{"assessment-results":{"uuid":"09050425-ff1e-5fcd-a067-3d323da06f9c","metadata":{"roles":[{"id":"assessor","title":"Lead Assessor"},{"id":"assessment-team","title":"Assessment Team"}],"title":"CISA SCuBA Assessment Results - M365 Tenant","parties":[{"name":"Easy Dynamics","type":"organization","uuid":"33da91b4-3178-49d6-babb-948c9542fd13","links":[{"href":"https://easydynamics.com"}]}],"version":"1.0","published":"2026-03-05T16:00:00-05:00","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"e1f36a7e-7f07-4c35-bf16-f72ffa9cc9e5"}],"last-modified":"2026-03-05T16:00:00-05:00","oscal-version":"1.1.3","responsible-parties":[{"role-id":"assessor","party-uuids":["33da91b4-3178-49d6-babb-948c9542fd13"]}]},"import-ap":{"href":"https://registry.oscal.io/api/v1/pirooz-javan/assessment-plans/efec600c-da47-42da-9e1c-0ab44d965bf1"},"results":[{"end":"2026-03-05T15:30:00-05:00","uuid":"3ffdaf31-5f43-5df1-a2e2-6f471a28a8db","risks":[{"uuid":"88e5aaf0-5376-5cfa-b9a6-815dd03ed79f","title":"Risk: Device Code Phishing Attack Vector Is Active and Unblocked","status":"open","deadline":"2026-04-05T00:00:00-05:00","statement":"The unblocked device code flow represents an actively exploited attack vector that can result in full account takeover without requiring credential exposure, and without being stopped by phishing-resistant MFA controls.","description":"The device code authentication flow is available to all users and has no Conditional Access restriction. Nation-state threat actors (including Storm-2372) have demonstrated active exploitation of this flow to steal long-lived OAuth tokens via social engineering, bypassing MFA entirely. 
A successful attack yields persistent authenticated access that survives password resets.","remediations":[{"uuid":"31ec1b42-e9e8-50cb-821e-23a113543449","tasks":[{"type":"action","uuid":"3aa2c563-df9c-5456-b73e-dc6574d4f415","title":"Audit for legitimate device code flow usage","description":"Query Entra ID sign-in logs for device code flow authentications over the prior 30 days to identify any operational dependencies before blocking."},{"type":"action","uuid":"a794c515-3449-5c73-b5db-3acfc143e865","title":"Create and enable blocking Conditional Access policy","description":"Create the Conditional Access policy in report-only mode, review impact for 72 hours, then switch to enforce."}],"title":"Block Device Code Authentication Flow via Conditional Access","lifecycle":"recommendation","description":"Create and enable a Conditional Access policy scoped to all users and all cloud apps that blocks the device code authentication flow as an authentication flow condition. Verify no operational use cases depend on device code flow prior to enabling in production. Microsoft's managed policy 'Block device code flow' may be used as a starting point."}],"characterizations":[{"facets":[{"name":"likelihood","value":"high","system":"https://csrc.nist.gov/ns/oscal/assessment/risk-system"},{"name":"impact","value":"high","system":"https://csrc.nist.gov/ns/oscal/assessment/risk-system"}],"origin":{"actors":[{"type":"party","actor-uuid":"33da91b4-3178-49d6-babb-948c9542fd13"}]}}]},{"uuid":"d252238d-6078-549d-a8a0-9a510e752665","title":"Risk: Two Permanent Active Privileged Role Assignments Bypass All PAM Controls","status":"open","deadline":"2026-04-05T00:00:00-05:00","statement":"Permanent active privileged role assignments outside PIM eliminate the full set of compensating controls that PIM provides. 
Compromise of either account results in immediate, unrestricted, and silently persistent privileged access to the tenant.","description":"A Privileged Role Administrator and an Exchange Administrator account hold permanent active role assignments outside of PIM. These accounts receive no just-in-time access, no approval gate, no activation duration limit, and no activation-triggered alert. If either credential is compromised, the adversary immediately holds persistent privileged access with no automated detection signal.","remediations":[{"uuid":"45ecfa95-3603-553d-9019-b38a07e6767e","tasks":[{"type":"action","uuid":"8bf17fcb-af4e-5918-9ba2-87cdf20c4f09","title":"Create eligible PIM assignments for both accounts","description":"In Entra ID PIM, assign both accounts as eligible for their respective roles and configure: maximum activation of 4 hours, require MFA on activation, require justification, and notify the security operations mailbox on activation."},{"type":"action","uuid":"5843a58b-688e-56e3-80db-548e899b49a7","title":"Remove permanent active role assignments","description":"After PIM eligible assignments are confirmed working, remove the permanent active role assignments via the Entra ID roles and administrators blade."}],"title":"Convert Permanent Active Role Assignments to PIM-Managed Eligible Assignments","lifecycle":"recommendation","description":"For both the Privileged Role Administrator and Exchange Administrator accounts with permanent active assignments, remove the direct role assignment from the Entra ID roles blade and create eligible assignments within PIM with appropriate activation duration, approval, and MFA activation requirements 
configured."}],"characterizations":[{"facets":[{"name":"likelihood","value":"low","system":"https://csrc.nist.gov/ns/oscal/assessment/risk-system"},{"name":"impact","value":"critical","system":"https://csrc.nist.gov/ns/oscal/assessment/risk-system"}],"origin":{"actors":[{"type":"party","actor-uuid":"33da91b4-3178-49d6-babb-948c9542fd13"}]}}]},{"uuid":"b4000cec-c228-5663-aa59-2fd7f56e14b2","title":"Risk: Valid Credentials Alone Sufficient to Authenticate from Any Device","status":"open","deadline":"2026-06-05T00:00:00-05:00","statement":"The absence of a tenant-wide device compliance Conditional Access policy means that credential compromise alone is sufficient for full M365 access, undermining the defense-in-depth principle that device health signals should accompany identity signals per OMB M-22-09.","description":"Without a managed device requirement for the general user population, an adversary who obtains valid user credentials (via phishing, credential stuffing, or purchase on dark markets) can authenticate to M365 services from any device, including personally owned or compromised hardware with no endpoint security controls. 
This eliminates the device posture layer of defense.","remediations":[{"uuid":"f3399cfe-64f9-5550-a504-5d3173fa54fd","tasks":[{"type":"action","uuid":"00bdcc08-3b7c-53ba-83ee-ac20753fc083","title":"Audit Intune device enrollment coverage","description":"Identify what percentage of active users have compliant or hybrid-joined devices enrolled in Intune before enabling the policy to avoid inadvertent lockouts."},{"type":"action","uuid":"8e990ea6-f1b6-5a48-962e-a7da113e32d6","title":"Deploy policy in report-only mode then enforce","description":"Create the Conditional Access policy targeting all users in report-only mode, review sign-in logs for 5 business days, resolve any gaps in device enrollment, then switch to enforce."}],"title":"Implement Tenant-Wide Device Compliance Conditional Access Policy","lifecycle":"recommendation","description":"Create and enable a Conditional Access policy requiring device compliance (Intune-managed) or Hybrid Azure AD Join as a condition for all cloud app authentication for all users. 
Pilot with a targeted group and expand once Intune enrollment coverage is confirmed sufficient."}],"characterizations":[{"facets":[{"name":"likelihood","value":"moderate","system":"https://csrc.nist.gov/ns/oscal/assessment/risk-system"},{"name":"impact","value":"high","system":"https://csrc.nist.gov/ns/oscal/assessment/risk-system"}],"origin":{"actors":[{"type":"party","actor-uuid":"33da91b4-3178-49d6-babb-948c9542fd13"}]}}]}],"start":"2026-03-05T08:00:00-05:00","title":"SCuBA M365 Baseline Assessment - Full Tenant Scan","findings":[{"uuid":"b5d014ae-23b1-51b8-845a-972f40def692","title":"MS.AAD.1.1v1: Legacy Authentication Blocking","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.1.1v1"},"description":"Conditional Access policy confirmed blocking all legacy authentication protocols for all users.","related-observations":[{"observation-uuid":"941e3133-152b-5301-8762-abd228b5ee80"}]},{"uuid":"834f1d49-ccff-539c-bb62-a1cd263b71cc","title":"MS.AAD.2.1v1: High-Risk Users Blocked","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.2.1v1"},"description":"A risk-based Conditional Access policy blocking high-risk users is present and enabled.","related-observations":[{"observation-uuid":"d4337622-1625-5388-9149-e570a170fc86"}]},{"uuid":"4c94c5a7-9465-5974-9e8f-546391017779","title":"MS.AAD.3.1v1: Phishing-Resistant MFA Enforced for All Users","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.1v1"},"description":"A Conditional Access policy requiring phishing-resistant MFA authentication strength is applied to all users and is enabled.","related-observations":[{"observation-uuid":"e40c8114-14a1-5baa-9c1c-5bb8000f9af1"}]},{"uuid":"62d18ee5-d71d-5db0-8190-3e5d10730a11","title":"MS.AAD.3.7v1: Managed Device Requirement Not Enforced for General 
Users","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.aad.3.7v1"},"description":"No tenant-wide Conditional Access policy requiring a managed device for authentication was identified. The gap covers the majority of the user population. Controls AC-20(b) and IA-3 are not satisfied.","related-risks":[{"risk-uuid":"b4000cec-c228-5663-aa59-2fd7f56e14b2"}],"related-observations":[{"observation-uuid":"eaabc3f4-c7ed-5ce7-a26f-a3f79180b310"}]},{"uuid":"c20e384e-af0f-546b-afb9-673691680e45","title":"MS.AAD.3.9v1: Device Code Authentication Flow Not Blocked","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.aad.3.9v1"},"description":"No Conditional Access policy blocks the device code authentication flow. This flow has been actively exploited in phishing campaigns (Storm-2372) to steal OAuth tokens. Control CM-7 is not satisfied.","related-risks":[{"risk-uuid":"88e5aaf0-5376-5cfa-b9a6-815dd03ed79f"}],"related-observations":[{"observation-uuid":"ec6ef48b-e73b-5d8a-a60a-919f5efbed1d"}]},{"uuid":"17874a73-cbad-5310-9e58-d3d137e80e18","title":"MS.AAD.4.1v1: Security Logs Sent to SOC","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.4.1v1"},"description":"Entra ID sign-in and audit logs are exported to the agency SOC SIEM via Azure Monitor. Control AU-4 is satisfied.","related-observations":[{"observation-uuid":"27f80a7e-b877-5e74-a96a-d78be6edd259"}]},{"uuid":"a2638710-c0df-5f05-a0e8-ce50fa8e3939","title":"MS.AAD.7.1v1: Global Administrator Count Exceeds Maximum","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"other"},"target-id":"ms.aad.7.1v1"},"description":"The tenant has 11 active Global Administrator assignments, exceeding the SCuBA maximum of 8. 
Control AC-6(5) is not satisfied.","related-observations":[{"observation-uuid":"6cbdcb7e-0700-5dc6-99c9-7932e2d258f3"}]},{"uuid":"a9fbd0cd-62b9-50cc-9546-0660f8e23c26","title":"MS.AAD.7.2v1: Four Global Administrators Not Using Least-Privilege Roles","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.aad.7.2v1"},"description":"Four accounts hold Global Administrator despite job functions requiring only Exchange Administrator and Compliance Administrator access. Control AC-5 is not satisfied for those accounts.","related-observations":[{"observation-uuid":"48318f52-3112-5604-84bd-23757a40cd35"}]},{"uuid":"e654a10f-3761-5639-b9a8-22a7f54d535e","title":"MS.AAD.7.4v1: Two Permanent Active Highly Privileged Role Assignments Outside PIM","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.aad.7.4v1"},"description":"A Privileged Role Administrator and an Exchange Administrator account have permanent active role assignments outside of PIM, bypassing just-in-time access, approval gates, and session time limits. Control AC-2 is not satisfied.","related-risks":[{"risk-uuid":"d252238d-6078-549d-a8a0-9a510e752665"}],"related-observations":[{"observation-uuid":"c4f66e44-f13d-5eae-ba98-7d91317fbdab"}]},{"uuid":"a19769e2-ff4d-5a58-8a5c-95bb17024678","title":"MS.AAD.7.6v1: Global Administrator Activation Requires Approval","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.7.6v1"},"description":"PIM is configured to require approver sign-off before Global Administrator activation is granted, with a 4-hour maximum activation window. 
Control AC-6(1) is satisfied.","related-observations":[{"observation-uuid":"4f296617-5ab6-5256-800f-875c3f7501eb"}]},{"uuid":"428ebd53-0709-5487-bd9f-2708c377a1f7","title":"MS.DEFENDER.1.1v1: Standard and Strict Preset Security Policies Enabled","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.1.1v1"},"description":"Both preset security policies are in the enabled state. Controls CM-6(a), SI-3(a), and SI-8 are satisfied.","related-observations":[{"observation-uuid":"822cc280-9b3b-52c4-8b7d-5e6b5767dddf"}]},{"uuid":"3cf982ee-0013-5010-ac76-2798d2a30e52","title":"MS.DEFENDER.2.1v1: User Impersonation Protection Not Configured","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.defender.2.1v1"},"description":"Neither preset policy has protected users defined for impersonation protection. Executive leadership, IT administrators, and security personnel are unprotected against impersonation-based spearphishing. Control SI-8 is not fully satisfied.","related-observations":[{"observation-uuid":"ef43a194-1829-5c8c-b197-845fa3e05eab"}]},{"uuid":"219bb2dd-1390-59e3-981f-3d63e8ad313e","title":"MS.DEFENDER.4.1v2: DLP Policy for PII Configured","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.4.1v2"},"description":"A custom DLP policy detecting and blocking SSNs, ITINs, and credit card numbers is active. Control SC-7(10) is satisfied.","related-observations":[{"observation-uuid":"2821955c-d13f-50d3-be5e-0e5632ffedd9"}]},{"uuid":"9010d6d3-a0fb-5db7-af37-d92f65d187c3","title":"MS.DEFENDER.4.2v1: DLP Policy Does Not Include Devices Workload","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.defender.4.2v1"},"description":"The DLP policy covers Exchange, SharePoint, OneDrive, and Teams but excludes the Devices workload due to incomplete Defender for Endpoint onboarding. 
Control SC-7(10) is not fully satisfied.","related-observations":[{"observation-uuid":"33b330b7-871f-57cb-a041-3585789f9f44"}]},{"uuid":"6d87690d-26a0-5948-a7b2-8d39e2e2dcfe","title":"MS.DEFENDER.6.1v1: Unified Audit Logging Enabled","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.6.1v1"},"description":"Unified Audit Log is enabled for the tenant. Control AU-12 is satisfied.","related-observations":[{"observation-uuid":"285313bf-ff69-5d5e-8dcf-5b3fe5fed33e"}]},{"uuid":"ababc9f0-a19e-5be3-bfba-98a30ac21def","title":"MS.EXO.1.1v2: Automatic External Forwarding Disabled","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.1.1v2"},"description":"AutoForwardingMode is set to Off in the default outbound spam filter policy. Control AC-4 is satisfied.","related-observations":[{"observation-uuid":"495a5d77-8ec3-59c4-a209-4a6016cb73b8"}]},{"uuid":"b37c77d0-de2f-5a5a-80ea-a88ba8ff006a","title":"MS.EXO.3.1v1: DKIM Not Enabled for All Agency Domains","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.exo.3.1v1"},"description":"DKIM signing is disabled for two of four agency domains (legacy-agency.gov and agency-program.gov). Emails from these domains cannot be cryptographically verified for integrity. Control SC-8 is not satisfied for those domains.","related-observations":[{"observation-uuid":"b16a4012-c0dc-5548-b278-5e7d9af63ae9"}]},{"uuid":"ab049cca-70b0-55f9-a027-302629f3da1d","title":"MS.EXO.4.2v1: DMARC Policy Set to p=reject","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.4.2v1"},"description":"All four agency domains publish DMARC records with p=reject, providing the strongest available spoofing protection. 
