| CIS.M365.1.1.1 | (L1) Ensure Administrative accounts are cloud-only | CIS | High | CIS E3 Level 1 |
| CIS.M365.1.1.3 | (L1) Ensure that between two and four global admins are designated | CIS | High | CIS E3 Level 1 |
| CIS.M365.1.2.1 | (L2) Ensure that only organizationally managed/approved public groups exist | CIS | Medium | CIS E3 Level 2 |
| CIS.M365.1.2.2 | (L1) Ensure sign-in to shared mailboxes is blocked | CIS | High | CIS E3 Level 1 |
| CIS.M365.1.3.1 | (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | CIS | High | CIS E3 Level 1 |
| CIS.M365.1.3.3 | (L2) Ensure 'External sharing' of calendars is not available | CIS | Medium | CIS E3 Level 2 |
| CIS.M365.1.3.4 | Ensure | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.1.3.5 | Ensure internal phishing protection for Forms is enabled | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.1.3.6 | (L2) Ensure the customer lockbox feature is enabled | CIS | High | CIS E5 Level 2 |
| CIS.M365.1.3.7 | Ensure | CIS | Unknown | CIS E3 Level 2 |
| CIS.M365.2.1.1 | (L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy) | CIS | Medium | CIS E5 Level 2 |
| CIS.M365.2.1.11 | (L2) Ensure comprehensive attachment filtering is applied | CIS | High | CIS E3 Level 2 |
| CIS.M365.2.1.12 | (L1) Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | CIS | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.13 | (L1) Ensure the connection filter safe list is off (Only Checks Default Policy) | CIS | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.2 | (L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | CIS | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.3 | (L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | CIS | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.4 | (L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | CIS | High | CIS E5 Level 2 |
| CIS.M365.2.1.5 | (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | CIS | High | CIS E5 Level 2 |
| CIS.M365.2.1.6 | (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | CIS | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.7 | (L1) Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | CIS | Medium | CIS E5 Level 1 |
| CIS.M365.2.1.9 | (L1) Ensure that DKIM is enabled for all Exchange Online Domains | CIS | High | CIS E3 Level 1 |
| CIS.M365.2.4.4 | (L1) Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | CIS | Medium | CIS E5 Level 1 |
| CIS.M365.3.1.1 | (L1) Ensure Microsoft 365 audit log search is Enabled | CIS | High | CIS E3 Level 1 |
| CIS.M365.4.1 | Ensure devices without a compliance policy are marked | CIS | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.2.2 | Ensure third party integrated applications are not allowed | CIS | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.2.3 | Ensure | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.3.1 | Ensure a dynamic group for guest users is created | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.5.1 | Ensure user consent to apps accessing company data on their behalf is not allowed | CIS | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.5.2 | Ensure the admin consent workflow is enabled | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.6.2 | Ensure that guest user access is restricted | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.5.2.3.5 | Ensure weak authentication methods are disabled | CIS | Unknown | CIS E3 Level 1 |
| CIS.M365.6.5.3 | Ensure additional storage providers are restricted in Outlook on the web | CIS | Unknown | CIS E3 Level 2 |
| CIS.M365.8.1.1 | (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services | CIS | Medium | CIS M365 v6.0.1 |
| CIS.M365.8.2.2 | (L1) Ensure communication with unmanaged Teams users is disabled | CIS | Medium | CIS M365 v6.0.1 |
| CIS.M365.8.2.3 | Ensure external Teams users cannot initiate conversations | CIS | Unknown | CIS M365 v6.0.1 |
| CIS.M365.8.4.1 | (L1) Ensure all or a majority of third-party and custom apps are blocked | CIS | High | CIS M365 v6.0.1 |
| CIS.M365.8.5.3 | (L1) Ensure only people in my org can bypass the lobby | CIS | Medium | CIS E3 Level 1 |
| CIS.M365.8.6.1 | (L1) Ensure users can report security concerns in Teams to internal destination | CIS | Medium | CIS E3 Level 1 |
| CISA.MS.AAD.1.1 | Legacy authentication SHALL be blocked. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.2.1 | Users detected as high risk SHALL be blocked. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.2.2 | A notification SHOULD be sent to the administrator when high-risk users are detected. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.2.3 | Sign-ins detected as high risk SHALL be blocked. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.3.1 | Phishing-resistant MFA SHALL be enforced for all users. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.3.2 | If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.3.3 | If Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | CISA | Medium | Entra ID P1 |
