Demo portal · pre-release Back us

Controls

Maester & Zero Trust Assessment controls by Microsoft product, mapped to CIS and CISA.

Coverage this run

721 controls assessed
167 passing 5 accepted 368 skipped 181 failing
Control Title Product Standard Severity Status
CIS.M365.1.1.1 Ensure Administrative accounts are cloud-only En Entra CIS High Accepted details →
CIS.M365.1.1.3 Ensure that between two and four global admins are designated En Entra CIS High Failing details →
CIS.M365.1.2.1 Ensure that only organizationally managed/approved public groups exist En Entra CIS Medium Failing details →
CIS.M365.1.3.1 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' En Entra CIS High Passing details →
CIS.M365.1.3.4 Ensure 'User owned apps and services' is restricted En Entra CIS Unknown Failing details →
CIS.M365.1.3.5 Ensure internal phishing protection for Forms is enabled En Entra CIS Unknown Passing details →
CIS.M365.1.3.7 Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' En Entra CIS Unknown Accepted details →
CIS.M365.4.1 Ensure devices without a compliance policy are marked 'not compliant' In Intune CIS Unknown Failing details →
CIS.M365.5.1.2.2 Ensure third party integrated applications are not allowed En Entra CIS Unknown Passing details →
CIS.M365.5.1.2.3 Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' En Entra CIS Unknown Passing details →
CIS.M365.5.1.3.1 Ensure a dynamic group for guest users is created En Entra CIS Unknown Passing details →
CIS.M365.5.1.5.1 Ensure user consent to apps accessing company data on their behalf is not allowed En Entra CIS Unknown Failing details →
CIS.M365.5.1.5.2 Ensure the admin consent workflow is enabled En Entra CIS Unknown Failing details →
CIS.M365.5.1.6.2 Ensure that guest user access is restricted En Entra CIS Unknown Passing details →
CIS.M365.5.2.3.5 Ensure weak authentication methods are disabled En Entra CIS Unknown Failing details →
CISA.MS.AAD.1.1 Legacy authentication SHALL be blocked. En Entra CISA High Accepted details →
CISA.MS.AAD.2.1 Users detected as high risk SHALL be blocked. En Entra CISA High Failing details →
CISA.MS.AAD.2.2 A notification SHOULD be sent to the administrator when high-risk users are detected. En Entra CISA High Passing details →
CISA.MS.AAD.2.3 Sign-ins detected as high risk SHALL be blocked. En Entra CISA High Failing details →
CISA.MS.AAD.3.1 Phishing-resistant MFA SHALL be enforced for all users. En Entra CISA High Failing details →
CISA.MS.AAD.3.2 If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. En Entra CISA High Passing details →
CISA.MS.AAD.3.3 If Microsoft Authenticator is enabled, it SHALL be configured to show login context information. En Entra CISA Medium Failing details →
CISA.MS.AAD.3.4 The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. En Entra CISA High Passing details →
CISA.MS.AAD.3.5 The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. En Entra CISA High Failing details →
CISA.MS.AAD.3.6 Phishing-resistant MFA SHALL be required for highly privileged roles. En Entra CISA High Failing details →
CISA.MS.AAD.3.7 Managed devices SHOULD be required for authentication. En Entra CISA High Accepted details →
CISA.MS.AAD.3.8 Managed Devices SHOULD be required to register MFA. En Entra CISA High Failing details →
CISA.MS.AAD.5.1 Only administrators SHALL be allowed to register applications. En Entra CISA High Passing details →
CISA.MS.AAD.5.2 Only administrators SHALL be allowed to consent to applications. En Entra CISA High Failing details →
CISA.MS.AAD.5.3 An admin consent workflow SHALL be configured for applications. En Entra CISA High Failing details →
CISA.MS.AAD.6.1 User passwords SHALL NOT expire. En Entra CISA High Passing details →
CISA.MS.AAD.7.1 A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. En Entra CISA High Failing details →
CISA.MS.AAD.7.2 Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. En Entra CISA High Failing details →
CISA.MS.AAD.7.3 Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. En Entra CISA High Failing details →
CISA.MS.AAD.7.4 Permanent active role assignments SHALL NOT be allowed for highly privileged roles. En Entra CISA High Failing details →
CISA.MS.AAD.7.5 Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. En Entra CISA High Failing details →
CISA.MS.AAD.7.6 Activation of the Global Administrator role SHALL require approval. En Entra CISA High Passing details →
CISA.MS.AAD.7.7 Eligible and Active highly privileged role assignments SHALL trigger an alert. En Entra CISA High Accepted details →
CISA.MS.AAD.7.8 User activation of the Global Administrator role SHALL trigger an alert. En Entra CISA High Passing details →
CISA.MS.AAD.7.9 User activation of other highly privileged roles SHOULD trigger an alert. En Entra CISA High Failing details →
CISA.MS.AAD.8.1 Guest users SHOULD have limited or restricted access to Entra ID directory objects. En Entra CISA Medium Passing details →
CISA.MS.AAD.8.2 Only users with the Guest Inviter role SHOULD be able to invite guest users. En Entra CISA High Failing details →
CISA.MS.AAD.8.3 Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. En Entra CISA Medium Failing details →
CISA.MS.SHAREPOINT.1.1 External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization. Sp SharePoint CISA Medium Failing details →
CISA.MS.SHAREPOINT.1.3 External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. Sp SharePoint CISA High Failing details →
EIDSCA.AF01 Authentication Method - FIDO2 security key - State. En Entra EIDSCA High Passing details →
EIDSCA.AF02 Authentication Method - FIDO2 security key - Allow self-service set up. En Entra EIDSCA Medium Passing details →
EIDSCA.AF03 Authentication Method - FIDO2 security key - Enforce attestation. En Entra EIDSCA High Failing details →
EIDSCA.AF04 Authentication Method - FIDO2 security key - Enforce key restrictions. En Entra EIDSCA High Failing details →
EIDSCA.AG01 Authentication Method - General Settings - Manage migration. En Entra EIDSCA High Passing details →
EIDSCA.AG02 Authentication Method - General Settings - Report suspicious activity - State. En Entra EIDSCA Medium Failing details →
EIDSCA.AG03 Authentication Method - General Settings - Report suspicious activity - Included users/groups. En Entra EIDSCA Medium Passing details →
EIDSCA.AM01 Authentication Method - Microsoft Authenticator - State. En Entra EIDSCA High Passing details →
EIDSCA.AM02 Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. En Entra EIDSCA Medium Failing details →
EIDSCA.AM03 Authentication Method - Microsoft Authenticator - Require number matching for push notifications. En Entra EIDSCA Medium Passing details →
EIDSCA.AM04 Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. En Entra EIDSCA Medium Passing details →
EIDSCA.AM06 Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. En Entra EIDSCA Medium Passing details →
EIDSCA.AM07 Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. En Entra EIDSCA Medium Passing details →
EIDSCA.AM09 Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. En Entra EIDSCA Medium Passing details →
EIDSCA.AM10 Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. En Entra EIDSCA Medium Passing details →
EIDSCA.AP01 Default Authorization Settings - Enabled Self service password reset for administrators. En Entra EIDSCA High Passing details →
EIDSCA.AP04 Default Authorization Settings - Guest invite restrictions. En Entra EIDSCA Medium Failing details →
EIDSCA.AP05 Default Authorization Settings - Sign-up for email based subscription. En Entra EIDSCA Medium Failing details →
EIDSCA.AP06 Default Authorization Settings - User can join the tenant by email validation. En Entra EIDSCA Medium Failing details →
EIDSCA.AP07 Default Authorization Settings - Guest user access. En Entra EIDSCA High Passing details →
EIDSCA.AP08 Default Authorization Settings - User consent policy assigned for applications. En Entra EIDSCA Medium Passing details →
EIDSCA.AP09 Default Authorization Settings - Allow user consent on risk-based apps. En Entra EIDSCA Medium Passing details →
EIDSCA.AP10 Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. En Entra EIDSCA High Passing details →
EIDSCA.AP14 Default Authorization Settings - Default User Role Permissions - Allowed to read other users. En Entra EIDSCA High Passing details →
EIDSCA.AS04 Authentication Method - SMS - Use for sign-in. En Entra EIDSCA High Passing details →
EIDSCA.AT01 Authentication Method - Temporary Access Pass - State. En Entra EIDSCA High Passing details →
EIDSCA.AT02 Authentication Method - Temporary Access Pass - One-time. En Entra EIDSCA High Passing details →
EIDSCA.AV01 Authentication Method - Voice call - State. En Entra EIDSCA High Passing details →
EIDSCA.CP03 Default Settings - Consent Policy Settings - Block user consent for risky apps. En Entra EIDSCA High Passing details →
EIDSCA.CP04 Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. En Entra EIDSCA Medium Failing details →
EIDSCA.CR01 Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. En Entra EIDSCA High Failing details →
EIDSCA.PR01 Default Settings - Password Rule Settings - Password Protection - Mode. En Entra EIDSCA High Failing details →
EIDSCA.PR02 Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. En Entra EIDSCA High Passing details →
EIDSCA.PR03 Default Settings - Password Rule Settings - Enforce custom list. En Entra EIDSCA Medium Passing details →
EIDSCA.PR05 Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. En Entra EIDSCA Medium Passing details →
EIDSCA.PR06 Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. En Entra EIDSCA Medium Failing details →
EIDSCA.ST08 Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. En Entra EIDSCA Medium Passing details →
EIDSCA.ST09 Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. En Entra EIDSCA Medium Passing details →
MT.1001 At least one Conditional Access policy is configured with device compliance. En Entra Maester Medium Passing details →
MT.1002 App management restrictions on applications and service principals is configured and enabled. En Entra Maester High Passing details →
MT.1003 At least one Conditional Access policy is configured with All Apps. En Entra Maester High Passing details →