Control SI-8 is satisfied.","related-observations":[{"observation-uuid":"513f2560-7470-5ada-8957-f35bf015fb37"}]},{"uuid":"d1e7a1c7-9609-5253-aeb2-6a5da9af313e","title":"MS.EXO.9.5v1: Click-to-Run File Types Not Blocked in Attachment Filter","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.exo.9.5v1"},"description":"The attachment block list omits .exe, .cmd, and .vbe. Users may receive and execute malicious email attachments of these types. Control SI-3 is not fully satisfied.","related-observations":[{"observation-uuid":"eac260f1-247e-554c-a724-62566d48ef89"}]},{"uuid":"6091b9df-f845-5430-b46d-c6e77b6a0ce1","title":"MS.EXO.13.1v1: Mailbox Auditing Enabled","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.13.1v1"},"description":"Mailbox auditing is enabled by default for all Exchange Online mailboxes at the organization level. Control AU-12(c) is satisfied.","related-observations":[{"observation-uuid":"67e534ae-46c0-55e3-b860-c1df7774d0b6"}]},{"uuid":"e31550d5-b20a-5112-ace3-551376ca9c81","title":"MS.POWERBI.1.1v1: Publish to Web Disabled","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.1.1v1"},"description":"The PublishToWebAllowedStates setting is Disabled. Controls CM-7 and SC-7(10)(a) are satisfied.","related-observations":[{"observation-uuid":"8615d1d4-7de2-5edb-b618-33e647fbfe29"}]},{"uuid":"70895221-d703-5d4d-a2a0-f21eec2efdaf","title":"MS.POWERBI.7.1v1: Sensitivity Labels Not Enabled for Power BI","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.powerbi.7.1v1"},"description":"The EnableSensitivityLabels setting is disabled at the Power BI tenant level. BI content cannot be classified under enterprise data protection policy. 
Controls AC-21(b) and SC-7(10)(a) are not satisfied.","related-observations":[{"observation-uuid":"492c19a0-0639-532f-8983-666b2c42cdfd"}]},{"uuid":"9a5eefc2-239e-5c6f-85cb-3b03c0f1b565","title":"MS.POWERPLATFORM.1.1v1: Environment Creation Restricted to Admins","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerplatform.1.1v1"},"description":"Production and sandbox environment creation is restricted to Power Platform and Global Administrators. Control AC-6(10) is satisfied.","related-observations":[{"observation-uuid":"a6ee4fb1-73e3-5f82-948a-ccbed45dca97"}]},{"uuid":"b95f4d18-de84-5e73-943d-b4f2eb4ed62e","title":"MS.POWERPLATFORM.2.2v1: Three Non-Default Environments Lack DLP Coverage","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.powerplatform.2.2v1"},"description":"Three developer-created environments have no DLP policy applied. Connector data flows in these environments are ungoverned. Control SC-7(10) is not satisfied for those environments.","related-observations":[{"observation-uuid":"eb453600-d645-541f-b65a-14ab71c7a292"}]},{"uuid":"2a648bf3-00f1-521c-9a0e-aedc3eaea8e4","title":"MS.POWERPLATFORM.3.1v1: Tenant Isolation Enabled","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerplatform.3.1v1"},"description":"Power Platform tenant isolation is enabled, preventing cross-tenant connector data flows. Controls AC-3 and SC-7(5) are satisfied.","related-observations":[{"observation-uuid":"e04539ed-0258-5e02-bd2a-3d2a460ac5fc"}]},{"uuid":"5f5dcdca-05b5-5406-961d-eca466cd70cd","title":"MS.SHAREPOINT.1.1v1: SharePoint External Sharing Limited to Existing Guests","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.1.1v1"},"description":"SharePoint external sharing is restricted to existing guest accounts. 
Controls AC-2, AC-3, and IA-8 are satisfied.","related-observations":[{"observation-uuid":"b989ed58-8984-5b39-9f37-c6c1d2adac55"}]},{"uuid":"06cfd0ac-b41e-5867-88ec-edce050a7bed","title":"MS.SHAREPOINT.3.3v1: Guest Reauthentication Period Exceeds 30-Day Maximum","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.sharepoint.3.3v1"},"description":"The reauthentication period for verification code users is set to 45 days, exceeding the SHALL maximum of 30 days under CISA BOD 25-01. Control IA-11 is not satisfied.","related-observations":[{"observation-uuid":"fd21f994-e744-5162-89f4-d050b0bcd37b"}]},{"uuid":"402ff4e2-07aa-5f4b-8573-9dcb5ee64b4f","title":"MS.TEAMS.1.2v2: Anonymous Users Cannot Start Meetings","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.1.2v2"},"description":"AllowAnonymousUsersToStartMeeting is false in the global policy. Control SC-15(a) is satisfied.","related-observations":[{"observation-uuid":"f37e351a-89f4-523c-a08b-6c3984a3cf18"}]},{"uuid":"6ab81235-4957-5955-a985-da31ca71afa7","title":"MS.TEAMS.1.6v1: Meeting Recording Enabled in Global Policy","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.teams.1.6v1"},"description":"AllowCloudRecording is true in the global Teams meeting policy, allowing all users to record meetings by default. Control CM-7 is not satisfied.","related-observations":[{"observation-uuid":"cb0d7717-8e01-54cb-8d5a-511e0863558c"}]},{"uuid":"2df9e191-254a-58fa-956e-046da21b3a28","title":"MS.TEAMS.2.1v2: External Access Restricted Per-Domain","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.2.1v2"},"description":"Teams external access is configured to allow communication only with explicitly listed domains. 
Control AC-3 is satisfied.","related-observations":[{"observation-uuid":"e51c45aa-d335-57e6-9d5c-0a91200cac08"}]},{"uuid":"8104b49f-f24d-58de-ac2d-3331704626c7","title":"MS.TEAMS.5.2v2: All Third-Party Teams Apps Permitted Without Agency Allowlist","target":{"type":"objective-id","status":{"state":"not-satisfied","reason":"not-implemented"},"target-id":"ms.teams.5.2v2"},"description":"The global Teams app permission policy allows all third-party apps. No agency-curated allowlist exists. Users may install unvetted applications with broad data access permissions. Control CM-11 is not satisfied.","related-observations":[{"observation-uuid":"bfc9b7fb-4f05-5cab-ad68-d9103a7a4b88"}]},{"uuid":"a10e4a6a-a954-5dbf-90db-06f21453615b","title":"MS.TEAMS.6.1v1: DLP Enabled for Teams","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.6.1v1"},"description":"The agency's DLP policy includes Teams Chat and Channel Messages as an active workload. Control SC-7(10) is satisfied.","related-observations":[{"observation-uuid":"31da940c-1354-5803-821d-e56bd6a41ce5"}]},{"uuid":"a928bc85-7557-5a6d-a973-06f97fddff51","title":"MS.AAD.3.2v1: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.2v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.3.2v1. 
Controls: IA-2.1, IA-2.2.","description":"Assessment of MS.AAD.3.2v1: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.","related-observations":[{"observation-uuid":"21708604-31a9-52dd-b9e5-f5d86ab34950"}]},{"uuid":"f605372a-5f9f-5786-aa5d-3678b7d416bb","title":"MS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 protection in either the sta","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.1.3v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.1.3v1. Controls: CM-6, SI-3, SI-8.","description":"Assessment of MS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.","related-observations":[{"observation-uuid":"561182d5-53ec-5bfd-bb11-c8d514096b31"}]},{"uuid":"bffec46b-c44f-5579-ab5e-c8d958ac1b4c","title":"MS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict pr","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.1.4v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.1.4v1. Controls: CM-6, SI-3, SI-8.","description":"Assessment of MS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.","related-observations":[{"observation-uuid":"a7690a5d-b354-5821-b23b-1e2079b5f14e"}]},{"uuid":"e9c38cdd-4e9f-59e1-b5ee-9e9b43f708ca","title":"MS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 protection in the s","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.1.5v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.1.5v1. 
Controls: CM-6, SI-3, SI-8.","description":"Assessment of MS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.","related-observations":[{"observation-uuid":"c807a4da-7fa6-59b6-bc7b-5ca17cbb904f"}]},{"uuid":"66d38c82-3e57-50fa-9446-98903c84e254","title":"MS.DEFENDER.2.2v1: Domain impersonation protection SHOULD be enabled for domains owned by the agenc","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.2.2v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.2.2v1. Controls: SI-8.","description":"Assessment of MS.DEFENDER.2.2v1: Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.","related-observations":[{"observation-uuid":"9252cbda-427a-519f-81d8-a06903fb6102"}]},{"uuid":"ca974146-2a8e-5c1f-88d6-e1fa9badf015","title":"MS.DEFENDER.2.3v1: Domain impersonation protection SHOULD be added for important partners in both t","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.2.3v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.2.3v1. Controls: SI-8.","description":"Assessment of MS.DEFENDER.2.3v1: Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.","related-observations":[{"observation-uuid":"716195eb-9b27-54d4-bc31-2ae2e7f4c669"}]},{"uuid":"8dd605b6-0714-5bf0-b6e5-f7c870295f96","title":"MS.DEFENDER.3.1v1: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.3.1v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.3.1v1. 
Controls: SI-3.","description":"Assessment of MS.DEFENDER.3.1v1: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.","related-observations":[{"observation-uuid":"d3fb11f1-acfb-59bf-b731-2ee7df67d8ae"}]},{"uuid":"bfa1b653-0fc5-5386-9c89-a529bc24130f","title":"MS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive inform","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.4.3v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.4.3v1. Controls: AC-3, SC-7.10.","description":"Assessment of MS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.","related-observations":[{"observation-uuid":"3ab7f213-0be4-5e82-b89f-dfbae25a6684"}]},{"uuid":"92bc4543-db59-54a0-8657-3a8b42ef88da","title":"MS.DEFENDER.4.4v1: Notifications to inform users and help educate them on the proper use of sensiti","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.4.4v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.4.4v1. Controls: AT-2.","description":"Assessment of MS.DEFENDER.4.4v1: Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.","related-observations":[{"observation-uuid":"18591c06-c915-5dd3-8c90-ac0a8f318501"}]},{"uuid":"0e001b21-5a9f-5554-b258-f6a48d1bfb7f","title":"MS.DEFENDER.4.5v1: A list of apps that are restricted from accessing files protected by DLP policy ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.4.5v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.4.5v1. 
Controls: SC-7.10.","description":"Assessment of MS.DEFENDER.4.5v1: A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined.","related-observations":[{"observation-uuid":"ce100301-a757-5d4a-888f-ed5b3d658728"}]},{"uuid":"89d07b6b-1d88-5062-9438-50adbc32d4d9","title":"MS.DEFENDER.4.6v1: The custom policy SHOULD include an action to block access to sensitive","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.4.6v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.4.6v1. Controls: AC-19.","description":"Assessment of MS.DEFENDER.4.6v1: The custom policy SHOULD include an action to block access to sensitive","related-observations":[{"observation-uuid":"52488375-5d43-517a-b1cf-776394c6dc13"}]},{"uuid":"5393ddfc-529f-5287-85b4-b5a80de859c9","title":"MS.DEFENDER.5.1v1: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.5.1v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.5.1v1. Controls: SI-4.5.","description":"Assessment of MS.DEFENDER.5.1v1: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.","related-observations":[{"observation-uuid":"8d04c27e-2414-5b2a-bf4a-ce6ea89b5aef"}]},{"uuid":"5f46ef01-a759-552e-973e-93e0df4f8611","title":"MS.DEFENDER.5.2v1: The alerts SHOULD be sent to a monitored address or incorporated into a Security","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.5.2v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.5.2v1. 
Controls: SI-4.5.","description":"Assessment of MS.DEFENDER.5.2v1: The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM).","related-observations":[{"observation-uuid":"7908216c-171b-5360-8896-73736c5657ab"}]},{"uuid":"ff15f696-5966-5e92-8506-5d74fb372498","title":"MS.EXO.4.4v1: An agency point of contact SHOULD be included for aggregate and failure reports.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.4.4v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.4.4v1. Controls: SI-4.5.","description":"Assessment of MS.EXO.4.4v1: An agency point of contact SHOULD be included for aggregate and failure reports.","related-observations":[{"observation-uuid":"0099f0ef-b383-5fc8-b8bb-46bdab08aa74"}]},{"uuid":"31b46548-277e-513a-9257-8f8dd590fcc8","title":"MS.EXO.5.1v1: SMTP AUTH SHALL be disabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.5.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.5.1v1. Controls: CM-7.","description":"Assessment of MS.EXO.5.1v1: SMTP AUTH SHALL be disabled.","related-observations":[{"observation-uuid":"b7cbd17e-1c64-5f78-bb70-75e5ffc54234"}]},{"uuid":"5e85b658-5ca4-5906-a3f3-2f015e2ec3bd","title":"MS.EXO.6.1v1: Contact folders SHALL NOT be shared with all domains.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.6.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.6.1v1. 
Controls: AC-3, SC-7.10.","description":"Assessment of MS.EXO.6.1v1: Contact folders SHALL NOT be shared with all domains.","related-observations":[{"observation-uuid":"e5d2cef5-9566-5f8e-845e-5243afd53bdd"}]},{"uuid":"05e9f940-7b04-5a35-a875-4219a2bfcfc6","title":"MS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.6.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.6.2v1. Controls: AC-3, SC-7.10.","description":"Assessment of MS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.","related-observations":[{"observation-uuid":"972e929a-cfc4-52e6-9519-bdbe163b0f9e"}]},{"uuid":"1dec17b4-e06a-5473-8784-5ef0d111af53","title":"MS.EXO.7.1v1: External sender warnings SHALL be implemented.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.7.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.7.1v1. Controls: SI-8.","description":"Assessment of MS.EXO.7.1v1: External sender warnings SHALL be implemented.","related-observations":[{"observation-uuid":"a0fc6089-a9c4-5444-a100-3d3a66048f92"}]},{"uuid":"5d968a6c-4c81-5d31-8c56-bab11bb892bf","title":"MS.EXO.8.1v2: A DLP solution SHALL be used.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.8.1v2"},"remarks":"Tenant configuration meets the requirement for MS.EXO.8.1v2. Controls: SC-7.10.","description":"Assessment of MS.EXO.8.1v2: A DLP solution SHALL be used.","related-observations":[{"observation-uuid":"5e128c2f-a33e-584b-aa2b-d15c54889a28"}]},{"uuid":"1df20be3-ab6b-51c9-900c-5f6858bb1c02","title":"MS.EXO.8.2v2: The DLP solution SHALL protect personally identifiable information (PII) and sen","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.8.2v2"},"remarks":"Tenant configuration meets the requirement for MS.EXO.8.2v2. 
Controls: SC-7.10.","description":"Assessment of MS.EXO.8.2v2: The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.","related-observations":[{"observation-uuid":"f8476861-7805-5849-81c3-8cc6de1307ca"}]},{"uuid":"3abbe8f7-7550-5a04-8725-2bfda8c2c052","title":"MS.EXO.8.3v1: The selected DLP solution SHOULD offer services comparable to the native DLP sol","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.8.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.8.3v1. Controls: SC-7.10.","description":"Assessment of MS.EXO.8.3v1: The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.","related-observations":[{"observation-uuid":"bef86a2f-bb9b-5555-856d-02cf3be54618"}]},{"uuid":"0b2df7dd-c2be-558f-ae6c-02ed1fd81a7a","title":"MS.EXO.8.4v1: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.8.4v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.8.4v1. Controls: SC-7.10.","description":"Assessment of MS.EXO.8.4v1: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.","related-observations":[{"observation-uuid":"fbfd86db-0579-5ab9-82df-3e2ab88f7563"}]},{"uuid":"61551d4e-3c0b-5aca-b1f0-5f64e4513996","title":"MS.EXO.9.2v1: The attachment filter SHOULD attempt to determine the true file type and assess ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.9.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.9.2v1. 
