Microsoft 365 Security Inspection Report

Enter Name

Use a name of your choice to identify the M365 creds being used.

Microsoft 365 Auth Endpoint

(Default) Global Service (https://login.microsoftonline.com)

US Government (https://login.microsoftonline.us)

Tenant ID

Enter the Directory (tenant) ID from the Azure portal app registration.

Application Client ID

Enter the Application (client) ID from the Azure portal app registration.

User Principal Name

Enter the username (with domain) of the user who created the app registration.

Application Client Secret

Enter the ‘Value’ from the Client Secret.

Application Thumbprint

Enter the value generated from the Thumbprint under the app registration ‘Certificates’ section.

Select Associated Company

Select to associate with a ConnectSecure company.

ADFS Configuration Found

Administrative Users with No Multi-Factor Authentication Enforced

Anti-Domain Spoofing Not Fully Enabled

Applications Registered to Tenant with Certificate Credentials

Applications Registered to Tenant with Client Secret (Password) Credentials

Azure PowerShell Service Principal Assignment Not Enforced

Azure PowerShell Service Principal Configuration Missing

Basic Authentication is Enabled

Calendar Sharing with External Users Enabled

Common Malicious Attachment Extensions are Not Filtered

Conditional Access Policies

Conditional Access Policies - Device Platforms

Conditional Access Policies - Legacy Authentication

DKIM Not Enabled for Exchange Online Domains

DLP Policies Not Enabled and Enforced

Dangerous Attachment Extensions are Not Filtered

Dangerous Default Permissions

Directory Synced Users Found in Admin Roles

Directory Synchronization Enabled

Directory Synchronization Service Account Found

Do Not Bypass the Safe Attachments Filter

Do Not Bypass the Safe Links Feature

Domains with No DKIM Selector 1 DNS Record

Domains with No SPF Records

Domains with SPF Soft Fail Configured

Domains with no DKIM Record Selector 2

Domains with no DMARC Records

Email Security Checks are Bypassed Based on Sender’s Domain

Email Security Checks are Bypassed Based on Sender’s IP

Entities Allowed to Perform Domain Spoofing

eDiscovery Case Administrators

Exchange Mailboxes Hidden from Global Address Lists Found

Exchange Mailboxes with Forwarding Rules to External Recipients

Exchange Mailboxes with FullAccess Delegates Found

Exchange Mailboxes with IMAP Enabled

Exchange Mailboxes with Internal Forwarding Rules Enabled

Exchange Mailboxes with POP-Enabled

Exchange Mailboxes with SendAs Delegates Found

Exchange Mailboxes with SendOnBehalfOf Delegates Found

Exchange Mobile Device Mailbox Security Policies

Exchange Modern Authentication is Not Enabled

Exchange Online Mailboxes with SMTP Authentication Enabled

Expired Domain Registration Found

Federation Trusts in Tenant

Iframes Not Identified as Spam

Improper Number of Company/Global Administrators

MFA Not Required for Device Registration

MFA Not Required for Security Information Registration

MSOnline (MSOL) PowerShell Module Enabled on Tenant

Mailbox Auditing Should be Enabled at the Tenant Level

Mailboxes without Mailbox Auditing Enabled

Malware Filter Policies Don't Alert for Internal Users Sending Malware

Microsoft Secure Defaults

Microsoft Teams Consumer Communication Policies

Microsoft Teams External Access Policies

Microsoft Teams External Domain Communication Policies

Microsoft Teams Policies Allow Anonymous Members

Microsoft Teams Users Allowed to Invite Anonymous Users

Microsoft Teams Users Allowed to Preview Links in Messages

No Conditional Access Policies Block Risky Sign-in

No Conditional Access Policies Mitigate User Risk

No Custom Anti-Malware Policy Present

No Custom Anti-Phishing Policy Present

No Spam Filters to Flag Emails containing IP Addresses as Spam

No Transport Rules to Block Exchange Auto-Forwarding

No Transport Rules to Block Executable Attachments