MT.1004 At least one Conditional Access policy is configured with All Apps and All Users. En Entra Maester High Passing details →
MT.1005 All Conditional Access policies are configured to exclude at least one emergency/break glass account or group. En Entra Maester High Failing details →
MT.1006 At least one Conditional Access policy is configured to require MFA for admins. En Entra Maester High Passing details →
MT.1007 At least one Conditional Access policy is configured to require MFA for all users. En Entra Maester High Passing details →
MT.1008 At least one Conditional Access policy is configured to require MFA for Azure management. En Entra Maester High Passing details →
MT.1009 At least one Conditional Access policy is configured to block other legacy authentication. En Entra Maester High Failing details →
MT.1010 At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync. En Entra Maester High Failing details →
MT.1011 At least one Conditional Access policy is configured to secure security info registration only from a trusted location. En Entra Maester High Failing details →
MT.1012 At least one Conditional Access policy is configured to require MFA for risky sign-ins. En Entra Maester High Failing details →
MT.1013 At least one Conditional Access policy is configured to require new password when user risk is high. En Entra Maester High Failing details →
MT.1014 At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins. En Entra Maester High Failing details →
MT.1015 At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms. En Entra Maester Medium Passing details →
MT.1016 At least one Conditional Access policy is configured to require MFA for guest access. En Entra Maester High Passing details →
MT.1017 At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices. En Entra Maester High Failing details →
MT.1018 At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices. En Entra Maester Medium Failing details →
MT.1019 At least one Conditional Access policy is configured to enable application enforced restrictions. En Entra Maester Medium Failing details →
MT.1022 All users utilizing a P1 license should be licensed. En Entra Maester Medium Passing details →
MT.1023 All users utilizing a P2 license should be licensed. En Entra Maester Medium Passing details →
MT.1024.adminMFAV2 Require multifactor authentication for administrative roles. En Entra Maester High Failing details →
MT.1024.applicationCredentialExpiry Renew expiring application credentials. En Entra Maester High Failing details →
MT.1024.blockLegacyAuthentication Enable policy to block legacy authentication. En Entra Maester High Failing details →
MT.1024.DefenderForIdentityIsNotInstalled Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.. En Entra Maester Low Failing details →
MT.1024.insiderRiskPolicy Protect your tenant with Insider Risk condition in Conditional Access policy. En Entra Maester Medium Failing details →
MT.1024.integratedApps Do not allow users to grant consent to unreliable applications. En Entra Maester Medium Passing details →
MT.1024.mfaRegistrationV2 Ensure all users can complete multifactor authentication. En Entra Maester High Failing details →
MT.1024.oneAdmin Designate more than one global admin. En Entra Maester Low Passing details →
MT.1024.passwordHashSync Enable password hash sync if hybrid. En Entra Maester Medium Failing details →
MT.1024.pwagePolicyNew Do not expire passwords. En Entra Maester High Passing details →
MT.1024.roleOverlap Use least privileged administrative roles . En Entra Maester Low Passing details →
MT.1024.selfServicePasswordReset Enable self-service password reset. En Entra Maester Low Passing details →
MT.1024.servicePrincipalKeyExpiry Renew expiring service principal credentials. En Entra Maester High Passing details →
MT.1024.signinRiskPolicy Protect all users with a sign-in risk policy. En Entra Maester High Failing details →
MT.1024.staleAppCreds Remove unused credentials from applications. En Entra Maester Medium Failing details →
MT.1024.staleApps Remove unused applications. En Entra Maester Medium Failing details →
MT.1024.userRiskPolicy Protect all users with a user risk policy . En Entra Maester High Failing details →
MT.1025 No external user with permanent role assignment on Control Plane. En Entra Maester High Failing details →
MT.1026 No hybrid user with permanent role assignment on Control Plane. En Entra Maester High Failing details →
MT.1027 No Service Principal with Client Secret and permanent role assignment on Control Plane. En Entra Maester High Failing details →
MT.1028 No user with mailbox and permanent role assignment on Control Plane. En Entra Maester High Failing details →
MT.1029 Stale accounts are not assigned to privileged roles. En Entra Maester High Passing details →
MT.1030 Eligible role assignments on Control Plane are in use by administrators. En Entra Maester High Failing details →
MT.1031 Privileged role on Control Plane are managed by PIM only. En Entra Maester High Failing details →
MT.1032 Limited number of Global Admins are assigned. En Entra Maester High Failing details →
MT.1035 All security groups assigned to Conditional Access Policies should be protected by RMAU. En Entra Maester High Failing details →
MT.1036 All excluded objects should have a fallback include in another policy. En Entra Maester Medium Failing details →
MT.1038 Conditional Access policies should not include or exclude deleted groups. En Entra Maester Medium Failing details →
MT.1045 Only invited users should be automatically admitted to Teams meetings Te Teams Maester Medium Failing details →
MT.1049 Conditional Access policies for User Risk and Sign-in Risk should be configured separately. En Entra Maester High Failing details →
MT.1052 At least one Conditional Access policy is targeting the Device Code authentication flow. En Entra Maester High Passing details →
MT.1053 Ensure intune device clean-up rule is configured In Intune Maester Medium Failing details →
MT.1054 Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant' In Intune Maester Medium Failing details →
MT.1055 Microsoft 365 Group (and Team) creation should be restricted to approved users. En Entra Maester Medium Passing details →
MT.1061 Device registration MFA control conflicts with Conditional Access policies. En Entra Maester Medium Passing details →
MT.1066 Conditional Access policies should not reference non-existent users, groups, or roles. En Entra Maester Medium Failing details →
MT.1067 Authentication method policies should not reference non-existent groups. En Entra Maester Medium Passing details →
MT.1068 Restrict non-admin users from creating tenants. En Entra Maester Medium Passing details →
MT.1069 Restrict non-admin users from creating security groups. En Entra Maester Low Passing details →
MT.1070 Restrict device join to selected users/groups or none. En Entra Maester Medium Passing details →
MT.1071 At least one Conditional Access policy explicitly includes Azure DevOps. En Entra Maester Medium Failing details →
MT.1072 Conditional access policies should not use the deprecated Approved Client App grant. En Entra Maester High Passing details →
MT.1073 Soft- and hard-matching of synchronized objects should be blocked. En Entra Maester Medium Failing details →
MT.1074 Ensure no more then 100 outbound mails per day are send using the .onmicrosoft.com domain Ex Exchange Maester Medium Passing details →
MT.1076 MOERA SHOULD NOT be used for sent mail Ex Exchange Maester High Passing details →
MT.1084 Microsoft Entra seamless single sign-on should be disabled for all domains in EntraID Connect servers. En Entra Maester High Passing details →
MT.1085 Pending approvals for Critical Asset Management should not be present. Xm Exposure Mgmt Exposure Management Medium Passing details →
MT.1090 Global administrator role should not be added as local administrator on the device during Microsoft Entra join En Entra Maester Medium Failing details →
MT.1091 Registering user should not be added as local administrator on the device during Microsoft Entra join En Entra Maester Medium Failing details →
MT.1092 Intune APNS certificate should be valid for more than 30 days In Intune Maester High Failing details →
MT.1096 Ensure at least one Intune Multi Admin Approval policy is configured In Intune Maester Medium Passing details →
MT.1099 Windows Diagnostic Data Processing should be enabled In Intune Maester Low Failing details →
MT.1101 Default Branding Profile should be customized In Intune Maester Low Passing details →
MT.1103 Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups In Intune Maester High Passing details →
MT.1105 Ensure MDM Authority is set to Intune In Intune Maester Low Passing details →
MT.1106 Catalog resources must have valid roles (no stale / removed app roles or SPNs). En Entra Maester Medium Passing details →
MT.1107 Access packages and catalogs should not reference deleted groups. En Entra Maester Medium Passing details →
MT.1108 Access packages should not reference inactive or orphaned assignment policies. En Entra Maester Medium Failing details →
MT.1109 Access package approval workflows must have valid approvers. En Entra Maester Medium Passing details →
MT.1110 No catalog should contain resources without any associated access packages. En Entra Maester Medium Failing details →
MT.1123 Ensure BitLocker full disk encryption is configured In Intune Maester High Failing details →
MT.1147 Do not sync krbtgt_AzureAD to Entra ID. En Entra Maester High Passing details →
AZDO.1000 Azure DevOps OAuth apps can access resources in your organization through OAuth. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1001 Identities can connect to your organization's Git repos through SSH. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1002 Log Audit Events. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1003 Restrict public projects. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1004 Additional protections when using public package registries. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1005 IP Conditional Access policy validation. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1006 External Users access. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1007 Team and project administrator are allowed to invite new users. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1008 Request access to Azure DevOps by e-mail notifications to administrators. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1009 Feedback Collection. Ad Azure DevOps Azure DevOps Info Skipped details →