Controls: SI-3.","description":"Assessment of MS.EXO.9.2v1: The attachment filter SHOULD attempt to determine the true file type and assess the file extension.","related-observations":[{"observation-uuid":"51b35060-5a23-5767-b5ac-366afa08114f"}]},{"uuid":"8f7308f3-6f3d-5d2c-9efc-579cc33b24d7","title":"MS.EXO.9.3v2: Disallowed file types SHALL be determined and enforced.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.9.3v2"},"remarks":"Tenant configuration meets the requirement for MS.EXO.9.3v2. Controls: SI-3.","description":"Assessment of MS.EXO.9.3v2: Disallowed file types SHALL be determined and enforced.","related-observations":[{"observation-uuid":"1d2992a0-cccf-5644-a6d6-dd5240884dff"}]},{"uuid":"b6737e08-bafe-5521-b2b0-f663368fe9c5","title":"MS.EXO.9.4v1: Alternatively chosen filtering solutions SHOULD offer services comparable to Mic","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.9.4v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.9.4v1. Controls: SI-3.","description":"Assessment of MS.EXO.9.4v1: Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter.","related-observations":[{"observation-uuid":"54dbca6a-6465-5148-bda0-b7d96ce77e7b"}]},{"uuid":"7b1b3d98-c6a2-5f9a-b9bd-ea94665e2bb3","title":"MS.EXO.10.1v1: Emails SHALL be scanned for malware.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.10.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.10.1v1. 
Controls: SI-3.","description":"Assessment of MS.EXO.10.1v1: Emails SHALL be scanned for malware.","related-observations":[{"observation-uuid":"10893c8f-f9ff-5633-8c23-4ae787ef42cd"}]},{"uuid":"6bd5d941-c41e-5988-bf1c-8d0f181f1960","title":"MS.EXO.10.2v1: Emails identified as containing malware SHALL be quarantined or dropped.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.10.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.10.2v1. Controls: SI-3.","description":"Assessment of MS.EXO.10.2v1: Emails identified as containing malware SHALL be quarantined or dropped.","related-observations":[{"observation-uuid":"2a7c31b1-2af2-5814-9dd1-8959a8bf1824"}]},{"uuid":"e6bf6705-5431-5d7c-b8c7-5ae2852f6305","title":"MS.EXO.10.3v1: Email scanning SHALL be capable of reviewing emails after delivery.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.10.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.10.3v1. Controls: SI-3.","description":"Assessment of MS.EXO.10.3v1: Email scanning SHALL be capable of reviewing emails after delivery.","related-observations":[{"observation-uuid":"87238f45-334b-5abf-9476-0b9687525496"}]},{"uuid":"d6221f4e-e6d8-5e64-8f35-c4cb25b896a3","title":"MS.EXO.11.1v1: Impersonation protection checks SHOULD be used.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.11.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.11.1v1. 
Controls: SI-8.","description":"Assessment of MS.EXO.11.1v1: Impersonation protection checks SHOULD be used.","related-observations":[{"observation-uuid":"2f76b3d2-7d6e-5de3-beed-8343bdbe2438"}]},{"uuid":"46e98563-0987-557a-b77b-823ffc8eea02","title":"MS.EXO.11.2v1: User warnings, comparable to the user safety tips included with EOP, SHOULD be d","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.11.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.11.2v1. Controls: AT-2, SI-8.","description":"Assessment of MS.EXO.11.2v1: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.","related-observations":[{"observation-uuid":"74eaa29c-4980-5c74-91ba-b0adfe401f31"}]},{"uuid":"2efaf7f9-ee48-502c-860d-0bac8e11906a","title":"MS.EXO.11.3v1: The phishing protection solution SHOULD include an AI-based phishing detection t","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.11.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.11.3v1. Controls: SI-8.","description":"Assessment of MS.EXO.11.3v1: The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.","related-observations":[{"observation-uuid":"0dbf5d8e-99f9-50e4-9187-c1b5930f5563"}]},{"uuid":"86f1536c-4b9c-5ab3-9af1-6e07c2c62d7c","title":"MS.EXO.12.1v1: IP allow lists SHOULD NOT be created.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.12.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.12.1v1. 
Controls: AC-4.","description":"Assessment of MS.EXO.12.1v1: IP allow lists SHOULD NOT be created.","related-observations":[{"observation-uuid":"fa7b704b-92b0-5979-b8b5-294c261db359"}]},{"uuid":"9f9b8673-a195-51de-ad6b-4c1d78e1a26e","title":"MS.EXO.12.2v1: Safe lists SHOULD NOT be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.12.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.12.2v1. Controls: AC-4.","description":"Assessment of MS.EXO.12.2v1: Safe lists SHOULD NOT be enabled.","related-observations":[{"observation-uuid":"939e8941-5ca3-53f5-acc1-1f0456a8b020"}]},{"uuid":"86b2a79d-c3c7-5288-9b92-9008a2509e3c","title":"MS.EXO.14.1v2: A spam filter SHALL be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.14.1v2"},"remarks":"Tenant configuration meets the requirement for MS.EXO.14.1v2. Controls: SI-8.","description":"Assessment of MS.EXO.14.1v2: A spam filter SHALL be enabled.","related-observations":[{"observation-uuid":"3e3aa9d7-7b3c-5693-9178-b2c3992904e1"}]},{"uuid":"aac053dc-6e92-53ab-982c-188f9a6376f4","title":"MS.EXO.14.2v1: Spam and high confidence spam SHALL be moved to either the junk email folder or ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.14.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.14.2v1. Controls: SI-8.","description":"Assessment of MS.EXO.14.2v1: Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.","related-observations":[{"observation-uuid":"7e49451f-db92-54ac-ad4f-60bf920ab30a"}]},{"uuid":"a1261b5d-75a3-59a1-b552-eebf7a50876e","title":"MS.EXO.14.3v1: Allowed domains SHALL NOT be added to inbound anti-spam protection policies.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.14.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.14.3v1. 
Controls: SI-8.","description":"Assessment of MS.EXO.14.3v1: Allowed domains SHALL NOT be added to inbound anti-spam protection policies.","related-observations":[{"observation-uuid":"51eb9f10-f44a-5273-b358-9546c3e80eb9"}]},{"uuid":"0d30e609-1b94-59df-9e79-74cd0fe00080","title":"MS.EXO.14.4v1: If a third-party filtering solution is used, the solution SHOULD offer ser","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.14.4v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.14.4v1. Controls: SI-8.","description":"Assessment of MS.EXO.14.4v1: If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft.","related-observations":[{"observation-uuid":"99c386ef-1f4c-5492-871a-295a2e47b1be"}]},{"uuid":"9f1624f8-33d7-5b09-861b-a261b3ed5b8d","title":"MS.EXO.15.1v1: URL comparison with a block-list SHOULD be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.15.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.15.1v1. Controls: SI-3.","description":"Assessment of MS.EXO.15.1v1: URL comparison with a block-list SHOULD be enabled.","related-observations":[{"observation-uuid":"72062428-fd75-5567-ae7c-a46bc03677ec"}]},{"uuid":"071a8eaf-7a1e-50a1-bf2c-45fb7b4a456f","title":"MS.EXO.15.2v1: Direct download links SHOULD be scanned for malware.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.15.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.15.2v1. 
Controls: SI-3.","description":"Assessment of MS.EXO.15.2v1: Direct download links SHOULD be scanned for malware.","related-observations":[{"observation-uuid":"e44b36a0-56e1-52e7-b1dd-8839dc4dd191"}]},{"uuid":"c97e562d-26aa-51a9-94b6-e56b02d0b352","title":"MS.EXO.15.3v1: User click tracking SHOULD be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.15.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.15.3v1. Controls: SI-3, AU-12.","description":"Assessment of MS.EXO.15.3v1: User click tracking SHOULD be enabled.","related-observations":[{"observation-uuid":"14869376-8495-533c-b759-d02952416a24"}]},{"uuid":"002b763e-cb3e-50db-8dfd-1d31c65e52ae","title":"MS.EXO.16.1v1: At a minimum, the following alerts SHALL be enabled:","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.16.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.16.1v1. Controls: SI-4.5.","description":"Assessment of MS.EXO.16.1v1: At a minimum, the following alerts SHALL be enabled:","related-observations":[{"observation-uuid":"694245f1-8f4f-5702-9344-0e3c01095fc8"}]},{"uuid":"301f0581-bc6c-5ed8-b539-8c68e2451dbd","title":"MS.EXO.16.2v1: The alerts SHOULD be sent to a monitored address or incorporated into a security","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.16.2v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.16.2v1. 
Controls: SI-4.12.","description":"Assessment of MS.EXO.16.2v1: The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.","related-observations":[{"observation-uuid":"7286e5bf-6f61-5b24-a6d2-401ba853e179"}]},{"uuid":"9bf4cf57-044a-59f7-b7d2-b456276f4d22","title":"MS.EXO.17.1v1: Unified Audit logging SHALL be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.17.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.17.1v1. Controls: AU-12.","description":"Assessment of MS.EXO.17.1v1: Unified Audit logging SHALL be enabled.","related-observations":[{"observation-uuid":"f381ffb6-96a6-5380-b972-19be0f28d5f2"}]},{"uuid":"569679c9-d7ce-5c13-8153-e9e61e73c6b8","title":"MS.EXO.17.3v1: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.17.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.17.3v1. Controls: AU-11.","description":"Assessment of MS.EXO.17.3v1: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).","related-observations":[{"observation-uuid":"752b2300-1d0b-5314-8bd5-8f36e186c25b"}]},{"uuid":"1a22e797-fbb1-5e97-9161-67886980f28d","title":"MS.POWERBI.2.1v1: Guest user access to the Power BI tenant SHOULD be disabled unless the agency mi","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.2.1v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERBI.2.1v1. 
Controls: CM-7, AC-6.","description":"Assessment of MS.POWERBI.2.1v1: Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability.","related-observations":[{"observation-uuid":"c8d4761a-832b-56f5-bf4d-cbb7f8270196"}]},{"uuid":"bf05c960-f12e-5ff5-85e7-e8372b8dd646","title":"MS.POWERBI.3.1v1: The Invite external users to your organization feature SHOULD be disabled unless","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.3.1v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERBI.3.1v1. Controls: CM-7, AC-6.","description":"Assessment of MS.POWERBI.3.1v1: The Invite external users to your organization feature SHOULD be disabled unless agency mission requires the capability.","related-observations":[{"observation-uuid":"a9329c80-aad5-52d8-a5ce-85636b1f1490"}]},{"uuid":"fa7173f5-dde1-51c7-a78c-dbda4cf9d1bc","title":"MS.POWERBI.4.1v1: Service principals with access to APIs SHOULD be restricted to specific security","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.4.1v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERBI.4.1v1. Controls: AC-4, AC-6.5.","description":"Assessment of MS.POWERBI.4.1v1: Service principals with access to APIs SHOULD be restricted to specific security groups.","related-observations":[{"observation-uuid":"dd9d74cc-1e85-5588-b6f8-03be3009e24f"}]},{"uuid":"6ea037a2-e157-5833-ae4c-52dd7b299958","title":"MS.POWERBI.4.2v1: Service principals creating and using profiles SHOULD be restricted to specific ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.4.2v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERBI.4.2v1. 
Controls: AC-4, AC-6.5.","description":"Assessment of MS.POWERBI.4.2v1: Service principals creating and using profiles SHOULD be restricted to specific security groups.","related-observations":[{"observation-uuid":"399a63aa-3171-5fbf-9628-0d09a131f4c7"}]},{"uuid":"2a3fc195-99c5-5ce7-8510-562dce5a5fd6","title":"MS.POWERBI.5.1v1: ResourceKey-based authentication SHOULD be blocked unless a specific use case (e","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.5.1v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERBI.5.1v1. Controls: CM-7, IA-5.","description":"Assessment of MS.POWERBI.5.1v1: ResourceKey-based authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use.","related-observations":[{"observation-uuid":"6f506791-ec88-5a6a-be2a-15af1d2480ef"}]},{"uuid":"12ca1234-8051-56bd-b930-b4bcdcf56caa","title":"MS.POWERBI.6.1v1: Python and R interactions SHOULD be disabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerbi.6.1v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERBI.6.1v1. Controls: CM-7, SI-3.","description":"Assessment of MS.POWERBI.6.1v1: Python and R interactions SHOULD be disabled.","related-observations":[{"observation-uuid":"df51b629-4ef9-5c4a-a7e8-e7c80d7b0858"}]},{"uuid":"a21a495c-847a-5c37-98b2-a9e55ad15587","title":"MS.POWERPLATFORM.1.2v1: The ability to create trial environments SHALL be restricted to admins.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerplatform.1.2v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERPLATFORM.1.2v1. 
Controls: AC-6.10.","description":"Assessment of MS.POWERPLATFORM.1.2v1: The ability to create trial environments SHALL be restricted to admins.","related-observations":[{"observation-uuid":"0693a3b9-81dc-5be0-9088-8135513e277e"}]},{"uuid":"91eaf006-469e-5126-bb77-e0a9c7f37c52","title":"MS.POWERPLATFORM.3.2v1: An inbound/outbound connection allowlist SHOULD be configured.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerplatform.3.2v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERPLATFORM.3.2v1. Controls: AC-3, SC-7.5.","description":"Assessment of MS.POWERPLATFORM.3.2v1: An inbound/outbound connection allowlist SHOULD be configured.","related-observations":[{"observation-uuid":"2a21e3ff-f5e3-51d3-905a-c2b2d0613fd0"}]},{"uuid":"97c7c6c4-505c-5d72-b917-27c5a4106e56","title":"MS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing guests or Only people","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.1.2v1"},"remarks":"Tenant configuration meets the requirement for MS.SHAREPOINT.1.2v1. Controls: AC-2, AC-3, IA-8.","description":"Assessment of MS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.","related-observations":[{"observation-uuid":"f44d0729-20d9-5f4d-afa7-0a460a90972d"}]},{"uuid":"d24a094e-5efb-5440-83db-115430bd245b","title":"MS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users i","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.1.3v1"},"remarks":"Tenant configuration meets the requirement for MS.SHAREPOINT.1.3v1. 
Controls: AC-3, AC-6.10.","description":"Assessment of MS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.","related-observations":[{"observation-uuid":"133ffee6-2c37-5469-9127-36ee7507c446"}]},{"uuid":"aba95b9f-c120-5e9f-9466-24bf1bebff5d","title":"MS.SHAREPOINT.2.2v1: File and folder default sharing permissions SHALL be set to View.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.2.2v1"},"remarks":"Tenant configuration meets the requirement for MS.SHAREPOINT.2.2v1. Controls: AC-6.","description":"Assessment of MS.SHAREPOINT.2.2v1: File and folder default sharing permissions SHALL be set to View.","related-observations":[{"observation-uuid":"00973cc0-7453-5ffc-a798-afb244034088"}]},{"uuid":"496aa256-2867-5ff4-97b1-eb37a034650e","title":"MS.SHAREPOINT.3.1v1: Expiration days for Anyone links SHALL be set to 30 days or less.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.3.1v1"},"remarks":"Tenant configuration meets the requirement for MS.SHAREPOINT.3.1v1. Controls: AC-3, AC-21.","description":"Assessment of MS.SHAREPOINT.3.1v1: Expiration days for Anyone links SHALL be set to 30 days or less.","related-observations":[{"observation-uuid":"3db67f16-31c5-5a9a-bcdb-745b2401668b"}]},{"uuid":"4aa4d0ca-be85-526b-9a6b-6332534f67cd","title":"MS.SHAREPOINT.3.2v1: The allowable file and folder permissions for links SHALL be set to View only.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.3.2v1"},"remarks":"Tenant configuration meets the requirement for MS.SHAREPOINT.3.2v1. 
Controls: AC-6.","description":"Assessment of MS.SHAREPOINT.3.2v1: The allowable file and folder permissions for links SHALL be set to View only.","related-observations":[{"observation-uuid":"8f107628-b16e-5f48-ab59-23346eb20772"}]},{"uuid":"49b3026b-f2e4-5f2e-aaa6-51fca4659efe","title":"MS.TEAMS.1.1v1: External meeting participants SHOULD NOT be enabled to request control of shared","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.1.1v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.1.1v1. Controls: AC-17.","description":"Assessment of MS.TEAMS.1.1v1: External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.","related-observations":[{"observation-uuid":"d380d53c-52fc-5284-9706-f18b92124221"}]},{"uuid":"8e815c9e-f648-50e7-b150-c6ad6315373a","title":"MS.TEAMS.1.3v1: Anonymous users and dial-in callers SHOULD NOT be admitted automatically.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.1.3v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.1.3v1. Controls: SC-15.","description":"Assessment of MS.TEAMS.1.3v1: Anonymous users and dial-in callers SHOULD NOT be admitted automatically.","related-observations":[{"observation-uuid":"b369b8b9-a822-535d-9df5-48ed6e6180f9"}]},{"uuid":"7545f875-53a0-50bc-bda8-f7d5c3f3d262","title":"MS.TEAMS.1.4v1: Internal users SHOULD be admitted automatically.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.1.4v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.1.4v1. 
