Entra ID - Security Config Analyzer Tests
Overview
The tests in this section are based on the Entra ID Attack and Defense Playbook, specifically the Entra ID Security Config Analyzer (EIDSCA).
These tests verify whether mitigations are in place to protect against various common attack scenarios on Microsoft Entra. Each test in EIDSCA is mapped to the MITRE ATT&CK framework.
Tests
- EIDSCA.AF01 - Authentication Method - FIDO2 security key - State: Whether FIDO2 security keys are enabled in the tenant.
- EIDSCA.AF02 - Authentication Method - FIDO2 security key - Allow self-service set up: Allows users to register a FIDO key through the MySecurityInfo portal, even if enabled by the Authentication Methods policy.
- EIDSCA.AF03 - Authentication Method - FIDO2 security key - Enforce attestation: Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also to pass Microsoft's additional set of validation testing.
- EIDSCA.AF04 - Authentication Method - FIDO2 security key - Enforce key restrictions: Manages whether registration of FIDO2 keys should be restricted.
- EIDSCA.AF05 - Authentication Method - FIDO2 security key - Restricted: You can work with your security key provider to determine the AAGUIDs of their devices for allowing or blocking usage.
- EIDSCA.AF06 - Authentication Method - FIDO2 security key - Restrict specific keys: Defines whether the list of AAGUIDs will be used to allow or block registration.
- EIDSCA.AG01 - Authentication Method - General Settings - Manage migration: The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. In January 2024, the legacy multifactor authentication and self-service password reset policies will be deprecated and you'll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.
- EIDSCA.AG02 - Authentication Method - General Settings - Report suspicious activity - State: Allows users to report suspicious activity if they receive an authentication request that they did not initiate. This control is available when using the Microsoft Authenticator app and voice calls. Reporting suspicious activity will set the user's risk to high. If the user is subject to risk-based Conditional Access policies, they may be blocked.
- EIDSCA.AG03 - Authentication Method - General Settings - Report suspicious activity - Included users/groups: Object ID or scope of users that will be included to report suspicious activity if they receive an authentication request that they did not initiate.
- EIDSCA.AM01 - Authentication Method - Microsoft Authenticator - State: Whether the Authenticator app is enabled in the tenant.
- EIDSCA.AM02 - Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP: Defines whether users can use the OTP code generated by the Authenticator app.
- EIDSCA.AM03 - Authentication Method - Microsoft Authenticator - Require number matching for push notifications: Defines whether number matching is required for MFA notifications.
- EIDSCA.AM04 - Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications: Object ID or scope of users that will be shown number matching in the Authenticator app.
- EIDSCA.AM06 - Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications: Determines whether the user's Authenticator app will show them the client app they are signing in to.
- EIDSCA.AM07 - Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications: Object ID or scope of users that will be shown app information in the Authenticator app.
- EIDSCA.AM09 - Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications: Determines whether the user's Authenticator app will show them the geographic location where the authentication request originated.
- EIDSCA.AM10 - Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications: Object ID or scope of users that will be shown geographic location in the Authenticator app.
- EIDSCA.AP01 - Default Authorization Settings - Enabled Self-service password reset for administrators: Indicates whether administrators of the tenant can use Self-Service Password Reset (SSPR). The policy applies to some critical roles in Microsoft Entra ID.
- EIDSCA.AP04 - Default Authorization Settings - Guest invite restrictions: Controls who can invite guests to your directory to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources.
- EIDSCA.AP05 - Default Authorization Settings - Sign-up for email based subscription: Indicates whether users can sign up for email-based subscriptions.
- EIDSCA.AP06 - Default Authorization Settings - User can join the tenant by email validation: Controls whether users can join the tenant by email validation. To join, the user must have an email address in a domain that matches one of the verified domains in the tenant.
- EIDSCA.AP07 - Default Authorization Settings - Guest user access: Represents the role templateId of the role that should be granted to guest users.
- EIDSCA.AP08 - Default Authorization Settings - User consent policy assigned for applications: Defines whether user consent to apps is allowed and, if it is, which app consent policy (permissionGrantPolicy) governs the permissions.
- EIDSCA.AP09 - Default Authorization Settings - Risk-based step-up consent: Indicates whether user consent for risky apps is allowed. For example, consent requests for newly registered multi-tenant apps that are not publisher verified and require non-basic permissions are considered risky.
- EIDSCA.AP10 - Default Authorization Settings - Default User Role Permissions - Allowed to create Apps: Controls whether non-admin users may register custom-developed applications for use within this directory.
- EIDSCA.AP14 - Default Authorization Settings - Default User Role Permissions - Allowed to read other users: Prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.
- EIDSCA.AS04 - Authentication Method - SMS - Use for sign-in: Determines whether users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false.
- EIDSCA.AT01 - Authentication Method - Temporary Access Pass - State: Whether Temporary Access Pass is enabled in the tenant.
- EIDSCA.AT02 - Authentication Method - Temporary Access Pass - One-time: Determines whether the pass is limited to one-time use.
- EIDSCA.AV01 - Authentication Method - Voice call - State: Whether voice call is enabled in the tenant.
- EIDSCA.CP01 - Default Settings - Consent Policy Settings - Group owner consent for apps accessing data: Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. For example, a team owner in Microsoft Teams can allow an app to read all Teams messages in the team, or list the basic profile of a group's members.
- EIDSCA.CP03 - Default Settings - Consent Policy Settings - Block user consent for risky apps: Defines whether user consent will be blocked when a risky request is detected.
- EIDSCA.CP04 - Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to: If this option is enabled, users can request admin consent for any app that requires access to data they do not have permission to grant. If this option is disabled, users must contact their admin to request consent in order to use the apps they need.
- EIDSCA.CR01 - Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature: Defines whether the admin consent request feature is enabled or disabled.
- EIDSCA.CR02 - Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests: Specifies whether reviewers will receive notifications.
- EIDSCA.CR03 - Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire: Specifies whether reviewers will receive reminder emails.
- EIDSCA.CR04 - Consent Framework - Admin Consent Request - Consent request duration (days): Specifies how long a request stays active before it automatically expires if no decision is made.
- EIDSCA.PR01 - Default Settings - Password Rule Settings - Password Protection - Mode: If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
- EIDSCA.PR02 - Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory: If set to Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed.
- EIDSCA.PR03 - Default Settings - Password Rule Settings - Enforce custom list: When enabled, the words in the custom list are used by the banned password system to prevent easy-to-guess passwords.
- EIDSCA.PR05 - Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds: The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases.
- EIDSCA.PR06 - Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold: How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again.
- EIDSCA.ST08 - Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner: Indicating whether or not a guest user can be an owner of groups, manage
- EIDSCA.ST09 - Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content: Indicates whether or not a guest user can have access to Microsoft 365 groups content. This setting does not require an Azure Active Directory Premium P1 license.