Microsoft 365 Security Inspection Report

Modified on Tue, Jul 29 at 9:11 AM

You can find this module at the Company level only.

The Microsoft 365 Security Inspection Report provides a comprehensive overview of the security posture within the Microsoft 365 environment. It evaluates various security controls, identifies vulnerabilities, and offers recommendations to enhance security measures, ensuring robust protection against potential threats and breaches.

For the complete listing of all configuration checks, please refer to the end of this document.



Visit our YouTube Channel for more video content: https://www.youtube.com/@connectsecure




Microsoft 365 Security Inspection - Licensing Requirements

M365 Inspector requires the tenant to have an active subscription to Microsoft Entra ID P1 (formerly known as Azure Active Directory Premium P1) or Microsoft Entra ID P2 (formerly known as Azure Active Directory Premium P2) or a subscription that includes Microsoft Entra ID P1 or P2.


Microsoft 365 Security Inspection - Details

Access the Microsoft 365 Security Inspection from the Cloud Assessments category.


Getting Started - Application Thumbprint Certificate

Before you begin the setup steps below, download the certificate that provides the Application Thumbprint.

  1. Log in to your ConnectSecure portal tenant (https://portal.myconnectsecure.com).

  2. Navigate to Global > Settings > Integrations > Microsoft 365 Security Inspector.

  3. Scroll down and click Download Certificate. This file is uploaded to the Azure portal in a later step.

M365 Audit - Setup in Azure Portal

  1. Log in to the Azure portal (https://portal.azure.com).

  2. Tap on the ‘App registrations’ option in Azure services (or use the Search).

  3. Tap on the ‘New registration’ option.

  4. Complete the required fields.

    1. Name = Give this application registration a name of your choice (e.g., ConnectSecure_M365_Audit).

    2. Supported account types = Single tenant for non-CSP, Multi tenant for CSP.

    3. Redirect URI = Set the platform to Web and use: https://authccns.mycybercns.com

    4. Tap on Register to complete.

  5. Record the Application (client) ID and Directory (tenant) ID values from the screen.

Generate Client Secret

  1. Click on the ‘Add a certificate or secret’ link in the Client credentials section.

  2. Tap on ‘New client secret’.

  3. Fill in the required client secret fields, Description and Expires, then tap Add.

  4. Copy the generated Value and store it; it is entered during the ConnectSecure portal setup.

  5. Tap on the Certificates option.

  6. Tap on ‘Upload certificate’.

  7. Select the application thumbprint certificate you downloaded in the Getting Started steps, give it a description (e.g., ConnectSecure_M365_Audit), then tap Add.

  8. After the upload, you will see the Thumbprint value; record this for use in ConnectSecure.

NOTE: When you copy the thumbprint value, the full value is copied even though the UI only shows a partial thumbprint on screen.


Configure API Permissions

  1. Under the Manage section, tap on the Manifest option.

  2. Download one of the two JSON files below, open it, and make the necessary edits.

There are two options to choose from. The second option has a limited scope that follows least-privilege best practice for reader-level access; selecting it restricts the scan findings.

(Option 1)

CS_Global_Admin contains global admin permissions.

CS_Global_Admin.json

(Option 2)

CS_Security_Reader contains limited security reader permissions.

CS_Security_Reader.json

  3. In the ‘Microsoft Graph App Manifest (New)’ file, replace the ‘requiredResourceAccess’ section with the contents of the JSON file downloaded in the step above. You can open the JSON file with Notepad or a word processor to copy the contents.

  4. Tap on the Save button to complete.

  5. Tap on API Permissions from the left panel, then tap the ‘Grant admin consent for…’ button.

The status should display green check marks once permissions are granted.
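As an added illustration (not one of ConnectSecure's JSON files and not Microsoft tooling), the following Python script performs the manifest edit from step 3 offline: it loads a manifest and a downloaded permissions file, validates each requiredResourceAccess entry, swaps the section in, and reports which permissions the swap adds or removes. The manifest, the downloaded file and the permission ids are constructed placeholders; only the Microsoft Graph resourceAppId (00000003-0000-0000-c000-000000000000) is a real value.

```python
"""Swap the requiredResourceAccess section of an app manifest and report the
change.  Added example: not ConnectSecure's JSON files or Microsoft tooling."""
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resourceAppId (real value)

# Constructed sample manifest, trimmed to the fields this example touches.
# Permission ids starting with "aaaaaaaa" are placeholders, not real Graph permission ids.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "ConnectSecure_M365_Audit",
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}]}
    ],
})

# Constructed stand-in for the downloaded permissions file (placeholder ids).
SAMPLE_DOWNLOAD = json.dumps({
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [
             {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},  # delegated
             {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"},   # application
         ]}
    ]
})


def load_required_resource_access(text):
    """Accept a full object with a requiredResourceAccess key or a bare JSON array."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("requiredResourceAccess")
    if not isinstance(data, list):
        raise ValueError("requiredResourceAccess must be a JSON array")
    return data


def validate(rra):
    """Raise ValueError on a malformed entry; return the number of permissions."""
    count = 0
    for entry in rra:
        if not GUID_RE.match(str(entry.get("resourceAppId", ""))):
            raise ValueError("bad resourceAppId: %r" % entry.get("resourceAppId"))
        for perm in entry.get("resourceAccess", []):
            if not GUID_RE.match(str(perm.get("id", ""))):
                raise ValueError("bad permission id: %r" % perm.get("id"))
            if perm.get("type") not in ("Scope", "Role"):
                raise ValueError("type must be Scope (delegated) or Role (application)")
            count += 1
    return count


def flatten(rra):
    """Set of (resourceAppId, permission id, type) triples for easy comparison."""
    return {(e["resourceAppId"], p["id"], p["type"])
            for e in rra for p in e.get("resourceAccess", [])}


def merge_manifest(manifest_text, download_text):
    """Return (updated manifest dict, {'added': [...], 'removed': [...]})."""
    manifest = json.loads(manifest_text)
    new_rra = load_required_resource_access(download_text)
    validate(new_rra)
    before = flatten(manifest.get("requiredResourceAccess", []))
    after = flatten(new_rra)
    manifest["requiredResourceAccess"] = new_rra
    return manifest, {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    merged, diff = merge_manifest(SAMPLE_MANIFEST, SAMPLE_DOWNLOAD)
    print(json.dumps(merged, indent=2))
    for key in ("added", "removed"):
        for app_id, perm_id, kind in diff[key]:
            print("%s %s permission %s on resource %s" % (key, kind, perm_id, app_id))
```

In a manifest, "Scope" entries are delegated permissions and "Role" entries are application permissions; the added/removed report is a quick way to see exactly what Option 1 grants beyond Option 2 before saving, and admin consent (step 5) is still granted in the portal afterwards.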

Assign Roles in Microsoft Entra Roles and Administrators

  1. At the top, use the Search, enter ‘Microsoft Entra Roles and Administrators’, and tap to select it.

  2. Search for and tap on the ‘Global Reader’ option.

  3. Select the ‘Add Assignments’ button.

  4. Search for the application name you added (e.g., ConnectSecure_M365_Audit) and tap Add.

  5. You must tap on Add to save.

  6. Select the newly saved assignment and tap Select Members.

  7. The user who created the app registration will appear; you can add additional users here if needed.

Enter optional policy descriptions and justifications as required; this may vary depending on your Azure portal settings.


M365 Audit - Setup in ConnectSecure

  1. Log in to your ConnectSecure portal (e.g., portal.myconnectsecure.com).

  2. Navigate back to Global > Settings > Integrations > Microsoft 365 Security Inspector, where you originally downloaded the certificate (application thumbprint).

Credentials

Complete the required fields with your values from the previous steps outlined above.

Field Name | Description
Enter Name | A name of your choice to identify the M365 credentials being used.
Microsoft 365 Auth Endpoint | Global Service (default): https://login.microsoftonline.com, or US Government: https://login.microsoftonline.us
Tenant ID | The Directory (tenant) ID from the Azure portal app registration.
Application Client ID | The Application (client) ID from the Azure portal app registration.
User Principal Name | The username (with domain) of the user who created the app registration.
Application Client Secret | The ‘Value’ from the Client Secret.
Application Thumbprint | The Thumbprint value from the app registration ‘Certificates’ section.
Select Associated Company | The ConnectSecure company to associate with these credentials.

Proceed to Company Mapping below.


Company Mapping

You will need to map the ConnectSecure company to the M365 company.

  1. Tap on the Company Mapping tab within the Microsoft 365 Security Inspector integration and use the ‘Add’ button to create a new mapping.

  2. Choose whether to import a new company from M365 into ConnectSecure or to map an existing ConnectSecure company to the M365 company.

  3. In this example, map to an existing ConnectSecure company and tap Next. Then select the M365 company to pair with the Local Company (ConnectSecure).

  4. Tap Add, then Finish to complete the mapping.

Start M365 Sync

Once you complete the mappings, navigate to Cloud Assessments > Microsoft 365 Security Inspection Report and click on the Sync option to start the assessment scan.


Tap on the jobs to see the syncing status.


The results will be displayed in the M365 Audit Report once the assessment is finished.

Tap on the PowerPoint, Word, or Excel file icons for report data.


Microsoft 365 Security Inspection Dashboard

Review the findings in the company-level dashboard.


Microsoft 365 Security Inspection Items


ADFS Configuration Found

Administrative Users with No Multi-Factor Authentication Enforced

Anti-Domain Spoofing Not Fully Enabled

Applications Registered to Tenant with Certificate Credentials

Applications Registered to Tenant with Client Secret (Password) Credentials

Azure PowerShell Service Principal Assignment Not Enforced

Azure PowerShell Service Principal Configuration Missing

Basic Authentication is Enabled

Calendar Sharing with External Users Enabled

Common Malicious Attachment Extensions are Not Filtered

Conditional Access Policies

Conditional Access Policies - Device Platforms

Conditional Access Policies - Legacy Authentication

DKIM Not Enabled for Exchange Online Domains

DLP Policies Not Enabled and Enforced

Dangerous Attachment Extensions are Not Filtered

Dangerous Default Permissions

Directory Synced Users Found in Admin Roles

Directory Synchronization Enabled

Directory Synchronization Service Account Found

Do Not Bypass the Safe Attachments Filter

Do Not Bypass the Safe Links Feature

Domains with No DKIM Selector 1 DNS Record

Domains with No SPF Records

Domains with SPF Soft Fail Configured

Domains with no DKIM Record Selector 2

Domains with no DMARC Records

Email Security Checks are Bypassed Based on Sender’s Domain

Email Security Checks are Bypassed Based on Sender’s IP

Entities Allowed to Perform Domain Spoofing

eDiscovery Case Administrators

Exchange Mailboxes Hidden from Global Address Lists Found

Exchange Mailboxes with Forwarding Rules to External Recipients

Exchange Mailboxes with FullAccess Delegates Found

Exchange Mailboxes with IMAP Enabled

Exchange Mailboxes with Internal Forwarding Rules Enabled

Exchange Mailboxes with POP-Enabled

Exchange Mailboxes with SendAs Delegates Found

Exchange Mailboxes with SendOnBehalfOf Delegates Found

Exchange Mobile Device Mailbox Security Policies

Exchange Modern Authentication is Not Enabled

Exchange Online Mailboxes with SMTP Authentication Enabled

Expired Domain Registration Found

Federation Trusts in Tenant

Iframes Not Identified as Spam

Improper Number of Company/Global Administrators

MFA Not Required for Device Registration

MFA Not Required for Security Information Registration

MSOnline (MSOL) PowerShell Module Enabled on Tenant

Mailbox Auditing Should be Enabled at the Tenant Level

Mailboxes without Mailbox Auditing Enabled

Malware Filter Policies Don't Alert for Internal Users Sending Malware

Microsoft Secure Defaults

Microsoft Teams Consumer Communication Policies

Microsoft Teams External Access Policies

Microsoft Teams External Domain Communication Policies

Microsoft Teams Policies Allow Anonymous Members

Microsoft Teams Users Allowed to Invite Anonymous Users

Microsoft Teams Users Allowed to Preview Links in Messages

No Conditional Access Policies Block Risky Sign-in

No Conditional Access Policies Mitigate User Risk

No Custom Anti-Malware Policy Present

No Custom Anti-Phishing Policy Present

No Spam Filters to Flag Emails containing IP Addresses as Spam

No Transport Rules to Block Exchange Auto-Forwarding

No Transport Rules to Block Executable Attachments

No Transport Rules to Block Large Attachments

Office Message Encryption is Not Enabled

Outgoing Sharing Invitations are Not Monitored

Password Expiration Period is Set

Password Synchronization Enabled

SMTP Authentication not Globally Disabled

SSPR Allows Email Authentication

Safe Attachments Not Enabled

Safe Links Click-Through is Allowed

Safe Links Does Not Flag Links in Real Time

Safe Links Not Enabled

Self-Serve Password Reset is Not Enabled

Service Principals Found on Tenant with Certificate Credentials

Service Principals Found on Tenant with Client Secret (Password) Credentials

SharePoint External Sharing Enabled (Global)

Simulated Phishing Transport Rules - Security Bypasses

Spam ZAP (Zero-Hour Auto Purge) Not Enabled

Suspicious Outgoing Spam Messages Not Monitored

Tenant Federation Configuration

Tenant License Level

Tenant Transport Rules

Third-Party File Sharing Enabled in Microsoft Teams

Third-Party Applications Allowed

Unified Audit Log Search is Not Enabled

User consent to OAUTH applications is not restricted

Users Allowed to Link Work Accounts to LinkedIn

Users Found in Azure AD Roles

Users with No MFA Configured


Microsoft Graph API Permissions

Tap below to download an Excel file listing all the Microsoft Graph API permissions used for the Global Reader permissions.

M365_Inspector_GraphAPI_Permissions.xlsx


Microsoft CSP Configuration

  • Log in to the ConnectSecure portal.

  • Navigate to Global > Integration > Microsoft 365 Security Inspector.

  • Navigate to Company Mapping.

  • Select the Credentials and click Add.

  • Choose a ConnectSecure local company and a Customer Tenant, then click Save.

  • Under Actions, click Provide Consent.

  • Log in to the Microsoft 365 prompt using your subtenant’s Admin credentials.

  • Select all required API permissions and click Save.

Assign Global Reader Role in Sub Tenant

  • Go to Microsoft Entra Roles & Administrators.

  • Locate and select Global Reader.

  • Click Add Assignment.

  • Search for the App Name from the CSP Tenant.

  • Assign the role and save changes.


Event Set Alerts

Event Name | Description | Severity
AddMemberOutsidePIM | A user was added to a privileged role outside of the approved PIM workflow. | High
AdminDeletedSecurityInfo | An administrator deleted security information (e.g., MFA methods) from their account. | High
AdminsWithoutMFA | One or more admin accounts are operating without Multi-Factor Authentication enabled. | High
CrossTenantAccessAdded | Cross-tenant access permissions were granted to an external organization. | High
DLP-USFinancialHighVolume | Data Loss Prevention triggered on a high volume of US financial data transfer. | High
DLPHighVolumeUSFinancialData | A high volume of sensitive US financial information was flagged by DLP policies. | High
DLPIDNumberPolicy | Sensitive ID numbers were detected and flagged by Data Loss Prevention rules. | High
DeleteConditionalAccessPolicy | A Conditional Access Policy was deleted from the environment. | High
DisableStrongAuthentication | Strong authentication mechanisms were disabled on a user or admin account. | High
EmailReportedByUserAsJunk | A user reported an email as junk, potentially indicating phishing or spam. | High
ErgoFlexMailFlow | Anomalous mail flow detected by the ErgoFlex policy, possibly indicating misuse. | High
InboxManipulationRule | A suspicious rule was created to manipulate the inbox (e.g., auto-forward or hide emails). | High
MailboxPermissions | Mailbox permissions were modified, possibly granting unauthorized access. | High
MaliciousURLClickDetected | A user clicked a URL that was identified as malicious. | High
NewUsersWithoutMFA | New user accounts were created without enforcing Multi-Factor Authentication. | High
OutsideOperatingCountrySignIn | Sign-in activity was detected from outside the organization’s typical countries. | High
PasswordSpray | A password spray attack was detected against M365 accounts. | High
PhishingAttemptDetected | A suspected phishing attempt was identified by Microsoft Defender. | High
PrivilegeAccountSignInFailureSpikes | A spike in failed sign-ins was observed for privileged accounts. | High
SuccessfulNoMFAOutsideCountrySignIn | A successful sign-in from outside the country occurred without MFA. | High
SuccessfulSuspiciousCountrySignIn | A successful login was detected from a suspicious or high-risk country. | High
SuspiciousCountrySignIn | A login attempt was made from a country flagged as suspicious. | High
TriggeredPIMAlert | An alert was triggered based on Privileged Identity Management activity. | High
UserRestrictedFromSendingEmail | A user was blocked from sending emails due to suspicious behavior. | High
AddServicePrincipalCredentials | Credentials were added to a service principal, potentially enabling automated access. | Medium
BlockLegacyAuth | Legacy authentication was blocked to improve security posture. | Medium
BlockSharePointDownload | SharePoint download was blocked, likely due to policy enforcement. | Medium
BruteForceAzurePortal | Brute-force login attempts detected against the Azure portal. | Medium
DLP-UKPIIScanLowCount | Data Loss Prevention detected a low volume of UK Personally Identifiable Information. | Medium
DeletePolicy | A security or compliance policy was deleted, which could weaken defences. | Medium
DistributedPwdCrackingAzureAD | Distributed password cracking activity detected on Azure AD accounts. | Medium
EmailSendingLimitExceeded | A user exceeded email sending limits, possibly indicating spam or compromise. | Medium
ExplicitMFADeny | A user explicitly denied an MFA challenge, possibly indicating unauthorized access attempts. | Medium
ExternallySharedFile | A file was shared with an external party, potentially exposing sensitive data. | Medium
ExternallySharedFolder | A folder was shared externally, potentially breaching data boundaries. | Medium
FailedUserLoginAttempt | A failed login attempt occurred, possibly signalling an attack or user error. | Medium
GrantedMailboxAccess | Mailbox access was granted to another user or service. | Medium
GrantedMailboxPermission | Permissions were granted for access to a user’s mailbox. | Medium
HighFileDeletionVolume | A high volume of files was deleted, which may indicate malicious activity. | Medium
HoneytokenActivity | Activity detected on a honeytoken account, suggesting reconnaissance or compromise. | Medium
MailForwardRuleEnabled | A rule was created to auto-forward mail, often used in account compromise. | Medium
MailboxPermissionsChange | Mailbox permission changes were made, possibly allowing unauthorized access. | Medium
MalwareDetected | Malware was detected in the M365 environment, requiring immediate attention. | Medium
MultipleForeignSigninAttemptsDay | Multiple login attempts from foreign locations were detected in a day. | Medium
MultipleForeignSigninAttemptsHour | A high rate of foreign login attempts was observed in one hour. | Medium
NoMFASigninForeignCountry | A user signed in from a foreign country without MFA enforcement. | Medium
OAuthCredAddition | OAuth credentials were added, potentially allowing token-based access. | Medium
PasswordSprayIPActivity | Password spray attack activity detected from a suspicious IP address. | Medium
PhishingAttempts | Potential phishing attempts detected by M365 security tools. | Medium
RareAppConsent | Consent was granted to a rarely used app, which may indicate malicious intent. | Medium
RemoteCodeExecutionAttempt | An attempt to execute remote code was detected, indicating a serious threat. | Medium
SharePointNewIPFileOp | A file operation in SharePoint was performed from a new IP address. | Medium
SuspiciousAuthActivity | Suspicious authentication patterns were identified in user behaviour. | Medium
SuspiciousEmailSending | Unusual or suspicious email sending behaviour was observed. | Medium
UnidentifiableSignin | A sign-in event occurred from an unidentifiable or suspicious location/device. | Medium
UnmanagedDeviceDetected | Access attempt detected from a device not managed by the organization. | Medium
UpdateAppCertSecrets | Certificate secrets were updated for an application, possibly altering access controls. | Medium
UpdateAuthorizationPolicy | An authorization policy was updated, potentially affecting access rules. | Medium
UpdateConditionalAccess | Conditional access policies were modified, which may impact login controls. | Medium
UpdateRole | An Azure AD role was updated, possibly elevating privileges. | Medium
UploadSensitiveFileThirdParty | A sensitive file was uploaded to a third-party service or user. | Medium
UserAppConsent | A user granted consent to an application, which could expose data or permissions. | Medium
UserCompromiseInvestigation | A user is under investigation due to potential account compromise. | Medium
UserMFA | Multi-Factor Authentication settings were changed for a user account. | Medium
EmailReportedByUserAsMalwareOrPhish | A user reported an email as malware or phishing, indicating a potential threat that bypassed initial filters. | Low
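Added example, not part of this article or of the ConnectSecure product: a small Python detection pass that maps constructed sign-in records onto four of the event names above (OutsideOperatingCountrySignIn, SuccessfulNoMFAOutsideCountrySignIn, MultipleForeignSigninAttemptsHour and PasswordSpray), using the severities from the table. The record schema, the operating-country list, the window sizes and all thresholds are assumptions chosen for the example, not ConnectSecure's actual rules; the sample records use documentation IP ranges and made-up users.

```python
"""Map constructed sign-in records onto event names from the Event Set Alerts
table.  Added example: the schema, thresholds and country list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

OPERATING_COUNTRIES = {"US"}            # assumption: where the organization normally signs in from
FOREIGN_PER_HOUR_THRESHOLD = 3          # assumption
SPRAY_DISTINCT_USERS = 3                # assumption: failures against this many users from one IP
SPRAY_WINDOW = timedelta(minutes=30)    # assumption

SEVERITY = {  # severities as listed in the table above
    "OutsideOperatingCountrySignIn": "High",
    "SuccessfulNoMFAOutsideCountrySignIn": "High",
    "PasswordSpray": "High",
    "MultipleForeignSigninAttemptsHour": "Medium",
}

# Constructed sample sign-in records (documentation IP ranges, not real log data).
SAMPLE_SIGNINS = [
    {"ts": "2025-07-29T09:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "country": "US", "success": True, "mfa": True},
    {"ts": "2025-07-29T09:05:00", "user": "bob@example.com", "ip": "198.51.100.7", "country": "FR", "success": True, "mfa": False},
    {"ts": "2025-07-29T09:06:00", "user": "carol@example.com", "ip": "198.51.100.7", "country": "FR", "success": False, "mfa": False},
    {"ts": "2025-07-29T09:07:00", "user": "dave@example.com", "ip": "198.51.100.7", "country": "FR", "success": False, "mfa": False},
    {"ts": "2025-07-29T09:08:00", "user": "erin@example.com", "ip": "198.51.100.7", "country": "FR", "success": False, "mfa": False},
    {"ts": "2025-07-29T11:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "country": "US", "success": False, "mfa": False},
]


def parse(record):
    """Copy a record and turn its ISO timestamp into a datetime."""
    r = dict(record)
    r["ts"] = datetime.fromisoformat(r["ts"])
    return r


def emit(events, name, detail):
    """Append an event tagged with the severity the table assigns to it."""
    events.append((name, SEVERITY[name], detail))


def detect(records):
    """Return a list of (event name, severity, detail) tuples."""
    events = []
    signins = sorted((parse(r) for r in records), key=lambda r: r["ts"])
    foreign = [r for r in signins if r["country"] not in OPERATING_COUNTRIES]

    # Per-record rules for sign-ins outside the operating countries.
    for r in foreign:
        emit(events, "OutsideOperatingCountrySignIn", "%s from %s" % (r["user"], r["country"]))
        if r["success"] and not r["mfa"]:
            emit(events, "SuccessfulNoMFAOutsideCountrySignIn",
                 "%s from %s without MFA" % (r["user"], r["country"]))

    # Sliding one-hour window over foreign attempts; the first window that trips fires once.
    for i, first in enumerate(foreign):
        window = [x for x in foreign[i:] if x["ts"] - first["ts"] < timedelta(hours=1)]
        if len(window) >= FOREIGN_PER_HOUR_THRESHOLD:
            emit(events, "MultipleForeignSigninAttemptsHour",
                 "%d foreign attempts from %s" % (len(window), first["ts"].isoformat()))
            break

    # Password spray: failures from one IP against many distinct users inside the window.
    failures_by_ip = defaultdict(list)
    for r in signins:
        if not r["success"]:
            failures_by_ip[r["ip"]].append(r)
    for ip, fails in failures_by_ip.items():
        for i, first in enumerate(fails):
            users = {x["user"] for x in fails[i:] if x["ts"] - first["ts"] <= SPRAY_WINDOW}
            if len(users) >= SPRAY_DISTINCT_USERS:
                emit(events, "PasswordSpray", "%d users targeted from %s" % (len(users), ip))
                break
    return events


def count_by_name(events):
    """Tally of event names, handy for assertions and dashboards."""
    counts = defaultdict(int)
    for name, _, _ in events:
        counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, severity, detail in detect(SAMPLE_SIGNINS):
        print("[%s] %s: %s" % (severity, name, detail))
```

Run against the constructed records, the pass raises four OutsideOperatingCountrySignIn events, one SuccessfulNoMFAOutsideCountrySignIn (bob's successful French sign-in without MFA), one MultipleForeignSigninAttemptsHour, and one PasswordSpray for the single IP that failed against three different users within a few minutes; alice's lone failure from a US address trips nothing. The distinct-user test is what separates a spray from a brute force against one account, which the table lists separately as BruteForceAzurePortal.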

Microsoft 365 Security Inspection - Toolbar Options


Sync

Tap to start a sync manually.


Alerts

View a timeline-style list of the System Events captured for each company. You can set an optional date range filter to target a specific period of events.

image-20250206-143947.png

Info

Tap here to view your V4 Getting Started Info.

https://cybercns.atlassian.net/wiki/x/MIDKfw



Click to access the related documentation page; this link is functional on all screens and will take you to the appropriate documentation page.


Layout Settings

Here, you can change the UI look and feel using various options, including the Theme for color, the Scheme for dark and light mode, the Layout for toolbar and module positions, and the toggle to set the table view default.

I prefer the Teal color, Light mode, and Classic layout with an asset table view.


Get Support

Our support team is here to help. Use one of three options to start a support request.

  1. Email support@connectsecure.com

  2. Log in to our Freshdesk partner portal at https://cybercns.freshdesk.com