Controls: AC-3.","description":"Assessment of MS.TEAMS.1.4v1: Internal users SHOULD be admitted automatically.","related-observations":[{"observation-uuid":"e08fdc67-7b4b-53c5-8326-827d84fd2a97"}]},{"uuid":"8330796d-786c-5000-acc3-f28e07070c71","title":"MS.TEAMS.1.5v1: Dial-in users SHOULD NOT be enabled to bypass the lobby.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.1.5v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.1.5v1. Controls: SC-15.","description":"Assessment of MS.TEAMS.1.5v1: Dial-in users SHOULD NOT be enabled to bypass the lobby.","related-observations":[{"observation-uuid":"e6a7bb64-a4c0-5047-a59c-f2671d79dac3"}]},{"uuid":"77eb7162-8ecb-58f0-9cac-8ff491377592","title":"MS.TEAMS.1.7v2: Record an event SHOULD NOT be set to Always record.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.1.7v2"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.1.7v2. Controls: AC-21.","description":"Assessment of MS.TEAMS.1.7v2: Record an event SHOULD NOT be set to Always record.","related-observations":[{"observation-uuid":"c0c0fa50-7a0c-5964-8b29-7f7171642a8c"}]},{"uuid":"2b837343-6856-52f1-968c-070ad1f89ef4","title":"MS.TEAMS.2.2v2: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.2.2v2"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.2.2v2. 
Controls: CM-7, SI-8.","description":"Assessment of MS.TEAMS.2.2v2: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.","related-observations":[{"observation-uuid":"71b60cf1-b3a4-519b-8193-b4aaf4e97bf1"}]},{"uuid":"f38d05ac-1d4f-518c-8991-35869f29ab98","title":"MS.TEAMS.2.3v2: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.2.3v2"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.2.3v2. Controls: CM-7, SC-7.10.","description":"Assessment of MS.TEAMS.2.3v2: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.","related-observations":[{"observation-uuid":"7754895b-c1a2-508a-a662-75adb1eca5e3"}]},{"uuid":"695b97e9-e1cc-5d3e-aaed-a3128883dd0c","title":"MS.TEAMS.4.1v1: Teams email integration SHALL be disabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.4.1v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.4.1v1. Controls: SI-8, SC-7.10, AC-4.","description":"Assessment of MS.TEAMS.4.1v1: Teams email integration SHALL be disabled.","related-observations":[{"observation-uuid":"cc404693-2cbe-567e-97e2-18862f238f3b"}]},{"uuid":"ae227edf-7087-5fee-80e9-2b83857e5d48","title":"MS.TEAMS.5.1v2: Agencies SHOULD only allow installation of Microsoft apps approved by the agency","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.5.1v2"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.5.1v2. 
Controls: CM-11.","description":"Assessment of MS.TEAMS.5.1v2: Agencies SHOULD only allow installation of Microsoft apps approved by the agency.","related-observations":[{"observation-uuid":"c7a60255-77e2-5369-9c8c-2b841fd1def9"}]},{"uuid":"baa579c7-b61b-590d-b466-f18ac55f82c6","title":"MS.TEAMS.5.3v2: Agencies SHOULD only allow installation of custom apps approved by the agency.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.5.3v2"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.5.3v2. Controls: CM-11.","description":"Assessment of MS.TEAMS.5.3v2: Agencies SHOULD only allow installation of custom apps approved by the agency.","related-observations":[{"observation-uuid":"bb70cee0-2b0b-55e4-a048-05bded446455"}]},{"uuid":"3b3e97ee-bc30-5931-ae61-ef3523e4cd0c","title":"MS.TEAMS.6.2v1: The DLP solution SHALL protect personally identifiable information (PII)","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.6.2v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.6.2v1. Controls: SC-7.10.","description":"Assessment of MS.TEAMS.6.2v1: The DLP solution SHALL protect personally identifiable information (PII)","related-observations":[{"observation-uuid":"4a1df495-1c4e-5d20-94de-9257b1ba0f51"}]},{"uuid":"cf3cc431-b6fb-5a6d-a00e-4d25f7aaadf1","title":"MS.TEAMS.7.1v1: Attachments included with Teams messages SHOULD be scanned for malware.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.7.1v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.7.1v1. 
Controls: SI-3.","description":"Assessment of MS.TEAMS.7.1v1: Attachments included with Teams messages SHOULD be scanned for malware.","related-observations":[{"observation-uuid":"705fc3f0-a2d2-52c3-a896-306bd6c6deb3"}]},{"uuid":"6d9df248-8fbe-56c7-979b-952a80d4da30","title":"MS.TEAMS.7.2v1: Users SHOULD be prevented from opening or downloading files detected as malware.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.7.2v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.7.2v1. Controls: SI-3.","description":"Assessment of MS.TEAMS.7.2v1: Users SHOULD be prevented from opening or downloading files detected as malware.","related-observations":[{"observation-uuid":"f92eb9ff-815e-5ab6-8218-52d199943c7f"}]},{"uuid":"453edbc2-519a-5f79-8f30-56e6f492ac0f","title":"MS.TEAMS.8.1v1: URL comparison with a blocklist SHOULD be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.8.1v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.8.1v1. Controls: SI-3.","description":"Assessment of MS.TEAMS.8.1v1: URL comparison with a blocklist SHOULD be enabled.","related-observations":[{"observation-uuid":"ef33635f-d2d6-5f1b-a3df-a166adb3e1c2"}]},{"uuid":"1fab9748-8960-5045-892f-483ae432aadc","title":"MS.TEAMS.8.2v1: User click tracking SHOULD be enabled.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.teams.8.2v1"},"remarks":"Tenant configuration meets the requirement for MS.TEAMS.8.2v1. 
Controls: AU-12.","description":"Assessment of MS.TEAMS.8.2v1: User click tracking SHOULD be enabled.","related-observations":[{"observation-uuid":"53e5cad0-05c1-5564-a06b-81fdfc2041bd"}]},{"uuid":"64cccc1e-104f-55a8-a8e9-5928b1ff4d6a","title":"MS.AAD.2.2v1: A notification SHOULD be sent to the administrator when high-risk users are dete","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.2.2v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.2.2v1. Controls: AC-2.12.","description":"Assessment of MS.AAD.2.2v1: A notification SHOULD be sent to the administrator when high-risk users are detected.","related-observations":[{"observation-uuid":"5ab38426-7f42-51f5-b7b5-f9faf3232219"}]},{"uuid":"740278d0-34c9-57c5-9dbe-96522c241be1","title":"MS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.2.3v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.2.3v1. Controls: AC-2.12, AC-2.13.","description":"Assessment of MS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.","related-observations":[{"observation-uuid":"ab461bc6-bfce-5f40-bc54-8a1b9692d957"}]},{"uuid":"bd3930a7-3039-5e18-a7e6-7882408f8190","title":"MS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login cont","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.3v2"},"remarks":"Tenant configuration meets the requirement for MS.AAD.3.3v2. 
Controls: IA-2.1, IA-2.2, IA-5, IA-2.8, IA-2.13.","description":"Assessment of MS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.","related-observations":[{"observation-uuid":"2889a67e-6e18-50ee-b4db-0589398c6560"}]},{"uuid":"ddf23bf7-8c7c-5b1d-8caf-f9cff6e9781d","title":"MS.AAD.3.4v1: The Authentication Methods Manage Migration feature SHALL be set to Migration Co","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.4v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.3.4v1. Controls: CM-7.","description":"Assessment of MS.AAD.3.4v1: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.","related-observations":[{"observation-uuid":"8de61ebd-70b9-578e-b9b6-a4ed8933d04e"}]},{"uuid":"8843aa1c-be03-55d2-ae85-8e153b94ab99","title":"MS.AAD.3.5v1: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SH","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.5v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.3.5v1. Controls: CM-7, IA-5.","description":"Assessment of MS.AAD.3.5v1: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.","related-observations":[{"observation-uuid":"86f394a4-9265-5868-90d9-1582b815a5b6"}]},{"uuid":"47d600bf-1d5b-5e6f-a0b5-2d3c6ca4ab5e","title":"MS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for highly privileged roles.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.6v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.3.6v1. 
Controls: IA-2.1, IA-5, IA-2.8.","description":"Assessment of MS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for highly privileged roles.","related-observations":[{"observation-uuid":"8299cf0b-45e5-5117-93d7-2db4aa558fde"}]},{"uuid":"b8bdc6a7-e606-5cc5-aac3-b2cd3654832c","title":"MS.AAD.3.8v1: Managed Devices SHOULD be required to register MFA.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.3.8v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.3.8v1. Controls: AC-20, IA-3.","description":"Assessment of MS.AAD.3.8v1: Managed Devices SHOULD be required to register MFA.","related-observations":[{"observation-uuid":"9bfdacc1-452d-5ee4-beb5-d72481dbb7ce"}]},{"uuid":"f5737141-a037-526b-a3d5-0377c21abf18","title":"MS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.5.1v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.5.1v1. Controls: AC-6.10, CM-5.","description":"Assessment of MS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.","related-observations":[{"observation-uuid":"afc1a3d5-514e-570c-af1a-e2119e38cabd"}]},{"uuid":"0d468d9a-29be-5401-83e9-8bb4d0144fed","title":"MS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.5.2v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.5.2v1. 
Controls: AC-6.10, CM-5.","description":"Assessment of MS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.","related-observations":[{"observation-uuid":"803fe688-780e-525e-ac8e-827a4452c2e0"}]},{"uuid":"bc93822f-6873-55ae-a578-c956b792ecf4","title":"MS.AAD.5.3v1: An admin consent workflow SHALL be configured for applications.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.5.3v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.5.3v1. Controls: CM-4.","description":"Assessment of MS.AAD.5.3v1: An admin consent workflow SHALL be configured for applications.","related-observations":[{"observation-uuid":"b978bbe1-8fb5-5811-8f1f-836ecc0214e3"}]},{"uuid":"85409c5f-fc8e-53b2-a5df-094edb59c567","title":"MS.AAD.6.1v1: User passwords SHALL NOT expire.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.6.1v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.6.1v1. Controls: IA-5.1.","description":"Assessment of MS.AAD.6.1v1: User passwords SHALL NOT expire.","related-observations":[{"observation-uuid":"ddbc8d69-e365-5450-8e28-0fe27237d825"}]},{"uuid":"c73efc83-eb94-5730-a6bd-b4a29d719943","title":"MS.AAD.7.3v1: Privileged users SHALL be provisioned cloud-only accounts separate from an on-pr","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.7.3v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.7.3v1. 
Controls: AC-6.5.","description":"Assessment of MS.AAD.7.3v1: Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.","related-observations":[{"observation-uuid":"5f20317f-79c8-5e3f-a59d-d19faddf4d8e"}]},{"uuid":"ca36bb87-161d-513c-9880-bf33726a689c","title":"MS.AAD.7.5v1: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM s","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.7.5v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.7.5v1. Controls: AC-2.","description":"Assessment of MS.AAD.7.5v1: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.","related-observations":[{"observation-uuid":"f62e6ebb-cb0a-52d5-8613-74460dc9b993"}]},{"uuid":"0aa79a84-ac34-58d1-9523-dc97f6ff2b09","title":"MS.AAD.7.7v1: Eligible and Active highly privileged role assignments SHALL trigger an alert.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.7.7v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.7.7v1. Controls: AC-2.1.","description":"Assessment of MS.AAD.7.7v1: Eligible and Active highly privileged role assignments SHALL trigger an alert.","related-observations":[{"observation-uuid":"3ee57d79-8286-5a5b-adaa-17ba2bc758e1"}]},{"uuid":"ede732db-3ba8-5142-8139-cadd94578982","title":"MS.AAD.7.8v1: User activation of the Global Administrator role SHALL trigger an alert.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.7.8v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.7.8v1. 
Controls: AC-6.9.","description":"Assessment of MS.AAD.7.8v1: User activation of the Global Administrator role SHALL trigger an alert.","related-observations":[{"observation-uuid":"818b42ac-9b42-5abb-ab63-cbad64518a49"}]},{"uuid":"ad5c971b-7cfa-597d-9057-c3ff60694cc0","title":"MS.AAD.7.9v1: User activation of other highly privileged roles SHOULD trigger an alert.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.aad.7.9v1"},"remarks":"Tenant configuration meets the requirement for MS.AAD.7.9v1. Controls: AC-6.9.","description":"Assessment of MS.AAD.7.9v1: User activation of other highly privileged roles SHOULD trigger an alert.","related-observations":[{"observation-uuid":"66b09bd0-7f86-5b96-9ce7-5d7a0f495267"}]},{"uuid":"cde64d35-d3c0-5a6a-9c69-cb2078605f0b","title":"MS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection (EOP) in either the stand","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.1.2v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.1.2v1. Controls: CM-6, SI-3, SI-8.","description":"Assessment of MS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy.","related-observations":[{"observation-uuid":"bfa7b393-2dca-5358-94a2-2faad11ba0c1"}]},{"uuid":"c10d714e-15ae-57ac-ad1d-9cf076c469bb","title":"MS.DEFENDER.6.3v1: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.defender.6.3v1"},"remarks":"Tenant configuration meets the requirement for MS.DEFENDER.6.3v1. 
Controls: AU-11.","description":"Assessment of MS.DEFENDER.6.3v1: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31.","related-observations":[{"observation-uuid":"700bf35b-8471-570a-9793-b6e9a773fc0c"}]},{"uuid":"d5449d8c-5902-5647-a24b-bff13ba9b4ea","title":"MS.EXO.2.2v2: An SPF policy SHALL be published for each domain that fails all non-approved sen","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.2.2v2"},"remarks":"Tenant configuration meets the requirement for MS.EXO.2.2v2. Controls: AC-2.","description":"Assessment of MS.EXO.2.2v2: An SPF policy SHALL be published for each domain that fails all non-approved senders.","related-observations":[{"observation-uuid":"b86c7934-dd78-5178-9789-c72d069f8ec4"}]},{"uuid":"5b689b09-b8a6-5be0-b9e2-985733748d5a","title":"MS.EXO.4.1v1: A DMARC policy SHALL be published for every second-level domain.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.4.1v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.4.1v1. Controls: SI-8.","description":"Assessment of MS.EXO.4.1v1: A DMARC policy SHALL be published for every second-level domain.","related-observations":[{"observation-uuid":"d4834c20-0345-53ff-9c16-49a39512d5a3"}]},{"uuid":"9fa25b57-39a9-5ecb-8259-f608168cb731","title":"MS.EXO.4.3v1: The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cy","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.4.3v1"},"remarks":"Tenant configuration meets the requirement for MS.EXO.4.3v1. 
Controls: SI-4.5.","description":"Assessment of MS.EXO.4.3v1: The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`.","related-observations":[{"observation-uuid":"7d45c3d4-9738-5a2b-b1f1-c9394682f5b0"}]},{"uuid":"dcf35762-44e7-51a8-a1a1-dc30f8c8e536","title":"MS.EXO.9.1v2: Emails SHALL be filtered by attachment file types.","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.exo.9.1v2"},"remarks":"Tenant configuration meets the requirement for MS.EXO.9.1v2. Controls: SI-3.","description":"Assessment of MS.EXO.9.1v2: Emails SHALL be filtered by attachment file types.","related-observations":[{"observation-uuid":"23e5ab77-bae8-5c7f-a029-f0d1587e6647"}]},{"uuid":"18e75db4-ada8-56af-9656-909129cafaf5","title":"MS.POWERPLATFORM.2.1v1: A DLP policy SHALL be created to restrict connector access in the default Power ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.powerplatform.2.1v1"},"remarks":"Tenant configuration meets the requirement for MS.POWERPLATFORM.2.1v1. Controls: SC-7.10.","description":"Assessment of MS.POWERPLATFORM.2.1v1: A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.","related-observations":[{"observation-uuid":"c81f0074-3767-5bbd-8849-eb07f6342e67"}]},{"uuid":"e4e55bbf-7603-5255-8b21-2cf6d8a22b48","title":"MS.SHAREPOINT.2.1v1: File and folder default sharing scope SHALL be set to Specific people (only the ","target":{"type":"objective-id","status":{"state":"satisfied"},"target-id":"ms.sharepoint.2.1v1"},"remarks":"Tenant configuration meets the requirement for MS.SHAREPOINT.2.1v1. 
