Maester Community Tests

At least one Conditional Access policy is configured with device compliance.

App management restrictions on applications and service principals is configured and enabled.

At least one Conditional Access policy is configured with All Apps.

At least one Conditional Access policy is configured with All Apps and All Users.

All Conditional Access policies are configured to exclude at least one emergency/break glass account or group.

At least one Conditional Access policy is configured to require MFA for admins.

At least one Conditional Access policy is configured to require MFA for all users.

At least one Conditional Access policy is configured to require MFA for Azure management.

At least one Conditional Access policy is configured to block other legacy authentication.

At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync.

At least one Conditional Access policy is configured to secure security info registration only from a trusted location.

At least one Conditional Access policy is configured to require MFA for risky sign-ins.

At least one Conditional Access policy is configured to require new password when user risk is high.

At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins.

At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms.

At least one Conditional Access policy is configured to require MFA for guest access.

At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices.

At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices.

At least one Conditional Access policy is configured to enable application enforced restrictions.

All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them.

Security Defaults are enabled.

All users utilizing a P1 license should be licensed.

All users utilizing a P2 license should be licensed.

No external user with permanent role assignment on Control Plane.

No hybrid user with permanent role assignment on Control Plane.

No Service Principal with Client Secret and permanent role assignment on Control Plane.

No user with mailbox and permanent role assignment on Control Plane.

Stale accounts are not assigned to privileged roles.

Eligible role assignments on Control Plane are in use by administrators.

Privileged role on Control Plane are managed by PIM only.

Limited number of Global Admins are assigned.

User should be blocked from using legacy authentication (<userPrincipalName>)

User should be blocked from using legacy authentication (<userPrincipalName>)

User should be blocked from using legacy authentication (<userPrincipalName>)

User should be blocked from using legacy authentication (<userPrincipalName>)

User should be blocked from using legacy authentication (<userPrincipalName>)

Emergency access users should not be blocked (<userPrincipalName>)

Emergency access users should not be blocked (<userPrincipalName>)

Emergency access users should not be blocked (<userPrincipalName>)

Emergency access users should not be blocked (<userPrincipalName>)

Emergency access users should not be blocked (<userPrincipalName>)

All security groups assigned to Conditional Access Policies should be protected by RMAU.

All excluded objects should have a fallback include in another policy.

Only users with Presenter role are allowed to present in Teams meetings

Conditional Access policies should not include or exclude deleted groups.

Ensure MailTips are enabled for end users

Ensure additional storage providers are restricted in Outlook on the web

Ensure users installing Outlook add-ins is not allowed

Restrict dial-in users from bypassing a meeting lobby

Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains

Ensure modern authentication for Exchange Online is enabled

Only invited users should be automatically admitted to Teams meetings

Restrict anonymous users from joining meetings

Restrict anonymous users from starting Teams meetings

Limit external participants from having control in a Teams meeting

Conditional Access policies for User Risk and Sign-in Risk should be configured separately.

Apps with high-risk permissions having a direct path to Global Admin

Apps with high-risk permissions having an indirect path to Global Admin

At least one Conditional Access policy is targeting the Device Code authentication flow.

Ensure intune device clean-up rule is configured

Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'

Microsoft 365 Group (and Team) creation should be restricted to approved users.

Ensure that no person has permanent access to all Azure subscriptions at the root scope

Ensure Microsoft 365 Group (and Team) expiration is configured to notify users.

Ensure Microsoft 365 Group (and Team) expiration is configured to auto-expire groups.

Microsoft Defender for Identity health issues should be resolved

Device registration MFA control conflicts with Conditional Access policies

Ensure Direct Send is set to be rejected

All app registration owners should have MFA registered

Management group creation should be limited to users with explicit write access

Soft Delete should be enabled on all Recovery Services Vaults

Conditional Access policies should not include or exclude deleted users, groups, or roles.

Authentication methods policies should not reference deleted groups.

Restrict non-admin users from creating tenants

Restrict non-admin users from creating security groups.

Restrict device join to selected users/groups or none.

At least one Conditional Access policy explicitly includes Azure DevOps.

Conditional access policies should not use the deprecated Approved Client App grant.

Soft- and hard-matching of synchronized objects should be blocked.

Mailboxes should not send outbound mails using the .onmicrosoft.com domain.

Third Party Entra Apps should only have explicitly assigned users instead of All Users.

MOERA SHOULD NOT be used for sent mail.

App registrations with privileged API permissions should not have owners

App registrations with highly privileged directory roles should not have owners

Privileged API permissions on service principals should not remain unused

Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints

Hybrid users should not be assigned Entra ID role assignments

Ensure Delicensing Resiliency is enabled

Seamless Single SignOn should be disabled for all domains in EntraID Connect servers.

Pending approvals for Critical Asset Management should not be present

Devices should not share both critical and non-critical user credentials.

Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVE's.

Devices with critical credentials should be protected by TPM.

Devices with critical credentials should be protected by Credential Guard.

Global administrator role should not be added as local administrator on the device during Microsoft Entra join

Registering user should not be added as local administrator on the device during Microsoft Entra join

Intune APNS certificate should be valid for more than 30 days

Apple Automated Device Enrollment Tokens should be valid for more than 30 days

Apple Volume Purchase Program Tokens should be valid for more than 30 days

Android Enterprise Account Connection should be healthy

Intune Multi Admin approval should be configured

Certificate Connectors should be healthy and running supported versions

Mobile Threat Defense Connectors should be healthy

Windows Diagnostic Data Processing should be enabled

Intune Audit Logs should be retained

Default Branding Profile should be customized

Windows Feature Update Policy Settings should not reference end of support builds

Intune RBAC groups should be protected by Restricted Management Administrative Units or Role Assignable groups

MDM Authority should be set to Microsoft Intune