| CISA.MS.AAD.3.4 | The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.3.5 | The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.3.6 | Phishing-resistant MFA SHALL be required for highly privileged roles. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.3.7 | Managed devices SHOULD be required for authentication. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.3.8 | Managed Devices SHOULD be required to register MFA. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.4.1 | Security logs SHALL be sent to the agency's security operations center for monitoring. | CISA | High | Entra ID P1 |
| CISA.MS.AAD.5.1 | Only administrators SHALL be allowed to register applications. | CISA | High | Entra ID Free |
| CISA.MS.AAD.5.2 | Only administrators SHALL be allowed to consent to applications. | CISA | High | Entra ID Free |
| CISA.MS.AAD.5.3 | An admin consent workflow SHALL be configured for applications. | CISA | High | Entra ID Free |
| CISA.MS.AAD.5.4 | Group owners SHALL NOT be allowed to consent to applications. | CISA | High | Entra ID Free |
| CISA.MS.AAD.6.1 | User passwords SHALL NOT expire. | CISA | High | Entra ID Free |
| CISA.MS.AAD.7.1 | A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | CISA | High | Entra ID Free |
| CISA.MS.AAD.7.2 | Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | CISA | High | Entra ID Free |
| CISA.MS.AAD.7.3 | Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | CISA | High | Entra ID Free |
| CISA.MS.AAD.7.4 | Permanent active role assignments SHALL NOT be allowed for highly privileged roles. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.7.5 | Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.7.6 | Activation of the Global Administrator role SHALL require approval. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.7.7 | Eligible and Active highly privileged role assignments SHALL trigger an alert. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.7.8 | User activation of the Global Administrator role SHALL trigger an alert. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.7.9 | User activation of other highly privileged roles SHOULD trigger an alert. | CISA | High | Entra ID P2 |
| CISA.MS.AAD.8.1 | Guest users SHOULD have limited or restricted access to Azure AD directory objects. | CISA | Medium | Entra ID Free |
| CISA.MS.AAD.8.2 | Only users with the Guest Inviter role SHOULD be able to invite guest users. | CISA | High | Entra ID Free |
| CISA.MS.AAD.8.3 | Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | CISA | Medium | Entra ID Free |
| CISA.MS.EXO.1.1 | Automatic forwarding to external domains SHALL be disabled. | CISA | High | exchange |
| CISA.MS.EXO.10.1 | Emails SHALL be scanned for malware. | CISA | High | exchange |
| CISA.MS.EXO.10.2 | Emails identified as containing malware SHALL be quarantined or dropped. | CISA | High | exchange |
| CISA.MS.EXO.10.3 | Email scanning SHALL be capable of reviewing emails after delivery. | CISA | High | exchange |
| CISA.MS.EXO.11.1 | Impersonation protection checks SHOULD be used. | CISA | High | exchange |
| CISA.MS.EXO.11.2 | User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. | CISA | Medium | exchange |
| CISA.MS.EXO.11.3 | The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. | CISA | Medium | exchange |
| CISA.MS.EXO.12.1 | IP allow lists SHOULD NOT be created. | CISA | Medium | exchange |
| CISA.MS.EXO.12.2 | Safe lists SHOULD NOT be enabled. | CISA | Medium | exchange |
| CISA.MS.EXO.13.1 | Mailbox auditing SHALL be enabled. | CISA | High | exchange |
| CISA.MS.EXO.14.1 | A spam filter SHALL be enabled. | CISA | High | exchange |
| CISA.MS.EXO.14.2 | Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. | CISA | Medium | exchange |
| CISA.MS.EXO.14.3 | Allowed domains SHALL NOT be added to inbound anti-spam protection policies. | CISA | Medium | exchange |
| CISA.MS.EXO.14.4 | If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. | CISA | Medium | exchange |
| CISA.MS.EXO.15.1 | URL comparison with a block-list SHOULD be enabled. | CISA | Medium | exchange |
| CISA.MS.EXO.15.2 | Direct download links SHOULD be scanned for malware. | CISA | High | exchange |
| CISA.MS.EXO.15.3 | User click tracking SHOULD be enabled. | CISA | Medium | exchange |
| CISA.MS.EXO.16.1 | Alerts SHALL be enabled. | CISA | High | exchange |
| CISA.MS.EXO.16.2 | Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. | CISA | Medium | exchange |
| CISA.MS.EXO.17.1 | Microsoft Purview Audit (Standard) logging SHALL be enabled. | CISA | High | exchange |