Controls: AC-6.","description":"Assessment of MS.SHAREPOINT.2.1v1: File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies).","related-observations":[{"observation-uuid":"3992921d-42c0-56dc-8b48-ea3f52697765"}]}],"description":"This assessment result documents the findings of an automated and examiner-reviewed evaluation of the M365 tenant against the CISA Secure Cloud Business Applications (SCuBA) baselines. Assessment was conducted using read-only API queries executed by ScubaGear and supplemented by manual examiner review. The tenant was evaluated across seven product areas: Microsoft Entra ID (MS.AAD), Microsoft Defender (MS.DEFENDER), Exchange Online (MS.EXO), Power BI (MS.POWERBI), Power Platform (MS.POWERPLATFORM), SharePoint Online and OneDrive (MS.SHAREPOINT), and Microsoft Teams (MS.TEAMS). Results reflect the tenant configuration state as of the assessment date.","observations":[{"uuid":"941e3133-152b-5301-8762-abd228b5ee80","title":"Observation: MS.AAD.1.1v1 - Legacy Authentication Blocking","types":["finding"],"methods":["TEST"],"remarks":"Legacy authentication is blocked tenant-wide via a Conditional Access policy in the enabled state. Control CM-7 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"422ccfe4-7b60-4fe8-81ff-3d4464cc6e05"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried the Conditional Access policy configuration via Microsoft Graph API. A policy targeting all users with a condition for legacy authentication protocols and a grant control of 'Block' was identified and confirmed enabled."},{"uuid":"d4337622-1625-5388-9149-e570a170fc86","title":"Observation: MS.AAD.2.1v1 - High-Risk Users Blocked","types":["finding"],"methods":["TEST"],"remarks":"High-risk users are blocked via Identity Protection Conditional Access policy. 
Controls AC-2(12) and AC-2(13) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"f8778b31-80d0-4ce7-8089-eaef63db47aa"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed via Microsoft Graph API that a Conditional Access policy with user risk condition set to 'high' and a grant control of 'Block access' is present and enabled."},{"uuid":"5ab38426-7f42-51f5-b7b5-f9faf3232219","title":"Observation: MS.AAD.2.2v1 - High-Risk User Notifications","types":["finding"],"methods":["TEST"],"remarks":"Administrator notifications for high-risk user events are enabled. Control AC-2(12) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"2ba05345-887d-4306-9378-e04ac6bf13e7"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed Identity Protection alert configuration. An alert notification to the tenant's global administrator group is confirmed active for high-risk user detections."},{"uuid":"ab461bc6-bfce-5f40-bc54-8a1b9692d957","title":"Observation: MS.AAD.2.3v1 - High-Risk Sign-ins Blocked","types":["finding"],"methods":["TEST"],"remarks":"High-risk sign-ins are blocked via Conditional Access. Controls AC-2(12) and AC-2(13) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"e7273bf6-6251-41f1-919e-d7d45f8f8c69"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed a Conditional Access policy with sign-in risk condition set to 'high' and a grant control of 'Block access' is present and enabled."},{"uuid":"e40c8114-14a1-5baa-9c1c-5bb8000f9af1","title":"Observation: MS.AAD.3.1v1 - Phishing-Resistant MFA Enforced for All Users","types":["finding"],"methods":["TEST"],"remarks":"Phishing-resistant MFA enforced for all users. 
Controls IA-2(1), IA-2(2), IA-5, and IA-2(8) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"b5b21ca4-bb3e-44e2-bc26-2363f8d3e0dc"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed Conditional Access policies for MFA enforcement. A policy requiring phishing-resistant authentication strength (FIDO2 security keys and Windows Hello for Business) is applied to all users and is in the enabled state."},{"uuid":"2889a67e-6e18-50ee-b4db-0589398c6560","title":"Observation: MS.AAD.3.3v2 - Microsoft Authenticator Login Context","types":["finding"],"methods":["TEST"],"remarks":"Microsoft Authenticator is configured to display login context. Controls IA-2(1), IA-2(2), IA-5, IA-2(8), and IA-2(13) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"3b09e019-74d8-4bb8-828c-2e7909c7947b"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried authentication methods policy via Microsoft Graph API. Microsoft Authenticator is enabled and configured with number matching and additional context (application name and geographic location) enabled."},{"uuid":"8de61ebd-70b9-578e-b9b6-a4ed8933d04e","title":"Observation: MS.AAD.3.4v1 - Authentication Methods Migration Complete","types":["finding"],"methods":["TEST"],"remarks":"Authentication Methods migration is complete. Control CM-7 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"4e57b673-52ca-4eaa-a85c-42e688609054"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried the authentication methods policy configuration. The Manage Migration feature is set to 'MigrationComplete'."},{"uuid":"86f394a4-9265-5868-90d9-1582b815a5b6","title":"Observation: MS.AAD.3.5v1 - Weak Authentication Methods Disabled","types":["finding"],"methods":["TEST"],"remarks":"SMS, Voice, and Email OTP disabled. 
Controls CM-7(b) and IA-5 are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"23547b83-ce20-4be1-a64b-abacba60733c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed authentication methods policy. SMS, voice call, and email OTP are confirmed disabled in the Authentication Methods policy."},{"uuid":"8299cf0b-45e5-5117-93d7-2db4aa558fde","title":"Observation: MS.AAD.3.6v1 - Phishing-Resistant MFA for Highly Privileged Roles","types":["finding"],"methods":["TEST"],"remarks":"Phishing-resistant MFA required for highly privileged roles. Controls IA-2(1), IA-5, and IA-2(8) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"08c5c660-c8c3-4e9b-b76e-dc0afbbeabb6"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed a dedicated Conditional Access policy requiring phishing-resistant authentication strength is scoped to all highly privileged roles as defined in the SCuBA baseline."},{"uuid":"eaabc3f4-c7ed-5ce7-a26f-a3f79180b310","title":"Observation: MS.AAD.3.7v1 - Managed Devices Required for Authentication","types":["finding"],"methods":["TEST"],"remarks":"No tenant-wide Conditional Access policy requiring a managed device for authentication was found. Controls AC-20(b) and IA-3 are not satisfied for the general user population.","subjects":[{"type":"assessment-activity","subject-uuid":"4b7f6f09-84da-4c03-ba7b-d02ff52d5b69"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed Conditional Access policies for device compliance requirements. No policy exists requiring a compliant or Hybrid Azure AD Joined device as a condition for authentication for the general user population. 
Only a subset of users in the 'Privileged Users' security group are covered by a device compliance requirement."},{"uuid":"9bfdacc1-452d-5ee4-beb5-d72481dbb7ce","title":"Observation: MS.AAD.3.8v1 - Managed Devices Required for MFA Registration","types":["finding"],"methods":["TEST"],"remarks":"Managed device requirement for MFA registration not enforced. Controls AC-20(b) and IA-3 are not satisfied. This gap allows an adversary with stolen credentials to register their own MFA device from an unmanaged device.","subjects":[{"type":"assessment-activity","subject-uuid":"9413f12e-db95-44e6-96c3-e1617d313346"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed Conditional Access policies governing MFA registration. No policy enforcing a managed device requirement at the time of MFA method registration was identified."},{"uuid":"ec6ef48b-e73b-5d8a-a60a-919f5efbed1d","title":"Observation: MS.AAD.3.9v1 - Device Code Authentication Blocked","types":["finding"],"methods":["TEST"],"remarks":"Device code authentication flow is not blocked. Control CM-7 is not satisfied. This presents a phishing risk as demonstrated by the Storm-2372 threat actor campaign.","subjects":[{"type":"assessment-activity","subject-uuid":"44d65b67-ad4f-4f45-bec3-dabf87e3ee39"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried Conditional Access policies for device code flow restrictions. No policy blocking the device code authentication flow was identified in the tenant."},{"uuid":"27f80a7e-b877-5e74-a96a-d78be6edd259","title":"Observation: MS.AAD.4.1v1 - Security Logs Sent to SOC","types":["finding"],"methods":["TEST"],"remarks":"Security logs are forwarded to SOC infrastructure. 
Control AU-4 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"f7faa6e0-d544-4f04-bd22-42d6bc4a0b45"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that Entra ID sign-in and audit logs are configured for export to the agency's Azure Monitor Log Analytics workspace, which feeds the security operations center SIEM."},{"uuid":"afc1a3d5-514e-570c-af1a-e2119e38cabd","title":"Observation: MS.AAD.5.1v1 - App Registration Restricted to Admins","types":["finding"],"methods":["TEST"],"remarks":"Application registration limited to admins. Controls AC-6(10) and CM-5 are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"b7afe9cf-d85c-43cc-b220-1e299c503814"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried Entra ID user settings. The 'Users can register applications' toggle is set to 'No', restricting application registration to administrator roles only."},{"uuid":"803fe688-780e-525e-ac8e-827a4452c2e0","title":"Observation: MS.AAD.5.2v1 - App Consent Restricted to Admins","types":["finding"],"methods":["TEST"],"remarks":"User consent to applications is disabled. Controls AC-6(10) and CM-5 are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"6c265210-a3af-4d88-8afc-a7aceaf03f15"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner verified the enterprise application user consent settings. The consent policy is set to 'Do not allow user consent', requiring administrative consent for all application permissions."},{"uuid":"b978bbe1-8fb5-5811-8f1f-836ecc0214e3","title":"Observation: MS.AAD.5.3v1 - Admin Consent Workflow Configured","types":["finding"],"methods":["TEST"],"remarks":"Admin consent workflow is active. 
Control CM-4 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"396592ab-bb71-4b97-93c5-b9941b8eb415"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the admin consent workflow is enabled with at least one designated reviewer, allowing users to submit consent requests for administrative review."},{"uuid":"ddbc8d69-e365-5450-8e28-0fe27237d825","title":"Observation: MS.AAD.6.1v1 - Password Expiration Disabled","types":["finding"],"methods":["TEST"],"remarks":"Password expiration is disabled for cloud accounts. Control IA-5(1) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"1341cd43-6d42-4eea-8f26-f3e06cfb9fca"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried tenant password policies. Cloud-only user passwords are set to never expire, consistent with NIST SP 800-63B and OMB M-22-09 guidance."},{"uuid":"6cbdcb7e-0700-5dc6-99c9-7932e2d258f3","props":[{"ns":"http://comply0.com/ns/oscal","name":"actual-count","value":"11"},{"ns":"http://comply0.com/ns/oscal","name":"allowed-maximum","value":"8"}],"title":"Observation: MS.AAD.7.1v1 - Global Administrator Count","types":["finding"],"methods":["TEST"],"remarks":"Eleven accounts hold the Global Administrator role, exceeding the maximum of 8 permitted by the SCuBA baseline. Three additional break-glass accounts are contributing to the overage. Control AC-6(5) is not satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"37617d5c-9685-4d2a-aca6-6d0f764f521a"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried Privileged Identity Management (PIM) for the count of accounts assigned to the Global Administrator role, both eligible and active. The query returned 11 active Global Administrator assignments: 8 standard user accounts and 3 break-glass emergency access accounts. 
The SCuBA baseline permits a maximum of 8."},{"uuid":"48318f52-3112-5604-84bd-23757a40cd35","title":"Observation: MS.AAD.7.2v1 - Least-Privilege Roles for Privileged Users","types":["finding"],"methods":["TEST"],"remarks":"Four Global Administrators have documented roles that could be fulfilled with finer-grained assignments. Control AC-5 is not satisfied for those accounts.","subjects":[{"type":"assessment-activity","subject-uuid":"5490e069-0158-41da-bf12-0a5dffa1317f"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed role assignments for users currently holding the Global Administrator role. Of the 8 standard user accounts, 4 are assigned Global Administrator as their sole privileged role and have documented job functions requiring only Exchange Administrator and Compliance Administrator scoped access."},{"uuid":"5f20317f-79c8-5e3f-a59d-d19faddf4d8e","title":"Observation: MS.AAD.7.3v1 - Cloud-Only Privileged Accounts","types":["finding"],"methods":["TEST"],"remarks":"All privileged accounts are cloud-only. Control AC-6(5) is satisfied for this check.","subjects":[{"type":"assessment-activity","subject-uuid":"9b2bcceb-a877-4cec-9cba-4d880c4a153c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried Entra ID user properties for all Global Administrators and other highly privileged role holders. All accounts with privileged role assignments have an 'onPremisesSyncEnabled' property of null or false, confirming they are cloud-only accounts."},{"uuid":"c4f66e44-f13d-5eae-ba98-7d91317fbdab","props":[{"ns":"http://comply0.com/ns/oscal","name":"permanent-active-count","value":"2"}],"title":"Observation: MS.AAD.7.4v1 - No Permanent Active Highly Privileged Roles","types":["finding"],"methods":["TEST"],"remarks":"Two highly privileged role assignments exist as permanent active outside PIM. Control AC-2 is not satisfied. 
These accounts should be converted to eligible assignments within PIM.","subjects":[{"type":"assessment-activity","subject-uuid":"e592f49f-ba58-4d35-beb9-0e5ee3aeef98"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried PIM for permanent active role assignments to the 16 highly privileged roles identified by the SCuBA baseline. Two accounts were identified with permanent active assignments to the Privileged Role Administrator and Exchange Administrator roles respectively, both outside of PIM management."},{"uuid":"f62e6ebb-cb0a-52d5-8613-74460dc9b993","title":"Observation: MS.AAD.7.5v1 - Privileged Provisioning via PAM System Only","types":["finding"],"methods":["TEST"],"remarks":"Privileged role provisioning occurs within PIM with minor exceptions noted in 7.4. Control AC-2 is substantially satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"b7bb79bc-6bc6-4690-b468-a245baa9f569"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that all eligible and active role assignments for the 16 SCuBA-defined highly privileged roles are managed through Entra ID PIM. No direct role assignments outside of PIM were identified for in-scope roles other than the two permanent active assignments noted in MS.AAD.7.4v1."},{"uuid":"4f296617-5ab6-5256-800f-875c3f7501eb","title":"Observation: MS.AAD.7.6v1 - Global Administrator Activation Requires Approval","types":["finding"],"methods":["TEST"],"remarks":"Global Administrator activation requires approval. Control AC-6(1) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"d72f1f68-e016-4be9-83a0-a8c7c6a2d0c5"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed PIM role settings for the Global Administrator role. 
The activation settings require approval from a designated approver before activation is granted, and the maximum activation duration is set to 4 hours."},{"uuid":"3ee57d79-8286-5a5b-adaa-17ba2bc758e1","title":"Observation: MS.AAD.7.7v1 - Role Assignment Alerts Configured","types":["finding"],"methods":["TEST"],"remarks":"Role assignment alerts are active. Control AC-2(1) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"67518f12-9f60-4ac9-9bdc-69dfb9d243ab"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner verified PIM alert settings for all 16 highly privileged roles. Eligible and active assignment alerts are confirmed enabled and routed to the security compliance mailbox."},{"uuid":"818b42ac-9b42-5abb-ab63-cbad64518a49","title":"Observation: MS.AAD.7.8v1 - Global Administrator Activation Alert","types":["finding"],"methods":["TEST"],"remarks":"Global Administrator activation triggers an alert. Control AC-6(9) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"e56c4f86-f578-4c38-8855-54af56517b4e"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that PIM is configured to send an alert whenever the Global Administrator role is activated, routed to the security operations mailbox."},{"uuid":"66b09bd0-7f86-5b96-9ce7-5d7a0f495267","title":"Observation: MS.AAD.7.9v1 - Other Highly Privileged Role Activation Alerts","types":["finding"],"methods":["TEST"],"remarks":"Activation alerts configured for all highly privileged roles. Control AC-6(9) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"2ff8ff69-7b5e-41da-8410-b0438b86a2ea"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed PIM notification settings for all 16 SCuBA-defined highly privileged roles. 
