
Entra ID Security Config Analyzer

Official / Regulatory

Microsoft Entra ID security configuration checks maintained by the identity security community with Microsoft endorsement.


Controls: 50
Auto-remediable: 45
Domains: 1 (Entra ID: 50 controls)

Each entry below lists the control ID and title, its severity, whether the analyzer can remediate it automatically, and the framework mappings it carries.

EIDSCA-AF01: Authentication Method - FIDO2 security key - State.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AF01, 405D 3.M.C

EIDSCA-AF02: Authentication Method - FIDO2 security key - Allow self-service set up.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AF02, 405D 3.M.C

EIDSCA-AF03: Authentication Method - FIDO2 security key - Enforce attestation.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AF03, 405D 3.M.C

EIDSCA-AF04: Authentication Method - FIDO2 security key - Enforce key restrictions.
Severity: high | Auto-remediable: no | Mappings: EIDSCA AF04, 405D 3.M.C

EIDSCA-AF05: Authentication Method - FIDO2 security key - Restricted.
Severity: high | Auto-remediable: no | Mappings: EIDSCA AF05, 405D 3.M.C

EIDSCA-AF06: Authentication Method - FIDO2 security key - Restrict specific keys.
Severity: medium | Auto-remediable: no | Mappings: EIDSCA AF06, 405D 3.M.C

EIDSCA-AG01: Authentication Method - General Settings - Manage migration.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AG01

EIDSCA-AG02: Authentication Method - General Settings - Report suspicious activity - State.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AG02

EIDSCA-AG03: Authentication Method - General Settings - Report suspicious activity - Included users/groups.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AG03

EIDSCA-AM01: Authentication Method - Microsoft Authenticator - State.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AM01

EIDSCA-AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM02

EIDSCA-AM03: Authentication Method - Microsoft Authenticator - Require number matching for push notifications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM03

EIDSCA-AM04: Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM04

EIDSCA-AM06: Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM06

EIDSCA-AM07: Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM07

EIDSCA-AM09: Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM09

EIDSCA-AM10: Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AM10

EIDSCA-AP01: Microsoft Authenticator enabled
Severity: high | Auto-remediable: yes | Mappings: CIS 6.1, NIST IA-2, SOC2 CC6.1, ISO27001 A.5.16, CSF PR.AC-1, CSF PR.AC-6, CSF PR.AC-7, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-AP04: Authenticator shows application name in notifications
Severity: medium | Auto-remediable: yes | Mappings: NIST IA-2(6), SOC2 CC6.1, ISO27001 A.8.5, GDPR Art.32

EIDSCA-AP05: Authenticator shows geographic location in notifications
Severity: medium | Auto-remediable: yes | Mappings: NIST IA-2(6), SOC2 CC6.1, ISO27001 A.8.5, GDPR Art.32

EIDSCA-AP06: Default Authorization Settings - User can join the tenant by email validation.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AP06

EIDSCA-AP07: Temporary Access Pass enabled for emergency access
Severity: medium | Auto-remediable: yes | Mappings: NIST IA-5(1), SOC2 CC6.1, ISO27001 A.8.5, GDPR Art.32, 405D 3.M.C

EIDSCA-AP08: Default Authorization Settings - User consent policy assigned for applications.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA AP08

EIDSCA-AP09: Email OTP enabled for guest users
Severity: low | Auto-remediable: yes | Mappings: NIST IA-2, SOC2 CC6.1, ISO27001 A.5.16, CSF PR.AC-1, CSF PR.AC-6, CSF PR.AC-7, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-AP10: X.509 Certificate-based authentication enabled
Severity: low | Auto-remediable: yes | Mappings: NIST IA-2(12), SOC2 CC6.1, ISO27001 A.8.5, GDPR Art.32, 405D 3.M.C

EIDSCA-AP11: Software OATH tokens authentication method should be disabled
Severity: medium | Auto-remediable: yes | Mappings: NIST IA-2(2), SOC2 CC6.1

EIDSCA-AP14: Authenticator requires number matching for MFA
Severity: high | Auto-remediable: no | Mappings: CIS 6.1.2, NIST AC-1, NIST AC-2, NIST AC-2(1), NIST AU-12, NIST AU-2, NIST AU-7, NIST IA-2(6), ISO27001 A.5.1, ISO27001 A.5.15, ISO27001 A.5.16, ISO27001 A.5.18, ISO27001 A.5.2, ISO27001 A.5.31, ISO27001 A.5.36, ISO27001 A.5.37, ISO27001 A.5.4, ISO27001 A.8.15, ISO27001 A.8.2, CSF DE.CM-1, CSF DE.CM-3, CSF DE.CM-7, CSF PR.AC-3, CSF PR.AC-4, CSF PR.PT-1, CSF RS.AN-3, GDPR Art.24, GDPR Art.32, GDPR Art.33, GDPR Art.5(1)(f), SOC2 CC6.1, SOC2 CC7.2, 405D 3.M.D

EIDSCA-AS04: Authentication Method - SMS - Disable for sign-in.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AS04

EIDSCA-AT01: Authentication Method - Temporary Access Pass - State.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AT01, 405D 3.M.C