| CISA.MS.EXO.17.2 | Microsoft Purview Audit (Premium) logging SHALL be enabled. | CISA | Medium | Deprecated |
| CISA.MS.EXO.17.3 | Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). | CISA | Medium | exchange |
| CISA.MS.EXO.2.1 | A list of approved IP addresses for sending mail SHALL be maintained. | CISA | Medium | exchange |
| CISA.MS.EXO.2.2 | An SPF policy SHALL be published for each domain, designating only these addresses as approved senders. | CISA | Medium | exchange |
| CISA.MS.EXO.3.1 | DKIM SHOULD be enabled for all domains. | CISA | Medium | exchange |
| CISA.MS.EXO.4.1 | A DMARC policy SHALL be published for every second-level domain. | CISA | Medium | exchange |
| CISA.MS.EXO.4.2 | The DMARC message rejection option SHALL be p=reject. | CISA | High | exchange |
| CISA.MS.EXO.4.3 | The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov. | CISA | Medium | exchange |
| CISA.MS.EXO.5.1 | SMTP AUTH SHALL be disabled. | CISA | High | exchange |
| CISA.MS.EXO.6.1 | Contact folders SHALL NOT be shared with all domains. | CISA | Medium | exchange |
| CISA.MS.EXO.6.2 | Calendar details SHALL NOT be shared with all domains. | CISA | Medium | exchange |
| CISA.MS.EXO.7.1 | External sender warnings SHALL be implemented. | CISA | Medium | exchange |
| CISA.MS.EXO.8.1 | A DLP solution SHALL be used. | CISA | High | exchange |
| CISA.MS.EXO.8.2 | The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | CISA | Medium | exchange |
| CISA.MS.EXO.8.3 | The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | CISA | Medium | exchange |
| CISA.MS.EXO.8.4 | At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | CISA | High | exchange |
| CISA.MS.EXO.9.1 | Emails SHALL be filtered by attachment file types. | CISA | Medium | exchange |
| CISA.MS.EXO.9.2 | The attachment filter SHOULD attempt to determine the true file type and assess the file extension. | CISA | Medium | exchange |
| CISA.MS.EXO.9.3 | Disallowed file types SHALL be determined and enforced. | CISA | High | exchange |
| CISA.MS.EXO.9.4 | Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | CISA | Medium | exchange |
| CISA.MS.EXO.9.5 | At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | CISA | High | exchange |
| CISA.MS.SHAREPOINT.1.1 | External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization. | CISA | Medium | spo |
| CISA.MS.SHAREPOINT.1.3 | External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | CISA | High | spo |
| EIDSCA.AF01 | Authentication Method - FIDO2 security key - State. | Entra ID SCA | High | General |
| EIDSCA.AF02 | Authentication Method - FIDO2 security key - Allow self-service set up. | Entra ID SCA | Medium | General |
| EIDSCA.AF03 | Authentication Method - FIDO2 security key - Enforce attestation. | Entra ID SCA | High | General |
| EIDSCA.AF04 | Authentication Method - FIDO2 security key - Enforce key restrictions. | Entra ID SCA | High | General |
| EIDSCA.AF05 | Authentication Method - FIDO2 security key - Restricted. | Entra ID SCA | High | General |
| EIDSCA.AF06 | Authentication Method - FIDO2 security key - Restrict specific keys. | Entra ID SCA | Medium | General |
| EIDSCA.AG01 | Authentication Method - General Settings - Manage migration. | Entra ID SCA | High | General |
| EIDSCA.AG02 | Authentication Method - General Settings - Report suspicious activity - State. | Entra ID SCA | Medium | General |
| EIDSCA.AG03 | Authentication Method - General Settings - Report suspicious activity - Included users/groups. | Entra ID SCA | Medium | General |
| EIDSCA.AM01 | Authentication Method - Microsoft Authenticator - State. | Entra ID SCA | High | General |
| EIDSCA.AM02 | Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. | Entra ID SCA | Medium | General |
| EIDSCA.AM03 | Authentication Method - Microsoft Authenticator - Require number matching for push notifications. | Entra ID SCA | Medium | General |
| EIDSCA.AM04 | Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. | Entra ID SCA | Medium | General |
| EIDSCA.AM06 | Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. | Entra ID SCA | Medium | General |
| EIDSCA.AM07 | Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. | Entra ID SCA | Medium | General |
| EIDSCA.AM09 | Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. | Entra ID SCA | Medium | General |
| EIDSCA.AM10 | Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. | Entra ID SCA | Medium | General |
| EIDSCA.AP01 | Default Authorization Settings - Enabled Self service password reset for administrators. | Entra ID SCA | High | General |
| EIDSCA.AP04 | Default Authorization Settings - Guest invite restrictions. | Entra ID SCA | Medium | General |
| EIDSCA.AP05 | Default Authorization Settings - Sign-up for email based subscription. | Entra ID SCA | Medium | General |