Activation alerts are confirmed configured for all 16 roles."},{"uuid":"822cc280-9b3b-52c4-8b7d-5e6b5767dddf","title":"Observation: MS.DEFENDER.1.1v1 - Standard and Strict Preset Security Policies Enabled","types":["finding"],"methods":["TEST"],"remarks":"Standard and Strict preset policies are active. Controls CM-6(a), SI-3(a), and SI-8 are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"0763d718-a66e-4eac-9b3e-00eb007e141a"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed both the Standard and Strict preset security policies are in the enabled state within Microsoft Defender for Office 365."},{"uuid":"bfa7b393-2dca-5358-94a2-2faad11ba0c1","title":"Observation: MS.DEFENDER.1.2v1 - All Users in EOP Preset Policy","types":["finding"],"methods":["TEST"],"remarks":"All users covered by EOP preset policy. Controls CM-6(a), SI-3(a), and SI-8 are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"d217c197-f8d7-4f29-afd5-aba7e3d084e7"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that all licensed users are included in either the Standard or Strict EOP preset security policy via the 'All users' assignment."},{"uuid":"ef43a194-1829-5c8c-b197-845fa3e05eab","title":"Observation: MS.DEFENDER.2.1v1 - User Impersonation Protection for Sensitive Accounts","types":["finding"],"methods":["TEST"],"remarks":"No protected users have been added to impersonation protection in either preset policy. Control SI-8 is not fully satisfied. Sensitive accounts such as executives and security personnel are at elevated risk of impersonation-based phishing.","subjects":[{"type":"assessment-activity","subject-uuid":"fffd38b9-3d2c-4fdd-91ac-b1852f52394d"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed anti-phishing policy settings for both Standard and Strict preset policies. User impersonation protection has not been configured with any protected users in either policy. 
The agency has not defined a list of sensitive accounts for the purpose of impersonation protection."},{"uuid":"2821955c-d13f-50d3-be5e-0e5632ffedd9","title":"Observation: MS.DEFENDER.4.1v2 - DLP Policy for PII","types":["finding"],"methods":["TEST"],"remarks":"DLP policy for PII is in place. Control SC-7(10) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"ca0432d2-27c3-4405-87cf-f375c86bcdf7"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed Microsoft Purview Data Loss Prevention policies. A custom DLP policy is configured that detects and blocks sharing of U.S. Social Security numbers, U.S. Individual Taxpayer Identification Numbers, and credit card numbers."},{"uuid":"33b330b7-871f-57cb-a041-3585789f9f44","title":"Observation: MS.DEFENDER.4.2v1 - DLP Policy Scope","types":["finding"],"methods":["TEST"],"remarks":"The DLP policy does not include the Devices workload. Control SC-7(10) is not fully satisfied. Endpoint device coverage for DLP is pending Defender for Endpoint onboarding completion.","subjects":[{"type":"assessment-activity","subject-uuid":"86f06431-57be-496f-9ddc-e1f143733f43"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed the DLP policy workload scope. The agency's custom PII DLP policy is applied to Exchange, SharePoint, OneDrive, and Teams Chat. However, the 'Devices' workload is not included due to incomplete Defender for Endpoint onboarding."},{"uuid":"285313bf-ff69-5d5e-8dcf-5b3fe5fed33e","title":"Observation: MS.DEFENDER.6.1v1 - Unified Audit Logging Enabled","types":["finding"],"methods":["TEST"],"remarks":"Unified Audit Log is enabled. 
Control AU-12 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"3ea722d7-e3cb-444e-9782-20088526b7f6"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed via PowerShell that the Unified Audit Log is enabled for the tenant."},{"uuid":"700bf35b-8471-570a-9793-b6e9a773fc0c","title":"Observation: MS.DEFENDER.6.3v1 - Audit Log Retention Duration","types":["finding"],"methods":["TEST"],"remarks":"Audit log retention meets OMB M-21-31 requirements. Control AU-11 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"71268fc6-3a91-479a-bf82-ce47daa41070"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the tenant holds Microsoft Purview Audit (Premium) licenses, enabling one-year default retention. A custom retention policy extends coverage for high-value workloads to ten years per OMB M-21-31 requirements."},{"uuid":"495a5d77-8ec3-59c4-a209-4a6016cb73b8","title":"Observation: MS.EXO.1.1v2 - Automatic External Forwarding Disabled","types":["finding"],"methods":["TEST"],"remarks":"External auto-forwarding is disabled. Control AC-4 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"b10db434-d24a-47d9-ad36-cbfe7af7d61d"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the default outbound spam filter policy has the 'AutoForwardingMode' set to 'Off', blocking automatic forwarding to external domains."},{"uuid":"b86c7934-dd78-5178-9789-c72d069f8ec4","title":"Observation: MS.EXO.2.2v2 - SPF Policy Published for All Domains","types":["finding"],"methods":["TEST"],"remarks":"SPF records with hard fail (-all) are published for all domains. Control AC-2(d) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"c5f6468d-4450-4d92-8f9a-80d85bf4629e"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried DNS TXT records for all 4 agency domains. 
All four have an SPF record ending in '-all', failing all non-approved senders."},{"uuid":"b16a4012-c0dc-5548-b278-5e7d9af63ae9","props":[{"ns":"http://comply0.com/ns/oscal","name":"domains-with-dkim","value":"2 of 4"}],"title":"Observation: MS.EXO.3.1v1 - DKIM Enabled for All Domains","types":["finding"],"methods":["TEST"],"remarks":"DKIM is not enabled for all agency domains. Control SC-8 is not fully satisfied. Two secondary domains lack DKIM signing, reducing email integrity verification coverage.","subjects":[{"type":"assessment-activity","subject-uuid":"23dc5124-e18e-4e3c-b88d-b53dc7485b99"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried Exchange Online DKIM configuration for all 4 registered domains. DKIM signing is enabled for 2 of 4 domains. Two secondary domains ('legacy-agency.gov' and 'agency-program.gov') have DKIM disabled."},{"uuid":"d4834c20-0345-53ff-9c16-49a39512d5a3","title":"Observation: MS.EXO.4.1v1 - DMARC Policy Published","types":["finding"],"methods":["TEST"],"remarks":"DMARC records published for all second-level domains. Control SI-8 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"f443dd5c-d88d-45b1-ba37-2f51fc0dbbfa"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed DMARC records are published for all 4 second-level domains."},{"uuid":"513f2560-7470-5ada-8957-f35bf015fb37","title":"Observation: MS.EXO.4.2v1 - DMARC Policy Set to p=reject","types":["finding"],"methods":["TEST"],"remarks":"DMARC rejection policy (p=reject) is in place. 
Control SI-8 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"d6310203-b683-426d-9640-9805eb372546"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed all 4 DMARC records include p=reject."},{"uuid":"7d45c3d4-9738-5a2b-b1f1-c9394682f5b0","title":"Observation: MS.EXO.4.3v1 - DMARC CISA Reporting Address","types":["finding"],"methods":["TEST"],"remarks":"CISA DMARC reporting address included. Control SI-4(5) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"428d2c9f-92c5-444e-a3f6-5162d743b440"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the DMARC aggregate report (rua) tag on all 4 domains includes reports@dmarc.cyber.dhs.gov."},{"uuid":"23e5ab77-bae8-5c7f-a029-f0d1587e6647","title":"Observation: MS.EXO.9.1v2 - Attachment File Type Filtering Enabled","types":["finding"],"methods":["TEST"],"remarks":"Attachment file type filtering is active. Control SI-3 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"9bc9a8da-e2bc-4b9b-a4f2-93d96d123682"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the Common Attachments Filter in the tenant's default anti-malware policy is enabled."},{"uuid":"eac260f1-247e-554c-a724-62566d48ef89","title":"Observation: MS.EXO.9.5v1 - Click-to-Run File Types Blocked","types":["finding"],"methods":["TEST"],"remarks":"Common click-to-run executable types (.exe, .cmd, .vbe) are not included in the attachment block list. Control SI-3 is not fully satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"5a425426-6f96-411b-8c20-811b888311aa"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed the list of blocked file types in the Common Attachments Filter. The current blocked list does not include .exe, .cmd, or .vbe. 
The agency's custom blocked list only covers .bat and .ps1 file types."},{"uuid":"67e534ae-46c0-55e3-b860-c1df7774d0b6","title":"Observation: MS.EXO.13.1v1 - Mailbox Auditing Enabled","types":["finding"],"methods":["TEST"],"remarks":"Mailbox auditing is enabled. Control AU-12(c) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"48380507-2926-49ad-a64d-02402894fbc7"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that mailbox auditing is enabled by default for all Exchange Online mailboxes, with the 'AuditEnabled' property set to true at the organization level."},{"uuid":"8615d1d4-7de2-5edb-b618-33e647fbfe29","title":"Observation: MS.POWERBI.1.1v1 - Publish to Web Disabled","types":["finding"],"methods":["TEST"],"remarks":"Publish to Web feature is disabled. Controls CM-7 and SC-7(10)(a) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"388a42ef-40d9-48c0-bbd5-b3e24a025f15"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that the Power BI tenant 'PublishToWebAllowedStates' setting is set to 'Disabled', preventing users from publishing reports to public web URLs."},{"uuid":"492c19a0-0639-532f-8983-666b2c42cdfd","title":"Observation: MS.POWERBI.7.1v1 - Sensitivity Labels in Power BI","types":["finding"],"methods":["TEST"],"remarks":"Sensitivity labels are not enabled for Power BI content. Controls AC-21(b) and SC-7(10)(a) are not satisfied. Business intelligence reports and datasets cannot be classified per enterprise data protection policy.","subjects":[{"type":"assessment-activity","subject-uuid":"7f494fc7-11b6-4f74-8b53-71e216c37fab"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried Power BI tenant settings and Microsoft Information Protection configuration. The 'EnableSensitivityLabels' setting is disabled at the Power BI tenant level. 
The tenant does have Microsoft Purview Information Protection sensitivity labels defined, but they have not been enabled for Power BI content."},{"uuid":"a6ee4fb1-73e3-5f82-948a-ccbed45dca97","title":"Observation: MS.POWERPLATFORM.1.1v1 - Environment Creation Restricted to Admins","types":["finding"],"methods":["TEST"],"remarks":"Production and sandbox environment creation is restricted. Control AC-6(10) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"dfce43a6-851c-492c-a636-5bd256ade4d3"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed via Power Platform admin center that environment creation for production and sandbox environments is restricted to users with the Power Platform Administrator or Global Administrator roles."},{"uuid":"c81f0074-3767-5bbd-8849-eb07f6342e67","title":"Observation: MS.POWERPLATFORM.2.1v1 - DLP Policy for Default Environment","types":["finding"],"methods":["TEST"],"remarks":"DLP policy exists for the default environment. Control SC-7(10) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"e4a06cc7-1196-45b1-b6d6-8b5a9a994e66"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed a DLP policy scoped to the default Power Platform environment is active, classifying connectors into Business and Non-Business data groups."},{"uuid":"eb453600-d645-541f-b65a-14ab71c7a292","props":[{"ns":"http://comply0.com/ns/oscal","name":"uncovered-environments","value":"3 of 12"}],"title":"Observation: MS.POWERPLATFORM.2.2v1 - DLP Policy for Non-Default Environments","types":["finding"],"methods":["TEST"],"remarks":"Three non-default environments lack a DLP policy. Control SC-7(10) is not satisfied for those environments.","subjects":[{"type":"assessment-activity","subject-uuid":"db9edd8e-4cfd-4ce7-a55e-7e5438d3bdd8"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner enumerated all non-default Power Platform environments (12 total). 
Of these, 3 developer environments created within the last 60 days do not have any DLP policy applied to them."},{"uuid":"e04539ed-0258-5e02-bd2a-3d2a460ac5fc","title":"Observation: MS.POWERPLATFORM.3.1v1 - Power Platform Tenant Isolation Enabled","types":["finding"],"methods":["TEST"],"remarks":"Tenant isolation is enabled. Controls AC-3 and SC-7(5) are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"b4f0269c-17cc-48c7-b489-b2c7d05cca10"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed Power Platform tenant isolation is set to enabled."},{"uuid":"b989ed58-8984-5b39-9f37-c6c1d2adac55","title":"Observation: MS.SHAREPOINT.1.1v1 - SharePoint External Sharing Limited","types":["finding"],"methods":["TEST"],"remarks":"SharePoint external sharing is restricted to existing guests. Controls AC-2, AC-3, and IA-8 are satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"61e4e855-e81b-4d81-8eba-ec5ab5030bb1"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed SharePoint external sharing is set to 'Existing guests', preventing sharing with anyone outside the organization who does not already have a guest account."},{"uuid":"3992921d-42c0-56dc-8b48-ea3f52697765","title":"Observation: MS.SHAREPOINT.2.1v1 - Default Sharing Scope","types":["finding"],"methods":["TEST"],"remarks":"Default sharing scope is most restrictive. 
Control AC-6 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"0ad08cf0-dde6-43c6-8702-7978ce040d5a"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the default link type for file and folder sharing is set to 'Specific people (only the people the user specifies)'."},{"uuid":"fd21f994-e744-5162-89f4-d050b0bcd37b","props":[{"ns":"http://comply0.com/ns/oscal","name":"configured-days","value":"45"},{"ns":"http://comply0.com/ns/oscal","name":"required-maximum-days","value":"30"}],"title":"Observation: MS.SHAREPOINT.3.3v1 - Guest Reauthentication Period","types":["finding"],"methods":["TEST"],"remarks":"Reauthentication for verification code users is set to 45 days, exceeding the 30-day maximum. Control IA-11 is not satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"10992cf7-a6bc-4dcb-a80b-1b563301e71c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner queried the SharePoint Online tenant settings for the 'RequireAcceptingAccountMatchInvitedAccount' and guest reauthentication period. The reauthentication period for users who access content using a verification code is set to 45 days, exceeding the maximum of 30 days required by the SCuBA baseline."},{"uuid":"f37e351a-89f4-523c-a08b-6c3984a3cf18","title":"Observation: MS.TEAMS.1.2v2 - Anonymous Users Cannot Start Meetings","types":["finding"],"methods":["TEST"],"remarks":"Anonymous users cannot start meetings. 
Control SC-15(a) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"7313a2da-a6f8-4984-9fe3-595c116ef2de"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the global Teams meeting policy setting 'AllowAnonymousUsersToStartMeeting' is set to false."},{"uuid":"cb0d7717-8e01-54cb-8d5a-511e0863558c","title":"Observation: MS.TEAMS.1.6v1 - Meeting Recording Disabled","types":["finding"],"methods":["TEST"],"remarks":"Meeting recording is enabled in the global policy, allowing any user to record. Control CM-7 is not satisfied. Recording of meetings containing sensitive discussions may result in unauthorized disclosure if recordings are not properly secured.","subjects":[{"type":"assessment-activity","subject-uuid":"9a97a8f0-6bff-4984-abe8-b4b2ed456710"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed the global Teams meeting policy. The 'AllowCloudRecording' setting is enabled (true) in the global meeting policy, allowing all users to record meetings by default."},{"uuid":"e51c45aa-d335-57e6-9d5c-0a91200cac08","title":"Observation: MS.TEAMS.2.1v2 - External Access Per-Domain","types":["finding"],"methods":["TEST"],"remarks":"Teams external access is restricted to approved domains. Control AC-3 is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"4c0be109-33a3-4a6c-b6fc-4492de067406"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed that Teams external access is configured to allow communication only with explicitly listed domains, rather than allowing all external domains."},{"uuid":"bfc9b7fb-4f05-5cab-ad68-d9103a7a4b88","title":"Observation: MS.TEAMS.5.2v2 - Only Approved Third-Party Apps Allowed","types":["finding"],"methods":["TEST"],"remarks":"Third-party apps are not restricted to an agency-approved allowlist in the global policy. Control CM-11 is not satisfied. 