AZDO.1010 Audit streaming. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1011 Project Resource Limits. Ad Azure DevOps Azure DevOps Info Skipped details →
AZDO.1012 Work Items Tags Limits. Ad Azure DevOps Azure DevOps Info Skipped details →
AZDO.1013 Organization Owner should not be an individual. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1014 Anonymous access to pipeline badges. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1015 Limit variables that can be set at queue time. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1016 Limit job authorization scope to current project for non-release pipelines. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1017 Limit job authorization scope to current project for classic release pipelines. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1018 Protect access to repositories in YAML pipelines. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1019 Stage chooser. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1020 Creation of classic build pipelines. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1021 Creation of classic release pipelines. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1022 Limit building pull requests from forked GitHub repositories. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1023 Disable Marketplace tasks. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1024 Disable Node 6 tasks. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1025 Enable shell tasks arguments validation. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1026 Enable automatic enrollment to Advanced Security for Azure DevOps. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1027 Disable showing Gravatar images for users outside of your enterprise. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1028 Disable creation of TFVC repositories. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1029 Storage Usage Limit. Ad Azure DevOps Azure DevOps Medium Skipped details →
AZDO.1030 Project Collection Administrators. Ad Azure DevOps Azure DevOps Critical Skipped details →
AZDO.1031 Validate SSH Key Expiration. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1032 (Tenant) Restrict creation of global Personal Access Tokens. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1033 (Tenant) Enable automatic revocation of leaked Personal Access Tokens. Ad Azure DevOps Azure DevOps Critical Skipped details →
AZDO.1034 (Tenant) Restrict creation of new Azure DevOps organizations. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1035 (Tenant) Restrict Personal Access Token lifespan. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1036 (Tenant) Restrict Personal Access Token full scope. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1037 (Organization) Restrict Personal Access Token creation. Ad Azure DevOps Azure DevOps High Skipped details →
AZDO.1038 (Organization) Disallow extensions from accessing resources on the local network. Ad Azure DevOps Azure DevOps Medium Skipped details →
CIS.M365.1.2.2 Ensure sign-in to shared mailboxes is blocked En Entra CIS High Skipped details →
CIS.M365.1.3.3 Ensure 'External sharing' of calendars is not available En Entra CIS Medium Skipped details →
CIS.M365.1.3.6 Ensure the customer lockbox feature is enabled En Entra CIS High Skipped details →
CIS.M365.2.1.1 Ensure Safe Links for Office Applications is Enabled (Only Checks Priority 0 Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.11 Ensure comprehensive attachment filtering is applied Do Defender O365 CIS High Skipped details →
CIS.M365.2.1.12 Ensure the connection filter IP allow list is not used (Only Checks Default Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.13 Ensure the connection filter safe list is off (Only Checks Default Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.2 Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.3 Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.4 Ensure Safe Attachments policy is enabled (Only Checks Default Policy) Do Defender O365 CIS High Skipped details →
CIS.M365.2.1.5 Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled Do Defender O365 CIS High Skipped details →
CIS.M365.2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.7 Ensure that an anti-phishing policy has been created (Only Checks Default Policy) Do Defender O365 CIS Medium Skipped details →
CIS.M365.2.1.9 Ensure that DKIM is enabled for all Exchange Online Domains Do Defender O365 CIS High Skipped details →
CIS.M365.2.4.4 Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) Do Defender O365 CIS Medium Skipped details →
CIS.M365.3.1.1 Ensure Microsoft 365 audit log search is Enabled Pv Purview CIS High Skipped details →
CIS.M365.6.5.3 Ensure additional storage providers are restricted in Outlook on the web Ex Exchange CIS Unknown Skipped details →
CIS.M365.8.1.1 Ensure external file sharing in Teams is enabled for only approved cloud storage services Te Teams CIS Medium Skipped details →
CIS.M365.8.2.2 Ensure communication with unmanaged Teams users is disabled Te Teams CIS Medium Skipped details →
CIS.M365.8.2.3 Ensure external Teams users cannot initiate conversations Te Teams CIS Unknown Skipped details →
CIS.M365.8.4.1 Ensure all or a majority of third-party and custom apps are blocked Te Teams CIS High Skipped details →
CIS.M365.8.5.3 Ensure only people in my org can bypass the lobby Te Teams CIS Medium Skipped details →
CIS.M365.8.6.1 Ensure users can report security concerns in Teams to internal destination Te Teams CIS Medium Skipped details →
CISA.MS.AAD.4.1 Security logs SHALL be sent to the agency's security operations center for monitoring. En Entra CISA High Skipped details →
CISA.MS.AAD.5.4 Group owners SHALL NOT be allowed to consent to applications. En Entra CISA High Skipped details →
CISA.MS.EXO.1.1 Automatic forwarding to external domains SHALL be disabled. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.10.1 Emails SHALL be scanned for malware. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.10.2 Emails identified as containing malware SHALL be quarantined or dropped. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.10.3 Email scanning SHALL be capable of reviewing emails after delivery. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.11.1 Impersonation protection checks SHOULD be used. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.11.2 User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.11.3 The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.12.1 IP allow lists SHOULD NOT be created. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.12.2 Safe lists SHOULD NOT be enabled. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.13.1 Mailbox auditing SHALL be enabled. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.14.1 A spam filter SHALL be enabled. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.14.2 Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.14.3 Allowed domains SHALL NOT be added to inbound anti-spam protection policies. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.14.4 If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.15.1 URL comparison with a block-list SHOULD be enabled. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.15.2 Direct download links SHOULD be scanned for malware. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.15.3 User click tracking SHOULD be enabled. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.16.1 Alerts SHALL be enabled. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.16.2 Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.17.1 Microsoft Purview Audit (Standard) logging SHALL be enabled. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.17.2 Microsoft Purview Audit (Premium) logging SHALL be enabled. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.17.3 Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.2.1 A list of approved IP addresses for sending mail SHALL be maintained. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.2.2 An SPF policy SHALL be published for each domain, designating only these addresses as approved senders. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.3.1 DKIM SHOULD be enabled for all domains. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.4.1 A DMARC policy SHALL be published for every second-level domain. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.4.2 The DMARC message rejection option SHALL be p=reject. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.4.3 The DMARC point of contact for aggregate reports SHALL include [email protected]. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.5.1 SMTP AUTH SHALL be disabled. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.6.1 Contact folders SHALL NOT be shared with all domains. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.6.2 Calendar details SHALL NOT be shared with all domains. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.7.1 External sender warnings SHALL be implemented. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.8.1 A DLP solution SHALL be used. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.8.2 The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.8.3 The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.8.4 At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.9.1 Emails SHALL be filtered by attachment file types. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.9.2 The attachment filter SHOULD attempt to determine the true file type and assess the file extension. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.9.3 Disallowed file types SHALL be determined and enforced. Ex Exchange CISA High Skipped details →
CISA.MS.EXO.9.4 Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. Ex Exchange CISA Medium Skipped details →
CISA.MS.EXO.9.5 At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). Ex Exchange CISA High Skipped details →
