Detections
Analytics
CISA SCuBA Microsoft 365 Entra ID v1.5.0
Audit Details
Name: CISA SCuBA Microsoft 365 Entra ID v1.5.0
Updated: 3/22/2025
Authority: TNS
Plugin: microsoft_azure
Revision: 1.0
Estimated Item Count: 30
File Details
Filename: CISA_SCuBA_M365_Entra_ID_v1.5.0.audit
Size: 137 kB
Audit Items
| Description | Categories |
|---|---|
| MS.AAD.1.1v1 - Legacy authentication SHALL be blocked. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.2.1v1 - Users detected as high risk SHALL be blocked. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.2.2v1 - A notification SHOULD be sent to the administrator when high-risk users are detected. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.2.3v1 - Sign-ins detected as high risk SHALL be blocked. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.1v1 - Phishing-resistant MFA SHALL be enforced for all users. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.2v1 - If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.3v1 - If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.4v1 - The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | CONFIGURATION MANAGEMENT |
| MS.AAD.3.5v1 - The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.7v1 - Managed devices SHOULD be required for authentication. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.3.8v1 - Managed Devices SHOULD be required to register MFA. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.4.1v1 - Security logs SHALL be sent to the agency's security operations center for monitoring. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| MS.AAD.5.1v1 - Only administrators SHALL be allowed to register applications. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.5.2v1 - Only administrators SHALL be allowed to consent to applications. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.5.3v1 - An admin consent workflow SHALL be configured for applications. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.5.4v1 - Group owners SHALL NOT be allowed to consent to applications. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.6.1v1 - User passwords SHALL NOT expire. | CONFIGURATION MANAGEMENT |
| MS.AAD.7.1v1 - A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.7.2v1 - Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.7.3v1 - Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| MS.AAD.7.4v1 - Permanent active role assignments SHALL NOT be allowed for highly privileged roles. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.7.5v1 - Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. | CONFIGURATION MANAGEMENT |
| MS.AAD.7.6v1 - Activation of the Global Administrator role SHALL require approval. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.7.7v1 - Eligible and Active highly privileged role assignments SHALL trigger an alert. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.7.8v1 - User activation of the Global Administrator role SHALL trigger an alert. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.7.9v1 - User activation of other highly privileged roles SHOULD trigger an alert. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.8.1v1 - Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| MS.AAD.8.2v1 - Only users with the Guest Inviter role SHOULD be able to invite guest users. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.AAD.8.3v1 - Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |