# Microsoft Entra ID Security Checks

All security checks Aether365 performs for Microsoft Entra ID.

| ID | Title | Severity | Framework |
|---|---|---|---|
| AE.1068 | Restrict non-admin users from creating tenants. | Medium | Other |
| AE.1069 | Restrict non-admin users from creating security groups. | Medium | Other |
| AE.1070 | Restrict device join to selected users/groups or none. | Medium | Other |
| AE.1077 | App registrations with privileged API permissions should have no owners | Medium | Other |
| AE.1078 | App registrations with highly privileged directory roles should not have owners | Medium | Other |
| AE.1079 | Privileged API permissions on service principals should not remain unused | Medium | Other |
| AE.1080 | Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints | Medium | Other |
| AE.1081 | Hybrid users should not be assigned Entra ID role assignments | Medium | Other |
| AE.1084 | Seamless Single Sign-On should be disabled for all domains on Entra ID Connect servers. | Medium | Other |
| AE.1085 | Pending approvals for Critical Asset Management should not be present | Medium | Other |
| AE.1090 | Global administrator role should not be added as local administrator on the device during Microsoft Entra join | Medium | Other |
| AE.1091 | Registering user should not be added as local administrator on the device during Microsoft Entra join | Medium | Other |
| AE.1106 | Catalog resources must have valid roles (no stale / removed app roles or SPNs) | Medium | Other |
| AE.1107 | Access packages and catalogs should not reference deleted groups | Medium | Other |
| AE.1108 | Access packages should not reference inactive or orphaned assignment policies | Medium | Other |
| AE.1109 | Access package approval workflows must have valid approvers | Medium | Other |
| AE.1110 | No catalog should contain resources without any associated access packages | Medium | Other |
| AE.1111 | Highly privileged users should be linked to an identity. | Medium | Other |
| AE.1112 | Privileged user accounts should not remain enabled when the linked primary account is disabled. | Medium | Other |
| CISA.MS.AAD.1.1 | Legacy authentication SHALL be blocked. | Medium | CIS |
| CISA.MS.AAD.2.1 | Users detected as high risk SHALL be blocked. | Medium | CIS |
| CISA.MS.AAD.2.2 | A notification SHOULD be sent to the administrator when high-risk users are detected. | Medium | CIS |
| CISA.MS.AAD.2.3 | Sign-ins detected as high risk SHALL be blocked. | Medium | CIS |
| CISA.MS.AAD.3.1 | Phishing-resistant MFA SHALL be enforced for all users. | Medium | CIS |
| CISA.MS.AAD.3.2 | If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | Medium | CIS |
| CISA.MS.AAD.3.3 | If Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | Medium | CIS |
| CISA.MS.AAD.3.4 | The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | Medium | CIS |
| CISA.MS.AAD.3.5 | The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | Medium | CIS |
| CISA.MS.AAD.3.6 | Phishing-resistant MFA SHALL be required for highly privileged roles. | Medium | CIS |
| CISA.MS.AAD.3.7 | Managed devices SHOULD be required for authentication. | Medium | CIS |
| CISA.MS.AAD.3.8 | Managed Devices SHOULD be required to register MFA. | Medium | CIS |
| CISA.MS.AAD.4.1 | Security logs SHALL be sent to the agency's security operations center for monitoring. | Medium | CIS |
| CISA.MS.AAD.5.1 | Only administrators SHALL be allowed to register applications. | Medium | CIS |
| CISA.MS.AAD.5.2 | Only administrators SHALL be allowed to consent to applications. | Medium | CIS |
| CISA.MS.AAD.5.3 | An admin consent workflow SHALL be configured for applications. | Medium | CIS |
| CISA.MS.AAD.5.4 | Group owners SHALL NOT be allowed to consent to applications. | Medium | CIS |
| CISA.MS.AAD.6.1 | User passwords SHALL NOT expire. | Medium | CIS |
| CISA.MS.AAD.7.1 | A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | Medium | CIS |
| CISA.MS.AAD.7.2 | Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | Medium | CIS |
| CISA.MS.AAD.7.3 | Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | Medium | CIS |
| CISA.MS.AAD.7.4 | Permanent active role assignments SHALL NOT be allowed for highly privileged roles. | Medium | CIS |
| CISA.MS.AAD.7.5 | Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. | Medium | CIS |
| CISA.MS.AAD.7.6 | Activation of the Global Administrator role SHALL require approval. | Medium | CIS |
| CISA.MS.AAD.7.7 | Eligible and Active highly privileged role assignments SHALL trigger an alert. | Medium | CIS |
| CISA.MS.AAD.7.8 | User activation of the Global Administrator role SHALL trigger an alert. | Medium | CIS |
| CISA.MS.AAD.7.9 | User activation of other highly privileged roles SHOULD trigger an alert. | Medium | CIS |
| CISA.MS.AAD.8.1 | Guest users SHOULD have limited or restricted access to Entra ID directory objects. | Medium | CIS |
| CISA.MS.AAD.8.2 | Only users with the Guest Inviter role SHOULD be able to invite guest users. | Medium | CIS |
| CISA.MS.AAD.8.3 | Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | Medium | CIS |
| EIDSCA.AF01 | Authentication Method - FIDO2 security key - State | Medium | EIDSCA |
| EIDSCA.AF02 | Authentication Method - FIDO2 security key - Allow self-service set up | Medium | EIDSCA |
| EIDSCA.AF03 | Authentication Method - FIDO2 security key - Enforce attestation | Medium | EIDSCA |
| EIDSCA.AF04 | Authentication Method - FIDO2 security key - Enforce key restrictions | Medium | EIDSCA |
| EIDSCA.AF05 | Authentication Method - FIDO2 security key - Restricted | Medium | EIDSCA |
| EIDSCA.AF06 | Authentication Method - FIDO2 security key - Restrict specific keys | Medium | EIDSCA |
| EIDSCA.AG01 | Authentication Method - General Settings - Manage migration | Medium | EIDSCA |
| EIDSCA.AG02 | Authentication Method - General Settings - Report suspicious activity - State | Medium | EIDSCA |
| EIDSCA.AG03 | Authentication Method - General Settings - Report suspicious activity - Included users/groups | Medium | EIDSCA |
| EIDSCA.AM01 | Authentication Method - Microsoft Authenticator - State | Medium | EIDSCA |
| EIDSCA.AM02 | Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP | Medium | EIDSCA |
| EIDSCA.AM03 | Authentication Method - Microsoft Authenticator - Require number matching for push notifications | Medium | EIDSCA |
| EIDSCA.AM04 | Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications | Medium | EIDSCA |
| EIDSCA.AM06 | Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications | Medium | EIDSCA |
| EIDSCA.AM07 | Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications | Medium | EIDSCA |
| EIDSCA.AM09 | Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications | Medium | EIDSCA |
| EIDSCA.AM10 | Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications | Medium | EIDSCA |
| EIDSCA.AP01 | Default Authorization Settings - Enabled Self service password reset for administrators | Medium | EIDSCA |
| EIDSCA.AP04 | Default Authorization Settings - Guest invite restrictions | Medium | EIDSCA |
| EIDSCA.AP05 | Default Authorization Settings - Sign-up for email based subscription | Medium | EIDSCA |
| EIDSCA.AP06 | Default Authorization Settings - User can join the tenant by email validation | Medium | EIDSCA |
| EIDSCA.AP07 | Default Authorization Settings - Guest user access | Medium | EIDSCA |
| EIDSCA.AP08 | Default Authorization Settings - User consent policy assigned for applications | Medium | EIDSCA |
| EIDSCA.AP09 | Default Authorization Settings - Allow user consent on risk-based apps | Medium | EIDSCA |
| EIDSCA.AP10 | Default Authorization Settings - Default User Role Permissions - Allowed to create Apps | Medium | EIDSCA |
| EIDSCA.AP14 | Default Authorization Settings - Default User Role Permissions - Allowed to read other users | Medium | EIDSCA |
| EIDSCA.AS04 | Authentication Method - SMS - Use for sign-in | Medium | EIDSCA |
| EIDSCA.AT01 | Authentication Method - Temporary Access Pass - State | Medium | EIDSCA |
| EIDSCA.AT02 | Authentication Method - Temporary Access Pass - One-time | Medium | EIDSCA |
| EIDSCA.AV01 | Authentication Method - Voice call - State | Medium | EIDSCA |
| EIDSCA.CP01 | Default Settings - Consent Policy Settings - Group owner consent for apps accessing data | Medium | EIDSCA |
| EIDSCA.CP03 | Default Settings - Consent Policy Settings - Block user consent for risky apps | Medium | EIDSCA |
| EIDSCA.CP04 | Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to | Medium | EIDSCA |
| EIDSCA.CR01 | Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature | Medium | EIDSCA |
| EIDSCA.CR02 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests | Medium | EIDSCA |
| EIDSCA.CR03 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire | Medium | EIDSCA |
| EIDSCA.CR04 | Consent Framework - Admin Consent Request - Consent request duration (days) | Medium | EIDSCA |
| EIDSCA.PR01 | Default Settings - Password Rule Settings - Password Protection - Mode | Medium | EIDSCA |
| EIDSCA.PR02 | Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory | Medium | EIDSCA |
| EIDSCA.PR03 | Default Settings - Password Rule Settings - Enforce custom list | Medium | EIDSCA |
| EIDSCA.PR05 | Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds | Medium | EIDSCA |
| EIDSCA.PR06 | Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold | Medium | EIDSCA |
| EIDSCA.ST08 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner | Medium | EIDSCA |
| EIDSCA.ST09 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content | Medium | EIDSCA |
| ENTRA.1101 | Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1102 | Ensure 'User consent for applications' is set to 'Do not allow user consent' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1103 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1104 | Ensure the admin consent workflow is enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1106 | Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1107 | Ensure Multi-factor Authentication is Required for Azure Management | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1108 | Ensure multifactor authentication is enabled for all users in administrative roles | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1109 | Ensure Multi-factor Authentication is Required for Risky Sign-ins | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1110 | Ensure multifactor authentication is enabled for all users | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1111 | Ensure that an exclusionary Device code flow policy is considered | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1112 | Ensure that an exclusionary Geographic Access Policy is considered | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1113 | Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1114 | Ensure Trusted Locations Are Defined | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1115 | Enable Azure AD Identity Protection sign-in risk policies | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1116 | Enable Conditional Access policies to block legacy authentication | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1117 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1118 | Enable Identity Protection sign-in risk policies | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1119 | Enable Entra ID Identity Protection user risk policies | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1120 | Ensure that a phishing-resistant Multi-factor Authentication Policy Exists for High-Privileged Users | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1123 | Ensure 'LinkedIn account connections' is disabled | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1124 | Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1125 | Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1126 | Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1127 | Ensure that password hash sync is enabled for hybrid deployments | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1128 | Ensure approval is required for Global Administrator role activation | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1129 | Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1130 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1131 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1132 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1134 | Ensure that only organizationally managed/approved public groups exist | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1135 | Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1136 | Ensure that guest user access is restricted | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1137 | Ensure 'Access reviews' for Guest Users are configured | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1138 | Ensure Guest Users are reviewed at least biweekly | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1139 | Ensure fewer than ARG_0 users have global administrator assignment | Medium | CIS Microsoft 365 Foundations |
| ENTRA.1140 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1141 | Ensure administrative accounts use licenses with a reduced application footprint | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1142 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1143 | Ensure two emergency access accounts have been defined | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1144 | Ensure 'Access reviews' for high privileged Entra ID roles are configured | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1145 | Ensure Administrative accounts are separate and cloud-only | Medium | CIS Microsoft 365 Foundations |
| ENTRA.1146 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1147 | Ensure all member users are 'MFA capable' | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1148 | Ensure weak authentication methods are disabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1149 | Ensure 'Privileged Identity Management' is used to manage roles | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1150 | Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' | Low | CIS Microsoft Azure Foundations |
| ENTRA.1151 | Ensure that account 'Lockout Threshold' is less than or equal to '10' | Low | CIS Microsoft Azure Foundations |
| ENTRA.1153 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | Medium | CIS Microsoft 365 Foundations |
| ENTRA.1154 | Ensure the option to remain signed in is hidden | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1155 | Ensure password protection is enabled for on-prem Active Directory | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1156 | Ensure that collaboration invitations are sent to allowed domains only | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1157 | Ensure the Application Usage report is reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1158 | Ensure the Entra ID 'Risky sign-ins' report is reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1159 | Ensure the self-service password reset activity report is reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1160 | Ensure Security Defaults is enabled on Microsoft Entra ID | Medium | CIS Microsoft 365 Foundations |
| ENTRA.1161 | Ensure Security Defaults is enabled on Microsoft Entra ID | Medium | CIS Microsoft Azure Foundations Benchmark |
| ENTRA.1162 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1163 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1164 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1165 | Ensure that 'Number of days before users are asked to reconfirm their authentication information' is not set to '0' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1166 | Ensure That 'Number of methods required to reset' is set to '2' | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1167 | Ensure 'Self service password reset enabled' is set to 'All' | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1168 | Ensure 'Per-user MFA' is disabled | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1170 | Ensure administrative accounts use licenses with a reduced application footprint | Medium | CIS Microsoft Azure Foundations |
| ENTRA.1171 | Ensure 'User owned apps and services' is restricted | Low | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1173 | Ensure the device code sign-in flow is blocked | Medium | CIS Microsoft 365 Foundations Benchmark |
| ENTRA.1174 | Ensure approval is required for Privileged Role Administrator activation | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2197 | Ensure sign-in to shared mailboxes is blocked | Medium | CIS Microsoft Azure Foundations |