Entra ID - SCuBA 1.6 Checklist Details
Supporting Resources:
- Download Prose - Microsoft Entra ID - SCuBA, Cybersecurity and Infrastructure Security Agency (CISA)
- Download Machine-Readable Format - Microsoft Entra ID - GitHub, Cybersecurity and Infrastructure Security Agency (CISA)
Target:
Target | CPE Name |
---|---|
Microsoft Azure Active Directory | cpe:/a:microsoft:azure_active_directory:- |
Checklist Highlights
- Checklist Name: Entra ID - SCuBA
- Checklist ID: 1082
- Version: 1.6
- Type: Compliance
- Review Status: Final
- Authority: Governmental Authority: Cybersecurity and Infrastructure Security Agency (CISA)
- Original Publication Date: 12/20/2023
Checklist Summary:
Microsoft Entra ID is a cloud-based identity and access control service that provides security and functional capabilities. This Secure Configuration Baseline (SCB) provides specific policies to help secure Microsoft Entra ID.
Checklist Role:
- Active Directory Server
- Client / Server
- Domain Controller
- Domain Member Server
- Office Software
- Virtualization Server
Known Issues:
Not provided.
Target Audience:
The Secure Cloud Business Applications (SCuBA) project run by the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.
Target Operational Environment:
- Managed
- Standalone
Testing Information:
Not provided.
Regulatory Compliance:
A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives. Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.
BOD 25-01: Implementing Secure Practices for Cloud Services
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
The information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
Product Support:
[email protected] [email protected]
Point of Contact:
[email protected] [email protected]
Sponsor:
Not provided.
Licensing:
Portions of this document are adapted from documents in Microsoft’s M365 and Azure GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services.
Change History:
- checklist approved - 2/1/24
- checklist approved - 2/5/24
- correcting submission error
- correcting submission error
- checklist approved - 2/16/24
- updated to FINAL - 3/18/2024
- Changes Approved - 11/29/2024
- Reviewed Updated Contents from Resources - 03/27/2025
- Reviewed Updated Contents from Resources - 08/13/2025
Dependency/Requirements:
URL | Description |
---|---|
References:
Reference URL | Description |
---|---|
https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access | Provides an understanding of how MFA and device claims are passed from the home tenant to the resource tenant |
https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview | To configure the inbound and outbound cross-tenant access settings in Microsoft Entra External ID |