MCSB control domains and where Senserva provides evidence
MCSB groups controls into domains. The table below maps each domain to the Senserva coverage that produces evidence for it. This is a domain-level view; the checks catalog has the control-level detail.
| MCSB domain | Senserva evidence |
|---|---|
| Identity Management | MFA coverage, authentication methods and strengths, FIDO2 and Windows Hello, legacy authentication, risky users and sign-ins. |
| Privileged Access | Directory and Azure role assignments, eligible vs active PIM, role-management policies, break-glass accounts. |
| Data Protection | Purview sensitivity labels, retention, and DLP posture, SharePoint and OneDrive sharing and access. |
| Asset Management | Organization, storage, licensing, and access inventory, app registrations and service principals. |
| Logging and Threat Detection | Unified audit log health, sign-in, directory and provisioning logs, security alerts. |
| Posture and Vulnerability Management | Patch and CVE coverage enriched with MSRC, CISA KEV, and EPSS, Secure Score control breakdown. |
| Endpoint Security | Intune compliance and configuration, Defender Antivirus, firewall, attack surface reduction, disk encryption. |
| Email and Collaboration | Anti-phishing, anti-malware, anti-spam, and Safe Links protections, Teams and SharePoint posture. |
MCSB also covers Network Security, Incident Response, Backup and Recovery, DevOps Security, and Governance and Strategy. Senserva contributes to these where they touch Microsoft 365 configuration; the rest stay operational and organizational responsibilities.
Why MCSB is a good backbone
Microsoft maps MCSB to CIS, NIST 800-53, and PCI DSS, so evidence gathered against MCSB carries over to those frameworks. Senserva builds on Microsoft's own baseline and Secure Score, then adds ranking by real-world risk and validated remediation, so you are not just measuring against Microsoft's bar, you are closing the gaps. It complements Defender and Secure Score rather than replacing them.