| EIDSCA.AP06 | Default Authorization Settings - User can join the tenant by email validation. | Entra ID SCA | Medium | General |
| EIDSCA.AP07 | Default Authorization Settings - Guest user access. | Entra ID SCA | High | General |
| EIDSCA.AP08 | Default Authorization Settings - User consent policy assigned for applications. | Entra ID SCA | Medium | General |
| EIDSCA.AP09 | Default Authorization Settings - Allow user consent on risk-based apps. | Entra ID SCA | Medium | General |
| EIDSCA.AP10 | Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. | Entra ID SCA | High | General |
| EIDSCA.AP14 | Default Authorization Settings - Default User Role Permissions - Allowed to read other users. | Entra ID SCA | High | General |
| EIDSCA.AS04 | Authentication Method - SMS - Use for sign-in. | Entra ID SCA | High | General |
| EIDSCA.AT01 | Authentication Method - Temporary Access Pass - State. | Entra ID SCA | High | General |
| EIDSCA.AT02 | Authentication Method - Temporary Access Pass - One-time. | Entra ID SCA | High | General |
| EIDSCA.AV01 | Authentication Method - Voice call - State. | Entra ID SCA | High | General |
| EIDSCA.CP01 | Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. | Entra ID SCA | High | General |
| EIDSCA.CP03 | Default Settings - Consent Policy Settings - Block user consent for risky apps. | Entra ID SCA | High | General |
| EIDSCA.CP04 | Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. | Entra ID SCA | Medium | General |
| EIDSCA.CR01 | Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. | Entra ID SCA | High | General |
| EIDSCA.CR02 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. | Entra ID SCA | Medium | General |
| EIDSCA.CR03 | Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. | Entra ID SCA | Medium | General |
| EIDSCA.CR04 | Consent Framework - Admin Consent Request - Consent request duration (days). | Entra ID SCA | High | General |
| EIDSCA.PR01 | Default Settings - Password Rule Settings - Password Protection - Mode. | Entra ID SCA | High | General |
| EIDSCA.PR02 | Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. | Entra ID SCA | High | General |
| EIDSCA.PR03 | Default Settings - Password Rule Settings - Enforce custom list. | Entra ID SCA | Medium | General |
| EIDSCA.PR05 | Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. | Entra ID SCA | Medium | General |
| EIDSCA.PR06 | Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. | Entra ID SCA | Medium | General |
| EIDSCA.ST08 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. | Entra ID SCA | Medium | General |
| EIDSCA.ST09 | Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. | Entra ID SCA | Medium | General |
| MT.1001 | At least one Conditional Access policy is configured with device compliance. | Maester | Medium | CA |
| MT.1002 | App management restrictions on applications and service principals is configured and enabled. | Maester | High | App |
| MT.1003 | At least one Conditional Access policy is configured with All Apps. | Maester | High | CA |
| MT.1004 | At least one Conditional Access policy is configured with All Apps and All Users. | Maester | High | CA |
| MT.1005 | All Conditional Access policies are configured to exclude at least one emergency/break glass account or group. | Maester | High | CA |
| MT.1006 | At least one Conditional Access policy is configured to require MFA for admins. | Maester | High | CA |
| MT.1007 | At least one Conditional Access policy is configured to require MFA for all users. | Maester | High | CA |
| MT.1008 | At least one Conditional Access policy is configured to require MFA for Azure management. | Maester | High | CA |
| MT.1009 | At least one Conditional Access policy is configured to block other legacy authentication. | Maester | High | CA |
| MT.1010 | At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync. | Maester | High | CA |
| MT.1011 | At least one Conditional Access policy is configured to secure security info registration only from a trusted location. | Maester | High | CA |
| MT.1012 | At least one Conditional Access policy is configured to require MFA for risky sign-ins. | Maester | High | CA |
| MT.1013 | At least one Conditional Access policy is configured to require new password when user risk is high. | Maester | High | CA |
| MT.1014 | At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins. | Maester | High | CA |
| MT.1015 | At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms. | Maester | Medium | CA |
| MT.1016 | At least one Conditional Access policy is configured to require MFA for guest access. | Maester | High | CA |
| MT.1017 | At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices. | Maester | High | CA |
| MT.1018 | At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices. | Maester | Medium | CA |
| MT.1019 | At least one Conditional Access policy is configured to enable application enforced restrictions. | Maester | Medium | CA |
| MT.1020 | All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them. | Maester | High | CA |
| MT.1021 | Security Defaults are enabled. | Maester | High | CA |
| MT.1022 | All users utilizing a P1 license should be licensed. | Maester | Medium | CA |
| MT.1023 | All users utilizing a P2 license should be licensed. | Maester | Medium | CA |
| MT.1024 | MT.1024.$($RecommendationId -replace | Maester | Unknown | Entra |
| MT.1025 | No external user with permanent role assignment on Control Plane. | Maester | High | Privileged |
| MT.1026 | No hybrid user with permanent role assignment on Control Plane. | Maester | High | Privileged |
| MT.1027 | No Service Principal with Client Secret and permanent role assignment on Control Plane. | Maester | High | Privileged |
| MT.1028 | No user with mailbox and permanent role assignment on Control Plane. | Maester | High | Privileged |
| MT.1029 | Stale accounts are not assigned to privileged roles. | Maester | High | Privileged |
| MT.1030 | Eligible role assignments on Control Plane are in use by administrators. | Maester | High | Privileged |
| MT.1031 | Privileged role on Control Plane are managed by PIM only. | Maester | High | Privileged |
| MT.1032 | Limited number of Global Admins are assigned. | Maester | High | Privileged |
| MT.1033 | MT.1033.$($RegularUsers.IndexOf($)): User should be blocked from using legacy authentication ($($.userPrincipalName)) | Maester | Unknown | CA |
| MT.1034 | MT.1034.$($EmergencyAccessUsers.IndexOf($)): Emergency access users should not be blocked ($($.userPrincipalName)) | Maester | Unknown | CA |
| MT.1035 | All security groups assigned to Conditional Access Policies should be protected by RMAU. | Maester | High | CA |
| MT.1036 | All excluded objects should have a fallback include in another policy. | Maester | Medium | CA |
| MT.1037 | Only users with Presenter role are allowed to present in Teams meetings | Maester | High | Teams |
| MT.1038 | Conditional Access policies should not include or exclude deleted groups. | Maester | Medium | CA |
| MT.1039 | Ensure MailTips are enabled for end users | Maester | Low | Exchange |
| MT.1041 | Ensure users installing Outlook add-ins is not allowed | Maester | High | Exchange |
| MT.1042 | Restrict dial-in users from bypassing a meeting lobby | Maester | Medium | Teams |
| MT.1043 | Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains | Maester | Medium | Exchange |
| MT.1044 | Ensure modern authentication for Exchange Online is enabled | Maester | High | Exchange |
| MT.1045 | Only invited users should be automatically admitted to Teams meetings | Maester | Medium | Teams |
| MT.1046 | Restrict anonymous users from joining meetings | Maester | Medium | Teams |
| MT.1047 | Restrict anonymous users from starting Teams meetings | Maester | Medium | Teams |
| MT.1048 | Limit external participants from having control in a Teams meeting | Maester | Medium | Teams |
| MT.1049 | Conditional Access policies for User Risk and Sign-in Risk should be configured separately. | Maester | High | CA |
| MT.1050 | Apps with high-risk permissions having a direct path to Global Admin | Maester | High | App |
| MT.1051 | Apps with high-risk permissions having an indirect path to Global Admin | Maester | High | App |
| MT.1052 | At least one Conditional Access policy is targeting the Device Code authentication flow. | Maester | High | CA |
| MT.1053 | Ensure intune device clean-up rule is configured | Maester | Medium | Intune |
| MT.1054 | Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant' | Maester | Medium | Intune |
| MT.1055 | Microsoft 365 Group (and Team) creation should be restricted to approved users. | Maester | Medium | Group |
| MT.1056 | Ensure that no person has permanent access to all Azure subscriptions at the root scope | Maester | High | Privileged |
| MT.1057 | Ensure Microsoft 365 Group (and Team) expiration is configured to notify users. | Maester | Medium | App |
| MT.1058 | Ensure Microsoft 365 Group (and Team) expiration is configured to auto-expire groups. | Maester | Medium | App |
| MT.1059 | Microsoft Defender for Identity health issues should be resolved | Maester | Medium | Defender |
| MT.1061 | Device registration MFA control conflicts with Conditional Access policies | Maester | Medium | CA |
| MT.1062 | Ensure Direct Send is set to be rejected | Maester | Medium | Exchange |
| MT.1063 | All app registration owners should have MFA registered | Maester | High | App |
| MT.1064 | Management group creation should be limited to users with explicit write access | Maester | High | Azure |