EIDSCA.AF05 Authentication Method - FIDO2 security key - Restricted. En Entra EIDSCA High Skipped details →
EIDSCA.AF06 Authentication Method - FIDO2 security key - Restrict specific keys. En Entra EIDSCA Medium Skipped details →
EIDSCA.CP01 Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. En Entra EIDSCA High Skipped details →
EIDSCA.CR02 Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. En Entra EIDSCA Medium Skipped details →
EIDSCA.CR03 Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. En Entra EIDSCA Medium Skipped details →
EIDSCA.CR04 Consent Framework - Admin Consent Request - Consent request duration (days). En Entra EIDSCA High Skipped details →
MT.1020 All Conditional Access policies are configured to exclude Directory/OnPremises synchronization accounts or do not scope them. En Entra Maester High Failing details →
MT.1021 Security Defaults are enabled. En Entra Maester High Skipped details →
MT.1033.0 User should be blocked from using legacy authentication ([email protected]) En Entra Maester High Skipped details →
MT.1033.1 User should be blocked from using legacy authentication ([email protected]) En Entra Maester High Skipped details →
MT.1033.2 User should be blocked from using legacy authentication ([email protected]) En Entra Maester High Skipped details →
MT.1033.3 User should be blocked from using legacy authentication ([email protected]) En Entra Maester High Skipped details →
MT.1033.4 User should be blocked from using legacy authentication ([email protected]) En Entra Maester High Skipped details →
MT.1037 Only users with Presenter role are allowed to present in Teams meetings Te Teams Maester High Skipped details →
MT.1039 Ensure MailTips are enabled for end users Ex Exchange Maester Low Skipped details →
MT.1041 Ensure users installing Outlook add-ins is not allowed Ex Exchange Maester High Skipped details →
MT.1042 Restrict dial-in users from bypassing a meeting lobby Te Teams Maester Medium Skipped details →
MT.1043 Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains Ex Exchange Maester Medium Skipped details →
MT.1044 Ensure modern authentication for Exchange Online is enabled Ex Exchange Maester High Skipped details →
MT.1046 Restrict anonymous users from joining meetings Te Teams Maester Medium Skipped details →
MT.1047 Restrict anonymous users from starting Teams meetings Te Teams Maester Medium Skipped details →
MT.1048 Limit external participants from having control in a Teams meeting Te Teams Maester Medium Skipped details →
MT.1050 Apps with high-risk permissions having a direct path to Global Admin En Entra Maester High Skipped details →
MT.1051 Apps with high-risk permissions having an indirect path to Global Admin En Entra Maester High Skipped details →
MT.1056 Ensure that no person has permanent access to all Azure subscriptions at the root scope Az Azure AzureConfig High Skipped details →
MT.1057 App registrations should no longer use secrets. En Entra Maester Medium Skipped details →
MT.1058 Exchange application access policies must be configured. En Entra Maester Medium Skipped details →
MT.1062 Ensure Direct Send is set to be rejected Ex Exchange Maester Medium Skipped details →
MT.1063 All App registration owners should have MFA registered En Entra Maester High Skipped details →
MT.1064 Ensure that write permissions are required to create new management groups Az Azure AzureConfig High Skipped details →
MT.1065 Ensure all Recovery Services Vaults have soft delete enabled Az Azure AzureConfig High Skipped details →
MT.1075 Require explicit assignment of Third Party Entra Apps. En Entra Maester Medium Skipped details →
MT.1077 App registrations with privileged API permissions should not have owners. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1078 App registrations with highly privileged directory roles should not have owners. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1079 Privileged API permissions on service principals should not remain unused. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1080 Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1081 Hybrid users should not be assigned Entra ID role assignments. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1083 Ensure Delicensing Resiliency is enabled Ex Exchange Maester Low Skipped details →
MT.1086 Devices should not share both critical and non-critical user credentials. Xm Exposure Mgmt Exposure Management Low Skipped details →
MT.1087 Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVE's. Xm Exposure Mgmt Exposure Management High Skipped details →
MT.1088 Devices with critical credentials should be protected by TPM. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1089 Devices with critical credentials should be protected by Credential Guard. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1093 Apple Automated Device Enrollment Tokens should be valid for more than 30 days In Intune Maester High Skipped details →
MT.1094 Apple Volume Purchase Program Tokens should be valid for more than 30 days In Intune Maester High Skipped details →
MT.1095 Android Enterprise account connection should be healthy In Intune Maester High Skipped details →
MT.1097 Ensure all Intune Certificate Connectors are healthy and running supported versions In Intune Maester High Skipped details →
MT.1098 Mobile Threat Defense Connectors should be healthy In Intune Maester Critical Skipped details →
MT.1100 Intune Diagnostic Settings should include Audit Logs In Intune Maester High Skipped details →
MT.1102 Windows Feature Update Policy Settings should not reference end of support builds In Intune Maester High Skipped details →
MT.1111 High privileged user should be linked to an identity. Xm Exposure Mgmt Exposure Management Low Skipped details →
MT.1112 Privileged user accounts should not remain enabled when the linked primary account is disabled. Xm Exposure Mgmt Exposure Management Medium Skipped details →
MT.1113 AI agents should not be shared with broad access control policies. Co Copilot Copilot Studio Agent Security High Skipped details →
MT.1114 AI agents should require user authentication. Co Copilot Copilot Studio Agent Security High Skipped details →
MT.1115 AI agents should not have risky HTTP configurations. Co Copilot Copilot Studio Agent Security Medium Skipped details →
MT.1116 AI agents should not send email with AI-controlled inputs. Co Copilot Copilot Studio Agent Security High Skipped details →
MT.1117 Published AI agents should not be dormant. Co Copilot Copilot Studio Agent Security Low Skipped details →
MT.1118 AI agents should not use author (maker) authentication for connections. Co Copilot Copilot Studio Agent Security Medium Skipped details →
MT.1119 AI agents should not have hard-coded credentials in topics. Co Copilot Copilot Studio Agent Security High Skipped details →
MT.1120 AI agents should not use MCP server tools without review. Co Copilot Copilot Studio Agent Security Medium Skipped details →
MT.1121 AI agents with generative orchestration should have custom instructions. Co Copilot Copilot Studio Agent Security Medium Skipped details →
MT.1122 AI agents should not have orphaned ownership. Co Copilot Copilot Studio Agent Security Medium Skipped details →
MT.1148 Archive Scanning should be enabled. Df Defender Maester High Skipped details →
MT.1149 Behavior Monitoring should be enabled. Df Defender Maester High Skipped details →
MT.1150 Cloud Protection should be enabled. Df Defender Maester High Skipped details →
MT.1151 Email Scanning should be enabled. Df Defender Maester High Skipped details →
MT.1152 Script Scanning should be enabled. Df Defender Maester High Skipped details →
MT.1153 Real-time Monitoring should be enabled. Df Defender Maester High Skipped details →
MT.1154 Full Scan Removable Drives should be enabled. Df Defender Maester High Skipped details →
MT.1155 Full Scan Mapped Drives should be disabled for performance. Df Defender Maester High Skipped details →
MT.1156 Scanning Network Files should be enabled. Df Defender Maester High Skipped details →
MT.1157 CPU Load Factor should be optimized (20-30%). Df Defender Maester High Skipped details →
MT.1158 Scan should be scheduled. Df Defender Maester High Skipped details →
MT.1159 Quick Scan Time configuration is not required. Df Defender Maester High Skipped details →
MT.1160 Signatures should be checked before scan. Df Defender Maester High Skipped details →
MT.1161 Cloud Block Level should be High or higher. Df Defender Maester High Skipped details →
MT.1162 Cloud Extended Timeout should be 30-50 seconds. Df Defender Maester High Skipped details →
MT.1163 Signature Update Interval should be 1-4 hours. Df Defender Maester High Skipped details →
MT.1164 PUA Protection should be enabled. Df Defender Maester High Skipped details →
MT.1165 Network Protection should be enabled. Df Defender Maester High Skipped details →
MT.1166 Local Admin Merge should be disabled. Df Defender Maester High Skipped details →
MT.1167 Real-Time Scan Direction should cover both directions. Df Defender Maester High Skipped details →
MT.1168 Cleaned Malware should be retained for at least 30 days. Df Defender Maester High Skipped details →
MT.1169 Catch-up Full Scan should be disabled. Df Defender Maester High Skipped details →
MT.1170 Catch-up Quick Scan should be disabled. Df Defender Maester High Skipped details →
MT.1171 Sample Submission should send safe samples automatically. Df Defender Maester High Skipped details →
ORCA.100 Bulk Complaint Level threshold is between 4 and 6. Do Defender O365 ORCA Medium Skipped details →
ORCA.101 Bulk is marked as spam. Do Defender O365 ORCA Medium Skipped details →
ORCA.102 Advanced Spam filter options are turned off. Do Defender O365 ORCA Medium Skipped details →
ORCA.103 Outbound spam filter policy settings configured. Do Defender O365 ORCA Medium Skipped details →
ORCA.104 High Confidence Phish action set to Quarantine message. Do Defender O365 ORCA High Skipped details →
ORCA.105 Safe Links Synchronous URL detonation is enabled. Do Defender O365 ORCA Medium Skipped details →
ORCA.106 Quarantine retention period is 30 days. Do Defender O365 ORCA Medium Skipped details →
