Entra ID Security Config Analyzer Tests

These tests are based on the Entra ID Security Config Analyzer and verify Microsoft Entra mitigations for common identity attack scenarios.

Tests

| Test ID | Title | Severity | Category |
|---|---|---|---|
| EIDSCA.AF01 | Authentication Method - FIDO2 security key - State. | High | General |
| EIDSCA.AF02 | Authentication Method - FIDO2 security key - Allow self-service set up. | Medium | General |
| EIDSCA.AF03 | Authentication Method - FIDO2 security key - Enforce attestation. | High | General |
| EIDSCA.AF04 | Authentication Method - FIDO2 security key - Enforce key restrictions. | High | General |
| EIDSCA.AF05 | Authentication Method - FIDO2 security key - Restricted. | High | General |
| EIDSCA.AF06 | Authentication Method - FIDO2 security key - Restrict specific keys. | Medium | General |
| EIDSCA.AG01 | Authentication Method - General Settings - Manage migration. | High | General |
| EIDSCA.AG02 | Authentication Method - General Settings - Report suspicious activity - State. | Medium | General |
| EIDSCA.AG03 | Authentication Method - General Settings - Report suspicious activity - Included users/groups. | Medium | General |
| EIDSCA.AM01 | Authentication Method - Microsoft Authenticator - State. | High | General |
| EIDSCA.AM02 | Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. | Medium | General |
| EIDSCA.AM03 | Authentication Method - Microsoft Authenticator - Require number matching for push notifications. | Medium | General |
| EIDSCA.AM04 | Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. | Medium | General |
| EIDSCA.AM06 | Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. | Medium | General |
| EIDSCA.AM07 | Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. | Medium | General |
| EIDSCA.AM09 | Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. | Medium | General |
| EIDSCA.AM10 | Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. | Medium | General |
| EIDSCA.AP01 | Default Authorization Settings - Enabled Self service password reset for administrators. | High | General |
| EIDSCA.AP04 | Default Authorization Settings - Guest invite restrictions. | Medium | General |
| EIDSCA.AP05 | Default Authorization Settings - Sign-up for email based subscription. | Medium | General |
| EIDSCA.AP06 | Default Authorization Settings - User can join the tenant by email validation. | Medium | General |
| EIDSCA.AP07 | Default Authorization Settings - Guest user access. | High | General |
| EIDSCA.AP08 | Default Authorization Settings - User consent policy assigned for applications. | Medium | General |
| EIDSCA.AP09 | Default Authorization Settings - Allow user consent on risk-based apps. | Medium | General |
| EIDSCA.AP10 | Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. | High | General |
| EIDSCA.AP14 | Default Authorization Settings - Default User Role Permissions - Allowed to read other users. | High | General |
| EIDSCA.AS04 | Authentication Method - SMS - Use for sign-in. | High | General |
| EIDSCA.AT01 | Authentication Method - Temporary Access Pass - State. | High | General |
| EIDSCA.AT02 | Authentication Method - Temporary Access Pass - One-time. | High | General |
| EIDSCA.AV01 | Authentication Method - Voice call - State. | High | General |
| EIDSCA.CP01 | Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. | High | General |
| EIDSCA.CP03 | Default Settings - Consent Policy Settings - Block user consent for risky apps. | High | General |
| EIDSCA.CP04 | Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. | Medium | General |
| EIDSCA.CR01 | Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. | High | General |
| EIDSCA.CR02 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. | Medium | General |
| EIDSCA.CR03 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. | Medium | General |
| EIDSCA.CR04 | Consent Framework - Admin Consent Request - Consent request duration (days). | High | General |
| EIDSCA.PR01 | Default Settings - Password Rule Settings - Password Protection - Mode. | High | General |
| EIDSCA.PR02 | Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. | High | General |
| EIDSCA.PR03 | Default Settings - Password Rule Settings - Enforce custom list. | Medium | General |
| EIDSCA.PR05 | Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. | Medium | General |
| EIDSCA.PR06 | Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. | Medium | General |
| EIDSCA.ST08 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. | Medium | General |
| EIDSCA.ST09 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. | Medium | General |