| MT.1065 | Soft Delete should be enabled on all Recovery Services Vaults | Maester | High | Backup |
| MT.1066 | Conditional Access policies should not include or exclude deleted users, groups, or roles. | Maester | Medium | CA |
| MT.1067 | Authentication methods policies should not reference deleted groups. | Maester | Medium | Authentication |
| MT.1068 | Restrict non-admin users from creating tenants | Maester | Medium | Entra |
| MT.1069 | Restrict non-admin users from creating security groups. | Maester | Low | Entra |
| MT.1070 | Restrict device join to selected users/groups or none. | Maester | Medium | Entra |
| MT.1071 | At least one Conditional Access policy explicitly includes Azure DevOps. | Maester | Medium | CA |
| MT.1072 | Conditional access policies should not use the deprecated Approved Client App grant. | Maester | High | CA |
| MT.1073 | Soft- and hard-matching of synchronized objects should be blocked. | Maester | Medium | Entra |
| MT.1074 | Mailboxes should not send outbound mails using the .onmicrosoft.com domain. | Maester | Medium | Exchange |
| MT.1075 | Third Party Entra Apps should only have explicitly assigned users instead of All Users. | Maester | Medium | App |
| MT.1076 | MOERA SHOULD NOT be used for sent mail. | Maester | High | Exchange |
| MT.1077 | App registrations with privileged API permissions should not have owners | Maester | Medium | Privileged |
| MT.1078 | App registrations with highly privileged directory roles should not have owners | Maester | Medium | Privileged |
| MT.1079 | Privileged API permissions on service principals should not remain unused | Maester | Medium | Privileged |
| MT.1080 | Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints | Maester | Medium | Privileged |
| MT.1081 | Hybrid users should not be assigned Entra ID role assignments | Maester | Medium | Privileged |
| MT.1083 | Ensure Delicensing Resiliency is enabled | Maester | Low | Exchange |
| MT.1084 | Seamless Single SignOn should be disabled for all domains in EntraID Connect servers. | Maester | High | Entra |
| MT.1085 | Pending approvals for Critical Asset Management should not be present | Maester | Medium | Entra |
| MT.1086 | Devices should not share both critical and non-critical user credentials. | Maester | Low | XSPM |
| MT.1087 | Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVE's. | Maester | High | XSPM |
| MT.1088 | Devices with critical credentials should be protected by TPM. | Maester | Medium | XSPM |
| MT.1089 | Devices with critical credentials should be protected by Credential Guard. | Maester | Medium | XSPM |
| MT.1090 | Global administrator role should not be added as local administrator on the device during Microsoft Entra join | Maester | Medium | Entra |
| MT.1091 | Registering user should not be added as local administrator on the device during Microsoft Entra join | Maester | Medium | Entra |
| MT.1092 | Intune APNS certificate should be valid for more than 30 days | Maester | High | Intune |
| MT.1093 | Apple Automated Device Enrollment Tokens should be valid for more than 30 days | Maester | High | Intune |
| MT.1094 | Apple Volume Purchase Program Tokens should be valid for more than 30 days | Maester | High | Intune |
| MT.1095 | Android Enterprise Account Connection should be healthy | Maester | High | Intune |
| MT.1096 | Intune Multi Admin approval should be configured | Maester | Medium | Intune |
| MT.1097 | Certificate Connectors should be healthy and running supported versions | Maester | High | Intune |
| MT.1098 | Mobile Threat Defense Connectors should be healthy | Maester | Critical | Intune |
| MT.1099 | Windows Diagnostic Data Processing should be enabled | Maester | Low | Intune |
| MT.1100 | Intune Audit Logs should be retained | Maester | High | Intune |
| MT.1101 | Default Branding Profile should be customized | Maester | Low | Intune |
| MT.1102 | Windows Feature Update Policy Settings should not reference end of support builds | Maester | High | Intune |
| MT.1103 | Intune RBAC groups should be protected by Restricted Management Administrative Units or Role Assignable groups | Maester | High | Intune |
| MT.1105 | MDM Authority should be set to Microsoft Intune | Maester | Low | Intune |
| MT.1106 | Catalog resources must have valid roles (no stale app roles or deleted SPNs) | Maester | Medium | Governance |
| MT.1107 | Access packages and catalogs should not reference deleted groups | Maester | Medium | Governance |
| MT.1108 | Access packages should not have inactive or orphaned assignment policies | Maester | Medium | Governance |
| MT.1109 | Access package approval workflows must have valid approvers | Maester | Medium | Governance |
| MT.1110 | No catalog should contain resources without any associated access packages | Maester | Medium | Governance |
