Identity

Tier 1 Checks

#	Check	License
I01	High Global Administrator to privileged user ratio	—
I02	Administrative privileges are tightly limited to prevent compromise	—
I03	All privileged role assignments are activated just in time and not permanently active	P2
I04	All Microsoft Entra privileged role assignments are managed with PIM	P2
I05	Privileged accounts are cloud native identities	—
I06	Privileged accounts have phishing-resistant methods registered	—
I07	Emergency access accounts are configured appropriately	—
I08	Block legacy authentication policy is configured	P1
I09	All users are required to register for MFA	P1
I10	SMS and Voice Call authentication methods are disabled	—
I11	All user sign-in activity uses phishing-resistant authentication methods	P1
I12	User consent settings are restricted	—
I13	Admin consent workflow is enabled	—
I14	Guest access is limited to approved tenants	—
I15	Guests are not assigned high privileged directory roles	—
I16	Guest access is protected by strong authentication methods	—
I17	Diagnostic settings are configured for all Microsoft Entra logs	—
I18	Privileged role activations have monitoring and alerting configured	P2
I19	Token protection policies are configured	P1
I20	Migrate from legacy MFA and SSPR policies	P1
I21	Manage the local administrators on Microsoft Entra joined devices	—
I22	Sign-in risk-based Conditional Access policy is configured	P2
I23	User risk-based Conditional Access policy is configured	P2
I24	Password Hash Sync is enabled for resilience and leaked-credential detection	—
I25	Group-based licensing is used to manage license assignment	P1

Tier 2 / Tier 3 coverage

This is Tier 1 — the highest-impact starting set. Microsoft publishes ~120 additional Identity checks at the source page, spanning deeper privileged-identity governance, advanced conditional-access scenarios, and lifecycle-management automation. Tier 2 and Tier 3 coverage is scoped per engagement.