Controls
Maester & Zero Trust Assessment controls by Microsoft product, mapped to CIS and CISA.
Coverage this run
721 controls assessed 167 passing 5 accepted 368 skipped 181 failing
| Control | Title | Product | Standard | Severity | Status | |
|---|---|---|---|---|---|---|
| CIS.M365.1.1.1 | Ensure Administrative accounts are cloud-only | En Entra | CIS | High | Accepted | details → |
| CIS.M365.1.1.3 | Ensure that between two and four global admins are designated | En Entra | CIS | High | Failing | details → |
| CIS.M365.1.2.1 | Ensure that only organizationally managed/approved public groups exist | En Entra | CIS | Medium | Failing | details → |
| CIS.M365.1.3.1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | En Entra | CIS | High | Passing | details → |
| CIS.M365.1.3.4 | Ensure 'User owned apps and services' is restricted | En Entra | CIS | Unknown | Failing | details → |
| CIS.M365.1.3.5 | Ensure internal phishing protection for Forms is enabled | En Entra | CIS | Unknown | Passing | details → |
| CIS.M365.1.3.7 | Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' | En Entra | CIS | Unknown | Accepted | details → |
| CIS.M365.4.1 | Ensure devices without a compliance policy are marked 'not compliant' | In Intune | CIS | Unknown | Failing | details → |
| CIS.M365.5.1.2.2 | Ensure third party integrated applications are not allowed | En Entra | CIS | Unknown | Passing | details → |
| CIS.M365.5.1.2.3 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | En Entra | CIS | Unknown | Passing | details → |
| CIS.M365.5.1.3.1 | Ensure a dynamic group for guest users is created | En Entra | CIS | Unknown | Passing | details → |
| CIS.M365.5.1.5.1 | Ensure user consent to apps accessing company data on their behalf is not allowed | En Entra | CIS | Unknown | Failing | details → |
| CIS.M365.5.1.5.2 | Ensure the admin consent workflow is enabled | En Entra | CIS | Unknown | Failing | details → |
| CIS.M365.5.1.6.2 | Ensure that guest user access is restricted | En Entra | CIS | Unknown | Passing | details → |
| CIS.M365.5.2.3.5 | Ensure weak authentication methods are disabled | En Entra | CIS | Unknown | Failing | details → |
| CISA.MS.AAD.1.1 | Legacy authentication SHALL be blocked. | En Entra | CISA | High | Accepted | details → |
| CISA.MS.AAD.2.1 | Users detected as high risk SHALL be blocked. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.2.2 | A notification SHOULD be sent to the administrator when high-risk users are detected. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.2.3 | Sign-ins detected as high risk SHALL be blocked. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.3.1 | Phishing-resistant MFA SHALL be enforced for all users. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.3.2 | If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.3.3 | If Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | En Entra | CISA | Medium | Failing | details → |
| CISA.MS.AAD.3.4 | The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.3.5 | The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.3.6 | Phishing-resistant MFA SHALL be required for highly privileged roles. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.3.7 | Managed devices SHOULD be required for authentication. | En Entra | CISA | High | Accepted | details → |
| CISA.MS.AAD.3.8 | Managed Devices SHOULD be required to register MFA. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.5.1 | Only administrators SHALL be allowed to register applications. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.5.2 | Only administrators SHALL be allowed to consent to applications. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.5.3 | An admin consent workflow SHALL be configured for applications. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.6.1 | User passwords SHALL NOT expire. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.7.1 | A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.7.2 | Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.7.3 | Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.7.4 | Permanent active role assignments SHALL NOT be allowed for highly privileged roles. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.7.5 | Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.7.6 | Activation of the Global Administrator role SHALL require approval. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.7.7 | Eligible and Active highly privileged role assignments SHALL trigger an alert. | En Entra | CISA | High | Accepted | details → |
| CISA.MS.AAD.7.8 | User activation of the Global Administrator role SHALL trigger an alert. | En Entra | CISA | High | Passing | details → |
| CISA.MS.AAD.7.9 | User activation of other highly privileged roles SHOULD trigger an alert. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.8.1 | Guest users SHOULD have limited or restricted access to Entra ID directory objects. | En Entra | CISA | Medium | Passing | details → |
| CISA.MS.AAD.8.2 | Only users with the Guest Inviter role SHOULD be able to invite guest users. | En Entra | CISA | High | Failing | details → |
| CISA.MS.AAD.8.3 | Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | En Entra | CISA | Medium | Failing | details → |
| CISA.MS.SHAREPOINT.1.1 | External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization. | Sp SharePoint | CISA | Medium | Failing | details → |
| CISA.MS.SHAREPOINT.1.3 | External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | Sp SharePoint | CISA | High | Failing | details → |
| EIDSCA.AF01 | Authentication Method - FIDO2 security key - State. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AF02 | Authentication Method - FIDO2 security key - Allow self-service set up. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AF03 | Authentication Method - FIDO2 security key - Enforce attestation. | En Entra | EIDSCA | High | Failing | details → |
| EIDSCA.AF04 | Authentication Method - FIDO2 security key - Enforce key restrictions. | En Entra | EIDSCA | High | Failing | details → |
| EIDSCA.AG01 | Authentication Method - General Settings - Manage migration. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AG02 | Authentication Method - General Settings - Report suspicious activity - State. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.AG03 | Authentication Method - General Settings - Report suspicious activity - Included users/groups. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AM01 | Authentication Method - Microsoft Authenticator - State. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AM02 | Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.AM03 | Authentication Method - Microsoft Authenticator - Require number matching for push notifications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AM04 | Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AM06 | Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AM07 | Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AM09 | Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AM10 | Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AP01 | Default Authorization Settings - Enabled Self service password reset for administrators. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AP04 | Default Authorization Settings - Guest invite restrictions. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.AP05 | Default Authorization Settings - Sign-up for email based subscription. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.AP06 | Default Authorization Settings - User can join the tenant by email validation. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.AP07 | Default Authorization Settings - Guest user access. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AP08 | Default Authorization Settings - User consent policy assigned for applications. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AP09 | Default Authorization Settings - Allow user consent on risk-based apps. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.AP10 | Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AP14 | Default Authorization Settings - Default User Role Permissions - Allowed to read other users. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AS04 | Authentication Method - SMS - Use for sign-in. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AT01 | Authentication Method - Temporary Access Pass - State. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AT02 | Authentication Method - Temporary Access Pass - One-time. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.AV01 | Authentication Method - Voice call - State. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.CP03 | Default Settings - Consent Policy Settings - Block user consent for risky apps. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.CP04 | Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.CR01 | Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. | En Entra | EIDSCA | High | Failing | details → |
| EIDSCA.PR01 | Default Settings - Password Rule Settings - Password Protection - Mode. | En Entra | EIDSCA | High | Failing | details → |
| EIDSCA.PR02 | Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. | En Entra | EIDSCA | High | Passing | details → |
| EIDSCA.PR03 | Default Settings - Password Rule Settings - Enforce custom list. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.PR05 | Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.PR06 | Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. | En Entra | EIDSCA | Medium | Failing | details → |
| EIDSCA.ST08 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. | En Entra | EIDSCA | Medium | Passing | details → |
| EIDSCA.ST09 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. | En Entra | EIDSCA | Medium | Passing | details → |
| MT.1001 | At least one Conditional Access policy is configured with device compliance. | En Entra | Maester | Medium | Passing | details → |
| MT.1002 | App management restrictions on applications and service principals is configured and enabled. | En Entra | Maester | High | Passing | details → |
| MT.1003 | At least one Conditional Access policy is configured with All Apps. | En Entra | Maester | High | Passing | details → |
| MT.1004 | At least one Conditional Access policy is configured with All Apps and All Users. | En Entra | Maester | High | Passing | details → |
| MT.1005 | All Conditional Access policies are configured to exclude at least one emergency/break glass account or group. | En Entra | Maester | High | Failing | details → |
| MT.1006 | At least one Conditional Access policy is configured to require MFA for admins. | En Entra | Maester | High | Passing | details → |
| MT.1007 | At least one Conditional Access policy is configured to require MFA for all users. | En Entra | Maester | High | Passing | details → |
| MT.1008 | At least one Conditional Access policy is configured to require MFA for Azure management. | En Entra | Maester | High | Passing | details → |
| MT.1009 | At least one Conditional Access policy is configured to block other legacy authentication. | En Entra | Maester | High | Failing | details → |
| MT.1010 | At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync. | En Entra | Maester | High | Failing | details → |
| MT.1011 | At least one Conditional Access policy is configured to secure security info registration only from a trusted location. | En Entra | Maester | High | Failing | details → |
| MT.1012 | At least one Conditional Access policy is configured to require MFA for risky sign-ins. | En Entra | Maester | High | Failing | details → |
| MT.1013 | At least one Conditional Access policy is configured to require new password when user risk is high. | En Entra | Maester | High | Failing | details → |
| MT.1014 | At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins. | En Entra | Maester | High | Failing | details → |
| MT.1015 | At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms. | En Entra | Maester | Medium | Passing | details → |
| MT.1016 | At least one Conditional Access policy is configured to require MFA for guest access. | En Entra | Maester | High | Passing | details → |
| MT.1017 | At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices. | En Entra | Maester | High | Failing | details → |
| MT.1018 | At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices. | En Entra | Maester | Medium | Failing | details → |
| MT.1019 | At least one Conditional Access policy is configured to enable application enforced restrictions. | En Entra | Maester | Medium | Failing | details → |
| MT.1022 | All users utilizing a P1 license should be licensed. | En Entra | Maester | Medium | Passing | details → |
| MT.1023 | All users utilizing a P2 license should be licensed. | En Entra | Maester | Medium | Passing | details → |
| MT.1024.adminMFAV2 | Require multifactor authentication for administrative roles. | En Entra | Maester | High | Failing | details → |
| MT.1024.applicationCredentialExpiry | Renew expiring application credentials. | En Entra | Maester | High | Failing | details → |
| MT.1024.blockLegacyAuthentication | Enable policy to block legacy authentication. | En Entra | Maester | High | Failing | details → |
| MT.1024.DefenderForIdentityIsNotInstalled | Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.. | En Entra | Maester | Low | Failing | details → |
| MT.1024.insiderRiskPolicy | Protect your tenant with Insider Risk condition in Conditional Access policy. | En Entra | Maester | Medium | Failing | details → |
| MT.1024.integratedApps | Do not allow users to grant consent to unreliable applications. | En Entra | Maester | Medium | Passing | details → |
| MT.1024.mfaRegistrationV2 | Ensure all users can complete multifactor authentication. | En Entra | Maester | High | Failing | details → |
| MT.1024.oneAdmin | Designate more than one global admin. | En Entra | Maester | Low | Passing | details → |
| MT.1024.passwordHashSync | Enable password hash sync if hybrid. | En Entra | Maester | Medium | Failing | details → |
| MT.1024.pwagePolicyNew | Do not expire passwords. | En Entra | Maester | High | Passing | details → |
| MT.1024.roleOverlap | Use least privileged administrative roles . | En Entra | Maester | Low | Passing | details → |
| MT.1024.selfServicePasswordReset | Enable self-service password reset. | En Entra | Maester | Low | Passing | details → |
| MT.1024.servicePrincipalKeyExpiry | Renew expiring service principal credentials. | En Entra | Maester | High | Passing | details → |
| MT.1024.signinRiskPolicy | Protect all users with a sign-in risk policy. | En Entra | Maester | High | Failing | details → |
| MT.1024.staleAppCreds | Remove unused credentials from applications. | En Entra | Maester | Medium | Failing | details → |
| MT.1024.staleApps | Remove unused applications. | En Entra | Maester | Medium | Failing | details → |
| MT.1024.userRiskPolicy | Protect all users with a user risk policy . | En Entra | Maester | High | Failing | details → |
| MT.1025 | No external user with permanent role assignment on Control Plane. | En Entra | Maester | High | Failing | details → |
| MT.1026 | No hybrid user with permanent role assignment on Control Plane. | En Entra | Maester | High | Failing | details → |
| MT.1027 | No Service Principal with Client Secret and permanent role assignment on Control Plane. | En Entra | Maester | High | Failing | details → |
| MT.1028 | No user with mailbox and permanent role assignment on Control Plane. | En Entra | Maester | High | Failing | details → |
| MT.1029 | Stale accounts are not assigned to privileged roles. | En Entra | Maester | High | Passing | details → |
| MT.1030 | Eligible role assignments on Control Plane are in use by administrators. | En Entra | Maester | High | Failing | details → |
| MT.1031 | Privileged role on Control Plane are managed by PIM only. | En Entra | Maester | High | Failing | details → |
| MT.1032 | Limited number of Global Admins are assigned. | En Entra | Maester | High | Failing | details → |
| MT.1035 | All security groups assigned to Conditional Access Policies should be protected by RMAU. | En Entra | Maester | High | Failing | details → |
| MT.1036 | All excluded objects should have a fallback include in another policy. | En Entra | Maester | Medium | Failing | details → |
| MT.1038 | Conditional Access policies should not include or exclude deleted groups. | En Entra | Maester | Medium | Failing | details → |
| MT.1045 | Only invited users should be automatically admitted to Teams meetings | Te Teams | Maester | Medium | Failing | details → |
| MT.1049 | Conditional Access policies for User Risk and Sign-in Risk should be configured separately. | En Entra | Maester | High | Failing | details → |
| MT.1052 | At least one Conditional Access policy is targeting the Device Code authentication flow. | En Entra | Maester | High | Passing | details → |
| MT.1053 | Ensure intune device clean-up rule is configured | In Intune | Maester | Medium | Failing | details → |
| MT.1054 | Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant' | In Intune | Maester | Medium | Failing | details → |
| MT.1055 | Microsoft 365 Group (and Team) creation should be restricted to approved users. | En Entra | Maester | Medium | Passing | details → |
| MT.1061 | Device registration MFA control conflicts with Conditional Access policies. | En Entra | Maester | Medium | Passing | details → |
| MT.1066 | Conditional Access policies should not reference non-existent users, groups, or roles. | En Entra | Maester | Medium | Failing | details → |
| MT.1067 | Authentication method policies should not reference non-existent groups. | En Entra | Maester | Medium | Passing | details → |
| MT.1068 | Restrict non-admin users from creating tenants. | En Entra | Maester | Medium | Passing | details → |
| MT.1069 | Restrict non-admin users from creating security groups. | En Entra | Maester | Low | Passing | details → |
| MT.1070 | Restrict device join to selected users/groups or none. | En Entra | Maester | Medium | Passing | details → |
| MT.1071 | At least one Conditional Access policy explicitly includes Azure DevOps. | En Entra | Maester | Medium | Failing | details → |
| MT.1072 | Conditional access policies should not use the deprecated Approved Client App grant. | En Entra | Maester | High | Passing | details → |
| MT.1073 | Soft- and hard-matching of synchronized objects should be blocked. | En Entra | Maester | Medium | Failing | details → |
| MT.1074 | Ensure no more then 100 outbound mails per day are send using the .onmicrosoft.com domain | Ex Exchange | Maester | Medium | Passing | details → |
| MT.1076 | MOERA SHOULD NOT be used for sent mail | Ex Exchange | Maester | High | Passing | details → |
| MT.1084 | Microsoft Entra seamless single sign-on should be disabled for all domains in EntraID Connect servers. | En Entra | Maester | High | Passing | details → |
| MT.1085 | Pending approvals for Critical Asset Management should not be present. | Xm Exposure Mgmt | Exposure Management | Medium | Passing | details → |
| MT.1090 | Global administrator role should not be added as local administrator on the device during Microsoft Entra join | En Entra | Maester | Medium | Failing | details → |
| MT.1091 | Registering user should not be added as local administrator on the device during Microsoft Entra join | En Entra | Maester | Medium | Failing | details → |
| MT.1092 | Intune APNS certificate should be valid for more than 30 days | In Intune | Maester | High | Failing | details → |
| MT.1096 | Ensure at least one Intune Multi Admin Approval policy is configured | In Intune | Maester | Medium | Passing | details → |
| MT.1099 | Windows Diagnostic Data Processing should be enabled | In Intune | Maester | Low | Failing | details → |
| MT.1101 | Default Branding Profile should be customized | In Intune | Maester | Low | Passing | details → |
| MT.1103 | Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups | In Intune | Maester | High | Passing | details → |
| MT.1105 | Ensure MDM Authority is set to Intune | In Intune | Maester | Low | Passing | details → |
| MT.1106 | Catalog resources must have valid roles (no stale / removed app roles or SPNs). | En Entra | Maester | Medium | Passing | details → |
| MT.1107 | Access packages and catalogs should not reference deleted groups. | En Entra | Maester | Medium | Passing | details → |
| MT.1108 | Access packages should not reference inactive or orphaned assignment policies. | En Entra | Maester | Medium | Failing | details → |
| MT.1109 | Access package approval workflows must have valid approvers. | En Entra | Maester | Medium | Passing | details → |
| MT.1110 | No catalog should contain resources without any associated access packages. | En Entra | Maester | Medium | Failing | details → |
| MT.1123 | Ensure BitLocker full disk encryption is configured | In Intune | Maester | High | Failing | details → |
| MT.1147 | Do not sync krbtgt_AzureAD to Entra ID. | En Entra | Maester | High | Passing | details → |
| AZDO.1000 | Azure DevOps OAuth apps can access resources in your organization through OAuth. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1001 | Identities can connect to your organization's Git repos through SSH. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1002 | Log Audit Events. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1003 | Restrict public projects. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1004 | Additional protections when using public package registries. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1005 | IP Conditional Access policy validation. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1006 | External Users access. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1007 | Team and project administrator are allowed to invite new users. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1008 | Request access to Azure DevOps by e-mail notifications to administrators. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1009 | Feedback Collection. | Ad Azure DevOps | Azure DevOps | Info | Skipped | details → |