| MT.1111 | High privileged user should be linked to an identity | Maester | Low | Privileged |
| MT.1112 | Privileged user accounts should not remain enabled when the linked primary account is disabled | Maester | Medium | Privileged |
| MT.1113 | AI agents should not be shared with broad access control policies | Maester | High | AIAgent |
| MT.1114 | AI agents should require user authentication | Maester | High | AIAgent |
| MT.1115 | AI agents should not have risky HTTP configurations | Maester | Medium | AIAgent |
| MT.1116 | AI agents should not send email with AI-controlled inputs | Maester | High | AIAgent |
| MT.1117 | Published AI agents should not be dormant | Maester | Low | AIAgent |
| MT.1118 | AI agents should avoid using author (maker) authentication for tools | Maester | Medium | AIAgent |
| MT.1119 | AI agents should not have hard-coded credentials in topics | Maester | High | AIAgent |
| MT.1120 | AI agents should not use MCP server tools without review | Maester | Medium | AIAgent |
| MT.1121 | AI agents with generative orchestration should have custom instructions | Maester | Medium | AIAgent |
| MT.1122 | AI agents should not have orphaned ownership | Maester | Medium | AIAgent |
| MT.1123 | Ensure BitLocker full disk encryption is configured via Intune | Maester | High | Intune |
| MT.1147 | Do not sync krbtgt_AzureAD to Entra ID | Maester | High | Entra |
| MT.1148 | Archive Scanning should be enabled | Maester | High | Defender |
| MT.1149 | Behavior Monitoring should be enabled | Maester | High | Defender |
| MT.1150 | Cloud Protection should be enabled | Maester | High | Defender |
| MT.1151 | Email Scanning should be enabled | Maester | High | Defender |
| MT.1152 | Script Scanning should be enabled | Maester | High | Defender |
| MT.1153 | Real-time Monitoring should be enabled | Maester | High | Defender |
| MT.1154 | Full Scan Removable Drives should be enabled | Maester | High | Defender |
| MT.1155 | Full Scan Mapped Drives should be disabled for performance | Maester | High | Defender |
| MT.1156 | Scanning Network Files should be enabled | Maester | High | Defender |
| MT.1157 | CPU Load Factor should be optimized (20-30%) | Maester | High | Defender |
| MT.1158 | Scan should be scheduled | Maester | High | Defender |
| MT.1159 | Quick Scan Time configuration is not required | Maester | High | Defender |
| MT.1160 | Signatures should be checked before scan | Maester | High | Defender |
| MT.1161 | Cloud Block Level should be High or higher | Maester | High | Defender |
| MT.1162 | Cloud Extended Timeout should be 30-50 seconds | Maester | High | Defender |
| MT.1163 | Signature Update Interval should be 1-4 hours | Maester | High | Defender |
| MT.1164 | PUA Protection should be enabled | Maester | High | Defender |
| MT.1165 | Network Protection should be enabled | Maester | High | Defender |
| MT.1166 | Local Admin Merge should be disabled | Maester | High | Defender |
| MT.1167 | Real-Time Scan Direction should cover both directions | Maester | High | Defender |
| MT.1168 | Cleaned Malware should be retained for at least 30 days | Maester | High | Defender |
| MT.1169 | Catch-up Full Scan should be disabled | Maester | High | Defender |
| MT.1170 | Catch-up Quick Scan should be disabled | Maester | High | Defender |
| MT.1171 | Sample Submission should send safe samples automatically | Maester | High | Defender |
| ORCA.100 | Bulk Complaint Level threshold is between 4 and 6. | ORCA | Medium | EXO |
| ORCA.101 | Bulk is marked as spam. | ORCA | Medium | EXO |
| ORCA.102 | Advanced Spam filter options are turned off. | ORCA | Medium | EXO |
| ORCA.103 | Outbound spam filter policy settings configured. | ORCA | Medium | EXO |
| ORCA.104 | High Confidence Phish action set to Quarantine message. | ORCA | High | EXO |
| ORCA.105 | Safe Links Synchronous URL detonation is enabled. | ORCA | Medium | EXO |
| ORCA.106 | Quarantine retention period is 30 days. | ORCA | Medium | EXO |
| ORCA.107 | End-user spam notification is enabled. | ORCA | Low | EXO |
| ORCA.108 | DKIM signing is set up for all your custom domains. | ORCA | Medium | EXO |
| ORCA.108.1 | DNS Records have been set up to support DKIM. | ORCA | Medium | EXO |
| ORCA.109 | Senders are not being allow listed in an unsafe manner. | ORCA | Medium | EXO |
| ORCA.110 | Internal Sender notifications are disabled. | ORCA | Medium | EXO |
| ORCA.111 | Anti-phishing policy exists and EnableUnauthenticatedSender is true. | ORCA | High | EXO |
| ORCA.112 | Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy. | ORCA | Medium | EXO |
| ORCA.113 | AllowClickThrough is disabled in Safe Links policies. | ORCA | Medium | EXO |