Users may install unapproved third-party apps, introducing unmanaged data access vectors.","subjects":[{"type":"assessment-activity","subject-uuid":"8dc70ce3-4724-4a3d-84ec-0fe0e64f60c6"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner reviewed the Teams app permission policy. The global (org-wide default) app permission policy is configured to allow all third-party apps, rather than restricting to an agency-approved allowlist. No custom app permission policies have been created to scope third-party app access."},{"uuid":"31da940c-1354-5803-821d-e56bd6a41ce5","title":"Observation: MS.TEAMS.6.1v1 - DLP Solution Enabled for Teams","types":["finding"],"methods":["TEST"],"remarks":"DLP is enabled for Teams. Control SC-7(10) is satisfied.","subjects":[{"type":"assessment-activity","subject-uuid":"e93b699a-d37f-4656-a704-a74d462e9a94"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner confirmed the agency's Microsoft Purview DLP policy includes the Teams Chat and Channel Messages workload as an active location."},{"uuid":"21708604-31a9-52dd-b9e5-f5d86ab34950","title":"Observation: MS.AAD.3.2v1 - If phishing-resistant MFA has not been enforced, an alternat","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.AAD.3.2v1. Related controls: IA-2.1, IA-2.2.","subjects":[{"type":"assessment-activity","subject-uuid":"c05380d7-88be-475b-92e5-9aeeb3fdcbfa"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.AAD.3.2v1. Assessment method: EXAMINE. Requirement: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users."},{"uuid":"561182d5-53ec-5bfd-bb11-c8d514096b31","title":"Observation: MS.DEFENDER.1.3v1 - All users SHALL be added to Defender for Office 365 protecti","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.1.3v1. 
Related controls: CM-6, SI-3, SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"bda5bac4-da43-490b-8647-e1de133e02f2"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.1.3v1. Assessment method: EXAMINE. Requirement: All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy."},{"uuid":"a7690a5d-b354-5821-b23b-1e2079b5f14e","title":"Observation: MS.DEFENDER.1.4v1 - Sensitive accounts SHALL be added to Exchange Online Protect","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.1.4v1. Related controls: CM-6, SI-3, SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"eaa53c5c-c4b4-45cc-a9da-32461480820d"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.1.4v1. Assessment method: EXAMINE. Requirement: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy."},{"uuid":"c807a4da-7fa6-59b6-bc7b-5ca17cbb904f","title":"Observation: MS.DEFENDER.1.5v1 - Sensitive accounts SHALL be added to Defender for Office 365","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.1.5v1. Related controls: CM-6, SI-3, SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"95840a4a-b69c-4c5a-9910-d4b9f00a5547"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.1.5v1. Assessment method: EXAMINE. 
Requirement: Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy."},{"uuid":"9252cbda-427a-519f-81d8-a06903fb6102","title":"Observation: MS.DEFENDER.2.2v1 - Domain impersonation protection SHOULD be enabled for domain","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.2.2v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"8bc70a06-a190-4ff5-8106-81200137d53c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.2.2v1. Assessment method: EXAMINE. Requirement: Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies."},{"uuid":"716195eb-9b27-54d4-bc31-2ae2e7f4c669","title":"Observation: MS.DEFENDER.2.3v1 - Domain impersonation protection SHOULD be added for importan","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.2.3v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"92387cd9-4372-4654-8dd8-88078e229209"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.2.3v1. Assessment method: EXAMINE. Requirement: Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies."},{"uuid":"d3fb11f1-acfb-59bf-b731-2ee7df67d8ae","title":"Observation: MS.DEFENDER.3.1v1 - Safe attachments SHOULD be enabled for SharePoint, OneDrive,","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.3.1v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"325c4deb-02c3-432b-8ad5-dab3a22dcced"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.3.1v1. Assessment method: EXAMINE. 
Requirement: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams."},{"uuid":"3ab7f213-0be4-5e82-b89f-dfbae25a6684","title":"Observation: MS.DEFENDER.4.3v1 - The action for the custom policy SHOULD be set to block shar","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.4.3v1. Related controls: AC-3, SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"c6f0aacd-e1ff-4584-b602-ec722891d6c4"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.4.3v1. Assessment method: EXAMINE. Requirement: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone."},{"uuid":"18591c06-c915-5dd3-8c90-ac0a8f318501","title":"Observation: MS.DEFENDER.4.4v1 - Notifications to inform users and help educate them on the p","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.4.4v1. Related controls: AT-2.","subjects":[{"type":"assessment-activity","subject-uuid":"8fd58b5d-22bf-4663-a48b-da0f64aa19f9"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.4.4v1. Assessment method: EXAMINE. Requirement: Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy."},{"uuid":"ce100301-a757-5d4a-888f-ed5b3d658728","title":"Observation: MS.DEFENDER.4.5v1 - A list of apps that are restricted from accessing files prot","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.4.5v1. Related controls: SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"36f09006-cacf-41c8-b319-518a77f77a7c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.4.5v1. Assessment method: EXAMINE. 
Requirement: A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined."},{"uuid":"52488375-5d43-517a-b1cf-776394c6dc13","title":"Observation: MS.DEFENDER.4.6v1 - The custom policy SHOULD include an action to block access t","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.4.6v1. Related controls: AC-19.","subjects":[{"type":"assessment-activity","subject-uuid":"c5b4a410-efcb-4830-9246-3e46f31102f0"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.4.6v1. Assessment method: EXAMINE. Requirement: The custom policy SHOULD include an action to block access to sensitive"},{"uuid":"8d04c27e-2414-5b2a-bf4a-ce6ea89b5aef","title":"Observation: MS.DEFENDER.5.1v1 - At a minimum, the alerts required by the CISA M365 Secure Co","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.5.1v1. Related controls: SI-4.5.","subjects":[{"type":"assessment-activity","subject-uuid":"67db1541-7fdb-4e97-bee4-54a59104c489"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.5.1v1. Assessment method: EXAMINE. Requirement: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled."},{"uuid":"7908216c-171b-5360-8896-73736c5657ab","title":"Observation: MS.DEFENDER.5.2v1 - The alerts SHOULD be sent to a monitored address or incorpor","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.DEFENDER.5.2v1. Related controls: SI-4.5.","subjects":[{"type":"assessment-activity","subject-uuid":"34a2869b-9c5c-44e4-8ba6-0f87675f7a50"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.DEFENDER.5.2v1. Assessment method: EXAMINE. 
Requirement: The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM)."},{"uuid":"0099f0ef-b383-5fc8-b8bb-46bdab08aa74","title":"Observation: MS.EXO.4.4v1 - An agency point of contact SHOULD be included for aggregate ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.4.4v1. Related controls: SI-4.5.","subjects":[{"type":"assessment-activity","subject-uuid":"b9f50163-d4ef-4cd1-8335-acbd34d5fdc1"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.4.4v1. Assessment method: EXAMINE. Requirement: An agency point of contact SHOULD be included for aggregate and failure reports."},{"uuid":"b7cbd17e-1c64-5f78-bb70-75e5ffc54234","title":"Observation: MS.EXO.5.1v1 - SMTP AUTH SHALL be disabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.5.1v1. Related controls: CM-7.","subjects":[{"type":"assessment-activity","subject-uuid":"a84151c7-f0c2-4c57-b17e-35b8bb5942ae"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.5.1v1. Assessment method: EXAMINE. Requirement: SMTP AUTH SHALL be disabled."},{"uuid":"e5d2cef5-9566-5f8e-845e-5243afd53bdd","title":"Observation: MS.EXO.6.1v1 - Contact folders SHALL NOT be shared with all domains.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.6.1v1. Related controls: AC-3, SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"c8192dc7-b900-474f-95a0-a919528c6718"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.6.1v1. Assessment method: EXAMINE. 
Requirement: Contact folders SHALL NOT be shared with all domains."},{"uuid":"972e929a-cfc4-52e6-9519-bdbe163b0f9e","title":"Observation: MS.EXO.6.2v1 - Calendar details SHALL NOT be shared with all domains.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.6.2v1. Related controls: AC-3, SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"4690b7e7-1850-46e8-a1c0-e7e907434e56"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.6.2v1. Assessment method: EXAMINE. Requirement: Calendar details SHALL NOT be shared with all domains."},{"uuid":"a0fc6089-a9c4-5444-a100-3d3a66048f92","title":"Observation: MS.EXO.7.1v1 - External sender warnings SHALL be implemented.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.7.1v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"facbf9ae-ce69-42ad-ba49-3ef8f6dc0034"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.7.1v1. Assessment method: EXAMINE. Requirement: External sender warnings SHALL be implemented."},{"uuid":"5e128c2f-a33e-584b-aa2b-d15c54889a28","title":"Observation: MS.EXO.8.1v2 - A DLP solution SHALL be used.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.8.1v2. Related controls: SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"b6a6e389-43ae-46fe-b103-6beb644bedfe"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.8.1v2. Assessment method: EXAMINE. 
Requirement: A DLP solution SHALL be used."},{"uuid":"f8476861-7805-5849-81c3-8cc6de1307ca","title":"Observation: MS.EXO.8.2v2 - The DLP solution SHALL protect personally identifiable infor","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.8.2v2. Related controls: SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"3d5c53da-e083-4bb9-bcc4-17394700105f"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.8.2v2. Assessment method: EXAMINE. Requirement: The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency."},{"uuid":"bef86a2f-bb9b-5555-856d-02cf3be54618","title":"Observation: MS.EXO.8.3v1 - The selected DLP solution SHOULD offer services comparable t","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.8.3v1. Related controls: SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"1a972df9-30d8-412c-82d2-24b8c949d702"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.8.3v1. Assessment method: EXAMINE. Requirement: The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft."},{"uuid":"fbfd86db-0579-5ab9-82df-3e2ab88f7563","title":"Observation: MS.EXO.8.4v1 - At a minimum, the DLP solution SHALL restrict sharing credit","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.8.4v1. Related controls: SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"875100dc-c4ea-4d67-80d4-6e2693cb6f1f"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.8.4v1. Assessment method: EXAMINE. Requirement: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. 
Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email."},{"uuid":"51b35060-5a23-5767-b5ac-366afa08114f","title":"Observation: MS.EXO.9.2v1 - The attachment filter SHOULD attempt to determine the true f","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.9.2v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"818b4fde-58c2-4206-893a-0f2c17d63ee8"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.9.2v1. Assessment method: EXAMINE. Requirement: The attachment filter SHOULD attempt to determine the true file type and assess the file extension."},{"uuid":"1d2992a0-cccf-5644-a6d6-dd5240884dff","title":"Observation: MS.EXO.9.3v2 - Disallowed file types SHALL be determined and enforced.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.9.3v2. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"f6b8f5b6-da0d-4379-b462-510253162327"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.9.3v2. Assessment method: EXAMINE. Requirement: Disallowed file types SHALL be determined and enforced."},{"uuid":"54dbca6a-6465-5148-bda0-b7d96ce77e7b","title":"Observation: MS.EXO.9.4v1 - Alternatively chosen filtering solutions SHOULD offer servic","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.9.4v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"8b01e1bc-ad7e-457c-acde-98eb22adfbd3"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.9.4v1. Assessment method: EXAMINE. 
Requirement: Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter."},{"uuid":"10893c8f-f9ff-5633-8c23-4ae787ef42cd","title":"Observation: MS.EXO.10.1v1 - Emails SHALL be scanned for malware.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.10.1v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"8051511e-127c-4045-b6a8-c2d8d920ce1a"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.10.1v1. Assessment method: EXAMINE. Requirement: Emails SHALL be scanned for malware."},{"uuid":"2a7c31b1-2af2-5814-9dd1-8959a8bf1824","title":"Observation: MS.EXO.10.2v1 - Emails identified as containing malware SHALL be quarantined","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.10.2v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"71ba0c56-49fb-40b9-8a05-331e902533bc"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.10.2v1. Assessment method: EXAMINE. Requirement: Emails identified as containing malware SHALL be quarantined or dropped."},{"uuid":"87238f45-334b-5abf-9476-0b9687525496","title":"Observation: MS.EXO.10.3v1 - Email scanning SHALL be capable of reviewing emails after de","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.10.3v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"8e423d35-657e-4c63-88b1-4627c1a9aaff"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.10.3v1. Assessment method: EXAMINE. 
Requirement: Email scanning SHALL be capable of reviewing emails after delivery."},{"uuid":"2f76b3d2-7d6e-5de3-beed-8343bdbe2438","title":"Observation: MS.EXO.11.1v1 - Impersonation protection checks SHOULD be used.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.11.1v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"3675cf88-4597-4404-bbae-72c47b0713e9"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.11.1v1. Assessment method: EXAMINE. Requirement: Impersonation protection checks SHOULD be used."},{"uuid":"74eaa29c-4980-5c74-91ba-b0adfe401f31","title":"Observation: MS.EXO.11.2v1 - User warnings, comparable to the user safety tips included w","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.11.2v1. Related controls: AT-2, SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"3610b529-bba6-4531-a154-04a9e20cece7"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.11.2v1. Assessment method: EXAMINE. Requirement: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed."},{"uuid":"0dbf5d8e-99f9-50e4-9187-c1b5930f5563","title":"Observation: MS.EXO.11.3v1 - The phishing protection solution SHOULD include an AI-based ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.11.3v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"f2cd380a-9334-4ef9-a8eb-ce809ba1d0ce"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.11.3v1. Assessment method: EXAMINE. 
Requirement: The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence."},{"uuid":"fa7b704b-92b0-5979-b8b5-294c261db359","title":"Observation: MS.EXO.12.1v1 - IP allow lists SHOULD NOT be created.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.12.1v1. Related controls: AC-4.","subjects":[{"type":"assessment-activity","subject-uuid":"79657b3b-0308-448b-813a-1658a2f93c53"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.12.1v1. Assessment method: EXAMINE. Requirement: IP allow lists SHOULD NOT be created."},{"uuid":"939e8941-5ca3-53f5-acc1-1f0456a8b020","title":"Observation: MS.EXO.12.2v1 - Safe lists SHOULD NOT be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.12.2v1. Related controls: AC-4.","subjects":[{"type":"assessment-activity","subject-uuid":"e90a4f4a-19ea-426c-8a96-9ca3ad1e12cb"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.12.2v1. Assessment method: EXAMINE. Requirement: Safe lists SHOULD NOT be enabled."},{"uuid":"3e3aa9d7-7b3c-5693-9178-b2c3992904e1","title":"Observation: MS.EXO.14.1v2 - A spam filter SHALL be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.14.1v2. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"97d24991-a166-48a5-a372-450bbda85180"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.14.1v2. Assessment method: EXAMINE. 
Requirement: A spam filter SHALL be enabled."},{"uuid":"7e49451f-db92-54ac-ad4f-60bf920ab30a","title":"Observation: MS.EXO.14.2v1 - Spam and high confidence spam SHALL be moved to either the j","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.14.2v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"be50d37a-8745-4571-9e0f-829e0ae7dc9b"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.14.2v1. Assessment method: EXAMINE. Requirement: Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder."},{"uuid":"51eb9f10-f44a-5273-b358-9546c3e80eb9","title":"Observation: MS.EXO.14.3v1 - Allowed domains SHALL NOT be added to inbound anti-spam prot","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.14.3v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"c77702d6-7722-4870-a9e9-f831b4921db4"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.14.3v1. Assessment method: EXAMINE. Requirement: Allowed domains SHALL NOT be added to inbound anti-spam protection policies."},{"uuid":"99c386ef-1f4c-5492-871a-295a2e47b1be","title":"Observation: MS.EXO.14.4v1 - If a third-party party filtering solution is used, the solut","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.14.4v1. Related controls: SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"9e4518ec-84cc-4a3d-a19b-b604177f9993"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.14.4v1. Assessment method: EXAMINE. 
Requirement: If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft."},{"uuid":"72062428-fd75-5567-ae7c-a46bc03677ec","title":"Observation: MS.EXO.15.1v1 - URL comparison with a block-list SHOULD be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.15.1v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"9fd1d767-ebf8-458f-8713-67155ef02ecf"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.15.1v1. Assessment method: EXAMINE. Requirement: URL comparison with a block-list SHOULD be enabled."},{"uuid":"e44b36a0-56e1-52e7-b1dd-8839dc4dd191","title":"Observation: MS.EXO.15.2v1 - Direct download links SHOULD be scanned for malware.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.15.2v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"62560aa4-4d7d-4781-8e32-06e10ab163eb"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.15.2v1. Assessment method: EXAMINE. Requirement: Direct download links SHOULD be scanned for malware."},{"uuid":"14869376-8495-533c-b759-d02952416a24","title":"Observation: MS.EXO.15.3v1 - User click tracking SHOULD be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.15.3v1. Related controls: SI-3, AU-12.","subjects":[{"type":"assessment-activity","subject-uuid":"f28dc80f-22f8-41fa-95db-7336839b11ae"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.15.3v1. Assessment method: EXAMINE. 