| AZDO.1010 | Audit streaming. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1011 | Project Resource Limits. | Ad Azure DevOps | Azure DevOps | Info | Skipped | details → |
| AZDO.1012 | Work Items Tags Limits. | Ad Azure DevOps | Azure DevOps | Info | Skipped | details → |
| AZDO.1013 | Organization Owner should not be an individual. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1014 | Anonymous access to pipeline badges. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1015 | Limit variables that can be set at queue time. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1016 | Limit job authorization scope to current project for non-release pipelines. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1017 | Limit job authorization scope to current project for classic release pipelines. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1018 | Protect access to repositories in YAML pipelines. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1019 | Stage chooser. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1020 | Creation of classic build pipelines. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1021 | Creation of classic release pipelines. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1022 | Limit building pull requests from forked GitHub repositories. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1023 | Disable Marketplace tasks. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1024 | Disable Node 6 tasks. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1025 | Enable shell tasks arguments validation. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1026 | Enable automatic enrollment to Advanced Security for Azure DevOps. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1027 | Disable showing Gravatar images for users outside of your enterprise. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1028 | Disable creation of TFVC repositories. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1029 | Storage Usage Limit. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| AZDO.1030 | Project Collection Administrators. | Ad Azure DevOps | Azure DevOps | Critical | Skipped | details → |
| AZDO.1031 | Validate SSH Key Expiration. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1032 | (Tenant) Restrict creation of global Personal Access Tokens. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1033 | (Tenant) Enable automatic revocation of leaked Personal Access Tokens. | Ad Azure DevOps | Azure DevOps | Critical | Skipped | details → |
| AZDO.1034 | (Tenant) Restrict creation of new Azure DevOps organizations. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1035 | (Tenant) Restrict Personal Access Token lifespan. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1036 | (Tenant) Restrict Personal Access Token full scope. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1037 | (Organization) Restrict Personal Access Token creation. | Ad Azure DevOps | Azure DevOps | High | Skipped | details → |
| AZDO.1038 | (Organization) Disallow extensions from accessing resources on the local network. | Ad Azure DevOps | Azure DevOps | Medium | Skipped | details → |
| CIS.M365.1.2.2 | Ensure sign-in to shared mailboxes is blocked | En Entra | CIS | High | Skipped | details → |
| CIS.M365.1.3.3 | Ensure 'External sharing' of calendars is not available | En Entra | CIS | Medium | Skipped | details → |
| CIS.M365.1.3.6 | Ensure the customer lockbox feature is enabled | En Entra | CIS | High | Skipped | details → |
| CIS.M365.2.1.1 | Ensure Safe Links for Office Applications is Enabled (Only Checks Priority 0 Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.11 | Ensure comprehensive attachment filtering is applied | Do Defender O365 | CIS | High | Skipped | details → |
| CIS.M365.2.1.12 | Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.13 | Ensure the connection filter safe list is off (Only Checks Default Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.2 | Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.3 | Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.4 | Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | Do Defender O365 | CIS | High | Skipped | details → |
| CIS.M365.2.1.5 | Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | Do Defender O365 | CIS | High | Skipped | details → |
| CIS.M365.2.1.6 | Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.7 | Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | Do Defender O365 | CIS | High | Skipped | details → |
| CIS.M365.2.4.4 | Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | Do Defender O365 | CIS | Medium | Skipped | details → |
| CIS.M365.3.1.1 | Ensure Microsoft 365 audit log search is Enabled | Pv Purview | CIS | High | Skipped | details → |
| CIS.M365.6.5.3 | Ensure additional storage providers are restricted in Outlook on the web | Ex Exchange | CIS | Unknown | Skipped | details → |
| CIS.M365.8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | Te Teams | CIS | Medium | Skipped | details → |
| CIS.M365.8.2.2 | Ensure communication with unmanaged Teams users is disabled | Te Teams | CIS | Medium | Skipped | details → |
| CIS.M365.8.2.3 | Ensure external Teams users cannot initiate conversations | Te Teams | CIS | Unknown | Skipped | details → |
| CIS.M365.8.4.1 | Ensure all or a majority of third-party and custom apps are blocked | Te Teams | CIS | High | Skipped | details → |
| CIS.M365.8.5.3 | Ensure only people in my org can bypass the lobby | Te Teams | CIS | Medium | Skipped | details → |
| CIS.M365.8.6.1 | Ensure users can report security concerns in Teams to internal destination | Te Teams | CIS | Medium | Skipped | details → |
| CISA.MS.AAD.4.1 | Security logs SHALL be sent to the agency's security operations center for monitoring. | En Entra | CISA | High | Skipped | details → |
| CISA.MS.AAD.5.4 | Group owners SHALL NOT be allowed to consent to applications. | En Entra | CISA | High | Skipped | details → |
| CISA.MS.EXO.1.1 | Automatic forwarding to external domains SHALL be disabled. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.10.1 | Emails SHALL be scanned for malware. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.10.2 | Emails identified as containing malware SHALL be quarantined or dropped. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.10.3 | Email scanning SHALL be capable of reviewing emails after delivery. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.11.1 | Impersonation protection checks SHOULD be used. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.11.2 | User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.11.3 | The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.12.1 | IP allow lists SHOULD NOT be created. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.12.2 | Safe lists SHOULD NOT be enabled. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.13.1 | Mailbox auditing SHALL be enabled. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.14.1 | A spam filter SHALL be enabled. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.14.2 | Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.14.3 | Allowed domains SHALL NOT be added to inbound anti-spam protection policies. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.14.4 | If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.15.1 | URL comparison with a block-list SHOULD be enabled. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.15.2 | Direct download links SHOULD be scanned for malware. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.15.3 | User click tracking SHOULD be enabled. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.16.1 | Alerts SHALL be enabled. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.16.2 | Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.17.1 | Microsoft Purview Audit (Standard) logging SHALL be enabled. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.17.2 | Microsoft Purview Audit (Premium) logging SHALL be enabled. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.17.3 | Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.2.1 | A list of approved IP addresses for sending mail SHALL be maintained. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.2.2 | An SPF policy SHALL be published for each domain, designating only these addresses as approved senders. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.3.1 | DKIM SHOULD be enabled for all domains. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.4.1 | A DMARC policy SHALL be published for every second-level domain. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.4.2 | The DMARC message rejection option SHALL be p=reject. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.4.3 | The DMARC point of contact for aggregate reports SHALL include [email protected]. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.5.1 | SMTP AUTH SHALL be disabled. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.6.1 | Contact folders SHALL NOT be shared with all domains. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.6.2 | Calendar details SHALL NOT be shared with all domains. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.7.1 | External sender warnings SHALL be implemented. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.8.1 | A DLP solution SHALL be used. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.8.2 | The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.8.3 | The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.8.4 | At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.9.1 | Emails SHALL be filtered by attachment file types. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.9.2 | The attachment filter SHOULD attempt to determine the true file type and assess the file extension. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.9.3 | Disallowed file types SHALL be determined and enforced. | Ex Exchange | CISA | High | Skipped | details → |
| CISA.MS.EXO.9.4 | Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | Ex Exchange | CISA | Medium | Skipped | details → |
| CISA.MS.EXO.9.5 | At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | Ex Exchange | CISA | High | Skipped | details → |
| EIDSCA.AF05 | Authentication Method - FIDO2 security key - Restricted. | En Entra | EIDSCA | High | Skipped | details → |
| EIDSCA.AF06 | Authentication Method - FIDO2 security key - Restrict specific keys. | En Entra | EIDSCA | Medium | Skipped | details → |
| EIDSCA.CP01 | Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. | En Entra | EIDSCA | High | Skipped | details → |
| EIDSCA.CR02 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. | En Entra | EIDSCA | Medium | Skipped | details → |
| EIDSCA.CR03 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. | En Entra | EIDSCA | Medium | Skipped | details → |
| EIDSCA.CR04 | Consent Framework - Admin Consent Request - Consent request duration (days). | En Entra | EIDSCA | High | Skipped | details → |
| MT.1020 | All Conditional Access policies are configured to exclude Directory/OnPremises synchronization accounts or do not scope them. | En Entra | Maester | High | Failing | details → |
| MT.1021 | Security Defaults are enabled. | En Entra | Maester | High | Skipped | details → |
| MT.1033.0 | User should be blocked from using legacy authentication ([email protected]) | En Entra | Maester | High | Skipped | details → |
| MT.1033.1 | User should be blocked from using legacy authentication ([email protected]) | En Entra | Maester | High | Skipped | details → |
| MT.1033.2 | User should be blocked from using legacy authentication ([email protected]) | En Entra | Maester | High | Skipped | details → |
| MT.1033.3 | User should be blocked from using legacy authentication ([email protected]) | En Entra | Maester | High | Skipped | details → |
| MT.1033.4 | User should be blocked from using legacy authentication ([email protected]) | En Entra | Maester | High | Skipped | details → |
| MT.1037 | Only users with Presenter role are allowed to present in Teams meetings | Te Teams | Maester | High | Skipped | details → |
| MT.1039 | Ensure MailTips are enabled for end users | Ex Exchange | Maester | Low | Skipped | details → |
| MT.1041 | Ensure users installing Outlook add-ins is not allowed | Ex Exchange | Maester | High | Skipped | details → |
| MT.1042 | Restrict dial-in users from bypassing a meeting lobby | Te Teams | Maester | Medium | Skipped | details → |
| MT.1043 | Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains | Ex Exchange | Maester | Medium | Skipped | details → |
| MT.1044 | Ensure modern authentication for Exchange Online is enabled | Ex Exchange | Maester | High | Skipped | details → |
| MT.1046 | Restrict anonymous users from joining meetings | Te Teams | Maester | Medium | Skipped | details → |
| MT.1047 | Restrict anonymous users from starting Teams meetings | Te Teams | Maester | Medium | Skipped | details → |
| MT.1048 | Limit external participants from having control in a Teams meeting | Te Teams | Maester | Medium | Skipped | details → |
| MT.1050 | Apps with high-risk permissions having a direct path to Global Admin | En Entra | Maester | High | Skipped | details → |
| MT.1051 | Apps with high-risk permissions having an indirect path to Global Admin | En Entra | Maester | High | Skipped | details → |
| MT.1056 | Ensure that no person has permanent access to all Azure subscriptions at the root scope | Az Azure | AzureConfig | High | Skipped | details → |
| MT.1057 | App registrations should no longer use secrets. | En Entra | Maester | Medium | Skipped | details → |
| MT.1058 | Exchange application access policies must be configured. | En Entra | Maester | Medium | Skipped | details → |
| MT.1062 | Ensure Direct Send is set to be rejected | Ex Exchange | Maester | Medium | Skipped | details → |
| MT.1063 | All App registration owners should have MFA registered | En Entra | Maester | High | Skipped | details → |
| MT.1064 | Ensure that write permissions are required to create new management groups | Az Azure | AzureConfig | High | Skipped | details → |
| MT.1065 | Ensure all Recovery Services Vaults have soft delete enabled | Az Azure | AzureConfig | High | Skipped | details → |
| MT.1075 | Require explicit assignment of Third Party Entra Apps. | En Entra | Maester | Medium | Skipped | details → |
| MT.1077 | App registrations with privileged API permissions should not have owners. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1078 | App registrations with highly privileged directory roles should not have owners. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1079 | Privileged API permissions on service principals should not remain unused. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1080 | Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1081 | Hybrid users should not be assigned Entra ID role assignments. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1083 | Ensure Delicensing Resiliency is enabled | Ex Exchange | Maester | Low | Skipped | details → |
| MT.1086 | Devices should not share both critical and non-critical user credentials. | Xm Exposure Mgmt | Exposure Management | Low | Skipped | details → |
| MT.1087 | Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVE's. | Xm Exposure Mgmt | Exposure Management | High | Skipped | details → |
| MT.1088 | Devices with critical credentials should be protected by TPM. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1089 | Devices with critical credentials should be protected by Credential Guard. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1093 | Apple Automated Device Enrollment Tokens should be valid for more than 30 days | In Intune | Maester | High | Skipped | details → |
| MT.1094 | Apple Volume Purchase Program Tokens should be valid for more than 30 days | In Intune | Maester | High | Skipped | details → |
| MT.1095 | Android Enterprise account connection should be healthy | In Intune | Maester | High | Skipped | details → |
| MT.1097 | Ensure all Intune Certificate Connectors are healthy and running supported versions | In Intune | Maester | High | Skipped | details → |
| MT.1098 | Mobile Threat Defense Connectors should be healthy | In Intune | Maester | Critical | Skipped | details → |
| MT.1100 | Intune Diagnostic Settings should include Audit Logs | In Intune | Maester | High | Skipped | details → |
| MT.1102 | Windows Feature Update Policy Settings should not reference end of support builds | In Intune | Maester | High | Skipped | details → |
| MT.1111 | High privileged user should be linked to an identity. | Xm Exposure Mgmt | Exposure Management | Low | Skipped | details → |
| MT.1112 | Privileged user accounts should not remain enabled when the linked primary account is disabled. | Xm Exposure Mgmt | Exposure Management | Medium | Skipped | details → |
| MT.1113 | AI agents should not be shared with broad access control policies. | Co Copilot | Copilot Studio Agent Security | High | Skipped | details → |
| MT.1114 | AI agents should require user authentication. | Co Copilot | Copilot Studio Agent Security | High | Skipped | details → |
| MT.1115 | AI agents should not have risky HTTP configurations. | Co Copilot | Copilot Studio Agent Security | Medium | Skipped | details → |
| MT.1116 | AI agents should not send email with AI-controlled inputs. | Co Copilot | Copilot Studio Agent Security | High | Skipped | details → |
| MT.1117 | Published AI agents should not be dormant. | Co Copilot | Copilot Studio Agent Security | Low | Skipped | details → |
| MT.1118 | AI agents should not use author (maker) authentication for connections. | Co Copilot | Copilot Studio Agent Security | Medium | Skipped | details → |
| MT.1119 | AI agents should not have hard-coded credentials in topics. | Co Copilot | Copilot Studio Agent Security | High | Skipped | details → |
| MT.1120 | AI agents should not use MCP server tools without review. | Co Copilot | Copilot Studio Agent Security | Medium | Skipped | details → |
| MT.1121 | AI agents with generative orchestration should have custom instructions. | Co Copilot | Copilot Studio Agent Security | Medium | Skipped | details → |
| MT.1122 | AI agents should not have orphaned ownership. | Co Copilot | Copilot Studio Agent Security | Medium | Skipped | details → |
| MT.1148 | Archive Scanning should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1149 | Behavior Monitoring should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1150 | Cloud Protection should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1151 | Email Scanning should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1152 | Script Scanning should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1153 | Real-time Monitoring should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1154 | Full Scan Removable Drives should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1155 | Full Scan Mapped Drives should be disabled for performance. | Df Defender | Maester | High | Skipped | details → |
| MT.1156 | Scanning Network Files should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1157 | CPU Load Factor should be optimized (20-30%). | Df Defender | Maester | High | Skipped | details → |
| MT.1158 | Scan should be scheduled. | Df Defender | Maester | High | Skipped | details → |
| MT.1159 | Quick Scan Time configuration is not required. | Df Defender | Maester | High | Skipped | details → |
| MT.1160 | Signatures should be checked before scan. | Df Defender | Maester | High | Skipped | details → |
| MT.1161 | Cloud Block Level should be High or higher. | Df Defender | Maester | High | Skipped | details → |
| MT.1162 | Cloud Extended Timeout should be 30-50 seconds. | Df Defender | Maester | High | Skipped | details → |
| MT.1163 | Signature Update Interval should be 1-4 hours. | Df Defender | Maester | High | Skipped | details → |
| MT.1164 | PUA Protection should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1165 | Network Protection should be enabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1166 | Local Admin Merge should be disabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1167 | Real-Time Scan Direction should cover both directions. | Df Defender | Maester | High | Skipped | details → |
| MT.1168 | Cleaned Malware should be retained for at least 30 days. | Df Defender | Maester | High | Skipped | details → |
| MT.1169 | Catch-up Full Scan should be disabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1170 | Catch-up Quick Scan should be disabled. | Df Defender | Maester | High | Skipped | details → |
| MT.1171 | Sample Submission should send safe samples automatically. | Df Defender | Maester | High | Skipped | details → |
| ORCA.100 | Bulk Complaint Level threshold is between 4 and 6. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.101 | Bulk is marked as spam. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.102 | Advanced Spam filter options are turned off. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.103 | Outbound spam filter policy settings configured. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.104 | High Confidence Phish action set to Quarantine message. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.105 | Safe Links Synchronous URL detonation is enabled. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.106 | Quarantine retention period is 30 days. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.107 | End-user spam notification is enabled. | Do Defender O365 | ORCA | Low | Skipped | details → |
| ORCA.108 | DKIM signing is set up for all your custom domains. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.108.1 | DNS Records have been set up to support DKIM. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.109 | Senders are not being allow listed in an unsafe manner. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.110 | Internal Sender notifications are disabled. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.111 | Anti-phishing policy exists and EnableUnauthenticatedSender is true. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.112 | Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.113 | AllowClickThrough is disabled in Safe Links policies. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.114 | No IP Allow Lists have been configured. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.115 | Mailbox intelligence based impersonation protection is enabled in anti-phishing policies. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.116 | Mailbox intelligence based impersonation protection action set to move message to junk mail folder. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.118.1 | Domains are not being allow listed in an unsafe manner in Anti-Spam Policies. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.118.2 | Domains are not being allow listed in an unsafe manner in Transport Rules. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.118.3 | Your own domains are not being allow listed in an unsafe manner in Anti-Spam Policies. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.118.4 | Your own domains are not being allow listed in an unsafe manner in Transport Rules. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.119 | Similar Domains Safety Tips is enabled. | Do Defender O365 | ORCA | Info | Skipped | details → |
| ORCA.120.1 | Zero Hour Autopurge Enabled for Phish. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.120.2 | Zero Hour Autopurge Enabled for Malware. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.120.3 | Zero Hour Autopurge Enabled for Spam. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.121 | Supported filter policy action used. | Do Defender O365 | ORCA | Low | Skipped | details → |
| ORCA.123 | Unusual Characters Safety Tips is enabled. | Do Defender O365 | ORCA | Info | Skipped | details → |
| ORCA.124 | Safe attachments unknown malware response set to block messages. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.139 | Spam action set to move message to junk mail folder or quarantine. | Do Defender O365 | ORCA | Low | Skipped | details → |
| ORCA.140 | High Confidence Spam action set to Quarantine message. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.141 | Bulk action set to Move message to Junk Email Folder. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.142 | Phish action set to Quarantine message. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.143 | Safety Tips are enabled. | Do Defender O365 | ORCA | Info | Skipped | details → |
| ORCA.156 | Safe Links Policies are tracking when user clicks on safe links. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.158 | Safe Attachments is enabled for SharePoint and Teams. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.179 | Safe Links is enabled intra-organization. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.180 | Anti-phishing policy exists and EnableSpoofIntelligence is true. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.189 | Safe Attachments is not bypassed. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.189.2 | Safe Links is not bypassed. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.205 | Common attachment type filter is enabled. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.220 | Advanced Phish filter Threshold level is adequate. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.221 | Mailbox intelligence is enabled in anti-phishing policies. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.222 | Domain Impersonation action is set to move to Quarantine. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.223 | User impersonation action is set to move to Quarantine. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.224 | Similar Users Safety Tips is enabled. | Do Defender O365 | ORCA | Info | Skipped | details → |
| ORCA.225 | Safe Documents is enabled for Office clients. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.226 | Each domain has a Safe Link policy applied to it. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.227 | Each domain has a Safe Attachments policy applied to it. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.228 | No trusted senders in Anti-phishing policy. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.229 | No trusted domains in Anti-phishing policy. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.230 | Each domain has a Anti-phishing policy applied to it, or the default policy is being used. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.231 | Each domain has a anti-spam policy applied to it, or the default policy is being used. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.232 | Each domain has a malware filter policy applied to it, or the default policy is being used. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.233 | Domains are pointed directly at EOP or enhanced filtering is used. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.233.1 | Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.234 | Click through is disabled for Safe Documents. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.235 | SPF records is set up for all your custom domains. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.236 | Safe Links is enabled for emails. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.237 | Safe Links is enabled for teams messages. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.238 | Safe Links is enabled for office documents. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.239 | No exclusions for the built-in protection policies. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.240 | Outlook is configured to display external tags for external emails. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.241 | Anti-phishing policy exists and EnableFirstContactSafetyTips is true. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.242 | Important protection alerts responsible for AIR activities are enabled. | Do Defender O365 | ORCA | High | Skipped | details → |
| ORCA.243 | Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ORCA.244 | Policies are configured to honor sending domains DMARC. | Do Defender O365 | ORCA | Medium | Skipped | details → |
| ZT.22659 | All risky workload identity sign-ins are triaged | En Entra | Zero Trust | High | Skipped | details → |
| ZT.21778 | Line-of-business and partner apps use MSAL | ·· Other | Zero Trust | Medium | Skipped | details → |
| ZT.25481 | All Private Access apps have user or group assignments | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25533 | DDoS Protection is enabled for all Public IP Addresses in VNETs | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.21897 | All app assignment and group membership is governed | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.35024 | Azure RMS Licensing Enabled | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.27016 | Rate Limiting is Enabled in Application Gateway WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.26889 | Diagnostic logging is enabled in Azure Front Door WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21788 | Global Administrators don't have standing elevated access to all Azure subscriptions in the tenant | En Entra | Zero Trust | High | Failing | details → |
| ZT.1ff0b4c9-ed56-4de6-be9c-d7ab39645926 | Disabled accounts with read and write permissions on Azure resources should be removed | Az Azure | Zero Trust | High | Passing | details → |
| ZT.24576 | Intune Endpoint Analytics policy is created and assigned | In Intune | Zero Trust | Low | Failing | details → |
| ZT.21874 | Allow/Deny lists of domains to restrict external collaboration are configured | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.35017 | Default label configured for sensitivity labels | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.25391 | Private network connectors are active and healthy to maintain Zero Trust access to internal resources | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.21790 | Outbound cross-tenant access settings are configured | En Entra | Zero Trust | High | Failing | details → |
| ZT.21804 | Weak authentication methods are disabled | En Entra | Zero Trust | High | Failing | details → |
| ZT.26884 | Bot protection rule set is enabled and assigned in Azure Front Door WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25383 | Global and GSA admin privileges are tightly limited to prevent tenant-wide compromise | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.24823 | Company Portal branding and support settings enhance user experience and trust | In Intune | Zero Trust | Medium | Failing | details → |
| ZT.21838 | Security key authentication method enabled | En Entra | Zero Trust | High | Passing | details → |
| ZT.21808 | Restrict device code flow | En Entra | Zero Trust | High | Passing | details → |
| ZT.21801 | Users have strong authentication methods configured | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21881 | Azure subscriptions used by Identity Governance are secured consistently with Identity Governance roles | En Entra | Zero Trust | High | Skipped | details → |
| ZT.25409 | Web content filtering uses category-based rules | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.27001 | TLS inspection bypass rules are regularly reviewed | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.21806 | Secure the MFA registration (My Security Info) page | En Entra | Zero Trust | High | Passing | details → |
| ZT.21876 | Use PIM for Microsoft Entra privileged roles | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21899 | All privileged role assignments have a recipient that can receive notifications | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21786 | User sign-in activity uses token protection | En Entra | Zero Trust | High | Failing | details → |
| ZT.21848 | Enable custom banned passwords | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21793 | Tenant restrictions v2 are configured | En Entra | Zero Trust | High | Passing | details → |
| ZT.35036 | Trainable Classifiers Usage in Policies | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.21829 | Use cloud authentication | En Entra | Zero Trust | High | Passing | details → |
| ZT.21892 | All sign-in activity comes from managed devices | En Entra | Zero Trust | High | Failing | details → |
| ZT.35006 | PDF labeling is enabled in SharePoint | Pv Purview | Zero Trust | Medium | Skipped | details → |
| ZT.35028 | Email retention policies are configured | Pv Purview | Zero Trust | Medium | Failing | details → |