| ORCA.114 | No IP Allow Lists have been configured. | ORCA | High | EXO |
| ORCA.115 | Mailbox intelligence based impersonation protection is enabled in anti-phishing policies. | ORCA | Medium | EXO |
| ORCA.116 | Mailbox intelligence based impersonation protection action set to move message to junk mail folder. | ORCA | Medium | EXO |
| ORCA.118.1 | Domains are not being allow listed in an unsafe manner in Anti-Spam Policies. | ORCA | High | EXO |
| ORCA.118.2 | Domains are not being allow listed in an unsafe manner in Transport Rules. | ORCA | High | EXO |
| ORCA.118.3 | Your own domains are not being allow listed in an unsafe manner in Anti-Spam Policies. | ORCA | Medium | EXO |
| ORCA.118.4 | Your own domains are not being allow listed in an unsafe manner in Transport Rules. | ORCA | Medium | EXO |
| ORCA.119 | Similar Domains Safety Tips is enabled. | ORCA | Info | EXO |
| ORCA.120.1 | Zero Hour Autopurge Enabled for Phish. | ORCA | Medium | EXO |
| ORCA.120.2 | Zero Hour Autopurge Enabled for Malware. | ORCA | Medium | EXO |
| ORCA.120.3 | Zero Hour Autopurge Enabled for Spam. | ORCA | Medium | EXO |
| ORCA.121 | Supported filter policy action used. | ORCA | Low | EXO |
| ORCA.123 | Unusual Characters Safety Tips is enabled. | ORCA | Info | EXO |
| ORCA.124 | Safe attachments unknown malware response set to block messages. | ORCA | High | EXO |
| ORCA.139 | Spam action set to move message to junk mail folder or quarantine. | ORCA | Low | EXO |
| ORCA.140 | High Confidence Spam action set to Quarantine message. | ORCA | High | EXO |
| ORCA.141 | Bulk action set to Move message to Junk Email Folder. | ORCA | Medium | EXO |
| ORCA.142 | Phish action set to Quarantine message. | ORCA | Medium | EXO |
| ORCA.143 | Safety Tips are enabled. | ORCA | Info | EXO |
| ORCA.156 | Safe Links Policies are tracking when user clicks on safe links. | ORCA | Medium | EXO |
| ORCA.158 | Safe Attachments is enabled for SharePoint and Teams. | ORCA | Medium | EXO |
| ORCA.179 | Safe Links is enabled intra-organization. | ORCA | Medium | EXO |
| ORCA.180 | Anti-phishing policy exists and EnableSpoofIntelligence is true. | ORCA | Medium | EXO |
| ORCA.189 | Safe Attachments is not bypassed. | ORCA | Medium | EXO |
| ORCA.189.2 | Safe Links is not bypassed. | ORCA | High | EXO |
| ORCA.205 | Common attachment type filter is enabled. | ORCA | Medium | EXO |
| ORCA.220 | Advanced Phish filter Threshold level is adequate. | ORCA | Medium | EXO |
| ORCA.221 | Mailbox intelligence is enabled in anti-phishing policies. | ORCA | Medium | EXO |
| ORCA.222 | Domain Impersonation action is set to move to Quarantine. | ORCA | Medium | EXO |
| ORCA.223 | User impersonation action is set to move to Quarantine. | ORCA | High | EXO |
| ORCA.224 | Similar Users Safety Tips is enabled. | ORCA | Info | EXO |
| ORCA.225 | Safe Documents is enabled for Office clients. | ORCA | Medium | EXO |
| ORCA.226 | Each domain has a Safe Link policy applied to it. | ORCA | Medium | EXO |
| ORCA.227 | Each domain has a Safe Attachments policy applied to it. | ORCA | Medium | EXO |
| ORCA.228 | No trusted senders in Anti-phishing policy. | ORCA | High | EXO |
| ORCA.229 | No trusted domains in Anti-phishing policy. | ORCA | Medium | EXO |
| ORCA.230 | Each domain has a Anti-phishing policy applied to it, or the default policy is being used. | ORCA | Medium | EXO |
| ORCA.231 | Each domain has a anti-spam policy applied to it, or the default policy is being used. | ORCA | Medium | EXO |
| ORCA.232 | Each domain has a malware filter policy applied to it, or the default policy is being used. | ORCA | High | EXO |
| ORCA.233 | Domains are pointed directly at EOP or enhanced filtering is used. | ORCA | Medium | EXO |
| ORCA.233.1 | Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors. | ORCA | Medium | EXO |
| ORCA.234 | Click through is disabled for Safe Documents. | ORCA | Medium | EXO |
| ORCA.235 | SPF records is set up for all your custom domains. | ORCA | Medium | EXO |
| ORCA.236 | Safe Links is enabled for emails. | ORCA | Medium | EXO |
| ORCA.237 | Safe Links is enabled for teams messages. | ORCA | Medium | EXO |
| ORCA.238 | Safe Links is enabled for office documents. | ORCA | Medium | EXO |
| ORCA.239 | No exclusions for the built-in protection policies. | ORCA | High | EXO |
| ORCA.240 | Outlook is configured to display external tags for external emails. | ORCA | Medium | EXO |
| ORCA.241 | Anti-phishing policy exists and EnableFirstContactSafetyTips is true. | ORCA | Medium | EXO |
| ORCA.242 | Important protection alerts responsible for AIR activities are enabled. | ORCA | High | EXO |
| ORCA.243 | Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO. | ORCA | Medium | EXO |
| ORCA.244 | Policies are configured to honor sending domains DMARC. | ORCA | Medium | EXO |