ORCA.107 End-user spam notification is enabled. Do Defender O365 ORCA Low Skipped details →
ORCA.108 DKIM signing is set up for all your custom domains. Do Defender O365 ORCA Medium Skipped details →
ORCA.108.1 DNS Records have been set up to support DKIM. Do Defender O365 ORCA Medium Skipped details →
ORCA.109 Senders are not being allow listed in an unsafe manner. Do Defender O365 ORCA Medium Skipped details →
ORCA.110 Internal Sender notifications are disabled. Do Defender O365 ORCA Medium Skipped details →
ORCA.111 Anti-phishing policy exists and EnableUnauthenticatedSender is true. Do Defender O365 ORCA High Skipped details →
ORCA.112 Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy. Do Defender O365 ORCA Medium Skipped details →
ORCA.113 AllowClickThrough is disabled in Safe Links policies. Do Defender O365 ORCA Medium Skipped details →
ORCA.114 No IP Allow Lists have been configured. Do Defender O365 ORCA High Skipped details →
ORCA.115 Mailbox intelligence based impersonation protection is enabled in anti-phishing policies. Do Defender O365 ORCA Medium Skipped details →
ORCA.116 Mailbox intelligence based impersonation protection action set to move message to junk mail folder. Do Defender O365 ORCA Medium Skipped details →
ORCA.118.1 Domains are not being allow listed in an unsafe manner in Anti-Spam Policies. Do Defender O365 ORCA High Skipped details →
ORCA.118.2 Domains are not being allow listed in an unsafe manner in Transport Rules. Do Defender O365 ORCA High Skipped details →
ORCA.118.3 Your own domains are not being allow listed in an unsafe manner in Anti-Spam Policies. Do Defender O365 ORCA Medium Skipped details →
ORCA.118.4 Your own domains are not being allow listed in an unsafe manner in Transport Rules. Do Defender O365 ORCA Medium Skipped details →
ORCA.119 Similar Domains Safety Tips is enabled. Do Defender O365 ORCA Info Skipped details →
ORCA.120.1 Zero Hour Autopurge Enabled for Phish. Do Defender O365 ORCA Medium Skipped details →
ORCA.120.2 Zero Hour Autopurge Enabled for Malware. Do Defender O365 ORCA Medium Skipped details →
ORCA.120.3 Zero Hour Autopurge Enabled for Spam. Do Defender O365 ORCA Medium Skipped details →
ORCA.121 Supported filter policy action used. Do Defender O365 ORCA Low Skipped details →
ORCA.123 Unusual Characters Safety Tips is enabled. Do Defender O365 ORCA Info Skipped details →
ORCA.124 Safe attachments unknown malware response set to block messages. Do Defender O365 ORCA High Skipped details →
ORCA.139 Spam action set to move message to junk mail folder or quarantine. Do Defender O365 ORCA Low Skipped details →
ORCA.140 High Confidence Spam action set to Quarantine message. Do Defender O365 ORCA High Skipped details →
ORCA.141 Bulk action set to Move message to Junk Email Folder. Do Defender O365 ORCA Medium Skipped details →
ORCA.142 Phish action set to Quarantine message. Do Defender O365 ORCA Medium Skipped details →
ORCA.143 Safety Tips are enabled. Do Defender O365 ORCA Info Skipped details →
ORCA.156 Safe Links Policies are tracking when user clicks on safe links. Do Defender O365 ORCA Medium Skipped details →
ORCA.158 Safe Attachments is enabled for SharePoint and Teams. Do Defender O365 ORCA Medium Skipped details →
ORCA.179 Safe Links is enabled intra-organization. Do Defender O365 ORCA Medium Skipped details →
ORCA.180 Anti-phishing policy exists and EnableSpoofIntelligence is true. Do Defender O365 ORCA Medium Skipped details →
ORCA.189 Safe Attachments is not bypassed. Do Defender O365 ORCA Medium Skipped details →
ORCA.189.2 Safe Links is not bypassed. Do Defender O365 ORCA High Skipped details →
ORCA.205 Common attachment type filter is enabled. Do Defender O365 ORCA Medium Skipped details →
ORCA.220 Advanced Phish filter Threshold level is adequate. Do Defender O365 ORCA Medium Skipped details →
ORCA.221 Mailbox intelligence is enabled in anti-phishing policies. Do Defender O365 ORCA Medium Skipped details →
ORCA.222 Domain Impersonation action is set to move to Quarantine. Do Defender O365 ORCA Medium Skipped details →
ORCA.223 User impersonation action is set to move to Quarantine. Do Defender O365 ORCA High Skipped details →
ORCA.224 Similar Users Safety Tips is enabled. Do Defender O365 ORCA Info Skipped details →
ORCA.225 Safe Documents is enabled for Office clients. Do Defender O365 ORCA Medium Skipped details →
ORCA.226 Each domain has a Safe Link policy applied to it. Do Defender O365 ORCA Medium Skipped details →
ORCA.227 Each domain has a Safe Attachments policy applied to it. Do Defender O365 ORCA Medium Skipped details →
ORCA.228 No trusted senders in Anti-phishing policy. Do Defender O365 ORCA High Skipped details →
ORCA.229 No trusted domains in Anti-phishing policy. Do Defender O365 ORCA Medium Skipped details →
ORCA.230 Each domain has a Anti-phishing policy applied to it, or the default policy is being used. Do Defender O365 ORCA Medium Skipped details →
ORCA.231 Each domain has a anti-spam policy applied to it, or the default policy is being used. Do Defender O365 ORCA Medium Skipped details →
ORCA.232 Each domain has a malware filter policy applied to it, or the default policy is being used. Do Defender O365 ORCA High Skipped details →
ORCA.233 Domains are pointed directly at EOP or enhanced filtering is used. Do Defender O365 ORCA Medium Skipped details →
ORCA.233.1 Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors. Do Defender O365 ORCA Medium Skipped details →
ORCA.234 Click through is disabled for Safe Documents. Do Defender O365 ORCA Medium Skipped details →
ORCA.235 SPF records is set up for all your custom domains. Do Defender O365 ORCA Medium Skipped details →
ORCA.236 Safe Links is enabled for emails. Do Defender O365 ORCA Medium Skipped details →
ORCA.237 Safe Links is enabled for teams messages. Do Defender O365 ORCA Medium Skipped details →
ORCA.238 Safe Links is enabled for office documents. Do Defender O365 ORCA Medium Skipped details →
ORCA.239 No exclusions for the built-in protection policies. Do Defender O365 ORCA High Skipped details →
ORCA.240 Outlook is configured to display external tags for external emails. Do Defender O365 ORCA Medium Skipped details →
ORCA.241 Anti-phishing policy exists and EnableFirstContactSafetyTips is true. Do Defender O365 ORCA Medium Skipped details →
ORCA.242 Important protection alerts responsible for AIR activities are enabled. Do Defender O365 ORCA High Skipped details →
ORCA.243 Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO. Do Defender O365 ORCA Medium Skipped details →
ORCA.244 Policies are configured to honor sending domains DMARC. Do Defender O365 ORCA Medium Skipped details →
ZT.22659 All risky workload identity sign-ins are triaged En Entra Zero Trust High Skipped details →
ZT.21778 Line-of-business and partner apps use MSAL ·· Other Zero Trust Medium Skipped details →
ZT.25481 All Private Access apps have user or group assignments Ga Secure Access Zero Trust High Skipped details →
ZT.25533 DDoS Protection is enabled for all Public IP Addresses in VNETs Ga Secure Access Zero Trust High Failing details →
ZT.21897 All app assignment and group membership is governed En Entra Zero Trust Medium Skipped details →
ZT.35024 Azure RMS Licensing Enabled Pv Purview Zero Trust High Passing details →
ZT.27016 Rate Limiting is Enabled in Application Gateway WAF Ga Secure Access Zero Trust High Skipped details →
ZT.26889 Diagnostic logging is enabled in Azure Front Door WAF Ga Secure Access Zero Trust High Skipped details →
ZT.21788 Global Administrators don't have standing elevated access to all Azure subscriptions in the tenant En Entra Zero Trust High Failing details →
ZT.1ff0b4c9-ed56-4de6-be9c-d7ab39645926 Disabled accounts with read and write permissions on Azure resources should be removed Az Azure Zero Trust High Passing details →
ZT.24576 Intune Endpoint Analytics policy is created and assigned In Intune Zero Trust Low Failing details →
ZT.21874 Allow/Deny lists of domains to restrict external collaboration are configured En Entra Zero Trust Medium Failing details →
ZT.35017 Default label configured for sensitivity labels Pv Purview Zero Trust Medium Passing details →
ZT.25391 Private network connectors are active and healthy to maintain Zero Trust access to internal resources Ga Secure Access Zero Trust Medium Skipped details →
ZT.21790 Outbound cross-tenant access settings are configured En Entra Zero Trust High Failing details →
ZT.21804 Weak authentication methods are disabled En Entra Zero Trust High Failing details →
ZT.26884 Bot protection rule set is enabled and assigned in Azure Front Door WAF Ga Secure Access Zero Trust High Skipped details →
ZT.25383 Global and GSA admin privileges are tightly limited to prevent tenant-wide compromise Ga Secure Access Zero Trust High Failing details →
ZT.24823 Company Portal branding and support settings enhance user experience and trust In Intune Zero Trust Medium Failing details →
ZT.21838 Security key authentication method enabled En Entra Zero Trust High Passing details →
ZT.21808 Restrict device code flow En Entra Zero Trust High Passing details →
ZT.21801 Users have strong authentication methods configured En Entra Zero Trust Medium Failing details →
ZT.21881 Azure subscriptions used by Identity Governance are secured consistently with Identity Governance roles En Entra Zero Trust High Skipped details →
ZT.25409 Web content filtering uses category-based rules Ga Secure Access Zero Trust Medium Skipped details →
ZT.27001 TLS inspection bypass rules are regularly reviewed Ga Secure Access Zero Trust Medium Skipped details →
ZT.21806 Secure the MFA registration (My Security Info) page En Entra Zero Trust High Passing details →
ZT.21876 Use PIM for Microsoft Entra privileged roles En Entra Zero Trust Medium Skipped details →
ZT.21899 All privileged role assignments have a recipient that can receive notifications En Entra Zero Trust Medium Skipped details →
ZT.21786 User sign-in activity uses token protection En Entra Zero Trust High Failing details →
ZT.21848 Enable custom banned passwords En Entra Zero Trust Medium Passing details →
ZT.21793 Tenant restrictions v2 are configured En Entra Zero Trust High Passing details →
ZT.35036 Trainable Classifiers Usage in Policies Pv Purview Zero Trust Medium Passing details →