| ZT.25537 | Threat intelligence is Enabled in Deny Mode on Azure Firewall | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21770 | Inactive applications don't have highly privileged permissions | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.35022 | On-Demand scans configured for sensitive information discovery | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.21985 | Turn off Seamless SSO if there are is no usage | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.25411 | TLS inspection is enabled and correctly configured for outbound traffic | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24870 | Corporate Wi-Fi Network on macOS Devices is Securely Managed | In Intune | Zero Trust | High | Failing | details → |
| ZT.21855 | Privileged roles have access reviews | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21823 | Guest self-service sign-up via user flow is disabled | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.2c79b4af-f830-b61e-92b9-63dfa30f16e4 | There should be more than one owner assigned to subscriptions | Az Azure | Zero Trust | High | Passing | details → |
| ZT.21796 | Block legacy authentication policies are configured | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21953 | Local Admin Password Solution is deployed | En Entra | Zero Trust | High | Passing | details → |
| ZT.21800 | All user sign-in activity uses strong authentication methods | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21983 | No Active Medium priority Entra recommendations found | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21849 | Smart lockout duration is set to a minimum of 60 | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21833 | Directory Sync account credentials haven't been rotated recently | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21872 | Require multifactor authentication for device join and device registration using user action | En Entra | Zero Trust | High | Passing | details → |
| ZT.21825 | Privileged users have short-lived sign-in sessions | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21893 | Enable Microsoft Entra ID Protection policy to enforce multifactor authentication registration | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21795 | No legacy authentication sign-in activity | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.25380 | Global Secure Access signaling for Conditional Access is enabled | Ga Secure Access | Zero Trust | Medium | Failing | details → |
| ZT.24794 | Intune Terms and Conditions Policy is configured and assigned | In Intune | Zero Trust | Medium | Failing | details → |
| ZT.21886 | Applications that use Microsoft Entra for authentication and support provisioning are configured | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21809 | Admin consent workflow is enabled | En Entra | Zero Trust | High | Failing | details → |
| ZT.24551 | Windows Hello for Business Policy is Configured and Assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.21883 | Workload Identities are configured with risk-based policies | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21777 | App Instance Property Lock is configured for all multitenant applications | En Entra | Zero Trust | High | Failing | details → |
| ZT.25384 | Application admin rights are constrained to specific Private Access apps | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21836 | Workload Identities are not assigned privileged roles | En Entra | Zero Trust | High | Failing | details → |
| ZT.35039 | Communication compliance monitoring is configured for Microsoft Copilot | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.24784 | A Microsoft Defender Antivirus policy is created and assigned in Intune for macOS | In Intune | Zero Trust | High | Passing | details → |
| ZT.3b20e985-f71f-483b-b078-f30d73936d43 | All network ports should be restricted on network security groups associated to your virtual machine | Az Azure | Zero Trust | High | Failing | details → |
| ZT.21846 | Temporary access pass restricted to one-time use | En Entra | Zero Trust | Low | Passing | details → |
| ZT.21807 | Creating new applications and service principles is restricted to privileged users | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.24573 | Windows Security Baseline is Configured and Assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.24553 | Windows Update policies are enforced to reduce risk from unpatched vulnerabilities | In Intune | Zero Trust | High | Passing | details → |
| ZT.24824 | Non-compliant Devices are Restricted from Accessing Corporate Data | In Intune | Zero Trust | High | Failing | details → |
| ZT.21784 | All user sign in activity uses phishing-resistant authentication methods | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.bc303248-3d14-44c2-96a0-55f5c326b5fe | Management ports should be closed on your virtual machines | Az Azure | Zero Trust | Medium | Failing | details → |
| ZT.26879 | Request Body Inspection is enabled in Application Gateway WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25370 | Source IP restoration is enabled | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.35004 | Published Label Policies | Pv Purview | Zero Trust | Low | Passing | details → |
| ZT.23183 | Service principals use safe redirect URIs | En Entra | Zero Trust | High | Failing | details → |
| ZT.21877 | All guests have a sponsor | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21834 | Directory sync account is locked down to specific named location | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21992 | Application Certificates need to be rotated on a regular basis | En Entra | Zero Trust | High | Failing | details → |
| ZT.21828 | Authentication transfer is blocked | En Entra | Zero Trust | High | Passing | details → |
| ZT.21775 | Enforce standards for app secrets and certificates | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21864 | All risk detections are triaged | En Entra | Zero Trust | High | Skipped | details → |
| ZT.21843 | Block legacy Microsoft Online PowerShell module | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.24543 | Compliance policy assignment for iOS/iPadOS devices | In Intune | Zero Trust | High | Passing | details → |
| ZT.21929 | All entitlement management packages that apply to guests have expirations or access reviews configured in their assignment policies | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21831 | Conditional Access protected actions are enabled | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21984 | No Active low priority Entra recommendations found | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21859 | GDAP admin least privilege | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.25408 | Web content filtering policies are configured | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.35021 | Auto-Labeling Policies Enabled for SharePoint and OneDrive | Pv Purview | Zero Trust | High | Failing | details → |
| ZT.21862 | All risky workload identities are triaged | En Entra | Zero Trust | High | Skipped | details → |
| ZT.21798 | ID Protection notifications enabled | En Entra | Zero Trust | High | Skipped | details → |
| ZT.21964 | Enable protected actions to secure Conditional Access policy creation and changes | En Entra | Zero Trust | High | Passing | details → |
| ZT.21771 | Inactive applications don’t have highly privileged Microsoft Entra built-in roles | En Entra | Zero Trust | High | Passing | details → |
| ZT.24541 | Compliance policies protect Windows devices | In Intune | Zero Trust | High | Failing | details → |
| ZT.26883 | Default rule set is assigned in Azure Front Door WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24540 | Windows Firewall Policy is Created and Assigned | In Intune | Zero Trust | High | Passing | details → |
| ZT.21857 | Guest identities are lifecycle managed with access reviews | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21814 | Privileged accounts are cloud native identities | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.35010 | Double Key Encryption (DKE) Labels | Pv Purview | Zero Trust | Low | Passing | details → |
| ZT.35029 | Mail flow rules with rights protection | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.25375 | Global Secure Access licenses are available in the tenant and assigned to users | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21811 | Password expiration is disabled | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.24570 | Entra Connect Sync is configured with Service Principal Credentials | En Entra | Zero Trust | High | Failing | details → |
| ZT.26882 | Bot protection ruleset is enabled and assigned in Application Gateway WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.35038 | Insider Risk Management Policies Enabled for Risky AI Usage | Pv Purview | Zero Trust | High | Failing | details → |
| ZT.35008 | Default sensitivity labels are configured for SharePoint document libraries | Pv Purview | Zero Trust | Medium | Skipped | details → |
| ZT.22072 | Self-Service Password Reset does not use Q & A | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.35041 | Browser data loss prevention is enabled for AI apps via Edge for Business | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.21803 | Migrate from legacy MFA and SSPR policies | En Entra | Zero Trust | High | Passing | details → |
| ZT.26881 | Default Ruleset is enabled in Application Gateway WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24840 | Secure Wi-Fi profiles protect Android devices from unauthorized network access | In Intune | Zero Trust | High | Failing | details → |
| ZT.24568 | macOS - Platform SSO is configured and assigned | In Intune | Zero Trust | Medium | Passing | details → |
| ZT.25401 | Application Proxy applications require pre-authentication to block anonymous access to on-premises resources | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.21839 | Passkey authentication method enabled | En Entra | Zero Trust | High | Passing | details → |
| ZT.21898 | All supported access lifecycle resources are managed with entitlement management packages | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21816 | All Microsoft Entra privileged role assignments are managed with PIM | En Entra | Zero Trust | High | Skipped | details → |
| ZT.24802 | Device Clean-up Rule is Created | In Intune | Zero Trust | Low | Failing | details → |
| ZT.20606e75-05c4-48c0-9d97-add6daa2109a | Guest accounts with owner permissions on Azure resources should be removed | Az Azure | Zero Trust | High | Failing | details → |
| ZT.21789 | Tenant creation events are triaged | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21896 | Service principals don't have certificates or credentials associated with them | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.26888 | Diagnostic logging is enabled in Application Gateway WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.35013 | Encryption-Enabled Labels | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.a9341235-9389-42f0-a0bf-9bfb57960d44 | Non-internet-facing virtual machines should be protected with network security groups | Az Azure | Zero Trust | Low | Skipped | details → |