Requirement: User click tracking SHOULD be enabled."},{"uuid":"694245f1-8f4f-5702-9344-0e3c01095fc8","title":"Observation: MS.EXO.16.1v1 - At a minimum, the following alerts SHALL be enabled:","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.16.1v1. Related controls: SI-4.5.","subjects":[{"type":"assessment-activity","subject-uuid":"038cfee8-4558-4ba4-8d5f-a44d74039988"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.16.1v1. Assessment method: EXAMINE. Requirement: At a minimum, the following alerts SHALL be enabled:"},{"uuid":"7286e5bf-6f61-5b24-a6d2-401ba853e179","title":"Observation: MS.EXO.16.2v1 - The alerts SHOULD be sent to a monitored address or incorpor","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.16.2v1. Related controls: SI-4.12.","subjects":[{"type":"assessment-activity","subject-uuid":"23b29791-f99f-40dd-9157-b9cfd9c85e1f"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.16.2v1. Assessment method: EXAMINE. Requirement: The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system."},{"uuid":"f381ffb6-96a6-5380-b972-19be0f28d5f2","title":"Observation: MS.EXO.17.1v1 - Unified Audit logging SHALL be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.17.1v1. Related controls: AU-12.","subjects":[{"type":"assessment-activity","subject-uuid":"25d3c635-cd50-4dd4-b958-8ac713894f60"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.17.1v1. Assessment method: EXAMINE. 
Requirement: Unified Audit logging SHALL be enabled."},{"uuid":"752b2300-1d0b-5314-8bd5-8f36e186c25b","title":"Observation: MS.EXO.17.3v1 - Audit logs SHALL be maintained for at least the minimum dura","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.EXO.17.3v1. Related controls: AU-11.","subjects":[{"type":"assessment-activity","subject-uuid":"54a70863-322d-49bb-bc01-cf9a7b1e9697"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.EXO.17.3v1. Assessment method: EXAMINE. Requirement: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C)."},{"uuid":"c8d4761a-832b-56f5-bf4d-cbb7f8270196","title":"Observation: MS.POWERBI.2.1v1 - Guest user access to the Power BI tenant SHOULD be disabled ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERBI.2.1v1. Related controls: CM-7, AC-6.","subjects":[{"type":"assessment-activity","subject-uuid":"d552d20a-1187-47d0-b6a5-e89327a533fc"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERBI.2.1v1. Assessment method: EXAMINE. Requirement: Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability."},{"uuid":"a9329c80-aad5-52d8-a5ce-85636b1f1490","title":"Observation: MS.POWERBI.3.1v1 - The Invite external users to your organization feature SHOUL","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERBI.3.1v1. Related controls: CM-7, AC-6.","subjects":[{"type":"assessment-activity","subject-uuid":"3a86a404-961e-41af-9079-ebb0ce6d5d5d"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERBI.3.1v1. Assessment method: EXAMINE. 
Requirement: The Invite external users to your organization feature SHOULD be disabled unless agency mission requires the capability."},{"uuid":"dd9d74cc-1e85-5588-b6f8-03be3009e24f","title":"Observation: MS.POWERBI.4.1v1 - Service principals with access to APIs SHOULD be restricted ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERBI.4.1v1. Related controls: AC-4, AC-6.5.","subjects":[{"type":"assessment-activity","subject-uuid":"1b689575-ca99-4876-9910-6b048be93b0a"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERBI.4.1v1. Assessment method: EXAMINE. Requirement: Service principals with access to APIs SHOULD be restricted to specific security groups."},{"uuid":"399a63aa-3171-5fbf-9628-0d09a131f4c7","title":"Observation: MS.POWERBI.4.2v1 - Service principals creating and using profiles SHOULD be res","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERBI.4.2v1. Related controls: AC-4, AC-6.5.","subjects":[{"type":"assessment-activity","subject-uuid":"736e069a-c0d6-4f9a-ae2c-2e53341e5462"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERBI.4.2v1. Assessment method: EXAMINE. Requirement: Service principals creating and using profiles SHOULD be restricted to specific security groups."},{"uuid":"6f506791-ec88-5a6a-be2a-15af1d2480ef","title":"Observation: MS.POWERBI.5.1v1 - ResourceKey-based authentication SHOULD be blocked unless a ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERBI.5.1v1. Related controls: CM-7, IA-5.","subjects":[{"type":"assessment-activity","subject-uuid":"11f8cfa8-75a8-4727-9536-bf8919e60ba1"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERBI.5.1v1. Assessment method: EXAMINE. 
Requirement: ResourceKey-based authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use."},{"uuid":"df51b629-4ef9-5c4a-a7e8-e7c80d7b0858","title":"Observation: MS.POWERBI.6.1v1 - Python and R interactions SHOULD be disabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERBI.6.1v1. Related controls: CM-7, SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"f5193489-93b6-4faf-8560-650d7026b0d7"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERBI.6.1v1. Assessment method: EXAMINE. Requirement: Python and R interactions SHOULD be disabled."},{"uuid":"0693a3b9-81dc-5be0-9088-8135513e277e","title":"Observation: MS.POWERPLATFORM.1.2v1 - The ability to create trial environments SHALL be restricted","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERPLATFORM.1.2v1. Related controls: AC-6.10.","subjects":[{"type":"assessment-activity","subject-uuid":"54c54c04-c6ce-41ec-bb8b-36a937990bcf"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERPLATFORM.1.2v1. Assessment method: EXAMINE. Requirement: The ability to create trial environments SHALL be restricted to admins."},{"uuid":"2a21e3ff-f5e3-51d3-905a-c2b2d0613fd0","title":"Observation: MS.POWERPLATFORM.3.2v1 - An inbound/outbound connection allowlist SHOULD be configure","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.POWERPLATFORM.3.2v1. Related controls: AC-3, SC-7.5.","subjects":[{"type":"assessment-activity","subject-uuid":"373b4103-7405-4221-9bc4-0bf293a7fbc9"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.POWERPLATFORM.3.2v1. Assessment method: EXAMINE. 
Requirement: An inbound/outbound connection allowlist SHOULD be configured."},{"uuid":"f44d0729-20d9-5f4d-afa7-0a460a90972d","title":"Observation: MS.SHAREPOINT.1.2v1 - External sharing for OneDrive SHALL be limited to Existing g","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.SHAREPOINT.1.2v1. Related controls: AC-2, AC-3, IA-8.","subjects":[{"type":"assessment-activity","subject-uuid":"a20b7081-e9df-4ee5-8dc1-26e60ee85b5d"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.SHAREPOINT.1.2v1. Assessment method: EXAMINE. Requirement: External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization."},{"uuid":"133ffee6-2c37-5469-9127-36ee7507c446","title":"Observation: MS.SHAREPOINT.1.3v1 - External sharing SHALL be restricted to approved external do","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.SHAREPOINT.1.3v1. Related controls: AC-3, AC-6.10.","subjects":[{"type":"assessment-activity","subject-uuid":"72c78ccd-bc7b-4397-93e7-566faa78110c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.SHAREPOINT.1.3v1. Assessment method: EXAMINE. Requirement: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs."},{"uuid":"00973cc0-7453-5ffc-a798-afb244034088","title":"Observation: MS.SHAREPOINT.2.2v1 - File and folder default sharing permissions SHALL be set to ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.SHAREPOINT.2.2v1. Related controls: AC-6.","subjects":[{"type":"assessment-activity","subject-uuid":"0c986939-6fd7-4dca-b0fe-5282ea3f787c"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.SHAREPOINT.2.2v1. Assessment method: EXAMINE. 
Requirement: File and folder default sharing permissions SHALL be set to View."},{"uuid":"3db67f16-31c5-5a9a-bcdb-745b2401668b","title":"Observation: MS.SHAREPOINT.3.1v1 - Expiration days for Anyone links SHALL be set to 30 days or ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.SHAREPOINT.3.1v1. Related controls: AC-3, AC-21.","subjects":[{"type":"assessment-activity","subject-uuid":"6eb1cff6-08f8-4213-be89-e4f8623ffd10"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.SHAREPOINT.3.1v1. Assessment method: EXAMINE. Requirement: Expiration days for Anyone links SHALL be set to 30 days or less."},{"uuid":"8f107628-b16e-5f48-ab59-23346eb20772","title":"Observation: MS.SHAREPOINT.3.2v1 - The allowable file and folder permissions for links SHALL be","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.SHAREPOINT.3.2v1. Related controls: AC-6.","subjects":[{"type":"assessment-activity","subject-uuid":"fda85380-893f-42b4-b093-c18c667d1430"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.SHAREPOINT.3.2v1. Assessment method: EXAMINE. Requirement: The allowable file and folder permissions for links SHALL be set to View only."},{"uuid":"d380d53c-52fc-5284-9706-f18b92124221","title":"Observation: MS.TEAMS.1.1v1 - External meeting participants SHOULD NOT be enabled to reque","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.1.1v1. Related controls: AC-17.","subjects":[{"type":"assessment-activity","subject-uuid":"45a266d9-c274-44a1-899b-935abd5801b1"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.1.1v1. Assessment method: EXAMINE. 
Requirement: External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows."},{"uuid":"b369b8b9-a822-535d-9df5-48ed6e6180f9","title":"Observation: MS.TEAMS.1.3v1 - Anonymous users and dial-in callers SHOULD NOT be admitted a","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.1.3v1. Related controls: SC-15.","subjects":[{"type":"assessment-activity","subject-uuid":"b04e3728-f290-4ab6-88ec-8a42bc2291de"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.1.3v1. Assessment method: EXAMINE. Requirement: Anonymous users and dial-in callers SHOULD NOT be admitted automatically."},{"uuid":"e08fdc67-7b4b-53c5-8326-827d84fd2a97","title":"Observation: MS.TEAMS.1.4v1 - Internal users SHOULD be admitted automatically.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.1.4v1. Related controls: AC-3.","subjects":[{"type":"assessment-activity","subject-uuid":"922ca471-e6be-4bb5-b032-6c6c9d24ecca"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.1.4v1. Assessment method: EXAMINE. Requirement: Internal users SHOULD be admitted automatically."},{"uuid":"e6a7bb64-a4c0-5047-a59c-f2671d79dac3","title":"Observation: MS.TEAMS.1.5v1 - Dial-in users SHOULD NOT be enabled to bypass the lobby.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.1.5v1. Related controls: SC-15.","subjects":[{"type":"assessment-activity","subject-uuid":"ac43c228-bb65-4ba5-854e-2646990181bd"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.1.5v1. Assessment method: EXAMINE. 
Requirement: Dial-in users SHOULD NOT be enabled to bypass the lobby."},{"uuid":"c0c0fa50-7a0c-5964-8b29-7f7171642a8c","title":"Observation: MS.TEAMS.1.7v2 - Record an event SHOULD NOT be set to Always record.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.1.7v2. Related controls: AC-21.","subjects":[{"type":"assessment-activity","subject-uuid":"268fdbe7-a572-42ef-beca-dd7ca98f35ce"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.1.7v2. Assessment method: EXAMINE. Requirement: Record an event SHOULD NOT be set to Always record."},{"uuid":"71b60cf1-b3a4-519b-8193-b4aaf4e97bf1","title":"Observation: MS.TEAMS.2.2v2 - Unmanaged users SHALL NOT be enabled to initiate contact wit","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.2.2v2. Related controls: CM-7, SI-8.","subjects":[{"type":"assessment-activity","subject-uuid":"cf9ce45a-4aa2-468e-9a7b-5993fd8a4ebe"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.2.2v2. Assessment method: EXAMINE. Requirement: Unmanaged users SHALL NOT be enabled to initiate contact with internal users."},{"uuid":"7754895b-c1a2-508a-a662-75adb1eca5e3","title":"Observation: MS.TEAMS.2.3v2 - Internal users SHOULD NOT be enabled to initiate contact wit","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.2.3v2. Related controls: CM-7, SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"034d265f-7df8-403f-a78d-0c310d51da2d"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.2.3v2. Assessment method: EXAMINE. 
Requirement: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users."},{"uuid":"cc404693-2cbe-567e-97e2-18862f238f3b","title":"Observation: MS.TEAMS.4.1v1 - Teams email integration SHALL be disabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.4.1v1. Related controls: SI-8, SC-7.10, AC-4.","subjects":[{"type":"assessment-activity","subject-uuid":"94b2f653-90d6-4bb6-9643-cb7b75f239b4"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.4.1v1. Assessment method: EXAMINE. Requirement: Teams email integration SHALL be disabled."},{"uuid":"c7a60255-77e2-5369-9c8c-2b841fd1def9","title":"Observation: MS.TEAMS.5.1v2 - Agencies SHOULD only allow installation of Microsoft apps ap","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.5.1v2. Related controls: CM-11.","subjects":[{"type":"assessment-activity","subject-uuid":"587319da-067a-4fef-8caf-237fabbad093"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.5.1v2. Assessment method: EXAMINE. Requirement: Agencies SHOULD only allow installation of Microsoft apps approved by the agency."},{"uuid":"bb70cee0-2b0b-55e4-a048-05bded446455","title":"Observation: MS.TEAMS.5.3v2 - Agencies SHOULD only allow installation of custom apps appro","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.5.3v2. Related controls: CM-11.","subjects":[{"type":"assessment-activity","subject-uuid":"1745f3e7-32ac-49b4-a531-394f08835793"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.5.3v2. Assessment method: EXAMINE. 
Requirement: Agencies SHOULD only allow installation of custom apps approved by the agency."},{"uuid":"4a1df495-1c4e-5d20-94de-9257b1ba0f51","title":"Observation: MS.TEAMS.6.2v1 - The DLP solution SHALL protect personally identifiable infor","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.6.2v1. Related controls: SC-7.10.","subjects":[{"type":"assessment-activity","subject-uuid":"963093a1-3299-4a9e-9c8e-89b0051f625e"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.6.2v1. Assessment method: EXAMINE. Requirement: The DLP solution SHALL protect personally identifiable information (PII)"},{"uuid":"705fc3f0-a2d2-52c3-a896-306bd6c6deb3","title":"Observation: MS.TEAMS.7.1v1 - Attachments included with Teams messages SHOULD be scanned f","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.7.1v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"c4fc1f31-0fae-4f82-8c6a-4c3db20524ce"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.7.1v1. Assessment method: EXAMINE. Requirement: Attachments included with Teams messages SHOULD be scanned for malware."},{"uuid":"f92eb9ff-815e-5ab6-8218-52d199943c7f","title":"Observation: MS.TEAMS.7.2v1 - Users SHOULD be prevented from opening or downloading files ","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.7.2v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"9c74778d-3552-40ac-83f7-f3ea163af154"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.7.2v1. Assessment method: EXAMINE. 
Requirement: Users SHOULD be prevented from opening or downloading files detected as malware."},{"uuid":"ef33635f-d2d6-5f1b-a3df-a166adb3e1c2","title":"Observation: MS.TEAMS.8.1v1 - URL comparison with a blocklist SHOULD be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.8.1v1. Related controls: SI-3.","subjects":[{"type":"assessment-activity","subject-uuid":"40a2e5b5-d0e4-4eaa-9069-e3344d00c975"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.8.1v1. Assessment method: EXAMINE. Requirement: URL comparison with a blocklist SHOULD be enabled."},{"uuid":"53e5cad0-05c1-5564-a06b-81fdfc2041bd","title":"Observation: MS.TEAMS.8.2v1 - User click tracking SHOULD be enabled.","types":["finding"],"methods":["TEST"],"remarks":"Automated and examiner assessment for MS.TEAMS.8.2v1. Related controls: AU-12.","subjects":[{"type":"assessment-activity","subject-uuid":"5cf09325-25bb-4ede-b5e0-a27fcaa42077"}],"collected":"2026-03-05T15:30:00-05:00","description":"Examiner evaluated the tenant configuration for MS.TEAMS.8.2v1. Assessment method: EXAMINE. Requirement: User click tracking SHOULD be enabled."}],"reviewed-controls":{"control-selections":[{"include-all":{}}]}}]}}