EIDSCA-AT02: Authentication Method - Temporary Access Pass - One-time.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AT02, 405D 3.M.C

EIDSCA-AV01: Authentication Method - Voice call - State.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA AV01

EIDSCA-CP01: Default Settings - Consent Policy Settings - Group owner consent for apps accessing data.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA CP01

EIDSCA-CP03: Default Settings - Consent Policy Settings - Block user consent for risky apps.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA CP03

EIDSCA-CP04: Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA CP04

EIDSCA-CR01: Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature.
Severity: high | Auto-remediable: yes | Mappings: EIDSCA CR01

EIDSCA-CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA CR02

EIDSCA-CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA CR03

EIDSCA-CR04: Consent Framework - Admin Consent Request - Consent request duration (days).
Severity: high | Auto-remediable: yes | Mappings: EIDSCA CR04

EIDSCA-PR01: Block MSOL PowerShell legacy protocol
Severity: medium | Auto-remediable: yes | Mappings: CISA MS.AAD.1.1, NIST AC-3, SOC2 CC6.1, ISO27001 A.5.15, ISO27001 A.5.33, ISO27001 A.8.18, ISO27001 A.8.20, ISO27001 A.8.26, ISO27001 A.8.3, ISO27001 A.8.4, CSF PR.AC-4, CSF PR.PT-3, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-PR02: Restrict users from registering applications
Severity: medium | Auto-remediable: yes | Mappings: CIS 2.1.2, SOC2 CC6.1, NIST AC-3, NIST AU-1, NIST AU-2, NIST SI-3, NIST SI-8, ISO27001 A.5.1, ISO27001 A.5.15, ISO27001 A.5.2, ISO27001 A.5.31, ISO27001 A.5.33, ISO27001 A.5.36, ISO27001 A.5.37, ISO27001 A.5.4, ISO27001 A.8.15, ISO27001 A.8.18, ISO27001 A.8.20, ISO27001 A.8.26, ISO27001 A.8.3, ISO27001 A.8.4, ISO27001 A.8.7, CSF DE.CM-4, CSF DE.DP-3, CSF PR.AC-4, CSF PR.PT-1, CSF PR.PT-3, GDPR Art.24, GDPR Art.32, GDPR Art.33, GDPR Art.5(1)(f)

EIDSCA-PR03: Block email-verified users from joining the tenant
Severity: medium | Auto-remediable: yes | Mappings: NIST AC-3, SOC2 CC6.1, ISO27001 A.5.15, ISO27001 A.5.33, ISO27001 A.8.18, ISO27001 A.8.20, ISO27001 A.8.26, ISO27001 A.8.3, ISO27001 A.8.4, CSF PR.AC-4, CSF PR.PT-3, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-PR04: Restrict guest invitations to admins only
Severity: medium | Auto-remediable: yes | Mappings: CISA MS.AAD.7.2, SOC2 CC6.1, NIST AC-5, ISO27001 A.5.3, CSF PR.AC-4, CSF PR.DS-5, GDPR Art.5(1)(f)

EIDSCA-PR05: Restrict users from creating security groups
Severity: low | Auto-remediable: yes | Mappings: NIST AC-3, SOC2 CC6.1, ISO27001 A.5.15, ISO27001 A.5.33, ISO27001 A.8.18, ISO27001 A.8.20, ISO27001 A.8.26, ISO27001 A.8.3, ISO27001 A.8.4, CSF PR.AC-4, CSF PR.PT-3, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-PR06: Users cannot create tenants
Severity: medium | Auto-remediable: yes | Mappings: CIS 1.1.21, SOC2 CC6.1, ISO27001 A.8.2, GDPR Art.32

EIDSCA-PR07: Self-service password reset enabled
Severity: medium | Auto-remediable: yes | Mappings: CIS 1.1.22, NIST IA-5, ISO27001 A.5.16, ISO27001 A.5.17, CSF PR.AC-1, CSF PR.AC-6, CSF PR.AC-7, GDPR Art.32, GDPR Art.5(1)(f), SOC2 CC6.2, 405D 3.M.C

EIDSCA-PR08: Email-based subscription sign-up disabled
Severity: low | Auto-remediable: yes | Mappings: EIDSCA PR08, NIST AC-2, SOC2 CC6.1, ISO27001 A.5.16, ISO27001 A.5.18, ISO27001 A.8.2, CSF DE.CM-3, CSF PR.AC-4, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-PR09: BitLocker key self-service read restricted
Severity: medium | Auto-remediable: no | Mappings: EIDSCA PR09, NIST SC-12, ISO27001 A.8.24, GDPR Art.32, SOC2 CC6.1

EIDSCA-PR10: User consent for risky apps blocked
Severity: high | Auto-remediable: yes | Mappings: EIDSCA PR10, CISA MS.AAD.5.3, NIST AC-6, SOC2 CC6.1, ISO27001 A.5.15, ISO27001 A.8.18, ISO27001 A.8.2, CSF PR.AC-4, CSF PR.DS-5, GDPR Art.32, GDPR Art.5(1)(f)

EIDSCA-ST08: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA ST08

EIDSCA-ST09: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content.
Severity: medium | Auto-remediable: yes | Mappings: EIDSCA ST09