| ZT.26880 | Request Body Inspection is enabled in Azure Front Door WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25420 | Network access logs are retained for security analysis and compliance requirements | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21888 | App registrations must not have dangling or abandoned domain redirect URIs | En Entra | Zero Trust | High | Failing | details → |
| ZT.25393 | Quick Access is enabled and bound to a connector | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.25410 | Web content filtering policies are linked to security profiles | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.25372 | Global Secure Access client is deployed on all managed endpoints | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21812 | Maximum number of Global Administrators doesn't exceed eight users | En Entra | Zero Trust | Low | Failing | details → |
| ZT.21813 | High Global Administrator to privileged user ratio | En Entra | Zero Trust | High | Failing | details → |
| ZT.35018 | Downgrade Justification Required for Sensitivity Labels | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.35026 | Office 365 Message Encryption (OME) - SimplifiedClientAccessEnabled | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.21844 | Block legacy Azure AD PowerShell module | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21773 | Applications don't have certificates with expiration longer than 180 days | En Entra | Zero Trust | High | Failing | details → |
| ZT.27004 | TLS inspection custom bypass rules don't duplicate system bypass destinations | Ga Secure Access | Zero Trust | Low | Skipped | details → |
| ZT.35037 | Purview audit logging enabled | Pv Purview | Zero Trust | High | Failing | details → |
| ZT.21860 | Diagnostic settings are configured for all Microsoft Entra logs | En Entra | Zero Trust | High | Failing | details → |
| ZT.21889 | Reduce the user-visible password surface area | En Entra | Zero Trust | High | Passing | details → |
| ZT.35009 | Co-Authoring Enabled for Encrypted Documents | Pv Purview | Zero Trust | Low | Passing | details → |
| ZT.25407 | Web content filtering integrates with Conditional Access | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21884 | Conditional Access policies for workload identities based on known networks are configured | En Entra | Zero Trust | High | Skipped | details → |
| ZT.24871 | Automatic Enrollment to Defender is enabled for Android Devices | In Intune | Zero Trust | High | Failing | details → |
| ZT.e3de1cc0-f4dd-3b34-e496-8b5381ba2d70 | Azure DDoS Protection Standard should be enabled | Az Azure | Zero Trust | Medium | Skipped | details → |
| ZT.21870 | Enable SSPR | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21824 | Guests don't have long lived sign-in sessions | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21776 | User consent settings are restricted | En Entra | Zero Trust | High | Passing | details → |
| ZT.22124 | High priority Entra recommendations are addressed | En Entra | Zero Trust | High | Failing | details → |
| ZT.e1145ab1-eb4f-43d8-911b-36ddf771d13f | System updates should be installed on your machines (powered by Azure Update Manager) | Az Azure | Zero Trust | High | Skipped | details → |
| ZT.21868 | Guests don't own apps in the tenant | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21954 | Restrict nonadministrator users from recovering the BitLocker keys for their owned devices | En Entra | Zero Trust | High | Passing | details → |
| ZT.25382 | Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25543 | Azure Front Door WAF is Enabled in Prevention Mode | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24550 | Windows BitLocker policy is configured and assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.25396 | Conditional Access policies enforce strong authentication for private apps | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25381 | Network traffic is routed through Global Secure Access for security policy enforcement | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24549 | An app protection policy for Android devices exists | In Intune | Zero Trust | High | Passing | details → |
| ZT.27015 | HTTP DDoS Protection Ruleset is Enabled in Application Gateway WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21840 | Security key attestation is enforced | En Entra | Zero Trust | High | Failing | details → |
| ZT.21895 | Application Certificate Credentials are managed using HSM | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21810 | Resource-Specific Consent is restricted | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21780 | No usage of ADAL in the tenant | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.35003 | Total Sensitivity Labels Configured | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.24552 | macOS - Firewall policy is created and assigned | In Intune | Zero Trust | Medium | Failing | details → |
| ZT.21841 | Microsoft Authenticator app report suspicious activity setting is enabled | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21821 | Guest access is restricted | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.24574 | Attack Surface Reduction rules are applied to Windows devices to prevent exploitation of vulnerable system components | In Intune | Zero Trust | High | Failing | details → |
| ZT.25399 | Private DNS is configured for internal name resolution | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.21890 | Require password reset notifications for user roles | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.25394 | Quick Access is bound to a Conditional Access policy | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21885 | App registrations use safe redirect URIs | En Entra | Zero Trust | High | Failing | details → |
| ZT.eade5b56-eefd-444f-95c8-23f29e5d93cb | Subnets should be associated with a network security group | Az Azure | Zero Trust | Low | Failing | details → |
| ZT.21891 | Require password reset notifications for administrator roles | En Entra | Zero Trust | High | Skipped | details → |
| ZT.27003 | TLS inspection failure rate is below 1% | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24547 | Compliance Policy for Android Enterprise Personally-Owned Work Profile is configured and assigned | In Intune | Zero Trust | High | Passing | details → |
| ZT.483f12ed-ae23-447e-a2de-a67a10db4353 | Internet-facing virtual machines should be protected with network security groups | Az Azure | Zero Trust | High | Passing | details → |
| ZT.805651bc-6ecd-4c73-9b55-97a19d0582d0 | Management ports of virtual machines should be protected with just-in-time network access control | Az Azure | Zero Trust | High | Skipped | details → |
| ZT.27019 | JavaScript Challenge is Enabled in Azure Front Door WAF | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.35025 | Internal RMS Licensing Enabled | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.27017 | JavaScript Challenge is Enabled in Application Gateway WAF | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.21879 | All entitlement management assignment policies that apply to external users require approval | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21835 | Emergency access accounts are configured appropriately | En Entra | Zero Trust | High | Passing | details → |
| ZT.21787 | Permissions to create new tenants is limited to the Tenant Creator role | En Entra | Zero Trust | High | Passing | details → |
| ZT.6f90a6d6-d4d6-0794-0ec1-98fa77878c2e | A maximum of 3 owners should be designated for subscriptions | Az Azure | Zero Trust | High | Failing | details → |
| ZT.25392 | Private network connectors are running the latest version | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.21865 | Trusted network locations are configured to increase quality of risk detections | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.24554 | An iOS update policy is created and assigned | In Intune | Zero Trust | High | Passing | details → |
| ZT.26887 | Diagnostic logging is enabled in Azure Firewall | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21783 | Privileged Microsoft Entra built-in roles are targeted with Conditional Access policies to enforce phishing-resistant methods | En Entra | Zero Trust | High | Failing | details → |
| ZT.35001 | Conditional Access RMS Exclusions | Pv Purview | Zero Trust | High | Failing | details → |
| ZT.21863 | All high-risk sign-ins are triaged | En Entra | Zero Trust | High | Failing | details → |
| ZT.25466 | At least two Private Access connectors are active and healthy per connector group | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.24548 | An app protection policy for iOS devices exists | In Intune | Zero Trust | High | Passing | details → |
| ZT.24561 | A macOS Cloud LAPS Policy is Created and Assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.1195afff-c881-495e-9bc5-1486211ae03f | Machines should have vulnerability findings resolved | Az Azure | Zero Trust | Low | Skipped | details → |
| ZT.25480 | Quick Access has user or group assignments | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.25413 | File transfer policies are configured to prevent data exfiltration | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.25405 | Intelligent Local Access is enabled and configured | Ga Secure Access | Zero Trust | Medium | Passing | details → |
| ZT.25539 | IDPS Inspection is Enabled in Deny Mode on Azure Firewall | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24827 | Unmanaged and unprotected Apps are restricted from Accessing Corporate Data | In Intune | Zero Trust | High | Passing | details → |
| ZT.25403 | Private Access sensors are enforcing strong authentication policies on domain controllers | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21882 | No nested groups in PIM for groups | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21818 | Activation alert for highly privileged role assignments | En Entra | Zero Trust | High | Failing | details → |
| ZT.24542 | macOS Compliance Policy is Created and Assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.25377 | Universal tenant restrictions block unauthorized external tenant access | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.25398 | Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.ffff0522-1e88-47fc-8382-2a80ba848f5d | Machines should have a vulnerability assessment solution | Az Azure | Zero Trust | Medium | Failing | details → |
| ZT.21837 | Limit the maximum number of devices per user to 10 | En Entra | Zero Trust | High | Passing | details → |
| ZT.21817 | Global Administrator role activation triggers an approval workflow | En Entra | Zero Trust | High | Passing | details → |