ZT.21829 Use cloud authentication En Entra Zero Trust High Passing details →
ZT.21892 All sign-in activity comes from managed devices En Entra Zero Trust High Failing details →
ZT.35006 PDF labeling is enabled in SharePoint Pv Purview Zero Trust Medium Skipped details →
ZT.35028 Email retention policies are configured Pv Purview Zero Trust Medium Failing details →
ZT.25537 Threat intelligence is Enabled in Deny Mode on Azure Firewall Ga Secure Access Zero Trust High Skipped details →
ZT.21770 Inactive applications don't have highly privileged permissions En Entra Zero Trust Medium Failing details →
ZT.35022 On-Demand scans configured for sensitive information discovery Pv Purview Zero Trust Medium Passing details →
ZT.21985 Turn off Seamless SSO if there are is no usage En Entra Zero Trust Medium Skipped details →
ZT.25411 TLS inspection is enabled and correctly configured for outbound traffic Ga Secure Access Zero Trust High Skipped details →
ZT.24870 Corporate Wi-Fi Network on macOS Devices is Securely Managed In Intune Zero Trust High Failing details →
ZT.21855 Privileged roles have access reviews En Entra Zero Trust Medium Skipped details →
ZT.21823 Guest self-service sign-up via user flow is disabled En Entra Zero Trust Medium Passing details →
ZT.2c79b4af-f830-b61e-92b9-63dfa30f16e4 There should be more than one owner assigned to subscriptions Az Azure Zero Trust High Passing details →
ZT.21796 Block legacy authentication policies are configured En Entra Zero Trust Medium Passing details →
ZT.21953 Local Admin Password Solution is deployed En Entra Zero Trust High Passing details →
ZT.21800 All user sign-in activity uses strong authentication methods En Entra Zero Trust Medium Skipped details →
ZT.21983 No Active Medium priority Entra recommendations found En Entra Zero Trust Medium Skipped details →
ZT.21849 Smart lockout duration is set to a minimum of 60 En Entra Zero Trust Medium Passing details →
ZT.21833 Directory Sync account credentials haven't been rotated recently En Entra Zero Trust Low Skipped details →
ZT.21872 Require multifactor authentication for device join and device registration using user action En Entra Zero Trust High Passing details →
ZT.21825 Privileged users have short-lived sign-in sessions En Entra Zero Trust Medium Failing details →
ZT.21893 Enable Microsoft Entra ID Protection policy to enforce multifactor authentication registration En Entra Zero Trust Low Skipped details →
ZT.21795 No legacy authentication sign-in activity En Entra Zero Trust Medium Skipped details →
ZT.25380 Global Secure Access signaling for Conditional Access is enabled Ga Secure Access Zero Trust Medium Failing details →
ZT.24794 Intune Terms and Conditions Policy is configured and assigned In Intune Zero Trust Medium Failing details →
ZT.21886 Applications that use Microsoft Entra for authentication and support provisioning are configured En Entra Zero Trust Medium Failing details →
ZT.21809 Admin consent workflow is enabled En Entra Zero Trust High Failing details →
ZT.24551 Windows Hello for Business Policy is Configured and Assigned In Intune Zero Trust High Failing details →
ZT.21883 Workload Identities are configured with risk-based policies En Entra Zero Trust Medium Skipped details →
ZT.21777 App Instance Property Lock is configured for all multitenant applications En Entra Zero Trust High Failing details →
ZT.25384 Application admin rights are constrained to specific Private Access apps Ga Secure Access Zero Trust High Skipped details →
ZT.21836 Workload Identities are not assigned privileged roles En Entra Zero Trust High Failing details →
ZT.35039 Communication compliance monitoring is configured for Microsoft Copilot Pv Purview Zero Trust High Passing details →
ZT.24784 A Microsoft Defender Antivirus policy is created and assigned in Intune for macOS In Intune Zero Trust High Passing details →
ZT.3b20e985-f71f-483b-b078-f30d73936d43 All network ports should be restricted on network security groups associated to your virtual machine Az Azure Zero Trust High Failing details →
ZT.21846 Temporary access pass restricted to one-time use En Entra Zero Trust Low Passing details →
ZT.21807 Creating new applications and service principles is restricted to privileged users En Entra Zero Trust Medium Passing details →
ZT.24573 Windows Security Baseline is Configured and Assigned In Intune Zero Trust High Failing details →
ZT.24553 Windows Update policies are enforced to reduce risk from unpatched vulnerabilities In Intune Zero Trust High Passing details →
ZT.24824 Non-compliant Devices are Restricted from Accessing Corporate Data In Intune Zero Trust High Failing details →
ZT.21784 All user sign in activity uses phishing-resistant authentication methods En Entra Zero Trust Medium Failing details →
ZT.bc303248-3d14-44c2-96a0-55f5c326b5fe Management ports should be closed on your virtual machines Az Azure Zero Trust Medium Failing details →
ZT.26879 Request Body Inspection is enabled in Application Gateway WAF Ga Secure Access Zero Trust High Skipped details →
ZT.25370 Source IP restoration is enabled Ga Secure Access Zero Trust Medium Skipped details →
ZT.35004 Published Label Policies Pv Purview Zero Trust Low Passing details →
ZT.23183 Service principals use safe redirect URIs En Entra Zero Trust High Failing details →
ZT.21877 All guests have a sponsor En Entra Zero Trust Medium Passing details →
ZT.21834 Directory sync account is locked down to specific named location En Entra Zero Trust Low Skipped details →
ZT.21992 Application Certificates need to be rotated on a regular basis En Entra Zero Trust High Failing details →
ZT.21828 Authentication transfer is blocked En Entra Zero Trust High Passing details →
ZT.21775 Enforce standards for app secrets and certificates En Entra Zero Trust Medium Failing details →
ZT.21864 All risk detections are triaged En Entra Zero Trust High Skipped details →
ZT.21843 Block legacy Microsoft Online PowerShell module En Entra Zero Trust Low Skipped details →
ZT.24543 Compliance policy assignment for iOS/iPadOS devices In Intune Zero Trust High Passing details →
ZT.21929 All entitlement management packages that apply to guests have expirations or access reviews configured in their assignment policies En Entra Zero Trust Medium Failing details →
ZT.21831 Conditional Access protected actions are enabled En Entra Zero Trust Medium Skipped details →
ZT.21984 No Active low priority Entra recommendations found En Entra Zero Trust Low Skipped details →
ZT.21859 GDAP admin least privilege En Entra Zero Trust Medium Skipped details →
ZT.25408 Web content filtering policies are configured Ga Secure Access Zero Trust Medium Skipped details →
ZT.35021 Auto-Labeling Policies Enabled for SharePoint and OneDrive Pv Purview Zero Trust High Failing details →
ZT.21862 All risky workload identities are triaged En Entra Zero Trust High Skipped details →
ZT.21798 ID Protection notifications enabled En Entra Zero Trust High Skipped details →
ZT.21964 Enable protected actions to secure Conditional Access policy creation and changes En Entra Zero Trust High Passing details →
ZT.21771 Inactive applications don’t have highly privileged Microsoft Entra built-in roles En Entra Zero Trust High Passing details →
ZT.24541 Compliance policies protect Windows devices In Intune Zero Trust High Failing details →
ZT.26883 Default rule set is assigned in Azure Front Door WAF Ga Secure Access Zero Trust High Skipped details →
ZT.24540 Windows Firewall Policy is Created and Assigned In Intune Zero Trust High Passing details →
ZT.21857 Guest identities are lifecycle managed with access reviews En Entra Zero Trust Medium Skipped details →
ZT.21814 Privileged accounts are cloud native identities En Entra Zero Trust Medium Failing details →
ZT.35010 Double Key Encryption (DKE) Labels Pv Purview Zero Trust Low Passing details →
ZT.35029 Mail flow rules with rights protection Pv Purview Zero Trust Medium Passing details →
ZT.25375 Global Secure Access licenses are available in the tenant and assigned to users Ga Secure Access Zero Trust High Skipped details →
ZT.21811 Password expiration is disabled En Entra Zero Trust Medium Passing details →
ZT.24570 Entra Connect Sync is configured with Service Principal Credentials En Entra Zero Trust High Failing details →
ZT.26882 Bot protection ruleset is enabled and assigned in Application Gateway WAF Ga Secure Access Zero Trust High Skipped details →
ZT.35038 Insider Risk Management Policies Enabled for Risky AI Usage Pv Purview Zero Trust High Failing details →
ZT.35008 Default sensitivity labels are configured for SharePoint document libraries Pv Purview Zero Trust Medium Skipped details →
ZT.22072 Self-Service Password Reset does not use Q & A En Entra Zero Trust Medium Skipped details →
ZT.35041 Browser data loss prevention is enabled for AI apps via Edge for Business Pv Purview Zero Trust Medium Passing details →
ZT.21803 Migrate from legacy MFA and SSPR policies En Entra Zero Trust High Passing details →
ZT.26881 Default Ruleset is enabled in Application Gateway WAF Ga Secure Access Zero Trust High Skipped details →
ZT.24840 Secure Wi-Fi profiles protect Android devices from unauthorized network access In Intune Zero Trust High Failing details →
ZT.24568 macOS - Platform SSO is configured and assigned In Intune Zero Trust Medium Passing details →
ZT.25401 Application Proxy applications require pre-authentication to block anonymous access to on-premises resources Ga Secure Access Zero Trust High Failing details →
ZT.21839 Passkey authentication method enabled En Entra Zero Trust High Passing details →
ZT.21898 All supported access lifecycle resources are managed with entitlement management packages En Entra Zero Trust Medium Skipped details →
ZT.21816 All Microsoft Entra privileged role assignments are managed with PIM En Entra Zero Trust High Skipped details →
ZT.24802 Device Clean-up Rule is Created In Intune Zero Trust Low Failing details →
ZT.20606e75-05c4-48c0-9d97-add6daa2109a Guest accounts with owner permissions on Azure resources should be removed Az Azure Zero Trust High Failing details →
ZT.21789 Tenant creation events are triaged En Entra Zero Trust Medium Skipped details →