No Transport Rules to Block Large Attachments

Office Message Encryption is Not Enabled

Outgoing Sharing Invitations are Not Monitored

Password Expiration Period is Set

Password Synchronization Enabled

SMTP Authentication not Globally Disabled

SSPR Allows Email Authentication

Safe Attachments Not Enabled

Safe Links Click-Through is Allowed

Safe Links Does Not Flag Links in Real Time

Safe Links Not Enabled

Self-Serve Password Reset is Not Enabled

Service Principals Found on Tenant with Certificate Credentials

Service Principals Found on Tenant with Client Secret (Password) Credentials

SharePoint External Sharing Enabled (Global)

Simulated Phishing Transport Rules - Security Bypasses

Spam ZAP (Zero-Hour Auto Purge) Not Enabled

Suspicious Outgoing Spam Messages Not Monitored

Tenant Federation Configuration

Tenant License Level

Tenant Transport Rules

Third-Party File Sharing Enabled in Microsoft Teams

Third-Party Applications Allowed

Unified Audit Log Search is Not Enabled

User consent to OAUTH applications is not restricted

Users Allowed to Link Work Accounts to LinkedIn

Users Found in Azure AD Roles

Users with No MFA Configured

AddMemberOutsidePIM

A user was added to a privileged role outside of the approved PIM workflow.

High

AdminDeletedSecurityInfo

An administrator deleted security information (e.g., MFA methods) from their account.

High

AdminsWithoutMFA

One or more admin accounts are operating without Multi-Factor Authentication enabled.

High

CrossTenantAccessAdded

Cross-tenant access permissions were granted to an external organization.

High

DLP-USFinancialHighVolume

Data Loss Prevention triggered on a high volume of US financial data transfer.

High

DLPHighVolumeUSFinancialData

A high volume of sensitive US financial information was flagged by DLP policies.

High

DLPIDNumberPolicy

Sensitive ID numbers were detected and flagged by Data Loss Prevention rules.

High

DeleteConditionalAccessPolicy

A Conditional Access Policy was deleted from the environment.

High

DisableStrongAuthentication

Strong authentication mechanisms were disabled on a user or admin account.

High

EmailReportedByUserAsJunk

A user reported an email as junk, potentially indicating phishing or spam.

High

ErgoFlexMailFlow

Anomalous mail flow detected by the ErgoFlex policy, possibly indicating misuse.

High

InboxManipulationRule

A suspicious rule was created to manipulate the inbox (e.g., auto-forward or hide emails).

High

MailboxPermissions

Mailbox permissions were modified, possibly granting unauthorized access.

High

MaliciousURLClickDetected

A user clicked a URL that was identified as malicious.

High

NewUsersWithoutMFA

New user accounts were created without enforcing Multi-Factor Authentication.

High

OutsideOperatingCountrySignIn

Sign-in activity was detected from outside the organization’s typical countries.

High

PasswordSpray

A password spray attack was detected against M365 accounts.

High

PhishingAttemptDetected

A suspected phishing attempt was identified by Microsoft Defender.

High

PrivilegeAccountSignInFailureSpikes

A spike in failed sign-ins was observed for privileged accounts.

High

SuccessfulNoMFAOutsideCountrySignIn

A successful sign-in from outside the country occurred without MFA.

High

SuccessfulSuspiciousCountrySignIn

A successful login was detected from a suspicious or high-risk country.

High

SuspiciousCountrySignIn

A login attempt was made from a country flagged as suspicious.

High

TriggeredPIMAlert

An alert was triggered based on Privileged Identity Management activity.

High

UserRestrictedFromSendingEmail

A user was blocked from sending emails due to suspicious behavior.

High

AddServicePrincipalCredentials

Credentials were added to a service principal, potentially enabling automated access.

Medium

BlockLegacyAuth

Legacy authentication was blocked to improve security posture.

