block_legacy_auth
Block legacy authentication (MS.AAD.1.1v1)
block_high_risk_users
Block users detected as high risk (MS.AAD.2.1v1)
block_high_risk_signins
Block sign-ins detected as high risk (MS.AAD.2.3v1)
enforce_phishing_resistant_mfa
Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1)
enforce_alternative_mfa
Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1)
configure_authenticator_context
Configure Microsoft Authenticator to show login context (MS.AAD.3.3v1)
complete_auth_methods_migration
Set Authentication Methods Manage Migration to Complete (MS.AAD.3.4v1)
enforce_privileged_mfa
Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)
restrict_app_registration
Allow only administrators to register applications (MS.AAD.5.1v1)
restrict_app_consent
Allow only administrators to consent to applications (MS.AAD.5.2v1)
configure_admin_consent
Configure admin consent workflow for applications (MS.AAD.5.3v1)
restrict_group_consent
Prevent group owners from consenting to applications (MS.AAD.5.4v1)
disable_password_expiry
Disable password expiration (MS.AAD.6.1v1)
configure_global_admins
Configure Global Administrator role assignments (MS.AAD.7.1v1)
enforce_granular_roles
Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)
enforce_cloud_accounts
Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)
enforce_pam
Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)
configure_global_admin_approval
Configure approval requirement for Global Administrator activation (MS.AAD.7.6v1)
configure_role_alerts
Configure alerts for privileged role assignments (MS.AAD.7.7v1)
configure_admin_alerts
Configure alerts for Global Administrator activation (MS.AAD.7.8v1)
get_policy_status
Get current status of all CISA M365 security policies