ZT.21896 Service principals don't have certificates or credentials associated with them En Entra Zero Trust Medium Skipped details →
ZT.26888 Diagnostic logging is enabled in Application Gateway WAF Ga Secure Access Zero Trust High Skipped details →
ZT.35013 Encryption-Enabled Labels Pv Purview Zero Trust High Passing details →
ZT.a9341235-9389-42f0-a0bf-9bfb57960d44 Non-internet-facing virtual machines should be protected with network security groups Az Azure Zero Trust Low Skipped details →
ZT.26880 Request Body Inspection is enabled in Azure Front Door WAF Ga Secure Access Zero Trust High Skipped details →
ZT.25420 Network access logs are retained for security analysis and compliance requirements Ga Secure Access Zero Trust High Skipped details →
ZT.21888 App registrations must not have dangling or abandoned domain redirect URIs En Entra Zero Trust High Failing details →
ZT.25393 Quick Access is enabled and bound to a connector Ga Secure Access Zero Trust High Failing details →
ZT.25410 Web content filtering policies are linked to security profiles Ga Secure Access Zero Trust Medium Skipped details →
ZT.25372 Global Secure Access client is deployed on all managed endpoints Ga Secure Access Zero Trust High Skipped details →
ZT.21812 Maximum number of Global Administrators doesn't exceed eight users En Entra Zero Trust Low Failing details →
ZT.21813 High Global Administrator to privileged user ratio En Entra Zero Trust High Failing details →
ZT.35018 Downgrade Justification Required for Sensitivity Labels Pv Purview Zero Trust Medium Passing details →
ZT.35026 Office 365 Message Encryption (OME) - SimplifiedClientAccessEnabled Pv Purview Zero Trust Medium Passing details →
ZT.21844 Block legacy Azure AD PowerShell module En Entra Zero Trust Medium Passing details →
ZT.21773 Applications don't have certificates with expiration longer than 180 days En Entra Zero Trust High Failing details →
ZT.27004 TLS inspection custom bypass rules don't duplicate system bypass destinations Ga Secure Access Zero Trust Low Skipped details →
ZT.35037 Purview audit logging enabled Pv Purview Zero Trust High Failing details →
ZT.21860 Diagnostic settings are configured for all Microsoft Entra logs En Entra Zero Trust High Failing details →
ZT.21889 Reduce the user-visible password surface area En Entra Zero Trust High Passing details →
ZT.35009 Co-Authoring Enabled for Encrypted Documents Pv Purview Zero Trust Low Passing details →
ZT.25407 Web content filtering integrates with Conditional Access Ga Secure Access Zero Trust High Skipped details →
ZT.21884 Conditional Access policies for workload identities based on known networks are configured En Entra Zero Trust High Skipped details →
ZT.24871 Automatic Enrollment to Defender is enabled for Android Devices In Intune Zero Trust High Failing details →
ZT.e3de1cc0-f4dd-3b34-e496-8b5381ba2d70 Azure DDoS Protection Standard should be enabled Az Azure Zero Trust Medium Skipped details →
ZT.21870 Enable SSPR En Entra Zero Trust Low Skipped details →
ZT.21824 Guests don't have long lived sign-in sessions En Entra Zero Trust Medium Failing details →
ZT.21776 User consent settings are restricted En Entra Zero Trust High Passing details →
ZT.22124 High priority Entra recommendations are addressed En Entra Zero Trust High Failing details →
ZT.e1145ab1-eb4f-43d8-911b-36ddf771d13f System updates should be installed on your machines (powered by Azure Update Manager) Az Azure Zero Trust High Skipped details →
ZT.21868 Guests don't own apps in the tenant En Entra Zero Trust Medium Passing details →
ZT.21954 Restrict nonadministrator users from recovering the BitLocker keys for their owned devices En Entra Zero Trust High Passing details →
ZT.25382 Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment Ga Secure Access Zero Trust High Skipped details →
ZT.25543 Azure Front Door WAF is Enabled in Prevention Mode Ga Secure Access Zero Trust High Skipped details →
ZT.24550 Windows BitLocker policy is configured and assigned In Intune Zero Trust High Failing details →
ZT.25396 Conditional Access policies enforce strong authentication for private apps Ga Secure Access Zero Trust High Skipped details →
ZT.25381 Network traffic is routed through Global Secure Access for security policy enforcement Ga Secure Access Zero Trust High Skipped details →
ZT.24549 An app protection policy for Android devices exists In Intune Zero Trust High Passing details →
ZT.27015 HTTP DDoS Protection Ruleset is Enabled in Application Gateway WAF Ga Secure Access Zero Trust High Skipped details →
ZT.21840 Security key attestation is enforced En Entra Zero Trust High Failing details →
ZT.21895 Application Certificate Credentials are managed using HSM En Entra Zero Trust Low Skipped details →
ZT.21810 Resource-Specific Consent is restricted En Entra Zero Trust Medium Failing details →
ZT.21780 No usage of ADAL in the tenant En Entra Zero Trust Medium Passing details →
ZT.35003 Total Sensitivity Labels Configured Pv Purview Zero Trust High Passing details →
ZT.24552 macOS - Firewall policy is created and assigned In Intune Zero Trust Medium Failing details →
ZT.21841 Microsoft Authenticator app report suspicious activity setting is enabled En Entra Zero Trust Medium Failing details →
ZT.21821 Guest access is restricted En Entra Zero Trust Medium Skipped details →
ZT.24574 Attack Surface Reduction rules are applied to Windows devices to prevent exploitation of vulnerable system components In Intune Zero Trust High Failing details →
ZT.25399 Private DNS is configured for internal name resolution Ga Secure Access Zero Trust Medium Skipped details →
ZT.21890 Require password reset notifications for user roles En Entra Zero Trust Medium Skipped details →
ZT.25394 Quick Access is bound to a Conditional Access policy Ga Secure Access Zero Trust High Skipped details →
ZT.21885 App registrations use safe redirect URIs En Entra Zero Trust High Failing details →
ZT.eade5b56-eefd-444f-95c8-23f29e5d93cb Subnets should be associated with a network security group Az Azure Zero Trust Low Failing details →
ZT.21891 Require password reset notifications for administrator roles En Entra Zero Trust High Skipped details →
ZT.27003 TLS inspection failure rate is below 1% Ga Secure Access Zero Trust High Skipped details →
ZT.24547 Compliance Policy for Android Enterprise Personally-Owned Work Profile is configured and assigned In Intune Zero Trust High Passing details →
ZT.483f12ed-ae23-447e-a2de-a67a10db4353 Internet-facing virtual machines should be protected with network security groups Az Azure Zero Trust High Passing details →
ZT.805651bc-6ecd-4c73-9b55-97a19d0582d0 Management ports of virtual machines should be protected with just-in-time network access control Az Azure Zero Trust High Skipped details →
ZT.27019 JavaScript Challenge is Enabled in Azure Front Door WAF Ga Secure Access Zero Trust Medium Skipped details →
ZT.35025 Internal RMS Licensing Enabled Pv Purview Zero Trust High Passing details →
ZT.27017 JavaScript Challenge is Enabled in Application Gateway WAF Ga Secure Access Zero Trust Medium Skipped details →
ZT.21879 All entitlement management assignment policies that apply to external users require approval En Entra Zero Trust Medium Passing details →
ZT.21835 Emergency access accounts are configured appropriately En Entra Zero Trust High Passing details →
ZT.21787 Permissions to create new tenants is limited to the Tenant Creator role En Entra Zero Trust High Passing details →
ZT.6f90a6d6-d4d6-0794-0ec1-98fa77878c2e A maximum of 3 owners should be designated for subscriptions Az Azure Zero Trust High Failing details →
ZT.25392 Private network connectors are running the latest version Ga Secure Access Zero Trust Medium Skipped details →
ZT.21865 Trusted network locations are configured to increase quality of risk detections En Entra Zero Trust Medium Passing details →
ZT.24554 An iOS update policy is created and assigned In Intune Zero Trust High Passing details →
ZT.26887 Diagnostic logging is enabled in Azure Firewall Ga Secure Access Zero Trust High Skipped details →
ZT.21783 Privileged Microsoft Entra built-in roles are targeted with Conditional Access policies to enforce phishing-resistant methods En Entra Zero Trust High Failing details →
ZT.35001 Conditional Access RMS Exclusions Pv Purview Zero Trust High Failing details →
ZT.21863 All high-risk sign-ins are triaged En Entra Zero Trust High Failing details →
ZT.25466 At least two Private Access connectors are active and healthy per connector group Ga Secure Access Zero Trust High Failing details →
ZT.24548 An app protection policy for iOS devices exists In Intune Zero Trust High Passing details →
ZT.24561 A macOS Cloud LAPS Policy is Created and Assigned In Intune Zero Trust High Failing details →
ZT.1195afff-c881-495e-9bc5-1486211ae03f Machines should have vulnerability findings resolved Az Azure Zero Trust Low Skipped details →
ZT.25480 Quick Access has user or group assignments Ga Secure Access Zero Trust Medium Skipped details →
ZT.25413 File transfer policies are configured to prevent data exfiltration Ga Secure Access Zero Trust High Failing details →
ZT.25405 Intelligent Local Access is enabled and configured Ga Secure Access Zero Trust Medium Passing details →
ZT.25539 IDPS Inspection is Enabled in Deny Mode on Azure Firewall Ga Secure Access Zero Trust High Skipped details →
ZT.24827 Unmanaged and unprotected Apps are restricted from Accessing Corporate Data In Intune Zero Trust High Passing details →
ZT.25403 Private Access sensors are enforcing strong authentication policies on domain controllers Ga Secure Access Zero Trust High Skipped details →
ZT.21882 No nested groups in PIM for groups En Entra Zero Trust Medium Skipped details →
ZT.21818 Activation alert for highly privileged role assignments En Entra Zero Trust High Failing details →
ZT.24542 macOS Compliance Policy is Created and Assigned In Intune Zero Trust High Failing details →
ZT.25377 Universal tenant restrictions block unauthorized external tenant access Ga Secure Access Zero Trust High Skipped details →
ZT.25398 Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access Ga Secure Access Zero Trust High Skipped details →