Medium

BlockSharePointDownload

SharePoint download was blocked, likely due to policy enforcement.

Medium

BruteForceAzurePortal

Brute-force login attempts detected against the Azure portal.

Medium

DLP-UKPIIScanLowCount

Data Loss Prevention detected a low volume of UK Personally Identifiable Information.

Medium

DeletePolicy

A security or compliance policy was deleted, which could weaken defences.

Medium

DistributedPwdCrackingAzureAD

Distributed password cracking activity detected on Azure AD accounts.

Medium

EmailSendingLimitExceeded

A user exceeded email sending limits, possibly indicating spam or compromise.

Medium

ExplicitMFADeny

A user explicitly denied an MFA challenge, possibly indicating unauthorized access attempts.

Medium

ExternallySharedFile

A file was shared with an external party, potentially exposing sensitive data.

Medium

ExternallySharedFolder

A folder was shared externally, potentially breaching data boundaries.

Medium

FailedUserLoginAttempt

A failed login attempt occurred, possibly signalling an attack or user error.

Medium

GrantedMailboxAccess

Mailbox access was granted to another user or service.

Medium

GrantedMailboxPermission

Permissions were granted for access to a user’s mailbox.

Medium

HighFileDeletionVolume

A high volume of files was deleted, which may indicate malicious activity.

Medium

HoneytokenActivity

Activity detected on a honeytoken account, suggesting reconnaissance or compromise.

Medium

MailForwardRuleEnabled

A rule was created to auto-forward mail, often used in account compromise.

Medium

MailboxPermissionsChange

Mailbox permission changes were made, possibly allowing unauthorized access.

Medium

MalwareDetected

Malware was detected in the M365 environment, requiring immediate attention.

Medium

MultipleForeignSigninAttemptsDay

Multiple logins attempt from foreign locations were detected in a day.

Medium

MultipleForeignSigninAttemptsHour

A high rate of foreign login attempts was observed in one hour.

Medium

NoMFASigninForeignCountry

A user signed in from a foreign country without MFA enforcement.

Medium

OAuthCredAddition

OAuth credentials were added, potentially allowing token-based access.

Medium

PasswordSprayIPActivity

Password spray attack activity detected from a suspicious IP address.

Medium

PhishingAttempts

Potential phishing attempts detected by M365 security tools.

Medium

RareAppConsent

Consent was granted to a rarely used app, which may indicate malicious intent.

Medium

RemoteCodeExecutionAttempt

An attempt to execute remote code was detected, indicating a serious threat.

Medium

SharePointNewIPFileOp

A file operation in SharePoint was performed from a new IP address.

Medium

SuspiciousAuthActivity

Suspicious authentication patterns were identified in user behaviour.

Medium

SuspiciousEmailSending

Unusual or suspicious email sending behaviour was observed.

Medium

UnidentifiableSignin

A sign-in event occurred from an unidentifiable or suspicious location/device.

Medium

UnmanagedDeviceDetected

Access attempt detected from a device not managed by the organization.

Medium

UpdateAppCertSecrets

Certificate secrets were updated for an application, possibly altering access controls.

Medium

UpdateAuthorizationPolicy

An authorization policy was updated, potentially affecting access rules.

Medium

UpdateConditionalAccess

Conditional access policies were modified, which may impact login controls.

Medium

UpdateRole

An Azure AD role was updated, possibly elevating privileges.

Medium

UploadSensitiveFileThirdParty

A sensitive file was uploaded to a third-party service or user.

Medium

UserAppConsent

A user granted consent to an application, which could expose data or permissions.

Medium

UserCompromiseInvestigation

A user is under investigation due to potential account compromise.

Medium

UserMFA

Multi-Factor Authentication settings were changed for a user account.

Medium

EmailReportedByUserAsMalwareOrPhish

A user reported an email as malware or phishing, indicating a potential threat that bypassed initial filters.

Low