SAMPLE REPORT — ALL CHECKS SHOWN AS FAILING FOR DEMONSTRATION PURPOSES

PSGuerrilla Technical Security Report

Comprehensive Security Assessment — All Theaters

Sample Organization
2026-03-24 18:18:12 UTC
PSGuerrilla v2.1.0
0 OVERRUN
Security Posture: OVERRUN
This sample report demonstrates what a worst-case scenario looks like with every security check failing across all theaters. In production, your organization will likely pass many of these checks. This report serves as a reference for all 431 checks PSGuerrilla evaluates.
Total Checks: 431
Pass: 0
Fail: 399
Critical: 71
High: 179
Medium: 131
Low: 18

Severity Distribution

■ Critical (71) ■ High (179) ■ Medium (131) ■ Low (18) ■ Info (32)

Theater Overview

Theater                 | Categories | Critical | High | Medium | Low | Total
------------------------|------------|----------|------|--------|-----|------
Active Directory        | 10         | 40       | 74   | 43     | 9   | 175
Entra ID / Azure / M365 | 14         | 22       | 66   | 47     | 0   | 158
Google Workspace        | 8          | 9        | 39   | 41     | 9   | 98

The Total column includes Info-severity checks, which are not counted in the four severity columns.

Category Breakdown

Category                                          | Theater                 | Fail | Info | Total
--------------------------------------------------|-------------------------|------|------|------
AD Privileged Account Security                    | Active Directory        | 30   | 0    | 30
AD Group Policy                                   | Active Directory        | 23   | 1    | 24
Email Security                                    | Google Workspace        | 22   | 0    | 22
AD Password & Lockout Policies                    | Active Directory        | 21   | 1    | 22
AD Domain & Forest Configuration                  | Active Directory        | 19   | 1    | 20
Intune / Endpoint Management                      | Entra ID / Azure / M365 | 19   | 4    | 23
AD Certificate Services                           | Active Directory        | 17   | 2    | 19
AD ACL & Delegation                               | Active Directory        | 16   | 0    | 16
Entra ID Application & Service Principal Security | Entra ID / Azure / M365 | 16   | 3    | 19
Entra ID Authentication Methods & MFA             | Entra ID / Azure / M365 | 14   | 3    | 17
Entra ID Conditional Access                       | Entra ID / Azure / M365 | 13   | 3    | 16
Admin & User Management                           | Google Workspace        | 13   | 0    | 13
Authentication & Access Controls                  | Google Workspace        | 13   | 0    | 13
Drive Security & Data Protection                  | Google Workspace        | 13   | 0    | 13
Exchange Online Security                          | Entra ID / Azure / M365 | 12   | 0    | 12
Entra ID Privileged Identity Management           | Entra ID / Azure / M365 | 11   | 3    | 14
Device & Endpoint Management                      | Google Workspace        | 11   | 0    | 11
AD Stale & Obsolete Objects                       | Active Directory        | 11   | 0    | 11
Collaboration & Communication Security            | Google Workspace        | 10   | 0    | 10
Entra ID Federation & Hybrid Identity             | Entra ID / Azure / M365 | 10   | 2    | 12
AD Logon Scripts & Network Shares                 | Active Directory        | 10   | 1    | 11
AD Kerberos Security                              | Active Directory        | 10   | 1    | 11
OAuth & API Security                              | Google Workspace        | 10   | 0    | 10
Azure IAM & Resource Security                     | Entra ID / Azure / M365 | 9    | 1    | 10
AD Trust Relationships                            | Active Directory        | 9    | 2    | 11
Entra ID Tenant Configuration                     | Entra ID / Azure / M365 | 9    | 4    | 13
Microsoft Teams Security                          | Entra ID / Azure / M365 | 8    | 0    | 8
Logging, Alerting & Monitoring                    | Google Workspace        | 6    | 0    | 6
SharePoint & OneDrive Security                    | Entra ID / Azure / M365 | 5    | 0    | 5
Defender for Office 365                           | Entra ID / Azure / M365 | 3    | 0    | 3
Power Platform Security                           | Entra ID / Azure / M365 | 3    | 0    | 3
Unified Audit & Logging                           | Entra ID / Azure / M365 | 3    | 0    | 3

Google Workspace

Admin & User Management (13 checks, 13 failing)

ADMIN-001 — Super Admin Account Inventory
Critical FAIL
Description
All super admin accounts should be inventoried and reviewed. Super admins have unrestricted access to all organizational settings and data
Recommended
All super admin accounts documented and justified with clear business need
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Users > Filter by admin role > Review all super admin accounts and remove unnecessary assignments
Reference
https://admin.google.com/ac/users
Compliance
NIST AC-2(7), NIST AC-6(1), MITRE T1078.004, MITRE T1087.004, CIS 4.1
ADMIN-002 — Admin Role Assignments Audit
High FAIL
Description
Administrative role assignments should follow the principle of least privilege. Custom roles should be used instead of broad built-in roles
Recommended
All admin role assignments reviewed with least-privilege custom roles used where possible
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Account > Admin roles > Review each role assignment > Replace broad roles with scoped custom roles
Reference
https://admin.google.com/ac/roles
Compliance
NIST AC-6(1), NIST AC-2(7), MITRE T1078.004, MITRE T1098.003, CIS 4.2
ADMIN-004 — Inactive/Suspended Admin Accounts
High FAIL
Description
Suspended or inactive users should not retain admin role assignments. These accounts may be targeted for reactivation attacks
Recommended
No suspended or inactive users with admin role assignments
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Users > Filter suspended users > Remove admin roles from any suspended accounts
Reference
https://admin.google.com/ac/users
Compliance
NIST AC-2(3), NIST AC-2(4), MITRE T1078.004, MITRE T1098, CIS 4.4
ADMIN-010 — Groups Settings and External Membership
High FAIL
Description
Google Groups that allow external members can expose internal communications and data to unauthorized parties
Recommended
External group membership disabled or restricted to specific groups with documented justification
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Groups for Business > Sharing settings > Restrict external membership
Reference
https://admin.google.com/ac/appsettings/651400000067/sharing
Compliance
NIST AC-3, NIST AC-4, MITRE T1530, MITRE T1213.003, CIS 4.10
ADMIN-013 — Super Admin Count
High FAIL
Description
The number of super admin accounts should be between 2 and 4. Too few creates a single point of failure; too many increases the attack surface
Recommended
2-4 super admin accounts
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Users > Filter by super admin role > Adjust count to 2-4 by removing unnecessary super admins or adding a backup
Reference
https://admin.google.com/ac/users
Compliance
NIST AC-6(1), NIST AC-2(7), MITRE T1078.004, CIS 4.13
ADMIN-003 — Delegated Admin Permissions Review
Medium FAIL
Description
Custom admin roles should be reviewed to ensure delegated permissions are appropriately scoped and do not grant excessive access
Recommended
Custom admin roles scoped to minimum necessary permissions
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Account > Admin roles > Review each custom role > Verify permissions are scoped appropriately
Reference
https://admin.google.com/ac/roles
Compliance
NIST AC-6(1), NIST AC-3, MITRE T1098.003, CIS 4.3
ADMIN-005 — User Account Inventory
Medium FAIL
Description
User account inventory should be maintained with clear counts of active, suspended, and archived accounts for governance
Recommended
Complete user inventory with all accounts in appropriate active/suspended/archived state
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Users > Review user list > Suspend or archive accounts that are no longer needed
Reference
https://admin.google.com/ac/users
Compliance
NIST AC-2, NIST CM-8, MITRE T1087.004, CIS 4.5
ADMIN-006 — Stale User Accounts
Medium FAIL
Description
User accounts with no login in 90 or more days may be orphaned and should be reviewed for suspension or deletion
Recommended
No user accounts inactive for more than 90 days without documented justification
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Users > Sort by last sign-in > Review and suspend accounts inactive for 90+ days
Reference
https://admin.google.com/ac/users
Compliance
NIST AC-2(3), MITRE T1078.004, CIS 4.6
ADMIN-008 — Directory Sharing Settings
Medium FAIL
Description
Directory sharing controls who can view organizational contacts and profiles. External directory sharing should be limited
Recommended
Directory sharing restricted to internal users only
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Directory settings > Sharing settings > Restrict contact sharing to domain users
Reference
https://admin.google.com/ac/appsettings/986702928867/contactsharing
Compliance
NIST AC-3, NIST AC-22, MITRE T1087.004, MITRE T1589, CIS 4.8
ADMIN-011 — Group Creation Restrictions
Medium FAIL
Description
Group creation should be restricted to prevent proliferation of unmanaged groups that may expose organizational data
Recommended
Group creation restricted to admins or specific delegated roles
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Groups for Business > Sharing settings > Restrict who can create groups
Reference
https://admin.google.com/ac/appsettings/651400000067/sharing
Compliance
NIST CM-7, NIST AC-6, MITRE T1136.003, CIS 4.11
ADMIN-012 — Groups for Business Settings
Medium FAIL
Description
Groups for Business settings control group features including external posting, member visibility, and content sharing
Recommended
Groups for Business configured with restricted external access and posting
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Groups for Business > Sharing settings > Review all settings
Reference
https://admin.google.com/ac/appsettings/651400000067/sharing
Compliance
NIST AC-3, NIST AC-4, MITRE T1530, MITRE T1213.003, CIS 4.12
ADMIN-007 — OU Structure Review
Low FAIL
Description
The organizational unit structure should be reviewed to ensure policies can be effectively applied at the appropriate scope
Recommended
OU structure documented with clear policy mapping
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Organizational units > Review OU hierarchy and ensure it aligns with policy application needs
Reference
https://admin.google.com/ac/orgunits
Compliance
NIST CM-6, NIST AC-2, MITRE T1087.004, CIS 4.7
ADMIN-009 — User Profile Visibility
Low FAIL
Description
User profile information visibility should be controlled to limit reconnaissance potential from external actors
Recommended
User profile visibility restricted to internal users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Directory settings > Profile sharing > Restrict profile visibility
Reference
https://admin.google.com/ac/appsettings/986702928867/profilesharing
Compliance
NIST AC-22, NIST AC-3, MITRE T1589.002, CIS 4.9

Authentication & Access Controls (13 checks, 13 failing)

AUTH-001 — 2SV Enforcement
Critical FAIL
Description
Two-step verification (2SV/MFA) should be enforced for all users to prevent account takeover via stolen credentials
Recommended
Enforced for all organizational units
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > 2-step verification > Set Enforcement to 'On'
Reference
https://admin.google.com/ac/security/2sv
Compliance
NIST IA-2(1), NIST IA-2(2), MITRE T1078.004, CIS 1.1
AUTH-012 — Super Admin 2SV Enrollment
Critical FAIL
Description
All super admin accounts must have 2SV enrolled. Super admins have unrestricted access to all settings and data
Recommended
100% of super admins enrolled in 2SV
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Reporting > User Reports > Security > Filter by admin status > Ensure all super admins have 2SV enrolled
Reference
https://admin.google.com/ac/reporting/report/user/security
Compliance
NIST IA-2(1), NIST IA-2(11), MITRE T1078.004, CIS 1.12
AUTH-002 — 2SV Enrollment Rate
High FAIL
Description
All active users should have 2SV enrolled. Low enrollment rates leave accounts vulnerable to credential-based attacks
Recommended
95% or higher enrollment among active users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Reporting > User Reports > Security > Review users without 2SV. Set enrollment deadline via Security > 2-Step Verification
Reference
https://admin.google.com/ac/reporting/report/user/security
Compliance
NIST IA-2(1), MITRE T1078.004, CIS 1.2
AUTH-004 — Password Minimum Length
High FAIL
Description
Password minimum length should be at least 12 characters to resist brute-force and dictionary attacks
Recommended
Minimum 12 characters
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > Password management > Set minimum length to 12 or higher
Reference
https://admin.google.com/ac/security/passwordmanagement
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS 1.4
AUTH-008 — Less Secure Apps Access
High FAIL
Description
Less secure apps (apps that don't support modern authentication) should be blocked to prevent credential exposure
Recommended
Disabled for all users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > Less secure apps > Set to 'Disable access to less secure apps'
Reference
https://admin.google.com/ac/security/lsa
Compliance
NIST IA-5(2), MITRE T1078.004, MITRE T1110, CIS 1.8
AUTH-010 — Recovery Options Configuration
High FAIL
Description
User self-service recovery should be configured appropriately. Super admins should not have personal recovery options to prevent social engineering
Recommended
Super admins: no personal recovery. Regular users: recovery options allowed with admin override
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > Account recovery > Disable personal recovery for super admin OU
Reference
https://admin.google.com/ac/security/accountrecovery
Compliance
NIST IA-5(1), NIST AC-2(4), MITRE T1078.004, MITRE T1098, CIS 1.10
AUTH-013 — Stale Super Admin Accounts
High FAIL
Description
Super admin accounts that have not logged in recently may be orphaned and at risk of compromise. All super admin accounts should be actively managed
Recommended
No super admin accounts inactive for more than 90 days
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Users > Filter by admin role > Review and remove or suspend inactive super admin accounts
Reference
https://admin.google.com/ac/users
Compliance
NIST AC-2(3), NIST AC-2(4), MITRE T1078.004, CIS 1.13
AUTH-003 — 2SV Method Strength
Medium FAIL
Description
Security keys should be the primary 2SV method. SMS and voice-based 2SV are vulnerable to SIM-swapping and interception attacks
Recommended
Security keys enforced as primary method
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > 2-step verification > Set allowed methods to 'Security key only'
Reference
https://admin.google.com/ac/security/2sv
Compliance
NIST IA-2(1), NIST IA-2(12), MITRE T1111, MITRE T1078.004, CIS 1.3
AUTH-005 — Password Reuse Restriction
Medium FAIL
Description
Users should not be able to reuse recent passwords, preventing credential cycling attacks
Recommended
Password reuse not allowed
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > Password management > Enable 'Enforce password policy at next sign-in' and restrict reuse
Reference
https://admin.google.com/ac/security/passwordmanagement
Compliance
NIST IA-5(1), MITRE T1110.004, CIS 1.5
AUTH-006 — Session Duration
Medium FAIL
Description
Web session duration should be limited to reduce the window for session hijacking and unauthorized access from shared devices
Recommended
Session duration of 12 hours or less
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Google Session Control > Set web session duration
Reference
https://admin.google.com/ac/security/session
Compliance
NIST AC-12, NIST SC-23, MITRE T1550.004, CIS 1.6
AUTH-007 — SSO Configuration
Medium FAIL
Description
If SSO is configured, it should use secure protocols and trusted identity providers
Recommended
SAML SSO properly configured with trusted IdP
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > SSO with third-party IdP > Verify configuration
Reference
https://admin.google.com/ac/security/ssoprofile
Compliance
NIST IA-2(6), NIST IA-8, MITRE T1078.004, CIS 1.7
AUTH-009 — App Passwords Policy
Medium FAIL
Description
App-specific passwords bypass 2SV and should be controlled. If allowed, they should require 2SV enrollment first
Recommended
App passwords restricted or disabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > 2-step verification > Review app password settings
Reference
https://admin.google.com/ac/security/2sv
Compliance
NIST IA-5(1), MITRE T1078.004, CIS 1.9
AUTH-011 — Login Challenge Settings
Medium FAIL
Description
Login challenges should be enabled to provide additional verification when suspicious login attempts are detected
Recommended
Login challenges enabled with employee ID or other verification
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Authentication > Login challenges > Enable
Reference
https://admin.google.com/ac/security/loginchallenges
Compliance
NIST IA-2(13), MITRE T1078.004, CIS 1.11

Collaboration & Communication Security (10 checks, 10 failing)

COLLAB-004 — Chat External Communication
High FAIL
Description
External chat communication should be restricted to prevent data leakage through direct messages with external users
Recommended
External chat restricted or disabled for most users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Chat > Chat settings > External chat > Restrict external chat to specific OUs
Reference
https://admin.google.com/ac/appsettings/553322/chatsettings
Compliance
NIST AC-4, NIST SC-7, MITRE T1567, MITRE T1048, CIS 5.4
COLLAB-008 — Calendar External Sharing
High FAIL
Description
Calendar sharing with external users should be limited to free/busy information to prevent exposure of meeting details and attendees
Recommended
External calendar sharing limited to free/busy information only
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Calendar > Sharing settings > External sharing options > Set to 'Only free/busy information'
Reference
https://admin.google.com/ac/appsettings/435070579839/sharing
Compliance
NIST AC-3, NIST AC-22, MITRE T1530, MITRE T1589, CIS 5.8
COLLAB-001 — Meet Recording Settings
Medium FAIL
Description
Meeting recording settings should be controlled to prevent unauthorized capture of sensitive discussions
Recommended
Recording restricted to meeting organizers or disabled for sensitive OUs
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Meet > Meet video settings > Recording > Configure recording permissions
Reference
https://admin.google.com/ac/appsettings/625702498764/meetingsettings
Compliance
NIST AC-3, NIST AU-14, MITRE T1125, CIS 5.1
COLLAB-002 — Meet External Participant Settings
Medium FAIL
Description
External participant access to meetings should be controlled to prevent unauthorized attendance and information disclosure
Recommended
External participants require approval or knocking to join
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Meet > Meet video settings > Participants > Require approval for external participants
Reference
https://admin.google.com/ac/appsettings/625702498764/meetingsettings
Compliance
NIST AC-3, NIST AC-17, MITRE T1040, CIS 5.2
COLLAB-003 — Meet Anonymous Join Settings
Medium FAIL
Description
Anonymous users (without Google accounts) should not be able to join meetings without explicit host approval
Recommended
Anonymous join disabled or requires host approval
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Meet > Meet video settings > Participants > Disable anonymous join or require knocking
Reference
https://admin.google.com/ac/appsettings/625702498764/meetingsettings
Compliance
NIST AC-3, NIST IA-2, MITRE T1040, CIS 5.3
COLLAB-005 — Chat History Settings
Medium FAIL
Description
Chat history should be enabled and retained for compliance and audit purposes. Disabling history can hide malicious communications
Recommended
Chat history enabled and retained according to retention policy
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Chat > Chat settings > History > Enable history and configure retention
Reference
https://admin.google.com/ac/appsettings/553322/chatsettings
Compliance
NIST AU-11, NIST AU-3, MITRE T1070.008, CIS 5.5
COLLAB-006 — Chat Spaces External Access
Medium FAIL
Description
Chat spaces (rooms) that allow external members can expose internal communications and shared files to unauthorized parties
Recommended
External access to Chat spaces restricted or disabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Chat > Chat settings > Spaces > Restrict external access to spaces
Reference
https://admin.google.com/ac/appsettings/553322/chatsettings
Compliance
NIST AC-3, NIST AC-4, MITRE T1530, MITRE T1213, CIS 5.6
COLLAB-009 — Calendar External Invitations
Medium FAIL
Description
Users should be warned or restricted when sending calendar invitations to external recipients to prevent accidental information disclosure
Recommended
External invitation warnings enabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Calendar > Sharing settings > Enable external invitation warnings
Reference
https://admin.google.com/ac/appsettings/435070579839/sharing
Compliance
NIST AC-4, NIST SI-11, MITRE T1589, CIS 5.9
COLLAB-007 — Chat App Installation Settings
Low FAIL
Description
Chat app (bot) installation should be controlled to prevent unauthorized integrations from accessing conversation data
Recommended
Chat app installation restricted to admin-approved apps
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Google Chat > Chat settings > Apps > Restrict app installation to approved apps
Reference
https://admin.google.com/ac/appsettings/553322/chatsettings
Compliance
NIST CM-7, NIST CM-11, MITRE T1195.002, CIS 5.7
COLLAB-010 — Calendar Appointment Slots External Visibility
Low FAIL
Description
Calendar appointment slot visibility should be controlled to limit external exposure of availability and scheduling details
Recommended
Appointment slot external visibility restricted
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Calendar > Sharing settings > Review appointment slot visibility settings
Reference
https://admin.google.com/ac/appsettings/435070579839/sharing
Compliance
NIST AC-22, MITRE T1589.002, CIS 5.10

Device & Endpoint Management (11 checks, 11 failing)

DEVICE-001 — MDM Policy Audit
High FAIL
Description
Mobile devices accessing organizational data should be managed through MDM policies to enforce security controls
Recommended
All mobile devices under MDM management with enforced security policies
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile devices > Review device management status > Enable advanced MDM for unmanaged devices
Reference
https://admin.google.com/ac/devices/mobile
Compliance
NIST AC-19, NIST CM-6, MITRE T1458, MITRE T1078.004, CIS 6.1
DEVICE-002 — Device Approval Requirements
High FAIL
Description
Mobile devices should require admin approval before accessing organizational data to prevent unauthorized device access
Recommended
Device approval required before accessing organizational data
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile & endpoints > Settings > General > Require admin approval for device access
Reference
https://admin.google.com/ac/devices/mobile/settings
Compliance
NIST AC-19(4), NIST IA-3, MITRE T1078.004, CIS 6.2
DEVICE-003 — Screen Lock Enforcement
High FAIL
Description
Screen lock should be enforced on all mobile devices to prevent unauthorized physical access to organizational data
Recommended
Screen lock enforced with minimum PIN/password requirements
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile & endpoints > Settings > Universal settings > Screen lock > Enforce screen lock with minimum complexity
Reference
https://admin.google.com/ac/devices/mobile/settings
Compliance
NIST AC-11, NIST AC-7, MITRE T1458, CIS 6.3
DEVICE-004 — Device Encryption Requirements
High FAIL
Description
Device encryption should be required on all mobile devices to protect data at rest from physical theft or loss
Recommended
Encryption required on all managed devices
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile & endpoints > Settings > Universal settings > Encryption > Require device encryption
Reference
https://admin.google.com/ac/devices/mobile/settings
Compliance
NIST SC-28, NIST MP-5, MITRE T1005, CIS 6.4
DEVICE-005 — Compromised Device Blocking
High FAIL
Description
Compromised devices should be automatically blocked from accessing organizational data to prevent data exposure
Recommended
Compromised device detection and blocking enabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile & endpoints > Settings > Universal settings > Compromised devices > Block compromised devices from accessing data
Reference
https://admin.google.com/ac/devices/mobile/settings
Compliance
NIST SI-4, NIST AC-19, MITRE T1458, CIS 6.5
DEVICE-006 — Jailbroken/Rooted Device Policy
High FAIL
Description
Jailbroken (iOS) or rooted (Android) devices bypass OS-level security controls and should be blocked from accessing organizational data
Recommended
Jailbroken/rooted devices blocked from organizational data access
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile & endpoints > Settings > Universal settings > Compromised devices > Block jailbroken/rooted devices
Reference
https://admin.google.com/ac/devices/mobile/settings
Compliance
NIST SI-7, NIST AC-19, MITRE T1398, CIS 6.6
DEVICE-008 — Chrome Extension Whitelist/Blocklist
High FAIL
Description
Chrome extensions should be managed through an allowlist or blocklist to prevent malicious extensions from accessing organizational data
Recommended
Extension installation restricted to admin-approved extensions via allowlist
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Chrome > Apps & extensions > Configure extension allowlist and blocklist
Reference
https://admin.google.com/ac/chrome/apps/user
Compliance
NIST CM-7, NIST CM-11, MITRE T1176, CIS 6.8
DEVICE-007 — Chrome Browser Management
Medium FAIL
Description
Chrome browsers used to access organizational data should be enrolled in Chrome Browser Cloud Management for policy enforcement
Recommended
Chrome browsers enrolled in Cloud Management with policies enforced
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Chrome > Settings > Review and configure Chrome browser policies for managed browsers
Reference
https://admin.google.com/ac/chrome/settings
Compliance
NIST CM-6, NIST CM-7, MITRE T1189, MITRE T1185, CIS 6.7
DEVICE-009 — Chrome OS Device Policies
Medium FAIL
Description
Chrome OS devices should have appropriate policies enforced including auto-update, login restrictions, and security settings
Recommended
Chrome OS devices managed with enforced policies for updates, login, and security
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Chrome > Settings > Device settings > Configure auto-update, login restrictions, and security policies
Reference
https://admin.google.com/ac/chrome/settings/device
Compliance
NIST CM-6, NIST SI-2, MITRE T1189, CIS 6.9
DEVICE-010 — Endpoint Verification Settings
Medium FAIL
Description
Endpoint verification provides device trust signals for context-aware access policies and should be enabled
Recommended
Endpoint verification enabled for context-aware access
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile & endpoints > Settings > General > Enable endpoint verification for context-aware access policies
Reference
https://admin.google.com/ac/devices/settings/general
Compliance
NIST AC-19, NIST IA-3, MITRE T1078.004, CIS 6.10
DEVICE-011 — Company-Owned Device Inventory
Low FAIL
Description
Company-owned devices should be inventoried to maintain visibility over organizational assets accessing corporate data
Recommended
Complete inventory of all company-owned devices maintained
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Devices > Mobile devices > Review device inventory > Ensure all company-owned devices are registered and accounted for
Reference
https://admin.google.com/ac/devices/mobile
Compliance
NIST CM-8, NIST PM-5, MITRE T1087, CIS 6.11

Drive Security & Data Protection (13 checks, 13 failing)

DRIVE-001 — External Sharing Defaults
High FAIL
Description
Sharing outside the organization should be restricted or disabled by default to prevent accidental data exposure to external parties
Recommended
External sharing restricted to allowlisted domains or disabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Set sharing outside the organization to 'Off' or 'Allowlisted domains'
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST AC-3, NIST AC-4, MITRE T1567, MITRE T1537, CIS 2.1
DRIVE-002 — Link Sharing Default Settings
High FAIL
Description
Default link sharing should be set to 'Restricted' (specific people) rather than broad access to prevent unintended data exposure
Recommended
Default link sharing set to 'Restricted' (specific people only)
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Set default link sharing to 'Restricted'
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST AC-3, NIST AC-6, MITRE T1530, CIS 2.2
DRIVE-003 — Anyone With the Link Sharing Audit
High FAIL
Description
Files shared with 'Anyone with the link' are accessible to anyone on the internet and represent a significant data exposure risk
Recommended
'Anyone with the link' sharing disabled or tightly controlled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Disable 'Anyone with the link' option or restrict to 'Domain users with the link'
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST AC-3, NIST AC-22, MITRE T1530, MITRE T1213, CIS 2.3
DRIVE-006 — Shared Drive External Sharing
High FAIL
Description
External sharing on Shared Drives should be restricted to prevent sensitive organizational data from being shared outside the domain
Recommended
External sharing on Shared Drives disabled or restricted to allowlisted domains
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive sharing > Restrict external sharing
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST AC-3, NIST AC-4, MITRE T1537, MITRE T1567, CIS 2.6
DRIVE-009 — Third-Party App Drive Access
High FAIL
Description
Third-party applications with access to Drive data should be reviewed and restricted to prevent unauthorized data exfiltration
Recommended
Third-party app access to Drive data restricted and reviewed
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > Third-party app access > Review and restrict apps with Drive access
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST AC-3, NIST AC-20, MITRE T1530, MITRE T1567.002, CIS 2.9
DRIVE-004 — Shared Drive Creation Restrictions
Medium FAIL
Description
Shared Drive creation should be restricted to prevent uncontrolled proliferation and ensure proper governance of shared data repositories
Recommended
Shared Drive creation restricted to specific groups or admins
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive creation > Restrict who can create shared drives
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST CM-7, NIST AC-6, MITRE T1530, CIS 2.4
DRIVE-005 — Shared Drive Member Management
Medium FAIL
Description
Shared Drive member management should be controlled to prevent unauthorized users from being added or permissions being escalated
Recommended
Only managers can add members and change access levels
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive settings > Configure member management permissions
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST AC-3, NIST AC-6(1), MITRE T1098, CIS 2.5
DRIVE-007 — File Ownership Transfer Settings
Medium FAIL
Description
File ownership transfer should be controlled to prevent unauthorized data migration and maintain proper data governance chains
Recommended
File ownership transfer restricted to admins or controlled process
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Transfer ownership settings > Configure restrictions
Reference
https://admin.google.com/ac/appsettings/55656082996/sharing
Compliance
NIST AC-3, NIST MP-5, MITRE T1537, CIS 2.7
DRIVE-008 — Drive for Desktop Allowed/Blocked
Medium FAIL
Description
Drive for Desktop syncs files locally and should be controlled to prevent data from being stored on unmanaged endpoints
Recommended
Drive for Desktop restricted to managed devices or disabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Drive for Desktop > Configure access
Reference
https://admin.google.com/ac/appsettings/55656082996/drivefordesktop
Compliance
NIST SC-28, NIST MP-7, MITRE T1530, MITRE T1005, CIS 2.8
DRIVE-010 — Drive DLP Rules Audit
Medium FAIL
Description
Data Loss Prevention rules should be configured to detect and prevent sharing of sensitive data through Google Drive
Recommended
DLP rules configured for sensitive data types (PII, financial, health data)
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Data protection > Manage rules > Create rules for sensitive data types in Drive
Reference
https://admin.google.com/ac/dp/rules
Compliance
NIST SC-7, NIST SI-4, MITRE T1567, MITRE T1048, CIS 2.10
DRIVE-011 — Target Audience Settings
Medium FAIL
Description
Target audience settings control who can be suggested when sharing files and should be configured to limit accidental sharing
Recommended
Target audiences configured to limit sharing suggestions appropriately
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Directory > Target audiences > Review and configure target audience groups
Reference
https://admin.google.com/ac/targetaudiences
Compliance
NIST AC-3, NIST AC-6, MITRE T1530, CIS 2.11
DRIVE-013 — Offline Access Settings
Medium FAIL
Description
Offline access allows Drive files to be cached locally on devices and should be controlled to prevent data exposure on shared or unmanaged devices
Recommended
Offline access disabled or restricted to managed devices
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Offline > Disable or restrict offline access
Reference
https://admin.google.com/ac/appsettings/55656082996/offlineaccess
Compliance
NIST SC-28, NIST AC-19, MITRE T1005, MITRE T1530, CIS 2.13
DRIVE-012 — Drive Add-ons Settings
Low FAIL
Description
Drive add-ons can access file content and should be controlled to prevent data exposure through untrusted extensions
Recommended
Drive add-on installation restricted to admin-approved add-ons
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Add-ons > Configure installation restrictions
Reference
https://admin.google.com/ac/appsettings/55656082996/addons
Compliance
NIST CM-7, NIST CM-11, MITRE T1195.002, CIS 2.12

Email Security (22 checks, 22 failing)

EMAIL-001 — SPF Record Validation
Critical FAIL
Description
Sender Policy Framework (SPF) records must exist and be valid for all domains. SPF prevents email spoofing by specifying which mail servers are authorized to send email on behalf of a domain
Recommended
Valid v=spf1 record published for all domains with -all or ~all qualifier
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Authenticate email > Publish SPF record: v=spf1 include:_spf.google.com ~all for each domain
Reference
https://admin.google.com/ac/apps/gmail/authenticateemail
Compliance
NIST SI-8, NIST SC-7, MITRE T1566.001, MITRE T1566.002, CIS 2.1
EMAIL-002 — DKIM Signing Enabled
Critical FAIL
Description
DomainKeys Identified Mail (DKIM) signing must be enabled and valid for all domains. DKIM provides cryptographic proof that email content has not been tampered with in transit
Recommended
DKIM signing enabled with valid key published for all domains
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Authenticate email > Generate DKIM key and publish DNS record for each domain
Reference
https://admin.google.com/ac/apps/gmail/authenticateemail
Compliance
NIST SI-8, NIST SC-8, MITRE T1566.001, MITRE T1566.002, CIS 2.2
EMAIL-003 — DMARC Policy Audit
Critical FAIL
Description
Domain-based Message Authentication, Reporting and Conformance (DMARC) policy must be set to reject or quarantine for all domains. A DMARC policy of none provides no protection against spoofing
Recommended
DMARC policy set to reject or quarantine for all domains
Current Value
Not configured / Non-compliant
Remediation
Publish DMARC TXT record at _dmarc.<domain> with p=reject or p=quarantine. Start with p=none for monitoring, then escalate to quarantine and finally reject
Reference
https://admin.google.com/ac/apps/gmail/authenticateemail
Compliance
NIST SI-8, NIST SC-7, MITRE T1566.001, MITRE T1566.002, MITRE T1036.005, CIS 2.3
EMAIL-017 — Spoofing and Authentication Protection
Critical FAIL
Description
Spoofing and authentication protections guard against domain spoofing, employee name spoofing, and unauthenticated email from domains that appear similar to the organization
Recommended
All spoofing and authentication protections enabled with quarantine action
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Safety > Spoofing and authentication > Enable all protections: domain spoofing, employee name spoofing, inbound email spoofing, and unauthenticated email
Reference
https://admin.google.com/ac/apps/gmail/safety
Compliance
NIST SI-8, NIST IA-9, MITRE T1566.001, MITRE T1566.002, MITRE T1036.005, CIS 2.17
EMAIL-005 — TLS Enforcement
High FAIL
Description
Transport Layer Security (TLS) should be required for email transmission to prevent eavesdropping. Compliance TLS settings ensure encrypted connections with specified partner domains
Recommended
TLS required for all outbound and inbound connections
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Compliance > Secure transport (TLS) compliance > Add rule requiring TLS for all domains or specific partner domains
Reference
https://admin.google.com/ac/apps/gmail/compliance
Compliance
NIST SC-8, NIST SC-8(1), NIST SC-23, MITRE T1557, MITRE T1040, CIS 2.5
EMAIL-009 — Auto-Forwarding Policy
High FAIL
Description
Automatic email forwarding to external addresses should be disabled to prevent data exfiltration. Attackers frequently set up forwarding rules after compromising an account
Recommended
Auto-forwarding disabled for all organizational units
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > End User Access > Disable automatic forwarding for all OUs. Review existing forwarding rules via Gmail API
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST AC-4, NIST SC-7, MITRE T1114.003, MITRE T1020, CIS 2.9
EMAIL-011 — POP/IMAP Access Settings
High FAIL
Description
POP and IMAP access should be disabled unless specifically required. These legacy protocols bypass modern security controls and can be used for credential-based attacks
Recommended
POP and IMAP disabled for all users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > End User Access > Disable POP and IMAP access. Review individual user settings via Gmail API
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST AC-17(2), NIST CM-7, MITRE T1078.004, MITRE T1110, CIS 2.11
EMAIL-012 — Spam and Phishing Filter Settings
High FAIL
Description
Enhanced spam and phishing filters should be enabled to provide maximum protection against social engineering attacks and malicious email campaigns
Recommended
Enhanced spam filtering and aggressive phishing detection enabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Spam, phishing and malware > Enable 'Be more aggressive when filtering spam' and all phishing protection options
Reference
https://admin.google.com/ac/apps/gmail/spam
Compliance
NIST SI-8, NIST SI-3, MITRE T1566.001, MITRE T1566.002, CIS 2.12
EMAIL-013 — Enhanced Pre-Delivery Message Scanning
High FAIL
Description
Enhanced pre-delivery message scanning uses advanced heuristics and sandboxing to detect malware and threats before messages are delivered to user inboxes
Recommended
Enhanced pre-delivery message scanning enabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Spam, phishing and malware > Enable 'Enhanced pre-delivery message scanning' to identify suspicious content
Reference
https://admin.google.com/ac/apps/gmail/spam
Compliance
NIST SI-3, NIST SI-8, MITRE T1566.001, MITRE T1204.001, CIS 2.13
EMAIL-015 — Attachment Safety Settings
High FAIL
Description
All attachment safety protections should be enabled to detect and block malicious file attachments including encrypted archives, anomalous file types, and scripts
Recommended
All attachment protection options enabled with quarantine action
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Safety > Attachments > Enable all protections: encrypted attachments, scripts from untrusted senders, and anomalous attachment types
Reference
https://admin.google.com/ac/apps/gmail/safety
Compliance
NIST SI-3, NIST SI-8, MITRE T1566.001, MITRE T1204.002, CIS 2.15
EMAIL-016 — Links and External Images Protection
High FAIL
Description
Link protection should be enabled to scan URLs for phishing and malware. External image proxying prevents tracking pixels and IP disclosure
Recommended
URL scanning, click-time warnings, and external image proxying enabled
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Safety > Links and external images > Enable 'Identify links behind shortened URLs', 'Scan linked images', and 'Show warning prompt for click on links to untrusted domains'
Reference
https://admin.google.com/ac/apps/gmail/safety
Compliance
NIST SI-3, NIST SI-8, MITRE T1566.002, MITRE T1204.001, CIS 2.16
EMAIL-022 — Mail Forwarding Rule Enumeration
High FAIL
Description
All user-level mail forwarding rules should be enumerated and reviewed. Attackers commonly set up forwarding rules to maintain persistent access to email after account compromise
Recommended
No unauthorized forwarding rules; all forwarding rules documented and approved
Current Value
Not configured / Non-compliant
Remediation
Enumerate forwarding rules via Gmail API for all users. Remove unauthorized forwarding addresses. Disable auto-forwarding at the OU level to prevent future abuse
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST AC-4, NIST SI-4, NIST AU-6, MITRE T1114.003, MITRE T1020, CIS 2.22
EMAIL-004 — MTA-STS Policy
Medium FAIL
Description
Mail Transfer Agent Strict Transport Security (MTA-STS) prevents TLS downgrade attacks and man-in-the-middle interception of email in transit by requiring authenticated TLS connections
Recommended
MTA-STS TXT record published and policy hosted at https://mta-sts.<domain>/.well-known/mta-sts.txt
Current Value
Not configured / Non-compliant
Remediation
Publish _mta-sts.<domain> TXT record with v=STSv1; id=<unique_id> and host MTA-STS policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt
Reference
https://admin.google.com/ac/apps/gmail/compliance
Compliance
NIST SC-8, NIST SC-8(1), MITRE T1557, MITRE T1040, CIS 2.4
EMAIL-006 — Email Allowlist/Blocklist Review
Medium FAIL
Description
Email allowlists and blocklists should be reviewed for overly permissive entries. Allowlisted senders bypass spam filtering and can be exploited if misconfigured
Recommended
Minimal allowlist entries with no wildcard domains; blocklist actively maintained
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Spam, phishing and malware > Review Email allowlists and Blocked senders lists for overly broad entries
Reference
https://admin.google.com/ac/apps/gmail/spam
Compliance
NIST SI-8, NIST SC-7(5), MITRE T1566.001, CIS 2.6
EMAIL-007 — Inbound Gateway Configuration
Medium FAIL
Description
Inbound email gateways should be properly configured to preserve sender authentication results. Misconfigured gateways can strip SPF/DKIM/DMARC headers or bypass security filtering
Recommended
Inbound gateways configured with correct IP ranges and header preservation
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Spam, phishing and malware > Inbound gateway > Verify gateway IPs and that authentication headers are preserved
Reference
https://admin.google.com/ac/apps/gmail/inboundgateway
Compliance
NIST SI-8, NIST SC-7, MITRE T1566.001, MITRE T1566.002, CIS 2.7
EMAIL-008 — Email Routing Rules Audit
Medium FAIL
Description
Email routing rules should be reviewed for suspicious or unauthorized configurations. Malicious routing rules can redirect email to attacker-controlled destinations
Recommended
All routing rules reviewed and documented with business justification
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Routing > Review all routing rules, default routing, and recipient maps for unauthorized entries
Reference
https://admin.google.com/ac/apps/gmail/routing
Compliance
NIST SI-4, NIST AU-6, MITRE T1114.003, MITRE T1020, CIS 2.8
EMAIL-010 — Delegate Access Settings
Medium FAIL
Description
Mail delegation allows users to grant other users read and send access to their mailbox. Excessive delegation can lead to unauthorized access and impersonation
Recommended
Mail delegation restricted and reviewed periodically; no unexpected delegates
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > End User Access > Review mail delegation settings. Check individual users for unauthorized delegates via Gmail API
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST AC-3, NIST AC-6(1), MITRE T1098.002, MITRE T1114.002, CIS 2.10
EMAIL-014 — External Recipient Warning
Medium FAIL
Description
Users should be warned when sending email to recipients outside the organization to prevent accidental data disclosure and social engineering
Recommended
External recipient warning enabled for all users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > End User Access > Enable 'Warn users when they send messages outside the domain'
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST AC-4, NIST AT-2, MITRE T1048, MITRE T1567, CIS 2.14
EMAIL-018 — Compliance Rules Audit
Medium FAIL
Description
Content compliance rules should be reviewed to ensure sensitive data is appropriately handled. Rules can enforce encryption, quarantine, or rejection based on content patterns
Recommended
Content compliance rules configured for sensitive data types with appropriate actions
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > Compliance > Content compliance > Review existing rules and create rules for sensitive content types (PII, financial data, health records)
Reference
https://admin.google.com/ac/apps/gmail/compliance
Compliance
NIST AC-4, NIST SI-4, NIST SC-7, MITRE T1048, MITRE T1567, CIS 2.18
EMAIL-019 — DLP Rules Configuration
Medium FAIL
Description
Data Loss Prevention (DLP) rules should be configured to detect and prevent sensitive data from leaving the organization via email. DLP provides automated content inspection and policy enforcement
Recommended
DLP rules configured for key data types (credit cards, SSNs, health records) with block or warn action
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Data protection > Manage rules > Create DLP rules for Gmail that detect sensitive content patterns and apply appropriate actions
Reference
https://admin.google.com/ac/apps/gmail/compliance
Compliance
NIST AC-4, NIST SC-7, NIST SI-4, MITRE T1048, MITRE T1567, MITRE T1020, CIS 2.19
EMAIL-020 — Gmail Confidential Mode
Low FAIL
Description
Gmail confidential mode allows senders to set expiration dates and revoke access to messages. Review whether this feature is enabled or restricted per organizational policy
Recommended
Gmail confidential mode enabled for users who handle sensitive data
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > End User Access > Review Gmail confidential mode settings and enable or restrict based on organizational requirements
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST AC-4, NIST SC-28, MITRE T1114.002, CIS 2.20
EMAIL-021 — S/MIME Settings
Low FAIL
Description
S/MIME provides end-to-end email encryption and digital signatures. If required by compliance, S/MIME certificates should be properly configured and managed
Recommended
S/MIME enabled if required by compliance; certificates properly managed
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace > Gmail > End User Access > S/MIME > Enable hosted S/MIME if required and ensure certificates are uploaded and valid
Reference
https://admin.google.com/ac/apps/gmail/enduseraccess
Compliance
NIST SC-8(1), NIST SC-12, MITRE T1557, MITRE T1040, CIS 2.21

Logging, Alerting & Monitoring (6 checks, 6 failing)

LOG-001 — Audit Log Retention Settings
High FAIL
Description
Audit logs should be retained for an adequate period to support incident investigation and compliance requirements. Default retention varies by Workspace edition
Recommended
Audit log retention of 12 months or longer; extended via BigQuery export for long-term retention
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Reporting > Audit and investigation > Review log availability. Configure BigQuery export via Admin Console > Reporting > BigQuery export for long-term retention
Reference
https://admin.google.com/ac/reporting/audit
Compliance
NIST AU-11, NIST AU-4, MITRE T1070, MITRE T1562.008, CIS 7.1
LOG-002 — Alert Center Rules Inventory
High FAIL
Description
Alert Center rules should be configured to detect and notify on security-relevant events including suspicious logins, data exfiltration, and policy violations
Recommended
Alert rules configured for key security events (suspicious login, data exfiltration, privilege changes)
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Alert center > Review existing rules > Create rules for missing security event categories
Reference
https://admin.google.com/ac/ac
Compliance
NIST SI-4, NIST IR-5, MITRE T1562.008, CIS 7.2
LOG-003 — Activity Rules Coverage Analysis
Medium FAIL
Description
Activity rules should provide adequate coverage across security domains including login, Drive, Admin, and email events
Recommended
Activity rules covering login, Drive sharing, admin changes, email forwarding, and OAuth events
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Alert center > Rules > Review coverage across event categories > Add rules for uncovered security domains
Reference
https://admin.google.com/ac/ac/rules
Compliance
NIST SI-4(5), NIST AU-6, MITRE T1562.008, CIS 7.3
LOG-004 — Data Export Settings
Medium FAIL
Description
Google Takeout (data export) should be controlled to prevent users from bulk-exporting organizational data outside the domain
Recommended
Google Takeout disabled or restricted for most users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Additional Google services > Google Takeout > Disable or restrict for applicable OUs
Reference
https://admin.google.com/ac/appsettings/986128702541/additional_services
Compliance
NIST AC-4, NIST MP-5, MITRE T1567, MITRE T1537, CIS 7.4
LOG-005 — Admin Email Alerts Configuration
Medium FAIL
Description
Email alerts should be configured for critical admin actions including super admin changes, security setting modifications, and bulk operations
Recommended
Email alerts enabled for critical admin actions and security events
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > Alert center > Configure email notification recipients for critical alert types
Reference
https://admin.google.com/ac/ac
Compliance
NIST SI-4, NIST AU-5, MITRE T1562.008, CIS 7.5
LOG-006 — Reporting API Access
Low FAIL
Description
Access to the Reports API should be reviewed to ensure only authorized service accounts and applications can retrieve audit and usage data
Recommended
Reports API access restricted to authorized service accounts only
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > Domain-wide delegation > Review grants with Reports API scopes > Remove unauthorized access
Reference
https://admin.google.com/ac/owl/domainwidedelegation
Compliance
NIST AU-9, NIST AC-3, MITRE T1530, CIS 7.6

OAuth & API Security (10 checks, 10 failing)

OAUTH-003 — OAuth Scope Analysis
Critical FAIL
Description
OAuth applications with high-risk scopes (Gmail, Drive, Admin) pose significant data exfiltration risk and must be reviewed and restricted
Recommended
No unauthorized apps with high-risk scopes (gmail, drive, admin)
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > App access control > Review apps with sensitive scopes > Revoke or restrict as needed
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST AC-6, NIST AC-3, MITRE T1528, MITRE T1114.002, MITRE T1530, CIS 3.3
OAUTH-008 — Domain-Wide Delegation Grants Audit
Critical FAIL
Description
Domain-wide delegation allows service accounts to impersonate any user and access their data. Unauthorized or overly permissive grants represent a critical security risk
Recommended
Minimal domain-wide delegation grants with scoped permissions; all grants reviewed and approved
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > Domain-wide delegation > Review all grants, remove unnecessary ones, and restrict scopes to minimum required
Reference
https://admin.google.com/ac/owl/domainwidedelegation
Compliance
NIST AC-6(1), NIST AC-2(7), MITRE T1098.003, MITRE T1134.001, CIS 3.8
OAUTH-001 — OAuth App Whitelist/Blocklist
High FAIL
Description
OAuth app access should be governed by an allowlist or blocklist to prevent unauthorized applications from accessing organizational data
Recommended
OAuth app allowlist configured with only approved applications
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > App access control > Manage third-party app access > Configure trusted/blocked apps
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST CM-7, NIST AC-3, MITRE T1550.001, MITRE T1528, CIS 3.1
OAUTH-002 — Installed OAuth Apps Inventory
High FAIL
Description
All OAuth applications installed by users should be inventoried and reviewed to identify unauthorized or risky applications accessing organizational data
Recommended
All installed OAuth apps reviewed and approved by security team
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > App access control > Review installed apps and revoke access for unauthorized applications
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST CM-8, NIST CM-11, MITRE T1528, MITRE T1550.001, CIS 3.2
OAUTH-004 — OAuth App Risk Scoring
High FAIL
Description
OAuth applications should be risk-scored based on their granted scopes and publisher trust to prioritize security review
Recommended
All high-risk apps reviewed and approved; no unreviewed apps with broad scopes
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > App access control > Review apps sorted by scope breadth > Address high-risk applications
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST RA-3, NIST CM-11, MITRE T1528, CIS 3.4
OAUTH-005 — Unverified App Access Policy
High FAIL
Description
Access to unverified third-party apps should be restricted to prevent users from granting permissions to potentially malicious applications
Recommended
Unverified app access blocked for all users
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > App access control > Settings > Block unverified apps
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST CM-7, NIST SI-7, MITRE T1528, MITRE T1204.003, CIS 3.5
OAUTH-009 — Service Account Key Enumeration
High FAIL
Description
Service account keys should be inventoried and rotated regularly. Leaked or stale keys provide persistent unauthorized access
Recommended
All service account keys inventoried, rotated within 90 days, and unused keys removed
Current Value
Not configured / Non-compliant
Remediation
Google Cloud Console > IAM & Admin > Service accounts > Review and rotate keys > Remove unused service account keys
Reference
https://console.cloud.google.com/iam-admin/serviceaccounts
Compliance
NIST IA-5(1), NIST AC-2(3), MITRE T1078.004, MITRE T1552.004, CIS 3.9
OAUTH-010 — Connected Apps With Sensitive Scopes
High FAIL
Description
Applications with access to Drive, Gmail, or Calendar data should be inventoried and validated to prevent data exfiltration through connected apps
Recommended
All apps with sensitive scopes (Drive, Gmail, Calendar) reviewed and approved
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > App access control > Filter by scope (Drive, Gmail, Calendar) > Review and restrict unauthorized apps
Reference
https://admin.google.com/ac/owl/list?tab=apps
Compliance
NIST AC-3, NIST AC-6, MITRE T1530, MITRE T1114.002, MITRE T1528, CIS 3.10
OAUTH-006 — API Access Control
Medium FAIL
Description
API access should be controlled with appropriate scoping and restrictions to prevent unauthorized programmatic access to organizational data
Recommended
API access restricted to approved applications and scopes
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Security > API controls > Manage Google Services > Restrict API access to trusted apps only
Reference
https://admin.google.com/ac/owl/list?tab=services
Compliance
NIST AC-3, NIST AC-17, MITRE T1106, CIS 3.6
OAUTH-007 — Marketplace App Installation Restrictions
Medium FAIL
Description
Google Workspace Marketplace app installation should be restricted to prevent users from installing unauthorized applications
Recommended
Marketplace app installation restricted to admin-approved apps or allowlisted apps only
Current Value
Not configured / Non-compliant
Remediation
Admin Console > Apps > Google Workspace Marketplace apps > Settings > Restrict marketplace app installation
Reference
https://admin.google.com/ac/appsettings/986702928867
Compliance
NIST CM-11, NIST CM-7, MITRE T1195.002, MITRE T1204.003, CIS 3.7

Active Directory

AD ACL & Delegation (16 checks, 16 failing)

ADACL-001 — Critical Object ACL Audit
Critical FAIL
Description
Access control lists on critical AD objects (Domain Root, AdminSDHolder, Schema, Configuration, Domain Controllers OU) must be audited for unauthorized or excessive permissions. Misconfigured ACLs on these objects can allow attackers to escalate privileges, modify directory services, or take full control of the domain
Recommended
Only default and explicitly authorized ACEs on critical AD objects; no unexpected principals with modify or full-control access
Current Value
Not configured / Non-compliant
Remediation
Review ACLs on critical objects using Get-Acl or dsacls.exe. Remove non-default ACEs that grant write, modify, or full-control permissions to unauthorized principals. Use AdminSDHolder to enforce consistent ACLs on protected groups. Document all intentional delegations.
Compliance
NIST AC-6, NIST AC-6(5), NIST AU-6, MITRE T1222.001, MITRE T1003.006, ANSSI vuln_permissions_adminsdholder
ADACL-002 — GenericAll Permissions on Critical Objects
Critical FAIL
Description
GenericAll grants full control over an AD object including the ability to modify attributes, reset passwords, change group membership, and modify the DACL. Non-default principals with GenericAll on critical objects such as domain admins, domain controllers, or the domain root represent a direct path to domain compromise
Recommended
No non-default principals with GenericAll on critical AD objects
Current Value
Not configured / Non-compliant
Remediation
Enumerate ACLs on critical objects using PowerShell or BloodHound. Remove GenericAll ACEs for any principal that does not require full control. Replace with least-privilege delegated permissions where operational needs exist. Monitor for ACL changes using Directory Service Changes auditing (Event ID 5136).
Compliance
NIST AC-6, NIST AC-6(1), NIST AC-3, MITRE T1222.001, MITRE T1098, ANSSI vuln_permissions_genericall
ADACL-004 — WriteDACL Permissions on Critical Objects
Critical FAIL
Description
WriteDACL permission allows a principal to modify the discretionary access control list of an object, effectively granting the ability to assign any permission including GenericAll to themselves or others. This is a critical privilege escalation vector as it enables an attacker to grant themselves full control without directly having it
Recommended
No non-default principals with WriteDACL on critical AD objects
Current Value
Not configured / Non-compliant
Remediation
Enumerate WriteDACL permissions on all critical objects including the domain root, AdminSDHolder, GPO objects, and privileged group objects. Remove WriteDACL for non-default principals. Enable auditing of ACL changes (Event ID 5136) to detect unauthorized DACL modifications. Review changes regularly.
Compliance
NIST AC-6, NIST AC-6(1), NIST AC-3, NIST AU-12, MITRE T1222.001, MITRE T1098, ANSSI vuln_permissions_writedacl
ADACL-005 — WriteOwner Permissions on Critical Objects
Critical FAIL
Description
WriteOwner permission allows changing the owner of an AD object. The owner of an object implicitly has the ability to modify the DACL, making WriteOwner functionally equivalent to WriteDACL from an attack perspective. An attacker can take ownership and then grant themselves any desired permissions
Recommended
No non-default principals with WriteOwner on critical AD objects
Current Value
Not configured / Non-compliant
Remediation
Audit WriteOwner permissions on critical objects. Remove WriteOwner ACEs for non-default principals. Verify that object owners are appropriate privileged accounts. Enable ownership change auditing and monitor Event ID 4662 for WriteOwner operations.
Compliance
NIST AC-6, NIST AC-6(1), NIST AC-3, MITRE T1222.001, MITRE T1098, ANSSI vuln_permissions_writeowner
ADACL-007 — Excessive Delegation to Broad Groups
Critical FAIL
Description
Delegation of sensitive permissions to broad groups such as Authenticated Users, Domain Users, or Everyone creates a wide attack surface where any compromised account can abuse the delegated rights. This is a common misconfiguration that dramatically reduces the effort required for privilege escalation
Recommended
No sensitive permissions delegated to Authenticated Users, Domain Users, Everyone, or other broad groups
Current Value
Not configured / Non-compliant
Remediation
Audit all ACLs for ACEs granted to well-known broad groups (S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-21-<domain>-513 Domain Users, S-1-5-21-<domain>-515 Domain Computers). Replace broad-group delegations with specific security groups containing only the required principals. Apply delegations at the narrowest OU scope possible.
Compliance
NIST AC-6, NIST AC-6(1), NIST AC-3(7), MITRE T1222.001, MITRE T1069.002, ANSSI vuln_delegation_broad_groups
ADACL-010 — Extended Rights Audit
Critical FAIL
Description
Extended rights (control-access rights) in Active Directory include powerful operations such as DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, which together allow a principal to pull password hashes from a DC (DCSync), and User-Force-Change-Password. Unauthorized grants of these rights can lead to full domain compromise through credential theft or direct account takeover
Recommended
Extended rights limited to default and explicitly authorized principals; replication rights only on domain controllers and documented replication accounts (for example the Entra Connect / Azure AD Connect synchronization account)
Current Value
Not configured / Non-compliant
Remediation
Enumerate all extended rights ACEs on the domain root and critical objects. Verify that DS-Replication-Get-Changes and DS-Replication-Get-Changes-All are only granted to domain controllers and documented replication accounts. Remove any non-default extended rights grants. Monitor Event ID 4662 for replication-right usage (Properties containing 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from any account that is not a domain controller.
Compliance
NIST AC-6, NIST AC-6(5), NIST AU-12, MITRE T1003.006, MITRE T1098, ANSSI vuln_dcsync_rights
ADACL-015 — Shadow Admins Detection
Critical FAIL
Description
Shadow Admins are accounts that reach Domain Admin-equivalent control through ACL chains rather than through membership of a privileged group. Because they are not members of a protected group, AdminSDHolder does not harden their ACLs and group-membership monitoring does not list them. For example, an account with WriteDACL on the Domain Admins group object can add itself to the group at any moment; until it does, nothing about its memberships suggests it is an administrator
Recommended
No shadow admin paths identified; all admin-equivalent access is through explicit privileged group membership
Current Value
Not configured / Non-compliant
Remediation
Use BloodHound or similar tools to identify ACL-based attack paths to Domain Admin-equivalent access. Remove unnecessary ACEs that create indirect privilege escalation paths. Ensure all administrative access is granted through protected group membership. Implement regular attack path analysis as part of security operations.
Compliance
NIST AC-6, NIST AC-6(5), NIST AC-2(7), MITRE T1222.001, MITRE T1098, MITRE T1069.002, ANSSI vuln_shadow_admins
ADACL-016 — Attack Path Enumeration
Critical FAIL
Description
Active Directory attack paths are chains of permissions, group memberships, and trust relationships that can be traversed to escalate from a low-privileged account to domain administrator. Comprehensive attack path enumeration identifies risks that individual ACL checks may miss, such as multi-hop escalation chains through intermediate objects
Recommended
No viable attack paths from unprivileged users to Tier 0 assets; all identified paths remediated or documented as accepted risk
Current Value
Not configured / Non-compliant
Remediation
Perform attack path analysis using tools such as BloodHound. Focus on shortest paths from Domain Users or Authenticated Users to Domain Admins, Enterprise Admins, and Domain Controllers. Break identified attack chains by removing the weakest link in each path. Prioritize paths that can be exploited without any special tools or elevated access.
Compliance
NIST AC-6, NIST RA-5, NIST CA-8, MITRE T1222.001, MITRE T1069.002, MITRE T1098, ANSSI vuln_attack_paths
ADACL-003 — GenericWrite Permissions on Critical Objects
High FAIL
Description
GenericWrite allows modification of most attributes on an object. What that buys an attacker depends on the object class: on a user or computer it enables targeted Kerberoasting (writing servicePrincipalName), Resource-Based Constrained Delegation (writing msDS-AllowedToActOnBehalfOfOtherIdentity on a computer) or Shadow Credentials (writing msDS-KeyCredentialLink); on a group it allows adding members. Non-default principals with GenericWrite on critical objects should be investigated
Recommended
No non-default principals with GenericWrite on critical AD objects
Current Value
Not configured / Non-compliant
Remediation
Audit ACLs on user, computer, and group objects for GenericWrite permissions. Remove unnecessary GenericWrite ACEs and replace with specific attribute-level write permissions. Pay special attention to write access on msDS-AllowedToActOnBehalfOfOtherIdentity, servicePrincipalName, and msDS-KeyCredentialLink attributes.
Compliance
NIST AC-6, NIST AC-6(1), NIST AC-3, MITRE T1222.001, MITRE T1098, ANSSI vuln_permissions_genericwrite
ADACL-006 — ForceChangePassword Rights
High FAIL
Description
The Extended Right User-Force-Change-Password (also known as Reset Password) allows a principal to reset another user's password without knowing the current password. When granted to non-privileged accounts or broad groups, this creates a direct account takeover path that bypasses normal authentication requirements
Recommended
ForceChangePassword limited to authorized helpdesk and admin groups only; not granted to non-privileged accounts
Current Value
Not configured / Non-compliant
Remediation
Enumerate all principals with User-Force-Change-Password extended right on user objects. Verify each delegation is intentional and scoped appropriately. Remove rights from any principal that does not have a documented operational need. Use OU-scoped delegation rather than domain-wide grants.
Compliance
NIST AC-6, NIST IA-5(1), MITRE T1098, MITRE T1078.002, ANSSI vuln_permissions_resetpassword
ADACL-009 — Machine Account Quota
High FAIL
Description
The ms-DS-MachineAccountQuota attribute on the domain root determines how many computer accounts any authenticated user can create. The default value of 10 allows any domain user to join computers to the domain, creating machine accounts that can be abused for resource-based constrained delegation attacks, relay attacks, and other privilege escalation techniques
Recommended
ms-DS-MachineAccountQuota set to 0
Current Value
Not configured / Non-compliant
Remediation
Set ms-DS-MachineAccountQuota to 0 on the domain root using Set-ADDomain -Identity (Get-ADDomain) -Replace @{'ms-DS-MachineAccountQuota'=0}. The quota only governs joins performed under the 'Add workstations to domain' user right; principals holding a delegated Create Computer objects permission on an OU are unaffected, so delegate computer account creation to specific admin groups or use a prestaging workflow. Review existing computer accounts created by non-admin users: accounts created through the quota carry the creator's SID in the mS-DS-CreatorSID attribute.
Compliance
NIST CM-6, NIST AC-6, MITRE T1098, MITRE T1136.002, ANSSI vuln_machineaccountquota
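The three remediation steps above (read the quota, find accounts that were created through it, close it) as one PowerShell script. This is an added example, not PSGuerrilla's own code; it assumes the ActiveDirectory RSAT module, a domain-joined session for the report, and Domain Admin rights for the final Set-ADDomain.

```powershell
# Added example (not PSGuerrilla code). Reports ms-DS-MachineAccountQuota, lists the
# computer accounts that were created through the quota, and sets the quota to 0.
# Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaReport {
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                 -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # AD stamps mS-DS-CreatorSID on a computer object only when the creator joined it
    # under the quota (i.e. without Create Computer objects rights). Administrators'
    # joins leave the attribute empty, so this list is exactly the quota-created set.
    $quotaJoined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
                       -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
        }

    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        Quota                = $quota
        QuotaJoinedComputers = @($quotaJoined)
    }
}

function Set-MachineAccountQuotaZero {
    $domain = Get-ADDomain
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    # Read the value back to confirm the change replicated to the DC we are talking to.
    # Note: 0 closes the quota, but any principal with a delegated "Create Computer
    # objects" permission on an OU can still create machine accounts.
    (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

$report = Get-MachineAccountQuotaReport
'{0}: ms-DS-MachineAccountQuota = {1}; {2} computer account(s) created through the quota' -f `
    $report.Domain, $report.Quota, $report.QuotaJoinedComputers.Count
$report.QuotaJoinedComputers | Sort-Object Creator, Created | Format-Table -AutoSize

# Uncomment once the quota-created accounts have been reviewed:
# Set-MachineAccountQuotaZero
```

Run the report first and decide what to do with each quota-created account (re-own it, delete it, or document it) before closing the quota; a creator SID that no longer resolves to an account is itself worth a look.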
ADACL-011 — Ownership of Critical Objects
High FAIL
Description
The owner of an AD object has implicit permission to modify the object's DACL regardless of the explicit ACL entries. If critical objects such as the domain root, AdminSDHolder, privileged groups, or GPOs are owned by non-privileged or unexpected accounts, those accounts have a hidden path to full control
Recommended
Critical objects owned only by their default owners (Administrators, Domain Admins, Enterprise Admins, and Schema Admins for the Schema container) or SYSTEM
Current Value
Not configured / Non-compliant
Remediation
Enumerate ownership of all critical objects including the domain root, AdminSDHolder, Schema container, Configuration container, privileged group objects, and GPO objects. Transfer ownership of any incorrectly owned objects to Domain Admins using Set-Acl or the Security tab in ADUC. Enable auditing for ownership changes.
Compliance
NIST AC-6, NIST AC-3, MITRE T1222.001, ANSSI vuln_object_ownership
ADACL-012 — Non-Default Domain Root Permissions
High FAIL
Description
The domain root object is the top of the AD hierarchy and permissions set here can inherit throughout the entire directory. Non-default ACEs on the domain root that grant write, modify, or extended rights to unexpected principals represent a significant risk as they can affect every object in the domain
Recommended
Only default Microsoft ACEs on the domain root; all custom ACEs documented and justified
Current Value
Not configured / Non-compliant
Remediation
Compare current domain root ACL against the default ACL for your domain functional level. Document any non-default ACEs and validate their operational necessity. Remove ACEs that are no longer required or that grant excessive permissions. Pay special attention to ACEs that apply to 'This object and all descendant objects'.
Compliance
NIST AC-6, NIST AC-3, NIST CM-6, MITRE T1222.001, MITRE T1003.006
ADACL-013 — GPO Link Permissions
High FAIL
Description
The ability to link Group Policy Objects to sites, domains, or OUs controls which policies apply to which objects. Unauthorized GPO link permissions allow an attacker to apply malicious GPOs to targeted OUs, potentially deploying malware, modifying security settings, or creating scheduled tasks on affected computers
Recommended
GPO link permissions restricted to authorized Group Policy administrators only
Current Value
Not configured / Non-compliant
Remediation
Audit gPLink and gPOptions write permissions on all OUs, the domain root, and site objects. Remove GPO link permissions from non-administrative principals. Use Group Policy Modeling to verify the impact of current GPO links. Implement change control for GPO linking operations.
Compliance
NIST AC-6, NIST CM-5, MITRE T1484.001, ANSSI vuln_gpo_link_permissions
ADACL-014 — GPO Edit Permissions
High FAIL
Description
Permissions to edit Group Policy Objects allow modification of domain-wide security settings, software deployment, logon scripts, and scheduled tasks. Unauthorized GPO edit access is a high-value target for attackers as it enables widespread code execution and configuration changes across the environment
Recommended
GPO edit permissions restricted to Group Policy Creator Owners and authorized administrators only
Current Value
Not configured / Non-compliant
Remediation
Review the security filtering and delegation tabs on each GPO. Verify that only authorized principals have Edit settings, Delete, or Modify security permissions. Remove GPO edit permissions from non-administrative groups. Use the Group Policy Management Console to audit GPO permissions systematically; GPO permissions exist both on the groupPolicyContainer object in AD and on the policy folder under SYSVOL, and the two must stay consistent (a mismatch is itself a sign of manual tampering).
Compliance
NIST AC-6, NIST CM-5, NIST CM-6, MITRE T1484.001, ANSSI vuln_gpo_edit_permissions
ADACL-008 — OU Delegation Analysis
Medium FAIL
Description
Organizational Unit delegation is the recommended method for granting administrative permissions in Active Directory, but misconfigured OU delegations can create unintended access paths. This check analyzes all OU-level permission delegations to identify overly permissive grants, inherited permissions that bypass intended scoping, and delegations that may have become stale
Recommended
All OU delegations documented, scoped to specific object types, and using least-privilege permissions
Current Value
Not configured / Non-compliant
Remediation
Review all non-default ACEs on each OU using dsacls.exe or PowerShell. Verify that delegations use the InheritedObjectType to scope permissions to specific object classes. Remove delegations that are no longer required. Document all intentional delegations in an authorization matrix.
Compliance
NIST AC-6, NIST AC-6(3), NIST CM-5, MITRE T1222.001
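The ACL checks in this category (the WriteDACL check above, ADACL-003, -005, -006, -007, -008, -010, -011, -012, -013 and -014) all reduce to the same enumeration: walk the Tier 0 objects, every OU and site, and every GPO container, and report owners and Allow ACEs held by anything outside the default administrative principals. The script below does that in one pass. It is an added example, not PSGuerrilla's own code; it assumes the ActiveDirectory RSAT module and a domain-joined session (any authenticated user can read these ACLs), and the allowlist of "expected" SIDs is an assumption you should extend to match your own tiering model.

```powershell
# Added example (not PSGuerrilla code): dangerous, non-default ACEs and owners on
# Tier 0 objects. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$rootDse   = Get-ADRootDSE
$domainSid = $domain.DomainSID.Value
$forestSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$AR        = [System.DirectoryServices.ActiveDirectoryRights]
$EmptyGuid = [guid]::Empty.ToString()

# Principals whose write access is expected (assumption: extend for your environment).
$allowedSids = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544', 'S-1-3-0',
                 "$domainSid-512", "$domainSid-516", "$forestSid-519", "$forestSid-518")
# Broad groups: an ACE for one of these is a finding in its own right (ADACL-007).
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-7', "$domainSid-513", "$domainSid-515")

# Schema GUIDs of the attributes / control-access rights that matter most for escalation.
$Guids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79' = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    '5b47d60f-6090-40b2-9f37-2a4de88f3063' = 'msDS-KeyCredentialLink'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName'
}

function Resolve-Name([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-DangerousAces {
    param([string]$Dn)
    $acl   = Get-Acl -Path "AD:\$Dn"
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($owner.Value -notin $allowedSids) {
        [pscustomobject]@{ Object = $Dn; Principal = (Resolve-Name $owner)
                           Right = 'Owner (implicit WriteDacl)'; Inherited = $false; Broad = $false }
    }
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference
        if ($ace.AccessControlType -ne 'Allow' -or $sid.Value -in $allowedSids) { continue }
        $r     = $ace.ActiveDirectoryRights
        $obj   = $ace.ObjectType.ToString()   # empty GUID = applies to all attributes / rights
        $right = $null
        if (($r -band $AR::GenericAll) -eq $AR::GenericAll)   { $right = 'GenericAll' }
        elseif (($r -band $AR::WriteDacl) -ne 0)              { $right = 'WriteDacl' }
        elseif (($r -band $AR::WriteOwner) -ne 0)             { $right = 'WriteOwner' }
        elseif (($r -band $AR::WriteProperty) -ne 0) {
            if ($obj -eq $EmptyGuid)          { $right = 'WriteProperty (all attributes)' }
            elseif ($Guids.ContainsKey($obj)) { $right = "WriteProperty: $($Guids[$obj])" }
        }
        elseif (($r -band $AR::ExtendedRight) -ne 0) {
            if ($obj -eq $EmptyGuid)          { $right = 'ExtendedRight (all control-access rights)' }
            elseif ($Guids.ContainsKey($obj)) { $right = "ExtendedRight: $($Guids[$obj])" }
        }
        if ($right) {
            [pscustomobject]@{ Object = $Dn; Principal = (Resolve-Name $sid); Right = $right
                               Inherited = $ace.IsInherited; Broad = ($sid.Value -in $broadSids) }
        }
    }
}

# Tier 0 targets: domain root, AdminSDHolder, Configuration and Schema NCs, privileged
# groups, every OU and site (gPLink write = GPO linking), every GPO container (GPO edit).
$targets = [System.Collections.Generic.List[string]]::new()
$targets.Add($domain.DistinguishedName)
$targets.Add("CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)")
$targets.Add($rootDse.configurationNamingContext)
$targets.Add($rootDse.schemaNamingContext)
foreach ($g in Get-ADGroup -Filter "name -eq 'Domain Admins' -or name -eq 'Administrators' -or name -eq 'Enterprise Admins'") { $targets.Add($g.DistinguishedName) }
foreach ($ou in Get-ADOrganizationalUnit -Filter *) { $targets.Add($ou.DistinguishedName) }
foreach ($s in Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase "CN=Sites,$($rootDse.configurationNamingContext)") { $targets.Add($s.DistinguishedName) }
foreach ($g in Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)") { $targets.Add($g.DistinguishedName) }

$findings = foreach ($dn in $targets) { Get-DangerousAces -Dn $dn }
$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

Read the output as a worklist rather than a verdict: Exchange's "Exchange Windows Permissions" and "Exchange Trusted Subsystem" groups, the Entra Connect account and helpdesk delegation groups will appear, and each needs a documented justification or an ACE removal. Inherited rows on many OUs usually trace back to a single ACE higher up (often on the domain root), which is the one to fix.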

AD Certificate Services (19 checks, 17 failing)

ADCS-002 — ESC1 - Enrollee Supplies Subject Alternative Name
Critical FAIL
Description
ESC1 occurs when a certificate template allows the enrollee to specify a Subject Alternative Name (SAN) in the certificate request, has Client Authentication or any EKU that permits authentication, and allows enrollment by low-privileged users. An attacker can request a certificate with a SAN for any domain user including Domain Admins, then use the certificate to authenticate as that user
Recommended
No certificate templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT that allow low-privileged enrollment and have authentication EKUs
Current Value
Not configured / Non-compliant
Remediation
Identify templates where msPKI-Certificate-Name-Flag includes CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1), the template has an authentication-capable EKU (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all), manager approval is not required (CT_FLAG_PEND_ALL_REQUESTS, 0x2, is not set in msPKI-Enrollment-Flag), no authorized signatures are required (msPKI-RA-Signature is 0), and enrollment is permitted for non-admin users. Remove the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag, restrict enrollment permissions to privileged groups, or remove the authentication EKU. If SAN specification is operationally required, implement CA Manager approval.
Compliance
NIST AC-6, NIST IA-5(2), NIST CM-6, MITRE T1649, MITRE T1556, ANSSI vuln_adcs_esc1
ADCS-003 — ESC2 - Any Purpose Extended Key Usage
Critical FAIL
Description
ESC2 occurs when a certificate template specifies the Any Purpose EKU (OID 2.5.29.37.0) or no EKU at all (SubCA template equivalent). Certificates with Any Purpose EKU can be used for any purpose including client authentication, server authentication, and code signing. Combined with enrollee-controlled SANs or low enrollment requirements, this enables domain compromise
Recommended
No certificate templates with Any Purpose EKU or empty EKU that allow low-privileged enrollment
Current Value
Not configured / Non-compliant
Remediation
Identify templates where pKIExtendedKeyUsage contains the Any Purpose OID (2.5.29.37.0) or is empty, and enrollment is permitted for non-admin users. Replace the Any Purpose EKU with specific required EKUs (e.g., Client Authentication only). If a SubCA template, restrict enrollment to Enterprise Admins only. Implement CA Manager approval for any remaining templates with broad EKUs.
Compliance
NIST AC-6, NIST IA-5(2), NIST CM-6, MITRE T1649, MITRE T1556, ANSSI vuln_adcs_esc2
ADCS-006 — ESC4 - Vulnerable Certificate Template ACLs
Critical FAIL
Description
ESC4 occurs when low-privileged users have write permissions on certificate template objects in AD, allowing them to modify template attributes to create an ESC1, ESC2, or ESC3 condition. An attacker with write access can add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, change the EKU, modify enrollment permissions, or alter other security-relevant attributes to enable certificate-based privilege escalation
Recommended
No write permissions on certificate template objects for non-administrative principals
Current Value
Not configured / Non-compliant
Remediation
Enumerate ACLs on all certificate template objects in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration. Remove WriteDACL, WriteOwner, WriteProperty, and GenericAll/GenericWrite ACEs for non-administrative principals. Only Enterprise Admins and designated PKI administrators should have write access to template objects. Monitor for ACL changes on certificate template objects.
Compliance
NIST AC-6, NIST AC-3, NIST IA-5(2), MITRE T1649, MITRE T1222.001, ANSSI vuln_adcs_esc4
ADCS-007 — ESC4 - Vulnerable Certificate Template Ownership
Critical FAIL
Description
If a certificate template object is owned by a non-administrative principal, that principal can modify the template's DACL to grant themselves write access and then modify the template to create exploitable conditions. Template ownership should be restricted to Enterprise Admins or the domain's PKI administration group
Recommended
All certificate template objects owned by Enterprise Admins or designated PKI administrators
Current Value
Not configured / Non-compliant
Remediation
Check the Owner field on every certificate template object in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration. Transfer ownership of any incorrectly owned templates to Enterprise Admins using Set-Acl or the Security tab in adsiedit.msc. Investigate how non-admin accounts became owners to prevent recurrence.
Compliance
NIST AC-6, NIST AC-3, MITRE T1649, MITRE T1222.001, ANSSI vuln_adcs_esc4
ADCS-009 — ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
Critical FAIL
Description
When the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is enabled on a CA, any certificate request can include a user-defined Subject Alternative Name regardless of the template configuration. This effectively makes every template on the CA vulnerable to ESC1-style attacks where an attacker specifies a SAN for a privileged user
Recommended
EDITF_ATTRIBUTESUBJECTALTNAME2 flag disabled on all CA servers
Current Value
Not configured / Non-compliant
Remediation
Check the CA configuration using certutil -getreg policy\EditFlags on each CA server. If the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (0x00040000) is set, remove it using certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2. Restart the CertSvc service after the change. Review all recently issued certificates for unexpected SANs that may indicate prior exploitation.
Compliance
NIST CM-6, NIST IA-5(2), NIST AC-6, MITRE T1649, MITRE T1556, ANSSI vuln_adcs_esc6
ADCS-010 — ESC7 - Vulnerable CA ACLs
Critical FAIL
Description
ESC7 occurs when a non-admin principal has ManageCA or ManageCertificates permissions on the CA. ManageCA allows modifying CA configuration, including enabling EDITF_ATTRIBUTESUBJECTALTNAME2 (creating an ESC6 condition) and granting oneself ManageCertificates. ManageCertificates allows approving pending certificate requests, bypassing CA Manager approval requirements on sensitive templates
Recommended
ManageCA and ManageCertificates permissions restricted to designated CA administrators only
Current Value
Not configured / Non-compliant
Remediation
Review CA security permissions using certsrv.msc > Properties > Security tab, or programmatically with the PSPKI module (Get-CertificationAuthorityAcl). Remove ManageCA permissions from non-administrative principals. Remove ManageCertificates from any principal that is not an authorized certificate manager. Document all principals with CA management permissions. Implement separation of duties between CA administrators and certificate managers.
Compliance
NIST AC-6, NIST AC-6(1), NIST AC-5, MITRE T1649, ANSSI vuln_adcs_esc7
ADCS-011 — ESC8 - NTLM Relay to AD CS HTTP Endpoints
Critical FAIL
Description
ESC8 exploits the AD CS web enrollment (certsrv) and Certificate Enrollment Service (CES) HTTP endpoints that accept NTLM authentication. An attacker can coerce authentication from a domain controller or privileged account and relay the NTLM authentication to the CA HTTP endpoint to request a certificate as the relayed identity, leading to domain compromise
Recommended
No HTTP-based enrollment endpoints; if required, enforce HTTPS with Extended Protection for Authentication (EPA) enabled
Current Value
Not configured / Non-compliant
Remediation
Identify all AD CS web endpoints (the CertSrv web enrollment application, the Certificate Enrollment Web Service (CES) and the Certificate Enrollment Policy Web Service (CEP)) by checking the IIS bindings on each CA and enrollment server (for example with Get-WebBinding from the WebAdministration module). Remove the HTTP binding and require HTTPS. Enable Extended Protection for Authentication on those IIS applications so that a relayed NTLM exchange is bound to the TLS channel. Alternatively, uninstall the web enrollment roles entirely and use only the RPC/DCOM enrollment interface, which must itself enforce encryption (see the ESC11 check). Disable NTLM authentication on CA servers where possible.
Compliance
NIST SC-8, NIST SC-23, NIST IA-5(2), MITRE T1649, MITRE T1557, MITRE T1187, ANSSI vuln_adcs_esc8
ADCS-004 — ESC3 - Enrollment Agent Template Abuse Condition 1
High FAIL
Description
ESC3 Condition 1 identifies certificate templates that have the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) and allow enrollment by low-privileged users. An Enrollment Agent certificate allows its holder to enroll in other templates on behalf of any user, potentially including templates with authentication EKUs that normally require CA Manager approval
Recommended
Certificate Request Agent templates restricted to authorized enrollment agents only; not enrollable by low-privileged users
Current Value
Not configured / Non-compliant
Remediation
Identify templates with the Certificate Request Agent EKU that allow enrollment by non-administrative users. Restrict enrollment permissions on these templates to a dedicated Enrollment Agent security group. Configure Enrollment Agent restrictions on the CA to limit which templates and users enrollment agents can enroll for. Monitor Certificate Request Agent certificate issuance.
Compliance
NIST AC-6, NIST IA-5(2), NIST CM-6, MITRE T1649, ANSSI vuln_adcs_esc3
ADCS-005 — ESC3 - Enrollment Agent Template Abuse Condition 2
High FAIL
Description
ESC3 Condition 2 identifies certificate templates that accept enrollment on behalf of other users (require an enrollment agent signature) and have an authentication EKU. When combined with ESC3 Condition 1, an attacker who obtains an Enrollment Agent certificate can enroll for authentication certificates on behalf of any user, including Domain Admins
Recommended
Templates requiring enrollment agent signatures restricted to specific target users via enrollment agent restrictions on the CA
Current Value
Not configured / Non-compliant
Remediation
Identify templates that require an authorized signature (msPKI-RA-Signature of 1 or more) carrying the Certificate Request Agent application policy (1.3.6.1.4.1.311.20.2.1 in msPKI-RA-Application-Policies) and have Client Authentication or Smart Card Logon EKU. Configure Enrollment Agent restrictions on the CA to limit which templates these enrollment agents can enroll for and which users they can enroll on behalf of. This is configured in the CA properties under the Enrollment Agents tab.
Compliance
NIST AC-6, NIST IA-5(2), NIST CM-6, MITRE T1649, ANSSI vuln_adcs_esc3
ADCS-008 — ESC5 - Vulnerable PKI Object ACLs
High FAIL
Description
ESC5 covers write permissions on other PKI-related AD objects beyond certificate templates, including the CA server's AD object, the NTAuthCertificates object, the Enrollment Services container, and the Certificate Templates container. Write access to these objects can allow an attacker to add rogue CAs, modify enrollment settings, or publish malicious templates
Recommended
No write permissions on PKI container objects for non-administrative principals; write access limited to Enterprise Admins
Current Value
Not configured / Non-compliant
Remediation
Audit ACLs on all objects under CN=Public Key Services,CN=Services,CN=Configuration including the Enrollment Services container, AIA container, NTAuthCertificates object, and Certificate Templates container. Remove write permissions for non-administrative principals. Ensure the CA computer object in AD does not have write permissions for broad groups. Monitor these objects for unauthorized changes.
Compliance
NIST AC-6, NIST AC-3, NIST IA-5(2), MITRE T1649, MITRE T1222.001, ANSSI vuln_adcs_esc5
ADCS-012 — ESC9 - No Security Extension
High FAIL
Description
ESC9 exploits certificates issued without the szOID_NTDS_CA_SECURITY_EXT security extension (templates with CT_FLAG_NO_SECURITY_EXTENSION set) in a domain whose KDCs are not in Full Enforcement (StrongCertificateBindingEnforcement not set to 2), so that the certificate is mapped to an account by UPN or DNS name instead of by SID. An attacker with GenericWrite over some account can set that account's userPrincipalName to a target's sAMAccountName (for example Administrator), enroll a certificate as the account, restore the UPN, and then authenticate with the certificate as the target
Recommended
StrongCertificateBindingEnforcement set to 2 on all domain controllers; CT_FLAG_NO_SECURITY_EXTENSION not set on authentication templates
Current Value
Not configured / Non-compliant
Remediation
Check for templates with CT_FLAG_NO_SECURITY_EXTENSION (0x80000) in msPKI-Enrollment-Flag. Remove this flag from all authentication-capable templates. Set the registry value StrongCertificateBindingEnforcement to 2 under HKLM\SYSTEM\CurrentControlSet\Services\Kdc on all domain controllers to enforce strong certificate mapping. Microsoft's KB5014754 phased rollout moves domain controllers to Full Enforcement by default with the February 2025 and later updates, so verify the effective value on each DC rather than assuming it. Test certificate-based authentication after enabling enforcement.
Compliance
NIST IA-5(2), NIST CM-6, NIST AC-6, MITRE T1649, MITRE T1098, ANSSI vuln_adcs_esc9
ADCS-013 — ESC11 - RPC Relay Without Encryption
High FAIL
Description
ESC11 targets the AD CS RPC enrollment interface (ICertPassage) when the CA does not enforce encryption on the RPC connection. Similar to ESC8 for HTTP, an attacker can relay NTLM authentication to the unencrypted RPC endpoint to request certificates as the relayed identity. This affects the default DCOM-based enrollment interface
Recommended
IF_ENFORCEENCRYPTICERTREQUEST flag enabled on all CA servers to require RPC encryption
Current Value
Not configured / Non-compliant
Remediation
Check CA interface flags using certutil -getreg CA\InterfaceFlags. Enable the IF_ENFORCEENCRYPTICERTREQUEST flag using certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST. Restart the CertSvc service. Verify that certificate enrollment still functions correctly from domain-joined clients after enabling encryption enforcement.
Compliance
NIST SC-8, NIST SC-8(1), NIST IA-5(2), MITRE T1649, MITRE T1557, ANSSI vuln_adcs_esc11
ADCS-014 — ESC13 - Issuance Policy OID Group Link
High FAIL
Description
ESC13 exploits the linkage between certificate issuance policy OIDs and AD security groups through the msDS-OIDToGroupLink attribute. When a certificate template has an issuance policy that maps to a security group, the KDC adds that group's SID to the PAC of anyone authenticating with a certificate from the template, so enrolling effectively grants membership for the duration of certificate-based authentication. Such groups must be universal groups with no members, which is why the linked group is easy to overlook in membership reviews
Recommended
No issuance policy OIDs linked to privileged security groups; msDS-OIDToGroupLink only on non-sensitive groups
Current Value
Not configured / Non-compliant
Remediation
Query all OID objects in CN=OID,CN=Public Key Services,CN=Services,CN=Configuration for the msDS-OIDToGroupLink attribute. Identify any OIDs linked to privileged groups (Domain Admins, Enterprise Admins, etc.). Remove the msDS-OIDToGroupLink attribute from OIDs linked to sensitive groups. If the linkage is operationally required, restrict enrollment on templates using the issuance policy to authorized principals only.
Compliance
NIST AC-6, NIST IA-5(2), NIST CM-6, MITRE T1649, MITRE T1098, ANSSI vuln_adcs_esc13
ADCS-016 — ESC16 - UPN SAN Misconfiguration
High FAIL
Description
ESC16 is a CA-level misconfiguration: the CA's policy module lists szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) in DisableExtensionList, so every certificate the CA issues lacks the SID security extension regardless of template settings. On domain controllers that are not in Full Enforcement (StrongCertificateBindingEnforcement 0 or 1) such certificates are mapped by UPN or DNS name alone, so any template that lets the enrollee influence the UPN in the SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, or CT_FLAG_SUBJECT_ALT_REQUIRE_UPN combined with write access to a victim's userPrincipalName) becomes an impersonation path
Recommended
szOID_NTDS_CA_SECURITY_EXT not present in any CA's DisableExtensionList; StrongCertificateBindingEnforcement set to 2; no templates allowing enrollee-specified UPN SAN with low-privileged enrollment
Current Value
Not configured / Non-compliant
Remediation
Check each CA with certutil -getreg policy\DisableExtensionList; if 1.3.6.1.4.1.311.25.2 is listed, remove it with certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.25.2 and restart the CertSvc service. Set StrongCertificateBindingEnforcement to 2 on all domain controllers under HKLM\SYSTEM\CurrentControlSet\Services\Kdc. Review all templates that allow enrollee-specified subjects or require UPN in the SAN. Restrict enrollment on these templates to authorized principals. Test certificate-based authentication after enforcing strong binding to identify any incompatibilities before full rollout.
Compliance
NIST IA-5(2), NIST CM-6, NIST AC-6, MITRE T1649, MITRE T1556
ADCS-017 — EKEUwu - Extended Key Usage Abuse
High FAIL
Description
The EKEUwu attack (the same class of weakness that ADCS-015 describes for ESC15 / EKUwu) targets certificate templates where the Extended Key Usage of the issued certificate can be influenced by the enrollee through the certificate request. This occurs with template configurations where the EKU is not strictly enforced from the template definition, allowing an attacker to add authentication EKUs to certificates that were not intended for authentication purposes
Recommended
All certificate templates strictly enforce EKU from the template definition; no enrollee-controllable EKUs
Current Value
Not configured / Non-compliant
Remediation
Review all certificate templates for EKU enforcement. Ensure templates are Schema v2 or later where EKU enforcement is more robust. Remove unnecessary templates that do not strictly define and enforce EKUs. Test certificate requests to verify that the issued certificate EKU matches the template definition. Implement CA issuance policy modules that validate EKU in requests.
Compliance
NIST IA-5(2), NIST CM-6, MITRE T1649
ADCS-018 — CA Auditing Configuration
High FAIL
Description
AD CS Certificate Authority auditing controls which certificate-related events are logged including certificate requests, issuance, revocation, and CA configuration changes. Without adequate CA auditing, exploitation of certificate-based attack vectors (ESC1-ESC16) cannot be detected or investigated, and unauthorized certificate issuance goes unnoticed
Recommended
All CA audit categories enabled: Start/Stop, Backup/Restore, Certificate Issued, Certificate Revoked, Certificate Request, CA Security, CA Configuration Change
Current Value
Not configured / Non-compliant
Remediation
Configure CA auditing using certsrv.msc > CA Properties > Auditing tab (equivalently certutil -setreg CA\AuditFilter 127 followed by a CertSvc restart). Enable all audit categories: Back up and restore the CA database, Change CA configuration, Change CA security settings, Issue and manage certificate requests, Revoke certificates and publish CRLs, Store and retrieve archived keys, Start and stop AD CS. The CA only writes these events if the advanced audit policy subcategory Object Access > Certification Services is enabled for success and failure (auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable), so set that on the CA as well. Verify that the Windows Security event log has sufficient size and retention settings.
Compliance
NIST AU-2, NIST AU-3, NIST AU-12, MITRE T1649, MITRE T1562.002
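The CA-side settings behind ESC6, ESC7, ESC11, ESC16 and this auditing check all live in the CertSvc registry hive, so they can be read together without going through certutil one value at a time. The script below is an added example, not PSGuerrilla's own code. It assumes it runs on the CA host itself (or inside Invoke-Command against it) as a local administrator, because the CA\Security value that holds the CA's access control list is not readable by ordinary users, and it assumes the default AD CS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

```powershell
# Added example (not PSGuerrilla code): read the CertSvc registry on a CA and report the
# ESC6 / ESC7 / ESC11 / ESC16 / auditing conditions. Run on the CA as a local administrator.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # policy\EditFlags
$IF_ENFORCEENCRYPTICERTREQUEST  = 0x00000200   # CA\InterfaceFlags
$SecurityExtOid = '1.3.6.1.4.1.311.25.2'       # szOID_NTDS_CA_SECURITY_EXT
# CA access-mask bits (certadm.h): ManageCA, ManageCertificates, Enroll
$CA_ACCESS_ADMIN   = 0x1
$CA_ACCESS_OFFICER = 0x2
$CA_ACCESS_ENROLL  = 0x200

function Get-CaConfigFindings {
    $base       = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName     = (Get-ItemProperty -Path $base -Name Active).Active
    $caKey      = Join-Path $base $caName
    $policyName = (Get-ItemProperty -Path (Join-Path $caKey 'PolicyModules') -Name Active).Active
    $policy     = Get-ItemProperty -Path (Join-Path $caKey "PolicyModules\$policyName")
    $ca         = Get-ItemProperty -Path $caKey
    $findings   = [System.Collections.Generic.List[string]]::new()

    if ([int]$policy.EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
        $findings.Add('ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 is set; any request may carry an attacker-chosen SAN')
    }
    if (-not ([int]$ca.InterfaceFlags -band $IF_ENFORCEENCRYPTICERTREQUEST)) {
        $findings.Add('ESC11: IF_ENFORCEENCRYPTICERTREQUEST not set; RPC enrollment accepts unencrypted (relayable) requests')
    }
    if (@($policy.DisableExtensionList) -contains $SecurityExtOid) {
        $findings.Add('ESC16: szOID_NTDS_CA_SECURITY_EXT is in DisableExtensionList; issued certificates carry no SID extension')
    }
    if (([int]$ca.AuditFilter -band 0x7F) -ne 0x7F) {
        $findings.Add("Auditing: CA\AuditFilter is $([int]$ca.AuditFilter); 127 enables all seven categories")
    }

    # ESC7: decode the CA security descriptor and list who holds ManageCA / ManageCertificates.
    # Domain Admins, Enterprise Admins and Administrators hold both by default; anything else
    # must be a designated CA administrator or certificate manager.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$ca.Security, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce] -or $ace.AceType -ne 'AccessAllowed') { continue }
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }
        if ($ace.AccessMask -band $CA_ACCESS_ADMIN)   { $findings.Add("ESC7: $who holds ManageCA") }
        if ($ace.AccessMask -band $CA_ACCESS_OFFICER) { $findings.Add("ESC7: $who holds ManageCertificates") }
        if (($ace.AccessMask -band $CA_ACCESS_ENROLL) -and $ace.SecurityIdentifier.Value -in 'S-1-1-0', 'S-1-5-7') {
            $findings.Add("CA ACL: $who holds Enroll on the CA itself")
        }
    }

    [pscustomobject]@{ CA = $caName; PolicyModule = $policyName; Findings = $findings }
}

$result = Get-CaConfigFindings
"CA: $($result.CA)  (policy module: $($result.PolicyModule))"
$result.Findings
```

The ESC7 rows are deliberately unfiltered: the report's own recommendation is that only designated CA administrators hold ManageCA and only certificate managers hold ManageCertificates, so every row should map to a name on that list. After changing EditFlags, InterfaceFlags or DisableExtensionList, restart CertSvc and re-run the check; the registry reflects the change immediately but the running CA does not.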
ADCS-015 — ESC15 - Application Policies in Schema v1 Templates
Medium FAIL
Description
ESC15 (also known as EKUwu) exploits Schema Version 1 certificate templates that let the enrollee supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, as on the built-in WebServer template). Because a v1 template carries no msPKI-Certificate-Application-Policy attribute, the CA honours an Application Policies extension included in the request, so an attacker can add Client Authentication (or Certificate Request Agent) to the issued certificate regardless of the template's EKU
Recommended
No Schema v1 templates published that allow low-privileged enrollment; migrate all required templates to Schema v2 or later
Current Value
Not configured / Non-compliant
Remediation
Identify all Schema v1 templates (msPKI-Template-Schema-Version = 1) that are published on Enterprise CAs. Migrate Schema v1 templates to Schema v2 or later by creating new templates based on the v1 template with explicit EKU enforcement. Restrict enrollment on any remaining v1 templates to administrative accounts only. Unpublish v1 templates that are no longer required.
Compliance
NIST CM-6, NIST IA-5(2), MITRE T1649
ADCS-001 — CA Server Inventory
Info INFO
Description
An inventory of all Certificate Authority servers in the environment provides the foundation for AD CS security assessment. This includes Enterprise CAs, Standalone CAs, their roles (Root vs Subordinate), operating system versions, and published certificate templates. Understanding the PKI hierarchy is essential for identifying the attack surface
Recommended
Complete CA inventory documented with CA type, role, OS version, and published templates for each CA server
Current Value
Not configured / Non-compliant
Remediation
Enumerate all CA servers by querying the PKI Enrollment Services container in AD (CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration). Document each CA's type (Enterprise/Standalone), role (Root/Subordinate), hostname, operating system version, and published certificate templates. Verify that all CA servers are running supported OS versions and have current patches.
Compliance
NIST CM-8, NIST CM-8(1), NIST IA-5(2), MITRE T1649
ADCS-019 — Certificate Template Enumeration
Info INFO
Description
A comprehensive enumeration of all certificate templates with their security-relevant attributes provides the baseline for ESC vulnerability assessment. This includes template schema version, enrollment permissions, EKU configuration, name flags, enrollment flags, authorized signatures requirement, and validity period. This information feeds into all ESC-specific checks
Recommended
Complete template inventory with security attributes documented; all templates reviewed for least-privilege enrollment and appropriate EKU
Current Value
Not configured / Non-compliant
Remediation
Enumerate all certificate templates from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration using certutil -template or PowerShell. For each template, document: display name, schema version, enrollment permissions, EKU, name flags (ENROLLEE_SUPPLIES_SUBJECT), enrollment flags, authorized signatures requirement, validity period, and renewal period. Cross-reference published templates on each CA.
Compliance
NIST CM-8, NIST CM-8(1), NIST IA-5(2), MITRE T1649
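The template inventory this check asks for is also the input to the template-level ESC checks earlier in this category (ESC1 in ADCS-002, ESC2 in ADCS-003, ESC3 condition 1 in ADCS-004, the CT_FLAG_NO_SECURITY_EXTENSION part of ESC9 in ADCS-012, and ESC15 in ADCS-015), so one enumeration can produce both the inventory and the findings. The script below is an added example, not PSGuerrilla's own code. It assumes the ActiveDirectory RSAT module and read access to the Configuration NC (the default for any authenticated user); the list of SIDs it treats as "low privileged" when they hold Enroll is an assumption to adjust for your environment.

```powershell
# Added example (not PSGuerrilla code): enumerate certificate templates with the
# attributes the ESC checks depend on, resolve who can enroll, and flag ESC1 / ESC2 /
# ESC3 (condition 1) / ESC9 / ESC15 conditions. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$domainSid = (Get-ADDomain).DomainSID.Value
$pkiBase   = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$AR        = [System.DirectoryServices.ActiveDirectoryRights]
$EmptyGuid = [guid]::Empty.ToString()

# Flag bits, OIDs and control-access-right GUIDs the ESC conditions are built from
$ENROLLEE_SUPPLIES_SUBJECT = 0x1       # msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2       # msPKI-Enrollment-Flag: CA manager approval required
$NO_SECURITY_EXTENSION     = 0x80000   # msPKI-Enrollment-Flag: no SID extension (ESC9)
$EnrollGuid     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = 'a05b8cc2-17bc-11d2-91ca-00c04f79dc55'   # Certificate-AutoEnrollment
$AuthEkus = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
              '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
              '2.5.29.37.0')             # Any Purpose
$AgentEku = '1.3.6.1.4.1.311.20.2.1'     # Certificate Request Agent
# Assumption: SIDs considered low privileged when they hold Enroll (extend for your tiering)
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")

# Template name -> CAs that publish it; an unpublished template cannot be enrolled from
$published = @{}
foreach ($ca in Get-ADObject -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                  -SearchBase "CN=Enrollment Services,$pkiBase" -Properties certificateTemplates) {
    foreach ($t in $ca.certificateTemplates) {
        $published[$t] = if ($published[$t]) { "$($published[$t]),$($ca.Name)" } else { $ca.Name }
    }
}

function Get-TemplateFindings {
    $props = 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
             'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
    foreach ($t in Get-ADObject -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                     -SearchBase "CN=Certificate Templates,$pkiBase" -Properties $props) {
        $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
        $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
        $ekus       = @($t.pKIExtendedKeyUsage)

        # Low-privileged enrollment: Enroll/AutoEnroll control-access right or GenericAll held by a broad SID
        $lowPrivEnrollers = foreach ($ace in $t.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -notin $LowPrivSids) { continue }
            $r = $ace.ActiveDirectoryRights; $g = $ace.ObjectType.ToString()
            if ((($r -band $AR::GenericAll) -eq $AR::GenericAll) -or
                ((($r -band $AR::ExtendedRight) -ne 0) -and ($g -in @($EmptyGuid, $EnrollGuid, $AutoEnrollGuid)))) {
                $ace.IdentityReference.Value
            }
        }
        $lowPriv    = @($lowPrivEnrollers).Count -gt 0
        $hasAuthEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $AuthEkus })
        $noApproval = (($enrollFlag -band $PEND_ALL_REQUESTS) -eq 0) -and ([int]$t.'msPKI-RA-Signature' -eq 0)
        $supplySubj = ($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0

        $findings = @()
        if ($lowPriv -and $noApproval) {
            if ($supplySubj -and $hasAuthEku)                                  { $findings += 'ESC1' }
            if ($ekus.Count -eq 0 -or $ekus -contains '2.5.29.37.0')           { $findings += 'ESC2' }
            if ($ekus -contains $AgentEku)                                     { $findings += 'ESC3-cond1' }
            if ($supplySubj -and [int]$t.'msPKI-Template-Schema-Version' -eq 1) { $findings += 'ESC15' }
        }
        if ((($enrollFlag -band $NO_SECURITY_EXTENSION) -ne 0) -and $hasAuthEku) {
            $findings += 'ESC9 (exploitable only if DCs are not in Full Enforcement)'
        }

        [pscustomobject]@{
            Template      = $t.Name
            Schema        = $t.'msPKI-Template-Schema-Version'
            PublishedOn   = $published[$t.Name]
            LowPrivEnroll = $lowPriv
            Approval      = -not $noApproval
            EKU           = ($ekus -join ' ')
            Findings      = ($findings -join '; ')
        }
    }
}

$all = Get-TemplateFindings
$all | Export-Csv -NoTypeInformation -Path .\certificate-templates.csv     # the ADCS-019 inventory
$all | Where-Object { $_.Findings -and $_.PublishedOn } |
    Format-Table Template, Schema, PublishedOn, EKU, Findings -AutoSize
```

Keep the CSV as the baseline and diff it on each run: a template that gains CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, loses its approval requirement, or is newly published on a CA is exactly the change an ESC4 attacker makes, and it shows up here before any certificate is issued. ESC4 and ESC5 (write access to the template and PKI container objects) are ACL questions rather than template attribute questions, which is why this script does not try to answer them.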

AD Domain & Forest Configuration (20 checks, 19 failing)

ADDOM-005 — Obsolete OS on Domain Controllers
Critical FAIL
Description
Domain controllers running end-of-life operating systems (Windows Server 2012 R2 or earlier) do not receive security updates and are vulnerable to known exploits. These represent critical infrastructure risk as compromising a DC gives full domain control
Recommended
All domain controllers running Windows Server 2019 or later with current patches
Current Value
Not configured / Non-compliant
Remediation
Plan migration of DCs running obsolete OS versions. Build new DCs on Windows Server 2022, transfer FSMO roles if needed, replicate, then demote and decommission old DCs. Prioritize this remediation as legacy DCs are actively targeted
Compliance
NIST SI-2, NIST CM-6, NIST SA-22, MITRE T1210, MITRE T1078.002, CIS 18.3.1, ANSSI R8, CIS AD 1.2.2
ADDOM-013 — LDAP Signing Requirements
Critical FAIL
Description
LDAP signing must be required on all domain controllers to prevent adversary-in-the-middle attacks on LDAP traffic. Without signing, attackers can intercept and modify LDAP queries and responses, potentially escalating privileges or exfiltrating data
Recommended
LDAP server signing requirement set to 'Require signing' on all DCs
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Domain controller: LDAP server signing requirements' = 'Require signing'. Apply to the Domain Controllers OU. Before enforcing, set the Directory Service diagnostic '16 LDAP Interface Events' to 2 on the DCs and review event 2889 (one entry per client performing an unsigned SASL bind or a simple bind over clear text) together with the daily 2887 summary, so the clients that will break are fixed to use signing or LDAPS first
Compliance
NIST SC-8, NIST SC-8(1), NIST SC-23, MITRE T1557, CIS 2.3.5.1, ANSSI R25, NSA LDAP-1, CIS AD 2.1.1
ADDOM-015 — SMB Signing Requirements
Critical FAIL
Description
SMB signing must be required on all domain controllers to prevent adversary-in-the-middle and relay attacks on SMB traffic. SMB relay attacks can be used to gain SYSTEM-level access on domain controllers, leading to full domain compromise
Recommended
SMB signing required on all domain controllers and member servers
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Microsoft network server: Digitally sign communications (always)' = Enabled. Apply to Domain Controllers OU and all server OUs
Compliance
NIST SC-8, NIST SC-8(1), MITRE T1557, MITRE T1021.002, CIS 2.3.8.1, CIS 2.3.8.2, ANSSI R26, NSA SMB-1, CIS AD 2.2.1
ADDOM-016 — NTLMv1 Usage Detection
Critical FAIL
Description
NTLMv1 is a severely weakened authentication protocol that can be cracked in seconds with modern hardware. Any NTLMv1 usage in the environment must be identified and eliminated as it exposes credentials to trivial offline attacks
Recommended
Zero NTLMv1 authentication events detected; LAN Manager authentication level set to refuse NTLMv1
Current Value
Not configured / Non-compliant
Remediation
Enable NTLM auditing via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' (on the DCs) and 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' (on all servers). Review Security event 4624 on the DCs, where 'Package Name (NTLM only)' reads 'NTLM V1' for V1 logons, and event 8004 in the Microsoft-Windows-NTLM/Operational log, to identify the accounts and source hosts still using NTLMv1. Remediate those applications, then set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' (level 5)
Compliance
NIST IA-5(2), NIST SC-8, MITRE T1557, MITRE T1003, CIS 2.3.8.4, ANSSI R27, NSA NTLM-1, CIS AD 2.3.1
ADDOM-001 — Forest Functional Level
High FAIL
Description
The Active Directory forest functional level should be Windows Server 2016 or higher. The 2016 level is the prerequisite for the Privileged Access Management optional feature, and reaching it means every domain is already at the 2016 domain functional level and no legacy domain controllers remain. Running older functional levels keeps the environment compatible with, and exposed to, the legacy protocol weaknesses those levels exist to support
Recommended
Windows Server 2016 or higher
Current Value
Not configured / Non-compliant
Remediation
Raise the forest functional level via Active Directory Domains and Trusts > Right-click the forest root > Raise Forest Functional Level. Ensure all domain controllers run a supported OS version before raising
Compliance
NIST CM-6, NIST SI-2, MITRE T1078.002, CIS 18.3.1, ANSSI R1, CIS AD 1.1.1
ADDOM-002 — Domain Functional Level
High FAIL
Description
The Active Directory domain functional level should be Windows Server 2016 or higher. Levels below 2012 R2 rule out the Protected Users group protections and authentication policies and silos; levels below 2012 rule out Kerberos armoring (FAST) and claims. The 2016 level additionally enables rolling of expiring NTLM secrets for smart-card-required accounts and is the floor for raising the forest functional level to 2016
Recommended
Windows Server 2016 or higher
Current Value
Not configured / Non-compliant
Remediation
Raise the domain functional level via Active Directory Domains and Trusts > Right-click the domain > Raise Domain Functional Level. Verify all DCs in the domain are running a compatible OS version first
Compliance
NIST CM-6, NIST SI-2, MITRE T1078.002, CIS 18.3.1, ANSSI R1, CIS AD 1.1.2
ADDOM-004 — Domain Controller Inventory
High FAIL
Description
All domain controllers should be inventoried with their OS version, patch level, and location. Untracked domain controllers represent a significant security risk as they may miss patches or be compromised without detection
Recommended
All domain controllers documented with current OS version, site membership, and patch status
Current Value
Not configured / Non-compliant
Remediation
Query all DC computer objects from the Domain Controllers OU. Verify each DC is accounted for, running a supported OS, and receiving regular patches. Remove or demote any unauthorized DCs immediately
Compliance
NIST CM-8, NIST CM-8(1), MITRE T1018, MITRE T1078.002, CIS 1.1, ANSSI R8, CIS AD 1.2.1
ADDOM-007 — AD Replication Health
High FAIL
Description
Active Directory replication failures can lead to inconsistent security policy application, stale credentials remaining valid, and split-brain scenarios. Persistent replication failures may also indicate a compromised or rogue DC
Recommended
All domain controllers replicating successfully with no errors in the last 24 hours
Current Value
Not configured / Non-compliant
Remediation
Run 'repadmin /replsummary' and 'repadmin /showrepl' to identify failures. Investigate and resolve DNS issues, network connectivity problems, or USN rollback conditions. Monitor replication status as part of routine operations
Compliance
NIST SC-36, NIST CP-10, MITRE T1207, CIS 18.3.1, CIS AD 1.3.1
ADDOM-012 — DNS Zone Security
High FAIL
Description
AD-integrated DNS zones should use secure dynamic updates only. Allowing nonsecure updates enables attackers to poison DNS records, redirect authentication traffic, and perform adversary-in-the-middle attacks against domain-joined systems
Recommended
Secure dynamic updates only on all AD-integrated DNS zones
Current Value
Not configured / Non-compliant
Remediation
Open DNS Manager > Right-click each AD-integrated zone > Properties > General tab > Change Dynamic Updates to 'Secure only'. Review all forward and reverse lookup zones. Verify DNSSEC signing if applicable
Compliance
NIST SC-20, NIST SC-21, MITRE T1557, MITRE T1584.002, CIS 18.5.4, ANSSI R29, CIS AD 1.6.1
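The following PowerShell is an added example for ADDOM-012, not PSGuerrilla code. It lists every AD-integrated primary zone on one DNS-hosting DC and flags zones that still accept nonsecure dynamic updates; because zone settings are stored in AD and replicate, one server is enough to read and to correct them. The -Fix switch is this example's own. It assumes the DnsServer RSAT module and the ActiveDirectory module.

```powershell
# Added example, not PSGuerrilla code: find AD-integrated zones that accept nonsecure
# dynamic updates (ADDOM-012) and, with -Fix, switch them to Secure. Zone settings live
# in AD and replicate, so the PDC emulator (or any DNS-hosting DC) is enough.
param(
    [string]$DnsServer = (Get-ADDomain).PDCEmulator,   # assumption: PDCe runs DNS
    [switch]$Fix
)

$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    # DynamicUpdate is one of None, NonsecureAndSecure, Secure; only the middle one is the finding
    $status = if ($z.DynamicUpdate -eq 'NonsecureAndSecure') { 'FAIL' } else { 'PASS' }
    if ($Fix -and $status -eq 'FAIL') {
        # Secure = only Kerberos-authenticated clients may register or update records
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $z.ZoneName -DynamicUpdate Secure
        $status = 'FIXED'
    }
    [pscustomobject]@{
        Zone          = $z.ZoneName
        Reverse       = $z.IsReverseLookupZone
        Replication   = $z.ReplicationScope      # Forest, Domain, Legacy or Custom
        DynamicUpdate = $z.DynamicUpdate
        DnssecSigned  = $z.IsSigned
        Status        = $status
    }
}

$report | Sort-Object Status, Zone | Format-Table -AutoSize
```

Run it read-only first; static records and records registered by domain-joined machines are unaffected by the switch to Secure, but non-domain devices that were registering themselves will stop doing so and need DHCP registration or manual records.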
ADDOM-014 — LDAP Channel Binding
High FAIL
Description
LDAP channel binding tokens bind an LDAPS (LDAP over TLS) authentication to the TLS channel it was performed in, so a bind relayed by an adversary-in-the-middle cannot be replayed inside a different TLS session. Signing (ADDOM-013) protects plain LDAP; channel binding closes the same relay gap for LDAPS. Without it, attackers can relay LDAP authentication to gain unauthorized access
Recommended
LDAP channel binding set to 'Always' on all domain controllers
Current Value
Not configured / Non-compliant
Remediation
Set LdapEnforceChannelBinding to 2 (Always) under HKLM\System\CurrentControlSet\Services\NTDS\Parameters on all DCs, or use the equivalent Group Policy setting 'Domain controller: LDAP server channel binding token requirements' = 'Always' on the Domain Controllers OU. Roll out with value 1 (When Supported) first and, with the Directory Service diagnostic '16 LDAP Interface Events' at 2, watch for event 3039 (a client failed channel binding token validation) to identify incompatible clients before enforcing
Compliance
NIST SC-8, NIST SC-8(1), NIST SC-23, MITRE T1557, CIS 18.3.5, ANSSI R25, NSA LDAP-2, CIS AD 2.1.2
ADDOM-017 — NTLMv2 Enforcement
High FAIL
Description
The LAN Manager authentication level should be configured to send only NTLMv2 responses and refuse LM and NTLMv1. While NTLMv2 is still less secure than Kerberos, it is significantly stronger than NTLMv1 and should be the minimum NTLM standard
Recommended
LAN Manager authentication level set to 'Send NTLMv2 response only. Refuse LM & NTLM' (level 5)
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Network security: LAN Manager authentication level' = 'Send NTLMv2 response only. Refuse LM & NTLM'. Test thoroughly before enforcement
Compliance
NIST IA-5(2), NIST SC-8, MITRE T1557, MITRE T1003, CIS 2.3.8.4, ANSSI R27, NSA NTLM-2, CIS AD 2.3.2
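The following PowerShell is an added example for the detection half of ADDOM-016, not PSGuerrilla code. Security event 4624 carries the field LmPackageName ('Package Name (NTLM only)' in Event Viewer), which reads 'NTLM V1' for V1 logons, so the filter is pushed into the XPath query rather than pulling every 4624 off each DC. The script assumes the caller can read remote Security logs (Event Log Readers or local administrator on the DCs) and that the DCs resolve by host name.

```powershell
# Added example, not PSGuerrilla code. Summarise NTLMv1 logons recorded by each DC
# (ADDOM-016). Filtering on LmPackageName in XPath keeps the query server-side.
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                    Select-Object -ExpandProperty HostName),
    [int]$Hours = 24
)

$windowMs = $Hours * 3600 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]]" +
         " and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$hits = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object {
                # Flatten the <Data Name="..."> elements into a lookup table
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    DC          = $dc
                    Time        = $_.TimeCreated
                    Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Workstation = $data['WorkstationName']
                    SourceIp    = $data['IpAddress']
                    LogonType   = $data['LogonType']
                }
            }
    } catch {
        # Get-WinEvent raises an error when nothing matches; for this check that is a clean DC
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
        }
    }
}

if (-not $hits) {
    "No NTLMv1 logons on $($DomainControllers.Count) DC(s) in the last $Hours h; safe to enforce level 5"
} else {
    # One row per (account, source): each is an application or host to fix before enforcing level 5
    $hits | Group-Object Account, SourceIp | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Account';     e = { $_.Group[0].Account } },
                      @{ n = 'SourceIp';    e = { $_.Group[0].SourceIp } },
                      @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
                      @{ n = 'LastSeen';    e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
        Format-Table -AutoSize
}
```

Extend the window to cover at least one full business cycle (month-end jobs, quarterly reports) before concluding that NTLMv1 is gone; once the table is empty for that long, the LmCompatibilityLevel change in ADDOM-017 can be enforced.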
ADDOM-018 — Null Session Enumeration
High FAIL
Description
Anonymous (null session) access to Active Directory allows unauthenticated attackers to enumerate users, groups, shares, and domain information. This reconnaissance data is used to plan credential attacks and lateral movement
Recommended
Null session enumeration disabled; RestrictAnonymous and RestrictAnonymousSAM set to prevent anonymous access
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Set 'Network access: Restrict anonymous access to Named Pipes and Shares' = Enabled, 'Network access: Do not allow anonymous enumeration of SAM accounts' = Enabled, 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' = Enabled. On domain controllers, anonymous LDAP access beyond RootDSE is governed separately by the 7th character of the dSHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration; verify it is not set to 2, which enables anonymous LDAP operations
Compliance
NIST AC-3, NIST AC-14, MITRE T1087.002, MITRE T1069.002, CIS 2.3.10.5, CIS 2.3.10.6, ANSSI R30, CIS AD 2.4.1
ADDOM-019 — Print Spooler on Domain Controllers
High FAIL
Description
The Print Spooler service on domain controllers enables the PrintNightmare (CVE-2021-34527) and SpoolSample/PrinterBug attacks. An attacker can coerce a DC to authenticate to an attacker-controlled server, enabling credential relay and unconstrained delegation abuse
Recommended
Print Spooler service disabled on all domain controllers
Current Value
Not configured / Non-compliant
Remediation
Disable the Print Spooler service on all domain controllers via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler > Startup Mode = Disabled. Apply to the Domain Controllers OU. Verify no print functionality depends on DCs
Compliance
NIST CM-7, NIST CM-7(1), MITRE T1187, MITRE T1210, CIS 5.2, ANSSI R9, CIS AD 1.2.3
ADDOM-003 — Schema Version Identification
Medium FAIL
Description
The AD schema version should be documented and correspond to the latest supported version. An outdated schema may lack attributes required by modern security features and applications
Recommended
Schema version corresponding to Windows Server 2022 (version 88) or later
Current Value
Not configured / Non-compliant
Remediation
Promoting a domain controller on the newer OS runs adprep automatically; to update the schema ahead of that, run adprep /forestprep and adprep /domainprep from the latest Windows Server installation media. Verify the objectVersion attribute on CN=Schema,CN=Configuration,DC=domain
Compliance
NIST CM-6, NIST CM-2, MITRE T1078.002, CIS 18.3.1, CIS AD 1.1.3
ADDOM-008 — Tombstone Lifetime Configuration
Medium FAIL
Description
The tombstone lifetime defines how long deleted objects are retained before permanent removal and therefore the longest a DC may stay offline (or a backup may age) before it must be rebuilt rather than resynchronised. A value that is too low makes lingering objects likely. Forests created on Windows Server 2003 SP1 or later default to 180 days; forests created on Windows 2000 or Server 2003 pre-SP1 leave the attribute unset, which is interpreted as 60 days, and should be raised explicitly to 180 days
Recommended
180 days
Current Value
Not configured / Non-compliant
Remediation
Set the tombstoneLifetime attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain to 180 using ADSI Edit or Set-ADObject. If the attribute is absent, set it explicitly rather than relying on the implied default. With the AD Recycle Bin enabled, msDS-DeletedObjectLifetime falls back to the tombstoneLifetime value when it is not set, so review the two retention windows together
Compliance
NIST CP-9, NIST CP-10, MITRE T1485, CIS AD 1.4.1
ADDOM-009 — AD Recycle Bin Status
Medium FAIL
Description
The Active Directory Recycle Bin allows recovery of deleted objects with all attributes intact. Without it, restoring accidentally or maliciously deleted objects requires authoritative restore from backup, which causes significant downtime
Recommended
Enabled
Current Value
Not configured / Non-compliant
Remediation
Enable the AD Recycle Bin via Active Directory Administrative Center > right-click the domain > Enable Recycle Bin, or with Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest root DNS name> in PowerShell. It requires the Windows Server 2008 R2 forest functional level or higher. Note: this action is irreversible
Compliance
NIST CP-9, NIST CP-10, MITRE T1485, CIS 18.3.1, CIS AD 1.4.2
ADDOM-010 — Sites and Subnets Configuration
Medium FAIL
Description
All IP subnets in use should be assigned to AD sites. Clients on unmapped subnets cannot locate their nearest DC and fall back to any DC in the domain, so authentication and Group Policy traffic crosses WAN links, site-scoped policies and DFS referrals misbehave, and the DCs log NETLOGON event 5807 (connections from clients with no site). Unmapped subnets also make DC-selection anomalies harder to spot during an investigation
Recommended
All IP subnets mapped to appropriate AD sites with no orphaned subnets
Current Value
Not configured / Non-compliant
Remediation
Review AD Sites and Services > Subnets container. Cross-reference with network documentation to identify unmapped subnets. Create subnet objects for all production networks and associate them with the correct site
Compliance
NIST SC-7, NIST CM-6, MITRE T1557, CIS AD 1.5.1
ADDOM-020 — DSRM Password Configuration
Medium FAIL
Description
The Directory Services Restore Mode (DSRM) password provides local administrator access to a domain controller when booted in recovery mode. An attacker with physical or remote access who knows the DSRM password can extract the entire AD database. If DsrmAdminLogonBehavior is set to 2, the DSRM account can also be used for network logon to the DC, which lets an attacker who has captured its hash keep access that survives domain account resets. The DSRM password should be unique per DC and rotated regularly
Recommended
DSRM password unique per DC, rotated annually, and stored securely. DsrmAdminLogonBehavior set to 0 to prevent network DSRM logon
Current Value
Not configured / Non-compliant
Remediation
Reset the DSRM password on each DC with ntdsutil ('set dsrm password', then 'reset password on server null'; 'sync from domain account <user>' copies a domain account's current password instead, after which that account should itself be reset). Set DsrmAdminLogonBehavior to 0 under HKLM\System\CurrentControlSet\Control\Lsa, or remove the value (0 is the default), so the DSRM account cannot be used for network logon; a value of 2 is a known persistence technique. Document and securely store the passwords
Compliance
NIST IA-5(1), NIST AC-6, MITRE T1003, MITRE T1078.002, ANSSI R10, CIS AD 1.2.4
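The following PowerShell is an added example, not PSGuerrilla code, that reads from every DC the registry values behind the Group Policy settings in ADDOM-013, ADDOM-014, ADDOM-015, ADDOM-017, ADDOM-018 and ADDOM-020, plus the Print Spooler service state for ADDOM-019, and scores each against the recommended value. It assumes WinRM access to the DCs. Where a value is absent the OS default applies; only DsrmAdminLogonBehavior is safe when absent (default 0), so the others are reported as FAIL until set explicitly.

```powershell
# Added example, not PSGuerrilla code. Effective-setting check across all DCs for the
# GPO-driven items in ADDOM-013/014/015/017/018/020 and the Spooler state (ADDOM-019).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# check id, key, value name, wanted value, PASS when absent?, meaning
$checks = @(
    @('ADDOM-013', $ntds, 'LDAPServerIntegrity',       2, $false, 'LDAP server signing: 2 = Require signing'),
    @('ADDOM-014', $ntds, 'LdapEnforceChannelBinding', 2, $false, 'LDAP channel binding: 2 = Always'),
    @('ADDOM-015', $srv,  'RequireSecuritySignature',  1, $false, 'SMB server signing: 1 = always'),
    @('ADDOM-017', $lsa,  'LmCompatibilityLevel',      5, $false, 'LM auth level: 5 = NTLMv2 only, refuse LM & NTLM'),
    @('ADDOM-018', $lsa,  'RestrictAnonymous',         1, $false, 'No anonymous enumeration of SAM accounts and shares'),
    @('ADDOM-018', $lsa,  'RestrictAnonymousSAM',      1, $false, 'No anonymous enumeration of SAM accounts'),
    @('ADDOM-018', $srv,  'RestrictNullSessAccess',    1, $false, 'Restrict anonymous access to named pipes and shares'),
    @('ADDOM-020', $lsa,  'DsrmAdminLogonBehavior',    0, $true,  'DSRM account usable only in DSRM')
)

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$rows = Invoke-Command -ComputerName $dcs -ArgumentList (,$checks) -ScriptBlock {
    param($checks)
    foreach ($c in $checks) {
        $id, $key, $name, $want, $absentOk, $meaning = $c
        $item   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.$name } else { $null }
        $pass   = if ($null -eq $actual) { [bool]$absentOk } else { [int]$actual -eq [int]$want }
        [pscustomobject]@{
            Check   = $id
            Setting = $name
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Want    = $want
            Status  = if ($pass) { 'PASS' } else { 'FAIL' }
            Meaning = $meaning
        }
    }
    # ADDOM-019: the Spooler must be both disabled and stopped on a DC
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pass = (-not $svc) -or ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    [pscustomobject]@{
        Check   = 'ADDOM-019'
        Setting = 'Spooler service'
        Actual  = if ($svc) { '{0}/{1}' -f $svc.StartType, $svc.Status } else { '(not installed)' }
        Want    = 'Disabled/Stopped'
        Status  = if ($pass) { 'PASS' } else { 'FAIL' }
        Meaning = 'Print Spooler on a DC enables PrinterBug/PrintNightmare coercion'
    }
}

$rows | Sort-Object PSComputerName, Check |
    Format-Table PSComputerName, Check, Setting, Actual, Want, Status -AutoSize
```

Reading the registry rather than the GPO confirms what is actually in force on each DC, which also catches a DC that is failing to apply the Domain Controllers OU policy. Each FAIL row maps back to the check ID in its first column.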
ADDOM-011 — Site Link Configuration
Low FAIL
Description
AD site links should be configured with appropriate cost, replication interval, and schedule to ensure timely replication while respecting network constraints. Misconfigured site links can delay security policy propagation
Recommended
Site links configured with appropriate costs and replication intervals of 15-60 minutes depending on link capacity
Current Value
Not configured / Non-compliant
Remediation
Review AD Sites and Services > Inter-Site Transports > IP. Verify each site link has appropriate cost values, replication interval (default 180 minutes is often too long), and schedule. Adjust based on network topology
Compliance
NIST SC-36, NIST CM-6, MITRE T1557, CIS AD 1.5.2
ADDOM-006 — FSMO Role Holder Identification
Info INFO
Description
The five FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master) should be documented and placed on appropriate domain controllers. Knowing role placement is essential for disaster recovery and operational awareness
Recommended
All FSMO roles documented, placed on reliable DCs, and included in DR planning
Current Value
Not configured / Non-compliant
Remediation
Run 'netdom query fsmo' or query the AD schema and domain partitions to identify role holders. Document roles and verify they are on highly available DCs. Transfer roles if current holders are inappropriate
Compliance
NIST CP-2, NIST CM-8, MITRE T1018, CIS AD 1.1.4
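The following PowerShell is an added example, not PSGuerrilla code, covering the inventory items of ADDOM-001 through ADDOM-006 in one pass: forest and domain functional levels, the schema objectVersion, FSMO role holders, and every live DC with its OS and site, plus computer objects parked in the Domain Controllers OU that are not real DCs. The end-of-life pattern and the 2016 floor are this example's encoding of the recommendations above. Patch level is not stored in AD and needs Get-HotFix or the endpoint-management tool.

```powershell
# Added example, not PSGuerrilla code. Domain/forest inventory for ADDOM-001..006.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion

[pscustomobject]@{
    Forest               = $forest.Name
    ForestMode           = $forest.ForestMode          # ADDOM-001
    DomainMode           = $domain.DomainMode          # ADDOM-002
    SchemaObjectVersion  = $schema.objectVersion       # ADDOM-003: 88 = Windows Server 2022
    SchemaMaster         = $forest.SchemaMaster        # ADDOM-006: FSMO holders
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Functional-level names carry the release year (e.g. Windows2016Forest), so compare numerically
$floor = 2016
foreach ($lvl in @(@('ADDOM-001 forest FL', "$($forest.ForestMode)"), @('ADDOM-002 domain FL', "$($domain.DomainMode)"))) {
    $year = [int][regex]::Match($lvl[1], '\d{4}').Value
    '{0,-20} {1,-22} {2}' -f $lvl[0], $lvl[1], $(if ($year -ge $floor) { 'PASS' } else { 'FAIL' })
}
'{0,-20} {1,-22} {2}' -f 'ADDOM-003 schema', $schema.objectVersion, $(if ([int]$schema.objectVersion -ge 88) { 'PASS' } else { 'FAIL' })

# ADDOM-004/005: live DCs (objects that have NTDS Settings), with an EOL flag on the OS string.
# The pattern is this example's assumption: Server 2012 R2 and earlier count as end-of-life.
$eolPattern = 'Windows Server (2003|2008|2012)'
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        HostName = $_.HostName
        IPv4     = $_.IPv4Address
        Site     = $_.Site
        GC       = $_.IsGlobalCatalog
        RODC     = $_.IsReadOnly
        OS       = $_.OperatingSystem
        Build    = $_.OperatingSystemVersion
        OSStatus = if ($_.OperatingSystem -match $eolPattern) { 'FAIL (EOL)' } else { 'PASS' }
    }
}
$dcs | Sort-Object Site, HostName | Format-Table -AutoSize

# ADDOM-004: computer accounts in the Domain Controllers OU with no live DC behind them (stale or rogue)
Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter * |
    Where-Object { $_.DNSHostName -notin $dcs.HostName } |
    ForEach-Object { "UNACCOUNTED DC OBJECT: $($_.DistinguishedName)" }
```

Run this against every domain in the forest; the domain functional level, FSMO domain roles and DC list are per domain, while the forest level, schema version and the two forest-wide roles are shared.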

AD Group Policy (24 checks, 23 failing)

ADGPO-012 — cPassword/GPP Password Detection
Critical FAIL
Description
Group Policy Preferences stored passwords (cPassword) are encrypted with a publicly known AES key published by Microsoft (MS14-025). Any domain user can read the XML files in SYSVOL containing these passwords and trivially decrypt them. This is one of the most common and easily exploitable Active Directory vulnerabilities
Recommended
No cPassword values present in any GPP XML files in SYSVOL
Current Value
Not configured / Non-compliant
Remediation
Search all SYSVOL GPO folders for XML files containing cpassword attributes in Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml, and Drives.xml. Remove all GPP items that contain stored passwords and treat every password found as compromised: rotate the account. Use LAPS, gMSA, or other modern credential management solutions instead. MS14-025 removed the ability to create new password-bearing items in the Group Policy editor; it does not remove existing ones, so the SYSVOL search is still required on patched domains.
Compliance
NIST IA-5(1), NIST SC-28, MITRE T1552.006, MITRE T1552.001, ANSSI vuln_gpp_passwords
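The following PowerShell is an added example for ADGPO-012, not PSGuerrilla code. It walks SYSVOL for the six Group Policy Preference files named above, reports every element carrying a cpassword attribute, and decrypts each value with the AES-256 key Microsoft published in MS-GPPREF (section 2.2.1.1.4), which is exactly why the finding is rated Critical. It needs only the read access to SYSVOL that every domain user has; GPO display names are resolved with Get-GPO where the GroupPolicy module is available.

```powershell
# Added example, not PSGuerrilla code. Find and decrypt GPP cpassword values in SYSVOL.
param([string]$Domain = (Get-ADDomain).DNSRoot)

# Key published by Microsoft in MS-GPPREF 2.2.1.1.4; the IV is sixteen zero bytes
$gppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # The stored base64 has its '=' padding stripped; restore it (a remainder of 1 is not valid base64)
    switch ($CPassword.Length % 4) {
        1 { $CPassword = $CPassword.Substring(0, $CPassword.Length - 1) }
        2 { $CPassword += '==' }
        3 { $CPassword += '=' }
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $gppKey; $aes.IV = New-Object byte[] 16
    try {
        $cipher = [Convert]::FromBase64String($CPassword)
        $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::Unicode.GetString($plain)      # GPP stores the password as UTF-16LE
    } finally { $aes.Dispose() }
}

$files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
$root  = "\\$Domain\SYSVOL\$Domain\Policies"

$findings = Get-ChildItem -Path $root -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    $guid = ($file.FullName.Substring($root.Length) -split '\\')[1]     # "{GUID}" folder under Policies
    $gpoName = try { (Get-GPO -Guid $guid -Domain $Domain -ErrorAction Stop).DisplayName } catch { $guid }
    $xml  = [xml](Get-Content -LiteralPath $file.FullName -Raw)
    # Any element with a cpassword attribute, whichever preference type it belongs to
    foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
        $cp = $node.GetAttribute('cpassword')
        [pscustomobject]@{
            GPO      = $gpoName
            File     = $file.Name
            UserName = $node.GetAttribute('userName')
            Password = if ($cp) { ConvertFrom-GppPassword $cp } else { '(empty)' }
            Path     = $file.FullName
        }
    }
}

if ($findings) { $findings | Format-Table GPO, File, UserName, Password -AutoSize }
else { "No cpassword attributes found under $root" }
```

Anything this prints has been readable by every domain user for as long as the GPO has existed, so the account password is rotated first and the GPP item removed second; the decrypted value is shown only to make that priority unarguable in the report.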
ADGPO-007 — GPO Permission Inconsistencies
High FAIL
Description
Each GPO has both AD permissions (on the GPC object) and NTFS permissions (on the SYSVOL GPT folder). Inconsistencies between these permission sets can prevent GPO application, allow unauthorized modification, or create security gaps where SYSVOL content is more permissive than the AD object
Recommended
Consistent permissions between AD GPC objects and SYSVOL GPT folders for all GPOs; Authenticated Users have Read access
Current Value
Not configured / Non-compliant
Remediation
Compare the security descriptor on each GPC object in AD with the NTFS ACL on the corresponding GPT folder in SYSVOL. Ensure that both grant Read access to Authenticated Users (required for GPO application). Resolve any inconsistencies by aligning SYSVOL permissions with the AD object. Run dcdiag /test:sysvolcheck to identify issues.
Compliance
NIST AC-3, NIST CM-6, MITRE T1484.001, MITRE T1222.001
ADGPO-011 — GPO Settings Security Analysis
High FAIL
Description
GPO settings can weaken the security posture if they disable protections, relax authentication requirements, or configure insecure defaults. This check analyzes key security-relevant settings across all GPOs including password policies, account lockout, user rights assignments, security options, and audit policies
Recommended
All GPO settings align with organizational security baseline; no GPOs that weaken default security configurations
Current Value
Not configured / Non-compliant
Remediation
Export all GPO reports and analyze security-relevant settings including password policies, account lockout, user rights assignments, restricted groups, security options, and Windows Firewall rules. Compare settings against CIS benchmarks or organizational baselines. Remediate GPOs that configure weaker-than-baseline settings.
Compliance
NIST CM-6, NIST CM-6(1), NIST AC-3, MITRE T1484.001, MITRE T1484
ADGPO-013 — Scripts in GPOs Analysis
High FAIL
Description
GPO startup, shutdown, logon, and logoff scripts execute with the privileges of the system or user and are stored in the accessible SYSVOL share. Malicious scripts placed in GPOs can achieve widespread code execution across the domain. Scripts should be reviewed for security issues including hardcoded credentials, unsafe commands, and references to non-secure locations
Recommended
All GPO scripts reviewed, signed where possible, and free of hardcoded credentials or unsafe operations
Current Value
Not configured / Non-compliant
Remediation
Enumerate all scripts configured in GPOs (Startup, Shutdown, Logon, Logoff) from the Scripts section of GPO reports. Review script content for hardcoded credentials, LOLBins usage, external resource references, and unsafe operations. Implement script signing where supported. Ensure script file permissions restrict modification to authorized administrators only.
Compliance
NIST CM-6, NIST SI-7, NIST CM-5, MITRE T1059, MITRE T1484.001
ADGPO-015 — Scheduled Tasks in GPOs
High FAIL
Description
Group Policy Preferences can create scheduled tasks that run with specified credentials or as SYSTEM on targeted computers. Malicious scheduled tasks deployed via GPO provide persistent code execution across the environment. This is a common post-exploitation technique for maintaining domain-wide persistence
Recommended
All GPO-deployed scheduled tasks documented, using least-privilege accounts, and performing authorized operations only
Current Value
Not configured / Non-compliant
Remediation
Review all Scheduled Task items in GPO Preferences across all GPOs. Verify each task runs a legitimate and authorized command with the minimum required privileges. Remove any tasks that store credentials (use gMSA or SYSTEM context instead). Ensure task executables are stored in protected locations. Document the business purpose for each GPO-deployed scheduled task.
Compliance
NIST CM-6, NIST CM-5, NIST AC-6, MITRE T1053.005, MITRE T1484.001
ADGPO-017 — Restricted Groups Analysis
High FAIL
Description
Restricted Groups GPO settings enforce group membership on target systems, commonly used to manage local Administrators group membership. Misconfigured Restricted Groups can inadvertently grant local admin access to unauthorized users or fail to remove unauthorized members from privileged local groups
Recommended
Restricted Groups configured to enforce least-privilege local admin membership; only authorized groups in local Administrators
Current Value
Not configured / Non-compliant
Remediation
Review Restricted Groups settings in all GPOs. Verify that the local Administrators group is managed to include only authorized admin groups. Ensure that Restricted Groups do not add Domain Users or other broad groups to privileged local groups. Consider using Group Policy Preferences for more granular control (Add/Remove members without replacing the entire membership).
Compliance
NIST AC-6, NIST AC-6(1), NIST CM-6, MITRE T1484.001, MITRE T1098
ADGPO-018 — Audit Policy Configuration via GPO
High FAIL
Description
Windows audit policies configured through Group Policy determine which security events are logged on domain-joined systems. Insufficient audit configuration creates blind spots that allow attackers to operate undetected. Key audit categories include logon events, account management, directory service access, and object access
Recommended
Advanced Audit Policy configured via GPO with success and failure auditing for all critical categories aligned with organizational detection requirements
Current Value
Not configured / Non-compliant
Remediation
Configure Advanced Audit Policy Configuration (not legacy Audit Policy) via GPO. Enable at minimum: Account Logon (Success/Failure), Account Management (Success/Failure), Directory Service Access (Success/Failure), Logon/Logoff (Success/Failure), Object Access (Success/Failure for sensitive resources), Policy Change (Success), Privilege Use (Success/Failure), and System (Success/Failure). Deploy to all domain-joined systems.
Compliance
NIST AU-2, NIST AU-3, NIST AU-12, MITRE T1484.001, MITRE T1562.002
ADGPO-021 — PowerShell Logging Configuration
High FAIL
Description
PowerShell Module Logging, Script Block Logging, and Transcription provide critical visibility into PowerShell-based attacks which are used in the majority of modern Active Directory compromises. Without these logging capabilities, defenders cannot detect or investigate PowerShell-based reconnaissance, credential theft, or lateral movement
Recommended
Module Logging, Script Block Logging, and Transcription enabled via GPO on all systems
Current Value
Not configured / Non-compliant
Remediation
Configure GPO settings under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. Enable Module Logging with module name '*' to log all modules (event 4103). Enable Script Block Logging (event 4104); the 'Log script block invocation start/stop events' option adds events 4105/4106 and is high-volume, so enable it only where the log pipeline can absorb it. Enable PowerShell Transcription with an output directory on a write-only share that users cannot read from or delete in. Deploy to all domain-joined systems and verify that the events actually arrive in the central log collection.
Compliance
NIST AU-2, NIST AU-3, NIST AU-12, NIST SI-4, MITRE T1059.001, MITRE T1562.002
ADGPO-023 — LAPS GPO Configuration
High FAIL
Description
Local Administrator Password Solution (LAPS) provides automated rotation of local administrator passwords on domain-joined systems, preventing lateral movement via shared local admin credentials. LAPS must be deployed via GPO to be effective, and its configuration settings determine password complexity, rotation frequency, and which account is managed
Recommended
LAPS enabled via GPO on all domain-joined systems with 24-character passwords and 30-day maximum age
Current Value
Not configured / Non-compliant
Remediation
Prefer Windows LAPS, built into Windows 10/11, Windows Server 2019 and later since the April 2023 updates, which needs no client-side extension and is configured under Computer Configuration > Administrative Templates > System > LAPS; legacy Microsoft LAPS (the AdmPwd CSE installed via GPO software installation or SCCM) is deprecated. In either case: enable local admin password management, set complexity to upper-case + lower-case + digits + specials, set length to 24 or more characters, and set password age to 30 days or less. Verify operation by reading msLAPS-PasswordExpirationTime (Windows LAPS) or ms-Mcs-AdmPwdExpirationTime (legacy LAPS) on computer objects, and restrict read access to the password attributes to the groups that need it.
Compliance
NIST AC-6, NIST IA-5(1), NIST CM-6, MITRE T1078.003, MITRE T1021, ANSSI vuln_no_laps
ADGPO-006 — GPOs with Broken Links
Medium FAIL
Description
GPO links that reference non-existent GPOs or GPOs whose SYSVOL data is missing indicate replication issues, improper deletion, or corruption. Broken links can cause Group Policy processing errors and may mask the absence of intended security configurations
Recommended
No broken GPO links; all gPLink references resolve to valid GPOs with intact SYSVOL data
Current Value
Not configured / Non-compliant
Remediation
Parse gPLink attributes on all OUs, sites, and the domain root to extract referenced GPO GUIDs. Verify each GUID exists in the GPC (AD) and GPT (SYSVOL) containers. Remove broken links using Set-GPLink or by directly editing the gPLink attribute. Investigate the root cause of any missing GPO data.
Compliance
NIST CM-3, NIST CM-6, MITRE T1484.001
ADGPO-008 — GPOs Not Applied Due to WMI Filters
Medium FAIL
Description
WMI filters can prevent GPOs from applying to target systems based on WQL queries. Overly broad or misconfigured WMI filters may inadvertently block security-critical GPOs from applying to systems that require them, creating gaps in the intended security configuration
Recommended
All security-critical GPOs apply to intended targets; WMI filters validated against actual environment conditions
Current Value
Not configured / Non-compliant
Remediation
Review WMI filters linked to security-critical GPOs using Get-GPO and examining WMI filter assignments. Test WMI filter queries against representative target systems to verify they evaluate correctly. Use Group Policy Results (gpresult) on sample systems to confirm GPOs are applying. Replace or fix WMI filters that are blocking intended application.
Compliance
NIST CM-6, NIST CM-3, MITRE T1484.001
ADGPO-009 — GPOs with No Apply Permission
Medium FAIL
Description
If the Apply Group Policy (Read + Apply) permission is not granted to the appropriate security principals, the GPO will not be processed by those systems even when linked to the correct OU. This commonly occurs when Authenticated Users is removed from the GPO security filtering without adding specific groups
Recommended
All GPOs have Apply Group Policy permission granted to appropriate security groups; no GPOs with no apply targets
Current Value
Not configured / Non-compliant
Remediation
Check each GPO for Apply Group Policy permissions using Get-GPPermission. Ensure that at least one security group with members has the Apply permission. For GPOs that should apply to specific groups only, verify the target groups contain the intended members. Add Authenticated Users with Read-only permission (without Apply) if security filtering is used.
Compliance
NIST CM-6, NIST AC-3, MITRE T1484.001
ADGPO-010 — SYSVOL/AD GPO Version Mismatch
Medium FAIL
Description
Each GPO maintains version numbers in both the AD GPC object (versionNumber attribute) and the SYSVOL GPT folder (gpt.ini). A mismatch between these versions indicates replication failure, SYSVOL corruption, or incomplete GPO updates. Version mismatches can cause clients to apply stale or incomplete policies
Recommended
All GPO versions match between AD GPC objects and SYSVOL GPT gpt.ini files across all domain controllers
Current Value
Not configured / Non-compliant
Remediation
Compare the versionNumber attribute in AD with the Version value in SYSVOL gpt.ini for each GPO across all domain controllers. Investigate and resolve any DFSR or FRS replication issues causing mismatches. Force replication using repadmin /syncall and DFSRDIAG. For persistent mismatches, use the authoritative restore process for SYSVOL.
Compliance
NIST CM-3, NIST CM-6, NIST SI-7, MITRE T1484.001
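The following PowerShell is an added example for ADGPO-010, not PSGuerrilla code. For every GPO and every DC it compares the GPC versionNumber read from that DC's AD replica with the Version line in gpt.ini read from that DC's SYSVOL, so both AD and SYSVOL replication lag show up. Both values are one 32-bit number: user version in the high word, computer version in the low word. It assumes the GroupPolicy and ActiveDirectory modules and SMB access to each DC's SYSVOL share.

```powershell
# Added example, not PSGuerrilla code. GPC (AD) vs GPT (SYSVOL) version check per DC (ADGPO-010).
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

function ConvertTo-GpoVersion([int64]$Raw) {
    $v = [uint32]($Raw -band 0xFFFFFFFF)     # AD exposes versionNumber as a signed Int32
    [pscustomobject]@{ Raw = $v; User = [int]($v -shr 16); Computer = [int]($v -band 0xFFFF) }
}

$rows = foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
    foreach ($dc in $dcs) {
        $gpc = $null; $gpt = $null
        try {
            # GPC side, read from this specific DC so AD replication lag is visible too
            $raw = (Get-ADObject -Identity $gpo.Path -Server $dc -Properties versionNumber).versionNumber
            $gpc = ConvertTo-GpoVersion $raw
        } catch { }
        # GPT side, read from this DC's SYSVOL
        $ini = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$guid\gpt.ini"
        if (Test-Path -LiteralPath $ini) {
            $text = Get-Content -LiteralPath $ini -Raw
            if ($text -match '(?im)^\s*Version\s*=\s*(\d+)') { $gpt = ConvertTo-GpoVersion ([int64]$Matches[1]) }
        }
        $status = if (-not $gpc) { 'FAIL (GPC missing on DC)' } elseif (-not $gpt) { 'FAIL (gpt.ini missing)' } elseif ($gpc.Raw -ne $gpt.Raw) { 'FAIL (version mismatch)' } else { 'PASS' }
        [pscustomobject]@{
            GPO          = $gpo.DisplayName
            DC           = $dc
            GPC_User     = if ($gpc) { $gpc.User } else { '-' }
            GPC_Computer = if ($gpc) { $gpc.Computer } else { '-' }
            GPT_User     = if ($gpt) { $gpt.User } else { '-' }
            GPT_Computer = if ($gpt) { $gpt.Computer } else { '-' }
            Status       = $status
        }
    }
}

$rows | Where-Object Status -ne 'PASS' | Sort-Object GPO, DC | Format-Table -AutoSize
```

A mismatch on a single DC points at DFSR (or FRS) replication of SYSVOL; the same mismatch on every DC points at an interrupted GPO edit or a restore of one side only, and is fixed by re-saving the GPO so both versions increment together.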
ADGPO-014 — MSI Packages in GPOs
Medium FAIL
Description
Software Installation GPO settings deploy MSI packages to targeted computers. Compromised or unauthorized MSI packages in GPOs can deploy malware across the domain. The source location of MSI packages and access controls on those locations must be verified
Recommended
All GPO-deployed MSI packages sourced from secure, access-controlled locations with verified integrity
Current Value
Not configured / Non-compliant
Remediation
Identify all software installation settings in GPOs. Verify that MSI source paths point to secured shares with appropriate NTFS and share permissions. Confirm that MSI packages are from trusted vendors and have not been tampered with. Consider using WDAC or AppLocker to restrict MSI installation to approved packages.
Compliance
NIST CM-5, NIST CM-7(5), NIST SI-7, MITRE T1484.001, MITRE T1072
ADGPO-016 — Registry Settings Security Review
Medium FAIL
Description
GPOs can deploy registry settings that affect security configurations including disabling security features, weakening authentication protocols, or enabling insecure services. Registry-based settings in GPOs should be reviewed to ensure they do not weaken the security posture of targeted systems
Recommended
No GPO registry settings that weaken security defaults; all registry modifications documented and justified
Current Value
Not configured / Non-compliant
Remediation
Export GPO registry settings from Administrative Templates and Registry Preferences. Review settings that affect security-relevant registry keys including HKLM\SYSTEM\CurrentControlSet\Control\Lsa, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, and authentication-related keys. Remove or correct settings that weaken security posture.
Compliance
NIST CM-6, NIST CM-6(1), MITRE T1484.001, MITRE T1112
ADGPO-019 — Windows Firewall Configuration via GPO
Medium FAIL
Description
Windows Defender Firewall with Advanced Security settings deployed via GPO control network access on domain-joined systems. GPOs that disable the firewall, allow overly permissive inbound rules, or fail to configure the firewall leave systems vulnerable to lateral movement and network-based attacks
Recommended
Windows Firewall enabled for all profiles (Domain, Private, Public) with deny-by-default inbound rules configured via GPO
Current Value
Not configured / Non-compliant
Remediation
Review Windows Firewall GPO settings across all applicable GPOs. Ensure the firewall is enabled for Domain, Private, and Public profiles. Verify that inbound rules follow a deny-by-default approach with specific allow rules for required services only. Remove any GPO settings that disable the Windows Firewall. Test firewall rules in a staging OU before domain-wide deployment.
Compliance
NIST SC-7, NIST SC-7(5), NIST CM-6, MITRE T1484.001, MITRE T1562.004
ADGPO-020 — PowerShell Execution Policy via GPO
Medium FAIL
Description
PowerShell execution policy controls which scripts can run on a system. While execution policy is not a security boundary, setting it to Unrestricted or Bypass via GPO removes a layer of defense and makes it easier for attackers to execute malicious scripts without user prompts
Recommended
PowerShell execution policy set to AllSigned or RemoteSigned via GPO; not set to Unrestricted or Bypass
Current Value
Not configured / Non-compliant
Remediation
Review GPO settings under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution. Set the execution policy to AllSigned for high-security environments or RemoteSigned for standard environments. Implement code signing for authorized PowerShell scripts. Avoid setting Bypass or Unrestricted via GPO.
Compliance
NIST CM-6, NIST CM-7, NIST SI-7, MITRE T1059.001, MITRE T1484.001
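The following PowerShell is an added example, not PSGuerrilla code, that verifies on target hosts what the GPOs in ADGPO-018, ADGPO-020 and ADGPO-021 should have delivered: the PowerShell policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell and a set of Advanced Audit Policy subcategories read with 'auditpol /get ... /r'. It assumes WinRM access to the targets; the subcategory list and the requirement that the transcription directory be a UNC path are this example's choices, not the report's.

```powershell
# Added example, not PSGuerrilla code. Effective PowerShell logging, execution policy and
# audit policy on remote hosts (ADGPO-018 / ADGPO-020 / ADGPO-021).
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Subcategories chosen for this example; extend to the organisation's audit baseline
$subcategories = 'Logon','Special Logon','Process Creation','User Account Management',
                 'Security Group Management','Audit Policy Change'

Invoke-Command -ComputerName $ComputerName -ArgumentList (,$subcategories) -ScriptBlock {
    param($subcats)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    function Get-PolicyValue($Sub, $Name) {
        $path = if ($Sub) { Join-Path $base $Sub } else { $base }
        (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $ml    = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    $sbl   = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    $tr    = Get-PolicyValue 'Transcription'      'EnableTranscripting'
    $dir   = Get-PolicyValue 'Transcription'      'OutputDirectory'
    $ep    = Get-PolicyValue ''                   'ExecutionPolicy'
    # Module logging is only complete if the ModuleNames key lists '*'
    $names = if (Test-Path "$base\ModuleLogging\ModuleNames") { (Get-Item "$base\ModuleLogging\ModuleNames").GetValueNames() } else { @() }

    [pscustomobject]@{ Check = 'ADGPO-021'; Setting = 'Module logging';       Actual = "$ml ($($names -join ','))"; Pass = ($ml -eq 1 -and $names -contains '*') }
    [pscustomobject]@{ Check = 'ADGPO-021'; Setting = 'Script block logging'; Actual = "$sbl";                      Pass = ($sbl -eq 1) }
    [pscustomobject]@{ Check = 'ADGPO-021'; Setting = 'Transcription';        Actual = "$tr -> $dir";               Pass = ($tr -eq 1 -and $dir -like '\\*') }
    [pscustomobject]@{ Check = 'ADGPO-020'; Setting = 'Execution policy';     Actual = "$ep";                       Pass = ($ep -in 'AllSigned','RemoteSigned') }

    # ADGPO-018: auditpol /r returns CSV; 'Inclusion Setting' is Success, Failure, Success and Failure, or No Auditing
    foreach ($s in $subcats) {
        $row = (auditpol /get "/subcategory:$s" /r) | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
        [pscustomobject]@{ Check = 'ADGPO-018'; Setting = "Audit: $s"; Actual = $row.'Inclusion Setting'; Pass = ($row.'Inclusion Setting' -match 'Success') }
    }
} | Format-Table PSComputerName, Check, Setting, Actual, Pass -AutoSize
```

Checking the effective values on the endpoint, rather than the GPO report, catches hosts that fall outside the link scope, are filtered out by WMI filters or security filtering, or have a conflicting local policy.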
ADGPO-022 — AppLocker/WDAC Policy Assessment
Medium FAIL
Description
Application control policies such as AppLocker and Windows Defender Application Control restrict which executables, scripts, and DLLs can run on managed systems. Without application control, attackers can execute arbitrary tools and malware on compromised systems to facilitate lateral movement and persistence
Recommended
AppLocker or WDAC policy deployed via GPO in enforce mode on all workstations and servers with a documented baseline
Current Value
Not configured / Non-compliant
Remediation
Deploy AppLocker or WDAC policies via GPO starting in audit mode. Analyze audit logs to build a baseline of approved applications. Create allow-list rules based on publisher, path, or hash. Transition from audit to enforce mode after validating the baseline. Monitor for blocked execution events and update rules as needed.
Compliance
NIST CM-7(5), NIST CM-7(2), NIST SI-7, MITRE T1059, MITRE T1204.002
ADGPO-002 — Empty GPOs
Low FAIL
Description
GPOs that contain no configured settings (both Computer and User Configuration sections are empty) add unnecessary complexity to Group Policy processing and may indicate abandoned configuration efforts or testing artifacts that were never cleaned up
Recommended
No empty GPOs in the domain; all GPOs contain at least one configured setting
Current Value
Not configured / Non-compliant
Remediation
Identify GPOs with no configured settings using Get-GPOReport in XML format and checking for empty ExtensionData elements. Verify that empty GPOs are not placeholders for future use. Delete truly empty GPOs after confirming they are not referenced by any automation or documentation.
Compliance
NIST CM-2, NIST CM-7, MITRE T1484.001
ADGPO-003 — Unlinked GPOs
Low FAIL
Description
GPOs that are not linked to any site, domain, or OU are not being applied and represent unused configuration. Unlinked GPOs may contain sensitive settings, credentials in GPP, or scripts that could be leveraged if an attacker later links them to a target OU
Recommended
No unlinked GPOs unless documented as templates or backups with appropriate access controls
Current Value
Not configured / Non-compliant
Remediation
Identify unlinked GPOs by comparing all GPO GUIDs against gPLink attributes on all OUs, sites, and the domain root. Review each unlinked GPO to determine if it should be linked, archived, or deleted. Remove sensitive content from unlinked GPOs that are kept as templates.
Compliance
NIST CM-2, NIST CM-7, MITRE T1484.001
ADGPO-004 — Disabled GPOs with Content
Low FAIL
Description
GPOs where either the User Configuration or Computer Configuration section is disabled but still contains configured settings may indicate incomplete decommissioning or unintentional disabling. If re-enabled by an attacker with GPO edit permissions, the dormant settings would take effect
Recommended
No GPOs with disabled sections that contain configured settings; disabled sections should be empty
Current Value
Not configured / Non-compliant
Remediation
Review all GPOs where GpoStatus is UserSettingsDisabled or ComputerSettingsDisabled. Verify that the disabled section does not contain active settings. Either re-enable the section if the settings are needed, or remove the settings from the disabled section. Document the reason for any intentionally disabled sections.
Compliance
NIST CM-2, NIST CM-6, MITRE T1484.001
ADGPO-005 — Duplicated GPOs
Low FAIL
Description
Multiple GPOs with substantially similar or identical settings create management overhead, increase the risk of configuration drift, and complicate troubleshooting. Duplicate GPOs may also result in conflicting settings that produce unpredictable behavior
Recommended
No duplicate GPOs; each GPO has a unique purpose and non-overlapping settings
Current Value
Not configured / Non-compliant
Remediation
Export all GPO reports in XML format and compare settings across GPOs to identify duplicates. Consolidate duplicate GPOs into a single GPO where possible. Update OU links to reference the consolidated GPO. Test the consolidated GPO in a staging OU before removing the duplicates.
Compliance
NIST CM-2, NIST CM-3, MITRE T1484.001
ADGPO-024 — GPO WMI Filter Review
Low FAIL
Description
WMI filters control GPO application based on WQL queries evaluated on target systems. Malicious or misconfigured WMI filters can selectively prevent security GPOs from applying to specific systems, creating targeted security gaps. WMI filters should be reviewed for correctness, performance impact, and potential abuse
Recommended
All WMI filters documented, tested, and producing expected results; no WMI filters that block security-critical GPOs
Current Value
Not configured / Non-compliant
Remediation
Inventory all WMI filters using Get-ADObject -Filter 'objectClass -eq "msWMI-Som"'. Review the WQL query in each filter for correctness and test against representative target systems. Verify that WMI filters are not blocking security-critical GPOs from applying. Remove unused WMI filters. Document the purpose and expected behavior of each active WMI filter.
Compliance
NIST CM-6, NIST CM-3, MITRE T1484.001
ADGPO-001 — GPO Inventory with Link Status
Info INFO
Description
A comprehensive inventory of all Group Policy Objects with their link status, scope, and enforcement state provides the foundation for GPO security analysis. Understanding which GPOs are linked, enforced, or disabled is essential for assessing the effective security posture delivered through Group Policy
Recommended
Complete GPO inventory documented with link status, scope, and owner for each GPO
Current Value
Not configured / Non-compliant
Remediation
Generate a full GPO inventory using Get-GPO -All and Get-GPOReport. Document each GPO's purpose, owner, link locations, and enforcement status. Establish a GPO naming convention and ensure all GPOs conform to it. Implement a GPO change management process.
Compliance
NIST CM-8, NIST CM-8(1), MITRE T1484.001

AD Kerberos Security (11 checks, 10 failing)

ADKERB-002 — Kerberoastable with Weak Encryption
Critical FAIL
Description
SPN-bearing user accounts configured to use RC4 or DES encryption are significantly easier to crack via Kerberoasting than those using AES. RC4 (ARCFOUR-HMAC-MD5) tickets can be cracked orders of magnitude faster than AES tickets on modern GPU hardware. Accounts explicitly configured with weak encryption types or lacking AES keys represent the highest-priority Kerberoasting targets
Recommended
All SPN-bearing accounts support AES256 encryption. No accounts restricted to RC4 or DES encryption types. msDS-SupportedEncryptionTypes includes AES flags on all service accounts
Current Value
Not configured / Non-compliant
Remediation
Query SPN-bearing user accounts and check their msDS-SupportedEncryptionTypes attribute. Accounts with value 0 (not set) default to RC4. Accounts with only RC4 (0x4) or DES (0x1, 0x2, 0x3) flags are vulnerable. Rotate passwords on all affected accounts after enabling AES support in the domain to generate AES keys. Set msDS-SupportedEncryptionTypes to include AES128 (0x8) and AES256 (0x10) flags
Compliance
NIST IA-5(1), NIST SC-12, MITRE T1558.003, ANSSI R36, ANSSI R37, CIS AD 7.1.2
ADKERB-004 — Unconstrained Delegation - Computers
Critical FAIL
Description
Computer accounts with unconstrained delegation (TrustedForDelegation) cache the TGT of any user who authenticates to them. If an attacker compromises such a machine, they can extract cached TGTs and impersonate any user including Domain Admins. Combined with the SpoolSample or PrinterBug coercion attack, an attacker can force a domain controller to authenticate and capture its TGT, leading to full domain compromise
Recommended
No computer accounts with unconstrained delegation except domain controllers (which inherently require it). All other delegation migrated to constrained or resource-based constrained delegation
Current Value
Not configured / Non-compliant
Remediation
Identify computers with unconstrained delegation using Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation. Exclude domain controllers from findings. For remaining computers, migrate to constrained delegation by identifying the specific services they need to delegate to, then configure msDS-AllowedToDelegateTo. Add sensitive accounts to the Protected Users group to prevent their TGTs from being cached. Mark high-value accounts as 'Account is sensitive and cannot be delegated'
Compliance
NIST AC-6, MITRE T1558.001, ANSSI R35, CIS AD 7.3.1
ADKERB-005 — Unconstrained Delegation - Users
Critical FAIL
Description
User accounts with unconstrained delegation are even more dangerous than computer accounts with the same setting, as user accounts are more easily compromised through credential theft, phishing, or password attacks. Any service running under a user account with unconstrained delegation can impersonate any user who authenticates to it, providing a direct path to domain compromise
Recommended
No user accounts with unconstrained delegation. All user account delegation migrated to constrained or resource-based constrained delegation
Current Value
Not configured / Non-compliant
Remediation
Identify users with unconstrained delegation using Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation. This is almost never a legitimate configuration for user accounts. Remove the unconstrained delegation flag and configure constrained delegation to specific services if delegation is required. Rotate the account password immediately as the account may have been targeted
Compliance
NIST AC-6, MITRE T1558.001, ANSSI R35, CIS AD 7.3.2
ADKERB-001 — Kerberoastable Accounts
High FAIL
Description
User accounts with Service Principal Names (SPNs) are vulnerable to Kerberoasting, where any authenticated domain user can request a service ticket encrypted with the account's password hash and attempt offline cracking. This attack requires no special privileges and is difficult to detect. Each SPN-bearing user account represents a potential credential exposure vector
Recommended
Minimal user accounts with SPNs. All Kerberoastable accounts identified, documented with business justification, and protected with 25+ character passwords or migrated to gMSA
Current Value
Not configured / Non-compliant
Remediation
Enumerate Kerberoastable accounts using Get-ADUser -Filter {ServicePrincipalName -ne '$null'} -Properties ServicePrincipalName. For each account: (1) evaluate if the SPN is still needed, (2) remove unnecessary SPNs, (3) migrate to Group Managed Service Accounts where possible, (4) for remaining accounts ensure passwords are 25+ characters and rotated regularly. Monitor for Kerberos TGS requests targeting sensitive accounts via Event ID 4769
Compliance
NIST IA-5(1), MITRE T1558.003, ANSSI R36, CIS AD 7.1.1
ADKERB-003 — AS-REP Roastable Accounts
High FAIL
Description
Accounts with the DONT_REQUIRE_PREAUTH flag set allow any user to request an AS-REP containing encrypted material that can be cracked offline without any prior authentication. Unlike Kerberoasting, AS-REP Roasting does not even require a valid domain account in some configurations, making it an attractive initial access technique for attackers with only network access to a domain controller
Recommended
No accounts with 'Do not require Kerberos preauthentication' flag set. Zero AS-REP Roastable accounts
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true -and Enabled -eq $true}. Enable Kerberos pre-authentication on all accounts. There is rarely a legitimate reason to disable pre-authentication in modern environments. Rotate passwords on all previously vulnerable accounts as they may have already been targeted. Monitor for Event ID 4768 with pre-authentication type 0
Compliance
NIST IA-5(1), MITRE T1558.004, ANSSI R36, CIS AD 7.2.1
ADKERB-006 — Constrained Delegation Analysis
High FAIL
Description
Constrained delegation limits which services an account can delegate to via the msDS-AllowedToDelegateTo attribute, but misconfiguration can still enable privilege escalation. Delegation to LDAP, CIFS, or HOST services on domain controllers can be abused to perform DCSync attacks, access DC file shares, or execute commands as the delegated user. Each constrained delegation entry should be reviewed for security impact
Recommended
All constrained delegation entries documented with business justification. No delegation to sensitive services (LDAP, CIFS, HOST, WSMAN) on domain controllers
Current Value
Not configured / Non-compliant
Remediation
Enumerate constrained delegation using Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne '$null'} -Properties msDS-AllowedToDelegateTo. Review each delegation target. Flag any delegation to DC services (especially LDAP, CIFS, HOST, HTTP, WSMAN) as high risk. Remove unnecessary delegation entries and document legitimate ones with business justification. Consider migrating to resource-based constrained delegation for improved security
Compliance
NIST AC-6, MITRE T1550.003, CIS AD 7.3.3
ADKERB-007 — Resource-Based Constrained Delegation
High FAIL
Description
Resource-based constrained delegation (RBCD) allows the target resource to control which accounts can delegate to it via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. While more secure by design than traditional constrained delegation, RBCD can be abused if an attacker gains write access to a computer object to configure unauthorized delegation paths. This is a common post-exploitation technique
Recommended
All RBCD configurations documented and audited. No unauthorized entries in msDS-AllowedToActOnBehalfOfOtherIdentity. Write access to computer objects restricted to authorized administrators only
Current Value
Not configured / Non-compliant
Remediation
Enumerate RBCD configurations using Get-ADComputer -Filter {msDS-AllowedToActOnBehalfOfOtherIdentity -ne '$null'} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity. Review each entry for business justification. Audit who has write access to computer objects in AD to identify potential RBCD abuse paths. Remove unauthorized RBCD entries. Implement monitoring for changes to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
Compliance
NIST AC-6, MITRE T1550.003, CIS AD 7.3.4
ADKERB-008 — Protocol Transition Abuse Paths
High FAIL
Description
Accounts configured for constrained delegation with protocol transition (TrustedToAuthForDelegation / T2A4D flag) can obtain service tickets on behalf of any user without that user actually authenticating via Kerberos. This S4U2Self capability allows the account to impersonate any user to the services it is allowed to delegate to, making it a powerful privilege escalation vector when combined with delegation to sensitive services
Recommended
Protocol transition (TrustedToAuthForDelegation) disabled on all accounts unless explicitly required and documented. No protocol transition accounts that can delegate to domain controller services
Current Value
Not configured / Non-compliant
Remediation
Identify accounts with protocol transition using Get-ADObject -Filter {TrustedToAuthForDelegation -eq $true} -Properties TrustedToAuthForDelegation,msDS-AllowedToDelegateTo. For each account, evaluate whether protocol transition is truly required (only needed when the initial authentication does not use Kerberos). Disable protocol transition where not needed. For remaining accounts, strictly limit the delegation targets and ensure no DC services are in scope
Compliance
NIST AC-6, MITRE T1550.003, CIS AD 7.3.5
ADKERB-009 — Kerberos Encryption Types
High FAIL
Description
Kerberos encryption types determine the strength of ticket encryption. DES and RC4 (ARCFOUR-HMAC-MD5) are cryptographically weak and should be disabled in favor of AES128 and AES256. RC4 in particular is targeted by Kerberoasting attacks as it is significantly faster to crack than AES-encrypted tickets. Enforcing AES-only encryption substantially increases the difficulty of offline credential attacks
Recommended
AES256_HMAC_SHA1 and AES128_HMAC_SHA1 as the only supported encryption types. DES and RC4 disabled via Group Policy and domain functional level
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Network security: Configure encryption types allowed for Kerberos' = AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Audit accounts with msDS-SupportedEncryptionTypes to identify those restricted to RC4. Ensure all service accounts have AES keys generated by rotating passwords after AES support is enabled at the domain level
Compliance
NIST SC-12, NIST SC-13, MITRE T1558, ANSSI R37, CIS AD 7.4.1
ADKERB-010 — Kerberos Ticket Lifetime
Medium FAIL
Description
Kerberos ticket lifetimes control how long authentication tickets remain valid. Excessively long TGT or service ticket lifetimes extend the window during which stolen tickets can be used for pass-the-ticket attacks. The default TGT lifetime of 10 hours and maximum renewal of 7 days should be reviewed to balance security with operational requirements
Recommended
TGT maximum lifetime: 4-10 hours. Service ticket maximum lifetime: 600 minutes. Maximum ticket renewal: 7 days. Maximum clock skew: 5 minutes
Current Value
Not configured / Non-compliant
Remediation
Configure Kerberos policy in Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. Set maximum lifetime for service ticket (600 minutes), maximum lifetime for user ticket (10 hours or less), and maximum lifetime for user ticket renewal (7 days). For Tier 0 accounts, add them to the Protected Users group which automatically enforces a 4-hour TGT lifetime
Compliance
NIST AC-12, CIS AD 7.5.1
ADKERB-011 — Computer SPN Audit
Info INFO
Description
Service Principal Names on computer accounts define the services registered to run on each machine. Duplicate SPNs cause Kerberos authentication failures, while unauthorized SPNs may indicate rogue services or compromised machines. A clean SPN configuration is essential for Kerberos to function correctly and for maintaining an accurate service inventory
Recommended
No duplicate SPNs across the domain. All SPNs on computer accounts correspond to legitimate, documented services
Current Value
Not configured / Non-compliant
Remediation
Scan for duplicate SPNs using setspn -X in the forest or Get-ADObject queries. Remove or reassign duplicate SPNs to the correct accounts. Review SPNs on computer objects to identify any unauthorized or unexpected services. Use setspn -L <computername> to list SPNs per computer. Document all non-default SPNs with their business purpose
Compliance
NIST CM-8, CIS AD 7.1.3

AD Logon Scripts & Network Shares (11 checks, 10 failing)

ADSCRIPT-004 — Hardcoded Credentials in Scripts
Critical FAIL
Description
Logon scripts frequently contain hardcoded credentials including passwords for network drive mappings, service accounts, database connections, and API keys. These credentials are readable by all authenticated users through the NETLOGON share and represent a trivial credential harvesting opportunity for attackers
Recommended
No hardcoded credentials, passwords, or API keys in any NETLOGON or SYSVOL scripts
Current Value
Not configured / Non-compliant
Remediation
Scan all scripts in NETLOGON and SYSVOL for patterns indicating credentials: password, passwd, pwd, credential, secret, apikey, token, connectionstring, and similar keywords. Replace hardcoded credentials with secure alternatives such as Windows Credential Manager, gMSA accounts, or encrypted configuration files with restricted access. Rotate any credentials found in scripts immediately.
Compliance
NIST IA-5(1), NIST SC-28, NIST IA-5(7), MITRE T1552.001, MITRE T1059, ANSSI vuln_cleartext_password
ADSCRIPT-006 — Plaintext Passwords in Scripts
Critical FAIL
Description
Scripts that contain plaintext passwords in net use commands, database connection strings, or variable assignments expose credentials to every authenticated domain user who can read the NETLOGON share. This includes passwords for service accounts, database accounts, and network resources that may provide lateral movement paths
Recommended
No plaintext passwords in any script files; all authentication uses integrated security or secure credential storage
Current Value
Not configured / Non-compliant
Remediation
Search all script files for patterns such as 'net use * /user:', password assignments in PowerShell or batch, connection strings with Password= or Pwd=, and WScript.Network.MapNetworkDrive calls with credentials. Replace all plaintext credential usage with Windows integrated authentication, Credential Manager, or gMSA accounts. Rotate all exposed passwords immediately.
Compliance
NIST IA-5(1), NIST SC-28, NIST IA-5(7), MITRE T1552.001, MITRE T1059, ANSSI vuln_cleartext_password
ADSCRIPT-007 — World-Writable Script Permissions
Critical FAIL
Description
Individual script files in NETLOGON or SYSVOL that grant write or modify permissions to non-administrative users can be modified by any attacker with domain credentials. Even if the share-level permissions are correct, overly permissive file-level NTFS permissions on individual scripts create a code execution opportunity
Recommended
All script files in NETLOGON and SYSVOL writable only by Domain Admins and SYSTEM; no write access for Domain Users or Authenticated Users
Current Value
Not configured / Non-compliant
Remediation
Enumerate NTFS permissions on every file in the NETLOGON share and SYSVOL scripts folders. Identify files where Domain Users, Authenticated Users, Everyone, or other broad groups have Write, Modify, or Full Control permissions. Reset permissions using icacls to grant Read and Execute to Authenticated Users and Full Control to Domain Admins and SYSTEM only.
Compliance
NIST AC-3, NIST AC-6, NIST CM-5, MITRE T1222.001, MITRE T1059, ANSSI vuln_writable_scripts
ADSCRIPT-001 — NETLOGON Share Permissions
High FAIL
Description
The NETLOGON share hosts logon scripts that execute on every domain-joined system during user logon. Overly permissive NTFS or share permissions on NETLOGON allow any authenticated user to modify scripts, enabling widespread code execution. Only Domain Admins and authorized administrators should have write access
Recommended
NETLOGON share: Authenticated Users Read only; write access limited to Domain Admins and authorized GPO administrators
Current Value
Not configured / Non-compliant
Remediation
Review NTFS permissions on the NETLOGON folder (typically %SystemRoot%\SYSVOL\sysvol\<domain>\Scripts) on each domain controller. Remove write, modify, or full control permissions for non-administrative groups. Verify share permissions match NTFS permissions. Ensure permissions are consistent across all domain controllers via DFSR replication.
Compliance
NIST AC-3, NIST AC-6, NIST CM-5, MITRE T1059, MITRE T1222.001, ANSSI vuln_netlogon_permissions
ADSCRIPT-002 — SYSVOL Share Permissions
High FAIL
Description
The SYSVOL share contains Group Policy templates, scripts, and configuration files that are applied to all domain-joined systems. Incorrect SYSVOL permissions can allow unauthorized users to modify Group Policy settings, deploy malicious scripts, or tamper with security configurations affecting the entire domain
Recommended
SYSVOL share: Authenticated Users Read only; write access limited to Domain Admins and SYSTEM
Current Value
Not configured / Non-compliant
Remediation
Audit NTFS permissions on the SYSVOL folder tree on each domain controller. The root SYSVOL folder should grant Authenticated Users Read and Execute. GPO subfolders should match the permissions defined on the corresponding GPC object in AD. Run dcdiag /test:sysvolcheck to identify permission issues. Reset permissions using icacls if necessary.
Compliance
NIST AC-3, NIST AC-6, NIST CM-5, MITRE T1484.001, MITRE T1222.001, ANSSI vuln_sysvol_permissions
ADSCRIPT-005 — LOLBins Usage in Scripts
High FAIL
Description
Living Off The Land Binaries (LOLBins) are legitimate Windows executables that can be abused for malicious purposes. Their presence in logon scripts may indicate an attacker has injected malicious commands that blend in with normal operations. Common LOLBins include certutil, bitsadmin, mshta, regsvr32, rundll32, and wscript used for downloading or executing payloads
Recommended
No LOLBins usage in logon scripts unless documented and operationally justified
Current Value
Not configured / Non-compliant
Remediation
Scan all scripts for references to known LOLBins including certutil, bitsadmin, mshta, regsvr32, rundll32, wscript, cscript, msiexec, installutil, regasm, regsvcs, msconfig, and control. Review each occurrence to determine if the usage is legitimate. Replace LOLBins with safer alternatives where possible. Document any operationally required LOLBins usage.
Compliance
NIST CM-6, NIST SI-3, NIST SI-7, MITRE T1059, MITRE T1218
ADSCRIPT-008 — External Resource References
High FAIL
Description
Logon scripts that reference external resources such as internet URLs, non-domain UNC paths, or cloud storage locations introduce supply chain risk. If the external resource is compromised, all systems executing the script will download and execute malicious content. External references also create data exfiltration opportunities
Recommended
No references to external URLs, internet resources, or non-domain UNC paths in logon scripts
Current Value
Not configured / Non-compliant
Remediation
Scan all scripts for HTTP/HTTPS URLs, FTP references, non-domain UNC paths, and cloud storage URLs (OneDrive, SharePoint Online, Azure Blob, AWS S3). Replace external references with locally hosted copies on internal file shares. If external resources are required, implement integrity verification (hash checks) before execution. Document all approved external resource dependencies.
Compliance
NIST SC-7, NIST SI-7, NIST CM-5, MITRE T1059, MITRE T1105
ADSCRIPT-010 — UNC Paths to Non-DC Locations
High FAIL
Description
Logon scripts that reference UNC paths pointing to non-domain-controller file shares create dependency on additional systems and expand the attack surface. If the referenced file server is compromised, an attacker can modify the shared resources to deliver malicious payloads through the trusted logon script mechanism. UNC paths can also be exploited for NTLM relay attacks
Recommended
All script UNC paths reference SYSVOL or NETLOGON on domain controllers; no references to non-DC file shares for script content
Current Value
Not configured / Non-compliant
Remediation
Scan all scripts for UNC paths (\\server\share patterns). Identify paths that do not point to the domain SYSVOL or NETLOGON shares. Migrate referenced resources to the NETLOGON share where appropriate. For legitimate file share references, ensure the target servers are Tier 0 or Tier 1 assets with appropriate hardening. Document all approved non-DC UNC path dependencies.
Compliance
NIST SC-7, NIST AC-3, NIST CM-5, MITRE T1187, MITRE T1557, MITRE T1059
ADSCRIPT-009 — Malformed Scripts
Medium FAIL
Description
Scripts with syntax errors, encoding issues, or corrupt content may fail silently during execution, resulting in incomplete security configuration or missing drive mappings. Malformed scripts can also indicate tampering where an attacker modified a script but introduced errors, or where encoding issues mask injected malicious content
Recommended
All scripts pass syntax validation with no encoding anomalies or structural errors
Current Value
Not configured / Non-compliant
Remediation
Validate script syntax using appropriate tools: PowerShell scripts with Test-ScriptFileInfo or PSScriptAnalyzer, batch files with manual review for unclosed blocks and invalid commands, VBScript with WSH syntax checking. Check file encoding for unexpected byte sequences or mixed encoding. Review scripts with unusual encoding (UTF-16 with BOM in batch files, null bytes) for potential injection.
Compliance
NIST CM-3, NIST SI-7, MITRE T1059
ADSCRIPT-011 — Script Content Analysis
Medium FAIL
Description
Comprehensive content analysis of all logon scripts can reveal suspicious patterns beyond specific checks such as obfuscated code, base64-encoded commands, PowerShell download cradles, encoded executables, and anti-analysis techniques. These patterns are strong indicators of malicious script injection or backdoors planted by attackers
Recommended
No obfuscated code, encoded payloads, download cradles, or anti-analysis techniques present in any logon scripts
Current Value
Not configured / Non-compliant
Remediation
Analyze all scripts for suspicious patterns including base64 decoding ([Convert]::FromBase64String, certutil -decode), download cradles (Invoke-WebRequest, Net.WebClient, BitsTransfer), obfuscation techniques (string concatenation, char codes, variable substitution to hide commands), and anti-analysis techniques (sleep timers, environment checks). Investigate and replace any scripts containing suspicious patterns.
Compliance
NIST SI-3, NIST SI-7, NIST CM-3, MITRE T1059, MITRE T1027, MITRE T1105
ADSCRIPT-003 — Logon Script Inventory
Info INFO
Description
An inventory of all logon scripts referenced by user accounts (scriptPath attribute), Group Policy logon/logoff scripts, and startup/shutdown scripts provides visibility into all code that executes automatically in the environment. Scripts that exist in NETLOGON but are not referenced may be orphaned or indicators of past compromise
Recommended
Complete inventory of all logon scripts with documented purpose, owner, and last modification date
Current Value
Not configured / Non-compliant
Remediation
Enumerate all user scriptPath attributes using Get-ADUser -Filter {scriptPath -like '*'} -Properties scriptPath. List all GPO-configured scripts from GPO reports. Inventory all files in the NETLOGON share. Cross-reference to identify orphaned scripts, unused scripts, and scripts referenced by user accounts but missing from NETLOGON. Document each script's purpose and owner.
Compliance
NIST CM-8, NIST CM-8(1), NIST CM-3, MITRE T1059

AD Password & Lockout Policies (22 checks, 21 failing)

ADPWD-010 — Users with Blank Passwords
Critical FAIL
Description
Accounts with the PASSWD_NOTREQD flag can have blank passwords, completely bypassing all password policies. This flag is sometimes set inadvertently during account creation scripts. Any account with a blank password can be accessed by anyone who knows the username
Recommended
No enabled accounts with blank passwords or PASSWD_NOTREQD flag
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {PasswordNotRequired -eq $true -and Enabled -eq $true}. Clear the PASSWD_NOTREQD flag and set a strong password on all identified accounts immediately. Review account creation scripts and processes to prevent this flag from being set in the future
Compliance
NIST IA-5(1), NIST IA-2, MITRE T1078.002, MITRE T1078, ANSSI R36, CIS AD 5.5.1
ADPWD-001 — Default Domain Password Policy
High FAIL
Description
The Default Domain Policy defines the baseline password and lockout settings for all domain users. This policy should enforce strong password requirements as it applies to every account not covered by a more specific fine-grained password policy
Recommended
Minimum length 14 characters, complexity enabled, maximum age 365 days, minimum age 1 day, history 24 passwords
Current Value
Not configured / Non-compliant
Remediation
Review the Default Domain Policy using Get-ADDefaultDomainPasswordPolicy. Configure via Group Policy Management: Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Set values per organizational security requirements
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS 1.1.1, CIS 1.1.2, CIS 1.1.3, CIS 1.1.4, CIS 1.1.5, ANSSI R34, CIS AD 5.1.1
ADPWD-004 — Minimum Password Length
High FAIL
Description
Passwords below 14 characters are vulnerable to offline brute-force cracking with modern GPU hardware. NIST SP 800-63B recommends supporting passwords up to 64 characters and setting a minimum that balances security with usability. For AD environments, 14 characters is the minimum recommended baseline
Recommended
Minimum 14 characters for standard users, 25 characters for privileged accounts
Current Value
Not configured / Non-compliant
Remediation
Configure minimum password length in the Default Domain Policy or appropriate FGPP: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length = 14. Create a stricter FGPP for privileged accounts requiring 25+ characters
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS 1.1.4, ANSSI R34, CIS AD 5.2.1
ADPWD-005 — Password Complexity Requirement
High FAIL
Description
Windows password complexity requires at least three of four character categories (uppercase, lowercase, digits, special characters) and that the password does not contain the user's account name. While NIST no longer mandates complexity, disabling it in AD without compensating controls (such as banned word lists) significantly weakens passwords
Recommended
Complexity enabled. Ideally supplemented with Azure AD Password Protection or custom banned word lists for defense against common patterns
Current Value
Not configured / Non-compliant
Remediation
Verify complexity is enabled in the Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > 'Password must meet complexity requirements' = Enabled. Consider deploying Azure AD Password Protection for additional banned password enforcement
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS 1.1.5, ANSSI R34, CIS AD 5.2.2
ADPWD-006 — Account Lockout Policy
High FAIL
Description
Account lockout policies protect against online brute-force and password spraying attacks by locking accounts after a threshold of failed attempts. Without lockout, attackers can attempt unlimited password guesses against any account. However, overly aggressive lockout creates denial-of-service risk
Recommended
Account lockout threshold: 5-10 attempts. Lockout duration: 15-30 minutes. Reset counter after: 15-30 minutes
Current Value
Not configured / Non-compliant
Remediation
Configure account lockout in Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. Set threshold to 5-10 attempts, duration to 15-30 minutes, and observation window to 15-30 minutes. Monitor for lockout events that may indicate attacks
Compliance
NIST AC-7, MITRE T1110.001, MITRE T1110.003, CIS 1.2.1, CIS 1.2.2, CIS 1.2.3, ANSSI R35, CIS AD 5.3.1
ADPWD-009 — Users with Password Never Expires
High FAIL
Description
Accounts with the 'Password Never Expires' flag bypass the maximum password age policy. While this may be acceptable for managed service accounts (gMSAs handle rotation automatically), user accounts with this flag retain compromised passwords indefinitely
Recommended
No user accounts with Password Never Expires. Only Group Managed Service Accounts may have automatic rotation exemptions
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} -Properties PasswordNeverExpires. Review each account for business justification. Clear the flag on user accounts and migrate service accounts to gMSA where possible. Document any approved exceptions with compensating controls
Compliance
NIST IA-5(1), MITRE T1078.002, CIS 1.1.4, ANSSI R36, CIS AD 5.4.1
ADPWD-011 — Duplicate Password Hashes
High FAIL
Description
Multiple accounts sharing the same password hash indicate password reuse, commonly used passwords, or accounts with default passwords. Password reuse amplifies the impact of any single credential compromise, allowing lateral movement across multiple accounts
Recommended
No clusters of accounts sharing identical password hashes. Each account should have a unique password
Current Value
Not configured / Non-compliant
Remediation
Extract and compare NT hashes using DCSync-capable tools (DSInternals) with appropriate authorization. Identify clusters of accounts sharing hashes. Force password changes on all accounts in duplicate clusters. Implement password filters to prevent common passwords and consider deploying Azure AD Password Protection
Compliance
NIST IA-5(1), MITRE T1110.002, MITRE T1078.002, CIS AD 5.5.2
ADPWD-012 — Passwords in HaveIBeenPwned Database
High FAIL
Description
Passwords that appear in known breach databases are actively used in credential stuffing attacks. Comparing AD password hashes against the HaveIBeenPwned database identifies accounts using compromised passwords that are likely to be targeted
Recommended
No active accounts using passwords found in the HaveIBeenPwned database
Current Value
Not configured / Non-compliant
Remediation
Compare NT hashes against the HaveIBeenPwned Passwords database (downloadable hash list) using tools like DSInternals Test-PasswordQuality. Force immediate password changes on all accounts with matching hashes. Deploy Azure AD Password Protection or custom password filters to block known breached passwords going forward
Compliance
NIST IA-5(1), MITRE T1110.002, MITRE T1078.002, CIS AD 5.5.3
ADPWD-014 — Default/Common Passwords
High FAIL
Description
Accounts using default, common, or trivially guessable passwords (such as Password1, Welcome1, or the account name) are the first targets in password spraying attacks. These passwords are included in every attacker wordlist and are often tested first
Recommended
No accounts using passwords from the top 1000 most common password lists or matching default password patterns
Current Value
Not configured / Non-compliant
Remediation
Test password hashes against common password lists (such as SecLists) using DSInternals Test-PasswordQuality. Force immediate password changes on all accounts with common passwords. Implement Azure AD Password Protection which includes a global banned password list updated by Microsoft
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, MITRE T1078.002, ANSSI R34, CIS AD 5.5.5
ADPWD-016 — LAPS Deployment Status
High FAIL
Description
Local Administrator Password Solution (LAPS) provides unique, randomly generated local administrator passwords for each computer, stored securely in AD. Without LAPS, local admin passwords are typically identical across all machines, enabling trivial lateral movement after capturing one hash
Recommended
LAPS deployed to 100% of domain-joined Windows computers. No computers with missing or expired LAPS passwords
Current Value
Not configured / Non-compliant
Remediation
Deploy the LAPS client (CSE) to all domain-joined computers via GPO, SCCM, or Intune. Configure LAPS GPO settings for password complexity, length (at least 20 characters), and age (30 days). Verify deployment by checking the ms-Mcs-AdmPwd or msLAPS-Password attribute on computer objects. Investigate any computers without LAPS passwords
Compliance
NIST IA-5(1), NIST AC-6, MITRE T1078.003, MITRE T1003, CIS 18.2.1, ANSSI R42, NSA LAPS-1, CIS AD 5.7.1
ADPWD-021 — Account Lockout Threshold
High FAIL
Description
The account lockout threshold defines the number of failed logon attempts before an account is locked. A threshold that is too high (or zero, meaning no lockout) allows extensive password spraying, while a threshold that is too low enables easy denial of service
Recommended
Lockout threshold between 5-10 failed attempts
Current Value
Not configured / Non-compliant
Remediation
Configure in Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > 'Account lockout threshold' = 5-10 attempts. A value of 0 disables lockout entirely and should be avoided. Balance between security and usability based on organizational needs
Compliance
NIST AC-7, MITRE T1110.001, MITRE T1110.003, CIS 1.2.1, ANSSI R35, CIS AD 5.3.2
ADPWD-002 — Fine-Grained Password Policy Enumeration
Medium FAIL
Description
Fine-grained password policies (FGPPs) allow different password requirements for different groups of users. All FGPPs should be documented to understand the complete password policy landscape and ensure no groups are covered by weaker-than-intended policies
Recommended
All FGPPs documented with their precedence, target groups, and policy settings. At minimum, a strict FGPP for privileged accounts and a standard FGPP for regular users
Current Value
Not configured / Non-compliant
Remediation
Enumerate all FGPPs using Get-ADFineGrainedPasswordPolicy -Filter *. Document each policy's precedence value, target groups, and settings. Verify that privileged accounts are covered by a stricter policy than standard users. Create FGPPs if only the Default Domain Policy exists
Compliance
NIST IA-5(1), NIST AC-2, MITRE T1110.001, ANSSI R34, CIS AD 5.1.2
ADPWD-003 — FGPP Application Analysis
Medium FAIL
Description
Fine-grained password policies must be applied to the correct groups to be effective. Misconfigured FGPP application can leave high-value accounts under weaker policies or create policy gaps where no FGPP applies and the Default Domain Policy is used instead
Recommended
All privileged accounts covered by a strict FGPP. No policy gaps where high-value accounts fall back to a weaker default policy
Current Value
Not configured / Non-compliant
Remediation
For each FGPP, review the msDS-PSOAppliesTo attribute to see target groups. Cross-reference with privileged group membership to verify coverage. Use Get-ADUserResultantPasswordPolicy for specific accounts to determine the effective policy. Fix any gaps in FGPP application
Compliance
NIST IA-5(1), NIST AC-2, MITRE T1110.001, MITRE T1078.002, CIS AD 5.1.3
ADPWD-007 — Password History Enforcement
Medium FAIL
Description
Password history prevents users from cycling through the same passwords. Without sufficient history depth, users can alternate between a small set of passwords, negating the security benefit of password rotation requirements
Recommended
Password history remembering at least 24 previous passwords
Current Value
Not configured / Non-compliant
Remediation
Configure in Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > 'Enforce password history' = 24 passwords remembered. Also ensure 'Minimum password age' is set to at least 1 day to prevent rapid cycling through the history
Compliance
NIST IA-5(1), MITRE T1110.001, CIS 1.1.1, ANSSI R34, CIS AD 5.2.3
ADPWD-008 — Maximum Password Age
Medium FAIL
Description
Maximum password age forces periodic password rotation. While NIST SP 800-63B recommends against mandatory periodic changes unless compromise is suspected, many compliance frameworks still require it. The policy should balance compliance requirements with usability, avoiding excessively short rotation periods that lead to weak passwords
Recommended
Maximum password age between 90-365 days depending on compliance requirements. For privileged accounts, 60 days maximum
Current Value
Not configured / Non-compliant
Remediation
Configure in Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > 'Maximum password age' = 365 days (or per compliance requirement). Implement a stricter FGPP for privileged accounts with 60-day maximum
Compliance
NIST IA-5(1), MITRE T1078.002, CIS 1.1.2, ANSSI R34, CIS AD 5.2.4
ADPWD-013 — Custom Dictionary Password Check
Medium FAIL
Description
Passwords based on organization-specific terms (company name, product names, seasons, location names) are commonly used and easily guessed by targeted attackers. Custom dictionary checks identify passwords that meet complexity requirements but are still predictable
Recommended
No accounts using passwords containing organization-specific terms, common patterns (Season+Year), or keyboard walks
Current Value
Not configured / Non-compliant
Remediation
Build a custom dictionary including company names, product names, location names, seasons, and common patterns. Test password hashes against this dictionary using DSInternals or similar tools. Force password changes on matching accounts. Deploy custom password filters or Azure AD Password Protection custom banned password list
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS AD 5.5.4
ADPWD-015 — Password Last Set Age Distribution
Medium FAIL
Description
Analyzing the distribution of password ages across all accounts reveals policy enforcement effectiveness and identifies accounts with extremely old passwords. Accounts with passwords unchanged for years may have been missed by policy changes or have Password Never Expires set
Recommended
No enabled user accounts with passwords older than the maximum password age policy. Distribution should show regular rotation patterns
Current Value
Not configured / Non-compliant
Remediation
Generate a password age distribution report using Get-ADUser -Filter {Enabled -eq $true} -Properties PasswordLastSet | Group-Object {(New-TimeSpan $_.PasswordLastSet (Get-Date)).Days -replace '\d$','0'}. Investigate accounts with passwords older than the policy allows. Force password changes where needed and review Password Never Expires flags
Compliance
NIST IA-5(1), MITRE T1078.002, CIS AD 5.6.1
ADPWD-017 — LAPS Password Expiration
Medium FAIL
Description
LAPS passwords should be rotated regularly to limit the window of exposure if a local admin password is compromised. Expired or stale LAPS passwords indicate that the LAPS client is not functioning correctly on those machines
Recommended
LAPS password expiration set to 30 days. No computers with expired LAPS passwords
Current Value
Not configured / Non-compliant
Remediation
Review LAPS password expiration dates on computer objects using Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwdExpirationTime. Identify computers with expired passwords and investigate the LAPS CSE functionality on those machines. Configure GPO to set password age to 30 days maximum
Compliance
NIST IA-5(1), MITRE T1078.003, ANSSI R42, CIS AD 5.7.2
ADPWD-019 — Azure AD Password Protection
Medium FAIL
Description
Azure AD Password Protection extends banned password enforcement to on-premises AD by deploying proxy and DC agent components. It blocks passwords matching a global Microsoft-curated banned list and an optional custom banned list, preventing users from choosing passwords known to be weak
Recommended
Azure AD Password Protection deployed in enforced mode with custom banned password list configured
Current Value
Not configured / Non-compliant
Remediation
Deploy the Azure AD Password Protection proxy service and DC agent on all domain controllers. Configure a custom banned password list in Azure AD including organization-specific terms. Set the mode to Enforced (not Audit). Monitor password change rejections through event logs and Azure AD reporting
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS AD 5.5.6
ADPWD-022 — Lockout Observation Window
Medium FAIL
Description
The lockout observation window defines the time period during which failed logon attempts are counted toward the lockout threshold. If the observation window is too short, attackers can spread password spray attempts over time to avoid triggering lockout
Recommended
Observation window of 15-30 minutes, matching or exceeding the lockout duration
Current Value
Not configured / Non-compliant
Remediation
Configure in Default Domain Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > 'Reset account lockout counter after' = 15-30 minutes. Ensure this value is equal to or greater than the lockout duration to prevent attackers from waiting out the counter between spray attempts
Compliance
NIST AC-7, MITRE T1110.001, MITRE T1110.003, CIS 1.2.3, ANSSI R35, CIS AD 5.3.3
ADPWD-018 — Windows LAPS vs Legacy LAPS
Low FAIL
Description
Windows LAPS (built into Windows Server 2019+ and Windows 10/11 with April 2023 update) provides improvements over legacy LAPS including password encryption, password history, and DSRM password management. Organizations should migrate from legacy LAPS to Windows LAPS for enhanced security features
Recommended
Windows LAPS deployed with password encryption enabled. Legacy LAPS migration completed
Current Value
Not configured / Non-compliant
Remediation
Verify which LAPS version is deployed by checking for the msLAPS-Password attribute (Windows LAPS) versus ms-Mcs-AdmPwd (Legacy LAPS). Plan migration to Windows LAPS. Update the AD schema for Windows LAPS attributes. Deploy Windows LAPS GPO settings with encryption enabled. Decommission legacy LAPS components after migration
Compliance
NIST IA-5(1), NIST SC-28, MITRE T1078.003, CIS AD 5.7.3
ADPWD-020 — BitLocker Recovery Keys in AD
Info INFO
Description
BitLocker recovery keys stored in Active Directory should be inventoried to ensure disk encryption is properly deployed and recovery keys are available. The presence of recovery keys also indicates which machines have BitLocker enabled, providing visibility into encryption coverage
Recommended
BitLocker recovery keys present in AD for all workstations and laptops. Recovery key access restricted to authorized administrators
Current Value
Not configured / Non-compliant
Remediation
Query AD for BitLocker recovery information objects using Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase 'DC=domain,DC=com'. Cross-reference with computer inventory to identify machines without BitLocker. Review ACLs on recovery key objects to ensure only authorized administrators can read them
Compliance
NIST SC-28, NIST SC-28(1), MITRE T1005, CIS AD 5.8.1

AD Privileged Account Security (30 checks, 30 failing)

ADPRIV-001 — Domain Admins Enumeration
Critical FAIL
Description
The Domain Admins group provides full administrative control over all domain-joined systems. Membership should be strictly limited and every member must have a documented business justification. Excessive membership dramatically increases the attack surface for credential theft and lateral movement
Recommended
Minimal membership (ideally 2-3 accounts maximum) with documented justification for each member. No day-to-day user accounts
Current Value
Not configured / Non-compliant
Remediation
Enumerate Domain Admins membership including nested groups using Get-ADGroupMember -Identity 'Domain Admins' -Recursive. Review each member for business need. Remove unnecessary members and migrate to delegated administration models. Ensure no regular user accounts are members
Compliance
NIST AC-6(1), NIST AC-6(5), NIST AC-2(7), MITRE T1078.002, MITRE T1069.002, CIS 9.2.1, ANSSI R2, CIS AD 4.1.1
ADPRIV-002 — Enterprise Admins Enumeration
Critical FAIL
Description
The Enterprise Admins group has forest-wide administrative privileges across all domains. This group should be empty during normal operations and only populated temporarily for forest-level changes. A compromised Enterprise Admin account leads to total forest compromise
Recommended
Empty during normal operations. Members added temporarily only for forest-level changes with documented approval
Current Value
Not configured / Non-compliant
Remediation
Enumerate Enterprise Admins membership using Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive. Remove all permanent members. Implement a just-in-time access process for forest-level operations that temporarily adds and removes members with full audit logging
Compliance
NIST AC-6(1), NIST AC-6(5), NIST AC-2(2), MITRE T1078.002, MITRE T1069.002, CIS 9.2.2, ANSSI R2, CIS AD 4.1.2
ADPRIV-010 — Privileged Users Password Never Expires
Critical FAIL
Description
Privileged accounts with the 'Password Never Expires' flag set are exempt from password rotation policies. If such an account is compromised, the attacker retains persistent access indefinitely as the password will never be forced to change
Recommended
No privileged accounts with Password Never Expires flag set. All privileged accounts subject to password rotation policy of 60 days or less
Current Value
Not configured / Non-compliant
Remediation
Identify privileged accounts with PasswordNeverExpires using Get-ADUser -Filter {PasswordNeverExpires -eq $true -and AdminCount -eq 1}. Clear the flag and ensure these accounts are covered by an appropriate password policy. Implement FGPP for privileged accounts with a 60-day maximum password age
Compliance
NIST IA-5(1), NIST AC-2, MITRE T1078.002, CIS 1.1.4, ANSSI R36, CIS AD 4.3.1
ADPRIV-011 — Privileged Users Password Not Required
Critical FAIL
Description
The PASSWD_NOTREQD flag allows an account to have a blank password, completely bypassing password policy. On privileged accounts, this is catastrophic as it allows unauthenticated access to highly privileged resources
Recommended
No privileged accounts with PASSWD_NOTREQD flag set
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {PasswordNotRequired -eq $true -and AdminCount -eq 1}. Clear the PASSWD_NOTREQD flag immediately and set a strong password on all identified accounts. Investigate how this flag was set as it may indicate compromise
Compliance
NIST IA-5(1), NIST AC-2, MITRE T1078.002, ANSSI R36, CIS AD 4.3.2
ADPRIV-012 — Privileged Users No Kerberos Pre-Auth
Critical FAIL
Description
Accounts with Kerberos pre-authentication disabled are vulnerable to AS-REP Roasting, where an attacker can request encrypted material offline without any authentication and crack it to recover the account password. On privileged accounts, this provides a direct path to domain compromise
Recommended
No privileged accounts with 'Do not require Kerberos preauthentication' flag set
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true -and AdminCount -eq 1}. Enable Kerberos pre-authentication immediately on all privileged accounts. Rotate passwords on affected accounts as they may have already been compromised via AS-REP Roasting
Compliance
NIST IA-5(2), NIST AC-2, MITRE T1558.004, ANSSI R36, CIS AD 4.3.3
ADPRIV-013 — Privileged Users Reversible Encryption
Critical FAIL
Description
Accounts with 'Store password using reversible encryption' enabled store passwords in a format that can be decrypted to plaintext. This is equivalent to storing passwords in cleartext and allows any attacker with access to the AD database to retrieve the actual password
Recommended
No accounts with reversible encryption enabled, especially not privileged accounts
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq $true -and AdminCount -eq 1}. Clear the flag and force an immediate password change on all affected accounts. Review password policies to ensure they do not require reversible encryption
Compliance
NIST IA-5(1), NIST SC-28, MITRE T1003.006, MITRE T1078.002, CIS 1.1.1, ANSSI R36, CIS AD 4.3.4
ADPRIV-016 — Privileged Accounts Weak Passwords
Critical FAIL
Description
Privileged accounts with weak or commonly used passwords are trivially compromised through password spraying, dictionary attacks, or credential stuffing. A weak password on a Domain Admin account can lead to complete domain compromise within minutes
Recommended
All privileged account passwords meet a minimum of 25 characters and are not found in common password dictionaries
Current Value
Not configured / Non-compliant
Remediation
Test privileged account password strength by comparing NT hashes against known weak password lists (using tools like DSInternals). Force immediate password changes on any accounts with weak passwords. Implement FGPP requiring 25+ character passwords for privileged accounts
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, MITRE T1078.002, ANSSI R37, CIS AD 4.5.1
ADPRIV-020 — AdminSDHolder Protected Object Audit
Critical FAIL
Description
AdminSDHolder is a security mechanism that overwrites ACLs on protected objects (privileged users and groups) every 60 minutes via SDProp. Modifications to the AdminSDHolder ACL propagate to all protected objects, making it a high-value target for persistence. Unauthorized ACEs on AdminSDHolder grant backdoor access to all privileged accounts
Recommended
AdminSDHolder ACL contains only default entries with no unauthorized or unexpected ACEs
Current Value
Not configured / Non-compliant
Remediation
Review the AdminSDHolder ACL at CN=AdminSDHolder,CN=System,DC=domain using Get-ACL or ADSIEdit. Compare against the documented baseline. Remove any non-default ACEs immediately. Monitor for modifications to AdminSDHolder as part of ongoing security monitoring
Compliance
NIST AC-6, NIST AC-3, NIST AU-6, MITRE T1222.001, MITRE T1078.002, ANSSI R6, CIS AD 4.7.1
ADPRIV-022 — krbtgt Password Age
Critical FAIL
Description
The krbtgt account password is used to encrypt and sign all Kerberos tickets in the domain. If compromised, an attacker can create Golden Tickets granting unrestricted access to any resource for any duration. The krbtgt password should be rotated at least every 180 days and immediately after any suspected compromise
Recommended
krbtgt password changed within the last 180 days. Rotated twice (to invalidate all existing tickets) after any suspected compromise
Current Value
Not configured / Non-compliant
Remediation
Check krbtgt password age using Get-ADUser krbtgt -Properties PasswordLastSet. Reset the password twice (with sufficient time between resets for replication to complete) to invalidate all existing tickets. Use the krbtgt reset script from Microsoft to safely perform the rotation. Schedule regular rotation every 180 days
Compliance
NIST IA-5(1), NIST SC-12, MITRE T1558.001, MITRE T1550.003, CIS 18.3.1, ANSSI R39, CIS AD 4.8.1
ADPRIV-023 — krbtgt Account Exposure Assessment
Critical FAIL
Description
The krbtgt account configuration should be assessed for exposure indicators including supported encryption types, delegation settings, and SPNs. Any misconfiguration increases the risk of Golden Ticket and other Kerberos-based attacks
Recommended
krbtgt account configured with AES256 encryption only, no delegation, and no additional SPNs beyond the default kadmin/changepw
Current Value
Not configured / Non-compliant
Remediation
Review the krbtgt account properties including msDS-SupportedEncryptionTypes, delegation settings, and SPNs. Ensure AES256 is the primary encryption type. Verify no delegation flags are set. Check for unexpected SPNs that could indicate compromise or misconfiguration
Compliance
NIST SC-12, NIST SC-13, MITRE T1558.001, MITRE T1550.003, ANSSI R39, CIS AD 4.8.2
ADPRIV-028 — Users with DCSync Rights
Critical FAIL
Description
DCSync allows replication of password data from Active Directory, including all user hashes. Accounts with 'Replicating Directory Changes All' and 'Replicating Directory Changes' rights can extract every password hash in the domain without touching a DC. Only domain controller computer accounts and the default admin account should have these rights
Recommended
Only domain controller computer accounts and default administrator account have replication rights. No additional users or groups granted DCSync permissions
Current Value
Not configured / Non-compliant
Remediation
Audit the domain root ACL for 'Replicating Directory Changes' and 'Replicating Directory Changes All' using (Get-ACL 'AD:\DC=domain,DC=com').Access | Where-Object {$_.ObjectType -match '1131f6a[a-d]'}. Remove any unauthorized entries immediately. Investigate whether unauthorized accounts have already performed DCSync
Compliance
NIST AC-6(1), NIST AC-3, MITRE T1003.006, CIS 18.3.1, ANSSI R41, CIS AD 4.11.1
ADPRIV-003 — Schema Admins Enumeration
High FAIL
Description
The Schema Admins group can modify the AD schema, which is irreversible and affects the entire forest. This group should be empty during normal operations as schema changes are rare and high-impact
Recommended
Empty during normal operations. Members added temporarily only for schema modifications with change management approval
Current Value
Not configured / Non-compliant
Remediation
Enumerate Schema Admins membership using Get-ADGroupMember -Identity 'Schema Admins'. Remove all permanent members. Add members only when schema changes are required through a formal change management process
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1078.002, MITRE T1069.002, CIS 9.2.3, ANSSI R2, CIS AD 4.1.3
ADPRIV-004 — Account Operators Enumeration
High FAIL
Description
Account Operators can create and modify most user and group accounts in the domain, including creating accounts in privileged OUs. This group is frequently overlooked but provides significant privilege escalation potential
Recommended
Empty. Use delegated OU-level permissions instead of Account Operators group membership
Current Value
Not configured / Non-compliant
Remediation
Enumerate Account Operators membership using Get-ADGroupMember -Identity 'Account Operators'. Remove all members and replace with OU-scoped delegation using Active Directory Delegation of Control wizard. Document all delegated permissions
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1078.002, MITRE T1098, CIS 9.2.4, ANSSI R3, CIS AD 4.1.4
ADPRIV-005 — Server Operators Enumeration
High FAIL
Description
Server Operators can log on to domain controllers, manage services, and modify shared resources. This group can be abused to escalate privileges on DCs by manipulating services to run arbitrary code as SYSTEM
Recommended
Empty. Use dedicated service management accounts with specific delegation instead
Current Value
Not configured / Non-compliant
Remediation
Enumerate Server Operators membership using Get-ADGroupMember -Identity 'Server Operators'. Remove all members and implement targeted delegation for any required server management tasks. Audit DC logon rights separately
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1078.002, MITRE T1543.003, ANSSI R3, CIS AD 4.1.5
ADPRIV-006 — Backup Operators Enumeration
High FAIL
Description
Backup Operators can back up and restore files on domain controllers, including the AD database (ntds.dit). This allows extraction of all password hashes in the domain, making Backup Operators membership equivalent to Domain Admin access for a skilled attacker
Recommended
Empty or restricted to dedicated backup service accounts only. No user accounts
Current Value
Not configured / Non-compliant
Remediation
Enumerate Backup Operators membership using Get-ADGroupMember -Identity 'Backup Operators'. Remove all user accounts. If backup service accounts require membership, ensure they are dedicated, have strong passwords, and are monitored. Consider agent-based backup solutions that do not require Backup Operators membership
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1003.003, MITRE T1078.002, ANSSI R3, CIS AD 4.1.6
ADPRIV-008 — DnsAdmins Group Membership
High FAIL
Description
Members of the DnsAdmins group can configure the DNS service on domain controllers to load an arbitrary DLL, which executes as SYSTEM. This well-known privilege escalation path can lead to full domain compromise from a seemingly low-privilege group membership
Recommended
Empty or restricted to dedicated DNS administration accounts only. Membership treated as Tier 0 privileged
Current Value
Not configured / Non-compliant
Remediation
Enumerate DnsAdmins membership using Get-ADGroupMember -Identity 'DnsAdmins'. Remove unnecessary members. Treat DnsAdmins as a Tier 0 privileged group in your tiering model. Monitor for changes to DNS server configuration and ServerLevelPluginDll registry value
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1543.003, MITRE T1078.002, ANSSI R3, CIS AD 4.1.8
ADPRIV-009 — Nested Group Membership Analysis
High FAIL
Description
Nested group memberships can obscure effective privileges by hiding privileged access behind chains of group nesting. Users may have Domain Admin equivalent access through deeply nested groups that are not visible through simple group enumeration
Recommended
All nested group paths to privileged groups documented. Maximum nesting depth of 2 levels. No circular nesting
Current Value
Not configured / Non-compliant
Remediation
Recursively enumerate all privileged group memberships using Get-ADGroupMember -Recursive. Map all nesting paths and identify users who gain privileges through indirect membership. Flatten unnecessary nesting and document all remaining nested paths with business justification
Compliance
NIST AC-6(1), NIST AC-2, MITRE T1069.002, MITRE T1078.002, ANSSI R4, CIS AD 4.2.1
ADPRIV-014 — Privileged Users DES-Only Kerberos
High FAIL
Description
Accounts configured to use DES-only Kerberos encryption are using a cryptographically broken algorithm. DES keys can be brute-forced rapidly, allowing attackers to forge or decrypt Kerberos tickets for the affected accounts
Recommended
No accounts with 'Use Kerberos DES encryption types for this account' flag set
Current Value
Not configured / Non-compliant
Remediation
Identify accounts using Get-ADUser -Filter {UseDESKeyOnly -eq $true -and AdminCount -eq 1}. Clear the DES-only flag and ensure accounts support AES256 encryption. Rotate passwords on affected accounts to generate new AES-based Kerberos keys
Compliance
NIST SC-12, NIST SC-13, MITRE T1558, MITRE T1078.002, ANSSI R36, CIS AD 4.3.5
ADPRIV-015 — Privileged Accounts No MFA Indicator
High FAIL
Description
Privileged accounts should be protected by multi-factor authentication for all interactive and remote logons. Without MFA, a stolen password alone is sufficient to gain full domain administrative access
Recommended
All privileged accounts required to use MFA via smart card, Windows Hello for Business, or FIDO2. 'Smart card is required for interactive logon' flag set where applicable
Current Value
Not configured / Non-compliant
Remediation
Review privileged accounts for smart card logon requirement using Get-ADUser -Filter {SmartcardLogonRequired -eq $false -and AdminCount -eq 1}. Deploy smart card or Windows Hello for Business authentication for all privileged accounts. Enable 'Smart card is required for interactive logon' flag on Tier 0 accounts
Compliance
NIST IA-2(1), NIST IA-2(2), MITRE T1078.002, CIS 1.1.6, ANSSI R5, CIS AD 4.4.1
ADPRIV-017 — Privileged Accounts Old Passwords
High FAIL
Description
Privileged accounts with passwords that have not been changed in over 90 days have an extended exposure window. If credentials were compromised, the attacker retains access for the entire period the password remains unchanged
Recommended
All privileged account passwords changed within the last 60 days
Current Value
Not configured / Non-compliant
Remediation
Identify privileged accounts with old passwords using Get-ADUser -Filter {AdminCount -eq 1} -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-90)}. Force password rotation on all identified accounts. Implement FGPP with 60-day maximum password age for privileged accounts
Compliance
NIST IA-5(1), MITRE T1078.002, ANSSI R37, CIS AD 4.5.2
ADPRIV-019 — Disabled Accounts in Privileged Groups
High FAIL
Description
Disabled accounts remaining in privileged groups create risk because re-enabling the account (intentionally or through compromise) immediately grants full privileged access. Disabled accounts should be removed from all privileged groups
Recommended
No disabled accounts in any privileged groups
Current Value
Not configured / Non-compliant
Remediation
Identify disabled accounts in privileged groups using Get-ADGroupMember 'Domain Admins' -Recursive | Get-ADUser | Where-Object {$_.Enabled -eq $false}. Repeat for all privileged groups. Remove disabled accounts from all privileged group memberships immediately
Compliance
NIST AC-2(3), NIST AC-2, MITRE T1078.002, MITRE T1098, ANSSI R38, CIS AD 4.6.2
ADPRIV-024 — Service Accounts in Privileged Groups
High FAIL
Description
Service accounts in privileged groups present elevated risk because they typically have passwords that do not expire, are shared among administrators, may be stored in scripts or configuration files, and run on multiple servers where credentials can be harvested
Recommended
No service accounts in privileged groups. Service accounts should use delegated permissions scoped to minimum required access
Current Value
Not configured / Non-compliant
Remediation
Identify service accounts in privileged groups by reviewing all members and checking for accounts used as service logon identities. Remove service accounts from privileged groups and grant only the specific permissions needed via delegation. Migrate to Group Managed Service Accounts (gMSA) where possible
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1078.002, MITRE T1078, ANSSI R40, CIS AD 4.9.1
ADPRIV-025 — Computer Accounts in Privileged Groups
High FAIL
Description
Computer accounts in privileged groups grant any process running as SYSTEM on those computers the privileges of the group. An attacker who compromises such a machine gains Domain Admin equivalent access, significantly expanding the lateral movement attack surface
Recommended
No computer accounts in any privileged groups
Current Value
Not configured / Non-compliant
Remediation
Enumerate privileged group members and identify any computer accounts using Get-ADGroupMember 'Domain Admins' | Where-Object {$_.objectClass -eq 'computer'}. Repeat for all privileged groups. Remove computer accounts immediately and investigate why they were added
Compliance
NIST AC-6(1), NIST AC-2, MITRE T1078.002, CIS AD 4.6.3
ADPRIV-026 — Privileged Users Local Logon on DCs
High FAIL
Description
Only designated Tier 0 administrative accounts should be permitted to log on locally to domain controllers. Allowing non-Tier 0 accounts to log on to DCs exposes privileged credentials to credential harvesting attacks on less-secured workstations
Recommended
Only Domain Admins and designated Tier 0 accounts allowed local logon on DCs. 'Allow log on locally' restricted via GPO on Domain Controllers OU
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy applied to Domain Controllers OU: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally' = Administrators, Domain Admins only. Remove all other entries and test thoroughly
Compliance
NIST AC-6(1), NIST AC-3, MITRE T1078.002, MITRE T1003, CIS 2.2.7, ANSSI R7, CIS AD 4.10.1
ADPRIV-027 — Privileged Users RDP on DCs
High FAIL
Description
Remote Desktop access to domain controllers should be strictly limited to designated Tier 0 administrators. RDP sessions cache credentials that can be harvested, and excessive RDP access increases the attack surface for credential theft and lateral movement to DCs
Recommended
Only designated Tier 0 administrative accounts allowed RDP access to DCs. 'Allow log on through Remote Desktop Services' restricted via GPO
Current Value
Not configured / Non-compliant
Remediation
Configure via Group Policy applied to Domain Controllers OU: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on through Remote Desktop Services' = Administrators only. Consider using Remote Credential Guard or Restricted Admin mode for RDP sessions
Compliance
NIST AC-6(1), NIST AC-3, NIST AC-17, MITRE T1078.002, MITRE T1021.001, CIS 2.2.26, ANSSI R7, CIS AD 4.10.2
ADPRIV-029 — Protected Users Group Audit
High FAIL
Description
The Protected Users security group provides hardened authentication protections including disabling NTLM authentication, enforcing AES Kerberos encryption, preventing credential caching, and setting short TGT lifetimes. All Tier 0 privileged accounts should be members
Recommended
All Tier 0 privileged user accounts are members of the Protected Users group
Current Value
Not configured / Non-compliant
Remediation
Add all Tier 0 accounts to the Protected Users group using Add-ADGroupMember -Identity 'Protected Users' -Members <account>. Test each account first, as Protected Users disables NTLM and credential delegation, which may break legacy applications. Note: service accounts and computer accounts should NOT be added
Compliance
NIST AC-6, NIST IA-5(2), MITRE T1003, MITRE T1550.003, MITRE T1078.002, CIS 18.3.1, ANSSI R5, CIS AD 4.12.1
ADPRIV-030 — Privileged Users Not in Protected Users
High FAIL
Description
Privileged accounts that are not members of the Protected Users group lack hardened authentication protections and remain vulnerable to credential theft techniques including NTLM relay, credential caching, and long-lived Kerberos tickets. Every eligible privileged account should be protected
Recommended
All eligible privileged user accounts enrolled in Protected Users group. Exceptions documented with compensating controls
Current Value
Not configured / Non-compliant
Remediation
Compare privileged group members against Protected Users membership. For each privileged account not in Protected Users, evaluate compatibility (NTLM dependencies, delegation requirements) and add to the group. Document any exceptions with specific technical reasons and compensating controls
Compliance
NIST AC-6, NIST IA-5(2), MITRE T1003, MITRE T1557, MITRE T1078.002, ANSSI R5, CIS AD 4.12.2
ADPRIV-007 — Print Operators Enumeration
Medium FAIL
Description
Print Operators can manage printers and load printer drivers on domain controllers. Malicious printer drivers can execute arbitrary code as SYSTEM on DCs, providing a path to full domain compromise
Recommended
Empty. Manage printers using dedicated print servers, not domain controllers
Current Value
Not configured / Non-compliant
Remediation
Enumerate Print Operators membership using Get-ADGroupMember -Identity 'Print Operators'. Remove all members. Deploy print services on dedicated member servers rather than domain controllers. Restrict printer driver installation through Group Policy
Compliance
NIST AC-6(1), NIST CM-7, MITRE T1547.012, MITRE T1078.002, ANSSI R3, CIS AD 4.1.7
ADPRIV-018 — Privileged Accounts Never Logged In
Medium FAIL
Description
Privileged accounts that have never logged in may be provisioned accounts that were never claimed, test accounts, or migration artifacts. These unmanaged accounts in privileged groups represent a significant risk as they may have default or weak passwords
Recommended
No privileged accounts with null LastLogonTimestamp. All privileged accounts actively used by their assigned owners
Current Value
Not configured / Non-compliant
Remediation
Identify privileged accounts that have never logged in using Get-ADUser -Filter {AdminCount -eq 1} -Properties LastLogonTimestamp | Where-Object {$_.LastLogonTimestamp -eq $null}. Investigate each account to determine if it is needed. Disable or remove unnecessary accounts from privileged groups
Compliance
NIST AC-2(3), NIST AC-2, MITRE T1078.002, CIS AD 4.6.1
ADPRIV-021 — AdminCount Orphans
Medium FAIL
Description
When objects are removed from protected groups, the AdminCount attribute remains set to 1 and inherited permissions remain blocked. These 'AdminCount orphans' have broken permission inheritance, which may prevent security policies from applying correctly and can mask privilege escalation
Recommended
No accounts with AdminCount=1 that are not members of any protected group
Current Value
Not configured / Non-compliant
Remediation
Identify orphaned accounts using Get-ADUser -Filter {AdminCount -eq 1} and cross-reference with current protected group membership. For orphans, clear the AdminCount attribute and re-enable inheritance on the object's ACL. Use PowerShell or ADSIEdit to fix inherited permissions
Compliance
NIST AC-6, NIST AC-3, MITRE T1078.002, CIS AD 4.7.2

AD Stale & Obsolete Objects (11 checks, 11 failing)

ADSTALE-005 — Obsolete OS Computers
High FAIL
Description
Domain-joined computers running obsolete operating systems (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008) that are no longer receiving any security updates represent high-risk assets. These systems contain known unpatched vulnerabilities that are actively exploited by attackers and cannot support modern security controls such as Credential Guard or LAPS
Recommended
No computers running Windows XP, Server 2003, Vista, or Server 2008 joined to the domain
Current Value
Not configured / Non-compliant
Remediation
Query computer accounts by operatingSystem attribute to identify obsolete OS versions. Verify that identified systems are still active using lastLogonTimestamp and ping tests. Create a migration plan to upgrade or replace obsolete systems. For systems that cannot be immediately upgraded, implement network isolation using VLANs and firewall rules. Disable computer accounts for confirmed decommissioned systems
Compliance
NIST SI-2, NIST CM-6, MITRE T1210, ANSSI R03, CIS AD 9.3.1
ADSTALE-006 — Unsupported OS Versions
High FAIL
Description
Domain-joined computers running operating systems that are past their end-of-support date (Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012/R2) no longer receive regular security patches. While Extended Security Updates may be available for some, these systems present elevated risk and should be identified, tracked, and prioritized for migration to supported platforms
Recommended
No computers running end-of-support operating systems unless covered by Extended Security Updates with a documented migration plan
Current Value
Not configured / Non-compliant
Remediation
Query computer accounts by operatingSystem attribute to identify end-of-support OS versions. Determine which systems are covered by Extended Security Updates (ESU). Create migration timelines for all unsupported systems. Implement compensating controls for systems that cannot be immediately upgraded: network segmentation, enhanced monitoring, restricted service access. Track progress against migration timelines
Compliance
NIST SI-2, MITRE T1210, ANSSI R03, CIS AD 9.3.2
ADSTALE-001 — Inactive User Accounts
Medium FAIL
Description
User accounts that have not been used for an extended period represent an unnecessary attack surface. Inactive accounts may still have valid credentials and group memberships, making them attractive targets for attackers who can compromise forgotten or shared credentials without triggering alerts tied to active users. Accounts inactive for more than 90 days should be reviewed and disabled
Recommended
No enabled user accounts inactive for more than 90 days; inactive accounts disabled or removed
Current Value
Not configured / Non-compliant
Remediation
Query user accounts where lastLogonTimestamp is older than 90 days and the account is enabled using Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly. Verify with account owners or managers before taking action. Disable inactive accounts first, then delete after a 30-day grace period if unclaimed. Remove disabled accounts from all security groups. Implement automated lifecycle management
Compliance
NIST AC-2(3), MITRE T1078.002, CIS AD 9.1.1
ADSTALE-002 — Inactive Computer Accounts
Medium FAIL
Description
Computer accounts that have not authenticated to the domain for an extended period indicate decommissioned, reimaged, or offline systems. These stale computer accounts retain their machine credentials and group memberships, and an attacker who recovers or resets the machine account password can authenticate as the computer, potentially accessing resources or performing Kerberos delegation attacks
Recommended
No enabled computer accounts inactive for more than 90 days; inactive accounts disabled or removed
Current Value
Not configured / Non-compliant
Remediation
Query computer accounts where lastLogonTimestamp is older than 90 days using Search-ADAccount -AccountInactive -TimeSpan 90 -ComputersOnly. Cross-reference with asset management systems to verify decommissioning status. Disable stale computer accounts and move to a Disabled Computers OU. Delete after a 60-day grace period if the system does not reconnect. Remove from security groups upon disabling
Compliance
NIST AC-2(3), MITRE T1078.002, CIS AD 9.1.2
ADSTALE-003 — Disabled Accounts with Group Memberships
Medium FAIL
Description
Disabled user and computer accounts that retain membership in security groups continue to appear in group-based access control evaluations and can create confusion in access reviews. While disabled accounts cannot authenticate, their group memberships may be restored if the account is re-enabled, and the retained memberships inflate group sizes and complicate least-privilege analysis
Recommended
All disabled accounts removed from all security groups except Domain Users
Current Value
Not configured / Non-compliant
Remediation
Identify disabled accounts with non-default group memberships using Get-ADUser -Filter {Enabled -eq $false} -Properties MemberOf. Remove all security group memberships (except the primary group) from disabled accounts. Implement an automated workflow that strips group memberships when accounts are disabled. Include group membership cleanup in the account deprovisioning process
Compliance
NIST AC-2(3), NIST AC-6, CIS AD 9.2.1
ADSTALE-004 — Expired Passwords Not Disabled
Medium FAIL
Description
Accounts with passwords that have exceeded the maximum password age but remain enabled may indicate accounts that are not being actively managed. These accounts could have been compromised with credentials obtained through historical breaches or credential dumps, and the long-unchanged passwords increase the window for offline brute-force attacks
Recommended
No accounts with passwords older than the maximum password age policy unless explicitly exempted as documented service accounts
Current Value
Not configured / Non-compliant
Remediation
Query accounts where PasswordLastSet is older than the maximum password age using Get-ADUser -Filter * -Properties PasswordLastSet,PasswordNeverExpires. Exclude accounts with PasswordNeverExpires that are documented service accounts. Force password reset at next logon for accounts with expired passwords. Disable accounts that are not claimed after notification. Review PasswordNeverExpires exemptions annually
Compliance
NIST IA-5(1), MITRE T1078.002, CIS AD 9.2.2
ADSTALE-007 — Orphaned Foreign Security Principals
Medium FAIL
Description
Foreign Security Principals (FSPs) are placeholder objects created in the ForeignSecurityPrincipals container when external domain users or groups are added to local domain groups via trusts. Orphaned FSPs reference SIDs from trusted domains that no longer exist or accounts that have been deleted, resulting in unresolvable SIDs in group memberships that clutter access control and complicate auditing
Recommended
No orphaned Foreign Security Principals with unresolvable SIDs in the domain
Current Value
Not configured / Non-compliant
Remediation
Enumerate all objects in CN=ForeignSecurityPrincipals and attempt to resolve each SID to a name using the corresponding trust. Identify FSPs where the SID cannot be resolved (trust removed or account deleted). Remove orphaned FSPs from any group memberships. Delete the orphaned FSP objects. Review remaining FSPs to verify the trust relationship and referenced accounts are still valid
Compliance
NIST AC-2, CIS AD 9.4.1
ADSTALE-008 — Orphaned SID History
Medium FAIL
Description
SID History is used during domain migrations to preserve access to resources in the source domain. After migration is complete, SID History entries should be removed as they can be abused for privilege escalation. Orphaned SID History entries referencing non-existent domains or deleted accounts provide no legitimate benefit and increase the risk of SID injection attacks across trust boundaries
Recommended
No SID History entries referencing non-existent domains. SID History cleaned after migration completion
Current Value
Not configured / Non-compliant
Remediation
Query all user and group accounts with SID History using Get-ADUser -Filter {SIDHistory -like '*'} -Properties SIDHistory. Cross-reference each SID History domain component against existing trusts to identify orphaned entries. Remove SID History entries for completed migrations using Set-ADUser <account> -Remove @{SIDHistory='<SID>'} (Remove-ADUser deletes the whole account and has no -Remove parameter) or Netdom trust /CleanupSIDHistory. Monitor for new SID History additions using Event ID 4765
Compliance
NIST AC-2, MITRE T1134.005, CIS AD 9.4.2
ADSTALE-011 — DNS Record Staleness
Medium FAIL
Description
Stale DNS records in Active Directory-integrated DNS zones point to IP addresses that are no longer assigned to the original hosts. Attackers can claim these abandoned IP addresses and intercept traffic intended for the original hosts, enabling man-in-the-middle attacks, credential harvesting, and service impersonation. DNS scavenging should be enabled to automatically clean up stale records
Recommended
DNS scavenging enabled with appropriate no-refresh and refresh intervals; no stale DNS records older than 30 days
Current Value
Not configured / Non-compliant
Remediation
Enable DNS scavenging in the DNS server properties and on each AD-integrated DNS zone. Configure the no-refresh interval to 7 days and the refresh interval to 7 days. Set the scavenging period on at least one DNS server. Manually review aged DNS records before the first scavenging run to identify critical static records that need to be excluded. Mark records that should not be scavenged as static
Compliance
NIST CM-2, CIS AD 9.5.3
ADSTALE-009 — Abandoned OUs
Low FAIL
Description
Empty or near-empty Organizational Units that no longer serve a purpose add complexity to the AD structure, complicate Group Policy analysis, and may have delegated permissions that are no longer monitored. Abandoned OUs from past organizational restructuring or decommissioned projects can confuse administrators and create potential targets for GPO linking attacks
Recommended
No empty OUs without a documented purpose; OU structure reflects current organizational requirements
Current Value
Not configured / Non-compliant
Remediation
Enumerate all OUs and count their child objects. Identify OUs with zero or very few objects. Review OU descriptions and any associated documentation to determine if the OU is planned for future use. Remove delegated permissions from abandoned OUs. Delete empty OUs that have no documented purpose after verifying they are not referenced by GPO links, scripts, or automation. Update OU structure documentation
Compliance
NIST CM-2, CIS AD 9.5.1
ADSTALE-010 — Printer Objects
Low FAIL
Description
Printer objects published in Active Directory expose printer share paths and server names that can be used for reconnaissance. The PrintNightmare vulnerability family (CVE-2021-34527 and related) demonstrated that printer-related objects and configurations can be exploited for remote code execution. Stale printer objects referencing decommissioned print servers provide misleading information and unnecessary attack surface
Recommended
Only active, managed printer objects published in AD; stale printer objects removed
Current Value
Not configured / Non-compliant
Remediation
Enumerate all printQueue objects in AD using Get-ADObject -Filter {objectClass -eq 'printQueue'}. Verify that each printer object references an active, accessible print server and printer. Remove printer objects for decommissioned printers or print servers. Review whether printer publishing in AD is required for the environment. Ensure print servers are patched against PrintNightmare vulnerabilities
Compliance
NIST CM-8, MITRE T1557, CIS AD 9.5.2

AD Trust Relationships (11 checks, 9 failing)

ADTRUST-004 — SID Filtering Status
Critical FAIL
Description
SID filtering removes SIDs from foreign domains in authentication tokens, preventing SID history injection attacks. Without SID filtering, an attacker who compromises a trusted domain can craft tickets containing privileged SIDs (such as Enterprise Admins) from your domain, achieving full compromise
Recommended
SID filtering (quarantine) enabled on all external and forest trusts
Current Value
Not configured / Non-compliant
Remediation
Verify SID filtering status using 'netdom trust /domain:trusted.domain /Quarantine'. Enable SID filtering with 'netdom trust /domain:trusted.domain /Quarantine:Yes'. Note: SID filtering is enabled by default on external trusts but must be verified on forest trusts where it may have been deliberately disabled
Compliance
NIST AC-4, NIST AC-6, MITRE T1134.005, CIS 18.3.1, ANSSI R32, CIS AD 3.2.1
ADTRUST-005 — SID History Abuse Detection
Critical FAIL
Description
SID history is intended for domain migrations but can be abused to inject privileged SIDs into user tokens across trust boundaries. Attackers who compromise a trusted domain can add Enterprise Admin or Domain Admin SIDs to the SID history of any account they control
Recommended
No accounts with SID history values referencing privileged groups. SID history cleaned up after all migrations complete
Current Value
Not configured / Non-compliant
Remediation
Search for accounts with SID history using Get-ADUser -Filter {SIDHistory -like '*'} -Properties SIDHistory. Identify any SID history entries that reference privileged groups (Domain Admins, Enterprise Admins, etc.). Clean up SID history after migration using Set-ADUser <account> -Remove @{SIDHistory='<SID>'} (Remove-ADUser deletes the whole account rather than clearing the attribute). Enable SID filtering on trusts
Compliance
NIST AC-6, NIST AC-6(1), MITRE T1134.005, ANSSI R32, CIS AD 3.2.2
ADTRUST-006 — Selective Authentication Status
High FAIL
Description
Selective authentication restricts which users from a trusted domain can authenticate to resources in your domain by requiring explicit permissions on each resource. Without it, all authenticated users from the trusted domain can access any resource they have permissions to, expanding the attack surface significantly
Recommended
Selective authentication enabled on all forest trusts. Allowed-to-Authenticate permissions granted only on required resources
Current Value
Not configured / Non-compliant
Remediation
Enable selective authentication on forest trusts via Active Directory Domains and Trusts > Properties of the trust > Authentication tab > Select 'Selective authentication'. Then grant 'Allowed to Authenticate' permission on specific computer objects that external users need to access
Compliance
NIST AC-3, NIST AC-4, NIST AC-6, MITRE T1482, MITRE T1078.002, ANSSI R33, CIS AD 3.2.3
ADTRUST-010 — Trust Key Age and Rotation
High FAIL
Description
Trust passwords (inter-realm keys) should be rotated regularly. Stale trust keys increase the window for credential-based attacks. By default, trust passwords rotate every 30 days, but this should be verified as failed rotations can go undetected
Recommended
Trust passwords rotated within the last 30 days. Automatic trust password rotation not disabled
Current Value
Not configured / Non-compliant
Remediation
Check the trust password last set date by examining the trustAuthOutgoing attribute or running 'netdom trust /domain:trusted.domain /verify'. If the trust password is stale, reset it using 'netdom trust /domain:trusted.domain /Reset'. Verify that no GPO or registry setting has disabled automatic trust password rotation
Compliance
NIST IA-5(1), NIST SC-12, MITRE T1482, MITRE T1550.003, CIS AD 3.2.4
ADTRUST-002 — Trust Direction Analysis
Medium FAIL
Description
Inbound trusts allow external domain users to authenticate into your domain. Each inbound or bidirectional trust should be reviewed to ensure that the trusted domain maintains adequate security controls. A compromised trusted domain can be used to attack your environment
Recommended
All trust directions justified and documented. Bidirectional trusts converted to one-way where possible to reduce attack surface
Current Value
Not configured / Non-compliant
Remediation
Review each trust direction using Get-ADTrust -Filter *. For bidirectional trusts, evaluate whether both directions are required. Convert to one-way trusts where the business need only requires one direction. Document the justification for all inbound trust paths
Compliance
NIST AC-20, NIST AC-4, MITRE T1482, MITRE T1078.002, CIS AD 3.1.2
ADTRUST-003 — Trust Transitivity Analysis
Medium FAIL
Description
Transitive trusts extend authentication paths beyond direct trust partners, potentially creating unintended access paths through chains of trusted domains. Each transitive trust should be evaluated for the extended attack surface it creates
Recommended
All transitive trusts documented with full transitivity path analysis. External trusts preferred over forest trusts when transitivity is not required
Current Value
Not configured / Non-compliant
Remediation
Map all transitive trust paths to identify indirect authentication routes. For forest trusts, understand that all child domains are transitively trusted. Consider using external (non-transitive) trusts when only specific domain access is needed
Compliance
NIST AC-20, NIST AC-4, MITRE T1482, MITRE T1078.002, CIS AD 3.1.3
ADTRUST-007 — Azure AD Hybrid Trust Security
Medium FAIL
Description
Hybrid identity configurations connecting on-premises AD with Azure AD create additional attack paths. Azure AD Connect, pass-through authentication agents, and federation services can be targeted to pivot between cloud and on-premises environments
Recommended
Azure AD Connect running latest version on a hardened, dedicated server. PHS preferred over PTA/federation. Seamless SSO disabled if not required. Cloud-only break-glass accounts configured
Current Value
Not configured / Non-compliant
Remediation
Review Azure AD Connect configuration and ensure it runs on a Tier 0 hardened server. Evaluate switching from federation or PTA to Password Hash Sync (PHS) for reduced attack surface. If using Seamless SSO, ensure the AZUREADSSOACC computer account password is rotated. Verify cloud-only emergency access accounts exist
Compliance
NIST IA-2, NIST AC-20, NIST SC-8, MITRE T1078.004, MITRE T1649, CIS AD 3.3.1
ADTRUST-008 — Foreign Domain Trust Enumeration
Medium FAIL
Description
Trusts with domains outside the organization extend the security boundary to entities with potentially different security standards. Foreign domain trusts should receive additional scrutiny as the trusting organization cannot control the security posture of the external domain
Recommended
All foreign domain trusts documented with external security assessment, contractual security requirements, and annual review
Current Value
Not configured / Non-compliant
Remediation
Identify trusts with domains outside the organization using Get-ADTrust -Filter *. For each external trust, verify that a security agreement is in place, SID filtering is enabled, selective authentication is configured, and the trust is reviewed annually
Compliance
NIST AC-20, NIST CA-3, NIST SA-9, MITRE T1482, MITRE T1078.002, CIS AD 3.1.4
ADTRUST-009 — Orphaned Trust Detection
Medium FAIL
Description
Orphaned trusts reference domains that no longer exist or are no longer reachable. These stale trust objects may retain credentials and create confusion during security audits. They should be removed to reduce unnecessary attack surface and maintain a clean trust topology
Recommended
No orphaned or unresolvable trust relationships present
Current Value
Not configured / Non-compliant
Remediation
Enumerate all trusts and attempt to validate each by resolving the trusted domain name and testing the trust with 'netdom trust /verify'. Remove orphaned trusts where the partner domain no longer exists or is unreachable using 'netdom trust /Remove' or Active Directory Domains and Trusts
Compliance
NIST CM-6, NIST AC-20, MITRE T1482, CIS AD 3.4.1
ADTRUST-001 — Trust Relationships Enumeration
Info INFO
Description
All trust relationships should be inventoried to establish a complete picture of the authentication boundary. Undocumented trusts expand the attack surface by allowing users from external domains to access resources
Recommended
All trust relationships documented with business justification, direction, type, and owner
Current Value
Not configured / Non-compliant
Remediation
Run Get-ADTrust -Filter * to enumerate all trusts. Document each trust with its direction, type (forest, external, shortcut, realm), transitivity, and business justification. Review and remove any trusts that no longer serve a business need
Compliance
NIST AC-20, NIST CA-3, MITRE T1482, CIS AD 3.1.1
ADTRUST-011 — Trust Hierarchy Visualization
Info INFO
Description
A complete trust topology map should be maintained showing all trust relationships, directions, types, and transitivity paths. This visualization is essential for understanding the full authentication boundary and identifying unexpected access paths
Recommended
Up-to-date trust topology diagram maintained and reviewed quarterly
Current Value
Not configured / Non-compliant
Remediation
Generate a trust topology map using automated tools or manually document all trust relationships including direction, type, transitivity, SID filtering status, and selective authentication status. Update the diagram whenever trusts are added, modified, or removed. Include the map in security documentation and review quarterly
Compliance
NIST AC-20, NIST PL-2, MITRE T1482, CIS AD 3.1.5

Entra ID / Azure / M365

Azure IAM & Resource Security (10 checks, 9 failing)

AZIAM-001 — Subscription-level role assignments audit
High FAIL
Description
Subscription-level role assignments grant broad permissions across all resources within a subscription. Overly permissive or stale assignments at this scope can allow lateral movement and unauthorized access to sensitive workloads. Regular audits ensure that only authorized personnel retain subscription-wide privileges.
Recommended
Minimize subscription-level role assignments; prefer resource group or resource-level scoping
Current Value
Not configured / Non-compliant
Remediation
Review all subscription-level role assignments in Azure IAM and remove any that are stale, unnecessary, or overly broad. Reassign permissions at the resource group or individual resource level where possible. Implement a recurring quarterly access review using Azure AD Access Reviews for subscription-scoped roles.
Compliance
NIST AC-2, NIST AC-6, CIS Azure 1.23
AZIAM-004 — Azure Key Vault access policy audit
High FAIL
Description
Azure Key Vault stores cryptographic keys, secrets, and certificates critical to application security and data protection. Overly permissive access policies can expose secrets to unauthorized users or service principals, leading to credential theft or data breaches. Both access policy and RBAC authorization models must be audited for least-privilege adherence.
Recommended
Use Azure RBAC for Key Vault access control; restrict Get/List/Set permissions to minimum required principals
Current Value
Not configured / Non-compliant
Remediation
Review all Key Vault access policies or RBAC assignments and remove any principals with unnecessary permissions such as Purge or full key management rights. Migrate from the legacy access policy model to Azure RBAC-based authorization for finer-grained control and auditability. Enable Key Vault logging to a Log Analytics workspace and set up alerts for suspicious access patterns.
Compliance
NIST AC-6, NIST SC-12, CIS Azure 8.5
AZIAM-005 — Storage account security settings
High FAIL
Description
Azure Storage accounts often contain sensitive business data, backups, and application state that must be protected at rest and in transit. Misconfigured settings such as allowing public blob access, disabling HTTPS enforcement, or using legacy TLS versions create significant data exposure risks. Storage account security settings must be hardened to prevent unauthorized access and data leakage.
Recommended
Enforce HTTPS-only transfer, disable public blob access, require TLS 1.2 minimum, enable infrastructure encryption
Current Value
Not configured / Non-compliant
Remediation
Set the minimum TLS version to 1.2, enable HTTPS-only transfer, and disable public blob access on all storage accounts. Enable infrastructure encryption for double encryption at rest and configure private endpoints to restrict network access. Review shared access signatures and access keys, rotate keys on a regular schedule, and prefer Azure AD authentication over key-based access.
Compliance
NIST SC-8, NIST SC-28, CIS Azure 3.1
AZIAM-006 — Network Security Group rules audit
High FAIL
Description
Network Security Groups control inbound and outbound traffic flow to Azure resources and are a primary network segmentation mechanism. Overly permissive NSG rules, such as allowing unrestricted inbound access from the internet on management ports, expose resources to brute-force attacks and exploitation. Regular audits of NSG rules are essential to maintain a secure network perimeter.
Recommended
Deny all inbound internet traffic by default; allow only required ports from specific source IP ranges
Current Value
Not configured / Non-compliant
Remediation
Review all NSG rules for overly permissive entries, particularly any rules allowing inbound traffic from 0.0.0.0/0 or Any on ports such as 22, 3389, 445, or 1433. Replace broad allow rules with specific source IP ranges or service tags and remove unused rules. Enable NSG flow logs and integrate with Azure Network Watcher for continuous monitoring of traffic patterns and anomaly detection.
Compliance
NIST SC-7, CIS Azure 6.1
AZIAM-002 — Users with Azure IAM roles directly on resources
Medium FAIL
Description
Direct role assignments to individual users on Azure resources bypass group-based access governance and make permission tracking difficult. This practice increases the risk of orphaned permissions when users change roles or leave the organization. Group-based assignments provide better auditability and lifecycle management.
Recommended
Assign roles to Azure AD groups rather than directly to individual users
Current Value
Not configured / Non-compliant
Remediation
Identify all direct user-to-resource role assignments using Azure Resource Graph or the IAM blade. Create appropriate Azure AD security groups for each access pattern and migrate individual assignments to group-based assignments. Remove the direct user assignments after confirming group membership grants equivalent access.
Compliance
NIST AC-6(1), CIS Azure 1.23
AZIAM-003 — Resource group permission analysis
Medium FAIL
Description
Resource groups serve as logical containers for Azure resources and their IAM assignments cascade to all contained resources. Misconfigured resource group permissions can inadvertently grant access to sensitive resources such as databases, key vaults, or virtual machines. Analyzing these permissions ensures consistent enforcement of least-privilege principles.
Recommended
Apply least-privilege role assignments at the resource group level with documented justification
Current Value
Not configured / Non-compliant
Remediation
Enumerate all role assignments at each resource group using Get-AzRoleAssignment and review for excessive permissions such as Owner or Contributor roles granted to broad groups. Downgrade overly permissive roles to more specific built-in roles like Reader or specific resource provider roles. Document the business justification for each resource group role assignment and schedule periodic reviews.
Compliance
NIST AC-6
AZIAM-007 — Azure Policy compliance status
Medium FAIL
Description
Azure Policy enforces organizational standards and assesses compliance at scale across Azure resources. Non-compliant resources indicate configuration drift from security baselines, potentially exposing the environment to risks that governance controls are designed to prevent. Monitoring policy compliance ensures that deployed resources consistently meet security and regulatory requirements.
Recommended
All assigned policies should report 95% or higher compliance; non-compliant resources should have documented exceptions
Current Value
Not configured / Non-compliant
Remediation
Review the Azure Policy compliance dashboard to identify non-compliant resources and prioritize remediation based on policy severity. Use remediation tasks to automatically fix non-compliant resources where supported by the policy effect (DeployIfNotExists, Modify). For resources that cannot be made compliant, create documented policy exemptions with expiration dates and business justification.
Compliance
NIST CM-6, CIS Azure 2.1
AZIAM-009 — Custom RBAC role definitions
Medium FAIL
Description
Custom Azure RBAC roles provide tailored permissions beyond what built-in roles offer, but they can inadvertently grant excessive or dangerous action combinations. Poorly scoped custom roles with wildcard permissions or overly broad assignable scopes create privilege escalation paths. Each custom role must be reviewed to ensure it follows least-privilege principles and does not combine sensitive operations.
Recommended
Minimize custom role definitions; avoid wildcard actions; restrict assignable scopes to specific management groups or subscriptions
Current Value
Not configured / Non-compliant
Remediation
List all custom RBAC role definitions and review their actions, notActions, dataActions, and assignable scopes for overly permissive configurations. Remove any wildcard permissions (*/*, Microsoft.*/*, etc.) and replace with specific action strings required for the role's function. Document the business justification for each custom role and evaluate whether a built-in role or combination of built-in roles could replace the custom definition.
Compliance
NIST AC-6, CIS Azure 1.23
AZIAM-010 — Resource locks configuration
Medium FAIL
Description
Azure resource locks prevent accidental deletion or modification of critical resources such as production databases, networking components, and key vaults. Without resource locks, users with sufficient permissions can inadvertently destroy infrastructure, causing service outages and potential data loss. Applying CanNotDelete or ReadOnly locks to critical resources provides an additional safety layer beyond RBAC.
Recommended
Apply CanNotDelete locks on all production resource groups and critical individual resources
Current Value
Not configured / Non-compliant
Remediation
Identify all production and business-critical resource groups and resources that should be protected from accidental deletion or modification. Apply CanNotDelete locks at the resource group level for production environments and ReadOnly locks for immutable infrastructure components. Document the lock strategy and ensure that operational procedures include lock removal steps when intentional changes are required, with appropriate change management approval.
Compliance
NIST CM-6
AZIAM-008 — Management group structure review
Info INFO
Description
Management groups provide a hierarchical structure for organizing subscriptions and applying governance controls at scale. A poorly designed or flat management group structure makes it difficult to enforce differentiated policies for production, development, and sandbox environments. Reviewing the hierarchy ensures that policy inheritance and role assignments align with organizational security requirements.
Recommended
Implement a management group hierarchy that separates production, development, and sandbox environments with appropriate policy assignments
Current Value
Not configured / Non-compliant
Remediation
Review the current management group hierarchy and ensure it reflects organizational boundaries such as business units, environments, and workload classifications. Apply restrictive policies at higher management group levels for broad enforcement and allow exceptions at lower levels only with documented justification. Ensure the root management group has minimal direct role assignments and that sensitive subscriptions are placed in appropriately governed management groups.
Compliance
NIST AC-2

Defender for Office 365 (3 checks, 3 failing)

M365DEF-001 — Preset security policy audit
High FAIL
Description
Preset security policies in Microsoft Defender for Office 365 provide Microsoft-recommended configurations for anti-spam, anti-phishing, anti-malware, Safe Attachments, and Safe Links as a unified policy bundle. Organizations that do not leverage preset policies or equivalent custom configurations may have inconsistent protection levels across different threat protection features. Verifying that the Standard or Strict preset policy is applied ensures a comprehensive and consistently maintained baseline.
Recommended
Standard Protection preset policy applied to all users at minimum; Strict Protection applied to priority accounts and executives
Current Value
Not configured / Non-compliant
Remediation
Enable the Standard Protection preset security policy and assign it to all users to establish a Microsoft-recommended security baseline for email threat protection. Apply the Strict Protection preset policy to priority accounts, executives, and high-value targets who are most likely to be targeted by sophisticated attacks. If custom policies are preferred over presets, verify that each custom policy meets or exceeds the settings defined in the Standard or Strict preset configuration.
Compliance
NIST SI-3, NIST SI-8, CIS M365 2.1.8
M365DEF-002 — Alert policy inventory
Medium FAIL
Description
Alert policies in Microsoft 365 Defender generate notifications when specific security events or suspicious activities are detected, enabling timely incident response. Without a comprehensive set of alert policies, critical security events such as mass file deletions, impossible travel, or malware campaigns may go unnoticed for extended periods. Reviewing the alert policy inventory ensures that all important threat categories have corresponding detection and notification mechanisms.
Recommended
All default alert policies enabled; custom alert policies for organization-specific threats; alert recipients configured for the security team
Current Value
Not configured / Non-compliant
Remediation
Review all default and custom alert policies in the Microsoft 365 Defender portal and ensure that default security alert policies have not been disabled or modified to reduce their effectiveness. Configure alert notification recipients to include the security operations team and verify that email notifications are being delivered and monitored. Create custom alert policies for organization-specific threat scenarios such as unusual mail flow patterns, bulk permission changes, or access from blocked geographies.
Compliance
NIST SI-4, NIST AU-5
M365DEF-003 — Threat intelligence configuration
Medium FAIL
Description
Threat intelligence capabilities in Microsoft Defender for Office 365 provide visibility into the threat landscape targeting your organization, including campaign views, threat analytics, and threat tracker insights. Without utilizing threat intelligence features, security teams lack the context needed to understand whether their organization is being targeted by specific threat actors or attack campaigns. Proper threat intelligence configuration enables proactive defense and informed security decision-making.
Recommended
Threat Explorer and real-time detections actively monitored; threat trackers configured for priority threats; automated investigation and response enabled
Current Value
Not configured / Non-compliant
Remediation
Ensure that security analysts have access to Threat Explorer or real-time detections views and are trained to use them for investigating email-based threats and campaigns. Configure threat trackers to monitor for specific threat categories relevant to your industry and organization profile. Enable automated investigation and response (AIR) capabilities to automatically investigate and remediate detected threats, reducing the time between detection and response for common threat patterns.
Compliance
NIST SI-5

Entra ID Application & Service Principal Security (19 checks, 16 failing)

EIDAPP-002 — App Registrations with High-Risk API Permissions
Critical FAIL
Description
Application registrations with high-risk API permissions such as Mail.ReadWrite, Files.ReadWrite.All, RoleManagement.ReadWrite.Directory, or Application.ReadWrite.All can be exploited to read sensitive data, modify directory objects, or escalate privileges tenant-wide. Attackers who compromise an application with these permissions gain broad access equivalent to or exceeding that of a Global Administrator. All high-risk permissions must be reviewed and justified with compensating controls.
Recommended
No application registrations with high-risk API permissions unless documented with business justification and compensating controls
Current Value
Not configured / Non-compliant
Remediation
Review all application registrations in Entra ID > Applications > App registrations and examine the API permissions tab for each. Identify applications with high-privilege permissions such as Directory.ReadWrite.All, Mail.ReadWrite, or RoleManagement.ReadWrite.Directory. Remove unnecessary permissions and replace broad scopes with the most restrictive permissions that still meet application requirements.
Compliance
NIST AC-6, NIST AC-6(1), MITRE T1098.002, CIS M365 5.3.1
EIDAPP-004 — First-Party Microsoft Service Principals with Added Credentials
Critical FAIL
Description
Attackers add credentials to Microsoft first-party service principals to establish persistent backdoor access that blends in with legitimate Microsoft services. Because first-party service principals are trusted by default and often hold extensive permissions, added credentials on these objects provide stealthy, high-privilege persistence that is rarely audited. Any credential additions to first-party Microsoft service principals should be treated as a critical indicator of compromise.
Recommended
No credentials (secrets or certificates) added to any first-party Microsoft service principals
Current Value
Not configured / Non-compliant
Remediation
Enumerate all service principals where the appOwnerOrganizationId matches the Microsoft tenant ID (f8cdef31-a31e-4b4a-93e4-5f571e91255a) and check for added key credentials or password credentials. Remove any credentials found on first-party Microsoft service principals immediately as these are almost certainly unauthorized. Investigate the audit logs to determine who added the credentials and when, treating this as a potential security incident.
Compliance
NIST IA-5, MITRE T1098.001
EIDAPP-005 — Service Principals with High Privileges and Added Credentials
Critical FAIL
Description
Service principals that combine high-privilege API permissions or directory role assignments with added client credentials represent the highest-risk application objects in the tenant. An attacker who obtains these credentials can authenticate non-interactively with elevated permissions, bypassing MFA and Conditional Access controls entirely. This combination of privilege and credential access is a primary persistence and lateral movement technique in cloud-based attacks.
Recommended
No service principals with both high-privilege permissions and added credentials unless documented with mandatory compensating controls
Current Value
Not configured / Non-compliant
Remediation
Cross-reference service principals that hold high-privilege API permissions or directory role assignments against those with added key or password credentials. For each match, validate the business necessity and either remove excessive permissions or migrate to managed identity authentication that eliminates the need for stored credentials. Implement certificate-based authentication with short-lived certificates where managed identities are not feasible.
Compliance
NIST AC-6, NIST IA-5, MITRE T1098.001
EIDAPP-014 — Application Impersonation Role Holders
Critical FAIL
Description
The ApplicationImpersonation role in Exchange Online grants the ability to impersonate any mailbox in the organization, allowing full read and write access to all email without the mailbox owner's knowledge. This role is frequently abused in business email compromise and data exfiltration attacks because a single compromised account with this role can access the entire organization's email. Assignments should be extremely limited, time-bound, and continuously monitored.
Recommended
No permanent ApplicationImpersonation role assignments. Any required assignments must be scoped to specific mailboxes and time-limited
Current Value
Not configured / Non-compliant
Remediation
Review Exchange Online role assignments to identify all principals holding the ApplicationImpersonation role using Get-ManagementRoleAssignment in Exchange Online PowerShell. Remove all unnecessary assignments immediately and replace broad impersonation grants with scoped assignments restricted to specific mailboxes where required. Implement monitoring alerts for any new ApplicationImpersonation role assignments and conduct monthly reviews of existing assignments.
Compliance
NIST AC-6(5), MITRE T1098.002
EIDAPP-003 — App Registrations with Added Credentials
High FAIL
Description
Application registrations with client secrets or certificates added represent potential persistence mechanisms for attackers. A compromised secret or certificate allows an attacker to authenticate as the application and exercise all of its granted permissions without user interaction. Credentials should be inventoried, rotated on schedule, and removed when no longer needed to limit the window of exposure.
Recommended
All application credentials inventoried with defined rotation schedules and no credentials older than 12 months
Current Value
Not configured / Non-compliant
Remediation
Review all application registrations and examine the Certificates & secrets blade for each. Document all active credentials including their expiration dates and creation timestamps. Remove expired or unused credentials immediately and establish a rotation policy requiring credentials to be renewed at least annually with automated alerts before expiration.
Compliance
NIST IA-5, MITRE T1098.001
EIDAPP-006 — Excessive Microsoft Graph Permissions
High FAIL
Description
Applications granted broad Microsoft Graph application permissions such as Directory.ReadWrite.All, Sites.ReadWrite.All, or Mail.ReadWrite gain tenant-wide access to data and configuration without user context. Excessive Graph permissions violate the principle of least privilege and provide attackers who compromise the application with sweeping access to mailboxes, files, directory objects, and tenant settings. Permissions should be scoped to the minimum required for application functionality.
Recommended
All Microsoft Graph permissions scoped to the minimum required with application permissions replaced by delegated permissions where possible
Current Value
Not configured / Non-compliant
Remediation
Review Microsoft Graph permissions for all application registrations and identify any using broad .All scopes or application-level permissions where delegated permissions would suffice. Replace broad permissions with granular alternatives such as Mail.Read instead of Mail.ReadWrite.All or User.Read.All instead of Directory.Read.All. Use the Microsoft Graph permissions reference to identify the least-privilege permission for each API call the application makes.
Compliance
NIST AC-6(1), MITRE T1098.002
EIDAPP-007 — App Registrations with Azure IAM Role Assignments
High FAIL
Description
Application registrations or their corresponding service principals with Azure resource-level IAM role assignments such as Contributor, Owner, or User Access Administrator can modify Azure infrastructure, deploy resources, or escalate privileges across subscriptions. These role assignments extend the application's blast radius beyond Entra ID into the Azure resource plane, enabling infrastructure compromise if application credentials are stolen.
Recommended
No application registrations with Azure IAM role assignments above Reader unless documented with business justification and least-privilege scope
Current Value
Not configured / Non-compliant
Remediation
Review Azure IAM role assignments at the management group, subscription, and resource group levels to identify any assigned to application service principals. Remove Owner and User Access Administrator assignments and replace broad Contributor roles with custom roles scoped to specific resource types and actions. Limit IAM assignments to the narrowest scope possible, preferring resource-group level over subscription-level assignments.
Compliance
NIST AC-6, CIS Azure 1.23
EIDAPP-011 — Consent Grants Analysis
High FAIL
Description
OAuth consent grants authorize applications to access organizational data on behalf of users (delegated) or as the application itself (application-level). Admin consent grants provide tenant-wide access for all users, while user consent grants are scoped to individual users. Malicious or excessive consent grants are a primary technique used in OAuth phishing attacks to gain persistent access to mailboxes, files, and directory data without requiring credentials.
Recommended
All admin consent grants reviewed and justified. No user consent grants for high-risk permissions. Regular consent grant reviews established
Current Value
Not configured / Non-compliant
Remediation
Enumerate all OAuth2 permission grants in the tenant using Microsoft Graph and categorize them as admin consent or user consent. Review admin consent grants for overly broad permissions and revoke any that are no longer justified. Investigate user consent grants for suspicious applications, particularly those requesting Mail.Read, Files.ReadWrite, or other sensitive scopes, and revoke unauthorized grants.
Compliance
NIST AC-6, MITRE T1098.003, CIS M365 5.3.1
EIDAPP-012 — User Consent Settings Policy
High FAIL
Description
The user consent settings policy controls whether users can grant applications access to organizational data without administrator approval. Permissive consent settings allow users to authorize applications independently, which attackers exploit through illicit consent grant phishing campaigns to gain persistent access. Restricting user consent to verified publishers or disabling it entirely forces all consent through an admin approval workflow.
Recommended
User consent disabled or restricted to apps from verified publishers with low-risk permissions only
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Enterprise applications > Consent and permissions > User consent settings. Set user consent to 'Do not allow user consent' or 'Allow user consent for apps from verified publishers, for selected permissions only' with only low-risk permissions selected. Enable the admin consent workflow to provide a structured process for users to request access to applications that require admin approval.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings
Compliance
NIST AC-6, CIS M365 5.3.1
EIDAPP-015 — OAuth2 Permission Grants Review
High FAIL
Description
OAuth2 permission grants define the specific permissions that applications have been authorized to exercise, either as delegated permissions acting on behalf of a user or as application permissions acting independently. Accumulated permission grants across many applications can create a complex web of access that is difficult to audit and may include overly broad or unnecessary authorizations. Regular review ensures grants remain aligned with current business requirements.
Recommended
All OAuth2 permission grants reviewed quarterly with stale or excessive grants revoked
Current Value
Not configured / Non-compliant
Remediation
Export all OAuth2 permission grants using Microsoft Graph and categorize them by permission type (delegated vs application), resource, and scope. Identify grants for applications that are no longer active or permissions that exceed what is required for current application functionality. Revoke unnecessary grants through the Entra admin center or Microsoft Graph API and establish a quarterly review cycle for all active grants.
Compliance
NIST AC-6, MITRE T1098.003
EIDAPP-019 — Dangling Reply URLs
High FAIL
Description
Reply URLs pointing to expired, unowned, or unclaimed domains enable token theft by allowing attackers to register the abandoned domain and intercept OAuth authorization codes and tokens redirected by Entra ID. This vulnerability, known as a subdomain takeover or dangling DNS attack, gives attackers the ability to obtain valid access tokens for the application's permissions without any credential compromise. All reply URLs must be validated to ensure they resolve to organization-controlled infrastructure.
Recommended
All reply URLs resolve to active, organization-owned domains with no dangling or expired domain references
Current Value
Not configured / Non-compliant
Remediation
Extract all reply URLs from application registrations and resolve each domain to verify ownership and active DNS registration. Identify any reply URLs pointing to domains that are expired, available for registration, or not controlled by the organization. Remove or update dangling reply URLs immediately and implement a periodic review process to detect new dangling references as domains expire or infrastructure changes occur.
Compliance
NIST CM-6, MITRE T1566.002
EIDAPP-008 — Credential Expiration Monitoring
Medium FAIL
Description
Application credentials (client secrets and certificates) that are approaching expiration or have already expired can cause service outages if not rotated in time, or create security risks if expiration policies are set too far in the future. Credentials with long validity periods extend the window during which a compromised credential can be exploited. Proactive monitoring and alerting on credential expiration ensures timely rotation and reduces security exposure.
Recommended
All application credentials have a maximum validity of 12 months with automated alerts at 30 and 60 days before expiration
Current Value
Not configured / Non-compliant
Remediation
Enumerate all application credentials and their expiration dates using the Microsoft Graph API. Identify credentials expiring within 30 days and those with validity periods exceeding 12 months. Establish an automated monitoring process that alerts application owners and security teams when credentials approach expiration, and enforce a maximum credential lifetime policy through governance procedures.
Compliance
NIST IA-5(1)
EIDAPP-009 — Stale Application Registrations
Medium FAIL
Description
Application registrations with no recent sign-in activity may be abandoned, orphaned, or no longer needed, yet they retain all granted permissions and credentials. Stale applications expand the attack surface because they are unlikely to be monitored or maintained by their original owners, making them attractive targets for attackers seeking to leverage forgotten credentials or permissions. Regular cleanup of unused applications reduces the tenant's overall risk exposure.
Recommended
No application registrations without sign-in activity in the last 90 days unless documented with a valid exception
Current Value
Not configured / Non-compliant
Remediation
Review application sign-in logs in Entra ID to identify applications with no authentication activity in the past 90 days. Contact the listed application owners to confirm whether the application is still required. Disable or delete stale application registrations after confirming they are no longer needed, and remove any associated credentials and permissions.
Compliance
NIST AC-2(3)
EIDAPP-010 — Multi-Tenant Application Analysis
Medium FAIL
Description
Multi-tenant application registrations are configured to accept sign-ins from any Entra ID tenant, allowing users from external organizations to authenticate. While necessary for SaaS and partner scenarios, multi-tenant configuration on internal applications creates an unnecessary risk by allowing external identities to obtain tokens. Each multi-tenant application should be validated to confirm the configuration is intentional and that appropriate authorization controls are in place.
Recommended
No multi-tenant application registrations unless required by business need with documented justification and appropriate authorization controls
Current Value
Not configured / Non-compliant
Remediation
Review all application registrations and identify those with signInAudience set to AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount. For each multi-tenant application, validate that multi-tenant access is required and document the business justification. Convert applications that do not require multi-tenant access to single-tenant configuration, and implement issuer (tenant ID) validation in the application's token handling to restrict which external tenants can access the multi-tenant applications that remain.
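The three application-registration reviews above (credential expiry and lifetime for EIDAPP-008, sign-in staleness for EIDAPP-009, and signInAudience for EIDAPP-010) all operate on the same Microsoft Graph application object, so the following added example (not PSGuerrilla's code) implements them together. It assumes the input has the shape returned by GET https://graph.microsoft.com/v1.0/applications and that the most recent sign-in per appId has already been extracted from the sign-in logs; the application names, appIds and timestamps are constructed for the example, and "now" is pinned to the report timestamp so the output is reproducible.

```python
"""Audit Entra ID application registrations from Microsoft Graph objects (added example)."""
from datetime import datetime, timedelta, timezone

# Report timestamp used as "now" so the sample is reproducible (value from the page header).
NOW = datetime(2026, 3, 24, 18, 18, 12, tzinfo=timezone.utc)

# signInAudience values that accept sign-ins from outside the home tenant.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def parse_graph_time(value):
    """Graph emits ISO-8601 UTC timestamps ending in 'Z'; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credentials(app, now=NOW, expiring_days=30, max_lifetime_days=365):
    """Classify every password and certificate credential on one application (EIDAPP-008).

    One finding per credential: expired / expiring within `expiring_days` / ok,
    plus whether its validity period exceeds the policy maximum.
    """
    findings = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in app.get(kind) or []:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            remaining = end - now
            if remaining <= timedelta(0):
                status = "expired"
            elif remaining <= timedelta(days=expiring_days):
                status = "expiring"
            else:
                status = "ok"
            findings.append({
                "app": app["displayName"],
                "kind": kind,
                "keyId": cred["keyId"],
                "status": status,
                "days_remaining": remaining.days,
                "lifetime_exceeds_policy": (end - start) > timedelta(days=max_lifetime_days),
            })
    return findings


def stale_apps(apps, last_sign_in, now=NOW, days=90):
    """Applications with no sign-in inside the window (EIDAPP-009).

    `last_sign_in` maps appId -> datetime of the most recent sign-in taken from the
    sign-in logs; an appId absent from the map has never been seen authenticating.
    """
    cutoff = now - timedelta(days=days)
    return [app["displayName"] for app in apps
            if last_sign_in.get(app["appId"]) is None or last_sign_in[app["appId"]] < cutoff]


def multi_tenant_apps(apps):
    """Registrations whose signInAudience admits external tenants (EIDAPP-010)."""
    return [app["displayName"] for app in apps
            if app.get("signInAudience") in MULTI_TENANT_AUDIENCES]


# Constructed sample objects in the shape of GET /v1.0/applications; IDs are placeholders.
SAMPLE_APPS = [
    {
        "displayName": "Payroll Connector",
        "appId": "11111111-1111-1111-1111-111111111111",
        "signInAudience": "AzureADMyOrg",
        "passwordCredentials": [
            {"keyId": "a1", "startDateTime": "2026-03-01T00:00:00Z", "endDateTime": "2026-04-10T00:00:00Z"},
        ],
        "keyCredentials": [],
    },
    {
        "displayName": "Legacy Reporting",
        "appId": "22222222-2222-2222-2222-222222222222",
        "signInAudience": "AzureADMultipleOrgs",
        "passwordCredentials": [
            {"keyId": "b1", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"},
        ],
        "keyCredentials": [
            {"keyId": "b2", "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"},
        ],
    },
]
# Constructed: most recent sign-in per appId, as derived from the sign-in logs.
SAMPLE_LAST_SIGN_IN = {"11111111-1111-1111-1111-111111111111": NOW - timedelta(days=3)}

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        for finding in audit_credentials(app):
            print(finding)
    print("stale:", stale_apps(SAMPLE_APPS, SAMPLE_LAST_SIGN_IN))
    print("multi-tenant:", multi_tenant_apps(SAMPLE_APPS))
```

With the sample data the Payroll Connector secret is flagged as expiring (16 days left), both Legacy Reporting credentials exceed the 12-month lifetime (one is already expired), Legacy Reporting is stale because it never appears in the sign-in map, and it is the only multi-tenant registration. Feeding real Graph pages into the same functions requires only a token with Application.Read.All and AuditLog.Read.All.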
Compliance
NIST AC-20, CIS M365 5.3.2
EIDAPP-013 — Admin Consent Workflow Configuration
Medium FAIL
Description
The admin consent workflow provides a structured process for users to request administrator approval before applications can access organizational data. Without an admin consent workflow, users whose consent is restricted have no formal mechanism to request application access, leading to shadow IT workarounds or helpdesk bottlenecks. A properly configured workflow ensures legitimate application requests are reviewed and approved by designated administrators.
Recommended
Admin consent workflow enabled with designated reviewers and defined SLA for review completion
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Enterprise applications > Consent and permissions > Admin consent settings. Enable the admin consent workflow and designate appropriate reviewers from your security or IT administration teams. Configure notification settings to alert reviewers of pending requests and establish a service level agreement for review turnaround to prevent workflow bottlenecks.
Compliance
NIST AC-6, CIS M365 5.3.1
EIDAPP-018 — Change Tracking on App Registrations and Service Principals
Medium FAIL
Description
Changes to application registrations and service principals such as new credential additions, permission modifications, or configuration changes should be tracked and reviewed. Attackers frequently modify existing applications to add backdoor credentials, escalate permissions, or change redirect URIs as part of persistence and privilege escalation techniques. Without change tracking, these modifications can go undetected indefinitely.
Recommended
All changes to application registrations and service principals logged, monitored, and reviewed with alerts for high-risk modifications
Current Value
Not configured / Non-compliant
Remediation
Configure audit log monitoring to capture all changes to application registrations and service principals including credential additions, permission changes, and configuration modifications. Create alert rules in Microsoft Sentinel or Azure Monitor for high-risk changes such as new credentials added to existing applications, application permission grant changes, and reply URL modifications. Establish a review process for all application changes with designated security reviewers.
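The alert rules described above can be prototyped before they are moved into Sentinel or Azure Monitor. The following added example (not PSGuerrilla's code) triages directory audit entries in the shape returned by GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits and raises an alert for the high-risk changes the check names: credential additions, application permission grants, consent, and redirect URI changes. The activity-name substrings are those Entra ID emits for these operations; the redirect URI property-name match is an assumption to verify against your own tenant's entries, and all sample entries, actors and URLs are constructed.

```python
"""Flag high-risk application and service-principal changes in Entra ID audit entries (added example)."""

# Case-insensitive substrings of activityDisplayName, mapped to the reason an alert fires.
# These match the activity names Entra ID writes for the operations EIDAPP-018 calls out;
# confirm them against your tenant's audit log before relying on them.
HIGH_RISK_ACTIVITIES = {
    "add service principal credentials": "new credential on service principal",
    "certificates and secrets management": "new credential on app registration",
    "add app role assignment to service principal": "application permission granted",
    "consent to application": "consent granted to application",
}

# Assumption: redirect/reply URL changes surface as a modifiedProperties entry whose
# displayName contains one of these substrings. Validate against real entries.
REDIRECT_PROPERTY_HINTS = ("replyurl", "redirecturi")


def actor_of(entry):
    """Return the UPN or application name recorded in initiatedBy."""
    who = entry.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def reasons_for(entry):
    """All reasons one directory audit entry is high-risk; empty list if it is not."""
    if entry.get("category") != "ApplicationManagement":
        return []
    reasons = []
    activity = (entry.get("activityDisplayName") or "").lower()
    for needle, reason in HIGH_RISK_ACTIVITIES.items():
        if needle in activity:
            reasons.append(reason)
    for target in entry.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            name = (prop.get("displayName") or "").lower()
            if any(hint in name for hint in REDIRECT_PROPERTY_HINTS):
                reasons.append(f"redirect URI changed: {prop.get('oldValue')} -> {prop.get('newValue')}")
    return reasons


def triage(entries):
    """Reduce a batch of directoryAudits objects to reviewer alerts with actor, target and reason."""
    alerts = []
    for entry in entries:
        reasons = reasons_for(entry)
        if not reasons:
            continue
        alerts.append({
            "time": entry.get("activityDateTime"),
            "actor": actor_of(entry),
            "activity": entry.get("activityDisplayName"),
            "targets": [t.get("displayName") for t in entry.get("targetResources") or []],
            "reasons": reasons,
        })
    return alerts


# Constructed sample entries (names, UPNs and URLs are placeholders).
SAMPLE_AUDIT = [
    {   # a credential added to an existing service principal by a user account
        "activityDateTime": "2026-03-24T02:14:09Z",
        "activityDisplayName": "Add service principal credentials",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}, "app": None},
        "targetResources": [{"displayName": "Legacy Reporting", "type": "ServicePrincipal",
                             "modifiedProperties": []}],
    },
    {   # a reply URL appended to an app registration
        "activityDateTime": "2026-03-24T02:15:30Z",
        "activityDisplayName": "Update application",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}, "app": None},
        "targetResources": [{"displayName": "Legacy Reporting", "type": "Application",
                             "modifiedProperties": [{"displayName": "ReplyUrls",
                                                     "oldValue": '["https://app.example.com/cb"]',
                                                     "newValue": '["https://app.example.com/cb","https://unreviewed.example.net/cb"]'}]}],
    },
    {   # a routine user change outside ApplicationManagement: ignored
        "activityDateTime": "2026-03-24T02:20:00Z",
        "activityDisplayName": "Update user",
        "category": "UserManagement", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}, "app": None},
        "targetResources": [{"displayName": "jdoe@example.com", "type": "User", "modifiedProperties": []}],
    },
    {   # an application permission granted by an automation identity rather than a person
        "activityDateTime": "2026-03-24T03:01:44Z",
        "activityDisplayName": "Add app role assignment to service principal",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"user": None, "app": {"displayName": "Automation Runbook"}},
        "targetResources": [{"displayName": "Microsoft Graph", "type": "ServicePrincipal",
                             "modifiedProperties": []}],
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT):
        print(alert)
```

Three of the four sample entries produce alerts; the user-management entry is filtered by category. The same rule table can be transcribed into a Sentinel analytics rule once the activity names have been confirmed from live log data.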
Compliance
NIST CM-3, NIST SI-4, MITRE T1098
EIDAPP-001 — Application Registration Inventory
Info INFO
Description
A complete inventory of all application registrations provides foundational visibility into the applications integrated with your Entra ID tenant. Without a comprehensive inventory, organizations cannot assess their application attack surface or identify unauthorized, abandoned, or shadow IT applications. This baseline enables all subsequent application security checks and should be maintained as a living document.
Recommended
All application registrations inventoried with documented owners, purpose, and business justification
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Applications > App registrations and export the full list of registered applications. Review each registration to confirm it has an assigned owner, a documented business purpose, and is still actively required. Remove or disable any registrations that are no longer needed or lack identifiable ownership.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
Compliance
NIST CM-8
EIDAPP-016 — Managed Identity Inventory and Permissions
Info INFO
Description
Managed identities provide Azure resources with automatically managed credentials for authenticating to services that support Entra ID authentication. While managed identities eliminate the need for stored credentials, they can still be over-permissioned or assigned to resources that no longer require them. A comprehensive inventory of managed identities and their permission assignments ensures least-privilege access and identifies orphaned identities associated with deleted resources.
Recommended
All managed identities inventoried with documented resource associations and least-privilege permission assignments
Current Value
Not configured / Non-compliant
Remediation
Enumerate all system-assigned and user-assigned managed identities across Azure subscriptions using Azure Resource Graph or the Azure portal. Review the role assignments and API permissions granted to each managed identity and verify they follow least-privilege principles. Remove role assignments from managed identities associated with deleted or decommissioned resources and document the purpose and permission requirements for each active managed identity.
Compliance
NIST CM-8, CIS Azure 8.5
EIDAPP-017 — Service Principal Sign-In Activity
Info INFO
Description
Monitoring service principal sign-in activity provides visibility into which applications are actively authenticating and from which IP addresses. Unusual sign-in patterns such as authentication from unexpected geographic locations, abnormal request volumes, or sign-ins from applications that should be dormant can indicate credential compromise or unauthorized use. This baseline activity data is essential for detecting anomalies and investigating incidents.
Recommended
Service principal sign-in logs reviewed regularly with baseline activity profiles established for critical applications
Current Value
Not configured / Non-compliant
Remediation
Review service principal sign-in logs in Entra ID > Monitoring > Sign-in logs > Service principal sign-ins. Establish baseline activity profiles for critical applications including normal authentication frequency, source IP ranges, and target resources. Configure alerts for anomalous service principal sign-in patterns such as authentication from new IP addresses, unusual time-of-day activity, or sign-ins from applications that have been dormant.
Compliance
NIST AU-6

Entra ID Authentication Methods & MFA (17 checks, 14 failing)

EIDAUTH-002 — MFA Registration Status for All Users
Critical FAIL
Description
All users should be registered for multi-factor authentication to prevent account compromise through stolen or guessed credentials. Accounts without MFA registration are the primary target for credential-based attacks including password spraying and phishing. Unregistered users represent critical gaps in your identity security posture.
Recommended
100% of active users registered for MFA
Current Value
Not configured / Non-compliant
Remediation
Review MFA registration status via Entra ID > Protection > Authentication methods > User registration details. Enforce MFA registration through Conditional Access policies requiring MFA for all users. Set a registration deadline and communicate requirements to unregistered users.
Compliance
NIST IA-2(1), NIST IA-2(2), MITRE T1078, MITRE T1110, CIS M365 5.2.2.1
EIDAUTH-005 — Users with No MFA Methods Registered
Critical FAIL
Description
Users without any registered MFA methods cannot satisfy MFA challenges and represent critical security gaps. These accounts are fully exposed to credential-based attacks including password spraying, phishing, and brute-force attacks. Immediate remediation is required to ensure all active accounts have at least one MFA method enrolled.
Recommended
Zero active users without at least one MFA method registered
Current Value
Not configured / Non-compliant
Remediation
Query user registration details via Entra ID > Protection > Authentication methods > User registration details to identify users with no methods. Enforce MFA registration through a Conditional Access policy targeting unregistered users. Use Temporary Access Pass to assist users who need to bootstrap their MFA registration.
Compliance
NIST IA-2(1), NIST IA-2(2), MITRE T1078, MITRE T1110, CIS M365 5.2.2.1
EIDAUTH-007 — FIDO2 Key ROCA Vulnerability Check
Critical FAIL
Description
The ROCA (Return of Coppersmith's Attack) vulnerability (CVE-2017-15361) affects RSA key generation in Infineon TPM firmware used in certain FIDO2 security keys, allowing private key recovery from public keys. Affected keys produce weak RSA key pairs that can be factored, completely undermining the security of the authentication credential. Keys with vulnerable firmware must be identified and replaced immediately.
Recommended
No FIDO2 keys with ROCA-vulnerable Infineon TPM firmware in use
Current Value
Not configured / Non-compliant
Remediation
Identify FIDO2 keys using Infineon TPMs by checking their AAGUID values against known vulnerable models. Test registered keys using ROCA detection tools to confirm vulnerability status. Replace all affected keys with models running patched firmware, or with alternative hardware, and revoke the old key registrations in Entra ID.
Compliance
NIST IA-2(6), NIST RA-5, MITRE T1556
EIDAUTH-004 — Users with Only SMS/Voice MFA Methods
High FAIL
Description
Users relying solely on SMS or voice-based MFA are vulnerable to SIM swap attacks, where attackers social-engineer mobile carriers to transfer a victim's phone number, and SS7 signaling protocol attacks that intercept SMS messages in transit. These methods provide significantly weaker protection than app-based or hardware token authentication. Organizations should identify and migrate these users to phishing-resistant methods.
Recommended
No users relying exclusively on SMS or voice as their only MFA method
Current Value
Not configured / Non-compliant
Remediation
Identify users with only SMS/voice MFA via Entra ID > Protection > Authentication methods > User registration details. Create a migration plan to move these users to Microsoft Authenticator or FIDO2 security keys. Consider disabling SMS/voice as allowed methods in the authentication methods policy after migration is complete.
Compliance
NIST IA-2(1), MITRE T1111, MITRE T1078, CIS M365 5.2.2.4
EIDAUTH-011 — Self-Service Password Reset (SSPR) Configuration
High FAIL
Description
SSPR allows users to reset their own passwords without helpdesk intervention, but must be properly configured to prevent account takeover. Misconfigured SSPR with weak verification methods or insufficient required methods enables attackers to reset passwords using compromised personal information. SSPR should require multiple strong verification methods and be enabled for all users.
Recommended
SSPR enabled for all users with a minimum of two authentication methods required for reset
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Protection > Password reset > Properties and enable SSPR for all users. Set the number of methods required to reset to 2. Under Authentication methods, ensure only strong methods such as mobile app notification, mobile app code, and email are allowed while disabling security questions.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/Properties
Compliance
NIST IA-5(1), CIS M365 5.2.4
EIDAUTH-013 — Password Protection (Banned Passwords) Configuration
High FAIL
Description
Entra ID Password Protection prevents users from choosing commonly compromised passwords by checking against a global banned password list maintained by Microsoft. Without password protection enabled, users can select passwords that appear in known breach databases, making accounts vulnerable to password spraying and dictionary attacks. The feature should be enabled in enforced mode for both cloud and on-premises environments.
Recommended
Password protection enabled in Enforced mode with the global banned password list active
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Protection > Authentication methods > Password protection. Set the mode to Enforced and ensure the global banned password list is enabled. If using hybrid identity with on-premises Active Directory, deploy the Entra ID Password Protection proxy and DC agents to extend protection to on-premises password changes.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/PasswordProtection
Compliance
NIST IA-5(1), MITRE T1110.001, MITRE T1110.003, CIS M365 5.2.5
EIDAUTH-015 — Legacy Authentication Protocol Usage
High FAIL
Description
Legacy authentication protocols including POP3, IMAP4, SMTP AUTH, and Exchange ActiveSync Basic do not support modern authentication or MFA, allowing attackers to bypass MFA entirely using stolen credentials. These protocols transmit credentials in ways that are susceptible to interception and are the primary vector for password spray attacks against Microsoft 365 tenants. All legacy authentication should be blocked via Conditional Access policies.
Recommended
All legacy authentication protocols blocked via Conditional Access with no active usage detected in sign-in logs
Current Value
Not configured / Non-compliant
Remediation
Review legacy authentication usage in Entra ID > Monitoring > Sign-in logs > Filter by client app (legacy protocols). Create a Conditional Access policy to block legacy authentication for all users and all cloud apps. Monitor for blocked sign-in attempts and work with affected users to migrate to modern authentication clients.
Compliance
NIST IA-2, NIST AC-17(2), MITRE T1078, MITRE T1110.001, CIS M365 5.2.2.3
EIDAUTH-016 — ROPC (Resource Owner Password Credentials) Flow Enabled
High FAIL
Description
The Resource Owner Password Credentials (ROPC) authentication flow sends username and password directly to the token endpoint, completely bypassing multi-factor authentication and Conditional Access policies. Applications using ROPC grant type expose credentials in a way that cannot be protected by modern security controls and represent a significant security gap. ROPC should be disabled for all applications unless there is an absolute technical requirement with compensating controls.
Recommended
ROPC flow disabled for all application registrations, no applications using password grant type
Current Value
Not configured / Non-compliant
Remediation
Review application registrations in Entra ID > Applications > App registrations for any apps configured to allow public client flows. Disable the 'Allow public client flows' setting for applications that do not require ROPC. Migrate applications using ROPC to supported interactive flows such as authorization code with PKCE or device code flow.
Compliance
NIST IA-2, NIST IA-5, MITRE T1078
EIDAUTH-008 — Passwordless Authentication Readiness
Medium FAIL
Description
Passwordless authentication eliminates passwords as an attack vector, removing the risk of credential theft, phishing, and password spraying. Organizations should assess their readiness to deploy passwordless methods such as FIDO2, Windows Hello for Business, and Microsoft Authenticator phone sign-in. This check evaluates current method adoption and identifies gaps preventing passwordless deployment.
Recommended
Organization has a passwordless deployment plan with at least 50% of users capable of passwordless sign-in
Current Value
Not configured / Non-compliant
Remediation
Review authentication method registrations to determine how many users have passwordless-capable methods enrolled. Enable FIDO2 and Microsoft Authenticator passwordless sign-in in the authentication methods policy. Create a phased rollout plan starting with privileged users and IT staff before expanding to the broader organization.
Compliance
NIST IA-2(6)
EIDAUTH-009 — Windows Hello for Business Configuration
Medium FAIL
Description
Windows Hello for Business provides phishing-resistant, hardware-backed authentication using biometrics or PIN tied to the device TPM. Misconfigured WHfB deployments may fall back to weaker convenience PIN without proper TPM attestation, reducing security guarantees. The configuration should enforce TPM-backed keys and appropriate biometric policies.
Recommended
Windows Hello for Business enabled with TPM requirement enforced and multi-factor unlock configured for sensitive roles
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Protection > Authentication methods > Windows Hello for Business. Enable the method and configure key restrictions to require TPM-backed keys. Deploy WHfB configuration profiles via Intune to enforce TPM attestation and PIN complexity requirements across managed devices.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
Compliance
NIST IA-2(6), CIS M365 5.2.3
EIDAUTH-010 — Temporary Access Pass (TAP) Policy Audit
Medium FAIL
Description
Temporary Access Pass allows time-limited passcodes for onboarding users to passwordless credentials, but can serve as a backdoor if not properly restricted. TAPs that are configured with long lifetimes or reusable settings can be exploited by attackers who compromise the issuance process. The TAP policy should enforce short lifetimes, single-use restrictions, and limit issuance to authorized administrators.
Recommended
TAP enabled with maximum lifetime of 1 hour, single-use only, restricted to authorized onboarding administrators
Current Value
Not configured / Non-compliant
Remediation
Review the TAP policy in Entra ID > Protection > Authentication methods > Temporary Access Pass. Set the minimum and maximum lifetime to the shortest practical duration and enable one-time use. Restrict TAP issuance permissions to a limited set of administrators through role-based access controls.
Compliance
NIST IA-5(1), MITRE T1078
EIDAUTH-012 — SSPR Methods and Requirements
Medium FAIL
Description
The specific methods allowed for SSPR and the number required directly impact the security of the password reset process. Allowing weak methods such as security questions or requiring only a single method creates opportunities for attackers to reset passwords through social engineering or OSINT. Organizations should require at least two strong methods for all password resets.
Recommended
Two or more strong authentication methods required for password reset, security questions disabled
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Protection > Password reset > Authentication methods. Set the number of methods required to 2 and remove security questions from the allowed methods list. Prioritize mobile app notification and mobile app code as the primary SSPR methods to ensure strong verification.
Compliance
NIST IA-5(1), CIS M365 5.2.4
EIDAUTH-014 — Custom Banned Password List Status
Medium FAIL
Description
In addition to the global banned password list, organizations should maintain a custom banned password list containing company-specific terms, product names, locations, and other easily guessable variations. Without a custom list, users may choose passwords based on organizational context that attackers can easily guess through targeted attacks. The custom list supports up to 1000 entries and should be regularly updated.
Recommended
Custom banned password list enabled with organization-specific terms including company name, products, locations, and common variations
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Protection > Authentication methods > Password protection. Enable the custom banned password list and add entries for your organization name, product names, office locations, and commonly used internal terms. Review and update the list quarterly to include new terms and patterns identified in password audits.
Compliance
NIST IA-5(1), CIS M365 5.2.5
EIDAUTH-017 — Per-User MFA vs Conditional Access MFA Conflict Detection
Medium FAIL
Description
Legacy per-user MFA settings (enabled/enforced at the individual user level) can conflict with Conditional Access-based MFA policies, creating unpredictable authentication behavior. When both are active, users may experience duplicate MFA prompts, authentication failures, or inconsistent policy enforcement depending on which mechanism evaluates first. Organizations should migrate entirely to Conditional Access-based MFA and disable per-user MFA settings to ensure consistent policy application.
Recommended
Per-user MFA disabled for all users with MFA enforced exclusively through Conditional Access policies
Current Value
Not configured / Non-compliant
Remediation
Check per-user MFA status via Entra ID > Users > Per-user MFA and identify users with per-user MFA enabled or enforced. Create equivalent Conditional Access policies that enforce MFA for all users before disabling per-user MFA. Disable per-user MFA by setting each user's status to Disabled after confirming Conditional Access MFA coverage is complete.
Compliance
NIST IA-2(1), CIS M365 5.2.2.1
EIDAUTH-001 — Authentication Methods Policy Audit
Info INFO
Description
The authentication methods policy defines which methods are available to users for sign-in and MFA. A misconfigured policy may allow weak or deprecated methods, increasing the attack surface. This check audits the current policy state against security baselines from Maester and ScubaGear frameworks.
Recommended
Authentication methods policy reviewed and aligned with organizational security baseline
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Protection > Authentication methods > Policies. Review each enabled method and disable any that are not required by your organization. Ensure phishing-resistant methods such as FIDO2 and Microsoft Authenticator are prioritized over SMS and voice.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
Compliance
NIST IA-2, CIS M365 5.2.1
EIDAUTH-003 — MFA Method Distribution Analysis
Info INFO
Description
Understanding the distribution of MFA methods across users helps assess the overall strength of authentication controls. Organizations should track adoption of phishing-resistant methods like FIDO2 and Authenticator push versus weaker methods like SMS. This visibility enables targeted campaigns to migrate users to stronger methods.
Recommended
Majority of users registered with phishing-resistant MFA methods (FIDO2, Microsoft Authenticator, Windows Hello)
Current Value
Not configured / Non-compliant
Remediation
Review method distribution via Entra ID > Protection > Authentication methods > User registration details. Identify users relying solely on weaker methods and create migration plans. Use authentication method activity reports to track adoption progress.
Compliance
NIST IA-2(1)
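The registration-details reviews in this category (unregistered users for EIDAUTH-002, users with no methods for EIDAUTH-005, SMS/voice-only users for EIDAUTH-004, passwordless readiness for EIDAUTH-008 and method distribution for EIDAUTH-003) all read the same report, so one added example (not PSGuerrilla's code) covers them. It assumes input objects in the shape returned by GET https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails; the user principal names and their registered methods are constructed. Note the deliberate difference between "not MFA registered" (isMfaRegistered false, which includes users who only hold SSPR-only methods such as email or security questions) and "no methods at all" (methodsRegistered empty), which is why the report lists EIDAUTH-002 and EIDAUTH-005 separately.

```python
"""Summarise MFA registration posture from userRegistrationDetails objects (added example)."""
from collections import Counter

# methodsRegistered values that can only deliver a code by SMS or voice call.
PHONE_ONLY_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}
# Methods the report's EIDAUTH-003 recommendation treats as phishing-resistant.
STRONG_METHODS = {"fido2SecurityKey", "windowsHelloForBusiness", "microsoftAuthenticatorPasswordless"}


def mfa_posture(details, passwordless_target_pct=50):
    """Evaluate the registration checks over a list of userRegistrationDetails objects.

    Returns a dict with:
      unregistered          UPNs where isMfaRegistered is false (EIDAUTH-002)
      no_methods            UPNs with an empty methodsRegistered list (EIDAUTH-005)
      phone_only            UPNs whose only methods are SMS/voice (EIDAUTH-004)
      passwordless_pct      share of users with isPasswordlessCapable (EIDAUTH-008)
      strong_method_users   users holding at least one phishing-resistant method (EIDAUTH-003)
      distribution          Counter of every registered method (EIDAUTH-003)
    """
    result = {"unregistered": [], "no_methods": [], "phone_only": [],
              "distribution": Counter(), "total": 0,
              "passwordless_capable": 0, "strong_method_users": 0}
    for d in details:
        upn = d["userPrincipalName"]
        methods = set(d.get("methodsRegistered") or [])
        result["total"] += 1
        result["distribution"].update(methods)
        if not d.get("isMfaRegistered"):
            result["unregistered"].append(upn)
        if not methods:
            result["no_methods"].append(upn)
        elif methods <= PHONE_ONLY_METHODS:   # every registered method is a phone method
            result["phone_only"].append(upn)
        if d.get("isPasswordlessCapable"):
            result["passwordless_capable"] += 1
        if methods & STRONG_METHODS:
            result["strong_method_users"] += 1
    total = result["total"] or 1               # avoid division by zero on an empty report
    result["passwordless_pct"] = round(100 * result["passwordless_capable"] / total, 1)
    result["passwordless_target_met"] = result["passwordless_pct"] >= passwordless_target_pct
    return result


# Constructed sample report rows; UPNs are placeholders.
SAMPLE_DETAILS = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True, "isPasswordlessCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True, "isPasswordlessCapable": False,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False, "isPasswordlessCapable": False,
     "methodsRegistered": []},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": True, "isPasswordlessCapable": False,
     "methodsRegistered": ["mobilePhone", "officePhone"]},
    {"userPrincipalName": "erin@example.com", "isMfaRegistered": True, "isPasswordlessCapable": True,
     "methodsRegistered": ["windowsHelloForBusiness", "softwareOneTimePasscode"]},
    {"userPrincipalName": "frank@example.com", "isMfaRegistered": False, "isPasswordlessCapable": False,
     "methodsRegistered": ["email", "securityQuestion"]},   # SSPR-only methods, no MFA
]

if __name__ == "__main__":
    posture = mfa_posture(SAMPLE_DETAILS)
    for key, value in posture.items():
        print(f"{key}: {value}")
```

On the sample, carol and frank are unregistered for MFA but only carol has no methods at all, bob and dave are the SMS/voice-only migration candidates, and passwordless capability sits at 33.3%, short of the 50% readiness target.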
EIDAUTH-006 — FIDO2 Security Key Inventory and Audit
Info INFO
Description
FIDO2 security keys provide phishing-resistant authentication but must be inventoried and managed throughout their lifecycle. Untracked keys may remain associated with departed employees or become lost without detection. Regular audits ensure only authorized keys are active and properly assigned to current users.
Recommended
All registered FIDO2 keys inventoried with documented owner assignments and regular attestation reviews
Current Value
Not configured / Non-compliant
Remediation
Review FIDO2 key registrations via Entra ID > Protection > Authentication methods > FIDO2 security key. Cross-reference registered keys with your hardware asset inventory and remove keys for departed users. Implement key registration policies that restrict allowed AAGUID values to approved vendor models.
Compliance
NIST IA-2(6)

Entra ID Conditional Access (16 checks, 13 failing)

EIDCA-006 — Break-Glass Account CA Exclusion Validation
Critical FAIL
Description
Emergency access (break-glass) accounts must be excluded from Conditional Access policies to ensure access during outages or misconfigurations, but these exclusions must be tightly controlled. Failure to properly configure break-glass exclusions can result in complete lockout during critical incidents or create unmonitored backdoor accounts.
Recommended
Exactly two break-glass accounts excluded from all CA policies with monitoring, alerts, and regular validation
Current Value
Not configured / Non-compliant
Remediation
Verify that dedicated break-glass accounts exist, are excluded from all Conditional Access policies, and are not used for daily operations. Configure Azure Monitor alerts to trigger on any sign-in activity from break-glass accounts. Test break-glass account access quarterly and store credentials securely in a physical safe or hardware security module.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
Compliance
NIST AC-2(2), MITRE T1078.004, CIS M365 1.1.4
EIDCA-007 — MFA Enforcement via Conditional Access
Critical FAIL
Description
Multi-factor authentication should be required for all users through Conditional Access policies to prevent credential-based attacks. Without MFA enforcement, compromised passwords alone grant full access to organizational resources, making this the single most impactful control against account takeover.
Recommended
MFA required for 100% of users across all cloud applications via Conditional Access
Current Value
Not configured / Non-compliant
Remediation
Create a Conditional Access policy targeting all users and all cloud applications with a grant control requiring multifactor authentication. Verify the policy covers all user types including guests and external collaborators. Monitor the sign-in logs to confirm MFA is being prompted and review the CA insights workbook for coverage gaps.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST IA-2(1), NIST IA-2(2), MITRE T1078, MITRE T1110, CIS M365 5.2.2.1
EIDCA-008 — Legacy Authentication Blocking via CA
Critical FAIL
Description
Legacy authentication protocols such as IMAP, POP3, SMTP, and ActiveSync do not support modern authentication or MFA, making them a primary attack vector for password spray and brute-force attacks. Blocking legacy authentication through Conditional Access is essential to prevent these protocols from bypassing MFA controls.
Recommended
All legacy authentication protocols blocked via Conditional Access for all users
Current Value
Not configured / Non-compliant
Remediation
Create a Conditional Access policy targeting all users and all cloud applications with the client apps condition set to Exchange ActiveSync clients and other clients, then set the grant control to block access. Verify the policy is in enabled state and monitor sign-in logs for any remaining legacy authentication attempts. Coordinate with application owners to migrate any remaining legacy protocol dependencies to modern authentication.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST IA-2, NIST AC-17(2), MITRE T1078, MITRE T1110.001, CIS M365 5.2.2.3
EIDCA-002 — CA Policy Coverage Gap Analysis
High FAIL
Description
All users and applications should be covered by at least one Conditional Access policy. Gaps in coverage leave users or applications without security controls such as MFA, device compliance, or location restrictions, creating attack vectors for unauthorized access.
Recommended
100% of active users and critical applications covered by at least one CA policy
Current Value
Not configured / Non-compliant
Remediation
Review all Conditional Access policies to identify users and applications that are not targeted by any policy. Create policies that cover uncovered users and applications with appropriate grant and session controls. Prioritize coverage for privileged accounts and business-critical applications.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST AC-2, NIST AC-3, MITRE T1078.004, CIS M365 5.2.2
EIDCA-004 — CA Exclusion Group Analysis
High FAIL
Description
Users and groups excluded from Conditional Access policies bypass critical security controls. Exclusions should be minimized, documented with business justification, and regularly reviewed to prevent privilege creep and unauthorized access.
Recommended
All exclusions documented with business justification and reviewed quarterly
Current Value
Not configured / Non-compliant
Remediation
Audit all Conditional Access policies to identify excluded users and groups. Document the business justification for each exclusion and establish an owner responsible for periodic review. Remove any exclusions that no longer have a valid business need and implement compensating controls where exclusions are required.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST AC-6(1), MITRE T1078.004
EIDCA-005 — Unprotected Groups in CA Exclusions
High FAIL
Description
Groups used in Conditional Access exclusions that lack ownership, membership reviews, or access restrictions can be exploited by attackers to bypass security policies. An attacker who adds themselves to an unprotected exclusion group effectively bypasses all CA controls targeting that group.
Recommended
All CA exclusion groups have assigned owners, restricted membership management, and regular access reviews enabled
Current Value
Not configured / Non-compliant
Remediation
Identify all groups referenced in CA policy exclusions and verify each group has an assigned owner, restricted join/leave settings, and an active access review schedule. Enable Privileged Access Group features or restrict group membership changes to authorized administrators only. Remove any unmanaged or orphaned groups from CA exclusions immediately.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups
Compliance
NIST AC-6(1), NIST AC-6(5), MITRE T1078.004
EIDCA-009 — Device Compliance Requirement in CA
High FAIL
Description
Conditional Access policies should require device compliance to ensure only managed and healthy devices can access organizational resources. Without device compliance requirements, unmanaged or compromised devices can access sensitive data, increasing the risk of data exfiltration and malware propagation.
Recommended
Device compliance or Hybrid Azure AD join required for access to all cloud applications
Current Value
Not configured / Non-compliant
Remediation
Create or update Conditional Access policies to require device compliance or Hybrid Azure AD join as a grant control for all cloud applications. Ensure Intune device compliance policies are configured with appropriate security baselines before enforcing this requirement. Use report-only mode initially to assess impact, then transition to enforcement after confirming managed device coverage is sufficient.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST AC-17(2), NIST CM-6, CIS M365 5.2.2.2
EIDCA-012 — Sign-In Risk-Based CA Policies
High FAIL
Description
Sign-in risk-based Conditional Access policies use Azure AD Identity Protection signals to detect anomalous sign-in behavior such as impossible travel, anonymous IP usage, and credential leak detection. Without risk-based policies, compromised credentials can be used from suspicious locations or patterns without triggering additional verification.
Recommended
CA policies configured to require MFA or block access for medium and high sign-in risk levels
Current Value
Not configured / Non-compliant
Remediation
Create Conditional Access policies that target all users with the sign-in risk condition set to medium and high, requiring multifactor authentication as the grant control. Ensure Azure AD Identity Protection is enabled and properly licensed (requires Entra ID P2). Monitor the risky sign-ins report regularly and tune risk detection sensitivity based on organizational patterns.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST IA-2(13), MITRE T1078.004, MITRE T1110, CIS M365 5.2.2.7
EIDCA-013 — User Risk-Based CA Policies
High FAIL
Description
User risk-based Conditional Access policies respond to cumulative risk signals indicating a user account may be compromised, such as leaked credentials or anomalous activity patterns. Without user risk policies, accounts flagged as compromised by Identity Protection continue to operate normally without requiring password changes or additional verification.
Recommended
CA policies configured to require password change for high user risk and MFA for medium user risk
Current Value
Not configured / Non-compliant
Remediation
Create Conditional Access policies targeting all users with user risk conditions set to medium and high, requiring a secure password change as the grant control for high risk and MFA for medium risk. Ensure self-service password reset (SSPR) is enabled and registered for all users to allow automated remediation. Review the risky users report regularly and investigate accounts that remain at elevated risk levels.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST IA-2(13), MITRE T1078.004, CIS M365 5.2.2.8
EIDCA-003 — CA Policies in Report-Only Mode
Medium FAIL
Description
Conditional Access policies left in report-only mode do not enforce security controls and only log what would have happened. Policies that have completed testing should be switched to the enabled state to actively protect the environment.
Recommended
No policies in report-only mode unless actively being tested with a defined transition timeline
Current Value
Not configured / Non-compliant
Remediation
Review all Conditional Access policies currently in report-only mode and evaluate their sign-in log impact data. For policies that have been validated and show acceptable impact, change the state from report-only to enabled. Establish a policy lifecycle process that defines maximum report-only durations before enforcement.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
CIS M365 5.2.1
EIDCA-010 — Location-Based CA Policies Audit
Medium FAIL
Description
Location-based Conditional Access policies restrict access based on IP address ranges, countries, or named locations. Without location controls, attackers can authenticate from any geographic location, making it harder to detect and prevent unauthorized access from suspicious or high-risk regions.
Recommended
Location-based policies configured to block or require additional controls for access from untrusted locations
Current Value
Not configured / Non-compliant
Remediation
Review existing named locations and ensure trusted corporate IP ranges and countries are accurately defined. Create Conditional Access policies that require MFA or block access from untrusted locations, particularly for privileged accounts and sensitive applications. Regularly update named location definitions as corporate network infrastructure changes.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST AC-2(11), NIST SC-7
EIDCA-011 — Named Locations Configuration Review
Medium FAIL
Description
Named locations define trusted and untrusted network boundaries used by Conditional Access policies. Misconfigured named locations can result in overly permissive access from untrusted networks or unnecessarily restricted access from legitimate corporate locations.
Recommended
All named locations accurately reflect current corporate network boundaries with trusted locations marked appropriately
Current Value
Not configured / Non-compliant
Remediation
Navigate to the Named Locations blade in the Entra admin center and review all configured locations for accuracy. Verify that trusted corporate IP ranges are up to date and that country-based locations align with organizational presence. Remove any stale or unused named locations and ensure trusted location flags are only applied to verified corporate networks.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/NamedLocations
Compliance
NIST AC-2(11)
EIDCA-014 — Session Controls Audit
Medium FAIL
Description
Conditional Access session controls govern sign-in frequency and browser session persistence. Without proper session controls, users may remain authenticated indefinitely, increasing the window of opportunity for session hijacking and token theft attacks.
Recommended
Sign-in frequency set to no more than 24 hours for sensitive applications with persistent browser sessions disabled
Current Value
Not configured / Non-compliant
Remediation
Review Conditional Access policies for session control configurations including sign-in frequency and persistent browser session settings. Configure sign-in frequency to appropriate intervals based on application sensitivity, with shorter intervals for privileged access. Disable persistent browser sessions for sensitive applications to ensure tokens expire and require re-authentication.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST AC-12, NIST SC-10, CIS M365 5.2.2.6
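As an added example (not PSGuerrilla's own check code), the following Microsoft Graph PowerShell script evaluates the four findings above, EIDCA-012, EIDCA-013, EIDCA-003 and EIDCA-014, against a live tenant. It assumes the Microsoft Graph PowerShell SDK is installed and uses Graph's own policy states and property names; the 24-hour sign-in frequency threshold is the one this report recommends, and a policy that grants an authentication strength is treated as satisfying the MFA requirement.

```powershell
# Added example, not PSGuerrilla's own code. Evaluates the tenant's Conditional Access policies
# against EIDCA-012/013 (risk-based policies), EIDCA-003 (report-only) and EIDCA-014 (session
# controls). Assumes the Microsoft Graph PowerShell SDK; Policy.Read.All is enough to read policies.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All
$findings = [System.Collections.Generic.List[string]]::new()

# Only enforced policies satisfy a check. A policy scoped to "All users" may still carry
# exclusions; those are a separate review.
$enforced = @($policies | Where-Object { $_.State -eq 'enabled' })

function Test-Grant {
    # True when the policy's grant contains any of the named built-in controls, or an
    # authentication strength (which is at least MFA) when 'mfa' is among the names.
    param($Policy, [string[]]$Controls)
    $g = $Policy.GrantControls
    if (-not $g) { return $false }
    foreach ($c in $Controls) { if ($g.BuiltInControls -contains $c) { return $true } }
    return ($Controls -contains 'mfa') -and -not [string]::IsNullOrEmpty($g.AuthenticationStrength.Id)
}

# EIDCA-012: an all-user policy that requires MFA or blocks on medium AND high sign-in risk.
$signInRisk = $enforced | Where-Object {
    ($_.Conditions.SignInRiskLevels -contains 'medium') -and ($_.Conditions.SignInRiskLevels -contains 'high') -and
    ($_.Conditions.Users.IncludeUsers -contains 'All') -and (Test-Grant $_ @('mfa', 'block'))
}
if (-not $signInRisk) { $findings.Add('EIDCA-012 FAIL: no enforced all-user policy acts on medium/high sign-in risk') }

# EIDCA-013: high user risk -> secure password change; medium user risk -> at least MFA.
$userHigh = $enforced | Where-Object { ($_.Conditions.UserRiskLevels -contains 'high')   -and (Test-Grant $_ @('passwordChange')) }
$userMed  = $enforced | Where-Object { ($_.Conditions.UserRiskLevels -contains 'medium') -and (Test-Grant $_ @('mfa', 'passwordChange')) }
if (-not $userHigh) { $findings.Add('EIDCA-013 FAIL: no enforced policy forces a password change on high user risk') }
if (-not $userMed)  { $findings.Add('EIDCA-013 FAIL: no enforced policy requires MFA on medium user risk') }

# EIDCA-003: every report-only policy, with how long it has sat there.
foreach ($p in ($policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' })) {
    $since = if ($p.ModifiedDateTime) { $p.ModifiedDateTime } else { $p.CreatedDateTime }
    $days  = [int]([DateTime]::UtcNow - $since).TotalDays
    $findings.Add("EIDCA-003 FAIL: '$($p.DisplayName)' has been report-only for $days days")
}

# EIDCA-014: sign-in frequency above 24h, or persistent browser sessions always kept.
foreach ($p in $enforced) {
    $sif = $p.SessionControls.SignInFrequency
    if ($sif -and $sif.IsEnabled -and $sif.FrequencyInterval -ne 'everyTime') {
        $hours = if ($sif.Type -eq 'days') { 24 * $sif.Value } else { [int]$sif.Value }
        if ($hours -gt 24) { $findings.Add("EIDCA-014 WARN: '$($p.DisplayName)' allows a $hours h sign-in frequency") }
    }
    $pb = $p.SessionControls.PersistentBrowser
    if ($pb -and $pb.IsEnabled -and $pb.Mode -eq 'always') {
        $findings.Add("EIDCA-014 WARN: '$($p.DisplayName)' forces persistent browser sessions")
    }
}
if (-not ($enforced | Where-Object { $_.SessionControls.SignInFrequency.IsEnabled })) {
    $findings.Add('EIDCA-014 FAIL: no enforced policy sets a sign-in frequency')
}

if ($findings.Count -eq 0) { 'EIDCA-003/012/013/014: pass' } else { $findings }
```

Run it as a read-only sweep before and after a policy change. The script deliberately ignores report-only and disabled policies when deciding whether a control exists, which is the same reasoning EIDCA-003 applies: a policy that only logs protects nothing.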
EIDCA-001 — Full CA Policy Inventory
Info INFO
Description
A complete inventory of all Conditional Access policies with their settings should be maintained. This provides visibility into the security posture and enables gap analysis, change tracking, and compliance auditing across the tenant. Emulates inventory capabilities found in Maester, EntraFalcon, and ScubaGear.
Recommended
All Conditional Access policies documented with state, conditions, grant controls, and session controls
Current Value
Not configured / Non-compliant
Remediation
Navigate to the Entra admin center Conditional Access blade and export all policies. Review each policy for correct naming conventions, descriptions, and appropriate state (enabled, disabled, or report-only). Maintain a versioned record of all policy configurations for audit purposes.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
CIS M365 5.2.1
EIDCA-015 — CA What-If Simulation for Attack Scenarios
Info INFO
Description
The Conditional Access What-If tool allows simulation of sign-in scenarios to validate policy behavior against common attack patterns. Without regular what-if testing, policy misconfigurations or gaps may go undetected until exploited by an attacker.
Recommended
Quarterly what-if simulations covering common attack scenarios including external attacker, compromised device, and legacy auth attempts
Current Value
Not configured / Non-compliant
Remediation
Use the Conditional Access What-If tool to simulate sign-in scenarios for common attack patterns: a sign-in from an unknown external IP address without MFA, a legacy authentication client, an unmanaged device, and a sign-in flagged at high risk. Document the results of each simulation and remediate any policy set that fails to block or step up the simulated attack. Incorporate What-If testing into the change management process for all CA policy modifications.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/WhatIf
Compliance
NIST CA-8, MITRE T1078.004
EIDCA-016 — CA Policy Documentation Export
Info INFO
Description
A complete export of all Conditional Access policies should be generated for documentation, disaster recovery, and compliance audit purposes. Without documented policy exports, rebuilding CA policies after a tenant compromise or accidental deletion requires significant effort and may result in security gaps.
Recommended
Full CA policy export generated and stored in a secure, versioned repository updated after each policy change
Current Value
Not configured / Non-compliant
Remediation
Export all Conditional Access policies using Microsoft Graph API or the Entra admin center and store the output in a secure, version-controlled repository. Establish an automated process to capture policy snapshots on a regular schedule or triggered by policy modifications. Include the export in your tenant disaster recovery plan and validate that policies can be restored from the export.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Compliance
NIST CM-2, NIST CM-6
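As an added example (not PSGuerrilla's own code), the following script implements the inventory and export that EIDCA-001 and EIDCA-016 ask for: it pulls every Conditional Access policy and named location as raw Graph JSON, writes one file per object into a git repository, and commits, so every run leaves a reviewable diff and a restore point. The repository path, the committer identity and the restore helper are assumptions for the example; restoring requires Policy.ReadWrite.ConditionalAccess in addition to the read scope.

```powershell
# Added example, not PSGuerrilla's own code. Snapshots every Conditional Access policy and named
# location as Graph JSON into a git repository so each run yields a reviewable diff (EIDCA-001) and
# a restore point (EIDCA-016). $RepoPath is an assumption; restoring needs
# Policy.ReadWrite.ConditionalAccess in addition to the read scope.
param([string]$RepoPath = 'C:\ca-backup')
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

function Get-GraphCollection([string]$Uri) {
    # Follows @odata.nextLink so large tenants are not truncated at one page.
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Save-CaSnapshot {
    $base = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess'
    foreach ($set in @{ policies = 'policies'; namedLocations = 'namedLocations' }.GetEnumerator()) {
        $dir = Join-Path $RepoPath $set.Key
        New-Item -ItemType Directory -Force -Path $dir | Out-Null
        Remove-Item (Join-Path $dir '*.json') -ErrorAction SilentlyContinue   # deleted objects then show as deleted files
        foreach ($obj in Get-GraphCollection "$base/$($set.Value)") {
            # File name carries the display name for readability and the id for stability across renames.
            $safe = ($obj.displayName -replace '[^\w\-. ]', '_')
            $obj | ConvertTo-Json -Depth 20 | Set-Content -Encoding utf8 (Join-Path $dir "$safe.$($obj.id).json")
        }
    }
    Push-Location $RepoPath
    try {
        if (-not (Test-Path '.git')) { git init -q . }
        git add -A
        git -c user.name=ca-backup -c user.email=ca-backup@localhost commit -q -m "CA snapshot $(Get-Date -Format s)"
        git log --oneline -1
    } finally { Pop-Location }
}

function Restore-CaPolicy([string]$JsonPath) {
    # Re-creates a policy from a snapshot in report-only state; enable it only after review.
    # Referenced named locations, authentication strengths and groups must still exist under the same ids.
    $body = Get-Content $JsonPath -Raw | ConvertFrom-Json
    foreach ($ro in 'id', 'createdDateTime', 'modifiedDateTime', 'templateId') { $body.PSObject.Properties.Remove($ro) }
    $body.state = 'enabledForReportingButNotEnforced'
    Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json'
}

Save-CaSnapshot
# Restore-CaPolicy (Join-Path $RepoPath 'policies\Require MFA for admins.<policy id>.json')
```

Raw Graph JSON is exported rather than the SDK's object shape so that a snapshot can be posted back unchanged apart from the read-only fields. Restoring in report-only state is deliberate: a policy re-created from a backup has not been validated against the tenant as it now is, and a wrong policy restored in enabled state can lock administrators out.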

Entra ID Federation & Hybrid Identity (12 checks, 10 failing)

EIDFED-003 — Federation Signing Certificate Issuer/Subject Mismatch
Critical FAIL
Description
A federation signing certificate whose issuer and subject do not match the values expected for your STS and PKI is a strong indicator of a Golden SAML style backdoor, where an attacker has added or replaced the trust's signing certificate with one they control. In that attack the attacker generates a self-signed certificate with arbitrary issuer/subject values and registers it as the federation trust's signing certificate, or as its next signing certificate, which Entra ID also accepts, enabling them to forge SAML tokens for any user in the domain. Note that the default AD FS token-signing certificate is itself self-signed, with subject and issuer both "CN=ADFS Signing - <sts hostname>", so the comparison is against the expected certificate for your STS rather than against self-signature alone. Any issuer/subject that does not align with that expectation requires immediate investigation.
Recommended
Federation signing certificate issuer and subject fields match expected organizational PKI chain with no unexpected self-signed certificates
Current Value
Not configured / Non-compliant
Remediation
Extract the signing certificate, and the next signing certificate if one is set, from each federated domain trust and compare the issuer and subject fields against the expected values for your STS and PKI. Investigate any certificate whose issuer is neither your known certificate authority nor the STS's own self-signed name, or whose subject contains unexpected values. If a mismatch is detected, treat it as a potential security incident: rotate the federation signing certificate immediately, remove any unrecognised certificate from the trust, and review the audit logs for unauthorised federation configuration changes (the "Set federation settings on domain" and "Set domain authentication" operations).
Compliance
NIST IA-5(2), MITRE T1556.006
EIDFED-002 — Federation Signing Certificate Validity Period
High FAIL
Description
Federation signing certificates with excessively long validity periods give an attacker who obtains the private key an extended window in which to forge SAML tokens and maintain persistent unauthorized access. Certificates valid for more than 3 years fail this check and may indicate a compromised or attacker-created certificate, since the certificates AD FS generates for itself are valid for one year and roll over automatically. Short-lived certificates limit the duration of abuse if the private key is compromised; the recommended target is one year or less.
Recommended
Federation signing certificates with validity periods no longer than 1 year with automated rotation procedures in place
Current Value
Not configured / Non-compliant
Remediation
Review the signing certificates for all federated domains, including any next signing certificate, and check their NotBefore and NotAfter dates to determine the validity period. Replace any certificate valid for more than 3 years with one whose lifetime is aligned with organizational certificate policy (one year or less). Implement automated rotation; where AD FS AutoCertificateRollover is enabled, confirm that each new certificate is also published to the trust in Entra ID, and configure monitoring alerts for certificates approaching expiration.
Compliance
NIST IA-5(2), MITRE T1556.006
EIDFED-004 — Federation Trust Metadata Analysis
High FAIL
Description
Federation trust metadata defines the identity provider endpoints, supported protocols, and token signing configuration used for federated authentication. Manipulated metadata can redirect authentication flows to attacker-controlled endpoints or introduce rogue signing certificates, enabling token forgery and impersonation attacks. The metadata endpoint URL, passive and active endpoints, and signing algorithm configurations should be validated against known-good values.
Recommended
All federation trust metadata validated against known-good baseline with metadata refresh URLs pointing to organization-controlled endpoints
Current Value
Not configured / Non-compliant
Remediation
Review the federation configuration for each federated domain including the metadata exchange URI, passive sign-on endpoint, issuer URI, and signing certificate details. Compare current values against a documented baseline configuration to identify any unauthorized modifications. Ensure metadata refresh endpoints use HTTPS and point to organization-controlled infrastructure, and validate that signing algorithms use SHA-256 or stronger.
Compliance
NIST IA-8(4), MITRE T1556.006
EIDFED-005 — Azure AD Connect Configuration Review
High FAIL
Description
Azure AD Connect synchronizes on-premises Active Directory objects to Entra ID and is a critical component of hybrid identity architecture. Misconfigured Azure AD Connect settings can expose sensitive attributes to the cloud, create unintended privilege escalation paths, or allow attackers with on-premises access to manipulate cloud identities. The connector account permissions, synchronization rules, and feature configuration should be reviewed against security best practices.
Recommended
Azure AD Connect configured with least-privilege connector accounts, hardened synchronization rules, and all security features enabled
Current Value
Not configured / Non-compliant
Remediation
Review the Azure AD Connect configuration including the connector account permissions, synchronization rules, and enabled features. Ensure the AD DS connector account uses the minimum required permissions and that the Entra ID connector account is a dedicated cloud-only service account. Verify that the Azure AD Connect server is treated as a Tier 0 asset with restricted administrative access and comprehensive monitoring.
Compliance
NIST CM-6, MITRE T1078.004
EIDFED-009 — AD FS Server Configuration Assessment
High FAIL
Description
Active Directory Federation Services (AD FS) servers handle authentication for federated domains and process security-sensitive SAML tokens. Misconfigured AD FS settings such as weak token signing algorithms, disabled audit logging, overly permissive extranet access, or outdated claim rules can be exploited for token forgery, credential harvesting, or unauthorized access. The AD FS configuration should be regularly assessed against Microsoft security baselines and hardening guides.
Recommended
AD FS servers configured per Microsoft security baseline with SHA-256 signing, comprehensive audit logging, and current Windows Server patches
Current Value
Not configured / Non-compliant
Remediation
Review the AD FS server configuration including token signing algorithm (should be SHA-256), audit log settings (should capture success and failure events), extranet access policies, and claim rule complexity. Ensure AD FS servers are running the latest Windows Server patches and that the AD FS farm is configured with redundant servers. Validate that the AD FS service account follows least-privilege principles and that the token signing certificate private key is properly protected.
Compliance
NIST CM-6, NIST IA-8(4)
EIDFED-006 — Azure AD Connect Sync Scope Audit
Medium FAIL
Description
The synchronization scope in Azure AD Connect determines which on-premises organizational units, groups, and attributes are replicated to Entra ID. An overly broad sync scope may replicate sensitive service accounts, administrative accounts, or security groups that should remain exclusively on-premises. Conversely, an improperly restricted scope may fail to sync accounts that require cloud access, causing authentication failures.
Recommended
Synchronization scope restricted to required organizational units and objects only, with sensitive service accounts and administrative objects excluded
Current Value
Not configured / Non-compliant
Remediation
Review the Azure AD Connect synchronization scope including OU filtering, group-based filtering, and attribute-level filtering rules. Verify that only OUs containing user accounts that require cloud access are included in the sync scope. Exclude sensitive on-premises service accounts, administrative accounts, and security groups that do not need cloud representation, and document the rationale for each included OU.
Compliance
NIST AC-2
EIDFED-007 — Password Hash Sync Enabled Status
Medium FAIL
Description
Password Hash Synchronization (PHS) replicates a hash of on-premises password hashes to Entra ID, enabling cloud authentication as a backup when federation or pass-through authentication is unavailable. While PHS provides resilience and enables leaked credential detection through Entra ID Identity Protection, organizations must understand the security implications of storing password derivatives in the cloud. PHS should be evaluated against organizational security requirements and risk tolerance.
Recommended
PHS enabled as a backup authentication method with leaked credential detection active through Entra ID Identity Protection
Current Value
Not configured / Non-compliant
Remediation
Check the Azure AD Connect configuration to determine if Password Hash Synchronization is enabled. If PHS is disabled, evaluate enabling it as a backup authentication method and to support Entra ID Identity Protection leaked credential detection. If PHS is already enabled, verify that Entra ID Identity Protection is configured to leverage the password hashes for risk-based detection of compromised credentials.
Compliance
NIST IA-5
EIDFED-008 — Pass-Through Authentication Agent Status
Medium FAIL
Description
Pass-Through Authentication (PTA) validates user passwords against on-premises Active Directory in real-time without storing password hashes in the cloud. PTA agents running on on-premises servers must be properly secured, monitored, and kept current, as a compromised PTA agent could be manipulated to accept any password or to intercept credentials during authentication. Agent health, version currency, and server security posture are critical to maintaining authentication integrity.
Recommended
At least 2 PTA agents deployed on hardened servers with current agent versions and health monitoring enabled
Current Value
Not configured / Non-compliant
Remediation
Review the PTA agent status in Entra ID > Hybrid management > Azure AD Connect > Pass-through authentication. Verify that at least two agents are deployed for redundancy and that all agents show a healthy status with current software versions. Ensure PTA agent servers are treated as Tier 0 assets with restricted administrative access, up-to-date security patches, and comprehensive event log monitoring.
Compliance
NIST IA-2, MITRE T1556
EIDFED-010 — AD FS Extranet Lockout Settings
Medium FAIL
Description
AD FS extranet lockout protects against brute-force and password spray attacks targeting the AD FS endpoint exposed to the internet. Without proper extranet lockout configuration, attackers can attempt unlimited password guesses against any federated account through the AD FS proxy, potentially compromising accounts with weak or commonly used passwords. The smart lockout feature in AD FS provides protection while minimizing lockout impact on legitimate users.
Recommended
Extranet smart lockout enabled with appropriate threshold and observation window configured to prevent brute-force attacks
Current Value
Not configured / Non-compliant
Remediation
Review the AD FS extranet lockout configuration with Get-AdfsProperties on an AD FS server (EnableExtranetLockout, ExtranetLockoutMode, ExtranetLockoutThreshold, ExtranetObservationWindow). Enable extranet smart lockout if it is not already active, starting in log-only mode so the per-user familiar-location data can populate before enforcement, and set the threshold below the on-premises AD account lockout threshold so that extranet attempts can never lock the AD account itself. Monitor the AD FS security log for extranet lockout events and adjust thresholds if legitimate users are being locked out or brute-force attempts are still succeeding.
Compliance
NIST AC-7
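As an added example (not PSGuerrilla's own code), the following PowerShell, run on an AD FS server, reads the extranet lockout settings named above, enables smart lockout in log-only mode where it is missing, and shows how to promote it to enforcement afterwards. Smart lockout needs AD FS 2016 or later; the threshold and window values are assumptions to be tuned to the farm's own sign-in patterns, not values from this report.

```powershell
# Added example, not PSGuerrilla's own code; run on an AD FS server (AD FS 2016 or later for smart
# lockout). The thresholds below are assumptions to be tuned to the farm's own sign-in patterns.
Import-Module ADFS
$props = Get-AdfsProperties

[pscustomobject]@{
    ExtranetLockoutEnabled = $props.EnableExtranetLockout
    Mode                   = $props.ExtranetLockoutMode            # ADPasswordCounter | ADFSSmartLockoutLogOnly | ADFSSmartLockoutEnforce
    Threshold              = $props.ExtranetLockoutThreshold
    FamiliarThreshold      = $props.ExtranetLockoutThresholdFamiliarLocation
    ObservationWindow      = $props.ExtranetObservationWindow
} | Format-List

# ADPasswordCounter is the legacy mode that only counts bad passwords; smart lockout keeps a
# per-user familiar-location table so attackers at unknown IPs hit a lower bar than the user does.
# Keep ExtranetLockoutThreshold below the domain's AD lockout threshold so extranet failures
# never lock the AD account itself.
if (-not $props.EnableExtranetLockout -or $props.ExtranetLockoutMode -notlike 'ADFSSmartLockout*') {
    Set-AdfsProperties -EnableExtranetLockout $true `
        -ExtranetLockoutMode ADFSSmartLockoutLogOnly `
        -ExtranetLockoutThreshold 10 `
        -ExtranetLockoutThresholdFamiliarLocation 20 `
        -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
    Restart-Service adfssrv
}

# Promote to enforcement once the AD FS Security log shows no lockouts of legitimate users:
# Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce; Restart-Service adfssrv

# Per-user view of the counters smart lockout keeps (familiar vs unknown locations):
# Get-AdfsAccountActivity -Identity 'user@corp.example'
```

Get-AdfsAccountActivity and Reset-AdfsAccountLockout are the cmdlets an investigator uses to inspect and clear a single account's extranet lockout state without touching its AD account; both ship with the smart lockout feature. In a multi-node farm run the Set-AdfsProperties change on the primary node and restart the service on every node.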
EIDFED-011 — Hybrid Join Configuration
Medium FAIL
Description
Hybrid Azure AD join registers on-premises domain-joined devices with Entra ID, enabling Conditional Access policies that require device compliance or domain join status. Misconfigured hybrid join settings can result in devices failing to register, which prevents users from satisfying device-based Conditional Access requirements, or can allow unauthorized devices to register if the service connection point is not properly secured. The configuration should be validated end-to-end.
Recommended
Hybrid Azure AD join configured and functional with service connection point properly secured and device registration verified for all target OUs
Current Value
Not configured / Non-compliant
Remediation
Verify the service connection point (SCP) configuration in Active Directory and ensure it points to the correct Entra ID tenant. Check that the hybrid join configuration in Azure AD Connect includes the correct domains and that required enterprise registration endpoints are accessible from client devices. Validate that devices are successfully registering by reviewing the device list in Entra ID and troubleshooting any devices that show a pending state.
Compliance
NIST IA-3
EIDFED-001 — Federated Domain Enumeration
Info INFO
Description
A complete inventory of all federated domains in the tenant provides visibility into how authentication is configured for each domain. Federated domains redirect authentication to external identity providers, which must be properly secured and monitored. This baseline inventory enables assessment of the federation attack surface and identifies domains that may have been configured by attackers as part of a Golden SAML or backdoor federation attack.
Recommended
All federated domains inventoried with documented identity provider endpoints, signing certificates, and business justification
Current Value
Not configured / Non-compliant
Remediation
Enumerate all domains in the tenant using Microsoft Graph and identify those with federation authentication configured. Document the identity provider endpoint, signing certificate details, and federation protocol for each federated domain. Verify that each federation trust is authorized and corresponds to a known, legitimate identity provider under organizational control.
Compliance
NIST CM-8
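As an added example (not PSGuerrilla's own code), the following Microsoft Graph PowerShell script performs the federation review that EIDFED-001, EIDFED-003, EIDFED-002 and EIDFED-004 above describe: it inventories federated domains, parses both the current and the next signing certificate of each trust, and flags unexpected issuers, validity over three years, weak signature algorithms, and endpoints that do not sit on your own STS or are not HTTPS. The STS host name and the expected issuer list are assumptions to replace with your own values.

```powershell
# Added example, not PSGuerrilla's own code. Inventories federated domains (EIDFED-001), parses the
# current and next signing certificate of each trust, and flags certificates whose issuer is not on
# the expected list (EIDFED-003), validity beyond three years (EIDFED-002), and endpoints that do
# not sit on your STS or that are not HTTPS (EIDFED-004). $ExpectedStsHost and $ExpectedIssuers are
# assumptions to replace with your own STS name and PKI.
param(
    [string]   $ExpectedStsHost = 'sts.corp.example',
    [string[]] $ExpectedIssuers = @('CN=ADFS Signing - sts.corp.example', 'CN=Corp Issuing CA 01, DC=corp, DC=example')
)
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

function ConvertTo-X509([string]$Base64) {
    # Graph returns the DER certificate base64-encoded; empty means the slot is unused.
    if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

$inventory = [System.Collections.Generic.List[object]]::new()
$findings  = [System.Collections.Generic.List[string]]::new()

foreach ($d in (Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' })) {
    foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $d.Id) {
        # EIDFED-004: every endpoint must be on the STS you operate, and sign-in/metadata endpoints
        # must be HTTPS. IssuerUri is an identifier, not a URL, so its scheme is not checked.
        $endpoints = @{ IssuerUri = $fed.IssuerUri; PassiveSignInUri = $fed.PassiveSignInUri
                        ActiveSignInUri = $fed.ActiveSignInUri; MetadataExchangeUri = $fed.MetadataExchangeUri
                        SignOutUri = $fed.SignOutUri }
        foreach ($e in $endpoints.GetEnumerator()) {
            if (-not $e.Value) { continue }
            $u = $null
            if (-not [uri]::TryCreate($e.Value, [UriKind]::Absolute, [ref]$u) -or $u.Host -ne $ExpectedStsHost) {
                $findings.Add("EIDFED-004 $($d.Id): $($e.Key) '$($e.Value)' is not on $ExpectedStsHost")
            } elseif ($e.Key -ne 'IssuerUri' -and $u.Scheme -ne 'https') {
                $findings.Add("EIDFED-004 $($d.Id): $($e.Key) is not HTTPS")
            }
        }

        # Entra ID accepts tokens signed by either certificate, so the "next" slot is a natural place
        # to park a rogue certificate; check both.
        foreach ($slot in 'SigningCertificate', 'NextSigningCertificate') {
            $cert = ConvertTo-X509 $fed.$slot
            if (-not $cert) { continue }
            $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
            $inventory.Add([pscustomobject]@{
                Domain = $d.Id; Slot = $slot; Subject = $cert.Subject; Issuer = $cert.Issuer
                Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Years = [math]::Round($years, 1)
                SigAlg = $cert.SignatureAlgorithm.FriendlyName
            })
            # The default AD FS token-signing certificate is self-signed, so "self-signed" alone is
            # not the indicator; an issuer you did not expect is.
            if ($cert.Issuer -notin $ExpectedIssuers) {
                $findings.Add("EIDFED-003 $($d.Id): $slot issuer '$($cert.Issuer)' (subject '$($cert.Subject)') is not an expected issuer")
            }
            if ($years -gt 3) { $findings.Add("EIDFED-002 $($d.Id): $slot is valid for $([math]::Round($years, 1)) years") }
            if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
                $findings.Add("EIDFED-004 $($d.Id): $slot is signed with $($cert.SignatureAlgorithm.FriendlyName)")
            }
        }
    }
}

$inventory | Format-Table -AutoSize
if ($findings.Count) { $findings } else { 'EIDFED-001/002/003/004: no deviations from the expected baseline' }
```

Keep the inventory output (thumbprints in particular) as the documented baseline this category refers to, and diff each run against it: a new thumbprint in either slot that did not come from your own certificate rollover is the signal to treat as an incident rather than a configuration drift.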
EIDFED-012 — Cloud-Only vs Synced Account Analysis
Info INFO
Description
Understanding the distribution of cloud-only versus on-premises-synced accounts provides visibility into the hybrid identity landscape and helps identify potential security gaps. Cloud-only accounts are managed entirely in Entra ID while synced accounts originate from on-premises Active Directory and inherit its security posture. This analysis helps identify accounts that should be cloud-only but are being synced, or vice versa, and informs decisions about authentication method selection and security control placement.
Recommended
All accounts categorized as cloud-only or synced with documentation of the expected state for each account type and role
Current Value
Not configured / Non-compliant
Remediation
Export all user accounts from Entra ID and categorize them by the onPremisesSyncEnabled property to determine which accounts are synced from on-premises versus cloud-only. Verify that privileged administrative accounts are cloud-only to prevent on-premises compromise from affecting cloud administration. Document the expected identity source for each account type and investigate any accounts whose actual source does not match the expected configuration.
Compliance
NIST AC-2

Entra ID Privileged Identity Management (14 checks, 11 failing)

EIDPIM-004 — Privileged Role Assignments to Guest Users
Critical FAIL
Description
Guest or external users with privileged Entra ID role assignments present a significant supply chain and third-party risk. These accounts originate from external organizations and are not subject to the same security controls, password policies, or monitoring as internal accounts. A compromised guest account with administrative privileges can lead to full tenant compromise while being difficult to detect through normal internal security monitoring.
Recommended
No guest or external users assigned to any privileged Entra ID roles
Current Value
Not configured / Non-compliant
Remediation
Review all privileged role assignments and identify any members with a userType of Guest. Remove privileged role assignments from all guest accounts immediately. If external administrative access is required, provision dedicated cloud-only accounts within the tenant under full organizational control instead of using guest invitations.
Compliance
NIST AC-6(5), NIST IA-8, MITRE T1078.004, CIS M365 1.1.2
EIDPIM-006 — Privileged Users Without MFA
Critical FAIL
Description
Privileged accounts without multi-factor authentication registered are exposed to credential-based attacks including password spraying, phishing, and brute force. A compromised privileged account without MFA gives an attacker immediate administrative access using only a stolen password. All accounts with privileged role assignments must have strong MFA methods registered and enforced through Conditional Access policies.
Recommended
100% of privileged users with MFA registered and enforced via Conditional Access
Current Value
Not configured / Non-compliant
Remediation
Review MFA registration status for all privileged users via Entra ID > Users > Per-user MFA or the Authentication Methods activity report. Ensure a Conditional Access policy requires MFA for all directory role assignments. Contact any privileged users lacking MFA registration and enforce registration within a defined deadline.
Compliance
NIST IA-2(1), NIST IA-2(2), MITRE T1078, MITRE T1110, CIS M365 5.2.2.1
EIDPIM-012 — Emergency Access Account Validation
Critical FAIL
Description
Emergency access (break-glass) accounts are critical safeguards that ensure administrative access to the tenant when normal authentication mechanisms fail, such as during MFA outages, Conditional Access misconfigurations, or identity provider failures. At least 2 break-glass accounts should exist, be cloud-only, be excluded from all Conditional Access policies, and be protected with strong authentication such as FIDO2 keys stored securely. Without properly configured break-glass accounts, an organization risks permanent lockout from its own tenant.
Recommended
At least 2 emergency access accounts that are cloud-only, permanently assigned Global Administrator, excluded from all Conditional Access policies, with FIDO2 or long complex passwords stored securely
Current Value
Not configured / Non-compliant
Remediation
Create at least 2 dedicated emergency access accounts that are cloud-only (not synced), assign the Global Administrator role permanently, exclude them from all Conditional Access policies, and protect them with FIDO2 security keys or very long complex passwords stored in a physical safe. Configure monitoring alerts for any sign-in activity on these accounts and test the break-glass procedure quarterly.
Compliance
NIST AC-2(2), NIST CP-2, MITRE T1078.004, CIS M365 1.1.4
EIDPIM-003 — Permanent Privileged Role Assignments
High FAIL
Description
Permanent (active) privileged role assignments provide standing administrative access without time limits or activation requirements. These permanent assignments should be converted to eligible (just-in-time) assignments via PIM, which require explicit activation with justification, approval, and time-bound access windows. Standing privileged access increases the risk and impact of credential compromise because the attacker gains immediate elevated access without any additional gates.
Recommended
No permanent privileged role assignments except for break-glass accounts. All other privileged assignments should be PIM eligible
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Roles and administrators and identify all permanent role assignments. Convert each permanent assignment to an eligible assignment through PIM by removing the active assignment and creating a corresponding eligible assignment. Only break-glass accounts should retain permanent Global Administrator assignments.
Compliance
NIST AC-2(3), NIST AC-6(1), MITRE T1078.004, CIS M365 1.1.3
EIDPIM-005 — Privileged Role Assignments to Synced Accounts
High FAIL
Description
Accounts synchronized from on-premises Active Directory via Entra Connect that hold privileged cloud roles create a dangerous hybrid attack path. If the on-premises environment is compromised, an attacker can manipulate synced account credentials or attributes to gain administrative access to the cloud tenant. Cloud-privileged roles should only be assigned to cloud-only accounts to maintain a security boundary between on-premises and cloud environments.
Recommended
No synced (hybrid) accounts assigned to privileged Entra ID roles. All privileged accounts should be cloud-only
Current Value
Not configured / Non-compliant
Remediation
Identify all privileged role members whose onPremisesSyncEnabled property is true. Create dedicated cloud-only administrative accounts for each administrator and assign the required privileged roles to these new accounts. Remove privileged role assignments from all synced accounts to eliminate the on-premises to cloud escalation path.
Compliance
NIST AC-6(5), MITRE T1078.004
EIDPIM-007 — Privileged Users with Weak Authentication Methods
High FAIL
Description
Privileged accounts relying on weak authentication methods such as SMS, voice call, or email OTP are vulnerable to SIM swapping, call interception, and email compromise. These legacy MFA methods do not provide the same level of assurance as phishing-resistant methods like FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Privileged accounts should be required to use phishing-resistant authentication methods exclusively.
Recommended
All privileged users using phishing-resistant MFA methods (FIDO2, Windows Hello for Business, or certificate-based authentication). No SMS, voice, or email OTP
Current Value
Not configured / Non-compliant
Remediation
Review the authentication methods registered for each privileged user via Entra ID > Authentication methods > Activity. Create a Conditional Access policy targeting privileged roles that requires the phishing-resistant MFA authentication strength. Provision FIDO2 security keys or configure Windows Hello for Business for all privileged users and remove the weak methods.
Compliance
NIST IA-2(1), MITRE T1111, MITRE T1078
EIDPIM-008 — Disabled Accounts in Privileged Roles
High FAIL
Description
Disabled user accounts that retain privileged role assignments create a latent security risk. If the account is re-enabled through administrative action or compromise, it immediately regains full privileged access. Disabled accounts should be promptly removed from all privileged roles as part of the offboarding or account deprovisioning process to eliminate this reactivation risk.
Recommended
No disabled accounts with active or eligible privileged role assignments
Current Value
Not configured / Non-compliant
Remediation
Enumerate all privileged role members and filter for accounts where accountEnabled is false. Remove all privileged role assignments from disabled accounts immediately. Implement an automated process or access review that detects and removes role assignments when accounts are disabled.
Compliance
NIST AC-2(3), MITRE T1078.004
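As an added example (not PSGuerrilla's own check code), the following Microsoft Graph PowerShell script enumerates every active and eligible holder of a privileged role and tags each with the conditions that EIDPIM-003, -004, -005, -006, -007 and -008 above describe, plus the never-signed-in case. It relies on Microsoft's own isPrivileged flag on role definitions rather than a hand-maintained role list, and on the authentication methods registration report for MFA state; the method names treated as weak are the report's own names for SMS, voice and email. Eligibility data needs Entra ID P2; groups and service principals holding roles are listed for separate expansion.

```powershell
# Added example, not PSGuerrilla's own code. Lists every active and eligible assignment of a role
# Microsoft flags as privileged (isPrivileged on the role definition) and tags each holder with the
# conditions EIDPIM-003/004/005/006/007/008 describe. Needs Entra ID P2 for the eligibility
# endpoints; group members and service principals are reported for separate expansion.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$roleName = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | Where-Object { $_.IsPrivileged } | ForEach-Object { $roleName[$_.Id] = $_.DisplayName }

# Registration report keyed by user id; MethodsRegistered names the methods each user holds.
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $reg[$_.Id] = $_ }
$weakMethods = 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email'   # SMS, voice and email OTP

$assignments = @(
    foreach ($i in Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All) {
        # An 'Assigned' instance with no end is standing access; 'Activated' is a live PIM activation.
        $kind = if ($i.AssignmentType -eq 'Activated') { 'Activated' } elseif ($i.EndDateTime) { 'TimeBound' } else { 'Permanent' }
        [pscustomobject]@{ Kind = $kind; PrincipalId = $i.PrincipalId; RoleId = $i.RoleDefinitionId }
    }
    foreach ($i in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All) {
        [pscustomobject]@{ Kind = 'Eligible'; PrincipalId = $i.PrincipalId; RoleId = $i.RoleDefinitionId }
    }
) | Where-Object { $roleName.ContainsKey($_.RoleId) }

$userCache = @{}
$report = foreach ($a in $assignments) {
    if (-not $userCache.ContainsKey($a.PrincipalId)) {
        # Non-user principals (groups, service principals) 404 here and are cached as $null.
        $userCache[$a.PrincipalId] = Get-MgUser -UserId $a.PrincipalId -ErrorAction SilentlyContinue `
            -Property 'id,userPrincipalName,userType,accountEnabled,onPremisesSyncEnabled,signInActivity'
    }
    $u = $userCache[$a.PrincipalId]
    if (-not $u) {
        [pscustomobject]@{ Principal = $a.PrincipalId; Role = $roleName[$a.RoleId]; Kind = $a.Kind; Issues = 'group or service principal: expand membership separately' }
        continue
    }
    $r    = $reg[$u.Id]
    $weak = @($r.MethodsRegistered | Where-Object { $_ -in $weakMethods })
    $issues = @(
        if ($a.Kind -eq 'Permanent')                   { 'EIDPIM-003 permanent (acceptable only for break-glass)' }
        if ($u.UserType -eq 'Guest')                   { 'EIDPIM-004 guest' }
        if ($u.OnPremisesSyncEnabled)                  { 'EIDPIM-005 synced from on-prem' }
        if (-not $r -or -not $r.IsMfaRegistered)       { 'EIDPIM-006 no MFA registered' }
        if ($weak.Count)                               { "EIDPIM-007 weak methods: $($weak -join ',')" }
        if (-not $u.AccountEnabled)                    { 'EIDPIM-008 disabled' }
        if (-not $u.SignInActivity.LastSignInDateTime) { 'never signed in' }
    )
    [pscustomobject]@{ Principal = $u.UserPrincipalName; Role = $roleName[$a.RoleId]; Kind = $a.Kind; Issues = ($issues -join '; ') }
}

$report | Where-Object { $_.Issues } | Sort-Object Principal, Role | Format-Table -AutoSize
```

The schedule-instance endpoints are used instead of the classic directoryRoles membership because only they distinguish a permanent assignment from a PIM activation that happens to be live at the moment of the query. Role-assignable groups appear as a single principal; expand them with Get-MgGroupMember and run the same per-user tests on each member, since a synced or guest member of such a group inherits the role.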
EIDPIM-010 — PIM Configuration Audit
High FAIL
Description
Privileged Identity Management role settings control the activation workflow, including whether approval is required, whether justification must be provided, the maximum activation duration, and who is notified. Misconfigured PIM settings can allow privileged roles to be activated without oversight, effectively negating the security benefit of just-in-time access. Each privileged role should require approval from a designated approver, mandate an activation justification, and send notifications to security personnel.
Recommended
All privileged roles configured with: approval required, justification required, maximum activation duration of 8 hours or less, and notifications enabled for role activation
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Roles and administrators > Settings and review each privileged role configuration. Enable approval requirement with designated approvers, require activation justification, set maximum activation duration to 8 hours or less, and configure notification recipients for activation events. Pay special attention to Global Administrator, Privileged Role Administrator, and Exchange Administrator roles.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/Settings
Compliance
NIST AC-2(4), NIST AC-6(1), MITRE T1078.004, CIS M365 1.1.3
EIDPIM-013 — Separate Admin Account Enforcement
High FAIL
Description
Administrative actions should be performed from dedicated administrative accounts rather than the same accounts used for daily activities such as email, web browsing, and collaboration. Using a single account for both administrative and daily tasks exposes privileged credentials to phishing, drive-by downloads, and other threats encountered during routine work. Separate admin accounts significantly reduce the likelihood of privileged credential compromise through normal user activity.
Recommended
All administrators use dedicated admin accounts separate from their daily-use accounts. Admin accounts should not have mailboxes or productivity licenses assigned
Current Value
Not configured / Non-compliant
Remediation
Review all privileged role members and identify accounts that also have productivity licenses (Exchange Online, SharePoint, Teams) assigned, indicating dual-use. Create dedicated admin accounts following a naming convention such as adm-username for each administrator. Assign privileged roles to the dedicated admin accounts only and remove privileged roles from daily-use accounts.
Compliance
NIST AC-5, NIST AC-6(2), MITRE T1078.004, CIS M365 1.1.1
EIDPIM-009 — Accounts Never Signed In with Active Privileged Role
Medium FAIL
Description
Accounts that hold privileged role assignments but have never signed in may represent provisioned-but-unclaimed accounts, test accounts, or migration artifacts. These dormant privileged accounts are high-risk targets because they may have default or weak credentials and are unlikely to be monitored by their intended owners. An attacker who discovers and authenticates as one of these accounts gains immediate privileged access.
Recommended
No privileged role assignments on accounts that have never signed in
Current Value
Not configured / Non-compliant
Remediation
Review all privileged role members and identify accounts with a null or empty lastSignInDateTime. Investigate each account to determine if it is still needed. Remove privileged role assignments from dormant accounts and disable any accounts that have no valid business purpose.
Compliance
NIST AC-2(3), MITRE T1078.004
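The three reviews above (EIDPIM-008, EIDPIM-013 and EIDPIM-009) all start from the same enumeration of privileged role members, so the following added example, which is not code from the report or from the tool that produced it, does that enumeration once with the Microsoft.Graph PowerShell SDK and flags all three conditions. It assumes the SDK is installed, the caller holds the listed Graph scopes, and the tenant has an Entra ID P1/P2 licence (required for signInActivity); the productivity-licence heuristic is this example's own assumption.

```powershell
# Added example; not code from the report or the tool that produced it.
# Enumerates active and PIM-eligible Entra ID role assignments through Microsoft Graph
# and flags disabled accounts (EIDPIM-008), dual-use accounts holding productivity
# plans (EIDPIM-013) and accounts that never signed in (EIDPIM-009).
# Assumes the Microsoft.Graph PowerShell SDK and Entra ID P1/P2 (needed for signInActivity).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are enumerated completely.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

function Get-PrivilegedAccountFindings {
    # Role definition id -> display name, so the findings are readable.
    $roleName = @{}
    foreach ($r in (Get-GraphCollection "$graph/roleManagement/directory/roleDefinitions")) {
        $roleName[$r.id] = $r.displayName
    }

    # Active assignments (permanent or currently activated) plus PIM-eligible ones.
    $assignments = @()
    foreach ($a in (Get-GraphCollection "$graph/roleManagement/directory/roleAssignments")) {
        $assignments += [pscustomobject]@{ Kind = 'Active'; PrincipalId = $a.principalId; RoleId = $a.roleDefinitionId }
    }
    foreach ($e in (Get-GraphCollection "$graph/roleManagement/directory/roleEligibilityScheduleInstances")) {
        $assignments += [pscustomobject]@{ Kind = 'Eligible'; PrincipalId = $e.principalId; RoleId = $e.roleDefinitionId }
    }

    # One pass over all users: signInActivity is returned for the users collection with $select.
    $users  = @{}
    $select = 'id,userPrincipalName,accountEnabled,signInActivity,assignedPlans'
    foreach ($u in (Get-GraphCollection "$graph/users?`$select=$select")) { $users[$u.id] = $u }

    foreach ($a in $assignments) {
        $u = $users[$a.PrincipalId]
        if (-not $u) { continue }   # group or service principal: review those separately

        $sia = $u.signInActivity
        $neverSignedIn = -not ($sia -and ($sia.lastSignInDateTime -or $sia.lastNonInteractiveSignInDateTime))

        # EIDPIM-013 heuristic (assumption): an enabled Exchange, SharePoint or Teams plan
        # means the account is also used for daily productivity work.
        $productivity = @($u.assignedPlans | Where-Object {
            $_.capabilityStatus -eq 'Enabled' -and $_.service -match 'exchange|sharepoint|teams'
        })

        [pscustomobject]@{
            User          = $u.userPrincipalName
            Role          = $roleName[$a.RoleId]
            Kind          = $a.Kind
            Disabled      = ($u.accountEnabled -eq $false)   # EIDPIM-008
            NeverSignedIn = $neverSignedIn                   # EIDPIM-009
            DualUse       = ($productivity.Count -gt 0)      # EIDPIM-013
        }
    }
}

$findings = Get-PrivilegedAccountFindings
$findings | Where-Object { $_.Disabled -or $_.NeverSignedIn -or $_.DualUse } |
    Sort-Object Role, User | Format-Table -AutoSize
```

Principals that are groups or service principals are skipped here; role-assignable groups still need their own membership review.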
EIDPIM-014 — Privileged Role Assignment Notification Settings
Medium FAIL
Description
Notifications should be configured to alert security personnel when privileged roles are activated or permanently assigned. Without proper notification settings, unauthorized privilege escalation or role activation can go undetected, allowing attackers or malicious insiders to operate with elevated permissions without triggering any alerts. Notification settings are a critical detective control that complements preventive PIM configurations.
Recommended
Notifications enabled for all privileged role activations and new permanent assignments, sent to designated security operations contacts
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Roles and administrators > Settings for each privileged role. Under the Notification tab, ensure notifications are enabled for role activation, permanent assignment, and eligible assignment events. Configure notification recipients to include the security operations team distribution list. Verify notifications are being received by performing a test activation.
Compliance
NIST AU-5, NIST SI-4, MITRE T1078.004
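Reviewing every role's settings page by hand (EIDPIM-010 and EIDPIM-014 above) does not scale, so the following added example, which is not code from the report or from the tool that produced it, reads the PIM role-management policy bound to each directory role through Microsoft Graph and evaluates the approval, justification, activation-duration and admin-notification settings. It assumes the Microsoft.Graph PowerShell SDK and Entra ID P2; the rule ids are the documented built-in ids of the unifiedRoleManagementPolicyRule resource.

```powershell
# Added example; not code from the report or the tool that produced it.
# Evaluates the EIDPIM-010 activation settings and the EIDPIM-014 admin notifications
# for every directory role from its PIM role-management policy.
# Assumes the Microsoft.Graph PowerShell SDK and Entra ID P2 (PIM).
Connect-MgGraph -Scopes 'RoleManagementPolicy.Read.Directory', 'RoleManagement.Read.Directory' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

function Test-NotificationRule {
    # True when a notification rule will actually reach someone.
    param($Rule)
    if (-not $Rule -or $Rule.notificationLevel -eq 'None') { return $false }
    return [bool]$Rule.isDefaultRecipientsEnabled -or (($Rule.notificationRecipients | Measure-Object).Count -gt 0)
}

function Get-PimRoleSettingFindings {
    param([int]$MaxActivationHours = 8)   # the report's recommended ceiling

    # Role definition id -> display name.
    $roleName = @{}
    $uri = "$graph/roleManagement/directory/roleDefinitions"
    do {
        $p = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($r in $p.value) { $roleName[$r.id] = $r.displayName }
        $uri = $p.'@odata.nextLink'
    } while ($uri)

    # One policy assignment per directory role at tenant scope; the rules are expanded inline.
    $filter = [uri]::EscapeDataString("scopeId eq '/' and scopeType eq 'DirectoryRole'")
    $uri = "$graph/policies/roleManagementPolicyAssignments?`$filter=$filter&`$expand=policy(`$expand=rules)"
    do {
        $p = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($pa in $p.value) {
            $rules = @{}
            foreach ($rule in $pa.policy.rules) { $rules[$rule.id] = $rule }

            # *_EndUser_Assignment rules govern activation of an eligible assignment.
            $approval   = $rules['Approval_EndUser_Assignment']
            $enablement = $rules['Enablement_EndUser_Assignment']
            $expiration = $rules['Expiration_EndUser_Assignment']

            $approvalRequired      = [bool]$approval.setting.isApprovalRequired
            $justificationRequired = [bool]($enablement.enabledRules -contains 'Justification')

            # No expiration at all counts as an unlimited activation window.
            $maxHours = [double]::PositiveInfinity
            if ($expiration.isExpirationRequired -and $expiration.maximumDuration) {
                $maxHours = [System.Xml.XmlConvert]::ToTimeSpan($expiration.maximumDuration).TotalHours
            }

            # EIDPIM-014: admins (security operations) notified on activation, on a new
            # active assignment and on a new eligible assignment.
            $notifyActivation  = Test-NotificationRule $rules['Notification_Admin_EndUser_Assignment']
            $notifyAssignment  = Test-NotificationRule $rules['Notification_Admin_Admin_Assignment']
            $notifyEligibility = Test-NotificationRule $rules['Notification_Admin_Admin_Eligibility']

            [pscustomobject]@{
                Role                  = $roleName[$pa.roleDefinitionId]
                ApprovalRequired      = $approvalRequired
                JustificationRequired = $justificationRequired
                MfaOnActivation       = [bool]($enablement.enabledRules -contains 'MultiFactorAuthentication')
                MaxActivationHours    = $maxHours
                NotifyOnActivation    = $notifyActivation
                NotifyOnAssignment    = $notifyAssignment
                NotifyOnEligibility   = $notifyEligibility
                Compliant             = $approvalRequired -and $justificationRequired -and
                                        ($maxHours -le $MaxActivationHours) -and
                                        $notifyActivation -and $notifyAssignment -and $notifyEligibility
            }
        }
        $uri = $p.'@odata.nextLink'
    } while ($uri)
}

$results = Get-PimRoleSettingFindings
$results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```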
EIDPIM-001 — Global Administrator Enumeration
Info INFO
Description
The Global Administrator role grants unrestricted access to all Microsoft 365 and Entra ID services, making it the highest-privilege role in the tenant. Organizations should maintain a minimum of 2 and a maximum of 4 Global Administrators to balance operational resilience with least-privilege principles. Excessive Global Administrator assignments dramatically expand the attack surface for credential theft and tenant-wide compromise.
Recommended
2-4 Global Admins maximum
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Roles and administrators > Global Administrator and review all assigned users. Remove unnecessary permanent assignments and ensure no more than 4 accounts hold this role. Convert permanent assignments to PIM eligible assignments where possible.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles
Compliance
NIST AC-2, NIST AC-6(5), MITRE T1078.004, CIS M365 1.1.1
EIDPIM-002 — All Privileged Role Assignments
Info INFO
Description
A comprehensive inventory of all privileged role assignments including both permanent (active) and eligible (just-in-time) assignments is essential for understanding the privileged access landscape. This enumeration provides visibility into how many users hold elevated permissions and whether assignments follow the principle of least privilege. Regular review of this inventory helps identify role sprawl and over-provisioned accounts.
Recommended
All privileged role assignments documented and reviewed quarterly. Eligible assignments preferred over permanent
Current Value
Not configured / Non-compliant
Remediation
Review all role assignments in Entra ID > Roles and administrators for each privileged role. Document all permanent and eligible assignments with business justification. Establish a quarterly access review process to validate continued need for each assignment.
Compliance
NIST AC-2, NIST AC-6, MITRE T1078.004, CIS M365 1.1.3
EIDPIM-011 — PIM Eligible Role Activation History
Info INFO
Description
Reviewing PIM activation history provides insight into how frequently privileged roles are activated, by whom, with what justification, and for what duration. This audit trail is critical for detecting anomalous privileged access patterns such as activations outside business hours, activations without valid justification, or excessive activation frequency that may indicate a compromised account or insider threat.
Recommended
PIM activation logs reviewed regularly. All activations have valid business justification documented
Current Value
Not configured / Non-compliant
Remediation
Review PIM activation history via Entra ID > Roles and administrators > Audit logs filtered for PIM operations. Investigate any activations with unusual patterns including off-hours activations, activations by unfamiliar accounts, or activations with vague justifications. Establish a regular review cadence for PIM audit logs as part of security operations.
Compliance
NIST AU-3, NIST AU-6, MITRE T1078.004

Entra ID Tenant Configuration (13 checks, 9 failing)

EIDTNT-007 — Security Defaults Enabled/Disabled Status
Critical FAIL
Description
Security defaults provide a baseline set of identity security mechanisms including MFA registration requirements, MFA challenges for administrators, and blocking legacy authentication. Organizations using Conditional Access policies should have security defaults disabled to avoid conflicts, but tenants without Conditional Access that also have security defaults disabled have no baseline protection against common identity attacks. This check verifies that either security defaults or equivalent Conditional Access policies are actively protecting the tenant.
Recommended
Security defaults enabled for tenants without Conditional Access. For tenants with Conditional Access, security defaults disabled with equivalent or stronger CA policies in place
Current Value
Not configured / Non-compliant
Remediation
Check whether security defaults are enabled in Entra ID > Properties > Manage security defaults. If security defaults are disabled, verify that Conditional Access policies provide equivalent or stronger protection including MFA for all users, legacy authentication blocking, and MFA for administrative actions. If neither security defaults nor equivalent Conditional Access policies are in place, enable security defaults immediately as a baseline protection measure.
Compliance
NIST IA-2, NIST AC-2, MITRE T1078, CIS M365 1.1.1
EIDTNT-002 — User Settings Review
High FAIL
Description
Tenant-wide user settings control whether standard users can register applications, consent to applications accessing company data, create security groups, and read other users' directory information. Overly permissive user settings enable shadow IT, unauthorized application integrations, and group sprawl that expand the attack surface. These settings should be restricted to prevent standard users from performing actions that should require administrative oversight.
Recommended
Users cannot register applications, user consent restricted to verified publishers, group creation limited to authorized users
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > User settings and review each setting. Disable 'Users can register applications' to prevent uncontrolled app registration sprawl. Restrict user consent settings to allow consent only for apps from verified publishers with low-risk permissions. Limit who can create Microsoft 365 groups and security groups to designated administrators or group owners.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/UserSettings
Compliance
NIST AC-6, CIS M365 1.3
EIDTNT-003 — Guest User Access Restrictions
High FAIL
Description
Guest users are external identities invited to collaborate with the organization. By default, guest users may have overly broad visibility into the directory, including the ability to enumerate users, groups, and applications. Unrestricted guest access allows external parties to map the organization's identity structure, identify high-value targets, and gather intelligence for subsequent attacks. Guest permissions should be restricted to the minimum required for collaboration.
Recommended
Guest user access restricted to properties and memberships of their own directory objects only
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > External Identities > External collaboration settings and review the guest user access restrictions. Set guest user access to the most restrictive option that limits guests to properties and memberships of their own directory objects. Verify that guests cannot enumerate the full user list, group memberships, or application registrations by testing with a guest account.
Compliance
NIST AC-14, MITRE T1078.004, CIS M365 1.3.1
EIDTNT-005 — External Collaboration Settings
High FAIL
Description
External collaboration settings define the scope of domains from which guest users can be invited and which external organizations can collaborate with the tenant. Without domain restrictions, guests can be invited from any external organization, including competitors, sanctioned entities, or attacker-controlled tenants. Domain allowlists or blocklists should be configured to limit collaboration to approved partner organizations and prevent unauthorized external access.
Recommended
External collaboration restricted to specific allowed domains with a deny list for known high-risk domains
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > External Identities > External collaboration settings and configure collaboration restrictions. Implement either an allowlist of approved partner domains or a blocklist of known high-risk and competitor domains based on your organization's collaboration model. Review and update the domain list quarterly to reflect changes in partner relationships and ensure that collaboration restrictions align with data classification and information sharing policies.
Compliance
NIST AC-20, CIS M365 1.3.1
EIDTNT-006 — Azure B2B Cross-Tenant Access Policies
High FAIL
Description
Cross-tenant access policies provide granular control over how users authenticate and access resources when collaborating with external Entra ID tenants. Default cross-tenant access settings may allow broad inbound and outbound access that does not align with organizational security requirements. Properly configured cross-tenant access policies enable trusted B2B collaboration while preventing unauthorized access from untrusted tenants and controlling which users can access external resources.
Recommended
Default cross-tenant access policy set to block with explicit allow rules for approved partner tenants only
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > External Identities > Cross-tenant access settings and review the default inbound and outbound access settings. Configure the default policy to restrict both inbound and outbound access, then create organization-specific policies for approved partner tenants with appropriate access controls. Enable trust settings for partner tenants to accept their MFA claims and device compliance where appropriate, reducing authentication friction for trusted collaborations.
Reference
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/CrossTenantAccessSettings
Compliance
NIST AC-20, CIS M365 1.3.1
EIDTNT-011 — Diagnostic Settings for Audit and Sign-In Logs
High FAIL
Description
Entra ID generates audit logs and sign-in logs that are critical for security monitoring, incident investigation, and compliance reporting. Without diagnostic settings configured to export these logs to a durable storage location such as a Log Analytics workspace, Azure Storage account, or SIEM, logs are retained for only a limited period within Entra ID and may be unavailable during incident investigation. Attackers actively target logging configuration to disable or evade detection.
Recommended
All Entra ID log categories (audit, sign-in, non-interactive sign-in, service principal sign-in, managed identity sign-in, provisioning) exported to a Log Analytics workspace or SIEM
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > Monitoring > Diagnostic settings and create or verify a diagnostic setting that exports all log categories to a Log Analytics workspace, Azure Storage account, or Event Hub for SIEM ingestion. Ensure all available log categories are selected including audit logs, sign-in logs, non-interactive sign-in logs, service principal sign-in logs, managed identity sign-in logs, and provisioning logs. Verify that the destination storage has appropriate retention policies and access controls configured.
Compliance
NIST AU-2, NIST AU-3, NIST AU-6, MITRE T1562.008, CIS M365 3.1
EIDTNT-012 — Audit Log Retention Settings
High FAIL
Description
Audit log retention determines how long historical security events are available for investigation, compliance reporting, and forensic analysis. Insufficient retention periods may result in critical evidence being unavailable when investigating incidents that are discovered weeks or months after the initial compromise. Organizations should retain audit logs for at least 1 year to support incident response timelines and meet common regulatory requirements.
Recommended
Audit logs retained for a minimum of 1 year in an immutable storage location with at least 90 days immediately queryable
Current Value
Not configured / Non-compliant
Remediation
Review the retention settings on the Log Analytics workspace, Azure Storage account, or SIEM destination where Entra ID logs are exported. Configure retention for at least 365 days for all Entra ID log categories to support incident investigation and compliance requirements. Ensure that at least 90 days of logs are immediately queryable without restore operations, and implement immutable storage or write-once policies to prevent tampering with historical log data.
Compliance
NIST AU-11, CIS M365 3.1
EIDTNT-004 — Guest Invitation Restrictions
Medium FAIL
Description
Guest invitation settings control who can invite external users to the tenant, ranging from allowing any user to invite guests to restricting invitations to administrators only. Permissive invitation settings allow standard users to invite external parties without oversight, potentially introducing unvetted external identities with access to organizational resources. Invitation restrictions should align with the organization's external collaboration governance requirements.
Recommended
Guest invitations restricted to users with specific admin roles or guest inviter role, with no self-service guest access enabled
Current Value
Not configured / Non-compliant
Remediation
Navigate to Entra ID > External Identities > External collaboration settings and review the guest invite settings. Restrict guest invitations to users assigned the Guest Inviter role or specific administrator roles rather than allowing all members to invite. Disable the option for guests to invite other guests to prevent uncontrolled invitation chains and establish an approval workflow for guest invitation requests.
Compliance
NIST AC-14, CIS M365 1.3.1
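The settings behind EIDTNT-007, EIDTNT-002, EIDTNT-003 and EIDTNT-004 all live in two Graph objects (authorizationPolicy and identitySecurityDefaultsEnforcementPolicy), so they can be checked in one pass. The following added example, which is not code from the report or from the tool that produced it, does that with the Microsoft.Graph PowerShell SDK; it assumes the SDK is installed, and the guest role GUIDs are the documented well-known values of the guestUserRoleId property. Whether existing Conditional Access policies are truly equivalent to security defaults still needs a manual review, so the EIDTNT-007 check only confirms that one or the other is in place.

```powershell
# Added example; not code from the report or the tool that produced it.
# Evaluates the tenant-wide identity settings behind EIDTNT-007, EIDTNT-002,
# EIDTNT-003 and EIDTNT-004 against the report's recommended values.
# Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# Documented well-known guestUserRoleId values, most to least restrictive.
$GuestRoleNames = @{
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted (own objects only, recommended)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited (default: can enumerate some objects)'
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users'
}
$GuestRestricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Test-TenantIdentitySettings {
    $authz  = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authorizationPolicy" -OutputType PSObject
    $secDef = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy" -OutputType PSObject
    $caPols = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies" -OutputType PSObject).value
    $enabledCa = @($caPols | Where-Object { $_.state -eq 'enabled' })

    $perms = $authz.defaultUserRolePermissions
    # User consent is restricted when the legacy "any app, any permission" grant policy is
    # not assigned; the "...-low" policy is the verified-publisher / low-risk option.
    $consentPolicies = @($perms.permissionGrantPoliciesAssigned)
    $legacyConsent   = [bool]($consentPolicies -match 'microsoft-user-default-legacy')

    @(
        # EIDTNT-007: security defaults on, or Conditional Access policies in place instead.
        [pscustomobject]@{ Check = 'EIDTNT-007'; Setting = 'Security defaults / Conditional Access'
            Value = "securityDefaults=$($secDef.isEnabled) enabledCAPolicies=$($enabledCa.Count)"
            Pass  = [bool]$secDef.isEnabled -or ($enabledCa.Count -gt 0) }
        # EIDTNT-002: standard users cannot register apps, create groups or grant broad consent.
        [pscustomobject]@{ Check = 'EIDTNT-002'; Setting = 'Users can register applications'
            Value = $perms.allowedToCreateApps; Pass = -not $perms.allowedToCreateApps }
        [pscustomobject]@{ Check = 'EIDTNT-002'; Setting = 'Users can create security groups'
            Value = $perms.allowedToCreateSecurityGroups; Pass = -not $perms.allowedToCreateSecurityGroups }
        [pscustomobject]@{ Check = 'EIDTNT-002'; Setting = 'User consent grant policies'
            Value = ($consentPolicies -join ','); Pass = -not $legacyConsent }
        # EIDTNT-003: guests limited to properties and memberships of their own objects.
        [pscustomobject]@{ Check = 'EIDTNT-003'; Setting = 'Guest user access (guestUserRoleId)'
            Value = $GuestRoleNames[$authz.guestUserRoleId]; Pass = ($authz.guestUserRoleId -eq $GuestRestricted) }
        # EIDTNT-004: only admins and Guest Inviters (or nobody) can invite guests.
        [pscustomobject]@{ Check = 'EIDTNT-004'; Setting = 'Who can invite guests (allowInvitesFrom)'
            Value = $authz.allowInvitesFrom; Pass = ($authz.allowInvitesFrom -in @('none', 'adminsAndGuestInviters')) }
    )
}

Test-TenantIdentitySettings | Format-Table -AutoSize
```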
EIDTNT-013 — Notification Settings Audit
Medium FAIL
Description
Entra ID notification settings control who receives alerts for critical security events such as users at risk, weekly digest reports, and administrative notifications. Misconfigured notification settings may result in security alerts being sent to inactive mailboxes, former employees, or not being sent at all. Proper notification routing ensures that security-relevant events reach the appropriate personnel for timely investigation and response.
Recommended
All security notifications routed to active, monitored mailboxes belonging to current security operations personnel
Current Value
Not configured / Non-compliant
Remediation
Review notification settings across Entra ID including Identity Protection notification recipients, password reset notification settings, and technical notification contacts. Verify that all notification recipients are current employees with actively monitored mailboxes and update any references to former employees or inactive distribution lists. Configure notifications to be sent to a security operations distribution list rather than individual users to ensure continuity when personnel changes occur.
Compliance
NIST AU-5
EIDTNT-001 — Tenant-Wide Settings Export
Info INFO
Description
A comprehensive export of all tenant-wide configuration settings establishes a known-good baseline for change detection and disaster recovery. Without a documented baseline, it is impossible to determine whether current settings have drifted from their intended state or whether an attacker has modified tenant configuration to weaken security controls. This baseline should be captured at initial configuration and updated whenever authorized changes are made.
Recommended
Complete tenant configuration baseline exported and stored in a version-controlled repository with regular snapshots
Current Value
Not configured / Non-compliant
Remediation
Export all tenant-wide settings using Microsoft Graph API including authorization policies, authentication method policies, consent policies, cross-tenant access settings, and directory settings. Store the export in a secure, version-controlled repository and establish a scheduled process to capture periodic snapshots. Compare current settings against the baseline regularly to detect unauthorized or unintended configuration drift.
Compliance
NIST CM-2
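The baseline export and drift comparison described in EIDTNT-001, as an added example that is not code from the report or from the tool that produced it. It saves each of the named tenant-wide policies as a JSON file via Microsoft Graph and reports which ones differ from a stored baseline; it assumes the Microsoft.Graph PowerShell SDK, and the directory layout and file names are this example's own.

```powershell
# Added example; not code from the report or the tool that produced it.
# Exports the tenant-wide settings named in EIDTNT-001 to JSON (one file per setting)
# and compares a fresh export against a stored baseline to surface configuration drift.
# Assumes the Microsoft.Graph PowerShell SDK; paths below are this example's own layout.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# Setting name -> Graph path. Singletons return one object; collections return .value.
$TenantSettings = [ordered]@{
    authorizationPolicy         = 'policies/authorizationPolicy'
    authenticationMethodsPolicy = 'policies/authenticationMethodsPolicy'
    permissionGrantPolicies     = 'policies/permissionGrantPolicies'       # consent policies
    crossTenantAccessPolicy     = 'policies/crossTenantAccessPolicy'
    crossTenantAccessDefault    = 'policies/crossTenantAccessPolicy/default'
    securityDefaults            = 'policies/identitySecurityDefaultsEnforcementPolicy'
    directorySettings           = 'groupSettings'                          # directory settings
}

function Export-TenantBaseline {
    param([Parameter(Mandatory)][string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($name in $TenantSettings.Keys) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri "$graph/$($TenantSettings[$name])" -OutputType PSObject
        # Drop request metadata so identical settings serialise identically between runs.
        if ($resp.PSObject.Properties['@odata.context']) { $resp.PSObject.Properties.Remove('@odata.context') }
        $body = if ($resp.PSObject.Properties['value']) { @($resp.value) } else { $resp }
        $json = ConvertTo-Json -InputObject $body -Depth 25
        Set-Content -Path (Join-Path $OutDir "$name.json") -Value $json -Encoding utf8
    }
}

function Compare-TenantBaseline {
    # Emits one object per setting that is missing from, or differs from, the baseline.
    param([Parameter(Mandatory)][string]$BaselineDir, [Parameter(Mandatory)][string]$CurrentDir)
    foreach ($name in $TenantSettings.Keys) {
        $basePath = Join-Path $BaselineDir "$name.json"
        $currPath = Join-Path $CurrentDir "$name.json"
        if (-not (Test-Path $basePath)) {
            [pscustomobject]@{ Setting = $name; Status = 'MissingInBaseline'; Diff = $null }
            continue
        }
        if ((Get-Content -Raw $basePath) -eq (Get-Content -Raw $currPath)) { continue }
        # "<=" lines come from the baseline, "=>" lines from the current export.
        $diff = Compare-Object -ReferenceObject @(Get-Content $basePath) -DifferenceObject @(Get-Content $currPath)
        [pscustomobject]@{
            Setting = $name
            Status  = 'Drifted'
            Diff    = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject.Trim())" }) -join "`n"
        }
    }
}

# Usage: capture the baseline once and commit it to the repository, e.g.
#   Export-TenantBaseline -OutDir '.\baseline'
# then take a fresh snapshot on a schedule and compare it against that baseline.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Export-TenantBaseline -OutDir ".\snapshots\$stamp"
Compare-TenantBaseline -BaselineDir '.\baseline' -CurrentDir ".\snapshots\$stamp" | Format-List
```

Any drifted setting that has no matching change request is the signal the check is after; committing each snapshot keeps the history the check asks for.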
EIDTNT-008 — License Inventory and Utilization
Info INFO
Description
A comprehensive inventory of assigned licenses and their utilization rates provides visibility into available security features and identifies potential gaps where licensed capabilities are not being used. Organizations may be paying for advanced security features such as Entra ID P2, Microsoft Defender for Identity, or Microsoft Sentinel that are not fully deployed or configured. Understanding the license landscape ensures all purchased security capabilities are activated and utilized.
Recommended
All licenses inventoried with utilization tracking and all security-related licensed features fully deployed and configured
Current Value
Not configured / Non-compliant
Remediation
Review the license assignment summary in the Microsoft 365 admin center or Entra ID > Licenses > Overview. Identify security-relevant licenses such as Entra ID P1/P2, Microsoft Defender for Identity, and Microsoft 365 E5 Security. Verify that features included in each license are actively configured and deployed, and create a plan to activate any unused security capabilities that are already licensed.
Compliance
NIST CM-8
EIDTNT-009 — Administrative Unit Configuration
Info INFO
Description
Administrative units provide delegated administrative scope by grouping users, groups, and devices into logical containers with specific administrators assigned to manage only those objects. Without administrative units, delegated administrators may have broader access than intended, or administrative boundaries may not align with organizational structure. Properly configured administrative units enforce least-privilege delegation and prevent administrative overreach.
Recommended
Administrative units configured to align with organizational delegation model with restricted management administrative units used for sensitive objects
Current Value
Not configured / Non-compliant
Remediation
Review existing administrative unit configuration in Entra ID > Roles and administrators > Administrative units. Evaluate whether the current structure aligns with your organizational delegation requirements and whether sensitive objects such as privileged accounts are protected by restricted management administrative units. Create or modify administrative units as needed to ensure administrators can only manage objects within their designated scope.
Compliance
NIST AC-2
EIDTNT-010 — Custom Domain Configuration
Info INFO
Description
Custom domains registered in the tenant define the email address and sign-in suffixes used by the organization. Unverified or unauthorized domains may indicate misconfiguration or an attacker attempting to establish a presence in the tenant. Each custom domain should be verified through DNS records and periodically reviewed to ensure all domains are still owned by the organization and that DNS verification records remain intact.
Recommended
All custom domains verified, actively managed, and with DNS verification records intact
Current Value
Not configured / Non-compliant
Remediation
Review all custom domains registered in Entra ID > Custom domain names and verify that each domain is still owned by the organization and that DNS verification records are properly configured. Remove any domains that are no longer in use or that cannot be verified as organization-owned. Ensure that domain DNS registrations are protected with registrar locks and that domain expiration dates are monitored to prevent unintentional domain loss.
Compliance
NIST CM-8

Exchange Online Security (12 checks, 12 failing)

M365EXO-006 — DKIM/DMARC/SPF validation
Critical FAIL
Description
DKIM, DMARC, and SPF are email authentication protocols that verify sender identity and prevent domain spoofing. Without all three protocols properly configured, attackers can send emails that appear to originate from your organization's domain, enabling highly convincing phishing campaigns against employees, customers, and partners. Complete email authentication is a fundamental defense against business email compromise and domain impersonation.
Recommended
SPF record with -all (hard fail); DKIM signing enabled for all domains; DMARC policy set to reject or quarantine with aggregate reporting enabled
Current Value
Not configured / Non-compliant
Remediation
Verify that each organizational domain has a valid SPF record ending with -all (hard fail) that includes all authorized sending sources. Enable DKIM signing in Exchange Online for all custom domains and publish the DKIM CNAME records in DNS. Publish a DMARC record for each domain starting with a policy of none for monitoring, then progressively move to quarantine and finally reject once legitimate sending sources are confirmed, with aggregate reports configured for ongoing visibility.
Compliance
NIST SI-8, MITRE T1566.001, CIS M365 2.1.9
M365EXO-007 — Auto-forwarding policy
Critical FAIL
Description
Automatic email forwarding to external addresses is a common data exfiltration technique used by attackers after compromising a mailbox. An attacker can set up auto-forwarding rules to silently copy all incoming email to an external address, maintaining persistent access to sensitive communications even after their access is revoked. Organizations should block external auto-forwarding by default and audit any existing forwarding rules.
Recommended
External auto-forwarding blocked via anti-spam outbound policy; existing forwarding rules audited and approved
Current Value
Not configured / Non-compliant
Remediation
Configure the outbound spam filter policy to set automatic forwarding to 'Automatic - System-controlled' or 'Off' to block external auto-forwarding at the transport level. Audit all existing mailbox forwarding rules and SMTP forwarding configurations to identify any unauthorized external forwarding that may indicate compromise. Remove any unapproved forwarding rules and implement monitoring alerts to detect new forwarding rule creation using the unified audit log.
Compliance
NIST AC-4, MITRE T1114.003, CIS M365 2.1.6
M365EXO-001 — Anti-spam policy audit
High FAIL
Description
Anti-spam policies in Exchange Online Protection filter inbound and outbound email to block unsolicited messages and spam-based phishing campaigns. Misconfigured or default anti-spam settings may not provide adequate protection, allowing malicious emails to reach user inboxes. Customized spam filter policies with appropriate thresholds and actions are essential for reducing the volume of threats delivered to end users.
Recommended
Custom anti-spam policy with high confidence spam quarantined; bulk email threshold set to 6 or lower; outbound spam alerts enabled
Current Value
Not configured / Non-compliant
Remediation
Review all anti-spam policies in Exchange Online and ensure that high confidence spam and high confidence phishing are set to quarantine rather than deliver to junk folder. Configure the bulk email threshold to 6 or lower to catch aggressive bulk senders and enable notifications for outbound spam detection. Apply the custom policy to all recipient domains and verify that no user-level overrides are weakening the organizational policy.
Compliance
NIST SI-8, CIS M365 2.1.1
M365EXO-002 — Anti-phishing policy audit
High FAIL
Description
Anti-phishing policies use mailbox intelligence and impersonation detection to identify emails that spoof trusted senders or domains. Without properly configured anti-phishing policies, attackers can impersonate executives, partners, or trusted domains to conduct business email compromise and credential harvesting attacks. Advanced anti-phishing settings including user and domain impersonation protection are critical for defending against targeted phishing campaigns.
Recommended
User impersonation protection enabled for executives and VIPs; domain impersonation protection enabled for all organizational domains; mailbox intelligence enabled
Current Value
Not configured / Non-compliant
Remediation
Configure anti-phishing policies with impersonation protection for high-value targets including executives, finance team members, and IT administrators. Enable domain impersonation protection for all organizational domains and key partner domains, setting the action to quarantine impersonated messages. Enable mailbox intelligence and spoof intelligence with appropriate safety tips to warn users about potentially impersonated senders.
Compliance
NIST SI-8, MITRE T1566, CIS M365 2.1.2
M365EXO-003 — Anti-malware policy audit
High FAIL
Description
Anti-malware policies in Exchange Online scan email attachments for known malware, viruses, and malicious content before delivery. Default anti-malware settings may not block all dangerous file types, and certain attachment types commonly used in attacks such as executables and scripts may pass through without filtering. A comprehensive anti-malware policy with common attachment type filtering is essential to prevent malware delivery via email.
Recommended
Common attachment types filter enabled blocking executable and script file types; zero-hour auto purge enabled; admin notifications enabled for malware detection
Current Value
Not configured / Non-compliant
Remediation
Review the anti-malware policy and enable the common attachments filter to block dangerous file types including exe, vbs, js, ps1, bat, cmd, and other executable formats. Enable zero-hour auto purge (ZAP) to retroactively remove malware detected in already-delivered messages. Configure administrator notifications to alert the security team when malware is detected and verify that the policy is applied to all recipients in the organization.
Compliance
NIST SI-3, MITRE T1204, CIS M365 2.1.3
M365EXO-004 — Safe Attachments policy
High FAIL
Description
Safe Attachments in Microsoft Defender for Office 365 detonates email attachments in a sandbox environment to detect zero-day malware and advanced threats that signature-based scanning cannot identify. Without Safe Attachments enabled, novel malware variants delivered as email attachments may bypass traditional anti-malware filters. This defense layer is critical for organizations targeted by sophisticated adversaries using custom or polymorphic malware.
Recommended
Safe Attachments enabled in Dynamic Delivery mode for all users; global settings enabled for SharePoint, OneDrive, and Teams
Current Value
Not configured / Non-compliant
Remediation
Create or update the Safe Attachments policy to use Dynamic Delivery mode, which delivers the email body immediately while attachments are scanned, minimizing user impact while maintaining protection. Enable Safe Attachments for SharePoint, OneDrive, and Teams in the global settings to extend file detonation protection beyond email. Assign the policy to all users and monitor the Threat Explorer for detections to validate policy effectiveness.
Compliance
NIST SI-3, CIS M365 2.1.4
M365EXO-005 — Safe Links policy
High FAIL
Description
Safe Links in Microsoft Defender for Office 365 provides time-of-click URL verification to protect users from malicious links in email messages and Office documents. Attackers commonly use deferred phishing techniques where a URL is benign at delivery time but is changed to point to a malicious site after the email passes initial scanning. Without Safe Links, users clicking on these weaponized URLs after delivery are unprotected.
Recommended
Safe Links enabled for email and Office apps; URL rewriting enabled; do not allow click-through to malicious URLs; real-time scanning enabled
Current Value
Not configured / Non-compliant
Remediation
Configure a Safe Links policy that applies to all users with URL scanning enabled for email messages and Microsoft Office applications. Enable the setting to block users from clicking through to detected malicious URLs and turn on real-time URL scanning for suspicious links. Do not add broad URL exceptions to the do-not-rewrite list and review any existing exceptions to ensure they are still necessary and do not create security gaps.
Compliance
NIST SI-3, MITRE T1566.002, CIS M365 2.1.5
M365EXO-009 — Mailbox auditing enabled
High FAIL
Description
Mailbox auditing records actions performed on mailbox contents by the mailbox owner, delegates, and administrators, providing critical forensic evidence during security investigations. Although mailbox auditing is enabled by default in Microsoft 365, organizations may have disabled it for specific mailboxes or may not have verified that the default audit actions are sufficient. Without mailbox auditing, unauthorized mailbox access and data exfiltration cannot be detected or investigated.
Recommended
Mailbox auditing enabled for all mailboxes; default audit actions include MailItemsAccessed, Send, and SoftDelete for all logon types
Current Value
Not configured / Non-compliant
Remediation
Verify that mailbox auditing is enabled organization-wide by checking that the AuditDisabled parameter is set to False on all mailboxes. Review the audited actions for each logon type (Owner, Delegate, Admin) and ensure that critical actions such as MailItemsAccessed, Send, SoftDelete, HardDelete, and UpdateFolderPermissions are being recorded. For mailboxes that have audit disabled, re-enable auditing and investigate why it was disabled to rule out malicious tampering.
Compliance
NIST AU-2, NIST AU-3, CIS M365 3.1.1
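The M365EXO-009 remediation above, carried out as an added PowerShell example (not PSGuerrilla's own code or output). It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session with Organization Management rights, and audits only unless -Remediate is passed.

```powershell
# Added example (not PSGuerrilla's own code). Assumes ExchangeOnlineManagement is installed and
# Connect-ExchangeOnline has been run as an admin with Organization Management rights.
param([switch]$Remediate)

# 1. Organization-level switch. If this is True, per-mailbox audit settings are ignored entirely.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled organization-wide (AuditDisabled = True).'
    if ($Remediate) { Set-OrganizationConfig -AuditDisabled $false }
}

# 2. Actions the check expects per logon type. "Send" exists only for Owner and Admin;
#    for Delegate the equivalent actions are SendAs and SendOnBehalf.
$Required = @{
    Owner    = 'MailItemsAccessed','Send','SoftDelete','HardDelete','UpdateFolderPermissions'
    Delegate = 'MailItemsAccessed','SendAs','SendOnBehalf','SoftDelete','HardDelete','UpdateFolderPermissions'
    Admin    = 'MailItemsAccessed','Send','SoftDelete','HardDelete','UpdateFolderPermissions'
}

$props = 'AuditEnabled','AuditOwner','AuditDelegate','AuditAdmin','RecipientTypeDetails'
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties $props) {
    $missing = @{}
    foreach ($type in $Required.Keys) {
        $current = @($mbx."Audit$type")                       # e.g. $mbx.AuditOwner
        $gap = @($Required[$type] | Where-Object { $_ -notin $current })
        if ($gap.Count -gt 0) { $missing[$type] = $gap }
    }
    # An explicit AuditEnabled = False is the per-mailbox opt-out the check is looking for.
    if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
        [pscustomobject]@{
            Mailbox         = $mbx.UserPrincipalName
            Type            = $mbx.RecipientTypeDetails
            AuditEnabled    = $mbx.AuditEnabled
            MissingOwner    = ($missing['Owner']    -join ',')
            MissingDelegate = ($missing['Delegate'] -join ',')
            MissingAdmin    = ($missing['Admin']    -join ',')
        }
    }
}
$findings | Format-Table -AutoSize

# 3. Remediate: re-enable auditing and add only the missing actions (existing ones are kept).
#    MailItemsAccessed and Send require a Purview Audit (Premium) license; Set-Mailbox rejects
#    them on other mailboxes, so failures are reported instead of aborting the loop.
if ($Remediate) {
    foreach ($f in $findings) {
        $p = @{ Identity = $f.Mailbox; AuditEnabled = $true; ErrorAction = 'Stop' }
        if ($f.MissingOwner)    { $p.AuditOwner    = @{ Add = ($f.MissingOwner    -split ',') } }
        if ($f.MissingDelegate) { $p.AuditDelegate = @{ Add = ($f.MissingDelegate -split ',') } }
        if ($f.MissingAdmin)    { $p.AuditAdmin    = @{ Add = ($f.MissingAdmin    -split ',') } }
        try   { Set-Mailbox @p }
        catch { Write-Warning "$($f.Mailbox): $($_.Exception.Message)" }
    }
}

# 4. Who disabled auditing? Look back 90 days for Set-Mailbox calls that set AuditEnabled to False,
#    which is the "investigate why it was disabled" step of the remediation.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations 'Set-Mailbox' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        $param = $d.Parameters | Where-Object { $_.Name -eq 'AuditEnabled' -and $_.Value -eq 'False' }
        if ($param) {
            [pscustomobject]@{ When = $d.CreationTime; Actor = $d.UserId; Mailbox = $d.ObjectId }
        }
    } | Format-Table -AutoSize
```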
M365EXO-011 — OAuth/SMTP AUTH per-mailbox audit
High FAIL
Description
Legacy authentication protocols such as SMTP AUTH allow mailbox authentication using only username and password, bypassing multi-factor authentication and Conditional Access controls. Attackers who obtain mailbox credentials through phishing or password spraying can use SMTP AUTH to access email without triggering MFA challenges. Disabling SMTP AUTH and legacy OAuth flows on mailboxes that do not require them closes a significant authentication bypass vector.
Recommended
SMTP AUTH disabled organization-wide with per-mailbox exceptions only for documented service accounts; legacy OAuth disabled
Current Value
Not configured / Non-compliant
Remediation
Disable SMTP AUTH at the organization level using Set-TransportConfig and then selectively enable it only for specific service account mailboxes that require it for application integration. Audit all mailboxes with SMTP AUTH enabled to verify there is a documented business justification and that the credentials are managed securely. Monitor sign-in logs for SMTP AUTH usage to detect potential credential abuse and plan migration of legacy applications to modern authentication methods.
Compliance
NIST IA-2, MITRE T1078, CIS M365 1.1.16
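The M365EXO-011 remediation above as an added PowerShell example (not PSGuerrilla's own code). It assumes an active Connect-ExchangeOnline session; the approved service-account list is a constructed placeholder, and the optional sign-in query additionally assumes Microsoft.Graph.Reports with AuditLog.Read.All.

```powershell
# Added example (not PSGuerrilla's own code). Assumes ExchangeOnlineManagement with an active
# Connect-ExchangeOnline session. Audits only unless -Remediate is passed.
param(
    [string[]]$ApprovedServiceAccounts = @('svc-mfp-scanner@contoso.example'),  # constructed placeholder
    [switch]$Remediate
)

# Effective SMTP AUTH state per mailbox = the per-mailbox value if set, else the org-wide value.
# Get-CASMailbox shows $null when the mailbox inherits from the organization.
$orgDisabled = [bool](Get-TransportConfig).SmtpClientAuthenticationDisabled
"Organization-wide SmtpClientAuthenticationDisabled: $orgDisabled"

$state = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $addr    = "$($cas.PrimarySmtpAddress)"
    $perMbx  = $cas.SmtpClientAuthenticationDisabled         # $true / $false / $null
    $enabled = if ($null -eq $perMbx) { -not $orgDisabled } else { -not $perMbx }
    [pscustomobject]@{
        Mailbox      = $addr
        Setting      = if ($null -eq $perMbx) { 'Inherit' } elseif ($perMbx) { 'Disabled' } else { 'Enabled' }
        SmtpAuthLive = $enabled
        Approved     = $addr -in $ApprovedServiceAccounts
    }
}

# Findings: (a) SMTP AUTH reachable on a mailbox with no documented justification;
#           (b) an approved service account that only works because the org default is permissive
#               and would break the moment the org-wide switch is set.
$unapproved = $state | Where-Object { $_.SmtpAuthLive -and -not $_.Approved }
$fragile    = $state | Where-Object { $_.Approved -and $_.Setting -ne 'Enabled' }
"Mailboxes with SMTP AUTH live but not approved: $(@($unapproved).Count)"
$unapproved | Format-Table Mailbox, Setting, SmtpAuthLive -AutoSize

if ($Remediate) {
    # 1. Pin the documented exceptions first so they survive the org-wide change.
    foreach ($f in $fragile) { Set-CASMailbox -Identity $f.Mailbox -SmtpClientAuthenticationDisabled $false }
    # 2. Clear per-mailbox "Enabled" overrides nobody documented ($null = inherit from the organization).
    foreach ($u in ($unapproved | Where-Object Setting -eq 'Enabled')) {
        Set-CASMailbox -Identity $u.Mailbox -SmtpClientAuthenticationDisabled $null
    }
    # 3. Flip the org-wide switch; every mailbox still inheriting is now disabled.
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

# Detection: Entra sign-in logs tag SMTP AUTH logons with clientAppUsed = "Authenticated SMTP".
# Successful logons from accounts outside the approved list are the credential-abuse signal the check describes.
try {
    Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'Authenticated SMTP'" -Top 500 |
        Where-Object { $_.Status.ErrorCode -eq 0 -and $_.UserPrincipalName -notin $ApprovedServiceAccounts } |
        Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName |
        Format-Table -AutoSize
} catch { Write-Warning "Sign-in log query skipped: $($_.Exception.Message)" }
```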
M365EXO-012 — Remote domains auto-forward setting
High FAIL
Description
Remote domain settings in Exchange Online control message formatting and out-of-office delivery to external domains, including whether auto-forwarding is permitted per domain. The default remote domain (*) may be configured to allow auto-forwarding, which overrides the outbound spam policy and enables data exfiltration through mailbox forwarding rules. This setting must be audited independently from the outbound spam filter to ensure consistent external forwarding controls.
Recommended
Auto-forwarding disabled on the default remote domain (*) and all custom remote domains unless explicitly required
Current Value
Not configured / Non-compliant
Remediation
Review the default remote domain (*) configuration and set AutoForwardEnabled to False to prevent automatic forwarding to all external domains. Audit any custom remote domain entries and disable auto-forwarding unless there is a documented business requirement for a specific partner domain. Verify that the remote domain settings align with the outbound spam policy auto-forwarding configuration to ensure consistent enforcement across both control layers.
Compliance
NIST AC-4, MITRE T1114.003
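The M365EXO-012 remediation above, including the alignment check against the outbound spam policy, as an added PowerShell example (not PSGuerrilla's own code). It assumes an active Connect-ExchangeOnline session; $ApprovedForwardingDomains is a constructed placeholder for partner domains with a documented requirement.

```powershell
# Added example (not PSGuerrilla's own code). Assumes an active Connect-ExchangeOnline session.
param([string[]]$ApprovedForwardingDomains = @(), [switch]$Remediate)

# Layer 1: remote domains. The default entry has DomainName "*" and covers every external domain
# that no custom entry matches.
$remoteFindings = Get-RemoteDomain | Where-Object {
    $_.AutoForwardEnabled -and $_.DomainName -notin $ApprovedForwardingDomains
} | Select-Object Name, DomainName, AutoForwardEnabled

# Layer 2: outbound spam policy. AutoForwardingMode is Off, On, or Automatic (Automatic currently behaves as Off).
# Forwarding only succeeds when both layers permit it; treat a permissive setting in either layer as a
# finding so that a later change to the other layer cannot silently open the path.
$spamFindings = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -eq 'On' } |
    Select-Object Name, AutoForwardingMode

# Layer 3 (what the controls protect against): forwarding already configured on mailboxes and inbox
# rules that send mail to domains the tenant does not own.
$accepted = (Get-AcceptedDomain).DomainName
function Test-ExternalAddress([string]$Text) {
    # Accepts "user@domain", "smtp:user@domain", or '"Name" [SMTP:user@domain]' as Get-InboxRule prints them.
    $m = [regex]::Match($Text, '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
    $m.Success -and ($m.Groups[1].Value -notin $accepted)
}

$allMbx = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, DeliverToMailboxAndForward
$mbxForwards = $allMbx |
    Where-Object { Test-ExternalAddress "$($_.ForwardingSmtpAddress)" } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# One Get-InboxRule call per mailbox; slow on large tenants but the only complete view.
$ruleForwards = foreach ($mbx in $allMbx) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { Test-ExternalAddress "$_" }
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo
}

"Remote domains permitting auto-forward:";        $remoteFindings | Format-Table -AutoSize
"Outbound spam policies permitting auto-forward:"; $spamFindings   | Format-Table -AutoSize
"Mailbox-level external forwarding:";              $mbxForwards    | Format-Table -AutoSize
"Inbox rules forwarding externally:";              $ruleForwards   | Format-Table -AutoSize

# Remediation closes both control layers; existing mailbox forwards and rules are left for
# investigation rather than removed blindly, since some may be legitimate and all are evidence.
if ($Remediate) {
    foreach ($r in $remoteFindings) { Set-RemoteDomain -Identity $r.Name -AutoForwardEnabled $false }
    foreach ($p in $spamFindings)   { Set-HostedOutboundSpamFilterPolicy -Identity $p.Name -AutoForwardingMode Off }
}
```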
M365EXO-008 — Transport rules inventory and analysis
Medium FAIL
Description
Exchange Online transport rules (mail flow rules) process email messages in transit and can modify headers, redirect messages, add disclaimers, or bypass security controls. Malicious or misconfigured transport rules can silently redirect email, strip security headers, or bypass spam filtering for specific senders. A comprehensive audit of all transport rules is necessary to identify rules that may weaken security or facilitate data exfiltration.
Recommended
All transport rules documented with business justification; no rules bypassing spam filtering or security controls without explicit approval
Current Value
Not configured / Non-compliant
Remediation
Export and review all Exchange Online transport rules, paying particular attention to rules that bypass spam filtering, redirect email to external addresses, or modify message headers. Remove or disable any rules that lack a documented business justification or that were created by accounts that have since been compromised or deprovisioned. Implement a change management process for transport rule creation and modification, and set up audit log alerts for transport rule changes.
Compliance
NIST AC-4
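The M365EXO-008 export-and-review step above as an added PowerShell example (not PSGuerrilla's own code). It assumes an active Connect-ExchangeOnline session; the export path and the flag labels are the example's own.

```powershell
# Added example (not PSGuerrilla's own code). Assumes an active Connect-ExchangeOnline session.
param([string]$ExportPath = "$env:TEMP\TransportRules")   # constructed placeholder
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null

# 1. Export: the re-importable XML collection plus a flat CSV for reviewers.
$rules = Get-TransportRule -ResultSize Unlimited
$xml = Export-TransportRuleCollection
[IO.File]::WriteAllBytes("$ExportPath\rules.xml", $xml.FileData)
$rules | Select-Object Name, State, Priority, WhenChanged, Description |
    Export-Csv "$ExportPath\rules.csv" -NoTypeInformation

# 2. Triage: flag the actions the check calls out (spam-filter bypass, external redirect, header changes).
$accepted = (Get-AcceptedDomain).DomainName
function Get-ExternalRecipients([object[]]$Recipients) {
    foreach ($r in @($Recipients)) {
        $m = [regex]::Match("$r", '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
        if ($m.Success -and $m.Groups[1].Value -notin $accepted) { $m.Value }
    }
}

$triage = foreach ($rule in $rules) {
    $flags = @()
    if ($rule.SetSCL -eq -1)  { $flags += 'BypassesSpamFilter(SCL=-1)' }
    if ($rule.DeleteMessage)  { $flags += 'SilentlyDeletes' }
    foreach ($action in 'RedirectMessageTo','BlindCopyTo','CopyTo') {
        $ext = @(Get-ExternalRecipients $rule.$action)
        if ($ext.Count) { $flags += "${action}->External:$($ext -join ';')" }
    }
    if ($rule.RemoveHeader)   { $flags += "RemovesHeader:$($rule.RemoveHeader)" }
    # Headers in the X-MS-Exchange-Organization-* namespace steer Exchange's own processing.
    if ($rule.SetHeaderName -like 'X-MS-Exchange-Organization-*') { $flags += "SetsOrgHeader:$($rule.SetHeaderName)" }
    if ($rule.State -eq 'Enabled' -and [string]::IsNullOrWhiteSpace($rule.Comments)) { $flags += 'NoJustificationComment' }
    if ($flags.Count) {
        [pscustomobject]@{
            Name = $rule.Name; Priority = $rule.Priority; State = $rule.State
            WhenChanged = $rule.WhenChanged; Flags = ($flags -join ' | ')
        }
    }
}
$triage | Sort-Object Priority | Format-Table -AutoSize

# 3. Provenance: who created or changed rules in the last 90 days, and does that account still exist?
#    A missing actor matches the "created by accounts since compromised or deprovisioned" case.
#    System-initiated entries (UserId not a user) will also show as missing; review those by hand.
$changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -RecordType ExchangeAdmin `
    -Operations 'New-TransportRule','Set-TransportRule','Enable-TransportRule','Disable-TransportRule' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When = $d.CreationTime; Operation = $d.Operation; Actor = $d.UserId; Rule = $d.ObjectId
            ActorStillExists = [bool](Get-User -Identity $d.UserId -ErrorAction SilentlyContinue)
        }
    }
$changes | Sort-Object When -Descending | Format-Table -AutoSize
```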
M365EXO-010 — External sender warnings
Medium FAIL
Description
External sender identification helps users recognize when an email originates from outside the organization, reducing the effectiveness of impersonation and social engineering attacks. Without visible external sender indicators, users may not distinguish between internal colleagues and external senders spoofing internal display names. Configuring external sender tags or mail tips provides a visual cue that prompts users to exercise additional caution.
Recommended
External sender tag or mail tip enabled to visually identify emails from external senders
Current Value
Not configured / Non-compliant
Remediation
Enable the external sender identification feature in the Exchange Online anti-phishing policy to display a visual indicator on emails from external senders. Consider implementing a transport rule that prepends '[External]' to the subject line of inbound emails from outside the organization as an additional visual warning. Communicate the change to end users and provide guidance on how to identify and respond to suspicious external emails.
Compliance
NIST SI-8, CIS M365 2.1.7

Intune / Endpoint Management (23 checks, 19 failing)

INTUNE-008 — Windows Defender/Antivirus policy audit
Critical FAIL
Description
Windows Defender Antivirus is the primary endpoint protection agent on Windows devices and must be properly configured to provide real-time protection, cloud-delivered protection, and sample submission. Disabled or weakened antivirus settings leave devices vulnerable to malware infections that can lead to data theft, ransomware, and lateral movement. Attackers frequently attempt to tamper with or disable antivirus as a first step in an attack chain.
Recommended
Real-time protection enabled, cloud-delivered protection enabled, automatic sample submission enabled, tamper protection enabled
Current Value
Not configured / Non-compliant
Remediation
Deploy an Intune antivirus policy that enforces real-time protection, cloud-delivered protection, automatic sample submission, and tamper protection on all managed Windows devices. Verify that PUA (Potentially Unwanted Application) protection is enabled and that scheduled scans are configured for at least weekly full scans. Monitor the Defender antivirus agent status across the fleet and investigate any devices reporting disabled protection or outdated definitions.
Compliance
NIST SI-3, MITRE T1562.001
INTUNE-010 — Endpoint Detection and Response configuration
Critical FAIL
Description
Endpoint Detection and Response (EDR) capabilities provided by Microsoft Defender for Endpoint enable advanced threat detection, investigation, and automated response on managed devices. Without EDR onboarding and proper sensor configuration, security teams lack visibility into sophisticated attacks that bypass traditional antivirus. EDR is critical for detecting fileless malware, living-off-the-land techniques, and advanced persistent threats.
Recommended
All managed devices onboarded to Defender for Endpoint with EDR in block mode; sample sharing and cloud protection enabled
Current Value
Not configured / Non-compliant
Remediation
Verify that all managed Windows devices are onboarded to Microsoft Defender for Endpoint through the Intune EDR policy and that the sensor health status shows as active. Enable EDR in block mode to provide additional blocking capabilities even when a third-party antivirus is the primary engine. Review the device inventory in the Defender portal to identify devices with sensor health issues and remediate connectivity or configuration problems preventing successful onboarding.
Compliance
NIST SI-4, MITRE T1562.001
INTUNE-018 — PowerShell script deployment audit
Critical FAIL
Description
Intune allows administrators to deploy PowerShell scripts to managed Windows devices, which execute with SYSTEM-level privileges by default. Malicious or poorly written scripts deployed through this channel can compromise device security, exfiltrate data, or install unauthorized software across the entire fleet. Every deployed script must be reviewed for security implications and tracked for authorized deployment.
Recommended
All deployed scripts reviewed and approved through change management; scripts run in user context where possible; script content documented
Current Value
Not configured / Non-compliant
Remediation
Audit all PowerShell scripts currently deployed through Intune and review their content for security risks such as hardcoded credentials, unrestricted remote downloads, or excessive permission changes. Ensure that scripts run in the user context rather than SYSTEM context wherever possible and that script execution is limited to the minimum required device scope. Implement a change management process for script deployment that includes peer review of script content and formal approval before production deployment.
Compliance
NIST CM-6, MITRE T1059.001
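The INTUNE-018 script audit above as an added PowerShell example (not PSGuerrilla's own code). It assumes Microsoft.Graph.Authentication and a Connect-MgGraph session with DeviceManagementConfiguration.Read.All, uses the Graph beta endpoint because deviceManagementScripts is not exposed in v1.0, and the pattern names and risk score are the example's own labels.

```powershell
# Added example (not PSGuerrilla's own code). Assumes Microsoft.Graph.Authentication is installed and
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' has been run.
$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts'

function Get-GraphCollection([string]$Uri) {
    # Follows @odata.nextLink paging and emits each item.
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Content heuristics taken from the remediation text: hardcoded credentials, unrestricted remote
# downloads, excessive permission changes. A hit means "read this script", not "this is malicious".
$Patterns = [ordered]@{
    HardcodedCredential = '(?i)ConvertTo-SecureString[^\n]*-AsPlainText|(password|secret|apikey)\s*=\s*["'']'
    RemoteDownload      = '(?i)Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b|\bwget\b'
    HttpNotHttps        = '(?i)\bhttp://'
    EncodedContent      = '(?i)-EncodedCommand|FromBase64String'
    PolicyWeakening     = '(?i)Set-ExecutionPolicy\s+(Unrestricted|Bypass)|Set-MpPreference[^\n]*-Disable|Add-MpPreference[^\n]*-Exclusion'
    PermissionChange    = '(?i)\bicacls\b|\btakeown\b|Set-Acl|Add-LocalGroupMember|net\s+localgroup'
}

$report = foreach ($s in Get-GraphCollection $base) {
    # The collection view omits the body; fetch each script to get scriptContent (base64).
    $detail  = Invoke-MgGraphRequest -Method GET -Uri "$base/$($s.id)"
    $content = if ($detail.scriptContent) {
        [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($detail.scriptContent))
    } else { '' }
    $hits = foreach ($k in $Patterns.Keys) { if ($content -match $Patterns[$k]) { $k } }

    # Scope: an "All devices" assignment is what turns one bad script into a fleet-wide incident.
    $targets    = Get-GraphCollection "$base/$($s.id)/assignments" | ForEach-Object { $_.target.'@odata.type' }
    $allDevices = $targets -contains '#microsoft.graph.allDevicesAssignmentTarget'

    [pscustomobject]@{
        Script         = $s.displayName
        RunAs          = $s.runAsAccount           # 'system' or 'user'; the check wants 'user' where possible
        SignatureCheck = $s.enforceSignatureCheck
        AllDevices     = $allDevices
        GroupTargets   = @($targets | Where-Object { $_ -eq '#microsoft.graph.groupAssignmentTarget' }).Count
        ContentFlags   = ($hits -join ',')
        LastModified   = $s.lastModifiedDateTime
        # Simple ordering aid: SYSTEM context + fleet-wide scope + each content hit.
        Risk           = [int]($s.runAsAccount -eq 'system') + [int]$allDevices + @($hits).Count
    }
}
$report | Sort-Object Risk -Descending | Format-Table -AutoSize
```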
INTUNE-023 — Multi-admin approval for destructive device actions
Critical FAIL
Description
Microsoft Intune supports multi-admin approval policies that require a second administrator to approve high-impact operations such as bulk device wipe, bulk device retire, and script deployments before they execute. Without multi-admin approval, a single compromised admin account can trigger mass device wipes across the entire organization. This check verifies that operation approval policies are configured to protect against destructive actions performed by a compromised or rogue admin account.
Recommended
Multi-admin approval enabled for destructive operations including bulk device wipe, bulk device retire, and script deployment actions
Current Value
Not configured / Non-compliant
Remediation
Navigate to Microsoft Intune admin center > Tenant administration > Multi-admin approval. Create an approval policy that requires a second admin to approve destructive operations. At minimum, enable approval for bulk device actions (Wipe, Retire, Delete), app deployments to large groups, and script deployments. Assign an approval group containing trusted senior administrators who will review and approve these requests. Consider implementing an expedited approval process for emergency scenarios.
Compliance
NIST AC-3, NIST AC-6, NIST CM-5, MITRE T1485, MITRE T1561, CIS 16.7
INTUNE-002 — Device compliance status overview
High FAIL
Description
The overall device compliance status indicates whether enrolled devices meet their assigned compliance policy requirements. A high percentage of non-compliant or not-evaluated devices signals enforcement gaps that could allow insecure devices to access corporate resources. Continuous monitoring of compliance status is essential for maintaining the security posture of the device fleet.
Recommended
95% or higher device compliance rate across all enrolled devices
Current Value
Not configured / Non-compliant
Remediation
Review the device compliance overview dashboard to identify the distribution of compliant, non-compliant, and not-evaluated devices. Investigate devices in a not-evaluated state to determine if they lack assigned policies or have sync issues preventing evaluation. Set up compliance status notifications and integrate with Conditional Access to block non-compliant devices from accessing corporate resources.
Compliance
NIST CM-6
INTUNE-003 — Non-compliant device enumeration
High FAIL
Description
Devices that fail compliance policy evaluation pose a direct risk to the organization by potentially lacking encryption, running outdated operating systems, or having disabled security features. Enumerating non-compliant devices and understanding the specific compliance failures enables targeted remediation. Without this visibility, insecure devices may continue accessing corporate data undetected.
Recommended
Zero non-compliant devices with access to corporate resources; all non-compliant devices should be blocked or in remediation
Current Value
Not configured / Non-compliant
Remediation
Generate a detailed report of non-compliant devices including the specific compliance settings that are failing for each device. Prioritize remediation of devices failing critical compliance checks such as encryption or antivirus requirements, and work with device owners to resolve issues. Configure actions for non-compliance in each compliance policy to mark devices as non-compliant after a grace period and integrate with Conditional Access to restrict resource access.
Compliance
NIST CM-6
INTUNE-006 — Windows Update for Business ring configuration
High FAIL
Description
Windows Update for Business rings control the cadence and deferral periods for quality and feature updates on managed Windows devices. Misconfigured update rings can result in devices running outdated builds with known vulnerabilities for extended periods. Properly staged update rings balance operational stability with timely security patching.
Recommended
Quality updates deferred no more than 7 days; feature updates deferred no more than 60 days; all rings assigned and actively delivering updates
Current Value
Not configured / Non-compliant
Remediation
Review all Windows Update for Business ring configurations and verify that quality update deferral periods do not exceed 7 days for security-critical rings. Ensure that at least a pilot and broad deployment ring exist with appropriate deferral staging. Monitor update compliance reports to identify devices that have not installed recent updates and investigate any update failures or stalled installations.
Compliance
NIST SI-2
INTUNE-007 — BitLocker encryption policy audit
High FAIL
Description
BitLocker drive encryption protects data at rest on Windows devices, preventing unauthorized access to the hard drive contents if a device is lost or stolen. Without a properly configured BitLocker policy, devices may store corporate data unencrypted, exposing sensitive information. The policy must enforce encryption on OS and fixed data drives with secure key recovery options.
Recommended
BitLocker enabled on all OS and fixed data drives with XTS-AES 256-bit encryption and Azure AD key escrow
Current Value
Not configured / Non-compliant
Remediation
Create or update the Intune endpoint protection profile to require BitLocker encryption on operating system and fixed data drives using XTS-AES 256-bit encryption. Configure recovery key escrow to Azure AD to ensure key recovery is possible and set the policy to silently enable encryption without user interaction. Monitor the encryption status report to identify devices that have not completed encryption and remediate any failures.
Compliance
NIST SC-28, CIS M365 1.1.17
INTUNE-009 — Attack Surface Reduction rules configuration
High FAIL
Description
Attack Surface Reduction (ASR) rules in Microsoft Defender block common attack techniques such as obfuscated scripts, Office macro exploitation, and credential theft from LSASS. Without ASR rules configured and enforced, endpoints remain vulnerable to well-known attack patterns that commodity malware and adversaries routinely exploit. Properly configured ASR rules significantly reduce the attack surface of Windows endpoints.
Recommended
All recommended ASR rules enabled in block mode; audit mode for newly deployed rules during testing
Current Value
Not configured / Non-compliant
Remediation
Review the current ASR rule configuration in Intune endpoint security and enable all Microsoft-recommended rules in at least audit mode. After a monitoring period to identify false positives, transition rules to block mode starting with high-impact rules such as blocking Office applications from creating child processes and blocking credential theft from LSASS. Configure ASR rule exclusions sparingly and only for documented business-critical applications, monitoring the ASR events report for ongoing effectiveness.
Compliance
NIST CM-7, MITRE T1059
INTUNE-011 — Application protection policies (MAM)
High FAIL
Description
Application protection policies (Mobile Application Management) control how corporate data is handled within managed applications on both enrolled and unenrolled devices. Without these policies, users can copy corporate data to personal applications, share files through unmanaged channels, or back up corporate data to personal cloud storage. MAM policies are essential for preventing data leakage on mobile devices.
Recommended
App protection policies applied to all managed apps on iOS and Android; cut/copy/paste restricted to managed apps; backup to unmanaged services blocked
Current Value
Not configured / Non-compliant
Remediation
Create application protection policies for both iOS and Android platforms targeting all Microsoft 365 and line-of-business applications that handle corporate data. Configure data protection settings to prevent cut/copy/paste to unmanaged applications, block backup to personal cloud services, and require app-level PIN or biometric authentication. Assign the policies to all users who access corporate data on mobile devices and monitor the app protection status report for non-compliant applications.
Compliance
NIST AC-19
INTUNE-015 — Disk encryption status
High FAIL
Description
Full disk encryption ensures that data stored on device drives is protected if the physical device is lost, stolen, or decommissioned. Devices without encryption enabled expose corporate data including cached credentials, documents, and email to physical theft attacks. Monitoring encryption status across the fleet identifies devices that have failed encryption or have not yet been encrypted.
Recommended
100% of managed devices reporting encryption enabled on all drives
Current Value
Not configured / Non-compliant
Remediation
Review the Intune encryption report to identify all devices that are not reporting full disk encryption as enabled. Investigate encryption failures, which may be caused by unsupported hardware, TPM issues, or policy conflicts, and resolve the underlying causes. For devices that cannot support encryption, evaluate whether they should be allowed to access corporate resources and consider blocking them through Conditional Access policies.
Compliance
NIST SC-28
INTUNE-016 — Firewall policy configuration
High FAIL
Description
The Windows Defender Firewall provides host-based network protection that blocks unauthorized inbound and outbound connections. Without a centrally managed firewall policy through Intune, individual devices may have inconsistent or disabled firewall settings, leaving them vulnerable to network-based attacks. Centralized firewall management ensures consistent protection across all managed endpoints regardless of network location.
Recommended
Windows Defender Firewall enabled for all profiles (Domain, Private, Public); block inbound connections by default; log dropped packets
Current Value
Not configured / Non-compliant
Remediation
Deploy an Intune endpoint security firewall policy that enables Windows Defender Firewall for Domain, Private, and Public network profiles with inbound connections blocked by default. Configure firewall rules for any required application exceptions and enable logging for dropped and successful connections. Monitor the firewall policy deployment status and investigate any devices reporting policy application errors or firewall disabled states.
Compliance
NIST SC-7
INTUNE-017 — Security baselines compliance
High FAIL
Description
Microsoft security baselines in Intune provide pre-configured groups of Windows settings recommended by Microsoft security teams, covering areas such as credential protection, browser security, and attack surface reduction. Devices that deviate from the security baseline have weakened security postures and may be vulnerable to known attack vectors. Monitoring baseline compliance identifies configuration drift and helps maintain a consistent security posture.
Recommended
90% or higher compliance with assigned security baselines; all conflict and error states resolved
Current Value
Not configured / Non-compliant
Remediation
Deploy the latest Microsoft security baseline profile for Windows and Defender for Endpoint to all managed devices and monitor the per-setting compliance status. Investigate settings reporting conflict or error states, as these often indicate competing policies that need to be reconciled. Address non-compliant settings by evaluating whether the deviation is due to a legitimate business requirement that warrants a documented exception or a configuration issue that should be corrected.
Compliance
NIST CM-6, NIST SI-2
INTUNE-021 — Remote actions audit (wipe, retire, lock)
High FAIL
Description
Intune remote actions such as wipe, retire, and remote lock are powerful device management capabilities that, if misused, can result in data loss or denial of service to legitimate users. Unauthorized or accidental remote wipes can destroy business-critical data on devices, while unaudited remote lock actions could indicate account compromise. All remote actions must be logged and reviewed for authorized use.
Recommended
All remote actions logged with operator identity; wipe actions require documented approval; audit logs reviewed weekly
Current Value
Not configured / Non-compliant
Remediation
Review the Intune audit logs for all remote action events including wipe, retire, remote lock, and passcode reset to identify any unauthorized or unusual activity. Implement an approval workflow for destructive remote actions such as full wipe that requires documented justification and secondary approval. Configure alert notifications for remote wipe actions to ensure security teams are immediately aware when devices are being wiped.
Compliance
NIST AU-6, NIST MP-6
INTUNE-005 — Configuration profile assignment analysis
Medium FAIL
Description
Configuration profiles are only effective when properly assigned to the correct device or user groups. Profiles assigned to overly broad groups may cause conflicts or apply settings to inappropriate devices, while narrowly assigned profiles may leave devices unconfigured. Analyzing assignment coverage ensures that security configurations reach all intended endpoints without conflicts.
Recommended
All security-critical profiles assigned to appropriate groups with no unassigned critical profiles and no conflicting assignments
Current Value
Not configured / Non-compliant
Remediation
Review the assignment status and target groups for each configuration profile, paying attention to profiles with errors or conflicts. Resolve any profile conflicts by adjusting assignments, merging similar profiles, or using filters to target specific device characteristics. Ensure security-critical profiles such as BitLocker, firewall, and antivirus settings are assigned to all applicable devices through comprehensive group membership.
Compliance
NIST CM-6
INTUNE-012 — Conditional launch settings
Medium FAIL
Description
Conditional launch settings within application protection policies define the conditions under which a managed application can be launched, such as minimum OS version, maximum allowed threat level, or jailbreak/root detection. Without these settings, compromised or outdated devices can access corporate data through managed applications even when the device itself is insecure. These controls provide a critical last line of defense for data protection.
Recommended
Block access on jailbroken/rooted devices; require minimum OS version; block access when device threat level is high
Current Value
Not configured / Non-compliant
Remediation
Review and update the conditional launch settings in each application protection policy to block app access on jailbroken or rooted devices. Configure minimum OS version requirements that align with vendor-supported versions and set maximum device threat level thresholds that integrate with your Mobile Threat Defense solution. Test the conditional launch settings with a pilot group before broad deployment to ensure that legitimate users are not inadvertently blocked.
Compliance
NIST AC-19
INTUNE-013 — Device enrollment restrictions
Medium FAIL
Description
Device enrollment restrictions control which device types, platforms, and OS versions are allowed to enroll in Intune management. Without proper restrictions, users could enroll personal devices running unsupported or vulnerable operating system versions, expanding the attack surface. Enrollment restrictions also prevent unauthorized device types from gaining access to corporate resources through device management.
Recommended
Block personally owned devices or limit to specific platforms; enforce minimum OS version requirements; limit per-user device enrollment count
Current Value
Not configured / Non-compliant
Remediation
Review the device enrollment restrictions in Intune and configure platform-specific restrictions that align with your organization's supported device policy. Set minimum operating system version requirements for each platform and configure the maximum number of devices a single user can enroll to prevent abuse. If corporate-owned device enrollment is preferred, block personally owned device enrollment and direct users to use app protection policies for BYOD scenarios.
Compliance
NIST IA-3
INTUNE-019 — Win32 app deployment security review
Medium FAIL
Description
Win32 application deployments through Intune package and distribute traditional desktop applications to managed devices. Improperly vetted applications may contain vulnerabilities, bundled malware, or excessive system modifications that weaken device security. Reviewing the Win32 app deployment catalog ensures that only approved and secure applications are distributed to the managed device fleet.
Recommended
All Win32 apps sourced from trusted vendors with documented approval; install commands reviewed for security implications
Current Value
Not configured / Non-compliant
Remediation
Review all Win32 applications deployed through Intune and verify that each application is sourced from a trusted vendor and has been approved through your software approval process. Examine the install and uninstall command lines for any suspicious parameters, script execution, or registry modifications that could weaken security. Implement an application review process that evaluates new Win32 app packages for security risks before deployment to production device groups.
Compliance
NIST CM-11
INTUNE-022 — OneDrive sync restrictions
Medium FAIL
Description
OneDrive sync client settings control how corporate files are synchronized between cloud storage and managed devices, and unrestricted sync can lead to corporate data being stored on unmanaged or non-compliant devices. Without domain restrictions on the sync client, users may sync corporate SharePoint and OneDrive content to personal devices outside of IT control. Proper sync restrictions prevent data leakage through unmanaged file synchronization.
Recommended
OneDrive sync restricted to domain-joined or Intune-managed devices; Known Folder Move enabled for backup; Files On-Demand enabled
Current Value
Not configured / Non-compliant
Remediation
Configure the OneDrive sync client through Intune to restrict synchronization to devices that are Azure AD joined or Intune managed using the tenant allow list. Enable Known Folder Move to automatically redirect Desktop, Documents, and Pictures to OneDrive for data protection and enable Files On-Demand to minimize local data storage. Block sync of personal OneDrive accounts on corporate devices if permitted by organizational policy to prevent data commingling.
Compliance
NIST AC-19
INTUNE-001 — Device compliance policy inventory
Info INFO
Description
Device compliance policies define the security baseline requirements that enrolled devices must meet, such as OS version, encryption, and password complexity. Without a comprehensive inventory of these policies, organizations cannot verify that all device platforms and user groups have adequate compliance requirements. Missing or incomplete policies leave devices ungoverned and potentially non-compliant.
Recommended
At least one compliance policy per supported platform (Windows, iOS, Android, macOS)
Current Value
Not configured / Non-compliant
Remediation
Review the current inventory of device compliance policies in the Intune admin center and verify that each supported platform has at least one policy assigned. Create compliance policies for any platforms that lack coverage, defining appropriate requirements for OS version, encryption, and device health. Assign policies to the appropriate user or device groups and ensure no devices fall outside of policy scope.
Compliance
NIST CM-8
INTUNE-004 — Configuration profile inventory
Info INFO
Description
Configuration profiles push security settings, restrictions, and feature configurations to enrolled devices. An incomplete inventory of configuration profiles can lead to security gaps where critical settings such as screen lock, Wi-Fi security, or certificate deployment are not applied. Understanding the full scope of configuration profiles is necessary for identifying coverage gaps across the device fleet.
Recommended
Documented inventory of all configuration profiles with clear naming conventions and assignment documentation
Current Value
Not configured / Non-compliant
Remediation
Export the complete list of configuration profiles from Intune and review each profile's purpose, platform target, and current assignment status. Identify any profiles that are unassigned, conflicting, or redundant and consolidate where appropriate. Establish a naming convention and documentation standard for all profiles to facilitate ongoing management and auditing.
Compliance
NIST CM-8
INTUNE-014 — Autopilot configuration
Info INFO
Description
Windows Autopilot provides a zero-touch deployment experience that ensures new devices are configured with the correct security baselines from first boot. A poorly configured or missing Autopilot deployment profile means new devices may be provisioned without critical security settings, creating a window of vulnerability. Reviewing Autopilot configurations ensures consistent and secure device provisioning.
Recommended
Autopilot deployment profile configured for all corporate devices with user-driven or self-deploying mode and Azure AD join
Current Value
Not configured / Non-compliant
Remediation
Review existing Autopilot deployment profiles and verify they are configured for Azure AD join with appropriate user-driven or self-deploying mode settings. Ensure that the Enrollment Status Page is enabled to prevent users from accessing the desktop before all critical policies and applications are installed. Verify that all corporate device hardware hashes are registered with the Autopilot service and assigned to the appropriate deployment profile.
Compliance
NIST CM-2
INTUNE-020 — Device categories and grouping
Info INFO
Description
Device categories and dynamic groups in Intune organize managed devices for targeted policy and application deployment. Without a structured categorization scheme, policies may be applied inconsistently, and critical security configurations could miss entire segments of the device population. Proper device grouping enables differentiated security postures for different device roles and user populations.
Recommended
Defined device categories aligned with organizational needs; dynamic groups based on device properties for automated policy targeting
Current Value
Not configured / Non-compliant
Remediation
Review and establish device categories that align with organizational device roles such as executive, standard user, kiosk, or shared device. Create dynamic device groups based on device properties including category, OS, ownership type, and compliance status for automated policy and application targeting. Verify that all policy assignments reference appropriate groups and that no devices fall outside of the grouping structure.
Compliance
NIST CM-8

Microsoft Teams Security (8 checks, 8 failing)

M365TEAMS-001 — External access settings
High FAIL
Description
External access (federation) in Microsoft Teams controls whether your users can chat and call with people in other Microsoft 365 organizations, with Teams personal (consumer) accounts, and with Skype consumer users. Open federation lets any external organization initiate chats and calls with your users, which gives phishing and social-engineering lures a trusted-looking delivery channel inside the Teams client. Limiting federation to specific trusted domains reduces the attack surface while preserving necessary business communication.
Recommended
External access limited to specific allowed domains rather than open federation; Skype consumer access disabled
Current Value
Not configured / Non-compliant
Remediation
Configure Teams external access to use a domain allow list containing only trusted partner organization domains rather than open federation with all external tenants. Disable communication with Skype consumer users and Teams personal accounts unless there is a specific business requirement. Review and update the allowed domain list quarterly to remove organizations that no longer require federation access.
Compliance
NIST AC-20, CIS M365 8.1.1
M365TEAMS-002 — Guest access settings
High FAIL
Description
Guest access in Microsoft Teams allows external users to be added to teams and channels, granting them access to conversations, files, and shared resources. Overly permissive guest settings can allow external users to create channels, modify team settings, or access sensitive content that should be restricted to internal users. Guest capabilities must be configured to provide the minimum necessary access for external collaboration.
Recommended
Guest access enabled with restricted capabilities; guests cannot create or update channels, participate in private chats, or share files without approval
Current Value
Not configured / Non-compliant
Remediation
Review the Teams guest access settings and restrict guest capabilities to prevent guests from creating or deleting channels, adding or removing apps, and sharing screen in meetings. Disable guest access entirely if external collaboration is not required, or configure it with the most restrictive settings that still support business needs. Implement Azure AD access reviews for Teams guest accounts to regularly validate that guest access is still appropriate.
Compliance
NIST AC-14, CIS M365 8.1.2
M365TEAMS-004 — Anonymous meeting join settings
High FAIL
Description
Anonymous meeting join allows anyone with a meeting link to join Teams meetings without authentication, making it impossible to verify the identity of participants. This setting is frequently exploited in meeting bombing attacks where uninvited participants join to disrupt meetings or eavesdrop on confidential discussions. Disabling anonymous join or requiring all participants to authenticate significantly improves meeting security.
Recommended
Anonymous meeting join disabled; all meeting participants required to authenticate; lobby enabled for unauthenticated users
Current Value
Not configured / Non-compliant
Remediation
Disable anonymous meeting join in the Teams meeting policy so that participants must sign in before joining. The org-wide meeting setting 'Anonymous users can join a meeting' sits above every meeting policy; when it is off, anonymous join is disabled tenant-wide regardless of policy, so check both places. If anonymous join must be allowed for specific use cases such as public webinars, create a separate meeting policy with anonymous join enabled and assign it only to the users who need it. Enable the lobby for all external and guest participants so that meeting organizers admit attendees manually.
Compliance
NIST AC-14, CIS M365 8.5.2
M365TEAMS-003 — External meeting participant settings
Medium FAIL
Description
External meeting participant settings control what capabilities external users have when joining Teams meetings hosted by your organization. Allowing external participants to have presenter roles, bypass the lobby, or share screens without restriction can lead to meeting hijacking, unauthorized content sharing, and sensitive information exposure. Restricting external participant capabilities reduces the risk of meeting disruption and data leakage.
Recommended
External participants default to attendee role; lobby bypass disabled for external users; screen sharing restricted to organizer and presenters only
Current Value
Not configured / Non-compliant
Remediation
Configure the global meeting policy to require external participants to wait in the lobby and default to the attendee role when admitted to meetings. Restrict screen sharing and content sharing to meeting organizers and designated presenters to prevent unauthorized content sharing by external attendees. Create specific meeting policies for different user groups if some departments require more permissive settings for regular external collaboration.
Compliance
NIST AC-20, CIS M365 8.5.1
M365TEAMS-005 — Recording and transcription policies
Medium FAIL
Description
Teams meeting recording and transcription features capture audio, video, and text content of meetings that may contain sensitive business discussions, strategic planning, or confidential information. Unrestricted recording capabilities allow any meeting participant to record conversations without other participants' awareness or consent. Recording and transcription policies must balance business needs with data protection and privacy compliance requirements.
Recommended
Cloud recording restricted to meeting organizers; automatic transcription requires consent; recordings stored in approved locations with appropriate retention
Current Value
Not configured / Non-compliant
Remediation
Configure the meeting policy to restrict cloud recording initiation to meeting organizers and co-organizers rather than all participants. Enable explicit recording consent so that participants must acknowledge a recording before it captures them, and configure automatic transcription settings to comply with privacy regulations in your jurisdiction. Review the storage location and retention policies for meeting recordings to ensure they are stored in a governed location with appropriate access controls and lifecycle management.
Compliance
NIST AU-2, CIS M365 8.5.5
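The three meeting checks above (M365TEAMS-003, -004 and -005) all land on the same object, the Global Teams meeting policy. The following PowerShell is an added example, not code from the PSGuerrilla report or from Microsoft: it compares the Global policy against the hardened values, applies them only where they differ, creates a separate policy for webinar hosts who legitimately need anonymous join, and reads the org-wide anonymous-join switch that overrides every policy. It assumes the MicrosoftTeams module and a Teams administrator session; the webinar policy name and host account are placeholders.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# MicrosoftTeams module; Connect-MicrosoftTeams prompts for a Teams admin.
Connect-MicrosoftTeams | Out-Null

# Hardened values for the org-wide default (Global) meeting policy.
$desired = @{
    AllowAnonymousUsersToJoinMeeting           = $false                               # 004
    AllowAnonymousUsersToStartMeeting          = $false                               # 004
    AutoAdmittedUsers                          = 'EveryoneInCompanyExcludingGuests'   # 003: guests and external users wait in the lobby
    AllowPSTNUsersToBypassLobby                = $false                               # 003: dial-in callers wait too
    DesignatedPresenterRoleMode                = 'OrganizerOnlyUserOverride'          # 003: everyone else joins as attendee
    AllowExternalParticipantGiveRequestControl = $false                               # 003: no screen-control hand-off to externals
    AllowCloudRecording                        = $true                                # 005: recording stays available ...
    ExplicitRecordingConsent                   = 'Enabled'                            # 005: ... but participants must consent first
}

$policy = Get-CsTeamsMeetingPolicy -Identity Global
$drift = foreach ($name in $desired.Keys) {
    if ("$($policy.$name)" -ne "$($desired[$name])") {
        [pscustomobject]@{ Setting = $name; Current = $policy.$name; Expected = $desired[$name] }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    # Splatting passes each hashtable key as the parameter of the same name.
    Set-CsTeamsMeetingPolicy -Identity Global @desired
} else {
    Write-Host 'Global meeting policy already matches the baseline.'
}

# Exception for public webinars: anonymous join allowed, but attendees still wait
# in the lobby and cannot present. Policy name and host UPN are placeholders.
$webinarPolicy = 'Meeting-WebinarAnonymousJoin'
if (-not (Get-CsTeamsMeetingPolicy -Identity $webinarPolicy -ErrorAction SilentlyContinue)) {
    New-CsTeamsMeetingPolicy -Identity $webinarPolicy `
        -AllowAnonymousUsersToJoinMeeting $true `
        -AutoAdmittedUsers 'OrganizerOnly' `
        -DesignatedPresenterRoleMode 'OrganizerOnlyUserOverride' | Out-Null
}
Grant-CsTeamsMeetingPolicy -Identity 'webinar.host@contoso.example' -PolicyName $webinarPolicy

# Tenant-wide kill switch: when DisableAnonymousJoin is True, no policy can re-enable anonymous join.
Get-CsTeamsMeetingConfiguration | Select-Object DisableAnonymousJoin
```

AllowCloudRecording is a per-user switch: it decides whether the user it is granted to may start a recording at all, so keeping recording to a small population is done by granting a recording-enabled policy only to those users, while limiting recording inside a given meeting to its organizer and co-organizers is set per meeting in the organizer's Meeting options. The drift check runs first so the script can be used read-only during an assessment by removing the Set-CsTeamsMeetingPolicy line.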
M365TEAMS-006 — Messaging policies (external communication)
Medium FAIL
Description
Teams messaging policies control user capabilities within chat and channel conversations, including the ability to communicate with external users through chat. Unrestricted messaging to external users enables data exfiltration through chat, file sharing, and link sharing without the visibility and controls applied to email communication. Messaging policies must be configured to prevent sensitive data leakage through the Teams chat channel.
Recommended
External chat limited to specific domains; URL preview disabled for external conversations; file sharing restricted in external chats
Current Value
Not configured / Non-compliant
Remediation
Review the Teams messaging policies and, through external access policies, restrict the ability to chat with external users to only those personnel who have a business need for cross-organization communication. Disable URL previews to prevent accidental data exposure through link expansion; note that the URL preview setting is per messaging policy and applies to every conversation for the users assigned that policy, not only external ones. Consider implementing DLP policies for Teams chat to detect and block sharing of sensitive information types in external conversations.
Compliance
NIST AC-20, CIS M365 8.2.1
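M365TEAMS-001 and M365TEAMS-006 are enforced by two layers that are easy to confuse: the tenant federation configuration (which domains the tenant as a whole may talk to) and the per-user external access policy (which users may use that door). The PowerShell below is an added example, not code from the PSGuerrilla report or from Microsoft, that sets both layers and the URL-preview setting. It assumes the MicrosoftTeams module and a Teams administrator session; the partner domains, the user list and the policy name are placeholders.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# MicrosoftTeams module and a Teams admin session. Domains, UPNs and the
# policy name below are placeholders.
Connect-MicrosoftTeams | Out-Null

$trustedPartners   = @('partner-a.example', 'partner-b.example')   # placeholder domains
$externalChatUsers = @('procurement.lead@contoso.example')          # placeholder UPNs

# 1. M365TEAMS-001: show the starting state, then replace open federation with a
#    domain allow list and cut off Skype consumer and Teams personal accounts.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowPublicUsers, AllowTeamsConsumer

$patterns  = $trustedPartners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 2. M365TEAMS-006: the tenant setting is the ceiling; the external access policy
#    decides which users may reach the allowed domains. Federation off in the
#    Global policy, on only in a named policy granted to users with a need.
Set-CsExternalAccessPolicy -Identity Global `
    -EnableFederationAccess $false -EnablePublicCloudAccess $false -EnableTeamsConsumerAccess $false

$fedPolicy = 'ExternalAccess-PartnerChat'   # placeholder name
if (-not (Get-CsExternalAccessPolicy -Identity $fedPolicy -ErrorAction SilentlyContinue)) {
    New-CsExternalAccessPolicy -Identity $fedPolicy `
        -EnableFederationAccess $true -EnablePublicCloudAccess $false -EnableTeamsConsumerAccess $false | Out-Null
}
foreach ($upn in $externalChatUsers) {
    Grant-CsExternalAccessPolicy -Identity $upn -PolicyName $fedPolicy
}

# 3. M365TEAMS-006: URL previews off. Caveat: AllowUrlPreviews is per messaging
#    policy, so it also disables previews in internal chats for the same users.
Set-CsTeamsMessagingPolicy -Identity Global -AllowUrlPreviews $false

# 4. Verify the exceptions hold the federation-enabled policy and nobody else does by default.
foreach ($upn in $externalChatUsers) {
    Get-CsOnlineUser -Identity $upn | Select-Object UserPrincipalName, ExternalAccessPolicy
}
```

Because the Global external access policy now has federation off, a user who is later removed from the named policy (or whose policy assignment is cleared) drops back to no external chat automatically, which is the fail-safe direction. The quarterly allow-list review from the remediation is then a matter of editing $trustedPartners and re-running step 1.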
M365TEAMS-007 — App permission policies
Medium FAIL
Description
Teams app permission policies control which third-party and custom applications can be installed and used within the Teams environment. Unrestricted app installation allows users to add third-party applications that may request excessive permissions, access corporate data, or introduce security vulnerabilities. App governance policies must balance user productivity with security by curating the available application catalog.
Recommended
Third-party apps restricted to an approved list; custom app uploads restricted to authorized developers; app permission requests reviewed by administrators
Current Value
Not configured / Non-compliant
Remediation
Configure the Teams app permission policy to block all third-party apps by default and selectively allow only approved applications that have been vetted by the security team. Restrict custom app sideloading to authorized developers and require all custom apps to go through an approval process before publication. Review the list of currently installed third-party apps, remove any that are unapproved or no longer needed, and audit the permissions each app has been granted. Note that Microsoft is replacing Teams app permission policies with app centralized management in the Teams admin center; in tenants that have migrated, the same allow and block decisions are made per app on the Manage apps page rather than in a permission policy.
Compliance
NIST CM-7, CIS M365 8.6.1
M365TEAMS-008 — File sharing settings in Teams
Medium FAIL
Description
File sharing within Microsoft Teams is backed by SharePoint Online and OneDrive, and the sharing settings determine how files shared in channels and chats can be accessed by internal and external users. Misconfigured file sharing settings can result in sensitive documents being accessible to guest users or through overly permissive sharing links generated from Teams. Aligning Teams file sharing settings with organizational data protection policies prevents unintended data exposure.
Recommended
File sharing with external users restricted to authenticated guests; cloud storage providers limited to OneDrive and SharePoint; external file sharing disabled in private channels
Current Value
Not configured / Non-compliant
Remediation
Review the Teams file sharing configuration and ensure that files shared in channels and chats inherit the SharePoint Online sharing restrictions configured at the organizational level. Disable third-party cloud storage integration (Citrix Files, Dropbox, Box, Google Drive, Egnyte) in Teams to prevent data from being uploaded to unmanaged storage services. Configure sensitivity labels for Teams and associated SharePoint sites to enforce file protection policies that persist when documents are shared or downloaded.
Compliance
NIST AC-21
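The third-party storage providers named in M365TEAMS-008 and the master switch for guest access in M365TEAMS-002 live on the same org-wide object, the Teams client configuration. The PowerShell below is an added example, not code from the PSGuerrilla report or from Microsoft: it prints the settings an assessor would flag, applies the corrected values, and, when guests stay enabled, trims the guest meeting, messaging and calling capabilities that are exposed tenant-wide. It assumes the MicrosoftTeams module and a Teams administrator session; the $guestsRequired decision is a placeholder.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# MicrosoftTeams module and a Teams admin session. $guestsRequired is a
# placeholder for the business decision on external collaboration.
Connect-MicrosoftTeams | Out-Null
$guestsRequired = $true

# Before: True for every provider means files can leave the tenant from inside
# the Teams client without passing through SharePoint or OneDrive controls.
Get-CsTeamsClientConfiguration -Identity Global |
    Select-Object AllowGuestUser, AllowDropBox, AllowBox, AllowGoogleDrive, AllowShareFile, AllowEgnyte

# After: third-party storage off (M365TEAMS-008); guest access only if needed (M365TEAMS-002).
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowGuestUser $guestsRequired `
    -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false `
    -AllowShareFile $false -AllowEgnyte $false      # AllowShareFile is the Citrix Files integration

if ($guestsRequired) {
    # Tenant-wide guest capability trims; these apply to every guest in every team.
    Set-CsTeamsGuestMeetingConfiguration   -Identity Global -ScreenSharingMode Disabled -AllowMeetNow $false
    Set-CsTeamsGuestMessagingConfiguration -Identity Global -AllowUserDeleteMessage $false -AllowGiphy $false -AllowMemes $false
    Set-CsTeamsGuestCallingConfiguration   -Identity Global -AllowPrivateCalling $false
}
```

Whether guests may create or update channels is a per-team setting (the team's guest permissions), not a tenant-wide one, so it is not covered here and has to be checked on each team, for example through the Graph API team settings or an access review of teams that contain guests.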

Power Platform Security (3 checks, 3 failing)

M365PP-001 — Environment creation restrictions
High FAIL
Description
By default, all users in a Microsoft 365 tenant can create new Power Platform environments, which spin up associated Dataverse databases and can host Power Apps and Power Automate flows with access to organizational data. Unrestricted environment creation leads to shadow IT sprawl where ungoverned applications are built with data connections that bypass IT security controls. Restricting environment creation to administrators ensures proper governance and prevents uncontrolled data exposure.
Recommended
Environment creation restricted to Global Admins and Power Platform Admins only; all production environments managed through a formal provisioning process
Current Value
Not configured / Non-compliant
Remediation
Navigate to the Power Platform admin center and, under Settings > Tenant settings, set both 'Production environment assignments' and 'Trial environment assignments' to only specific admins (Global Administrators and Power Platform Administrators). Implement a formal request and provisioning process for new environments that includes security review, data classification, and DLP policy assignment before environment creation. Audit existing environments to identify and decommission any ungoverned environments that were created before restrictions were put in place.
Compliance
NIST CM-7, CIS M365 9.1
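The two tenant settings above can be set and audited from PowerShell, which is also the easiest way to produce the environment inventory the remediation asks for. The following is an added example, not code from the PSGuerrilla report or from Microsoft; it assumes the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform administrator account. The CreatedBy.userPrincipalName property path used for the inventory is an assumption about the module's output shape.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# Microsoft.PowerApps.Administration.PowerShell module and a Power Platform admin.
Add-PowerAppsAccount

# Both settings map to "Production environment assignments" and "Trial environment
# assignments" in the admin center; True means only admins can create.
Get-TenantSettings |
    Select-Object disableEnvironmentCreationByNonAdminUsers, disableTrialEnvironmentCreationByNonAdminUsers

$requestBody = [pscustomobject]@{
    disableEnvironmentCreationByNonAdminUsers      = $true   # production and sandbox
    disableTrialEnvironmentCreationByNonAdminUsers = $true   # trials
}
Set-TenantSettings -RequestBody $requestBody | Out-Null

# Inventory for the clean-up step: every non-default environment, who created it
# and when, oldest first, so shadow environments created before the restriction
# surface at the top. CreatedBy.userPrincipalName is an assumed property path.
Get-AdminPowerAppEnvironment |
    Where-Object { -not $_.IsDefault } |
    Select-Object DisplayName, EnvironmentType, CreatedTime,
                  @{ Name = 'CreatedBy'; Expression = { $_.CreatedBy.userPrincipalName } } |
    Sort-Object CreatedTime |
    Format-Table -AutoSize
```

Restricting creation does nothing to environments that already exist, which is why the inventory matters: each row created by a non-admin before the change is a candidate for the decommissioning review, and each one kept needs a DLP policy assigned (M365PP-002) before it is considered governed.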
M365PP-002 — DLP policy configuration
High FAIL
Description
Data Loss Prevention policies for Power Platform control which connectors can be used together within Power Apps and Power Automate flows, preventing unauthorized data movement between business and non-business data sources. Without DLP policies, users can create flows that automatically transfer corporate data from SharePoint, Dynamics 365, or Azure SQL to personal email, social media, or third-party cloud storage. DLP connector classification is the primary mechanism for preventing data exfiltration through citizen-developed applications.
Recommended
Tenant-level DLP policy classifying business-critical connectors (SharePoint, Outlook, Dataverse) as Business and blocking their combination with non-business connectors; environment-level policies for specific use cases
Current Value
Not configured / Non-compliant
Remediation
Create a tenant-level DLP policy that classifies all connectors containing corporate data (such as SharePoint, Outlook, Dataverse, Azure SQL, and OneDrive) in the Business group and moves known non-business connectors to the Blocked group. Review the default connector classification to ensure that newly released connectors are automatically placed in the Non-Business group until reviewed and approved. Create environment-specific DLP policies for environments that require access to additional connectors beyond the tenant-level policy, ensuring they are at least as restrictive as the tenant policy.
Compliance
NIST AC-4, CIS M365 9.2
M365PP-003 — Tenant isolation settings
High FAIL
Description
Power Platform tenant isolation controls whether connectors in your tenant can establish connections to other Azure AD tenants, and whether other tenants can connect to yours. Without tenant isolation, users can create flows and apps that connect to external organizations' data sources, and external organizations can build automations that access your tenant's resources. Enabling tenant isolation prevents unauthorized cross-tenant data flows that could result in data leakage or supply chain compromise.
Recommended
Tenant isolation enabled with inbound and outbound restrictions; allow-listed exceptions only for approved partner tenants
Current Value
Not configured / Non-compliant
Remediation
Enable Power Platform tenant isolation in the Power Platform admin center to restrict both inbound and outbound cross-tenant connections by default. Configure an allow list of specific trusted partner tenant IDs that require cross-tenant connectivity for legitimate business scenarios. Review the allow list quarterly to remove tenants that no longer require cross-tenant access and monitor the audit logs for any cross-tenant connection attempts that are being blocked by the isolation policy.
Compliance
NIST AC-20, CIS M365 9.3

SharePoint & OneDrive Security (5 checks, 5 failing)

M365SPO-001 — External sharing settings
High FAIL
Description
SharePoint Online external sharing settings control whether and how content can be shared with users outside the organization. Overly permissive sharing settings such as allowing anonymous sharing links can lead to uncontrolled data exposure and make it impossible to track who has accessed corporate content. Restricting external sharing to authenticated guests with verified identities is essential for maintaining data governance.
Recommended
External sharing limited to existing guests or new and existing guests with authentication required; anonymous sharing links disabled
Current Value
Not configured / Non-compliant
Remediation
Navigate to the SharePoint admin center sharing settings and configure the organization-level sharing to 'New and existing guests' or 'Existing guests only' based on your collaboration requirements. Disable anonymous access links (Anyone links) so that all external access requires authentication and can be attributed to a guest identity. Then review site-level sharing settings: the tenant value is a ceiling that caps every site, but a site whose own setting is looser than the intended baseline regains that level if the tenant setting is ever relaxed, so bring such sites in line rather than relying on the ceiling alone.
Compliance
NIST AC-21, CIS M365 7.2.1
M365SPO-005 — DLP policy configuration
High FAIL
Description
Data Loss Prevention policies in SharePoint Online and OneDrive detect and protect sensitive information such as personally identifiable information, financial data, and health records from being shared inappropriately. Without DLP policies, users can inadvertently share documents containing sensitive data with external users or through unmonitored channels. DLP policies provide automated detection, user notification, and blocking of sensitive data exposure.
Recommended
DLP policies configured for all regulated data types with user notifications and sharing blocks for external sharing of sensitive content
Current Value
Not configured / Non-compliant
Remediation
Create DLP policies targeting SharePoint Online and OneDrive locations that detect sensitive information types relevant to your regulatory requirements such as PII, PCI, or HIPAA data. Configure policy rules to display user notifications with guidance on proper handling when sensitive content is detected, and block external sharing of documents containing high-sensitivity data. Enable incident reports to notify the compliance team of policy matches and review the DLP activity reports to tune policy accuracy and reduce false positives.
Compliance
NIST AC-4, NIST SC-7
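The remediation above describes a policy, a rule with a sensitive information type condition, a user notification, an external-sharing block and an incident report. The PowerShell below is an added example, not code from the PSGuerrilla report or from Microsoft, that builds exactly that in test mode first so the false-positive tuning step can happen before enforcement. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession opens the Security & Compliance endpoint) and a compliance administrator; the policy name, the alert mailbox and the choice of sensitive information types are placeholders.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# ExchangeOnlineManagement module; Connect-IPPSSession targets Security &
# Compliance PowerShell. Names, recipients and SIT choices are placeholders.
Connect-IPPSSession

$policyName = 'SPO-OneDrive-External-Sensitive'   # placeholder

# Scope: all SharePoint and OneDrive locations. Test mode with notifications
# delivers policy tips and incident reports without blocking anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications | Out-Null

# Rule: a document holding card or SSN data shared outside the organization
# tips the owner, blocks the external users, and reports to the compliance team.
New-DlpComplianceRule -Name "${policyName}-BlockExternal" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This file contains regulated data and cannot be shared outside the organization.' `
    -BlockAccess $true -BlockAccessScope PerUser `
    -GenerateIncidentReport 'dlp-alerts@contoso.example' `
    -IncidentReportContent All `
    -ReportSeverityLevel High | Out-Null

Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, SharePointLocation, OneDriveLocation

# Once the test-mode reports show acceptable precision, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

BlockAccessScope PerUser is the setting that matches the check's intent: it revokes the external users' access while internal collaborators keep theirs, whereas All would cut off everyone except the owner, last modifier and site admin. AccessScope NotInOrganization keeps the rule from firing on purely internal sharing, which is where most of the false positives would otherwise come from.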
M365SPO-002 — Guest access expiration
Medium FAIL
Description
Guest access to SharePoint and OneDrive content without an expiration policy leads to perpetual external access that is rarely reviewed or revoked. Former partners, vendors, and collaborators may retain access to sensitive corporate content long after the business relationship has ended. Configuring automatic guest access expiration ensures that external sharing is time-limited and requires periodic re-authorization.
Recommended
Guest access expiration set to 30-90 days; sharing links expire within 30 days
Current Value
Not configured / Non-compliant
Remediation
Configure the guest access expiration policy in the SharePoint admin center to automatically expire guest permissions after 30 to 90 days based on organizational data sensitivity requirements; a guest whose access has lapsed must be explicitly re-granted access by a site owner. Set the expiration for Anyone (anonymous) links to a maximum of 30 days, noting that this tenant-level link expiration applies only to Anyone links, so guest access expiration is the control that bounds authenticated external access. Implement a recurring guest access review process to audit active external sharing and remove access that is no longer needed.
Compliance
NIST AC-2(3), CIS M365 7.2.3
M365SPO-003 — Default sharing link type
Medium FAIL
Description
The default sharing link type determines the initial permission level when users create sharing links, and a permissive default increases the likelihood of accidental oversharing. If the default is set to 'Anyone' or 'People in your organization', users may inadvertently share sensitive documents with a broader audience than intended. Setting the default to 'Specific people' ensures users make a conscious choice about who receives access to shared content.
Recommended
Default sharing link type set to 'Specific people' with 'View' permission level
Current Value
Not configured / Non-compliant
Remediation
Set the default sharing link type to 'Specific people' in the SharePoint admin center to require users to explicitly specify recipients when sharing. Configure the default link permission to 'View' rather than 'Edit' to enforce a least-privilege approach to shared content. Educate users on the differences between sharing link types and the importance of selecting the most restrictive link type appropriate for their sharing scenario.
Compliance
NIST AC-3, CIS M365 7.2.2
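M365SPO-001, -002 and -003 are all properties of the SharePoint Online tenant object, and the site-level review from M365SPO-001 is a query over the same module. The PowerShell below is an added example, not code from the PSGuerrilla report or from Microsoft: it applies the three checks as one tenant baseline and then lists sites whose own sharing level is looser than that baseline. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator; the admin URL and the day counts are placeholders.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin.
# The admin URL and the day counts are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# M365SPO-001: "New and existing guests". Anyone links are not possible at this level.
$baseline = 'ExternalUserSharingOnly'

$tenantSettings = @{
    SharingCapability                 = $baseline
    OneDriveSharingCapability         = $baseline   # OneDrive may not be looser than SharePoint
    ExternalUserExpirationRequired    = $true       # M365SPO-002: guest permissions lapse ...
    ExternalUserExpireInDays          = 60          # ... after 60 days unless renewed
    RequireAnonymousLinksExpireInDays = 30          # only relevant to Anyone links, should they ever be re-enabled
    DefaultSharingLinkType            = 'Direct'    # M365SPO-003: "Specific people"
    DefaultLinkPermission             = 'View'      # M365SPO-003: view, not edit
    PreventExternalUsersFromResharing = $true
}
Set-SPOTenant @tenantSettings

# Site-level review. The tenant value is a ceiling: a site set looser than the
# baseline is capped today but regains that level the moment the tenant setting
# is relaxed, so list those sites and bring them in line.
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}
Get-SPOSite -Limit All |
    Where-Object { $rank[[string]$_.SharingCapability] -gt $rank[$baseline] } |
    Select-Object Url, SharingCapability, Owner |
    Format-Table -AutoSize
```

Tightening SharingCapability does not revoke Anyone links that already exist, so after the change the remaining work is to find and remove them (or let RequireAnonymousLinksExpireInDays age them out where it applied when they were created). Running the script with the Set-SPOTenant line removed gives the read-only assessment view.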
M365SPO-004 — Site creation restrictions
Medium FAIL
Description
Unrestricted site creation in SharePoint Online allows any user to create new sites, teams, and associated resources without governance oversight. Uncontrolled site proliferation leads to inconsistent security settings, ungoverned data repositories, and difficulty enforcing classification and retention policies. Restricting site creation to authorized personnel or requiring an approval workflow ensures proper governance from the point of creation.
Recommended
Site creation restricted to authorized administrators or governed through an approval process; Microsoft 365 group creation restricted
Current Value
Not configured / Non-compliant
Remediation
Restrict self-service site creation in the SharePoint admin center by disabling the ability for users to create new sites directly. Because every team and most modern sites are backed by a Microsoft 365 group, also restrict group creation to a designated security group through the Entra ID Group.Unified directory setting; otherwise users can still create sites by creating teams or groups. Implement a site provisioning request process that routes creation requests through an approval workflow ensuring appropriate classification, sharing settings, and ownership are established. If self-service creation must be allowed, configure default sensitivity labels and sharing policies that are automatically applied to newly created sites.
Compliance
NIST CM-6, CIS M365 7.2.4

Unified Audit & Logging (3 checks, 3 failing)

M365AUDIT-001 — Unified Audit Log enabled
Critical FAIL
Description
The Microsoft 365 Unified Audit Log records user and administrator activities across Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, and other services, providing the foundational data source for security investigations. If unified auditing is disabled, the organization loses visibility into critical activities such as mailbox access, file sharing, permission changes, and administrative operations. Disabling the audit log is a known adversary technique used to cover tracks after compromising a tenant.
Recommended
Unified Audit Log enabled organization-wide with no per-user or per-mailbox overrides disabling auditing
Current Value
Not configured / Non-compliant
Remediation
Verify that unified audit logging is enabled by running Get-AdminAuditLogConfig and confirming that UnifiedAuditLogIngestionEnabled is set to True. If auditing is disabled, enable it immediately and investigate the audit history to determine when and by whom it was disabled, as this may indicate a security compromise. Set up a monitoring alert to detect any future attempts to disable the unified audit log and restrict the permissions required to modify audit log settings to a minimal set of trusted administrators.
Compliance
NIST AU-2, NIST AU-3, MITRE T1562.008, CIS M365 3.1.1
M365AUDIT-002 — Audit log retention policy
High FAIL
Description
By default, Microsoft 365 retains audit log records for 180 days with Audit (Standard) and for one year with Audit (Premium), which may be insufficient for detecting long-running attacks or meeting regulatory compliance requirements. Advanced persistent threats may operate within an environment for months before detection, and without adequate log retention, the forensic evidence needed for investigation may have already been purged. Extending audit log retention ensures that historical activity data is available when needed.
Recommended
Audit log retention set to at least 365 days; priority activity types retained for longer periods; logs exported to external SIEM for long-term storage
Current Value
Not configured / Non-compliant
Remediation
Configure audit log retention policies in the Microsoft Purview compliance portal to retain all audit log records for at least 365 days, extending retention for high-priority record types such as MailItemsAccessed, FileAccessed, and UserLoggedIn. For organizations with Microsoft 365 E5 or equivalent licensing, configure 10-year retention policies for critical audit record types to support long-term forensic investigations; this requires the separate 10-Year Audit Log Retention add-on license. Implement log export to an external SIEM or log analytics platform such as Microsoft Sentinel for long-term storage and advanced correlation beyond the native retention period.
Compliance
NIST AU-11, CIS M365 3.1.2
M365AUDIT-003 — Audit log search capability
Medium FAIL
Description
The ability to effectively search and analyze audit log data is critical for security investigations, compliance audits, and incident response activities. Without verified search capability and trained personnel, audit log data that exists cannot be leveraged during time-sensitive security incidents. Organizations must ensure that audit log search tools are accessible, functional, and that response procedures include audit log analysis.
Recommended
Audit log search accessible to security team; search queries tested and documented for common investigation scenarios; SIEM integration operational
Current Value
Not configured / Non-compliant
Remediation
Verify that members of the security operations and incident response teams have the appropriate role assignments (Audit Logs or View-Only Audit Logs role) to search the unified audit log. Create and document standard search queries for common investigation scenarios such as mailbox compromise, unauthorized file access, and administrative privilege escalation. Test the audit log search functionality regularly and validate that SIEM integration is ingesting and indexing audit events correctly for automated detection and correlation.
Compliance
NIST AU-6
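M365AUDIT-001 and M365AUDIT-003 share the same tooling: the state check and the "who disabled it" investigation from the first are just one more of the documented search queries the third asks for. The PowerShell below is an added example, not code from the PSGuerrilla report or from Microsoft. It verifies and re-enables unified audit ingestion, wraps Search-UnifiedAuditLog in a paging helper, and runs a baseline set of hunts (audit tampering, mailbox compromise, privilege escalation, unauthorized file access) over a 30-day window. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs or View-Only Audit Logs role; the window length is a placeholder.

```powershell
# Added example (not from the PSGuerrilla report or Microsoft). Requires the
# ExchangeOnlineManagement module and the Audit Logs or View-Only Audit Logs
# role. The 30-day window is a placeholder.
Connect-ExchangeOnline

# M365AUDIT-001: state check and re-enable.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; re-enabling and hunting for who turned it off.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Shared search wrapper used by every hunt: pages through ReturnLargeSet results,
# drops the duplicate rows that mode can return, and expands the AuditData JSON.
function Search-Audit {
    param(
        [Parameter(Mandatory)][string[]] $Operations,
        [int] $Days = 30
    )
    $sessionId = [guid]::NewGuid().ToString()
    $rows = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
            -Operations $Operations -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $rows += $page
    } while ($page.Count -eq 5000)

    $rows | Sort-Object Identity -Unique | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        # Exchange cmdlet records carry a Parameters array; other workloads carry an ObjectId.
        $detail = if ($d.Parameters) {
            ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        } else { $d.ObjectId }
        [pscustomobject]@{
            When      = $_.CreationDate
            User      = $_.UserIds
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
            Detail    = $detail
        }
    } | Sort-Object When
}

# Documented baseline hunts (M365AUDIT-003). Operation names are the audit log's
# own strings; the trailing period in "Add member to role." is part of the name.
# In the mailbox hunt, Set-Mailbox rows with Forwarding* in Detail are the ones to chase.
$hunts = [ordered]@{
    'Audit log tampering'      = @('Set-AdminAuditLogConfig', 'Set-MailboxAuditBypassAssociation')
    'Mailbox compromise'       = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox')
    'Privilege escalation'     = @('Add member to role.', 'Add-RoleGroupMember')
    'Unauthorized file access' = @('FileDownloaded', 'FileSyncDownloadedFull', 'AnonymousLinkCreated', 'SharingSet')
}
foreach ($hunt in $hunts.Keys) {
    Write-Host "== $hunt ==" -ForegroundColor Cyan
    Search-Audit -Operations $hunts[$hunt] | Format-Table -AutoSize
}
```

The first hunt is the investigation step from M365AUDIT-001: a Set-AdminAuditLogConfig row with UnifiedAuditLogIngestionEnabled=False in Detail names the account and source IP that disabled auditing. Running the whole set on a schedule, and checking that the same events arrive in the SIEM, is the "tested and documented queries" and "SIEM integration operational" evidence the check asks for.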