ZT.ffff0522-1e88-47fc-8382-2a80ba848f5d Machines should have a vulnerability assessment solution Az Azure Zero Trust Medium Failing details →
ZT.21837 Limit the maximum number of devices per user to 10 En Entra Zero Trust High Passing details →
ZT.21817 Global Administrator role activation triggers an approval workflow En Entra Zero Trust High Passing details →
ZT.27002 TLS inspection certificates have a sufficient validity period Ga Secure Access Zero Trust High Skipped details →
ZT.24545 Compliance policy assignment for Android Enterprise Fully managed device is configured and assigned In Intune Zero Trust High Passing details →
ZT.25422 Global Secure Access deployment logs are populated and reviewed Ga Secure Access Zero Trust Medium Skipped details →
ZT.24839 Corporate Wi-Fi network on iOS devices is securely managed In Intune Zero Trust High Failing details →
ZT.21955 Manage the local administrators on Microsoft Entra joined devices En Entra Zero Trust High Skipped details →
ZT.26885 Metrics are enabled for DDoS-protected public IPs Ga Secure Access Zero Trust Medium Skipped details →
ZT.26886 Diagnostic logging is enabled for DDoS-protected public IPs Ga Secure Access Zero Trust Medium Skipped details →
ZT.35032 Adaptive Protection in DLP Policies Pv Purview Zero Trust Medium Passing details →
ZT.27020 CAPTCHA challenge is enabled in Azure Front Door WAF Ga Secure Access Zero Trust Medium Skipped details →
ZT.35019 Auto-Labeling Policies Configured (All Workloads) Pv Purview Zero Trust High Passing details →
ZT.25376 Microsoft 365 traffic is actively flowing through Global Secure Access Ga Secure Access Zero Trust High Skipped details →
ZT.050ac097-3dda-4d24-ab6d-82568e7a50cf Disabled accounts with owner permissions on Azure resources should be removed Az Azure Zero Trust High Passing details →
ZT.35015 Global Scope Label Count Pv Purview Zero Trust Medium Passing details →
ZT.21850 Smart lockout threshold set to 10 or less En Entra Zero Trust Medium Failing details →
ZT.25395 Entra Private Access Application segments are defined to enforce least-privilege access Ga Secure Access Zero Trust High Skipped details →
ZT.35023 OCR is enabled for sensitive information detection Pv Purview Zero Trust Medium Failing details →
ZT.35030 Data loss prevention policies are enabled Pv Purview Zero Trust High Passing details →
ZT.22128 Guests are not assigned high privileged directory roles En Entra Zero Trust High Failing details →
ZT.21820 Activation alert for all privileged role assignments En Entra Zero Trust Low Passing details →
ZT.24690 macOS update policy is configured and assigned In Intune Zero Trust High Passing details →
ZT.25541 Application Gateway WAF is Enabled in Prevention mode Ga Secure Access Zero Trust High Skipped details →
ZT.35034 Exact Data Match (EDM) Configurations Pv Purview Zero Trust High Passing details →
ZT.21832 All groups in Conditional Access policies belong to a restricted management administrative unit En Entra Zero Trust Medium Skipped details →
ZT.25416 Global Secure Access cloud firewall protects branch office internet traffic Ga Secure Access Zero Trust High Skipped details →
ZT.35011 Super user membership is configured for Microsoft Purview Information Protection Pv Purview Zero Trust Medium Skipped details →
ZT.21782 Privileged accounts have phishing-resistant methods registered En Entra Zero Trust High Failing details →
ZT.21858 Inactive guest identities are disabled or removed from the tenant En Entra Zero Trust Medium Failing details →
ZT.fde1c0c9-0fd2-4ecc-87b5-98956cbc1095 Guest accounts with read permissions on Azure resources should be removed Az Azure Zero Trust High Passing details →
ZT.21781 Privileged users sign in with phishing-resistant methods En Entra Zero Trust High Skipped details →
ZT.21799 Block high risk sign-ins En Entra Zero Trust High Failing details →
ZT.21866 All Microsoft Entra recommendations are addressed En Entra Zero Trust Medium Failing details →
ZT.35020 Auto-labeling enforcement mode enabled Pv Purview Zero Trust High Failing details →
ZT.27018 Rate Limiting is Enabled in Azure Front Door WAF Ga Secure Access Zero Trust High Skipped details →
ZT.8c3d9ad0-3639-4686-9cd2-2b2ab2609bda Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration) Az Azure Zero Trust Low Skipped details →
ZT.21792 Guests have restricted access to directory objects En Entra Zero Trust Medium Passing details →
ZT.35027 OME Custom Branding Templates Pv Purview Zero Trust Low Failing details →
ZT.24564 Intune Local Users and Groups policy is created and assigned In Intune Zero Trust High Failing details →
ZT.21791 Guest can’t invite other guests En Entra Zero Trust Medium Passing details →
ZT.21842 Block administrators from using SSPR En Entra Zero Trust High Passing details →
ZT.35016 Mandatory labeling enabled for sensitivity labels Pv Purview Zero Trust High Passing details →
ZT.25419 Network access activity is visible to security operations for threat detection and response Ga Secure Access Zero Trust Medium Skipped details →
ZT.21772 Applications don't have secrets configured En Entra Zero Trust High Failing details →
ZT.21819 Activation alert for Global Administrator role assignments En Entra Zero Trust Medium Passing details →
ZT.24555 Intune Scope Tags are Configured for Delegated Administration In Intune Zero Trust Medium Passing details →
ZT.21941 Token protection policies are configured En Entra Zero Trust Medium Passing details →
ZT.21815 All privileged role assignments are activated just in time and not permanently active En Entra Zero Trust High Failing details →
ZT.21878 All entitlement management policies have an expiration date En Entra Zero Trust Medium Failing details →
ZT.21854 Privileged roles aren't assigned to stale identities En Entra Zero Trust Medium Skipped details →
ZT.24518 Enterprise applications have owners En Entra Zero Trust Medium Failing details →
ZT.21861 All risky users are triaged En Entra Zero Trust High Failing details →
ZT.21894 All certificates Microsoft Entra Application Registrations and Service Principals must be issued by an approved certification authority En Entra Zero Trust Low Skipped details →
ZT.21779 Use recent versions of Microsoft Applications ·· Other Zero Trust Medium Skipped details →
ZT.24575 A Windows Defender Antivirus policy is created and assigned In Intune Zero Trust High Failing details →
ZT.21822 Guest access is limited to approved tenants En Entra Zero Trust Medium Failing details →
ZT.35033 Custom Sensitive Information Types (SITs) Configured Pv Purview Zero Trust High Passing details →
ZT.21845 Temporary access pass is enabled En Entra Zero Trust Medium Passing details →
ZT.21847 Password protection for on-premises is enabled En Entra Zero Trust High Failing details →
ZT.35005 Sensitivity labels are enabled for SharePoint and OneDrive Pv Purview Zero Trust High Skipped details →
ZT.21851 All guests user strong authentication methods En Entra Zero Trust Medium Skipped details →
ZT.25400 DNS traffic for internal domains is routed through Private Access Ga Secure Access Zero Trust Low Skipped details →
ZT.c3b51c94-588b-426b-a892-24696f9e54cc IP forwarding on your virtual machine should be disabled Az Azure Zero Trust Medium Passing details →
ZT.35012 Container labels are configured for Teams, Groups, and Sites Pv Purview Zero Trust Medium Failing details →
ZT.21875 All entitlement management assignment policies that apply to external users require connected organizations En Entra Zero Trust Medium Failing details →
ZT.25550 Inspection of Outbound TLS Traffic is Enabled on Azure Firewall Ga Secure Access Zero Trust High Skipped details →
ZT.21774 Microsoft services applications don't have credentials configured En Entra Zero Trust High Passing details →
ZT.21802 Microsoft Authenticator app shows sign-in context En Entra Zero Trust Medium Passing details →
ZT.25371 Network validation is configured through Universal Continuous Access Evaluation Ga Secure Access Zero Trust High Skipped details →
ZT.24572 Device enrollment notification is configured and assigned In Intune Zero Trust Medium Failing details →
ZT.35040 Communication compliance monitoring is configured for enterprise AI tools Pv Purview Zero Trust High Passing details →
ZT.24560 Windows Cloud LAPS policy is created and assigned In Intune Zero Trust High Passing details →
ZT.21912 Azure resources used by Microsoft Entra only allow access from privileged roles En Entra Zero Trust High Skipped details →
ZT.27000 Web content filtering blocks high-risk categories Ga Secure Access Zero Trust High Failing details →
ZT.24569 Intune macOS FileVault policy is created and Assigned In Intune Zero Trust High Failing details →
ZT.21887 All registered redirect URIs must have proper DNS records and ownerships En Entra Zero Trust Medium Skipped details →
ZT.21830 Highly privileged roles are only activated in a PAW/SAW device En Entra Zero Trust High Failing details →
ZT.25406 Internet access forwarding profile is enabled Ga Secure Access Zero Trust High Skipped details →
ZT.21869 Enterprise applications must require explicit assignment or scoped provisioning En Entra Zero Trust Medium Failing details →
ZT.25415 AI Gateway protects enterprise generative AI applications from prompt injection attacks Ga Secure Access Zero Trust High Skipped details →
ZT.21867 Enterprise applications with high privilege Microsoft Graph API permissions have owners En Entra Zero Trust High Failing details →
ZT.25379 Conditional Access policies use compliant network controls Ga Secure Access Zero Trust Medium Failing details →
ZT.35007 Information Rights Management is enabled in SharePoint Online Pv Purview Zero Trust Low Skipped details →
ZT.35014 Email label inheritance from attachments configured Pv Purview Zero Trust Medium Failing details →
ZT.24546 Windows Automatic Enrollment is enabled In Intune Zero Trust High Passing details →
ZT.35035 Named Entity SITs Usage in Auto-Labeling and DLP Policies Pv Purview Zero Trust High Passing details →
ZT.0354476c-a12a-4fcc-a79d-f0ab7ffffdbb Guest accounts with write permissions on Azure resources should be removed Az Azure Zero Trust High Passing details →
ZT.21797 Restrict access to high risk users En Entra Zero Trust High Failing details →