is assigned the AI Administrator role, which controls all Microsoft 365 Copilot settings and AI data access boundaries
User Break Glass Account DisabledCriticalBreak-glass (emergency access) account is disabled. Break-glass accounts must remain enabled for emergency tenant recovery
User Break Glass Account Is Not Highly PrivilegedCriticalBreak-glass account does not have highly privileged roles assigned. Emergency accounts must have Global Admin or equivalent to be effective
User Break Glass Account Last Password ChangeCriticalBreak-glass account last password change timestamp. Passwords on emergency accounts should be changed on a regular schedule per policy
User Break Glass User Not EnabledCriticalBreak-glass account user is not enabled (account exists but is inactive)
Admin Enforces Compliant Device For Admins Not FoundHighNo Conditional Access policy was found requiring compliant devices for admin roles Admins should only operate from managed, compliant endpoints
Admin Enforces MFA For Admins Not FoundHighNo Conditional Access policy was found that enforces MFA specifically for admin roles Admins are high-value targets and must always require MFA
Admin Maester Device Compliance For AdminsHighMaester framework check: device compliance policy for administrators
Pa Avoid Standing AccessHighAvoid standing access: privileged roles should use just-in-time activation via PIM
Pa Follow Least Privilege PrincipleHighFollow least privilege principle: users and apps should have minimum permissions needed
PIM Alerts License SuspendedHighPIM license is suspended. PIM protections are not enforced without an active license
PIM Alerts Stale Alert IncidentHighPIM alert: stale role assignment detected. A user's privileged role has not been activated recently
PIM Alerts Too Many Global Admins Assigned To Tenant Alert IncidentHighPIM alert: too many Global Admins assigned to the tenant
PIM Group Number Of Groups In High Privilege RolesHighCount of groups assigned to highly privileged directory roles
PIM Policy Enablement Rule Not SetHighPIM enablement rule is not set for a role. The role lacks activation workflow configuration
PIM Policy Justification RequiredHighPIM policy requires a justification for role activation
PIM Policy Maximum DurationHighPIM policy maximum activation duration for a role
PIM Policy Missing For GroupHighGroup has a direct role assignment with no PIM policy governing activation
PIM Policy Missing For Service PrincipalHighService principal has a direct role assignment with no PIM policy governing activation
PIM Policy Notifications MissingHighPIM policy is missing notification rules. Admins are not alerted on role activation
PIM Policy Ticketing RequiredHighPIM policy requires a support ticket number for role activation
PIM Roles Assigned Outside PIMHighA role was assigned outside of Privileged Identity Management. Standing assignments bypass PIM activation controls entirely
PIM Service Principal Count In High Privileged RolesHighCount of service principals assigned to highly privileged directory roles (e.g., Global Administrator, Privileged Role Administrator)
PIM User Number Of Users In High Privilege RolesHighCount of users assigned to highly privileged directory roles
Role Custom Role In UseHighA custom (non-built-in) role definition has active assignments
Role No Roles Assigned To RuleHighNo roles are assigned to a PIM governance rule. The rule exists but covers no roles
Role Overlapping High PrivilegeHighA single principal holds multiple highly-privileged roles, indicating role creep
User Break Glass User Has Login HistoryHighBreak-glass account has recent sign-in history. This may be expected for testing or may indicate unauthorized use - requires investigation
User Break Glass User Has No Login HistoryHighBreak-glass account has no sign-in history. Expected for dormant emergency accounts but periodic testing is recommended
Admin Missing User Required For Admin License MatchMediumAdmin user is missing required licenses defined in the security baseline for admin accounts
PIM Alert Configuration IncorrectMediumPIM alert configuration is incorrect or misconfigured for the tenant
PIM Group Number Of Groups In Privilege RolesMediumCount of groups assigned to privileged directory roles
PIM Missing Alert TypeMediumExpected PIM alert type is missing from the tenant's alert configuration
PIM Service Principal Count In Privileged RolesMediumCount of service principals assigned to privileged directory roles
Role Principal Count Per RoleMediumCount of principals assigned to this role. High counts on privileged roles increase blast radius
Role Unused Custom Role DefinitionMediumA custom role definition exists but has zero assignments
Admin SCuBA Gws Common Admin Audit And AlertsLowSCUBA/CISA baseline check: Google Workspace admin audit and alerts configuration
PIM User Number Of Users In Privilege RolesLowCount of users assigned to privileged directory roles
Admin Enforces Compliant Device For AdminsInfoA Conditional Access policy requires compliant or domain-joined devices for admin roles
Admin Enforces MFA For AdminsInfoA Conditional Access policy enforces MFA for admin roles across all applications
PIM AlertsInfoPIM alert record with role, assignee, and last activation details
PIM Policy Modified ByInfoPIM management policy was last modified by the reported user. Change tracking
PIM Policy PIM Approval RequiredInfoPIM policy requires approval for role activation. Second-person authorization for privileged access
PIM Policy PIM MFA RequiredInfoPIM policy requires MFA for role activation. Confirms step-up auth is enforced

Also evidences

The same checks provide evidence for these frameworks:

Every SCuBA policy and the checks that evidence it: the control reference. More on the baselines: SCuBA for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence SCuBA MS.AAD.7.8v1 (Microsoft Entra ID) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
SCuBA MS.AAD.7.8v1 (Microsoft Entra ID) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.