Master Test
Test summary
Test | Status |
---|---|
CIS 1.1.1 (L1) Ensure Administrative accounts are separate and cloud-only | ![]() |
CIS 1.1.3 (L1) Ensure that between two and four global admins are designated | ![]() |
CIS 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist | ![]() |
CIS 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked | ![]() |
CIS 1.3.3 (L2) Ensure ‘External sharing’ of calendars is not available | ![]() |
CIS 1.3.6 (L2) Ensure the customer lockbox feature is enabled | ![]() |
CIS 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy) | ![]() |
CIS 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | ![]() |
CIS 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | ![]() |
CIS 2.1.4 (L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | ![]() |
CIS 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | ![]() |
CIS 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | ![]() |
CIS 2.1.7 (L1) Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | ![]() |
EIDSCA.AF01: Authentication Method - FIDO2 security key - State. | ![]() |
EIDSCA.AG01: Authentication Method - General Settings - Manage migration. | ![]() |
EIDSCA.AG02: Authentication Method - General Settings - Report suspicious activity - State. | ![]() |
EIDSCA.AG03: Authentication Method - General Settings - Report suspicious activity - Included users/groups. | ![]() |
EIDSCA.AM01: Authentication Method - Microsoft Authenticator - State. | ![]() |
EIDSCA.AP01: Default Authorization Settings - Enabled Self service password reset for administrators. | ![]() |
EIDSCA.AP04: Default Authorization Settings - Guest invite restrictions. | ![]() |
EIDSCA.AP05: Default Authorization Settings - Sign-up for email based subscription. | ![]() |
EIDSCA.AP06: Default Authorization Settings - User can join the tenant by email validation. | ![]() |
EIDSCA.AP07: Default Authorization Settings - Guest user access. | ![]() |
EIDSCA.AP08: Default Authorization Settings - User consent policy assigned for applications. | ![]() |
EIDSCA.AP09: Default Authorization Settings - Risk-based step-up consent. | ![]() |
EIDSCA.AP10: Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. | ![]() |
EIDSCA.AP14: Default Authorization Settings - Default User Role Permissions - Allowed to read other users. | ![]() |
EIDSCA.AT01: Authentication Method - Temporary Access Pass - State. | ![]() |
EIDSCA.AV01: Authentication Method - Voice call - State. | ![]() |
EIDSCA.CR01: Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. | ![]() |
EIDSCA.PR02: Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. | ![]() |
EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. | ![]() |
EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. | ![]() |
EIDSCA.ST08: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. | ![]() |
EIDSCA.ST09: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. | ![]() |
MS.AAD.1.1: Legacy authentication SHALL be blocked. | ![]() |
MS.AAD.2.1: Users detected as high risk SHALL be blocked. | ![]() |
MS.AAD.2.2: A notification SHOULD be sent to the administrator when high-risk users are detected. | ![]() |
MS.AAD.2.3: Sign-ins detected as high risk SHALL be blocked. | ![]() |
MS.AAD.3.1: Phishing-resistant MFA SHALL be enforced for all users. | ![]() |
MS.AAD.3.2: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | ![]() |
MS.AAD.3.3: If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | ![]() |
MS.AAD.3.4: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | ![]() |
MS.AAD.3.5: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | ![]() |
MS.AAD.3.6: Phishing-resistant MFA SHALL be required for highly privileged roles. | ![]() |
MS.AAD.3.7: Managed devices SHOULD be required for authentication. | ![]() |
MS.AAD.3.8: Managed Devices SHOULD be required to register MFA. | ![]() |
MS.AAD.4.1: Security logs SHALL be sent to the agency’s security operations center for monitoring. | ![]() |
MS.AAD.5.1: Only administrators SHALL be allowed to register applications. | ![]() |
MS.AAD.5.2: Only administrators SHALL be allowed to consent to applications. | ![]() |
MS.AAD.5.3: An admin consent workflow SHALL be configured for applications. | ![]() |
MS.AAD.5.4: Group owners SHALL NOT be allowed to consent to applications. | ![]() |
MS.AAD.6.1: User passwords SHALL NOT expire. | ![]() |
MS.AAD.7.1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | ![]() |
MS.AAD.7.2: Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | ![]() |
MS.AAD.7.3: Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | ![]() |
MS.AAD.7.4: Permanent active role assignments SHALL NOT be allowed for highly privileged roles. | ![]() |
MS.AAD.7.5: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. | ![]() |
MS.AAD.7.6: Activation of the Global Administrator role SHALL require approval. | ![]() |
MS.AAD.7.7: Eligible and Active highly privileged role assignments SHALL trigger an alert. | ![]() |
MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert. | ![]() |
MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert. | ![]() |
MS.AAD.8.1: Guest users SHOULD have limited or restricted access to Azure AD directory objects. | ![]() |
MS.AAD.8.2: Only users with the Guest Inviter role SHOULD be able to invite guest users. | ![]() |
MS.AAD.8.3: Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | ![]() |
MS.EXO.01.1: Automatic forwarding to external domains SHALL be disabled. | ![]() |
MS.EXO.02.1: A list of approved IP addresses for sending mail SHALL be maintained. | ![]() |
MS.EXO.02.2: An SPF policy SHALL be published for each domain, designating only these addresses as approved senders. | ![]() |
MS.EXO.03.1: DKIM SHOULD be enabled for all domains. | ![]() |
MS.EXO.04.1: A DMARC policy SHALL be published for every second-level domain. | ![]() |
MS.EXO.04.2: The DMARC message rejection option SHALL be p=reject. | ![]() |
MS.EXO.05.1: SMTP AUTH SHALL be disabled. | ![]() |
MS.EXO.06.1: Contact folders SHALL NOT be shared with all domains. | ![]() |
MS.EXO.06.2: Calendar details SHALL NOT be shared with all domains. | ![]() |
MS.EXO.07.1: External sender warnings SHALL be implemented. | ![]() |
MS.EXO.08.1: A DLP solution SHALL be used. | ![]() |
MS.EXO.08.2: The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | ![]() |
MS.EXO.08.4: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | ![]() |
MS.EXO.09.1: Emails SHALL be filtered by attachment file types. | ![]() |
MS.EXO.09.2: The attachment filter SHOULD attempt to determine the true file type and assess the file extension. | ![]() |
MS.EXO.09.3: Disallowed file types SHALL be determined and enforced. | ![]() |
MS.EXO.09.5: At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | ![]() |
MS.EXO.10.1: Emails SHALL be scanned for malware. | ![]() |
MS.EXO.10.2: Emails identified as containing malware SHALL be quarantined or dropped. | ![]() |
MS.EXO.10.3: Email scanning SHALL be capable of reviewing emails after delivery. | ![]() |
MS.EXO.11.1: Impersonation protection checks SHOULD be used. | ![]() |
MS.EXO.11.2: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. | ![]() |
MS.EXO.11.3: The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. | ![]() |
MS.EXO.12.1: IP allow lists SHOULD NOT be created. | ![]() |
MS.EXO.12.2: Safe lists SHOULD NOT be enabled. | ![]() |
MS.EXO.13.1: Mailbox auditing SHALL be enabled. | ![]() |
MS.EXO.14.1: A spam filter SHALL be enabled. | ![]() |
MS.EXO.14.2: Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. | ![]() |
MS.EXO.14.3: Allowed domains SHALL NOT be added to inbound anti-spam protection policies. | ![]() |
MS.EXO.15.1: URL comparison with a block-list SHOULD be enabled. | ![]() |
MS.EXO.15.2: Direct download links SHOULD be scanned for malware. | ![]() |
MS.EXO.15.3: User click tracking SHOULD be enabled. | ![]() |
MS.EXO.16.1: Alerts SHALL be enabled. | ![]() |
MS.EXO.17.1: Microsoft Purview Audit (Standard) logging SHALL be enabled. | ![]() |
MS.EXO.17.2: Microsoft Purview Audit (Premium) logging SHALL be enabled. | ![]() |
MS.EXO.17.3: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). | ![]() |
MS.SHAREPOINT.1.1: External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization. | ![]() |
MS.SHAREPOINT.1.3: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | ![]() |
MT.1001: At least one Conditional Access policy is configured with device compliance. | ![]() |
MT.1003: At least one Conditional Access policy is configured with All Apps. | ![]() |
MT.1004: At least one Conditional Access policy is configured with All Apps and All Users. | ![]() |
MT.1005: All Conditional Access policies are configured to exclude at least one emergency/break glass account or group. | ![]() |
MT.1006: At least one Conditional Access policy is configured to require MFA for admins. | ![]() |
MT.1007: At least one Conditional Access policy is configured to require MFA for all users. | ![]() |
MT.1008: At least one Conditional Access policy is configured to require MFA for Azure management. | ![]() |
MT.1009: At least one Conditional Access policy is configured to block other legacy authentication. | ![]() |
MT.1010: At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync. | ![]() |
MT.1011: At least one Conditional Access policy is configured to secure security info registration only from a trusted location. | ![]() |
MT.1012: At least one Conditional Access policy is configured to require MFA for risky sign-ins. | ![]() |
MT.1013: At least one Conditional Access policy is configured to require new password when user risk is high. | ![]() |
MT.1014: At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins. | ![]() |
MT.1015: At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms. | ![]() |
MT.1016: At least one Conditional Access policy is configured to require MFA for guest access. | ![]() |
MT.1017: At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices. | ![]() |
MT.1018: At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices. | ![]() |
MT.1019: At least one Conditional Access policy is configured to enable application enforced restrictions. | ![]() |
MT.1020: All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them. | ![]() |
MT.1022: All users utilizing a P1 license should be licensed. | ![]() |
MT.1023: All users utilizing a P2 license should be licensed. | ![]() |
MT.1024: Entra Recommendation - Remove unused applications. | ![]() |
MT.1024: Entra Recommendation - Remove unused credentials from applications. | ![]() |
MT.1024: Entra Recommendation - Renew expiring application credentials. | ![]() |
MT.1024: Entra Recommendation - Renew expiring service principal credentials. | ![]() |
MT.1024: Entra Recommendation - Do not allow users to grant consent to unreliable applications. | ![]() |
MT.1024: Entra Recommendation - Do not expire passwords. | ![]() |
MT.1024: Entra Recommendation - Enable password hash sync if hybrid. | ![]() |
MT.1024: Entra Recommendation - Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph. | ![]() |
MT.1024: Entra Recommendation - Use least privileged administrative roles. | ![]() |
MT.1024: Entra Recommendation - Enable self-service password reset. | ![]() |
MT.1024: Entra Recommendation - Protect your tenant with Insider Risk condition in Conditional Access policy. | ![]() |
MT.1024: Entra Recommendation - Designate more than one global admin. | ![]() |
MT.1025: No external user with permanent role assignment on Control Plane. | ![]() |
MT.1026: No hybrid user with permanent role assignment on Control Plane. | ![]() |
MT.1027: No Service Principal with Client Secret and permanent role assignment on Control Plane. | ![]() |
MT.1028: No user with mailbox and permanent role assignment on Control Plane. | ![]() |
MT.1029: Stale accounts are not assigned to privileged roles. | ![]() |
MT.1030: Eligible role assignments on Control Plane are in use by administrators. | ![]() |
MT.1031: Privileged role on Control Plane are managed by PIM only. | ![]() |
MT.1032: Limited number of Global Admins are assigned. | ![]() |
MT.1035: All security groups assigned to Conditional Access Policies should be protected by RMAU. | ![]() |
MT.1036: All excluded objects should have a fallback include in another policy. | ![]() |
MT.1038: Conditional Access policies should not include or exclude deleted groups. | ![]() |
CIS 1.3.1 (L1) Ensure the ‘Password expiration policy’ is set to ‘Set passwords to never expire (recommended)’ | |
EIDSCA.AF02: Authentication Method - FIDO2 security key - Allow self-service set up. | |
EIDSCA.AF03: Authentication Method - FIDO2 security key - Enforce attestation. | |
EIDSCA.AF04: Authentication Method - FIDO2 security key - Enforce key restrictions. | |
EIDSCA.AF05: Authentication Method - FIDO2 security key - Restricted. | |
EIDSCA.AF06: Authentication Method - FIDO2 security key - Restrict specific keys. | |
EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. | |
EIDSCA.AM03: Authentication Method - Microsoft Authenticator - Require number matching for push notifications. | |
EIDSCA.AM04: Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. | |
EIDSCA.AM06: Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. | |
EIDSCA.AM07: Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. | |
EIDSCA.AM09: Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. | |
EIDSCA.AM10: Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. | |
EIDSCA.AS04: Authentication Method - SMS - Use for sign-in. | |
EIDSCA.AT02: Authentication Method - Temporary Access Pass - One-time. | |
EIDSCA.CP01: Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. | |
EIDSCA.CP03: Default Settings - Consent Policy Settings - Block user consent for risky apps. | |
EIDSCA.CP04: Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. | |
EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. | |
EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. | |
EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). | |
EIDSCA.PR01: Default Settings - Password Rule Settings - Password Protection - Mode. | |
EIDSCA.PR03: Default Settings - Password Rule Settings - Enforce custom list. | |
MS.EXO.04.3: The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov. | |
MS.EXO.08.3: The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | |
MS.EXO.09.4: Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender’s Common Attachment Filter. | |
MS.EXO.14.4: If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. | |
MS.EXO.16.2: Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. | |
MT.1002: App management restrictions on applications and service principals is configured and enabled. | |
MT.1021: Security Defaults are enabled. | |
MT.1033: User should be blocked from using legacy authentication ( | ![]() |
MT.1033: User should be blocked from using legacy authentication ( | ![]() |
MT.1033: User should be blocked from using legacy authentication ( | ![]() |
MT.1033: User should be blocked from using legacy authentication ( | ![]() |
MT.1033: User should be blocked from using legacy authentication ( | ![]() |
MT.1037 Only users with Presenter role are allowed to present in Teams meetings | |
MT.1038 Only invited users should be automatically admitted to Teams meetings | |
MT.1039 Restrict anonymous users from joining meetings | |
MT.1040 Restrict anonymous users from starting Teams meetings | |
MT.1041 Limit external participants from having control in a Teams meeting | |
MT.1042 Restrict dial-in users from bypassing a meeting lobby | |
Test details
CIS 1.1.1 (L1) Ensure Administrative accounts are separate and cloud-only

Overview
1.1.1 (L1) Ensure Administrative accounts are separate and cloud-only
Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes.
Remediation action:
To create licensed, separate Administrative accounts for Administrative users:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Users and select Active users.
- Click Add a user.
- Fill out the appropriate fields for Name, user, etc.
- When prompted to assign licenses select as needed Microsoft Entra ID P1 or Microsoft Entra ID P2, then click Next.
- Under the Option settings screen you may choose from several types of Administrative access roles. Choose Admin center access followed by the appropriate role then click Next.
- Select Finish adding.
Related links
Test Results
Well done. Your tenant has no hybrid Global Administrators:
Display Name | Cloud Only |
---|---|
Joi Jons | ✅ Pass |
Tags: CIS 1.1.1, L1, CIS E3 Level 1, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisCloudAdmin.Tests.ps1
CIS 1.1.3 (L1) Ensure that between two and four global admins are designated

Overview
1.1.3 (L1) Ensure that between two and four global admins are designated
More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them.
Remediation action:
To correct the number of global tenant administrators:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Select Users > Active Users.
- In the Search field enter the name of the user to be made a Global Administrator.
- To create a new Global Admin:
- Select the user’s name.
- A window will appear to the right.
- Select Manage roles.
- Select Admin center access.
- Check Global Administrator.
- Click Save changes.
To remove Global Admins:
- Select User.
- Under Roles select Manage roles.
- De-Select the appropriate role.
- Click Save changes.
Related links
Test Results
Well done. Your tenant has two or more and four or fewer Global Administrators:
Tags: CIS 1.1.3, L1, CIS E3 Level 1, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisGlobalAdminCount.Tests.ps1
CIS 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist

Overview
1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist
Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns Microsoft 365 Groups.
Ensure that only organizationally managed and approved public groups exist.
Remediation action:
To ensure that only organizationally managed/approved public groups exist:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Teams & groups and select Active teams & groups.
- On the Active teams and groups page, select the name of the group that is public.
- On the group's popup page, select Settings.
- Under Privacy, select Private.
Related links
Test Results
Your tenant has 1 or more public 365 groups:
Display Name | Group Public |
---|---|
All Company | ❌ Fail |
Retail | ❌ Fail |
Digital Initiative Public Relations | ❌ Fail |
Mark 8 Project Team | ❌ Fail |
U.S. Sales | ❌ Fail |
Sample Team Site | ❌ Fail |
Results limited to 6 |
Tags: CIS 1.2.1, L2, CIS E3 Level 2, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCis365PublicGroup.Tests.ps1
CIS 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked

Overview
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
The intent of a shared mailbox is to only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox, allowing direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox.
Remediation action:
Block sign-in to shared mailboxes in the UI:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Teams & groups and select Shared mailboxes.
- Take note of all shared mailboxes.
- Click to expand Users and select Active users.
- Select a shared mailbox account to open its properties pane and then select Block sign-in.
- Check the box for Block this user from signing in.
- Repeat for any additional shared mailboxes.
Related links
Test Results
Well done. Your tenant has no shared mailboxes with sign-in enabled:
Display Name | Shared Mailbox |
---|---|
Tags: CIS 1.2.2, L1, CIS E3 Level 1, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisSharedMailboxSignIn.Tests.ps1
CIS 1.3.3 (L2) Ensure ‘External sharing’ of calendars is not available

Overview
1.3.3 (L2) Ensure ‘External sharing’ of calendars is not available
Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
Remediation action:
To remediate using the UI:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Settings and select Org settings.
- In the Services section click Calendar.
- Uncheck Let your users share their calendars with people outside of your organization who have Office 365 or Exchange.
- Click Save.
Related links
Test Results
Your tenant allows uncontrolled calendar sharing.
Policy Name | Test Result |
---|---|
Default Sharing Policy | ❌ Fail |
Tags: CIS 1.3.3, L2, CIS E3 Level 2, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisCalendarSharing.Tests.ps1
CIS 1.3.6 (L2) Ensure the customer lockbox feature is enabled

Overview
1.3.6 (L2) Ensure the customer lockbox feature is enabled
Customer Lockbox is a security feature that provides an additional layer of control and transparency to customer data in Microsoft 365. Enabling this feature protects organizational data against data spillage and exfiltration.
This test implementation checks the Exchange Online service only.
Remediation action:
To enable the Customer Lockbox feature:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Settings then select Org settings.
- Select Security & privacy tab.
- Click Customer lockbox.
- Check the box Require approval for all data access requests.
- Click Save.
Related links
Test Results
Your tenant does not have the customer lockbox enabled:
Customer Lockbox |
---|
❌ Fail |
Tags: CIS 1.3.6, L2, CIS E5 Level 2, CIS E5, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisCustomerLockBox.Tests.ps1
CIS 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy)

Overview
2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.
Remediation action:
To create a Safe Links policy:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Under Email & collaboration select Policies & rules.
- Select Threat policies then Safe Links.
- Click on +Create.
- Name the policy then click Next.
- In Domains select all valid domains for the organization and click Next.
- Ensure the following URL & click protection settings are defined:
  - Email:
    - Checked: On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.
    - Checked: Apply Safe Links to email messages sent within the organization.
    - Checked: Apply real-time URL scanning for suspicious links and links that point to files.
    - Checked: Wait for URL scanning to complete before delivering the message.
    - Unchecked: Do not rewrite URLs, do checks via Safe Links API only.
  - Teams:
    - Checked: On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.
  - Office 365 Apps:
    - Checked: On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.
  - Click protection settings:
    - Checked: Track user clicks.
    - Unchecked: Let users click through the original URL.
    - There is no recommendation for organization branding.
- Click Next twice and finally Submit.
Related links
Test Results
Your tenant's default Safe Links policy does not match CIS recommendations (https://security.microsoft.com/presetSecurityPolicies).
Check Name | Result |
---|---|
EnableSafeLinksForEmail | ✅ Pass |
EnableSafeLinksForTeams | ✅ Pass |
EnableSafeLinksForOffice | ✅ Pass |
TrackClicks | ✅ Pass |
AllowClickThrough | ❌ Fail |
ScanUrls | ✅ Pass |
EnableForInternalSenders | ❌ Fail |
DeliverMessageAfterScan | ✅ Pass |
DisableUrlRewrite | ✅ Pass |
Tags: CIS 2.1.1, L2, CIS E5 Level 2, CIS E5, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisSafeLink.Tests.ps1
CIS 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy)

Overview
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
Rationale: Blocking known malicious file types can help prevent malware-infested files from infecting a host.
Remediation action:
To enable the Common Attachment Types Filter:
- Navigate to Microsoft 365 Defender https://security.microsoft.com.
- Click to expand Email & collaboration select Policies & rules.
- On the Policies & rules page select Threat policies.
- Under Policies select Anti-malware and click on the Default (Default) policy.
- On the policy page that appears in the right-hand pane, scroll to the bottom, click on Edit protection settings, and check Enable the common attachments filter.
- Click Save.
Related links
Test Results
Well done. Your tenant's default malware filter policy has the common attachment file filter enabled (https://security.microsoft.com/presetSecurityPolicies).
Policy | Result |
---|---|
EnableFileFilter | ✅ Pass |
Tags: CIS 2.1.2, L1, CIS E3 Level 1, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisAttachmentFilter.Tests.ps1
CIS 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy)

Overview
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
Rationale: This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated.
Remediation action:
To enable notifications for internal users sending malware:
- Navigate to Microsoft 365 Defender https://security.microsoft.com.
- Click to expand E-mail & Collaboration select Policies & rules.
- On the Policies & rules page select Threat policies.
- Under Policies select Anti-malware.
- Click on the Default (Default) policy.
- Click on Edit protection settings and change the settings for Notify an admin about undelivered messages from internal senders to On and enter the email address of the administrator who should be notified under Administrator email address.
- Click Save.
Related links
Test Results
Your tenant's default anti-malware policy does not have the recommended internal malware notifications configured (https://security.microsoft.com/antimalwarev2).
Policy | Result |
---|---|
EnableInternalSenderAdminNotification | ❌ Fail |
InternalSenderAdminAddress | ✅ Pass |
Tags: CIS 2.1.3, L1, CIS E3 Level 1, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisInternalMalwareNotification.Tests.ps1
CIS 2.1.4 (L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy)

Overview
2.1.4 (L2) Ensure Safe Attachments policy is enabled
Rationale: Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user’s inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization’s network.
Remediation action:
To enable the Safe Attachments policy:
- Navigate to Microsoft 365 Defender https://security.microsoft.com.
- Click to expand E-mail & Collaboration select Policies & rules.
- On the Policies & rules page select Threat policies.
- Under Policies select Safe Attachments.
- Click + Create.
- Create a Policy Name and Description, and then click Next.
- Select all valid domains and click Next.
- Select Block.
- Quarantine policy is AdminOnlyAccessPolicy.
- Leave Enable redirect unchecked.
- Click Next and finally Submit.
Related links
Test Results
Well done. Your tenant's default Safe Attachments policy matches the CIS recommendations (https://security.microsoft.com/safeattachmentv2).
Check Name | Result |
---|---|
Enable | ✅ Pass |
Action | ✅ Pass |
QuarantineTag | ✅ Pass |
Tag: CIS 2.1.4
L2
CIS E5 Level 2
CIS E5
CIS
Security
All
CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisSafeAttachment.Tests.ps1
CIS 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled

Overview
2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
Description: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files.
Remediation action:
To enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams:
- Navigate to Microsoft 365 Defender https://security.microsoft.com
- Under Email & collaboration select Policies & rules
- Select Threat policies then Safe Attachments
- Click on Global settings
- Click to Enable Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
- Click to Enable Turn on Safe Documents for Office clients
- Click to Disable Allow people to click through Protected View even if Safe Documents identified the file as malicious
- Click Save.
Related links
Test Results
Your tenant does not have Safe Attachments for SharePoint, OneDrive, and Microsoft Teams enabled (https://security.microsoft.com/safeattachmentv2).
Check Name | Result |
---|---|
EnableATPForSPOTeamsODB | ❌ Fail |
EnableSafeDocs | ❌ Fail |
AllowSafeDocsOpen | ✅ Pass |
Tag: CIS 2.1.5
L2
CIS E5 Level 2
CIS E5
CIS
Security
All
CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisSafeAttachmentsAtpPolicy.Tests.ps1
CIS 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy)

Overview
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
Description: Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.
Remediation action:
To set the Exchange Online Spam Policies:
- Navigate to Microsoft 365 Defender https://security.microsoft.com
- Under Email & collaboration select Policies & rules
- Select Threat policies then Anti-spam
- Click on the Anti-spam outbound policy (default)
- Select Edit protection settings then under Notifications
- Check Send a copy of outbound messages that exceed these limits to these users and groups then enter the desired email addresses
- Check Notify these users and groups if a sender is blocked due to sending outbound spam then enter the desired email addresses.
- Click Save.
Related links
Test Results
Your tenant's default Exchange Online outbound spam policy is not set to notify administrators (https://security.microsoft.com/antispam).
Check Name | Result |
---|---|
BccSuspiciousOutboundMail | ❌ Fail |
NotifyOutboundSpam | ❌ Fail |
Tag: CIS 2.1.6
L1
CIS E3 Level 1
CIS E3
CIS
Security
All
CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisOutboundSpamFilterPolicy.Tests.ps1
CIS 2.1.7 (L1) Ensure that an anti-phishing policy has been created (Only Checks Default Policy)

Overview
2.1.7 (L1) Ensure that an anti-phishing policy has been created
Description: Set up anti-phishing policies to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks.
Remediation action:
To configure the default anti-phishing policy:
- Navigate to Microsoft 365 Defender https://security.microsoft.com
- Under Email & collaboration select Policies & rules
- Select Threat policies then Anti-Phishing
- Select the Office365 AntiPhish Default (Default) policy and click Edit protection settings
- Set the Phishing email threshold to at least 2 - Aggressive.
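The five CIS checks above (2.1.3 to 2.1.7) all compare properties of the default Defender for Office 365 policies with fixed values. The PowerShell below is an added example, not Maester's own test code: it evaluates those properties from the objects the Exchange Online cmdlets return and emits the same Check/Result rows the report shows. The policy objects are constructed samples shaped like the output of Get-MalwareFilterPolicy, Get-SafeAttachmentPolicy, Get-AtpPolicyForO365, Get-HostedOutboundSpamFilterPolicy and Get-AntiPhishPolicy; the address secops@contoso.example is a placeholder.

```powershell
function New-CisCheck {
    # Builds one row of the Check/Result table. $Expected is either a literal value or a
    # script block that receives the actual value and returns $true when the check passes.
    param($Control, $Check, $Actual, $Expected)
    $pass   = if ($Expected -is [scriptblock]) { & $Expected $Actual } else { $Actual -eq $Expected }
    $result = if ($pass) { 'Pass' } else { 'Fail' }
    [pscustomobject]@{ Control = $Control; Check = $Check; Actual = $Actual; Result = $result }
}

function Test-CisDefaultThreatPolicies {
    param(
        [Parameter(Mandatory)] $MalwarePolicy,        # Get-MalwareFilterPolicy -Identity Default
        [Parameter(Mandatory)] $SafeAttachmentPolicy, # Get-SafeAttachmentPolicy (your default policy)
        [Parameter(Mandatory)] $AtpPolicy,            # Get-AtpPolicyForO365
        [Parameter(Mandatory)] $OutboundSpamPolicy,   # Get-HostedOutboundSpamFilterPolicy -Identity Default
        [Parameter(Mandatory)] $AntiPhishPolicy       # Get-AntiPhishPolicy (your default policy)
    )
    # CIS 2.1.3: notify an admin when an internal sender sends malware, and have an address to notify.
    New-CisCheck 'CIS 2.1.3' 'EnableInternalSenderAdminNotification' $MalwarePolicy.EnableInternalSenderAdminNotification $true
    New-CisCheck 'CIS 2.1.3' 'InternalSenderAdminAddress' $MalwarePolicy.InternalSenderAdminAddress { -not [string]::IsNullOrWhiteSpace($args[0]) }
    # CIS 2.1.4: Safe Attachments on, blocking, quarantined for admin review only.
    New-CisCheck 'CIS 2.1.4' 'Enable'        $SafeAttachmentPolicy.Enable        $true
    New-CisCheck 'CIS 2.1.4' 'Action'        $SafeAttachmentPolicy.Action        'Block'
    New-CisCheck 'CIS 2.1.4' 'QuarantineTag' $SafeAttachmentPolicy.QuarantineTag 'AdminOnlyAccessPolicy'
    # CIS 2.1.5: global Safe Attachments / Safe Documents settings.
    New-CisCheck 'CIS 2.1.5' 'EnableATPForSPOTeamsODB' $AtpPolicy.EnableATPForSPOTeamsODB $true
    New-CisCheck 'CIS 2.1.5' 'EnableSafeDocs'          $AtpPolicy.EnableSafeDocs          $true
    New-CisCheck 'CIS 2.1.5' 'AllowSafeDocsOpen'       $AtpPolicy.AllowSafeDocsOpen       $false
    # CIS 2.1.6: outbound spam notifications.
    New-CisCheck 'CIS 2.1.6' 'BccSuspiciousOutboundMail' $OutboundSpamPolicy.BccSuspiciousOutboundMail $true
    New-CisCheck 'CIS 2.1.6' 'NotifyOutboundSpam'        $OutboundSpamPolicy.NotifyOutboundSpam        $true
    # CIS 2.1.7: default anti-phishing policy; threshold 2 (Aggressive) or higher.
    New-CisCheck 'CIS 2.1.7' 'Enabled'                             $AntiPhishPolicy.Enabled                             $true
    New-CisCheck 'CIS 2.1.7' 'EnableMailboxIntelligenceProtection' $AntiPhishPolicy.EnableMailboxIntelligenceProtection $true
    New-CisCheck 'CIS 2.1.7' 'EnableMailboxIntelligence'           $AntiPhishPolicy.EnableMailboxIntelligence           $true
    New-CisCheck 'CIS 2.1.7' 'EnableSpoofIntelligence'             $AntiPhishPolicy.EnableSpoofIntelligence             $true
    New-CisCheck 'CIS 2.1.7' 'PhishThresholdLevel'                 $AntiPhishPolicy.PhishThresholdLevel { $args[0] -ge 2 }
}

# Constructed sample objects shaped like the cmdlet output and matching the findings above
# (2.1.3 notification off but address set, 2.1.4 compliant, 2.1.5 to 2.1.7 not compliant).
$sample = @{
    MalwarePolicy        = [pscustomobject]@{ Identity = 'Default'; EnableInternalSenderAdminNotification = $false; InternalSenderAdminAddress = 'secops@contoso.example' }
    SafeAttachmentPolicy = [pscustomobject]@{ Identity = 'Default'; Enable = $true; Action = 'Block'; QuarantineTag = 'AdminOnlyAccessPolicy'; Redirect = $false }
    AtpPolicy            = [pscustomobject]@{ EnableATPForSPOTeamsODB = $false; EnableSafeDocs = $false; AllowSafeDocsOpen = $false }
    OutboundSpamPolicy   = [pscustomobject]@{ Identity = 'Default'; BccSuspiciousOutboundMail = $false; NotifyOutboundSpam = $false }
    AntiPhishPolicy      = [pscustomobject]@{ Identity = 'Office365 AntiPhish Default'; Enabled = $true; EnableMailboxIntelligenceProtection = $false
                                              EnableMailboxIntelligence = $true; EnableSpoofIntelligence = $true; PhishThresholdLevel = 1 }
}
Test-CisDefaultThreatPolicies @sample | Format-Table -AutoSize
```

Against a real tenant, run Connect-ExchangeOnline (ExchangeOnlineManagement module) and pass the real objects, for example -MalwarePolicy (Get-MalwareFilterPolicy -Identity Default) and -AntiPhishPolicy (Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default'). The Safe Attachments, Safe Documents and anti-phishing checks only apply with Defender for Office 365 licensing (the CIS E5 tags in this report). The same settings can be remediated from the shell with the matching Set- cmdlets, e.g. Set-MalwareFilterPolicy -Identity Default -EnableInternalSenderAdminNotification $true -InternalSenderAdminAddress secops@contoso.example, or Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -PhishThresholdLevel 2 -EnableMailboxIntelligenceProtection $true. Note that the report (and this example) only looks at the default policy; a custom policy with a higher priority can still override these values for the users it targets.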
Related links
Test Results
Your tenant's default anti-phishing policy does not match the CIS recommendations (https://security.microsoft.com/antiphishing).
Check Name | Result |
---|---|
Enabled | ✅ Pass |
EnableMailboxIntelligenceProtection | ❌ Fail |
EnableMailboxIntelligence | ✅ Pass |
EnableSpoofIntelligence | ✅ Pass |
PhishThresholdLevel | ❌ Fail |
Tag: CIS 2.1.7
L1
CIS E5 Level 1
CIS E5
CIS
Security
All
CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisSafeAntiPhishingPolicy.Tests.ps1
EIDSCA.AF01: Authentication Method - FIDO2 security key - State.

Overview
Whether FIDO2 security keys are enabled as an authentication method in the tenant.
FIDO2 security keys should be enabled: they are a phishing-resistant method and one of the methods that satisfies the built-in Phishing-resistant MFA authentication strength.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
.state -eq 'enabled'
Related links
- Open in Graph Explorer
- fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Your tenant is configured as disabled.
The recommended value is ’enabled’ for policies/authenticationMethodsPolicy/authenticationMethodConfigurations(‘Fido2’)
Learn more: https://maester.dev/docs/tests/EIDSCA.AF01
Tag: EIDSCA
Security
All
EIDSCA.AF01
Category: Authentication Method - FIDO2 security key
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AG01: Authentication Method - General Settings - Manage migration.

Overview
The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. On September 30th, 2025, the legacy multifactor authentication and self-service password reset policies will be deprecated and all authentication methods will be managed in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
.policyMigrationState -eq 'migrationComplete'
Related links
- Open in Graph Explorer
- Get authenticationMethodsPolicy - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as migrationInProgress.
The recommended value is ‘migrationComplete’ for policies/authenticationMethodsPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AG01
Tag: EIDSCA
Security
All
EIDSCA.AG01
Category: Authentication Method - General Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AG02: Authentication Method - General Settings - Report suspicious activity - State.

Overview
Allows users to report suspicious activities if they receive an authentication request that they did not initiate. This control is available when using the Microsoft Authenticator app and voice calls. Reporting suspicious activity will set the user’s risk to high. If the user is subject to risk-based Conditional Access policies, they may be blocked.
This integrates user-reported fraud attempts with Identity Protection: a user who reports an MFA prompt as suspicious is set to high user risk, so risk-based Conditional Access policies can limit that account's access, or self-service password reset (SSPR) can let the user remediate on their own.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
.reportSuspiciousActivitySettings.state -eq 'enabled'
Related links
- Open in Graph Explorer
- Get authenticationMethodsPolicy - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as default.
The recommended value is ’enabled’ for policies/authenticationMethodsPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AG02
Tag: EIDSCA
Security
All
EIDSCA.AG02
Category: Authentication Method - General Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AG03: Authentication Method - General Settings - Report suspicious activity - Included users/groups.

Overview
Object Id or scope of users which will be included to report suspicious activities if they receive an authentication request that they did not initiate.
Apply this feature to all users.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
.reportSuspiciousActivitySettings.includeTarget.id -eq 'all_users'
Related links
- Open in Graph Explorer
- Get authenticationMethodsPolicy - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Well done. The configuration in your tenant and recommended value is ‘all_users’ for policies/authenticationMethodsPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AG03
Tag: EIDSCA
Security
All
EIDSCA.AG03
Category: Authentication Method - General Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM01: Authentication Method - Microsoft Authenticator - State.

Overview
Whether the Microsoft Authenticator app is enabled as an authentication method in the tenant.
Microsoft Authenticator should be enabled: unlike voice call and SMS it supports number matching and can show application and location context for each prompt.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.state -eq 'enabled'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as disabled.
The recommended value is ’enabled’ for policies/authenticationMethodsPolicy/authenticationMethodConfigurations(‘MicrosoftAuthenticator’)
Learn more: https://maester.dev/docs/tests/EIDSCA.AM01
Tag: EIDSCA
Security
All
EIDSCA.AM01
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP01: Default Authorization Settings - Enabled Self service password reset for administrators.

Overview
Indicates whether administrators of the tenant can use Self-Service Password Reset (SSPR). The policy applies to certain critical roles in Microsoft Entra ID.
Administrators with sensitive roles should use phishing-resistant authentication methods only and should therefore not be able to reset their password using SSPR.
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowedToUseSSPR -eq 'false'
Related links
Test Results
Your tenant is configured as True.
The recommended value is ‘false’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP01
Tag: EIDSCA
Security
All
EIDSCA.AP01
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP04: Default Authorization Settings - Guest invite restrictions.

Overview
Controls who can invite guests to your directory to collaborate on resources secured by your Azure AD tenant, such as SharePoint sites or Azure resources.
CISA SCuBA 2.18: Only users with the Guest Inviter role SHOULD be able to invite guest users
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowInvitesFrom -in @('adminsAndGuestInviters','none')
Related links
- Open in Graph Explorer
- authorizationPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as everyone.
The recommended value is one of the following values @(‘adminsAndGuestInviters’,’none’) for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP04
Tag: EIDSCA
Security
All
EIDSCA.AP04
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP05: Default Authorization Settings - Sign-up for email based subscription.

Overview
Indicates whether users can sign up for email based subscriptions.
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowedToSignUpEmailBasedSubscriptions -eq 'false'
Related links
Test Results
Your tenant is configured as True.
The recommended value is ‘false’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP05
Tag: EIDSCA
Security
All
EIDSCA.AP05
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP06: Default Authorization Settings - User can join the tenant by email validation.

Overview
Controls whether users can join the tenant by email validation. To join, the user must have an email address in a domain which matches one of the verified domains in the tenant.
Self-service sign up for email-verified users - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowEmailVerifiedUsersToJoinOrganization -eq 'false'
Related links
Test Results
Well done. The configuration in your tenant and recommended value is ‘false’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP06
Tag: EIDSCA
Security
All
EIDSCA.AP06
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP07: Default Authorization Settings - Guest user access.

Overview
The role template ID of the directory role granted to guest users. The possible values are User (a0b1b346-4d3e-4e8b-98f8-753987be4970, the same access as members), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3, the default limited access) and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b, which additionally hides group memberships and other directory objects from guests).
CISA SCuBA 2.18: Guest users SHOULD have limited access to Azure AD directory objects.
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b'
Related links
- Open in Graph Explorer
- authorizationPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as 10dae51f-b6af-4016-8d66-8c2a99b929b3.
The recommended value is ‘2af84b1e-32c8-42b7-82bc-daa82404023b’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP07
Tag: EIDSCA
Security
All
EIDSCA.AP07
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP08: Default Authorization Settings - User consent policy assigned for applications.

Overview
Defines if user consent to apps is allowed, and if it is, which app consent policy (permissionGrantPolicy) governs the permissions.
Microsoft recommends allowing user consent only for apps from verified publishers and only for selected low-impact permissions (the microsoft-user-default-low policy). CISA SCuBA 2.7 is stricter: all non-admin users SHALL be prevented from providing consent to third-party applications.
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
Related links
- Open in Graph Explorer
- authorizationPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as ManagePermissionGrantsForSelf.microsoft-user-default-legacy.
The recommended value is ‘ManagePermissionGrantsForSelf.microsoft-user-default-low’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP08
Tag: EIDSCA
Security
All
EIDSCA.AP08
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP09: Default Authorization Settings - Risk-based step-up consent.

Overview
Indicates whether user consent for risky apps is allowed. For example, consent requests for newly registered multi-tenant apps that are not publisher verified and require non-basic permissions are considered risky.
Configure risk-based step-up consent - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowUserConsentForRiskyApps -eq 'false'
Related links
Test Results
Your tenant is configured as ****.
The recommended value is ‘false’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP09
Tag: EIDSCA
Security
All
EIDSCA.AP09
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP10: Default Authorization Settings - Default User Role Permissions - Allowed to create Apps.

Overview
Controls if non-admin users may register custom-developed applications for use within this directory.
CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party Applications
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.defaultUserRolePermissions.allowedToCreateApps -eq 'false'
Related links
- Open in Graph Explorer
- authorizationPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as True.
The recommended value is ‘false’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP10
Tag: EIDSCA
Security
All
EIDSCA.AP10
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AP14: Default Authorization Settings - Default User Role Permissions - Allowed to read other users.

Overview
Controls whether non-admins can read user information from the directory. This flag does not prevent reading user information in other Microsoft services such as Exchange Online.
Restricting this default permission for members has a significant impact on collaboration features and user lookup, which is why the recommended value here is true.
Test script
https://graph.microsoft.com/beta/policies/authorizationPolicy
.defaultUserRolePermissions.allowedToReadOtherUsers -eq 'true'
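The EIDSCA.AP01, AP04, AP05, AP06, AP07, AP08, AP09, AP10 and AP14 checks above all read the same Graph resource, policies/authorizationPolicy, and compare individual fields. The PowerShell below is an added example, not Maester's own test code: it evaluates one authorizationPolicy response against those checks and then builds the PATCH body that would correct the failing fields. The JSON is a constructed sample matching the findings in this report; against a real tenant, obtain it with Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy' -OutputType PSObject after Connect-MgGraph -Scopes Policy.Read.All.

```powershell
# Role template IDs that guestUserRoleId can hold (documented Entra values).
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'User (same access as members)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest User (limited access)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted Guest User'
}

function Test-EidscaAuthorizationPolicy {
    param([Parameter(Mandatory)]$Policy)   # object from GET /beta/policies/authorizationPolicy
    $perm = $Policy.defaultUserRolePermissions
    # AP08 keys off the lexically last assigned consent policy, as the report's test script does.
    # An empty list means user consent is disabled entirely (the CISA SCuBA 2.7 stance) and is accepted.
    $consent = @($Policy.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending)[0]
    $low = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
    $restrictedGuest = '2af84b1e-32c8-42b7-82bc-daa82404023b'

    $rows = @(
        @{ Id = 'AP01'; Setting = 'allowedToUseSSPR';                          Actual = $Policy.allowedToUseSSPR;                          Expected = $false }
        @{ Id = 'AP04'; Setting = 'allowInvitesFrom';                          Actual = $Policy.allowInvitesFrom;                          Expected = 'adminsAndGuestInviters'
           Pass = ($Policy.allowInvitesFrom -in 'adminsAndGuestInviters', 'none') }
        @{ Id = 'AP05'; Setting = 'allowedToSignUpEmailBasedSubscriptions';    Actual = $Policy.allowedToSignUpEmailBasedSubscriptions;    Expected = $false }
        @{ Id = 'AP06'; Setting = 'allowEmailVerifiedUsersToJoinOrganization'; Actual = $Policy.allowEmailVerifiedUsersToJoinOrganization; Expected = $false }
        @{ Id = 'AP07'; Setting = 'guestUserRoleId'; Expected = $restrictedGuest
           Actual = "$($Policy.guestUserRoleId) ($($GuestRoleNames[$Policy.guestUserRoleId]))"
           Pass = ($Policy.guestUserRoleId -eq $restrictedGuest) }
        @{ Id = 'AP08'; Setting = 'permissionGrantPolicyIdsAssignedToDefaultUserRole'; Actual = $consent; Expected = $low
           Pass = ($consent -eq $low -or $null -eq $consent) }
        # A null here means the tenant never set the value explicitly; it is reported as a failure.
        @{ Id = 'AP09'; Setting = 'allowUserConsentForRiskyApps';              Actual = $Policy.allowUserConsentForRiskyApps;              Expected = $false }
        @{ Id = 'AP10'; Setting = 'defaultUserRolePermissions.allowedToCreateApps';     Actual = $perm.allowedToCreateApps;     Expected = $false }
        @{ Id = 'AP14'; Setting = 'defaultUserRolePermissions.allowedToReadOtherUsers'; Actual = $perm.allowedToReadOtherUsers; Expected = $true }
    )
    foreach ($r in $rows) {
        if (-not $r.ContainsKey('Pass')) { $r.Pass = ($r.Actual -eq $r.Expected) }
        $result = if ($r.Pass) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{ Id = $r.Id; Setting = $r.Setting; Actual = $r.Actual; Expected = $r.Expected; Result = $result }
    }
}

function New-EidscaAuthorizationPolicyPatch {
    # Builds the body for PATCH /beta/policies/authorizationPolicy from the failing checks.
    param([Parameter(Mandatory)]$Policy)
    $body = @{}
    foreach ($f in (Test-EidscaAuthorizationPolicy -Policy $Policy | Where-Object Result -eq 'Fail')) {
        switch -Wildcard ($f.Setting) {
            'defaultUserRolePermissions.*' {
                if (-not $body.defaultUserRolePermissions) { $body.defaultUserRolePermissions = @{} }
                $body.defaultUserRolePermissions[$f.Setting.Split('.')[1]] = $f.Expected
            }
            'permissionGrantPolicyIdsAssignedToDefaultUserRole' {
                # PATCH replaces the whole collection, so keep any other assigned policies.
                $others = @($Policy.permissionGrantPolicyIdsAssignedToDefaultUserRole | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
                $body[$f.Setting] = @($others + $f.Expected)
            }
            default { $body[$f.Setting] = $f.Expected }
        }
    }
    $body
}

# Constructed sample matching the findings above (AP06 and AP14 pass, the rest fail).
$sampleJson = @'
{
  "allowInvitesFrom": "everyone",
  "allowedToSignUpEmailBasedSubscriptions": true,
  "allowedToUseSSPR": true,
  "allowEmailVerifiedUsersToJoinOrganization": false,
  "allowUserConsentForRiskyApps": null,
  "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
  "permissionGrantPolicyIdsAssignedToDefaultUserRole": [ "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" ],
  "defaultUserRolePermissions": { "allowedToCreateApps": true, "allowedToReadOtherUsers": true }
}
'@
$policy = $sampleJson | ConvertFrom-Json
Test-EidscaAuthorizationPolicy -Policy $policy | Format-Table -AutoSize
$patch = New-EidscaAuthorizationPolicyPatch -Policy $policy
$patch | ConvertTo-Json -Depth 5
```

To apply the patch, run Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy' -Body $patch with the Policy.ReadWrite.Authorization scope. Review the body first: allowedToUseSSPR = false removes SSPR from administrators, and the guest and consent changes affect every existing guest and every app that relies on user consent, so roll them out with the affected teams informed.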
Related links
Test Results
Well done. The configuration in your tenant and recommended value is ’true’ for policies/authorizationPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.AP14
Tag: EIDSCA
Security
All
EIDSCA.AP14
Category: Default Authorization Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AT01: Authentication Method - Temporary Access Pass - State.

Overview
Whether Temporary Access Pass is enabled in the tenant.
Use Temporary Access Pass to onboard users securely (replacing an initial password) and to satisfy a Conditional Access policy that requires MFA for registering security information.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')
.state -eq 'enabled'
Related links
- Open in Graph Explorer
- temporaryAccessPassAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Your tenant is configured as disabled.
The recommended value is ’enabled’ for policies/authenticationMethodsPolicy/authenticationMethodConfigurations(‘TemporaryAccessPass’)
Learn more: https://maester.dev/docs/tests/EIDSCA.AT01
Tag: EIDSCA
Security
All
EIDSCA.AT01
Category: Authentication Method - Temporary Access Pass
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AV01: Authentication Method - Voice call - State.

Overview
Whether voice call is enabled as an authentication method in the tenant.
Prefer authentication methods that support number matching (Microsoft Authenticator); voice calls cannot, and are exposed to SIM swapping and call interception.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Voice')
.state -eq 'disabled'
Related links
Test Results
Well done. The configuration in your tenant and recommended value is ‘disabled’ for policies/authenticationMethodsPolicy/authenticationMethodConfigurations(‘Voice’)
Learn more: https://maester.dev/docs/tests/EIDSCA.AV01
Tag: EIDSCA
Security
All
EIDSCA.AV01
Category: Authentication Method - Voice call
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CR01: Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature.

Overview
Defines whether the admin consent request feature is enabled or disabled. With it enabled, users who cannot consent to an app themselves can request admin consent instead of being blocked outright, which keeps restrictive consent settings workable.
Test script
https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
.isEnabled -eq 'true'
Related links
- Open in Graph Explorer
- adminConsentRequestPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as False.
The recommended value is ’true’ for policies/adminConsentRequestPolicy
Learn more: https://maester.dev/docs/tests/EIDSCA.CR01
Tag: EIDSCA
Security
All
EIDSCA.CR01
Category: Consent Framework - Admin Consent Request
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.PR02: Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory.

Overview
If set to Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed.
Azure identity & access security best practices - Microsoft Learn
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value -eq 'True'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is not configured explicitly.
The recommended value is ‘True’ for settings. Your tenant appears to be using Microsoft's default value. Set the value explicitly, because an unset value follows whatever Microsoft decides the current default should be.
Learn more: https://maester.dev/docs/tests/EIDSCA.PR02
Tag: EIDSCA
Security
All
EIDSCA.PR02
Category: Default Settings - Password Rule Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds.

Overview
The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases.
Prevent attacks using smart lockout - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge '60'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as 0.
The recommended value is greater than or equal to ‘60’ for settings
Learn more: https://maester.dev/docs/tests/EIDSCA.PR05
Tag: EIDSCA
Security
All
EIDSCA.PR05
Category: Default Settings - Password Rule Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold.

Overview
How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again.
Prevent attacks using smart lockout - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Your tenant is configured as 0.
The recommended value is ‘10’ for settings
Learn more: https://maester.dev/docs/tests/EIDSCA.PR06
Tag: EIDSCA
Security
All
EIDSCA.PR06
Category: Default Settings - Password Rule Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.ST08: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner.

Overview
Indicating whether or not a guest user can be an owner of groups, manage
CISA SCuBA 2.18: Guest users SHOULD have limited access to Azure AD directory objects
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value -eq 'false'
Related links
Test Results
Your tenant is not configured explicitly.
The recommended value is ‘false’ for settings. Your tenant appears to be using Microsoft's default value. Set the value explicitly, because an unset value follows whatever Microsoft decides the current default should be.
Learn more: https://maester.dev/docs/tests/EIDSCA.ST08
Tag: EIDSCA
Security
All
EIDSCA.ST08
Category: Default Settings - Classification and M365 Groups
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.ST09: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content.

Overview
Indicates whether or not a guest user can have access to Microsoft 365 groups content. This setting does not require an Azure Active Directory Premium P1 license.
Controls whether guest accounts can access resources through Microsoft 365 group membership; disabling it can break collaboration.
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value -eq 'True'
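The EIDSCA.PR02, PR05, PR06, ST08 and ST09 checks above all read the directorySetting collection at beta/settings, where each template (Password Rule Settings, Group.Unified) is one object holding name/value pairs, and every value is a string. The PowerShell below is an added example, not Maester's own test code: it looks values up by template ID and name, distinguishes a template that was never written (the "not configured explicitly" results above) from a real value, and casts before numeric comparison. The JSON is a constructed sample; against a real tenant, obtain it with Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/settings' -OutputType PSObject after Connect-MgGraph -Scopes Directory.Read.All.

```powershell
function Get-DirectorySettingValue {
    param(
        [Parameter(Mandatory)]$Settings,             # response of GET /beta/settings
        [Parameter(Mandatory)][string]$TemplateId,
        [Parameter(Mandatory)][string]$Name
    )
    # A template that has never been written has no directorySetting object at all.
    # Return $null in that case so the caller can tell "not configured" from a value.
    $setting = $Settings.value | Where-Object templateId -eq $TemplateId
    if (-not $setting) { return $null }
    ($setting.values | Where-Object name -eq $Name).value
}

function Test-EidscaDirectorySettings {
    param([Parameter(Mandatory)]$Settings)
    $passwordRules = '5cf42378-d67d-4f36-ba46-e8b86229381d'   # "Password Rule Settings" template
    $groupUnified  = '62375ab9-6b52-47ed-826b-58e47e0e304b'   # "Group.Unified" template
    # Values come back as strings, so cast before comparing: '120' -ge '60' is a string
    # comparison in PowerShell and evaluates to $false.
    $checks = @(
        @{ Id = 'PR02'; Template = $passwordRules; Name = 'EnableBannedPasswordCheckOnPremises'; Expected = 'True';  Test = { param($v) [bool]::Parse($v) } }
        @{ Id = 'PR05'; Template = $passwordRules; Name = 'LockoutDurationInSeconds';            Expected = '>= 60'; Test = { param($v) [int]$v -ge 60 } }
        @{ Id = 'PR06'; Template = $passwordRules; Name = 'LockoutThreshold';                    Expected = '10';    Test = { param($v) [int]$v -eq 10 } }
        @{ Id = 'ST08'; Template = $groupUnified;  Name = 'AllowGuestsToBeGroupOwner';           Expected = 'false'; Test = { param($v) -not [bool]::Parse($v) } }
        @{ Id = 'ST09'; Template = $groupUnified;  Name = 'AllowGuestsToAccessGroups';           Expected = 'True';  Test = { param($v) [bool]::Parse($v) } }
    )
    foreach ($c in $checks) {
        $actual = Get-DirectorySettingValue -Settings $Settings -TemplateId $c.Template -Name $c.Name
        $result = if ($null -eq $actual) { 'NotConfigured' } elseif (& $c.Test $actual) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{ Id = $c.Id; Setting = $c.Name; Actual = $actual; Expected = $c.Expected; Result = $result }
    }
}

# Constructed sample: Password Rule Settings has been written explicitly, Group.Unified never has,
# so ST08 and ST09 come back as NotConfigured rather than Pass or Fail.
$sampleJson = @'
{
  "value": [
    {
      "id": "00000000-0000-0000-0000-000000000001",
      "displayName": "Password Rule Settings",
      "templateId": "5cf42378-d67d-4f36-ba46-e8b86229381d",
      "values": [
        { "name": "BannedPasswordCheckOnPremisesMode", "value": "Audit" },
        { "name": "EnableBannedPasswordCheckOnPremises", "value": "True" },
        { "name": "EnableBannedPasswordCheck", "value": "True" },
        { "name": "LockoutDurationInSeconds", "value": "120" },
        { "name": "LockoutThreshold", "value": "10" },
        { "name": "BannedPasswordList", "value": "" }
      ]
    }
  ]
}
'@
Test-EidscaDirectorySettings -Settings ($sampleJson | ConvertFrom-Json) | Format-Table -AutoSize
```

To pin a NotConfigured template, create its directorySetting with POST /beta/settings and a body of the form { "templateId": "62375ab9-6b52-47ed-826b-58e47e0e304b", "values": [ { "name": "AllowGuestsToBeGroupOwner", "value": "false" }, { "name": "AllowGuestsToAccessGroups", "value": "true" } ] } (Directory.ReadWrite.All); GET /beta/directorySettingTemplates lists every template with its default values, and an existing object is changed with PATCH /beta/settings/{id}. Note that PR02 only has an effect once the Microsoft Entra Password Protection proxy and DC agents are deployed on-premises.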
Related links
Test Results
Your tenant is not configured explicitly.
The recommended value is ‘True’ for settings. Your tenant appears to be using Microsoft's default value. Set the value explicitly, because an unset value follows whatever Microsoft decides the current default should be.
Learn more: https://maester.dev/docs/tests/EIDSCA.ST09
Tag: EIDSCA
Security
All
EIDSCA.ST09
Category: Default Settings - Classification and M365 Groups
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
MS.AAD.1.1: Legacy authentication SHALL be blocked.

Overview
Legacy authentication SHALL be blocked.
Rationale: The security risk of allowing legacy authentication protocols is they do not support MFA. Blocking legacy protocols reduces the impact of user credential theft.
Remediation action:
Follow the guide below to create a conditional access policy that blocks legacy authentication.
Related links
Test Results
Your tenant does not have any conditional access policies that block legacy authentication.
Tag: MS.AAD
MS.AAD.1.1
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaBlockLegacyAuth.Tests.ps1
MS.AAD.2.1: Users detected as high risk SHALL be blocked.

Overview
Users detected as high risk SHALL be blocked.
Rationale: Blocking high-risk users prevents accounts that Identity Protection has assessed as likely compromised from accessing the tenant.
Remediation action:
Create a conditional access policy blocking users categorized as high risk by the Identity Protection service. Configure the following policy settings in the new conditional access policy as per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Conditions > User risk > High
- Access controls > Grant > Block Access
Note: While CISA recommends blocking, the Microsoft recommendation is to require multi-factor authentication for high-risk users.
Related links
Test Results
Your tenant does not have any conditional access policies that block high risk users.
Tag: MS.AAD
MS.AAD.2.1
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaBlockHighRiskUsers.Tests.ps1
MS.AAD.2.2: A notification SHOULD be sent to the administrator when high-risk users are detected.

Overview
A notification SHOULD be sent to the administrator when high-risk users are detected.
Rationale: Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur.
Remediation action:
Follow the guide below to configure Entra ID Protection to send a regularly monitored security mailbox email notification when user accounts are determined to be high risk.
Related links
Test Results
Well done. Your tenant has one or more recipients for notifications of risky user logins:
Tag: MS.AAD
MS.AAD.2.2
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaNotifyHighRiskUsers.Tests.ps1
MS.AAD.2.3: Sign-ins detected as high risk SHALL be blocked.

Overview
Sign-ins detected as high risk SHALL be blocked.
Rationale: Blocking high-risk sign-ins prevents sessions that Identity Protection has assessed as likely compromised from accessing the tenant.
Remediation action:
Create a Conditional Access policy blocking sign-ins determined high risk by the Identity Protection service. Configure the following policy settings in the new Conditional Access policy as per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Conditions > Sign-in risk > High
- Access controls > Grant > Block Access
Note: While CISA recommends blocking, the Microsoft recommendation is to require multi-factor authentication for high-risk sign-ins.
Related links
Test Results
Your tenant does not have any conditional access policies that block high risk sign-ins.
Tag: MS.AAD
MS.AAD.2.3
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaBlockHighRiskSignIns.Tests.ps1
MS.AAD.3.1: Phishing-resistant MFA SHALL be enforced for all users.

Overview
Phishing-resistant MFA SHALL be enforced for all users.
Rationale: Weaker forms of MFA do not protect against sophisticated phishing attacks. By enforcing methods resistant to phishing, those risks are minimized.
Remediation action:
Create a conditional access policy enforcing phishing-resistant MFA for all users. Configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require authentication strength > Phishing-resistant MFA
Related links
Test Results
Your tenant does not have any conditional access policies that require Phishing Resistant Authentication Strengths.
Tag: MS.AAD
MS.AAD.3.1
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaPhishResistant.Tests.ps1
MS.AAD.3.2: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.

Overview
If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.
Rationale: This is a stopgap security policy to help protect the tenant if phishing-resistant MFA has not been enforced. This policy requires MFA enforcement, thus reducing single-form authentication risk.
Remediation action:
If phishing-resistant MFA has not been enforced for all users yet, create a conditional access policy that enforces MFA but does not dictate MFA method. Configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require multifactor authentication
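MS.AAD.1.1, 2.1, 2.3, 3.1 and 3.2 above are all satisfied by a Conditional Access policy with a particular shape: enforced (not report-only), scoped to All users and All cloud apps, with the right condition and grant control. The PowerShell below is an added example, not Maester's own test code: it evaluates a list of policies from GET /v1.0/identity/conditionalAccess/policies against those five shapes and names the policy that satisfies each one. The policies are a constructed sample built to show two common ways a policy looks right but does not count: a legacy-auth block left in report-only mode and a high-risk block piloted on a group; the object IDs in angle brackets are placeholders. Against a real tenant, obtain the list with Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -OutputType PSObject after Connect-MgGraph -Scopes Policy.Read.All and pass its .value.

```powershell
function Test-CaTargetsEveryone {
    # An enforced policy scoped to All users and All cloud apps. Report-only policies
    # (enabledForReportingButNotEnforced) do not count, and neither does a group pilot.
    param([Parameter(Mandatory)]$Policy)
    ($Policy.state -eq 'enabled') -and
    ('All' -in @($Policy.conditions.users.includeUsers)) -and
    ('All' -in @($Policy.conditions.applications.includeApplications))
}

function Test-CisaConditionalAccess {
    param([Parameter(Mandatory)][object[]]$Policies)
    $phishingResistant = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" strength
    $baseline = @(
        @{ Id = 'MS.AAD.1.1'; Check = 'Block legacy authentication'; Match = { param($p)
            ('block' -in @($p.grantControls.builtInControls)) -and
            ('exchangeActiveSync' -in @($p.conditions.clientAppTypes)) -and ('other' -in @($p.conditions.clientAppTypes)) } }
        @{ Id = 'MS.AAD.2.1'; Check = 'Block high-risk users'; Match = { param($p)
            ('block' -in @($p.grantControls.builtInControls)) -and ('high' -in @($p.conditions.userRiskLevels)) } }
        @{ Id = 'MS.AAD.2.3'; Check = 'Block high-risk sign-ins'; Match = { param($p)
            ('block' -in @($p.grantControls.builtInControls)) -and ('high' -in @($p.conditions.signInRiskLevels)) } }
        @{ Id = 'MS.AAD.3.1'; Check = 'Require phishing-resistant MFA'; Match = { param($p)
            $p.grantControls.authenticationStrength.id -eq $phishingResistant } }
        @{ Id = 'MS.AAD.3.2'; Check = 'Require MFA (any method)'; Match = { param($p)
            ('mfa' -in @($p.grantControls.builtInControls)) -or ($null -ne $p.grantControls.authenticationStrength) } }
    )
    foreach ($b in $baseline) {
        $hits = @($Policies | Where-Object { (Test-CaTargetsEveryone $_) -and (& $b.Match $_) })
        $result = if ($hits.Count -gt 0) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{ Id = $b.Id; Check = $b.Check; Result = $result; Policies = ($hits.displayName -join '; ') }
    }
}

# Constructed sample: only MS.AAD.3.2 passes. The legacy-auth block is report-only and the
# high-risk block is scoped to a pilot group, so neither satisfies its check.
$sampleJson = @'
[
  { "displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
    "conditions": { "users": { "includeUsers": ["All"] }, "applications": { "includeApplications": ["All"] },
                    "clientAppTypes": ["exchangeActiveSync", "other"] },
    "grantControls": { "operator": "OR", "builtInControls": ["block"] } },
  { "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": ["<break-glass-account-object-id>"] },
                    "applications": { "includeApplications": ["All"] }, "clientAppTypes": ["all"] },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null } },
  { "displayName": "Block high-risk users (pilot group)", "state": "enabled",
    "conditions": { "users": { "includeUsers": [], "includeGroups": ["<pilot-group-object-id>"] },
                    "applications": { "includeApplications": ["All"] }, "userRiskLevels": ["high"] },
    "grantControls": { "operator": "OR", "builtInControls": ["block"] } }
]
'@
Test-CisaConditionalAccess -Policies ($sampleJson | ConvertFrom-Json) | Format-Table -AutoSize
```

The example does not inspect exclusions: excluding one or two break-glass accounts is expected practice, but a policy that excludes a large group still matches here while leaving those users unprotected, so review excludeUsers and excludeGroups on any policy the function reports as a hit.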
Related links
Test Results
Your tenant does not have any conditional access policies that require MFA.
Tag: MS.AAD
MS.AAD.3.2
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaMfa.Tests.ps1
MS.AAD.3.3: If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.

Overview
If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
Rationale: This stopgap security policy helps protect the tenant when phishing-resistant MFA has not been enforced and Microsoft Authenticator is used. This policy helps improve the security of Microsoft Authenticator by showing user context information, which helps reduce MFA phishing compromises.
Remediation action:
If phishing-resistant MFA has not been deployed yet and Microsoft Authenticator is in use, configure Authenticator to display context information to users when they log in.
- In Azure Active Directory, click Security > Authentication methods > Microsoft Authenticator.
- Click the Configure tab.
- For Allow use of Microsoft Authenticator OTP select No.
- Under Show application name in push and passwordless notifications select Status > Enabled and Target > Include > All users.
- Under Show geographic location in push and passwordless notifications select Status > Enabled and Target > Include > All users.
- Select Save.
Related links
Test Results
Your tenant does not have the Authentication Methods policy for Microsoft Authenticator set appropriately or migration to Authentication Methods is not complete.
Authentication Methods Migration Complete: ❌ Fail
Tag: MS.AAD
MS.AAD.3.3
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaAuthenticatorContext.Tests.ps1
MS.AAD.3.4: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.

Overview
The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.
Rationale: To disable the legacy authentication methods screen for the tenant, configure the Manage Migration feature to Migration Complete. The MFA and Self-Service Password Reset (SSPR) authentication methods are both managed from a central admin page, thereby reducing administrative complexity and potential security misconfigurations.
Remediation action:
- Go through the process of migrating from the legacy Azure AD MFA and Self-Service Password Reset (SSPR) administration pages to the new unified Authentication Methods policy page.
- Once ready to finish the migration, set the Manage Migration option to Migration Complete.
Related links
Test Results
Your tenant has not completed the migration to Authentication Methods.
Tag: MS.AAD
MS.AAD.3.4
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaMethodsMigration.Tests.ps1
MS.AAD.3.5: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.

Overview
The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.
Rationale: SMS, voice call, and email OTP are the weakest authenticators. This policy forces users to use stronger MFA methods.
Remediation action:
- In Azure Active Directory, click Security > Authentication methods
- Click on the SMS, Voice Call, and Email OTP authentication methods and disable each of them. Their statuses should be Enabled > No on the Authentication methods > Policies page.
Related links
- Entra admin portal - Authentication methods
- CISA Strong Authentication & Secure Registration - MS.AAD.3.5v1
- CISA ScubaGear Rego Reference
Test Results
One or more weak methods are enabled in your tenant, or migration to Authentication Methods is incomplete.
Authentication Methods Migration Complete: ❌ Fail
Authentication Method | State | Test Result |
---|---|---|
Sms | disabled | ✅ Pass |
Voice | disabled | ✅ Pass |
Email | enabled | ❌ Fail |
Tag: MS.AAD
MS.AAD.3.5
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaWeakFactor.Tests.ps1
MS.AAD.3.6: Phishing-resistant MFA SHALL be required for highly privileged roles.

Overview
Phishing-resistant MFA SHALL be required for highly privileged roles.
Rationale: This is a backup security policy to help protect privileged access to the tenant if the conditional access policy, which requires MFA for all users, is disabled or misconfigured.
Remediation action:
Create a conditional access policy enforcing phishing-resistant MFA for highly privileged roles. Configure the following policy settings in the new conditional access policy, per the values below:
- In Entra under Protection and Conditional Access, select Policies.
- Click on New policy
- Under New Conditional Access policy, configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > Select users and groups > Directory roles > select each of the roles in the Highly Privileged Roles list.
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require authentication strength > Phishing-resistant MFA
- Click Save.
Related links
- Entra admin center - Conditional Access | Policies
- CISA Strong Authentication & Secure Registration - MS.AAD.3.6v1
- CISA ScubaGear Rego Reference
- CISA ScubaGear Highly Privileged Roles
Test Results
Your tenant does not have any conditional access policies that require phishing resistant MFA for highly privileged users.
Tag: MS.AAD
MS.AAD.3.6
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaPrivilegedPhishResistant.Tests.ps1
MS.AAD.3.7: Managed devices SHOULD be required for authentication.

Overview
Managed devices SHOULD be required for authentication.
Rationale: The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency. OMB-22-09 states, “When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.”
Remediation action:
Create a conditional access policy requiring a user’s device to be either Microsoft Entra hybrid joined or compliant during authentication. Configure the following policy settings in the new conditional access policy, per the values below:
- In Entra under Protection and Conditional Access, select Policies.
- Click on New policy
- Under New Conditional Access policy, configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require device to be marked as compliant and Require Microsoft Entra hybrid joined device > For multiple controls > Require one of the selected controls
- Click Save.
Related links
- Entra admin center - Conditional Access | Policies
- CISA Strong Authentication & Secure Registration - MS.AAD.3.7v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have any conditional access policies that require managed devices.
Tag: MS.AAD
MS.AAD.3.7
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaManagedDevice.Tests.ps1
MS.AAD.3.8: Managed Devices SHOULD be required to register MFA.

Overview
Managed Devices SHOULD be required to register MFA.
Rationale: Reduce risk of an adversary using stolen user credentials and then registering their own MFA device to access the tenant by requiring a managed device provisioned and controlled by the agency to perform registration actions. This prevents the adversary from using their own unmanaged device to perform the registration.
Remediation action:
Create a conditional access policy requiring a user to be on a managed device when registering for MFA.
- In Entra under Protection and Conditional Access, select Policies.
- Click on New policy
- Under New Conditional Access policy, configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > All users
- Target resources > User actions > Register security information
- Access controls > Grant > Grant Access > Require device to be marked as compliant and Require Microsoft Entra hybrid joined device > For multiple controls > Require one of the selected controls
- Click Save.
Related links
- Entra admin center - Conditional Access | Policies
- CISA Strong Authentication & Secure Registration - MS.AAD.3.8v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have any conditional access policies that require managed devices for registration.
Tag: MS.AAD
MS.AAD.3.8
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaManagedDeviceRegistration.Tests.ps1
MS.AAD.4.1: Security logs SHALL be sent to the agency’s security operations center for monitoring.

Overview
Security logs SHALL be sent to the agency’s security operations center for monitoring.
Rationale: The security risk of not having visibility into cyber attacks is reduced by collecting logs in the agency’s centralized security detection infrastructure. This makes security events available for auditing, query, and incident response.
Note: The following logs (configured in Entra diagnostic settings) are required: AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, ServicePrincipalRiskEvents, EnrichedOffice365AuditLogs, MicrosoftGraphActivityLogs. If managed identities are used for Azure resources, also send the ManagedIdentitySignInLogs log type. If the Entra ID Provisioning Service is used to provision users to software-as-a-service (SaaS) apps or other systems, also send the ProvisioningLogs log type.
Note: Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at cyberliason@cisa.dhs.gov to request integration instructions.
Remediation action:
Follow the configuration instructions unique to the products and integration patterns at your organization to send the security logs to the security operations center for monitoring.
Related links
Test Results
Your tenant does not have diagnostic settings configured for all logs:
Log Name | Result |
---|---|
ADFSSignInLogs | ❌ Fail |
AuditLogs | ❌ Fail |
B2CRequestLogs | ❔ Optional |
EnrichedOffice365AuditLogs | ❌ Fail |
ManagedIdentitySignInLogs | ❌ Fail |
MicrosoftGraphActivityLogs | ❌ Fail |
NetworkAccessAlerts | ❔ Optional |
NetworkAccessTrafficLogs | ❔ Optional |
NonInteractiveUserSignInLogs | ❌ Fail |
ProvisioningLogs | ❔ Optional |
RemoteNetworkHealthLogs | ❔ Optional |
RiskyServicePrincipals | ❌ Fail |
RiskyUsers | ❌ Fail |
ServicePrincipalRiskEvents | ❌ Fail |
ServicePrincipalSignInLogs | ❌ Fail |
SignInLogs | ❌ Fail |
UserRiskEvents | ❌ Fail |
Tag: MS.AAD
MS.AAD.4.1
CISA
Security
All
Entra ID P1
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaDiagnosticSettings.Tests.ps1
MS.AAD.5.1: Only administrators SHALL be allowed to register applications.

Overview
Only administrators SHALL be allowed to register applications.
Rationale: Application access for the tenant presents a heightened security risk compared to interactive user access because applications are typically not subject to critical security protections, such as MFA policies. Reduce risk of unauthorized users installing malicious applications into the tenant by ensuring that only specific privileged users can register applications.
Remediation action:
- In Entra, under Identity and Users, select User settings.
- For Users can register applications, select No.
- Click Save.
Related links
- Entra admin center - User settings
- CISA Application Registration & Consent - MS.AAD.5.1v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant is configured with Users can register applications set to Yes. The recommended setting is No.
Tag: MS.AAD
MS.AAD.5.1
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaAppRegistration.Tests.ps1
MS.AAD.5.2: Only administrators SHALL be allowed to consent to applications.

Overview
Only administrators SHALL be allowed to consent to applications.
Rationale: Limiting application consent to only specific privileged users reduces the risk of users giving insecure applications access to their data via consent grant attacks.
Remediation action:
- In Entra under Identity and Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under User consent for applications, select Do not allow user consent.
- Click Save.
Related links
- Entra admin center - Consent and permissions | User consent settings
- CISA Application Registration & Consent - MS.AAD.5.2v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant allows users to consent for applications. The recommended setting is Do not allow user consent.
Tag: MS.AAD
MS.AAD.5.2
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaAppUserConsent.Tests.ps1
MS.AAD.5.3: An admin consent workflow SHALL be configured for applications.

Overview
An admin consent workflow SHALL be configured for applications.
Rationale: Configuring an admin consent workflow reduces the risk of the previous policy by setting up a process for users to securely request access to applications necessary for business purposes. Administrators have the opportunity to review the permissions requested by new applications and approve or deny access based on a risk assessment.
Remediation action:
- In Entra create a new Group that contains admin users responsible for reviewing and adjudicating application consent requests. Group members will be notified when users request consent for new applications.
- Then in Entra under Identity and Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select Admin consent settings.
- Under Admin consent requests and Users can request admin consent to apps they are unable to consent to select Yes.
- Under Who can review admin consent requests, select + Add groups and select the group responsible for reviewing and adjudicating app requests (created in step one above).
- Click Save.
Related links
- Entra admin center - Consent and permissions | Admin consent settings
- CISA Application Registration & Consent - MS.AAD.5.3v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant admin consent request policy is not configured.
Tag: MS.AAD
MS.AAD.5.3
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaAppAdminConsent.Tests.ps1
MS.AAD.5.4: Group owners SHALL NOT be allowed to consent to applications.

Overview
Group owners SHALL NOT be allowed to consent to applications.
Rationale: In M365, group owners and team owners can consent to applications accessing data in the tenant. By requiring consent requests to go through an approval workflow, risk of exposure to malicious applications is reduced.
Remediation action:
- In Entra under Identity and Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under Group owner consent for apps accessing data, select Do not allow group owner consent.
- Click Save.
Related links
- Entra admin center - Consent and permissions | User consent settings
- CISA Application Registration & Consent - MS.AAD.5.4v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant allows group owners to consent to applications.
Tag: MS.AAD
MS.AAD.5.4
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaAppGroupOwnerConsent.Tests.ps1
MS.AAD.6.1: User passwords SHALL NOT expire.

Overview
User passwords SHALL NOT expire.
The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB-22-09 states, “Password policies must not require use of special characters or regular rotation.”
Remediation action:
Configure password policies to set passwords to never expire.
- In Microsoft 365 admin center under Settings and Org settings, select the tab Security & privacy.
- Under Password expiration policy, set Set passwords to never expire.
- Click Save.
Related links
- Microsoft 365 admin center - Org settings | Password expiration policy
- Configure the Password expiration policy
- CISA Passwords - MS.AAD.6.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant password expiration policy is set to never expire.
Tag: MS.AAD
MS.AAD.6.1
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaPasswordExpiration.Tests.ps1
MS.AAD.7.1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.

Overview
A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.
Rationale: The Global Administrator role provides unfettered access to the tenant (Azure and Microsoft 365). Limiting the number of users with this level of access makes tenant compromise more challenging. Microsoft recommends fewer than five users in the Global Administrator role. However, additional user accounts, up to eight, may be necessary to support emergency access and some operational scenarios.
Remediation action:
When counting the number of users assigned to the Global Administrator role, count each user only once.
In Entra under Roles & admins and All roles, search for Global Administrator and click on it to go to the role and see who is assigned. Count users that are assigned directly to the role and users assigned via group membership.
If you have Entra ID PIM, count both the Eligible assignments and Active assignments.
If any of the groups assigned to Global Administrator are enrolled in PIM for Groups, also count the number of group members from the PIM for Groups portal Eligible assignments.
Validate that there are a total of two to eight users assigned to the Global Administrator role.
Related links
- Entra admin center - Roles and administrators | All roles
- CISA 7.1 Highly Privileged User Access - MS.AAD.7.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant has two or more and eight or fewer Global Administrators:
Tag: MS.AAD
MS.AAD.7.1
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaGlobalAdminCount.Tests.ps1
MS.AAD.7.2: Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.

Overview
Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.
Rationale: Many privileged administrative users do not need unfettered access to the tenant to perform their duties. By assigning them to roles based on least privilege, the risks associated with having their accounts compromised are reduced.
Remediation action:
This policy is based on the ratio below:
X = (Number of users assigned to the Global Administrator role) / (Number of users assigned to other highly privileged roles)
- Follow the instructions for policy MS.AAD.7.1v1 above to get a count of users assigned to the Global Administrator role.
- Follow the instructions for policy MS.AAD.7.1v1 above but get a count of users assigned to the other highly privileged roles (not Global Administrator). If a user is assigned to both Global Administrator and other roles, only count that user for the Global Administrator assignment.
- Divide the value from step 1 by the value from step 2 to calculate X. If X is less than or equal to 1, then the tenant is compliant with the policy.
Related links
Test Results
Your tenant does not have enough granular role assignments.
Current Ratio: 0 = 2 / 0
Ratio >= 1 - False
Tag: MS.AAD
MS.AAD.7.2
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaGlobalAdminRatio.Tests.ps1
MS.AAD.7.3: Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.

Overview
Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.
Rationale: Many privileged administrative users do not need unfettered access to the tenant to perform their duties. By assigning them to roles based on least privilege, the risks associated with having their accounts compromised are reduced.
Remediation action:
- Perform the steps below for each highly privileged role.
- Review the users listed that have an OnPremisesImmutableId and have OnPremisesSyncEnabled set.
- Create a cloud only user account for that individual and remove their hybrid identity from privileged roles.
Related links
- Entra admin center - Roles and administrators | All roles
- CISA 7.3 Highly Privileged User Access - MS.AAD.7.3v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant has no hybrid Global Administrators.
Tag: MS.AAD
MS.AAD.7.3
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaCloudGlobalAdmin.Tests.ps1
MS.AAD.7.4: Permanent active role assignments SHALL NOT be allowed for highly privileged roles.

Overview
Permanent active role assignments SHALL NOT be allowed for highly privileged roles.
Rationale: Instead of giving users permanent assignments to privileged roles, provisioning access just in time lessens exposure if those accounts become compromised. In Azure AD PIM or an alternative PAM system, just in time access can be provisioned by assigning users to roles as eligible instead of perpetually active.
Note: Exceptions to this policy are:
- Emergency access accounts that need perpetual access to the tenant in the rare event of system degradation or other scenarios.
- Some types of service accounts that require a user account with privileged roles; since these accounts are used by software programs, they cannot perform role activation.
Remediation action:
In Entra admin center select Show more and Roles & admins and then All roles.
Perform the steps below for each highly privileged role. We reference the Global Administrator role as an example.
Select the Global administrator role.
Under Manage, select Assignments and click the Active assignments tab.
Verify there are no users or groups with a value of Permanent in the End time column. If there are any, recreate those assignments to have an expiration date using Entra ID PIM or an alternative PAM system. If a group is identified and it is enrolled in PIM for Groups, see the exception cases below for details.
Related links
- Entra admin center - Roles and administrators | All roles
- CISA 7.4 Highly Privileged User Access - MS.AAD.7.4v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant has active assignments without expiration to privileged roles.
Tag: MS.AAD
MS.AAD.7.4
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaPermanentRoleAssignment.Tests.ps1
MS.AAD.7.5: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.

Overview
Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.
Rationale: Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed.
Remediation action:
In Entra admin center select Show more > Roles & admins and then select All roles.
Perform the steps below for each highly privileged role. We reference the Global Administrator role as an example.
Select the Global administrator role.
Under Manage, select Assignments and click the Active assignments tab.
For each user or group listed, examine the value in the Start time column. If it contains a value of -, this indicates the respective user/group was assigned to that role outside of Entra ID PIM. If the role was assigned outside of Entra ID PIM, delete the assignment and recreate it using Entra ID PIM.
Related links
- Entra admin center - Roles and administrators | All roles
- CISA 7.5 Highly Privileged User Access - MS.AAD.7.5v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant has no unmanaged active role assignments.
Tag: MS.AAD
MS.AAD.7.5
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaUnmanagedRoleAssignments.Tests.ps1
MS.AAD.7.6: Activation of the Global Administrator role SHALL require approval.

Overview
Activation of the Global Administrator role SHALL require approval.
Rationale: Requiring approval for a user to activate Global Administrator, which provides unfettered access, makes it more challenging for an attacker to compromise the tenant with stolen credentials and it provides visibility of activities indicating a compromise is taking place.
Remediation action:
- In Entra admin center select Identity governance and Privileged Identity Management.
- Under Manage, select Microsoft Entra roles.
- Under Manage, select Roles.
- Select the Global Administrator role in the list.
- Click Settings.
- Click Edit.
- Select the Require approval to activate option.
- Click Update.
- Review the list of groups that are actively assigned to the Global Administrator role. If any of the groups are enrolled in PIM for Groups, then also apply the same configurations under step 2 above to each PIM group’s Member settings.
Related links
- Entra admin center - Privileged Identity Management | Microsoft Entra roles
- CISA 7.6 Highly Privileged User Access - MS.AAD.7.6v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant has active assignments without a start date.
Tag: MS.AAD
MS.AAD.7.6
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaRequireActivationApproval.Tests.ps1
MS.AAD.7.7: Eligible and Active highly privileged role assignments SHALL trigger an alert.

Overview
Eligible and Active highly privileged role assignments SHALL trigger an alert.
Rationale: Closely monitor assignment of the highest privileged roles for signs of compromise. Send assignment alerts to enable the security monitoring team to detect compromise attempts.
Remediation action:
In Entra admin center select Identity governance and Privileged Identity Management.
Under Manage, select Microsoft Entra roles.
Under Manage, select Roles.
Perform the steps below for each highly privileged role. We reference the Global Administrator role as an example.
Click the Global Administrator role.
Click Settings and then click Edit.
Click the Notifications tab.
Under Send notifications when members are assigned as eligible to this role, in the Role assignment alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive privileged role assignment alerts.
Under Send notifications when members are assigned as active to this role, in the Role assignment alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive privileged role assignment alerts.
Click Update.
For each of the highly privileged roles, if they have any PIM groups actively assigned to them, then also apply the same configurations per the steps above to each PIM group’s Member settings.
Related links
- Entra admin center - Privileged Identity Management | Microsoft Entra roles
- CISA 7.7 Highly Privileged User Access - MS.AAD.7.7v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant has highly privileged roles without notifications.
Tag: MS.AAD
MS.AAD.7.7
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaAssignmentNotification.Tests.ps1
MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert.

Overview
User activation of the Global Administrator role SHALL trigger an alert.
Rationale: Closely monitor activation of the Global Administrator role for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts.
User activation of other highly privileged roles SHOULD trigger an alert.
Rationale: Closely monitor activation of high-risk roles for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts. In some environments, activating privileged roles can generate a significant number of alerts.
Remediation action:
In Entra admin center select Identity governance and Privileged Identity Management.
Under Manage, select Microsoft Entra roles.
Under Manage, select Roles.
Search and click the Global Administrator role.
For each of the highly privileged roles (other than Global Administrator), follow the same steps but enter a security monitoring mailbox different from the one used to monitor Global Administrator activations.
Click Settings and then click Edit.
Click the Notifications tab.
Under Send notifications when eligible members activate this role, in the Role activation alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive role activation alerts.
Click Update.
If the role has any PIM groups actively assigned to it, then also apply the same configurations per the steps above to each PIM group’s Member settings.
Related links
- Entra admin center - Privileged Identity Management | Microsoft Entra roles
- CISA 7.8 Highly Privileged User Access - MS.AAD.7.8v1
- CISA ScubaGear Rego Reference
- CISA 7.9 Highly Privileged User Access - MS.AAD.7.9v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have notifications on role activations.
Role Name | Result |
---|---|
Global Administrator | ❌ Fail |
Tag: MS.AAD
MS.AAD.7.8
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1
MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert.

Overview
User activation of the Global Administrator role SHALL trigger an alert.
Rationale: Closely monitor activation of the Global Administrator role for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts.
User activation of other highly privileged roles SHOULD trigger an alert.
Rationale: Closely monitor activation of high-risk roles for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts. In some environments, activating privileged roles can generate a significant number of alerts.
Remediation action:
In Entra admin center select Identity governance and Privileged Identity Management.
Under Manage, select Microsoft Entra roles.
Under Manage, select Roles.
Search and click the Global Administrator role.
For each of the highly privileged roles (other than Global Administrator), follow the same steps but enter a security monitoring mailbox different from the one used to monitor Global Administrator activations.
Click Settings and then click Edit.
Click the Notifications tab.
Under Send notifications when eligible members activate this role, in the Role activation alert > Additional recipients textbox, enter the email address of the security monitoring mailbox configured to receive role activation alerts.
Click Update.
If the role has any PIM groups actively assigned to it, then also apply the same configurations per the steps above to each PIM group’s Member settings.
Related links
- Entra admin center - Privileged Identity Management | Microsoft Entra roles
- CISA 7.8 Highly Privileged User Access - MS.AAD.7.8v1
- CISA ScubaGear Rego Reference
- CISA 7.9 Highly Privileged User Access - MS.AAD.7.9v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have notifications on role activations.
Role Name | Result |
---|---|
User Administrator | ❌ Fail |
Exchange Administrator | ❌ Fail |
SharePoint Administrator | ❌ Fail |
Application Administrator | ❌ Fail |
Privileged Role Administrator | ❌ Fail |
Cloud Application Administrator | ❌ Fail |
Hybrid Identity Administrator | ❌ Fail |
Tag: MS.AAD
MS.AAD.7.9
CISA
Security
All
Entra ID P2
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaActivationNotificationOther.Tests.ps1
MS.AAD.8.1: Guest users SHOULD have limited or restricted access to Azure AD directory objects.

Overview
Guest users SHOULD have limited or restricted access to Azure AD directory objects.
Rationale: Limiting the amount of object information available to guest users in the tenant reduces malicious reconnaissance exposure, should a guest account become compromised or be created by an adversary.
Remediation action
- In Entra ID and External Identities, select External collaboration settings.
- Under Guest user access, select either Guest users have limited access to properties and memberships of directory objects or Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
- Click Save.
Related links
- Entra admin center - External Identities | External collaboration settings
- CISA Guest User Access - MS.AAD.8.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Guest users have limited access to properties and memberships of directory objects
Tag: MS.AAD
MS.AAD.8.1
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaGuestUserAccess.Tests.ps1
MS.AAD.8.2: Only users with the Guest Inviter role SHOULD be able to invite guest users.

Overview
Only users with the Guest Inviter role SHOULD be able to invite guest users.
Rationale: By only allowing an authorized group of individuals to invite external users to create accounts in the tenant, an agency can enforce a guest user account approval process, reducing the risk of unauthorized account creation.
Remediation action:
In Entra ID and External Identities, select External collaboration settings.
Under Guest invite settings, select Only users assigned to specific admin roles can invite guest users or No one in the organization can invite guest users including admins (most restrictive).
Click Save.
Related links
- Entra admin center - External Identities | External collaboration settings
- CISA Guest User Access - MS.AAD.8.2v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant allows anyone to invite guests.
allowInvitesFrom : everyone
Tag: MS.AAD
MS.AAD.8.2
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaGuestInvitation.Tests.ps1
MS.AAD.8.3: Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.

Overview
Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.
Rationale: Limiting which domains can be invited to create guest accounts in the tenant helps reduce the risk of users from unauthorized external organizations getting access.
⚠️ WARNING: This test utilizes a technical mechanism that differs from CISA’s, though the outcome is the same.
Remediation action:
- In Entra admin center select External Identities and Cross-tenant access settings.
- Under Default settings, select Edit inbound defaults.
- Under B2B collaboration, and External users and groups, ensure Access status is set to Block access.
- Under B2B collaboration, and Applications, ensure Access status is set to Block access.
This configuration will only allow B2B collaboration with other Entra tenants.
Related links
- Entra admin center - External Identities | Cross-tenant access settings
- CISA 8 Guest User Access - MS.AAD.8.3v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant’s default cross-tenant inbound access policy is not set to block:
External Users & Groups | Applications |
---|---|
❌ Fail | ❌ Fail |
Tag: MS.AAD
MS.AAD.8.3
CISA
Security
All
Entra ID Free
Category: CISA SCuBA
Source: C:\maester-tests\cisa\entra\Test-MtCisaCrossTenantInboundDefault.Tests.ps1
MS.EXO.01.1: Automatic forwarding to external domains SHALL be disabled.

Overview
Automatic forwarding to external domains SHALL be disabled.
Rationale: Adversaries can use automatic forwarding to gain persistent access to a victim’s email. Disabling forwarding to external domains prevents this technique when the adversary is external to the organization but does not impede legitimate internal forwarding.
Remediation action:
To disable automatic forwarding to external domains:
- Sign in to the Exchange admin center.
- Select Mail flow, then Remote domains.
- Select Default.
- Under Email reply types, select Edit reply types.
- Clear the checkbox next to Allow automatic forwarding, then click Save.
- Return to Remote domains and repeat steps 4 and 5 for each additional remote domain in the list.
Related links
- Exchange admin center - Remote domains
- CISA 1 Automatic Forwarding to External Domains - MS.EXO.1.1v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have automatic forwarding disabled for all domains.
Name | Domain | Automatic forwarding | Test Result |
---|---|---|---|
Default | * | Allow automatic forwarding | ❌ Fail |
Tag: MS.EXO
MS.EXO.1.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAutoExternalForwarding.Tests.ps1
MS.EXO.02.1: A list of approved IP addresses for sending mail SHALL be maintained.

Overview
A list of approved IP addresses for sending mail SHALL be maintained.
Rationale: Failing to maintain an accurate list of authorized IP addresses may result in spoofed email messages or failure to deliver legitimate messages when SPF is enabled. Maintaining such a list helps ensure that unauthorized servers sending spoofed messages can be detected, and permits message delivery from legitimate senders.
Remediation action:
- Identify any approved senders specific to your agency.
- Perform regular review of SPF record and update as necessary.
- Additionally, see External DNS records required for SPF for inclusions required for Microsoft to send email on behalf of your domain.
Related links
- Exchange admin center - Accepted domains
- CISA 2 Sender Policy Framework - MS.EXO.2.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant’s domains have a restricted SPF; review authorized senders for accuracy.
Domain | Result | Reason | Addresses |
---|---|---|---|
alit.is | ✅ Pass | Last directive is ‘-all’ | 40.92.0.0/15, 40.107.0.0/16, & …9 addresses |
vxcnx.mail.onmicrosoft.com | ✅ Pass | Last directive is ‘-all’ | 157.56.232.0/21, 157.56.240.0/20, & …65 addresses |
vxcnx.onmicrosoft.com | ✅ Pass | Last directive is ‘-all’ | 40.92.0.0/15, 40.107.0.0/16, & …9 addresses |
Tag: MS.EXO
MS.EXO.2.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSpfRestriction.Tests.ps1
MS.EXO.02.2: An SPF policy SHALL be published for each domain, designating only these addresses as approved senders.

Overview
An SPF policy SHALL be published for each domain, designating only these addresses as approved senders.
Rationale: An adversary may modify the FROM field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Publishing an SPF policy for each agency domain mitigates forged FROM fields by providing a means for recipients to detect emails spoofed in this way. SPF is required for FCEB departments and agencies by Binding Operational Directive (BOD) 18-01, “Enhance Email and Web Security”.
Remediation action:
SPF is not configured through the Exchange admin center, but rather via DNS records hosted by the agency’s domain. Thus, the exact steps needed to set up SPF vary from agency to agency. See Add or edit an SPF TXT record to help prevent email spam (Outlook, Exchange Online) | Microsoft Learn for more details.
To test your SPF configuration, consider using a web-based tool, such as those listed under How can I validate SPF records for my domain? | Microsoft Learn. Additionally, SPF records can be requested using the PowerShell cmdlet Resolve-DnsName. For example:
Resolve-DnsName example.onmicrosoft.com txt
If SPF is configured, you will see a response resembling v=spf1 include:spf.protection.outlook.com -all returned; though by necessity, the contents of the SPF policy may vary by agency. In this example, the SPF policy indicates that the IP addresses listed by the policy for “spf.protection.outlook.com” are the only approved senders for “example.onmicrosoft.com.” These IPs can be determined via an additional SPF lookup, this time for “spf.protection.outlook.com.” Ensure the IP addresses listed as approved senders for your domain are those identified for MS.EXO.2.1v1. See SPF TXT record syntax for Microsoft 365 | Microsoft Learn for a more in-depth discussion of SPF record syntax.
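As an added example (not Maester’s or CISA’s code), the following Python evaluates SPF TXT records the way the MS.EXO.2.1 and MS.EXO.2.2 result tables above describe: the last directive must be ‘-all’, and at least one mechanism must target Exchange Online. The records are constructed inline, no DNS query is made (paste the TXT strings returned by Resolve-DnsName), and treating include:spf.protection.outlook.com as the EXO directive is an assumption about what the report’s “No EXO directive” reason means.

```python
"""Evaluate SPF TXT records against the two SPF checks in the report.

Added example, not Maester's own test code. It approximates what the
Test-MtCisaSpfRestriction / Test-MtCisaSpfDirective result columns express:
  MS.EXO.2.1 -> the record's last directive must be '-all' (hard fail)
  MS.EXO.2.2 -> at least one mechanism must target Exchange Online, taken
                here to mean include:spf.protection.outlook.com (assumption)
All records below are constructed samples; nothing is looked up in DNS.
"""
from dataclasses import dataclass, field

EXO_INCLUDE = "spf.protection.outlook.com"  # assumed EXO sender directive

# Constructed sample records mirroring the shapes seen in the report tables
SAMPLE_RECORDS = {
    "alit.is": "v=spf1 include:spf.protection.outlook.com -all",
    "vxcnx.mail.onmicrosoft.com": "v=spf1 include:outlook.com -all",
    "softfail.example": "v=spf1 include:spf.protection.outlook.com ~all",
    "nospf.example": "google-site-verification=abc123",
}


@dataclass
class SpfResult:
    domain: str
    is_spf: bool
    directives: list = field(default_factory=list)
    last_directive: str = ""
    restriction_pass: bool = False    # MS.EXO.2.1
    exo_directive_pass: bool = False  # MS.EXO.2.2
    reason: str = ""


def parse_spf(record: str) -> list:
    """Split a TXT string into SPF terms, or return [] if it is not SPF."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    return terms[1:]


def mechanism_target(term: str) -> tuple:
    """Return (qualifier, mechanism, target) for a term such as 'include:x'.

    A missing qualifier means '+'. Modifiers such as 'redirect=x' are
    returned as (qualifier, 'redirect', 'x') so callers can treat them alike.
    """
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, target = term.partition(":")
    if not target and "=" in name:  # modifier form, e.g. redirect=...
        name, _, target = name.partition("=")
    return qualifier, name.lower(), target.lower()


def evaluate_spf(domain: str, record: str) -> SpfResult:
    """Apply both report checks to one domain's TXT record."""
    terms = parse_spf(record)
    if not terms:
        return SpfResult(domain, False, reason="No SPF record")
    res = SpfResult(domain, True, directives=terms, last_directive=terms[-1])
    # MS.EXO.2.1: everything not explicitly authorized must hard-fail
    res.restriction_pass = terms[-1].lower() == "-all"
    # MS.EXO.2.2: some positively qualified mechanism must name EXO
    for t in terms:
        q, mech, target = mechanism_target(t)
        if q == "+" and mech == "include" and target == EXO_INCLUDE:
            res.exo_directive_pass = True
            break
    if not res.restriction_pass:
        res.reason = f"Last directive is '{terms[-1]}', expected '-all'"
    elif not res.exo_directive_pass:
        res.reason = "No EXO directive"
    else:
        res.reason = "Last directive is '-all'; 1+ mechanism targets EXO"
    return res


def evaluate_all(records: dict) -> dict:
    """Evaluate a {domain: txt_record} mapping; returns {domain: SpfResult}."""
    return {d: evaluate_spf(d, r) for d, r in records.items()}


if __name__ == "__main__":
    for r in evaluate_all(SAMPLE_RECORDS).values():
        flag = "PASS" if r.restriction_pass and r.exo_directive_pass else "FAIL"
        print(f"{r.domain:28} {flag}  {r.reason}")
```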
Related links
- Exchange admin center - Accepted domains
- CISA 2 Sender Policy Framework - MS.EXO.2.2v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant’s domains do not restrict authorized senders with SPF fully. Ensure authorized senders are specified.
Domain | Result | Reason | Directives |
---|---|---|---|
alit.is | ✅ Pass | 1+ mechanism targets | include:spf.protection.outlook.com |
vxcnx.mail.onmicrosoft.com | ❌ Fail | No EXO directive | include:outlook.com |
vxcnx.onmicrosoft.com | ✅ Pass | 1+ mechanism targets | include:spf.protection.outlook.com |
Tag: MS.EXO
MS.EXO.2.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSpfDirective.Tests.ps1
MS.EXO.03.1: DKIM SHOULD be enabled for all domains.

Overview
DKIM SHOULD be enabled for all domains.
Rationale: An adversary may modify the FROM field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Enabling DKIM is another means for recipients to detect spoofed emails and verify the integrity of email content.
Remediation action:
To enable DKIM, follow the instructions listed on Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal | Microsoft Learn.
Related links
- Defender admin center - Email authentication settings
- CISA 3 Sender Policy Framework - MS.EXO.3.1v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant’s domains do not have DKIM fully deployed. Review EXO configuration and DNS records.
Domain | Result | Reason |
---|---|---|
alit.is | ❌ Fail | Failure to obtain record |
vxcnx.mail.onmicrosoft.com | ❌ Fail | Failure to obtain record |
vxcnx.onmicrosoft.com | ❌ Fail | Failure to obtain record |
Tag: MS.EXO
MS.EXO.3.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDkim.Tests.ps1
MS.EXO.04.1: A DMARC policy SHALL be published for every second-level domain.

Overview
$cisaDmarcRecordExist = Test-MtCisaDmarcRecordExist
if ($null -ne $cisaDmarcRecordExist) {
$cisaDmarcRecordExist | Should -Be $true -Because "DMARC record should exist."
}
Tag: MS.EXO
MS.EXO.4.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDmarcRecordExist.Tests.ps1
MS.EXO.04.2: The DMARC message rejection option SHALL be p=reject.

Overview
$cisaDmarcRecordReject = Test-MtCisaDmarcRecordReject
if ($null -ne $cisaDmarcRecordReject) {
$cisaDmarcRecordReject | Should -Be $true -Because "DMARC record policy should be reject."
}
Tag: MS.EXO
MS.EXO.4.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDmarcRecordReject.Tests.ps1
MS.EXO.05.1: SMTP AUTH SHALL be disabled.

Overview
SMTP AUTH SHALL be disabled.
Rationale: SMTP AUTH is not used or needed by modern email clients. Therefore, disabling it as the global default conforms to the principle of least functionality.
Remediation action:
To disable SMTP AUTH for the organization:
- Sign in to the Exchange admin center.
- On the left-hand pane, select Settings; then from the settings list, select Mail Flow.
- Make sure the setting Turn off SMTP AUTH protocol for your organization is checked.
Related links
- Exchange admin center - Settings
- CISA 5 Simple Mail Transfer Protocol Authentication - MS.EXO.5.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant has SMTP Authentication disabled.
Tag: MS.EXO
MS.EXO.5.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSmtpAuthentication.Tests.ps1
MS.EXO.06.1: Contact folders SHALL NOT be shared with all domains.

Overview
Contact folders SHALL NOT be shared with all domains.
Rationale: Contact folders may contain information that should not be shared by default with all domains. Disabling sharing with all domains closes an avenue for data exfiltration while still allowing for specific legitimate use as needed.
Remediation action:
To restrict sharing with all domains:
- Sign in to the Exchange admin center.
- On the left-hand pane under Organization, select Sharing.
- Select Individual Sharing.
- For all existing policies, select the policy, then select Manage domains.
- For all sharing rules under all existing policies, ensure Sharing with everyone and Anonymous do not include ContactsSharing.
Related links
- Exchange admin center - Individual Sharing
- CISA 6 Calendar and Contact Sharing - MS.EXO.6.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant does not allow uncontrolled contact sharing.
Policy Name | Test Result |
---|---|
Default Sharing Policy | ✅ Pass |
Tag: MS.EXO
MS.EXO.6.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaContactSharing.Tests.ps1
MS.EXO.06.2: Calendar details SHALL NOT be shared with all domains.

Overview
Calendar details SHALL NOT be shared with all domains.
Rationale: Calendar details may contain information that should not be shared by default with all domains. Disabling sharing with all domains closes an avenue for data exfiltration while still allowing for legitimate use as needed.
Remediation action:
To restrict sharing with all domains:
- Sign in to the Exchange admin center.
- On the left-hand pane under Organization, select Sharing.
- Select Individual Sharing.
- For all existing policies, select the policy, then select Manage domains.
- For all sharing rules under all existing policies, ensure Sharing with everyone and Anonymous do not include CalendarSharing.
Related links
- Exchange admin center - Individual Sharing
- CISA 6 Calendar and Contact Sharing - MS.EXO.6.2v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant allows uncontrolled calendar sharing.
Policy Name | Test Result |
---|---|
Default Sharing Policy | ❌ Fail |
Tag: MS.EXO
MS.EXO.6.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaCalendarSharing.Tests.ps1
MS.EXO.07.1: External sender warnings SHALL be implemented.

Overview
External sender warnings SHALL be implemented.
Rationale: Phishing is an ever-present threat. Alerting users when email originates from outside their organization can encourage them to exercise increased caution, especially if an email is one they expected from an internal sender.
⚠️ WARNING: This test allows the use of a technical mechanism that differs from CISA’s, though the outcome is the same.
Remediation action:
Option 1: Use external sender identification
This feature is only available for Outlook, Outlook for Mac, Outlook on the web, and Outlook for iOS and Android.
- Connect to Exchange Online using the PowerShell module ExchangeOnlineManagement.
- Enable the feature with the cmdlet Set-ExternalInOutlook:
Connect-ExchangeOnline
Set-ExternalInOutlook -Enabled $true
Option 2: Prepend subject with “[External]”
To create a mail flow rule to produce external sender warnings:
- Sign in to the Exchange admin center.
- Under Mail flow, select Rules.
- Click the plus (+) button to create a new rule.
- Select Modify messages….
- Give the rule an appropriate name.
- Under Apply this rule if…, select The sender is external/internal.
- Under select sender location, select Outside the organization, then click OK.
- Under Do the following…, select Prepend the subject of the message with….
- Under specify subject prefix, enter a message such as “[External]” (without the quotation marks), then click OK.
- Click Next.
- Under Choose a mode for this rule, select Enforce.
- Leave the Severity as Not Specified.
- Leave the Match sender address in message as Header and click Next.
- Click Finish and then Done.
- The new rule will be disabled. Re-select the new rule to show its settings and slide the Enable or disable rule slider to the right until it shows as Enabled.
Related links
- Exchange admin center - Mail Flow Rules
- CISA 7 External Sender Warnings - MS.EXO.7.1v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have an external sender warning.
Tag: MS.EXO
MS.EXO.7.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaExternalSenderWarning.Tests.ps1
MS.EXO.08.1: A DLP solution SHALL be used.

Overview
A DLP solution SHALL be used.
Rationale: Users may inadvertently disclose sensitive information to unauthorized individuals. A DLP solution may detect the presence of sensitive information in Exchange Online and block access to unauthorized entities.
Remediation action:
Sign in to the Microsoft Purview compliance portal.
Under the Solutions section, select Data loss prevention.
Select Policies from the left menu.
Select Create policy.
From the Categories list, select Custom.
From the Templates list, select Custom policy and then click Next.
Edit the name and description of the policy if desired, then click Next.
Under Choose locations to apply the policy, set Status to On for at least the Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices locations, then click Next.
Under Define policy settings, select Create or customize advanced DLP rules, and then click Next.
Click Create rule. Assign the rule an appropriate name and description.
Click Add condition, then Content contains.
Click Add, then Sensitive info types.
Add information types that protect information sensitive to the agency.
At a minimum, the agency should protect:
- Credit card numbers
- U.S. Individual Taxpayer Identification Numbers (ITIN)
- U.S. Social Security Numbers (SSN)
- All agency-defined PII and sensitive information
Click Add.
Under Actions, click Add an action.
Check Restrict Access or encrypt the content in Microsoft 365 locations.
Under this action, select Block Everyone.
Under User notifications, turn on Use notifications to inform your users and help educate them on the proper use of sensitive info.
Under Microsoft 365 services, a section that appears after user notifications are turned on, check the box next to Notify users in Office 365 service with a policy tip.
Click Save, then Next.
Select Turn it on right away, then click Next.
Click Submit.
Related links
- Purview admin center - Data loss prevention policies
- CISA 8 Data Loss Prevention Solutions - MS.EXO.8.1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have Purview Data Loss Prevention Policies enabled.
Name | Status | Description |
---|---|---|
Tag: MS.EXO
MS.EXO.8.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDlp.Tests.ps1
MS.EXO.08.2: The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.

Overview
The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.
Reference your organization’s policy defining PII.
Rationale: Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures.
Remediation action:
Sign in to the Microsoft Purview compliance portal.
Under the Solutions section, select Data loss prevention.
Select Policies from the left menu.
Select Create policy.
From the Categories list, select Custom.
From the Templates list, select Custom policy and then click Next.
Edit the name and description of the policy if desired, then click Next.
Under Choose locations to apply the policy, set Status to On for at least the Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices locations, then click Next.
Under Define policy settings, select Create or customize advanced DLP rules, and then click Next.
Click Create rule. Assign the rule an appropriate name and description.
Click Add condition, then Content contains.
Click Add, then Sensitive info types.
Add information types that protect information sensitive to the agency.
At a minimum, the agency should protect:
- Credit card numbers
- U.S. Individual Taxpayer Identification Numbers (ITIN)
- U.S. Social Security Numbers (SSN)
- All agency-defined PII and sensitive information
Click Add.
Under Actions, click Add an action.
Check Restrict Access or encrypt the content in Microsoft 365 locations.
Under this action, select Block Everyone.
Under User notifications, turn on Use notifications to inform your users and help educate them on the proper use of sensitive info.
Under Microsoft 365 services, a section that appears after user notifications are turned on, check the box next to Notify users in Office 365 service with a policy tip.
Click Save, then Next.
Select Turn it on right away, then click Next.
Click Submit.
Related links
- Purview admin center - Data loss prevention policies
- CISA 8 Data Loss Prevention Solutions - MS.EXO.8.2
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have Purview Data Loss Prevention Policies enabled with the Sensitive Info Type of All Full Names.
Status | Policy | Rule |
---|---|---|
Tag: MS.EXO
MS.EXO.8.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDlpPii.Tests.ps1
MS.EXO.08.4: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.

Overview
At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.
Reference your organization’s policy defining restricted information.
Rationale: Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures.
Remediation action:
Sign in to the Microsoft Purview compliance portal.
Under the Solutions section, select Data loss prevention.
Select Policies from the left menu.
Select Create policy.
From the Categories list, select Custom.
From the Templates list, select Custom policy and then click Next.
Edit the name and description of the policy if desired, then click Next.
Under Choose locations to apply the policy, set Status to On for at least the Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices locations, then click Next.
Under Define policy settings, select Create or customize advanced DLP rules, and then click Next.
Click Create rule. Assign the rule an appropriate name and description.
Click Add condition, then Content contains.
Click Add, then Sensitive info types.
Add information types that protect information sensitive to the agency.
At a minimum, the agency should protect:
- Credit card numbers
- U.S. Individual Taxpayer Identification Numbers (ITIN)
- U.S. Social Security Numbers (SSN)
- All agency-defined PII and sensitive information
Click Add.
Under Actions, click Add an action.
Check Restrict Access or encrypt the content in Microsoft 365 locations.
Under this action, select Block Everyone.
Under User notifications, turn on Use notifications to inform your users and help educate them on the proper use of sensitive info.
Under Microsoft 365 services, a section that appears after user notifications are turned on, check the box next to Notify users in Office 365 service with a policy tip.
Click Save, then Next.
Select Turn it on right away, then click Next.
Click Submit.
Related links
- Purview admin center - Data loss prevention policies
- CISA 8 Data Loss Prevention Solutions - MS.EXO.8.4
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have Purview Data Loss Prevention Policies enabled with the Sensitive Info Type of credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN).
Required Rules:
Credit Card Number | U.S. Social Security Number | U.S. Individual Taxpayer Identification Number |
---|---|---|
❌ Fail | ❌ Fail | ❌ Fail |
Rule Relationships:
Status | Policy | Rule |
---|---|---|
Tag: MS.EXO
MS.EXO.8.4
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDlpBaselineRule.Tests.ps1
MS.EXO.09.1: Emails SHALL be filtered by attachment file types.

Overview
Emails SHALL be filtered by attachment file types.
Rationale: Malicious attachments often take the form of click-to-run files. Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.1v2
- CISA ScubaGear Rego Reference
- Microsoft Learn - Common attachments filter in anti-malware policies
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | File Filter Enabled | Extensions |
---|---|---|
Default | ✅ Pass | ace, apk, app, appx, ani, & 48 others |
Tag: MS.EXO
MS.EXO.9.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAttachmentFilter.Tests.ps1
MS.EXO.09.2: The attachment filter SHOULD attempt to determine the true file type and assess the file extension.

Overview
The attachment filter SHOULD attempt to determine the true file type and assess the file extension.
Rationale: Users can change a file extension at the end of a file name (e.g., notepad.exe to notepad.txt) to obscure the actual file type. Verifying the file type and checking that this matches the designated file extension can help detect instances where the file extension was changed.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.2v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - True type matching in the common attachments filter
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | File Filter Enabled |
---|---|
Default | ✅ Pass |
Tag: MS.EXO
MS.EXO.9.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAttachmentFileType.Tests.ps1
MS.EXO.09.3: Disallowed file types SHALL be determined and enforced.

Overview
The attachment filter SHOULD attempt to determine the true file type and assess the file extension.
Rationale: Users can change a file extension at the end of a file name (e.g., notepad.exe to notepad.txt) to obscure the actual file type. Verifying the file type and checking that this matches the designated file extension can help detect instances where the file extension was changed.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.2v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - True type matching in the common attachments filter
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | File Filter Enabled |
---|---|
Default | ✅ Pass |
Tag: MS.EXO
MS.EXO.9.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaBlockFileType.Tests.ps1
MS.EXO.09.5: At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).

Overview
At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
Rationale: Malicious attachments often take the form of click-to-run files. Blocking a list of common executable files helps mitigate the risk of adversarial exploitation.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.5v1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | File Filter Enabled | Extensions |
---|---|---|
Default | ✅ Pass | cmd, exe, vbe |
Tag: MS.EXO
MS.EXO.9.5
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaBlockExecutable.Tests.ps1
MS.EXO.10.1: Emails SHALL be scanned for malware.

Overview
Emails SHALL be filtered by attachment file types.
Rationale: Malicious attachments often take the form of click-to-run files. Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.1v2
- CISA ScubaGear Rego Reference
- Microsoft Learn - Common attachments filter in anti-malware policies
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | File Filter Enabled | Extensions |
---|---|---|
Default | ✅ Pass | ace, apk, app, appx, ani, & 48 others |
Tag: MS.EXO
MS.EXO.10.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaMalwareScan.Tests.ps1
MS.EXO.10.2: Emails identified as containing malware SHALL be quarantined or dropped.

Overview
Emails identified as containing malware SHALL be quarantined or dropped.
Rationale: Email can be used as a mechanism for delivering malware. Preventing emails with known malware from reaching user mailboxes helps ensure users cannot interact with those emails.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 10 Malware Scanning - MS.EXO.10.2v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Anatomy of a quarantine policy
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Quarantine Tag | Result |
---|---|---|
Default | AdminOnlyAccessPolicy | ✅ Pass |
Tag: MS.EXO
MS.EXO.10.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaMalwareAction.Tests.ps1
MS.EXO.10.3: Email scanning SHALL be capable of reviewing emails after delivery.

Overview
Email scanning SHALL be capable of reviewing emails after delivery.
Rationale: As known malware signatures are updated, it is possible for an email to be retroactively identified as containing malware after delivery. By scanning emails after delivery, the number of malware-infected emails in users’ mailboxes can be reduced.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 10 Malware Scanning - MS.EXO.10.3v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Zero-hour auto purge (ZAP) for malware
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Result |
---|---|
Default | ✅ Pass |
Tag: MS.EXO
MS.EXO.10.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaMalwareZap.Tests.ps1
MS.EXO.11.1: Impersonation protection checks SHOULD be used.

Overview
Impersonation protection checks SHOULD be used.
Rationale: Users might not be able to reliably identify phishing emails, especially if the FROM address is nearly indistinguishable from that of a known entity. By automatically identifying senders who appear to be impersonating known senders, the risk of a successful phishing attempt can be reduced.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 11 Phishing Protections - MS.EXO.11.1v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Result |
---|---|
Office365 AntiPhish Default | ❌ Fail |
Tag: MS.EXO
MS.EXO.11.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaImpersonation.Tests.ps1
MS.EXO.11.2: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.

Overview
User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.
Rationale: Many tasks are better suited for automated processes, such as identifying unusual characters in the FROM address or identifying a first-time sender. User warnings can handle these tasks, reducing the burden on end users and the risk of successful phishing attempts.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 11 Phishing Protections - MS.EXO.11.2v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Result |
---|---|
Office365 AntiPhish Default | ❌ Fail |
Tag: MS.EXO
MS.EXO.11.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaImpersonationTip.Tests.ps1
MS.EXO.11.3: The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.

Overview
The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.
Rationale: Phishing attacks can result in unauthorized data disclosure and unauthorized access. Using AI-based phishing detection tools to improve the detection rate of phishing attempts helps reduce the risk of successful phishing attacks.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 11 Phishing Protections - MS.EXO.11.3v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Mailbox intelligence impersonation protection
Test Results
Your tenant does not have standard and strict preset security policies enabled.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Result |
---|---|
Office365 AntiPhish Default | ❌ Fail |
Tag: MS.EXO
MS.EXO.11.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaMailboxIntelligence.Tests.ps1
MS.EXO.12.1: IP allow lists SHOULD NOT be created.

Overview
IP allow lists SHOULD NOT be created.
Rationale: Messages sent from IP addresses on an allow list bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of IP allow lists prevents potential threats from circumventing security mechanisms.
Remediation action:
To modify the connection filters, follow the instructions found in Use the Microsoft 365 Defender portal to modify the default connection filter policy.
- Sign in to Microsoft 365 Defender portal.
- From the left-hand menu, find Email & collaboration and select Policies and Rules.
- Select Threat Policies from the list of policy names.
- Under Policies, select Anti-spam.
- Select Connection filter policy (Default).
- Click Edit connection filter policy.
- Ensure no addresses are specified under Always allow messages from the following IP addresses or address range.
Related links
- Defender admin center - Anti-spam policies
- CISA 12 IP Allow Lists - MS.EXO.12.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant does not have any Anti-spam IP allow lists.
Tag: MS.EXO
MS.EXO.12.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAntiSpamAllowList.Tests.ps1
MS.EXO.12.2: Safe lists SHOULD NOT be enabled.

Overview
Safe lists SHOULD NOT be enabled.
Rationale: Messages sent from allowed safe list addresses bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of safe lists prevents potential threats from circumventing security mechanisms. While blocking all malicious senders is not feasible, blocking specific known, malicious IP addresses may reduce the threat from specific senders.
Remediation action:
To modify the connection filters, follow the instructions found in Use the Microsoft 365 Defender portal to modify the default connection filter policy.
- Sign in to Microsoft 365 Defender portal.
- From the left-hand menu, find Email & collaboration and select Policies and Rules.
- Select Threat Policies from the list of policy names.
- Under Policies, select Anti-spam.
- Select Connection filter policy (Default).
- Click Edit connection filter policy.
- Ensure Turn on safe list is not selected.
Related links
- Defender admin center - Anti-spam policies
- CISA 12 IP Allow Lists - MS.EXO.12.2v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Safe List is disabled in your tenant.
Tag: MS.EXO
MS.EXO.12.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAntiSpamSafeList.Tests.ps1
MS.EXO.13.1: Mailbox auditing SHALL be enabled.

Overview
Mailbox auditing SHALL be enabled.
Rationale: Exchange Online user accounts can be compromised or misused. Enabling mailbox auditing provides a valuable source of information to detect and respond to mailbox misuse.
Remediation action:
Mailbox auditing can be managed from the Exchange Online PowerShell module. Follow the instructions listed on Manage mailbox auditing in Office 365.
- To enable mailbox auditing by default for your organization via PowerShell:
- Connect to the Exchange Online PowerShell.
- Run the following command:
Set-OrganizationConfig -AuditDisabled $false
Related links
- Microsoft Learn - Mailbox Auditing
- CISA 13 Mailbox Auditing - MS.EXO.13.1v1
- CISA ScubaGear Rego Reference
Test Results
Well done. Your tenant has mailbox auditing enabled.
✅ Pass
Tag: MS.EXO
MS.EXO.13.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaMailboxAuditing.Tests.ps1
MS.EXO.14.1: A spam filter SHALL be enabled.

Overview
A spam filter SHALL be enabled.
Rationale: Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 14 Inbound Anti-Spam Protections - MS.EXO.14.1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Spam Action | High Confidence Spam Action | Bulk Spam Action | Phish Spam Action |
---|---|---|---|---|
Default | MoveToJmf | MoveToJmf | MoveToJmf | MoveToJmf |
Tag: MS.EXO
MS.EXO.14.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSpamFilter.Tests.ps1
MS.EXO.14.2: Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.

Overview
Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.
Rationale: Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Moving spam messages to a separate junk or quarantine folder helps users filter out spam while still giving them the ability to review messages, as needed, in case a message is filtered incorrectly.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 14 Inbound Anti-Spam Protections - MS.EXO.14.2
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Spam Action | High Confidence Spam Action |
---|---|---|
Default | ✅ Pass | ✅ Pass |
Tag: MS.EXO
MS.EXO.14.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSpamAction.Tests.ps1
MS.EXO.14.3: Allowed domains SHALL NOT be added to inbound anti-spam protection policies.

Overview
Allowed domains SHALL NOT be added to inbound anti-spam protection policies.
Rationale: Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 14 Inbound Anti-Spam Protections - MS.EXO.14.3
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Policy Result | Allowed Domains |
---|---|---|
Default | ✅ Pass | |
Tag: MS.EXO
MS.EXO.14.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSpamBypass.Tests.ps1
MS.EXO.15.1: URL comparison with a block-list SHOULD be enabled.

Overview
URL comparison with a block-list SHOULD be enabled.
Rationale: Users may be directed to malicious websites via links in email. Blocking access to known, malicious URLs can prevent users from accessing known malicious websites.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under either Standard protection or Strict protection, select Manage protection settings.
- Select Next until you reach the Apply Defender for Office 365 protection page.
- On the Apply Defender for Office 365 protection page, select All recipients.
- (Optional) Under Exclude these recipients, add Users and Groups to be exempted from the preset policies.
- Select Next on each page until the Review and confirm your changes page.
- On the Review and confirm your changes page, select Confirm.
Related links
- Defender admin center - Preset security policies
- CISA 15 Link Protection - MS.EXO.15.1
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Policy Result |
---|---|
Built-In Protection Policy | ✅ Pass |
Tag: MS.EXO
MS.EXO.15.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSafeLink.Tests.ps1
MS.EXO.15.2: Direct download links SHOULD be scanned for malware.

Overview
Direct download links SHOULD be scanned for malware.
Rationale: URLs in emails may direct users to download and run malware. Scanning direct download links in real-time for known malware and blocking access can prevent users from infecting their devices.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under either Standard protection or Strict protection, select Manage protection settings.
- Select Next until you reach the Apply Defender for Office 365 protection page.
- On the Apply Defender for Office 365 protection page, select All recipients.
- (Optional) Under Exclude these recipients, add Users and Groups to be exempted from the preset policies.
- Select Next on each page until the Review and confirm your changes page.
- On the Review and confirm your changes page, select Confirm.
Related links
- Defender admin center - Preset security policies
- CISA 15 Link Protection - MS.EXO.15.2
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Policy Result |
---|---|
Built-In Protection Policy | ✅ Pass |
Tag: MS.EXO
MS.EXO.15.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSafeLinkDownloadScan.Tests.ps1
MS.EXO.15.3: User click tracking SHOULD be enabled.

Overview
User click tracking SHOULD be enabled.
Rationale: Users may click on malicious links in emails, leading to compromise or unauthorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under either Standard protection or Strict protection, select Manage protection settings.
- Select Next until you reach the Apply Defender for Office 365 protection page.
- On the Apply Defender for Office 365 protection page, select All recipients.
- (Optional) Under Exclude these recipients, add Users and Groups to be exempted from the preset policies.
- Select Next on each page until the Review and confirm your changes page.
- On the Review and confirm your changes page, select Confirm.
Related links
- Defender admin center - Preset security policies
- CISA 15 Link Protection - MS.EXO.15.3
- CISA ScubaGear Rego Reference
Test Results
Your tenant does not have standard and strict preset security policies.
Policy | Status |
---|---|
Standard | ❌ Fail |
Strict | ❌ Fail |
Policy Name | Policy Result |
---|---|
Built-In Protection Policy | ✅ Pass |
Tag: MS.EXO
MS.EXO.15.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSafeLinkClickTracking.Tests.ps1
MS.EXO.16.1: Alerts SHALL be enabled.

Overview
At a minimum, the following alerts SHALL be enabled:
- a. Suspicious email sending patterns detected.
- b. Suspicious Connector Activity.
- c. Suspicious Email Forwarding Activity.
- d. Messages have been delayed.
- e. Tenant restricted from sending unprovisioned email.
- f. Tenant restricted from sending email.
- g. A potentially malicious URL click was detected.
Rationale: Potentially malicious or service impacting events may go undetected without a means of detecting these events. Setting up a mechanism to alert administrators to events listed above draws attention to them to help minimize impact to users and the agency.
Remediation action:
- Sign in to Microsoft 365 Defender.
- Under Email & collaboration, select Policies & rules.
- Select Alert Policy (https://security.microsoft.com/alertpoliciesv2).
- Select the checkbox next to each alert to enable as determined by the agency and, at a minimum, those referenced in the CISA M365 Security Configuration Baseline for Exchange Online, which are:
  - a. Suspicious email sending patterns detected.
  - b. Suspicious connector activity.
  - c. Suspicious Email Forwarding Activity.
  - d. Messages have been delayed.
  - e. Tenant restricted from sending unprovisioned email.
  - f. Tenant restricted from sending email.
  - g. A potentially malicious URL click was detected.
- Click the pencil icon from the top menu.
- Select the Enable selected policies action from the Bulk actions menu.
Related links
Test Results
Well done. Your tenant has alerts configured.
Alert Name | Alert Result |
---|---|
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/A potentially malicious URL click was detected | ✅ Pass |
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Messages have been delayed | ✅ Pass |
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious connector activity | ✅ Pass |
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious Email Forwarding Activity | ✅ Pass |
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious email sending patterns detected | ✅ Pass |
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant restricted from sending email | ✅ Pass |
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant restricted from sending unprovisioned email | ✅ Pass |
Tag: MS.EXO
MS.EXO.16.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaExoAlert.Tests.ps1
MS.EXO.17.1: Microsoft Purview Audit (Standard) logging SHALL be enabled.

Overview
Microsoft Purview Audit (Standard) logging SHALL be enabled.
Rationale: Responding to incidents without detailed information about activities that took place slows response actions. Enabling Microsoft Purview Audit (Standard) helps ensure agencies have visibility into user actions. Furthermore, Microsoft Purview Audit (Standard) is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs).
Remediation action:
To enable auditing via the Microsoft Purview compliance portal:
- Sign in to the Microsoft Purview compliance portal.
- Under Solutions, select Audit.
- If auditing is not enabled, a banner is displayed to notify the administrator to start recording user and admin activity.
- Click the Start recording user and admin activity.
Related links
Test Results
Your tenant does not have unified audit log enabled.
Tag: MS.EXO
MS.EXO.17.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAuditLog.Tests.ps1
MS.EXO.17.2: Microsoft Purview Audit (Premium) logging SHALL be enabled.

Overview
Microsoft Purview Audit (Premium) logging SHALL be enabled.
Rationale: Standard logging may not include relevant details necessary for visibility into user actions during an incident. Enabling Microsoft Purview Audit (Premium) captures additional event types not included with Standard. Furthermore, it is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs w/Advanced Features).
Remediation action:
To set up Microsoft Purview Audit (Premium), see Set up Microsoft Purview Audit (Premium) | Microsoft Learn.
Related links
Test Results
Well done. Your tenant has SearchQueryInitiated audit log enabled.
Mailbox | SearchQueryInitiated |
---|---|
AdeleV@vxcnx.onmicrosoft.com | ❌ Fail |
admin-alitis01@vxcnx.onmicrosoft.com | ❌ Fail |
AlexW@vxcnx.onmicrosoft.com | ❌ Fail |
alIT@alit.is | ❌ Fail |
bensi@alit.is | ❌ Fail |
DiegoS@vxcnx.onmicrosoft.com | ❌ Fail |
DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@vxcnx.onmicrosoft.com | ❌ Fail |
GradyA@vxcnx.onmicrosoft.com | ❌ Fail |
hbh@alit.is | ❌ Fail |
HenriettaM@vxcnx.onmicrosoft.com | ❌ Fail |
IsaiahL@vxcnx.onmicrosoft.com | ❌ Fail |
JohannaL@vxcnx.onmicrosoft.com | ❌ Fail |
JoniS@vxcnx.onmicrosoft.com | ❌ Fail |
LeeG@vxcnx.onmicrosoft.com | ❌ Fail |
LidiaH@vxcnx.onmicrosoft.com | ❌ Fail |
LynneR@vxcnx.onmicrosoft.com | ❌ Fail |
MeganB@vxcnx.onmicrosoft.com | ❌ Fail |
MiriamG@vxcnx.onmicrosoft.com | ❌ Fail |
NestorW@vxcnx.onmicrosoft.com | ❌ Fail |
PattiF@vxcnx.onmicrosoft.com | ❌ Fail |
PradeepG@vxcnx.onmicrosoft.com | ❌ Fail |
Tag: MS.EXO
MS.EXO.17.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAuditLogPremium.Tests.ps1
MS.EXO.17.3: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).

Overview
Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).
Rationale: Audit logs may no longer be available when needed if they are not retained for a sufficient time. Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago. OMB M-21-31, Appendix C, Table 5 specifically calls out Unified Audit Logs in the Cloud Azure log category.
Remediation action:
To create one or more custom audit retention policies, if the default retention policy is not sufficient for agency needs, follow Create an audit log retention policy instructions. Ensure the duration selected in the retention policies is at least one year, in accordance with OMB M-21-31.
Related links
Test Results
Your tenant does not have Exchange Online audit retention enabled.
Policy Result | Policy Name | Record Types | Retention Duration |
---|---|---|---|
Tag: MS.EXO
MS.EXO.17.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaAuditLogRetention.Tests.ps1
MS.SHAREPOINT.1.1: External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization.

Overview
External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization.
Rationale: Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of access to information.
Remediation action:
- Sign in to the SharePoint admin center.
- Select Policies > Sharing.
- Adjust external sharing slider for SharePoint to Existing guests or Only people in your organization.
⚠️ WARNING: This will break existing sharing.
- Select Save.
Related links
Test Results
Your tenant does not restrict SharePoint Online sharing.
- externalUserAndGuestSharing
Tag: MS.SHAREPOINT
MS.SHAREPOINT.1.1
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\spo\Test-MtCisaSpoSharing.Tests.ps1
MS.SHAREPOINT.1.3: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.

Overview
External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
Rationale: By limiting sharing to domains or approved security groups used for interagency collaboration purposes, administrators help prevent sharing with unknown organizations and individuals.
Remediation action:
This policy is only applicable if the external sharing slider on the admin page is set to any value other than Only People in your organization.
- Sign in to the SharePoint admin center.
- Select Policies > Sharing.
- Expand More external sharing settings.
- Select Limit external sharing by domain.
- Select Add domains.
- Add each approved external domain users are allowed to share files with.
- Select Manage security groups.
- Add each approved security group. Members of these groups will be allowed to share files externally.
- Select Save.
Related links
Test Results
Your tenant does not restrict SharePoint Online sharing to specific domains.
Tag: MS.SHAREPOINT
MS.SHAREPOINT.1.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\spo\Test-MtCisaSpoSharingAllowedDomain.Tests.ps1
MT.1001: At least one Conditional Access policy is configured with device compliance.

Overview
It is recommended to have at least one conditional access policy that enforces the use of a compliant device.
See Require a compliant device, Microsoft Entra hybrid joined device, or MFA - Microsoft Learn
Test Results
There was no conditional access policy requiring device compliance.
Learn more: https://maester.dev/docs/tests/MT.1001
Tag: Maester
CA
Security
All
MT.1001
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1003: At least one Conditional Access policy is configured with All Apps.

Overview
Microsoft recommends creating at least one conditional access policy targeting all cloud apps and ideally all users.
See Plan a Conditional Access deployment - Microsoft Learn
Test Results
There was no conditional access policy targeting all cloud apps.
Learn more: https://maester.dev/docs/tests/MT.1003
Tag: Maester
CA
Security
All
MT.1003
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1004: At least one Conditional Access policy is configured with All Apps and All Users.

Overview
Microsoft recommends creating at least one conditional access policy targeting all cloud apps and ideally all users.
See Plan a Conditional Access deployment - Microsoft Learn
Test Results
There was no conditional access policy targeting all cloud apps and all users.
Learn more: https://maester.dev/docs/tests/MT.1004
Tag: Maester
CA
Security
All
MT.1004
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1005: All Conditional Access policies are configured to exclude at least one emergency/break glass account or group.

Overview
It is recommended to have at least one emergency/break glass account or account group excluded from all conditional access policies. This allows for emergency access to the tenant in case of a misconfiguration or other issues.
See Manage emergency access accounts in Microsoft Entra ID - Microsoft Learn
Test Results
These conditional access policies don’t have the emergency access excluded:
%TestResult%
Learn more: https://maester.dev/docs/tests/MT.1005
Tag: Maester
CA
Security
All
MT.1005
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1006: At least one Conditional Access policy is configured to require MFA for admins.

Overview
This test checks if the tenant has at least one conditional access policy requiring MFA for admins. The following roles are considered admin roles:
- Global Administrator
- Application Administrator
- Authentication Administrator
- Billing Administrator
- Cloud Application Administrator
- Conditional Access Administrator
- Exchange Administrator
- Helpdesk Administrator
- Password Administrator
- Privileged Authentication Administrator
- Privileged Role Administrator
- Security Administrator
- SharePoint Administrator
- User Administrator
See Require MFA for administrators - Microsoft Learn
Test Results
No conditional access policy requires multi-factor authentication for all admin roles.
Learn more: https://maester.dev/docs/tests/MT.1006
Tag: Maester
CA
Security
All
MT.1006
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1007: At least one Conditional Access policy is configured to require MFA for all users.

Overview
This test checks if the tenant has at least one conditional access policy requiring MFA for all users.
See Require MFA for all users - Microsoft Learn
Test Results
No conditional access policy requires multi-factor authentication for all users.
Learn more: https://maester.dev/docs/tests/MT.1007
Tag: Maester
CA
Security
All
MT.1007
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1008: At least one Conditional Access policy is configured to require MFA for Azure management.

Overview
Test-MtCaMfaForAdminManagement | Should -Be $true -Because "there is no policy that requires MFA for Azure management"
Reason for failure
Expected $true, because there is no policy that requires MFA for Azure management, but got $false.
Learn more: https://maester.dev/docs/tests/MT.1008
Tag: Maester
CA
Security
All
MT.1008
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1009: At least one Conditional Access policy is configured to block other legacy authentication.

Overview
Legacy authentication is an insecure authentication method. This function checks if the tenant has at least one conditional access policy that blocks legacy authentication.
See Block legacy authentication - Microsoft Learn
Test Results
There was no conditional access policy blocking legacy authentication for other clients.
Learn more: https://maester.dev/docs/tests/MT.1009
Tag: Maester
CA
Security
All
MT.1009
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1010: At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync.

Overview
Legacy authentication is an insecure authentication method. This function checks if the tenant has at least one conditional access policy that blocks legacy authentication.
See Block legacy authentication - Microsoft Learn
Test Results
There was no conditional access policy blocking legacy authentication for Exchange ActiveSync.
Learn more: https://maester.dev/docs/tests/MT.1010
Tag: Maester
CA
Security
All
MT.1010
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1011: At least one Conditional Access policy is configured to secure security info registration only from a trusted location.

Overview
Checks if the tenant has at least one conditional access policy securing security info registration.
See Securing security info registration - Microsoft Learn
Test Results
No conditional access policy securing security info registration.
Learn more: https://maester.dev/docs/tests/MT.1011
Tag: Maester
CA
Security
All
MT.1011
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1012: At least one Conditional Access policy is configured to require MFA for risky sign-ins.

Overview
Checks if the tenant has at least one conditional access policy requiring multifactor authentication for risky sign-ins.
See Sign-in risk-based multifactor authentication - Microsoft Learn
Test Results
No conditional access policy requires multi-factor authentication for risky sign-ins.
Learn more: https://maester.dev/docs/tests/MT.1012
Tag: Maester
CA
Security
All
MT.1012
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1013: At least one Conditional Access policy is configured to require new password when user risk is high.

Overview
Checks if the tenant has at least one conditional access policy requiring password change for high user risk.
See User risk-based password change - Microsoft Learn
Test Results
No conditional access policy requires a password change for risky users.
Learn more: https://maester.dev/docs/tests/MT.1013
Tag: Maester
CA
Security
All
MT.1013
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1014: At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins.

Overview
Microsoft recommends requiring device compliance for administrators that are members of the following roles:
- Global administrator
- Application administrator
- Authentication Administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged Role Administrator
- Security administrator
- SharePoint administrator
- User administrator
See Require compliant or Microsoft Entra hybrid joined device for administrators - Microsoft Learn
Test Results
There was no conditional access policy requiring compliant or Microsoft Entra hybrid joined device for administrators.
Learn more: https://maester.dev/docs/tests/MT.1014
Tag: Maester
CA
Security
All
MT.1014
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1015: At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms.

Overview
Microsoft recommends blocking access for unknown or unsupported device platforms.
See Block access for unknown or unsupported device platform - Microsoft Learn
Test Results
There was no conditional access policy blocking access for unknown or unsupported device platforms.
Learn more: https://maester.dev/docs/tests/MT.1015
Tag: Maester
CA
Security
All
MT.1015
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1016: At least one Conditional Access policy is configured to require MFA for guest access.

Overview
This check verifies if there is at least one conditional access policy that requires multifactor authentication for all guest accounts.
See Require multifactor authentication for guest access - Microsoft Learn
Test Results
No conditional access policy requires multi-factor authentication for guest accounts.
Learn more: https://maester.dev/docs/tests/MT.1016
Tag: Maester
CA
Security
All
MT.1016
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1017: At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices.

Overview
Microsoft recommends disabling browser persistence for users accessing the tenant from an unmanaged device.
See Require reauthentication and disable browser persistence - Microsoft Learn
Test Results
There was no conditional access policy enforcing non persistent browser session for non-corporate devices.
Learn more: https://maester.dev/docs/tests/MT.1017
Tag: Maester
CA
Security
All
MT.1017
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1018: At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices.

Overview
Microsoft recommends disabling browser persistence for users accessing the tenant from an unmanaged device.
See Require reauthentication and disable browser persistence - Microsoft Learn
Test Results
There was no conditional access policy enforcing sign-in frequency for non-corporate devices.
Learn more: https://maester.dev/docs/tests/MT.1018
Tag: Maester
CA
Security
All
MT.1018
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1019: At least one Conditional Access policy is configured to enable application enforced restrictions.

Overview
Test-MtCaApplicationEnforcedRestriction | Should -Be $true -Because "there is no policy that enables application enforced restrictions"
Reason for failure
Expected $true, because there is no policy that enables application enforced restrictions, but got $false.
Learn more: https://maester.dev/docs/tests/MT.1019
Tag: Maester
CA
Security
All
MT.1019
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1020: All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them.

Overview
It is recommended to exclude directory synchronization accounts from all conditional access policies scoped to all cloud apps.
Test Results
All conditional access policies scoped to all cloud apps exclude the directory synchronization accounts.
Learn more: https://maester.dev/docs/tests/MT.1020
Tag: Maester
CA
Security
All
MT.1020
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1022: All users utilizing a P1 license should be licensed.

Overview
This test checks the utilization of Entra ID P1 licenses in the tenant.
Test Results
Total users entitled for Entra ID P1: 23
Total P1 licenses utilized: 0
Learn more: https://maester.dev/docs/tests/MT.1022
Tag: LicenseUtilization
MT.1022
Category: License utilization
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1023: All users utilizing a P2 license should be licensed.

Overview
This test checks the utilization of Entra ID P2 licenses in the tenant.
Test Results
Total users entitled for Entra ID P2: 23
Total P2 licenses utilized: 0
Learn more: https://maester.dev/docs/tests/MT.1023
Tag: LicenseUtilization
MT.1023
Category: License utilization
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1024: Entra Recommendation - Remove unused applications.

Overview
Removing unused applications helps reduce the attack surface area and helps declutter the app portfolio of a tenant.
Test Results
This recommendation will surface if your tenant has applications that have not been used for over 90 days. Applications that were created but never used, client applications that have not been issued a token, or resource apps that have not been the target of a token request will show under this recommendation.
If the recommendation is not applicable for your tenant, it can be marked as Dismissed for Maester to skip it in the future.
➡️ Open Recommendation - Remove unused applications in the Entra admin portal.
Impacted resources
Status | Name | First detected |
---|---|---|
❌ Fail | AdminDroid Service Application | 09/14/2024 10:00:41 |
❌ Fail | Maester DevOps Account | 12/01/2024 10:03:11 |
❌ Fail | Onboarding | 01/06/2025 10:03:15 |
❌ Fail | demo-vpn | 02/02/2025 10:00:55 |
❌ Fail | smtp-mail | 02/04/2025 10:00:59 |
❌ Fail | SPSitesSelected | 08/30/2024 10:01:26 |
❌ Fail | azure-cli-2024-03-12-12-48-34 | 08/30/2024 10:01:26 |
❌ Fail | bensi0279-alit.is-9015be5c-193f-4aea-8a9f-abee625826df | 08/30/2024 10:01:26 |
❌ Fail | statictest | 08/30/2024 10:01:26 |
❌ Fail | Portals-alit | 08/30/2024 10:01:26 |
❌ Fail | WindowsAdminCenter-https://wac01.bge.internal | 08/30/2024 10:01:26 |
❌ Fail | spn-azure-bicep-github | 08/30/2024 10:01:26 |
❌ Fail | Alit-GraphAPI | 08/30/2024 10:01:26 |
❌ Fail | WindowsAdminCenter-https://git-worker-01 | 08/30/2024 10:01:26 |
Remediation actions:
- From the Impacted resources table, select More details to identify the impacted resources.
- Select the Resource link to go directly to the associated App registration page.
- Determine if the identified application is needed based on the application usage scenario. For example, an application could have usage gaps due to being deprecated or to intentional long intermittent use through the year.
- If the application is no longer needed, remove it from your tenant by first soft deleting it, waiting 15 days, and then removing it permanently. For details on how to soft or permanently delete applications, see How to: Restore or remove a recently deleted application with the Microsoft identity platform.
- If the application is needed, you have the option to update the status of the recommendation for that application to Dismissed or Postponed. For more information, see How to update a recommendation.
- For more information, see Recommendation to remove unused apps.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
staleApps
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Remove unused credentials from applications.

Overview
Removing unused application credentials helps reduce the attack surface area and helps declutter the app portfolio of a tenant.
Test Results
Your tenant has applications with credentials which have not been used in more than 30 days.
If the recommendation is not applicable for your tenant, it can be marked as Dismissed for Maester to skip it in the future.
➡️ Open Recommendation - Remove unused credentials from applications in the Entra admin portal.
Impacted resources
Status | Name | First detected |
---|---|---|
❌ Fail | P2P Server | 10/28/2024 10:01:43 |
Remediation actions:
- From the ‘Impacted resources’ table, select ‘More details’ to identify the Credential ID and the Origin of the credential.
- Select ‘Update credential’ to go directly to the Application or Service principal area.
- If the Origin of the credential is an application, select ‘Certificates & secrets’, then locate the unused credential and remove it.
- If the Origin of the credential is a service principal, go to ‘Identity’ > ‘Enterprise applications’ > ‘Single sign-on’ > ‘SAML certificates’, then locate the unused credential and remove it.
- In the instance where the origin of the credential in the recommendation is marked as service principal but there are no SAML certificates, you can use the Microsoft Graph API to query specific properties and remove the credential from the Service Principal. For more information, see Recommendation to remove unused apps.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
staleAppCreds
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Renew expiring application credentials.

Overview
Renewing an application’s credentials prior to their expiry date is crucial for maintaining uninterrupted operations and minimizing the risk of any downtime resulting from outdated credentials.
Test Results
Your tenant has applications with credentials that will expire soon.
➡️ Open Recommendation - Renew expiring application credentials in the Entra admin portal.
Remediation actions:
- From the impacted resources table, click on “More details” to see and note the ID of the credential.
- Click the “Update credential” link to navigate to the Application registration blade.
- Navigate to the Certificates & Secrets section of the app registration.
- Pick the credential type that you want to rotate, navigate to either the Certificates or the Client Secret tab, and follow the prompts to add a new credential of that type.
- Once the certificate or secret is successfully added, update the service code to ensure it works with the new credential.
- Use the Microsoft Entra sign-in logs to validate that the Key ID of the credential matches the one that was recently added.
- After validating the new credential, navigate back to App registrations > Certificates and Secrets for the app and remove the old credential.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
applicationCredentialExpiry
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Renew expiring service principal credentials.

Overview
Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.
Test Results
Your tenant has service principals with credentials that will expire soon.
➡️ Open Recommendation - Renew expiring service principal credentials in the Entra admin portal.
Remediation actions:
- Navigate to the Enterprise applications section and locate the Enterprise application for which the credential needs to be rotated.
- Edit the ‘SAML signing certificate’ section and follow the prompts to add a new certificate.
- After adding the certificate, change its properties to make the certificate active. This will make the previous certificate inactive.
- Once the certificate is successfully added and activated, validate that your service is working with the new credential, and remove the old credential.
- If the service principal does not show any credentials after navigating to the enterprise apps blade, we recommend checking the ‘passwordCredentials’ and ‘keyCredentials’ properties of the service principal object using PowerShell or the Microsoft Graph service principal API, and using the Microsoft Graph API to rotate the credentials.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
servicePrincipalKeyExpiry
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Do not allow users to grant consent to unreliable applications.

Overview
To reduce the risk of malicious applications attempting to trick users into granting them access to your organization’s data, we recommend that you allow user consent only for applications that have been published by a verified publisher.
Test Results
You have no user consent policy in place.
If the recommendation is not applicable for your tenant, it can be marked as Dismissed for Maester to skip it in the future.
➡️ Open Recommendation - Do not allow users to grant consent to unreliable applications in the Entra admin portal.
Remediation actions:
- Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions.
- Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)” to follow Microsoft’s best practice. Learn more.
- Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more.
- Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get the full score. Learn how to configure the admin consent workflow.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
integratedApps
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Do not expire passwords.

Overview
Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present), it should remain as strong in the future as it is today. Microsoft’s official security position is to not expire passwords periodically without a specific reason, and it recommends that cloud-only tenants set the password policy to never expire.
Test Results
Your current policy is set to never let passwords expire.
➡️ Open Recommendation - Do not expire passwords in the Entra admin portal.
Remediation actions:
- In the Microsoft 365 admin center, go to Settings > Org Settings > Security & privacy > Password expiration policy. Then check the box “Set passwords to never expire (recommended)”. You must be a global admin to edit the password policy. Go to Password expiration policy in Microsoft 365.
- If your organization has an on-premises implementation, we recommend that you set the status for this action to “Completed” or “Resolved through alternate mitigation”.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
pwagePolicyNew
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Enable password hash sync if hybrid.

Overview
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Microsoft Entra Connect synchronizes a hash of the hash of a user’s password from an on-premises Active Directory instance to Microsoft Entra ID. Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one. Enabling password hash synchronization also allows for leaked credential reporting.
Test Results
You have enabled password hash sync.
➡️ Open Recommendation - Enable password hash sync if hybrid in the Entra admin portal.
Remediation actions:
- To use password hash synchronization in your organization, you need to install Microsoft Entra Connect and configure directory synchronization between your on-premises Active Directory instance and Microsoft Entra ID. Follow these steps to enable password hash synchronization.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
passwordHashSync
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph.

Overview
Azure AD Graph APIs are in the retirement cycle and have no SLA or maintenance commitment beyond security-related fixes. Applications that continue to use Azure AD Graph APIs and have not migrated to Microsoft Graph will be impacted by future retirement activity for Azure AD Graph. Microsoft Graph offers a single unified endpoint to access Microsoft Entra services and Microsoft 365 services. Microsoft Graph has all the capabilities that have been available in Azure AD Graph and many newer APIs and features. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.
Test Results
1 service principal in your tenant is calling one or more retiring APIs from Azure AD Graph and needs to be migrated to Microsoft Graph.
➡️ Open Recommendation - Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph in the Entra admin portal.
Remediation actions:
- Review the list of Service Principals calling Azure AD Graph under Impacted Resources.
- Working with the owner or publisher of the corresponding application, identify the steps required to update the application to a version that uses Microsoft Graph APIs instead of Azure AD Graph APIs.
- Learn more about Azure AD Graph retirement: Azure AD Graph Retirement.
- Learn more about Microsoft Graph: Microsoft Graph.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
aadGraphDeprecationServicePrincipal
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Use least privileged administrative roles.

Overview
Ensure that your administrators can accomplish their work with the least amount of privilege assigned to their account. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached.
Test Results
You currently have 1 user with privileged administrative roles.
➡️ Open Recommendation - Use least privileged administrative roles in the Entra admin portal.
Remediation actions:
- Identify the users in your organization with a persistent global administrator role assigned. Go to Microsoft Entra ID > Roles and administrators and select the Global administrator role in the table. Identify the global admins you want to reassign to a different role. Go to Roles and administrators in Microsoft Entra ID.
- Assign these users to roles where they can complete necessary tasks with the least amount of privilege required. For example, if a user is primarily responsible for Exchange Online administration, they should be assigned that role instead of global administrator. Be sure to have at least two global admins designated to allow for full access to the network if one of the accounts is locked out or compromised. Check out this overview of available limited administrative roles.
- After these persistent global admins have been reassigned new roles, return to Roles and administrators and select the Global administrator role. Select the users that no longer need persistent access and then click Remove. Go to Roles and administrators in Microsoft Entra ID.
- Emergency access accounts: If the only other global admin accounts your organization has set up are for “break-glass” scenarios, which are ineligible for role reassignment, we recommend that you set the status of this action to “Dismissed” or “Risk accepted”. Learn more about emergency access accounts.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester
Entra
Security
All
Recommendation
MT.1024
roleOverlap
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Enable self-service password reset.

Overview
With self-service password reset in Microsoft Entra ID, users no longer need to engage helpdesk to reset passwords. This feature works well with Microsoft Entra ID dynamically banned passwords, which prevents easily guessable passwords from being used.
Test Results
You have 22 users who don’t have self-service password reset enabled.
If the recommendation is not applicable for your tenant, it can be marked as Dismissed for Maester to skip it in the future.
➡️ Open Recommendation - Enable self-service password reset in the Entra admin portal.
Remediation actions:
Follow our step-by-step guidance to enable self-service password reset.
If you have users synced from on-premises using Microsoft Entra Connect, you may also need to enable the password writeback feature. For more information, see this article.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester, Entra, Security, All, Recommendation, MT.1024, selfServicePasswordReset
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Protect your tenant with Insider Risk condition in Conditional Access policy.

Overview
Enabling an Insider Risk-based Conditional Access policy offers crucial benefits, including early detection of anomalies, adaptive access controls, and real-time responses to insider threats. It prevents unauthorized access, enforces compliance, and reduces the impact of insider incidents. By fostering a security-aware culture, the policy integrates with the broader security ecosystem, providing a comprehensive approach to mitigate risks originating from within the organization, safeguarding sensitive data, and enhancing overall security posture.
Test Results
You have 23 of 23 users that aren’t covered by the Insider Risk condition in a Conditional Access policy.
If the recommendation is not applicable for your tenant, it can be marked as Dismissed for Maester to skip it in the future.
➡️ Open Recommendation - Protect your tenant with Insider Risk condition in Conditional Access policy in the Entra admin portal.
Remediation actions:
Enable Adaptive Protection in Microsoft Purview. You must be a member of the Insider Risk Management or Insider Risk Management Admins role group in Microsoft Purview to configure Adaptive Protection. Go to Adaptive Protection.
Create a Conditional Access policy that includes the Insider Risk condition. Use this risk policy template.
For more information about this recommendation and the associated features, see Adaptive Protection and Insider Risk Conditional Access recommendation.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester, Entra, Security, All, Recommendation, MT.1024, insiderRiskPolicy
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1024: Entra Recommendation - Designate more than one global admin.

Overview
Having more than one global administrator helps if you’re unable to fulfill the needs or obligations of your organization. It’s important to have a delegate or an emergency access account that someone from your team can access if necessary. It also allows admins the ability to monitor each other for signs of a breach.
Test Results
You currently have 1 global admins.
If the recommendation is not applicable for your tenant, it can be marked as Dismissed for Maester to skip it in the future.
➡️ Open Recommendation - Designate more than one global admin in the Entra admin portal.
Remediation actions:
- Assign more than one user a global administrator role in your organization. Go to Microsoft Entra ID > Roles and administrators and select the Global administrator role in the table. Then click Add assignments. Go to the Global administrator role in Microsoft Entra ID.
Learn more: https://maester.dev/docs/tests/MT.1024
Tag: Maester, Entra, Security, All, Recommendation, MT.1024, oneAdmin
Category: Entra Recommendations
Source: C:\maester-tests\Maester\Entra\Test-EntraRecommendations.Tests.ps1
MT.1025: No external user with permanent role assignment on Control Plane.

Overview
Pay attention to B2B collaboration users with Entra ID directory role assignments on the Control Plane. Verify the affected external users, their source (e.g., MSSP/partner or managing tenant), and whether these privileged accounts meet your requirements for Conditional Access, Lifecycle Workflows and Identity Protection. Learn more about the best practices for privileged users.
Test Results
Well done!
Learn more: https://maester.dev/docs/tests/MT.1025
Tag: Maester, Privileged, Security, All, MT.1025
Category: Directory Roles - Permanent assignments
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1026: No hybrid user with permanent role assignment on Control Plane.

Overview
It’s recommended to use cloud-only accounts for Control Plane privileges to avoid attack paths from the on-premises environment. Learn more about the best practices for privileged users:
- Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID
- Protecting Microsoft 365 from on-premises attacks
Test Results
Well done!
Learn more: https://maester.dev/docs/tests/MT.1026
Tag: Maester, Privileged, Security, All, MT.1026
Category: Directory Roles - Permanent assignments
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1027: No Service Principal with Client Secret and permanent role assignment on Control Plane.

Overview
Review your Service Principals with Client Secrets and Control Plane privileges. It’s recommended to use certificates for Service Principals. Review whether you can replace client secrets with certificates, or use managed identities instead of a Service Principal. Learn more about the best practices for issuing certificates for Service Principals:
- Securing service principals in Microsoft Entra ID
- Best practices for all isolation architectures - Service Principal Credentials
Test Results
Well done!
Learn more: https://maester.dev/docs/tests/MT.1027
Tag: Maester, Privileged, Security, All, MT.1027
Category: Directory Roles - Permanent assignments
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1028: No user with mailbox and permanent role assignment on Control Plane.

Overview
Pay attention to mail-enabled administrative accounts with Control Plane privileges. It’s recommended to forward mail to a regular work account, which avoids direct mailbox access and phishing attacks against the privileged user. Learn more about the best practices for securing privileged user accounts.
Test Results
These directory role assignments for UserMailbox exist:
- Joi Jons with Global Administrator on scope directory (tenant-wide)
Learn more: https://maester.dev/docs/tests/MT.1028
Tag: Maester, Privileged, Security, All, MT.1028
Category: Directory Roles - Permanent assignments
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1029: Stale accounts are not assigned to privileged roles.

Overview
Security Impact
Accounts in a privileged role have not signed in recently. These accounts might be service or shared accounts that aren’t being maintained and are vulnerable to attackers.
Mitigation steps
Review the accounts in the list. If they no longer need access, remove them from their privileged roles.
How to prevent
Regularly review accounts with privileged roles using access reviews and remove role assignments which are no longer needed.
Test Results
1 account(s) in privileged roles that have not signed in to Azure AD in the past 30 day(s)
- Joi Jons with Global Administrator by AssigneeId 663f1ee9-74d5-4c94-833b-b5e8013942f5
Get more details from the PIM alert Potential stale accounts in a privileged role in the Azure Portal.
Learn more: https://maester.dev/docs/tests/MT.1029
Tag: Privileged, Security, All, MT.1029
Category: Privileged Identity Management (PIM) - Alerts
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1030: Eligible role assignments on Control Plane are in use by administrators.

Overview
# The PIM alerts API requires Entra ID P2; skip the test otherwise.
if ( ( Get-MtLicenseInformation EntraID ) -ne "P2" ) {
    Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
} else {
    # Query the PIM alert for eligible Control Plane assignments that were never activated.
    $Check = Test-MtPimAlertsExists -AlertId "RedundantAssignmentAlert" -FilteredAccessLevel "ControlPlane"
    $Check.numberOfAffectedItems -eq "0" | Should -Be $true -Because $Check.securityImpact
}
Reason for failure
You cannot call a method on a null-valued expression.
Learn more: https://maester.dev/docs/tests/MT.1030
Tag: Privileged, Security, All, MT.1030
Category: Privileged Identity Management (PIM) - Alerts
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1031: Privileged role on Control Plane are managed by PIM only.

Overview
# The PIM alerts API requires Entra ID P2; skip the test otherwise.
if ( ( Get-MtLicenseInformation EntraID ) -ne "P2" ) {
    Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
} else {
    # Query the PIM alert for Control Plane roles assigned outside of PIM.
    $Check = Test-MtPimAlertsExists -AlertId "RolesAssignedOutsidePimAlert" -FilteredAccessLevel "ControlPlane"
    $Check.numberOfAffectedItems -eq "0" | Should -Be $true -Because $Check.securityImpact
}
Reason for failure
You cannot call a method on a null-valued expression.
Learn more: https://maester.dev/docs/tests/MT.1031
Tag: Privileged, Security, All, MT.1031
Category: Privileged Identity Management (PIM) - Alerts
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1032: Limited number of Global Admins are assigned.

Overview
# The PIM alerts API requires Entra ID P2; skip the test otherwise.
if ( ( Get-MtLicenseInformation EntraID ) -ne "P2" ) {
    Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
} else {
    # Query the PIM alert that fires when too many Global Administrators are assigned.
    $Check = Test-MtPimAlertsExists -AlertId "TooManyGlobalAdminsAssignedToTenantAlert"
    $Check.numberOfAffectedItems -eq "0" | Should -Be $true -Because $Check.securityImpact
}
Reason for failure
You cannot call a method on a null-valued expression.
Learn more: https://maester.dev/docs/tests/MT.1032
Tag: Privileged, Security, All, MT.1032
Category: Privileged Identity Management (PIM) - Alerts
Source: C:\maester-tests\Maester\Entra\Test-PrivilegedAssignments.Tests.ps1
MT.1035: All security groups assigned to Conditional Access Policies should be protected by RMAU.

Overview
Test Results
Well done! All security groups with assignment in Conditional Access are protected!
Learn more: https://maester.dev/docs/tests/MT.1035
Tag: Maester, CA, Security, All, MT.1035
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1036: All excluded objects should have a fallback include in another policy.

Overview
All excluded objects should have a fallback include in another policy
Test Results
All excluded objects seem to have a fallback in other policies.
Learn more: https://maester.dev/docs/tests/MT.1036
Tag: Maester, CA, Security, All, MT.1036, Warning
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1038: Conditional Access policies should not include or exclude deleted groups.

Overview
This test checks if there are any Conditional Access policies that target deleted security groups.
This usually happens when a group is deleted but is still referenced in a Conditional Access policy.
Deleted groups in your policy can lead to unexpected gaps. This may result in Conditional Access policies not being applied to the users you intended or the policy not being applied at all.
To fix this issue:
- Open the impacted Conditional access policy.
- If the group is no longer needed, click Save to remove the referenced group from the policy.
- If the group is still needed, update the policy to target a valid group.
Test Results
Well done! All Conditional Access policies are targeting active groups.
Note: Names are not available for deleted groups. If the group was deleted in the last 30 days it may be available under Entra admin centre - Deleted groups.
Learn more: https://maester.dev/docs/tests/MT.1038
Tag: Maester, CA, Security, All, MT.1038, Warning
Category: Conditional Access Baseline Policies
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
CIS 1.3.1 (L1) Ensure the ‘Password expiration policy’ is set to ‘Set passwords to never expire (recommended)’
Overview
1.3.1 (L1) Ensure the ‘Password expiration policy’ is set to ‘Set passwords to never expire (recommended)’
Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it.
Remediation action:
To set Office 365 passwords to never expire:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Settings, then select Org Settings.
- Click on Security & privacy.
- Check the Set passwords to never expire (recommended) box.
- Click Save.
Related links
Test Results
Skipped. Missing Scope Domain.Read.All
Tag: CIS 1.3.1, L1, CIS E3 Level 1, CIS E3, CIS, Security, All, CIS M365 v3.1.0
Category: CIS
Source: C:\maester-tests\cis\Test-MtCisPasswordExpiry.Tests.ps1
EIDSCA.AF02: Authentication Method - FIDO2 security key - Allow self-service set up.
Overview
Allows users to register a FIDO key through the MySecurityInfo portal, even if enabled by Authentication Methods policy.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
.isSelfServiceRegistrationAllowed -eq 'true'
Related links
- Open in Graph Explorer
- fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of FIDO2 security keys is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AF02
Tag: EIDSCA, Security, All, EIDSCA.AF02
Category: Authentication Method - FIDO2 security key
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AF03: Authentication Method - FIDO2 security key - Enforce attestation.
Overview
Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft’s additional set of validation testing.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
.isAttestationEnforced -eq 'true'
Related links
- Open in Graph Explorer
- fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of FIDO2 security keys is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AF03
Tag: EIDSCA, Security, All, EIDSCA.AF03
Category: Authentication Method - FIDO2 security key
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AF04: Authentication Method - FIDO2 security key - Enforce key restrictions.
Overview
Controls whether registration of FIDO2 keys is restricted.
Restricts usage of FIDO2 keys from unauthorized vendors or platforms.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
.keyRestrictions.isEnforced -eq 'true'
Related links
- Open in Graph Explorer
- fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of FIDO2 security keys is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AF04
Tag: EIDSCA, Security, All, EIDSCA.AF04
Category: Authentication Method - FIDO2 security key
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AF05: Authentication Method - FIDO2 security key - Restricted.
Overview
You can work with your Security key provider to determine the AAGuids of their devices for allowing or blocking usage.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
.keyRestrictions.aaGuids -notcontains $null -eq 'true'
Related links
- Open in Graph Explorer
- fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of FIDO2 security keys is not enabled and key restriction not enforced.
Learn more: https://maester.dev/docs/tests/EIDSCA.AF05
Tag: EIDSCA, Security, All, EIDSCA.AF05
Category: Authentication Method - FIDO2 security key
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AF06: Authentication Method - FIDO2 security key - Restrict specific keys.
Overview
Defines whether the list of AAGUIDs is used to allow or block registration.
Use Block or Allow as the value to blocklist or allowlist AAGUIDs.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true'
Related links
- Open in Graph Explorer
- fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of FIDO2 security keys is not enabled and key restriction not enforced.
Learn more: https://maester.dev/docs/tests/EIDSCA.AF06
Tag: EIDSCA, Security, All, EIDSCA.AF06
Category: Authentication Method - FIDO2 security key
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP.
Overview
Defines if users can use the OTP code generated by the Authenticator App.
true
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.isSoftwareOathEnabled -eq 'true'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM02
Tag: EIDSCA, Security, All, EIDSCA.AM02
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM03: Authentication Method - Microsoft Authenticator - Require number matching for push notifications.
Overview
Defines if number matching is required for MFA notifications.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.featureSettings.numberMatchingRequiredState.state -eq 'enabled'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM03
Tag: EIDSCA, Security, All, EIDSCA.AM03
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM04: Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications.
Overview
Object ID or scope of users who will see number matching in the Authenticator app.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.featureSettings.numberMatchingRequiredState.includeTarget.id -eq 'all_users'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM04
Tag: EIDSCA, Security, All, EIDSCA.AM04
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM06: Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications.
Overview
Determines whether the user’s Authenticator app will show them the client app they are signing into.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.featureSettings.displayAppInformationRequiredState.state -eq 'enabled'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM06
Tag: EIDSCA, Security, All, EIDSCA.AM06
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM07: Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications.
Overview
Object ID or scope of users who will see app information in the Authenticator app.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.featureSettings.displayAppInformationRequiredState.includeTarget.id -eq 'all_users'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM07
Tag: EIDSCA, Security, All, EIDSCA.AM07
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM09: Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications.
Overview
Determines whether the user’s Authenticator app will show them the geographic location of where the authentication request originated from.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.featureSettings.displayLocationInformationRequiredState.state -eq 'enabled'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM09
Tag: EIDSCA, Security, All, EIDSCA.AM09
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AM10: Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications.
Overview
Object ID or scope of users who will see the geographic location in the Authenticator app.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.featureSettings.displayLocationInformationRequiredState.includeTarget.id -eq 'all_users'
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Microsoft Authenticator is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AM10
Tag: EIDSCA, Security, All, EIDSCA.AM10
Category: Authentication Method - Microsoft Authenticator
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AS04: Authentication Method - SMS - Use for sign-in.
Overview
Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false.
Avoid using SMS as a primary sign-in factor (instead of a password), and consider implementing an MFA or passwordless option for special user groups as well, such as front-line workers.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')
.includeTargets.isUsableForSignIn -eq 'false'
Related links
- Open in Graph Explorer
- phoneAuthenticationMethod resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Sms is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AS04
Tag: EIDSCA, Security, All, EIDSCA.AS04
Category: Authentication Method - SMS
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.AT02: Authentication Method - Temporary Access Pass - One-time.
Overview
Determines whether the pass is limited to a one-time use.
Avoid allowing reusable passes and restrict usage to one-time use (if applicable).
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')
.isUsableOnce -eq 'true'
Related links
- Open in Graph Explorer
- temporaryAccessPassAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
Test Results
Skipped. Authentication method of Temporary Access Pass is not enabled.
Learn more: https://maester.dev/docs/tests/EIDSCA.AT02
Tag: EIDSCA, Security, All, EIDSCA.AT02
Category: Authentication Method - Temporary Access Pass
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CP01: Default Settings - Consent Policy Settings - Group owner consent for apps accessing data.
Overview
Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization’s data associated with a group. For example, a team owner in Microsoft Teams can allow an app to read all Teams messages in the team, or list the basic profile of a group’s members.
CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications.
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value -eq 'False'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Settings value is not available. This may be due to the change that this API is no longer available for recent created tenants.
Learn more: https://maester.dev/docs/tests/EIDSCA.CP01
Tag: EIDSCA, Security, All, EIDSCA.CP01
Category: Default Settings - Consent Policy Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CP03: Default Settings - Consent Policy Settings - Block user consent for risky apps.
Overview
Defines whether user consent will be blocked when a risky request is detected
Configure risk-based step-up consent - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value -eq 'true'
Related links
Test Results
Skipped. Settings value is not available. This may be due to the change that this API is no longer available for recent created tenants.
Learn more: https://maester.dev/docs/tests/EIDSCA.CP03
Tag: EIDSCA, Security, All, EIDSCA.CP03
Category: Default Settings - Consent Policy Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CP04: Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to.
Overview
If this option is set to enabled, then users request admin consent to any app that requires access to data they do not have the permission to grant. If this option is set to disabled, then users must contact their admin to request to consent in order to use the apps they need.
CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications.
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value -eq 'true'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Settings value is not available. This may be due to the change that this API is no longer available for recent created tenants.
Learn more: https://maester.dev/docs/tests/EIDSCA.CP04
Tag: EIDSCA, Security, All, EIDSCA.CP04
Category: Default Settings - Consent Policy Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests.
Overview
Specifies whether reviewers will receive notifications
Test script
https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
.notifyReviewers -eq 'true'
Related links
- Open in Graph Explorer
- adminConsentRequestPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Admin Consent Workflow is not enabled
Learn more: https://maester.dev/docs/tests/EIDSCA.CR02
Tag: EIDSCA, Security, All, EIDSCA.CR02
Category: Consent Framework - Admin Consent Request
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire.
Overview
Specifies whether reviewers will receive reminder emails
Test script
https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
.remindersEnabled -eq 'true'
Related links
- Open in Graph Explorer
- adminConsentRequestPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Admin Consent Workflow is not enabled
Learn more: https://maester.dev/docs/tests/EIDSCA.CR03
Tag: EIDSCA, Security, All, EIDSCA.CR03
Category: Consent Framework - Admin Consent Request
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days).
Overview
Specifies the duration the request is active before it automatically expires if no decision is applied
Test script
https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
.requestDurationInDays -le '30'
Related links
- Open in Graph Explorer
- adminConsentRequestPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Admin Consent Workflow is not enabled
Learn more: https://maester.dev/docs/tests/EIDSCA.CR04
Tag: EIDSCA, Security, All, EIDSCA.CR04
Category: Consent Framework - Admin Consent Request
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.PR01: Default Settings - Password Rule Settings - Password Protection - Mode.
Overview
If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
Microsoft Entra Password Protection - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value -eq 'Enforce'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Settings value is not available. This may be due to the change that this API is no longer available for recent created tenants.
Learn more: https://maester.dev/docs/tests/EIDSCA.PR01
Tag: EIDSCA, Security, All, EIDSCA.PR01
Category: Default Settings - Password Rule Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
EIDSCA.PR03: Default Settings - Password Rule Settings - Enforce custom list.
Overview
When enabled, the words in the list below are used in the banned password system to prevent easy-to-guess passwords.
Password protection in Microsoft Entra ID - Microsoft Entra ID - Microsoft Learn
Test script
https://graph.microsoft.com/beta/settings
.values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value -eq 'True'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
Test Results
Skipped. Settings value is not available. This may be due to the change that this API is no longer available for recent created tenants.
Learn more: https://maester.dev/docs/tests/EIDSCA.PR03
Tag: EIDSCA
Security
All
EIDSCA.PR03
Category: Default Settings - Password Rule Settings
Source: C:\maester-tests\EIDSCA\Test-EIDSCA.Generated.Tests.ps1
MS.EXO.04.3: The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov.
Overview
The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov.
Rationale: Email spoofing attempts are not inherently visible to domain owners. DMARC provides a mechanism to receive reports of spoofing attempts. Including reports@dmarc.cyber.dhs.gov as a point of contact for these reports gives CISA insight into spoofing attempts and is required by BOD 18-01 for FCEB departments and agencies.
Note: Only federal executive branch departments and agencies should include this email address in their DMARC record.
For other organizations, there are many services that offer managed DMARC analysis and reporting, though ensure you properly align your implementation with your organization’s policies for data handling.
Remediation action:
- See MS.EXO.4.1v1 Instructions for an overview of how to publish and check a DMARC record.
- Ensure the record published includes reports@dmarc.cyber.dhs.gov as one of the emails for the RUA field.
Related links
- Exchange admin center - Accepted domains
- CISA 4 Domain-Based Message Authentication, Reporting, and Conformance (DMARC) - MS.EXO.4.3v1
- CISA ScubaGear Rego Reference
Test Results
Skipped. This test is only for federal executive branch departments and agencies. To override use Test-MtCisaDmarcAggregateCisa -Force
Tag: MS.EXO
MS.EXO.4.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDmarcAggregateCisa.Tests.ps1
MS.EXO.08.3: The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.
Overview
The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.
Rationale: Any alternative DLP solution should be able to detect sensitive information in Exchange Online and block access to unauthorized entities.
This test will always skip by default.
Related links
- Purview admin center - Data loss prevention policies
- CISA 8 Data Loss Prevention Solutions - MS.EXO.8.3
- CISA ScubaGear Rego Reference
Test Results
Skipped. Unable to validate 3rd party solutions.
Tag: MS.EXO
MS.EXO.8.3
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaDlpAlternate.Tests.ps1
MS.EXO.09.4: Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender’s Common Attachment Filter.
Overview
Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender’s Common Attachment Filter.
Rationale: Malicious attachments often take the form of click-to-run files. Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.
Note: This test will always result in a skip result.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.4v1
- CISA ScubaGear Rego Reference
Test Results
Skipped. Only testing of MDO is supported
Tag: MS.EXO
MS.EXO.9.4
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaEmailFilterAlternative.Tests.ps1
MS.EXO.14.4: If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft.
Overview
If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft.
Rationale: Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related links
- Defender admin center - Preset security policies
- CISA 14 Inbound Anti-Spam Protections - MS.EXO.14.4
- CISA ScubaGear Rego Reference
Test Results
Skipped. Unable to validate 3rd party solutions.
Tag: MS.EXO
MS.EXO.14.4
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaSpamAlternative.Tests.ps1
MS.EXO.16.2: Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.
Overview
Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.
Rationale: Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. Sending alerts to a monitored email address or SIEM system helps ensure these suspicious or malicious events are acted upon in a timely manner to limit overall impact.
Remediation action:
- Sign in to Microsoft 365 Defender.
- Select Settings.
- Select either:
  - Microsoft Sentinel, or
  - Defender XDR, and under General, select Streaming API.
- Ensure a SIEM integration is configured for your organization.
Related links
- Defender admin center - Alert policy
- Defender admin center - Streaming API
- Defender admin center - Sentinel workspaces
- CISA 16 Alerts - MS.EXO.16.2
- CISA ScubaGear Rego Reference
Test Results
Skipped. Not available for API validation.
Tag: MS.EXO
MS.EXO.16.2
CISA
Security
All
Category: CISA SCuBA
Source: C:\maester-tests\cisa\exchange\Test-MtCisaExoAlertSiem.Tests.ps1
MT.1002: App management restrictions on applications and service principals is configured and enabled.
Overview
By default, Microsoft Entra ID allows service principals and applications to be configured with weak credentials.
This can include:
- client secrets instead of certificates
- secrets and certificates with long expiry (e.g. 10 years)
How to fix
Using shorter expiry periods and certificates instead of secrets can help reduce the risk of credentials being compromised and used by an attacker.
The sample policy below can be used to enforce credential configurations on apps and service principals.
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
    isEnabled = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                restrictionType = "passwordAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
            }
            @{
                restrictionType = "passwordLifetime"
                maxLifetime = "P365D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T10:37:00Z")
            }
            @{
                restrictionType = "symmetricKeyAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
            }
            @{
                restrictionType = "customPasswordAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
            }
            @{
                restrictionType = "symmetricKeyLifetime"
                maxLifetime = "P365D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
            }
        )
        keyCredentials = @(
            @{
                restrictionType = "asymmetricKeyLifetime"
                maxLifetime = "P365D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
            }
        )
    }
}

Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params
Learn more
Test Results
Skipped. This test is for tenants that are licensed for Entra Workload ID. See Entra Workload ID licensing
Learn more: https://maester.dev/docs/tests/MT.1002
Tag: Maester
App
Security
All
MT.1002
Category: App Management Policies
Source: C:\maester-tests\Maester\Entra\Test-AppManagementPolicies.Tests.ps1
MT.1021: Security Defaults are enabled.
Overview
Test Results
Skipped. This test is for tenants that are not licensed for any Entra ID Premium license. See Entra ID licensing
Learn more: https://maester.dev/docs/tests/MT.1021
Tag: CA
Security
All
MT.1021
Category: Security Defaults
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessBaseline.Tests.ps1
MT.1033: User should be blocked from using legacy authentication ()

Overview
Test-MtCaWIFBlockLegacyAuthentication -UserId $id | Should -Be $true
Tag: MT.1033
Category: Regular users
Source: C:\maester-tests\Maester\Entra\Test-ConditionalAccessWhatIf.Tests.ps1
MT.1037 Only users with Presenter role are allowed to present in Teams meetings
Overview
This test checks the Org-wide default meeting policy is configured to only allow users in the Presenter role to request control and share content during meetings.
Restricting who can present limits meeting disruptions and reduces the risk of unwanted or inappropriate content being shared.
Remediation action:
To prevent standard attendees from sharing content during Teams meetings:
- Click here to open Org-wide default settings > Meetings
- Or navigate to Teams Admin Center.
- Click Settings & policies > Org-wide default settings > Meetings.
- Scroll to the Content sharing section.
- Set Participants can give or request control to Off.
- Click Save.
Related links
- Manage meeting policies for content sharing
- 7 tips for safe online meetings and collaboration with Microsoft Teams - Tip 3: Determine who can present content or share their screen in your Teams meeting
Test Results
Skipped. Not connected to Teams. See Connecting to Teams
Tag: Maester
Teams
MeetingPolicy
All
MT.1037
Category: Teams Meeting policies
Source: C:\maester-tests\Maester\Teams\Test-TeamsMeeting.Tests.ps1
MT.1038 Only invited users should be automatically admitted to Teams meetings
Overview
Test Results
Skipped. Not connected to Teams. See Connecting to Teams
Tag: Maester
Teams
MeetingPolicy
All
MT.1038
Category: Teams Meeting policies
Source: C:\maester-tests\Maester\Teams\Test-TeamsMeeting.Tests.ps1
MT.1039 Restrict anonymous users from joining meetings
Overview
Test Results
Skipped. Not connected to Teams. See Connecting to Teams
Tag: Maester
Teams
MeetingPolicy
All
MT.1039
Category: Teams Meeting policies
Source: C:\maester-tests\Maester\Teams\Test-TeamsMeeting.Tests.ps1
MT.1040 Restrict anonymous users from starting Teams meetings
Overview
Test Results
Skipped. Not connected to Teams. See Connecting to Teams
Tag: Maester
Teams
MeetingPolicy
All
MT.1040
Category: Teams Meeting policies
Source: C:\maester-tests\Maester\Teams\Test-TeamsMeeting.Tests.ps1
MT.1041 Limit external participants from having control in a Teams meeting
Overview
Test Results
Skipped. Not connected to Teams. See Connecting to Teams
Tag: Maester
Teams
MeetingPolicy
All
MT.1041
Category: Teams Meeting policies
Source: C:\maester-tests\Maester\Teams\Test-TeamsMeeting.Tests.ps1
MT.1042 Restrict dial-in users from bypassing a meeting lobby
Overview
Test Results
Skipped. Not connected to Teams. See Connecting to Teams
Tag: Maester
Teams
MeetingPolicy
All
MT.1042
Category: Teams Meeting policies
Source: C:\maester-tests\Maester\Teams\Test-TeamsMeeting.Tests.ps1
Maester 1.0.0