| ZT.27002 | TLS inspection certificates have a sufficient validity period | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24545 | Compliance policy assignment for Android Enterprise Fully managed device is configured and assigned | In Intune | Zero Trust | High | Passing | details → |
| ZT.25422 | Global Secure Access deployment logs are populated and reviewed | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.24839 | Corporate Wi-Fi network on iOS devices is securely managed | In Intune | Zero Trust | High | Failing | details → |
| ZT.21955 | Manage the local administrators on Microsoft Entra joined devices | En Entra | Zero Trust | High | Skipped | details → |
| ZT.26885 | Metrics are enabled for DDoS-protected public IPs | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.26886 | Diagnostic logging is enabled for DDoS-protected public IPs | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.35032 | Adaptive Protection in DLP Policies | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.27020 | CAPTCHA challenge is enabled in Azure Front Door WAF | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.35019 | Auto-Labeling Policies Configured (All Workloads) | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.25376 | Microsoft 365 traffic is actively flowing through Global Secure Access | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.050ac097-3dda-4d24-ab6d-82568e7a50cf | Disabled accounts with owner permissions on Azure resources should be removed | Az Azure | Zero Trust | High | Passing | details → |
| ZT.35015 | Global Scope Label Count | Pv Purview | Zero Trust | Medium | Passing | details → |
| ZT.21850 | Smart lockout threshold set to 10 or less | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.25395 | Entra Private Access Application segments are defined to enforce least-privilege access | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.35023 | OCR is enabled for sensitive information detection | Pv Purview | Zero Trust | Medium | Failing | details → |
| ZT.35030 | Data loss prevention policies are enabled | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.22128 | Guests are not assigned high privileged directory roles | En Entra | Zero Trust | High | Failing | details → |
| ZT.21820 | Activation alert for all privileged role assignments | En Entra | Zero Trust | Low | Passing | details → |
| ZT.24690 | macOS update policy is configured and assigned | In Intune | Zero Trust | High | Passing | details → |
| ZT.25541 | Application Gateway WAF is Enabled in Prevention mode | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.35034 | Exact Data Match (EDM) Configurations | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.21832 | All groups in Conditional Access policies belong to a restricted management administrative unit | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.25416 | Global Secure Access cloud firewall protects branch office internet traffic | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.35011 | Super user membership is configured for Microsoft Purview Information Protection | Pv Purview | Zero Trust | Medium | Skipped | details → |
| ZT.21782 | Privileged accounts have phishing-resistant methods registered | En Entra | Zero Trust | High | Failing | details → |
| ZT.21858 | Inactive guest identities are disabled or removed from the tenant | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.fde1c0c9-0fd2-4ecc-87b5-98956cbc1095 | Guest accounts with read permissions on Azure resources should be removed | Az Azure | Zero Trust | High | Passing | details → |
| ZT.21781 | Privileged users sign in with phishing-resistant methods | En Entra | Zero Trust | High | Skipped | details → |
| ZT.21799 | Block high risk sign-ins | En Entra | Zero Trust | High | Failing | details → |
| ZT.21866 | All Microsoft Entra recommendations are addressed | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.35020 | Auto-labeling enforcement mode enabled | Pv Purview | Zero Trust | High | Failing | details → |
| ZT.27018 | Rate Limiting is Enabled in Azure Front Door WAF | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.8c3d9ad0-3639-4686-9cd2-2b2ab2609bda | Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration) | Az Azure | Zero Trust | Low | Skipped | details → |
| ZT.21792 | Guests have restricted access to directory objects | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.35027 | OME Custom Branding Templates | Pv Purview | Zero Trust | Low | Failing | details → |
| ZT.24564 | Intune Local Users and Groups policy is created and assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.21791 | Guest can’t invite other guests | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21842 | Block administrators from using SSPR | En Entra | Zero Trust | High | Passing | details → |
| ZT.35016 | Mandatory labeling enabled for sensitivity labels | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.25419 | Network access activity is visible to security operations for threat detection and response | Ga Secure Access | Zero Trust | Medium | Skipped | details → |
| ZT.21772 | Applications don't have secrets configured | En Entra | Zero Trust | High | Failing | details → |
| ZT.21819 | Activation alert for Global Administrator role assignments | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.24555 | Intune Scope Tags are Configured for Delegated Administration | In Intune | Zero Trust | Medium | Passing | details → |
| ZT.21941 | Token protection policies are configured | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21815 | All privileged role assignments are activated just in time and not permanently active | En Entra | Zero Trust | High | Failing | details → |
| ZT.21878 | All entitlement management policies have an expiration date | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21854 | Privileged roles aren't assigned to stale identities | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.24518 | Enterprise applications have owners | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.21861 | All risky users are triaged | En Entra | Zero Trust | High | Failing | details → |
| ZT.21894 | All certificates Microsoft Entra Application Registrations and Service Principals must be issued by an approved certification authority | En Entra | Zero Trust | Low | Skipped | details → |
| ZT.21779 | Use recent versions of Microsoft Applications | ·· Other | Zero Trust | Medium | Skipped | details → |
| ZT.24575 | A Windows Defender Antivirus policy is created and assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.21822 | Guest access is limited to approved tenants | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.35033 | Custom Sensitive Information Types (SITs) Configured | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.21845 | Temporary access pass is enabled | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.21847 | Password protection for on-premises is enabled | En Entra | Zero Trust | High | Failing | details → |
| ZT.35005 | Sensitivity labels are enabled for SharePoint and OneDrive | Pv Purview | Zero Trust | High | Skipped | details → |
| ZT.21851 | All guests user strong authentication methods | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.25400 | DNS traffic for internal domains is routed through Private Access | Ga Secure Access | Zero Trust | Low | Skipped | details → |
| ZT.c3b51c94-588b-426b-a892-24696f9e54cc | IP forwarding on your virtual machine should be disabled | Az Azure | Zero Trust | Medium | Passing | details → |
| ZT.35012 | Container labels are configured for Teams, Groups, and Sites | Pv Purview | Zero Trust | Medium | Failing | details → |
| ZT.21875 | All entitlement management assignment policies that apply to external users require connected organizations | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.25550 | Inspection of Outbound TLS Traffic is Enabled on Azure Firewall | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21774 | Microsoft services applications don't have credentials configured | En Entra | Zero Trust | High | Passing | details → |
| ZT.21802 | Microsoft Authenticator app shows sign-in context | En Entra | Zero Trust | Medium | Passing | details → |
| ZT.25371 | Network validation is configured through Universal Continuous Access Evaluation | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.24572 | Device enrollment notification is configured and assigned | In Intune | Zero Trust | Medium | Failing | details → |
| ZT.35040 | Communication compliance monitoring is configured for enterprise AI tools | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.24560 | Windows Cloud LAPS policy is created and assigned | In Intune | Zero Trust | High | Passing | details → |
| ZT.21912 | Azure resources used by Microsoft Entra only allow access from privileged roles | En Entra | Zero Trust | High | Skipped | details → |
| ZT.27000 | Web content filtering blocks high-risk categories | Ga Secure Access | Zero Trust | High | Failing | details → |
| ZT.24569 | Intune macOS FileVault policy is created and Assigned | In Intune | Zero Trust | High | Failing | details → |
| ZT.21887 | All registered redirect URIs must have proper DNS records and ownerships | En Entra | Zero Trust | Medium | Skipped | details → |
| ZT.21830 | Highly privileged roles are only activated in a PAW/SAW device | En Entra | Zero Trust | High | Failing | details → |
| ZT.25406 | Internet access forwarding profile is enabled | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21869 | Enterprise applications must require explicit assignment or scoped provisioning | En Entra | Zero Trust | Medium | Failing | details → |
| ZT.25415 | AI Gateway protects enterprise generative AI applications from prompt injection attacks | Ga Secure Access | Zero Trust | High | Skipped | details → |
| ZT.21867 | Enterprise applications with high privilege Microsoft Graph API permissions have owners | En Entra | Zero Trust | High | Failing | details → |
| ZT.25379 | Conditional Access policies use compliant network controls | Ga Secure Access | Zero Trust | Medium | Failing | details → |
| ZT.35007 | Information Rights Management is enabled in SharePoint Online | Pv Purview | Zero Trust | Low | Skipped | details → |
| ZT.35014 | Email label inheritance from attachments configured | Pv Purview | Zero Trust | Medium | Failing | details → |
| ZT.24546 | Windows Automatic Enrollment is enabled | In Intune | Zero Trust | High | Passing | details → |
| ZT.35035 | Named Entity SITs Usage in Auto-Labeling and DLP Policies | Pv Purview | Zero Trust | High | Passing | details → |
| ZT.0354476c-a12a-4fcc-a79d-f0ab7ffffdbb | Guest accounts with write permissions on Azure resources should be removed | Az Azure | Zero Trust | High | Passing | details → |
| ZT.21797 | Restrict access to high risk users | En Entra | Zero Trust | High | Failing | details → |
No controls match these filters.