M365 Audit - Overview

The Microsoft 365 Security Inspection Report gives an overview of the security posture of a Microsoft 365 tenant. It evaluates the tenant's security controls against the inspection items listed at the end of this page, flags misconfigurations and weak settings, and offers remediation recommendations for each finding.

...

Getting Started - Application Thumbprint Certificate

Before you begin the setups below, you must download the Certificate for Application Thumbprint.

  1. Login to the ConnectSecure portal.

  2. Navigate to Global > Settings > Integrations > Microsoft 365 Security Inspector.

  3. Scroll down and tap Download Certificate. This is the public certificate for the Application Thumbprint; it is uploaded to the app registration in the Azure portal in the next section. The Azure portal only accepts a public certificate here, so no private key is involved in this step.

...

M365 Audit - Setup in Azure Portal

  1. Log in to the Azure portal (portal.azure.com).

  2. Tap on the ‘App registrations’ option in Azure services (or use the Search).

...

  1. Record the Application (client) ID and Directory (tenant) ID values from the screen.

...

Upload Certificate (Client Credentials)

  1. Click on the ‘Add a certificate or secret’ link from the Client credentials section, open the Certificates tab and upload the certificate downloaded from ConnectSecure. Do not create a client secret: the integration authenticates with the certificate, and a secret on this application would only add a second, weaker credential.

...

  1. After the upload, you will see the Thumbprint value; record this for use in ConnectSecure.

...

Configure API Permissions

  1. Under the Manage section, tap on the Manifest option.

...

  1. Download the JSON file provided below and copy its entire contents. Open it in a plain-text editor such as Notepad; Word can replace the straight quotes with typographic ones, which makes the manifest invalid JSON.

...

  1. file.

Two permission files are provided. Prefer the second: it has a narrower scope and follows least-privilege practice, which matters because these permissions are granted to the application itself through admin consent and apply regardless of which user is signed in.

Info

CS_Global_Admin contains global admin permissions.

File: CS_Global_Admin.json

CS_Security_Reader contains limited security reader permissions (may permit full scan findings).

File: CS_Security_Reader.json

  1. In the ‘Microsoft Graph App Manifest (New)’ file, replace only the ‘requiredResourceAccess’ section with the copied data, leaving the rest of the manifest untouched, and save. The editor will reject the save if the result is not valid JSON.

...

  1. Tap on API Permissions from the left panel, confirm the listed permissions match the file you pasted, then tap the ‘Grant admin consent for…’ button.

...
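The manifest merge above is done by hand, and the permission file lists resources and permissions only as GUIDs. Before granting admin consent it is worth seeing, by name, what you are consenting to. The script below is an added example, not ConnectSecure's code and not part of the original page. It assumes PowerShell 7 with the Microsoft Graph PowerShell SDK, a manifest downloaded from App registrations > Manifest, and that the ConnectSecure JSON file carries a top-level requiredResourceAccess array in the same shape as the manifest (an assumption; adjust the property path if your file differs).

```powershell
# Added example (not ConnectSecure's or Microsoft's code). Requires PowerShell 7 and the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumption: the downloaded permission file has a top-level "requiredResourceAccess" array.
param(
    [string]$PermissionFile = '.\CS_Security_Reader.json',
    [string]$ManifestFile   = '.\manifest.json',          # downloaded from App registrations > Manifest
    [string]$OutFile        = '.\manifest.merged.json'    # paste this back into the portal editor
)

# Read both files as plain text. A file round-tripped through Word may contain typographic
# quotes; ConvertFrom-Json fails loudly on those instead of silently producing a bad manifest.
$perm     = Get-Content -Path $PermissionFile -Raw | ConvertFrom-Json -Depth 20
$manifest = Get-Content -Path $ManifestFile   -Raw | ConvertFrom-Json -Depth 20

# Replace only the requiredResourceAccess section, as the setup steps instruct.
$manifest.requiredResourceAccess = $perm.requiredResourceAccess
$merged = $manifest | ConvertTo-Json -Depth 20
if (-not (Test-Json -Json $merged)) { throw 'Merged manifest is not valid JSON' }
Set-Content -Path $OutFile -Value $merged -Encoding utf8

# Resolve every permission GUID to a readable name. 'Role' entries are application
# permissions (usable without a signed-in user); 'Scope' entries are delegated permissions.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
foreach ($resource in $manifest.requiredResourceAccess) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($resource.resourceAppId)'"
    foreach ($access in $resource.resourceAccess) {
        if ($access.type -eq 'Role') {
            $name = ($resourceSp.AppRoles | Where-Object Id -eq $access.id).Value
        } else {
            $name = ($resourceSp.Oauth2PermissionScopes | Where-Object Id -eq $access.id).Value
        }
        [pscustomobject]@{
            Resource   = $resourceSp.DisplayName
            Type       = $access.type
            Permission = $name
        }
    }
}
```

Review the Permission column before pressing ‘Grant admin consent’; anything listed as Role is exercised by the ConnectSecure application on its own, so the list should not contain more than the chosen permission file is meant to grant.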

Assign Roles in Microsoft Entra Roles and Administrators

Two role sets are documented. The least-privileged one is a single read-only role:

  • Global Reader (works for the O365 Sync Scan)

The broader set adds the following administrator roles to the application:

  • Exchange Administrator

  • Teams Administrator

  • Global Administrator

  • SharePoint Administrator

A role assigned to the application is available to anyone who holds the private key matching its certificate. Global Administrator on a service principal is equivalent to handing over the tenant, so use the administrator set only if a finding you need cannot be collected with Global Reader.

  1. At the top, use the Search, enter ‘Microsoft Entra roles and administrators’, and tap to select it.

...

  1. Search for and tap on the role to assign: ‘Global Reader’ for the least-privileged set, or ‘Exchange Administrator’ as the first role of the administrator set.

...

  1. Select the ‘Add Assignments’ button.

...

  1. Search for your added application name here and tap Add (e.g. ConnectSecure_M365_Audit).

...

  1. Once you add the application, tap on the name to add the user members.

...

  1. Click on the Users and Groups section from the left under Manage.

...

  1. Select a member and add an application.

...

  1. The selected member and application details are shown as follows:

...

Info

Enter any optional policy descriptions and justifications as required; this may vary depending on your Azure portal settings.

  1. If you are assigning the administrator set, repeat the same steps for the ‘Teams Administrator’ option.

    1. Add assignments

    2. Search for and add your application name

...

  1. Repeat the same steps for the ‘Global Administrator’ option.

    1. Add assignments

    2. Search for and add your application name

...

  1. Repeat the same steps for the ‘SharePoint Administrator’ option, the last role in the administrator set.

    1. Add assignments

    2. Search for and add your application name

...
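Once the roles are assigned it is easy to end up with more privilege on the application than intended, or with a forgotten client secret beside the certificate. The following script is an added example, not ConnectSecure's code and not part of the original page; it assumes the Microsoft Graph PowerShell SDK and that the app registration is named ConnectSecure_M365_Audit (change $AppName to match yours). It lists the application's credentials and its active directory role assignments so they can be compared with the role set chosen above.

```powershell
# Added example (not ConnectSecure's or Microsoft's code). Requires the Microsoft Graph
# PowerShell SDK. Assumption: the app registration is named 'ConnectSecure_M365_Audit'.
param([string]$AppName = 'ConnectSecure_M365_Audit')

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$AppName'"
if (-not $app) { throw "No app registration named '$AppName'" }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# 1. Credentials. The integration authenticates with the uploaded certificate only; a client
#    secret on this app is both unnecessary and something the inspection itself reports
#    ("Applications Registered to Tenant with Client Secret (Password) Credentials").
foreach ($cert in $app.KeyCredentials) {
    $thumb = if ($cert.CustomKeyIdentifier) {
        ([System.BitConverter]::ToString($cert.CustomKeyIdentifier)) -replace '-', ''
    } else { 'n/a' }
    [pscustomobject]@{
        Kind       = 'Certificate'
        Name       = $cert.DisplayName
        Thumbprint = $thumb              # should match the value recorded in ConnectSecure
        Expires    = $cert.EndDateTime   # renew before this date or the sync stops working
    }
}
foreach ($secret in $app.PasswordCredentials) {
    Write-Warning "Client secret '$($secret.DisplayName)' present (expires $($secret.EndDateTime)); remove it, the integration uses the certificate."
}

# 2. Active directory roles held by the service principal. Anything outside the set you
#    chose (Global Reader, or the four administrator roles) is excess privilege.
$expected = @('Global Reader', 'Exchange Administrator', 'Teams Administrator',
              'Global Administrator', 'SharePoint Administrator')
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Role     = $def.DisplayName
        Expected = ($def.DisplayName -in $expected)
    }
}
```

Only active assignments are listed; if your tenant uses Privileged Identity Management, an eligible (not yet activated) assignment made through it does not appear here. A row with Expected = False, or any client secret in the warning output, should be cleaned up before continuing with the ConnectSecure setup.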

M365 Audit - Setup in ConnectSecure

  1. Login to your ConnectSecure portal (e.g. portal.myconnectsecure.com).

  2. Navigate back to Global > Settings > Integrations > Microsoft 365 Security Inspector, where you originally downloaded the certificate (application thumbprint).

Credentials

Complete the required fields with your values from the previous steps outlined above.

...

🏁 Proceed to Company Mapping below.

...

Company Mapping

You will need to map the ConnectSecure company to the M365 company.

...

  1. Tap on the Add, then Finish to complete mapping.

...

Start M365 Sync

Once you complete the mapping(s), navigate to Active Directory > M365 Audit Report.

Click on the Sync option to start the assessment.

...

A job is created for the sync; its progress is shown in the Job Status.

...

The results will be displayed in the M365 Audit Report once the assessment is finished.

Tap on the Word or PPT icons for report/PPT outputs.

...

...

Results Summary

...

Microsoft 365 Security Inspection Dashboard

Review the findings in the company-level dashboard.

...

Microsoft 365 Security Inspection Items

ADFS Configuration Found

Administrative Users with No Multi-Factor Authentication Enforced

Anti-Domain Spoofing Not Fully Enabled

Applications Registered to Tenant with Certificate Credentials

Applications Registered to Tenant with Client Secret (Password) Credentials

Azure PowerShell Service Principal Assignment Not Enforced

Azure PowerShell Service Principal Configuration Missing

Basic Authentication is Enabled

Calendar Sharing with External Users Enabled

Common Malicious Attachment Extensions are Not Filtered

Conditional Access Policies

Conditional Access Policies - Device Platforms

Conditional Access Policies - Legacy Authentication

DKIM Not Enabled for Exchange Online Domains

DLP Policies Not Enabled and Enforced

Dangerous Attachment Extensions are Not Filtered

Dangerous Default Permissions

Directory Synced Users Found in Admin Roles

Directory Synchronization Enabled

Directory Synchronization Service Account Found

Do Not Bypass the Safe Attachments Filter

Do Not Bypass the Safe Links Feature

Domains with No DKIM Selector 1 DNS Record

Domains with No SPF Records

Domains with SPF Soft Fail Configured

Domains with no DKIM Record Selector 2

Domains with no DMARC Records

Email Security Checks are Bypassed Based on Sender Domain

Email Security Checks are Bypassed Based on Sender IP

Entities Allowed to Perform Domain Spoofing

eDiscovery Case Administrators

Exchange Mailboxes Hidden from Global Address Lists Found

Exchange Mailboxes with Forwarding Rules to External Recipients

Exchange Mailboxes with FullAccess Delegates Found

Exchange Mailboxes with IMAP Enabled

Exchange Mailboxes with Internal Forwarding Rules Enabled

Exchange Mailboxes with POP-Enabled

Exchange Mailboxes with SendAs Delegates Found

Exchange Mailboxes with SendOnBehalfOf Delegates Found

Exchange Mobile Device Mailbox Security Policies

Exchange Modern Authentication is Not Enabled

Exchange Online Mailboxes with SMTP Authentication Enabled

Expired Domain Registration Found

Federation Trusts in Tenant

Iframes Not Identified as Spam

Improper Number of Company/Global Administrators

MFA Not Required for Device Registration

MFA Not Required for Security Information Registration

MSOnline (MSOL) PowerShell Module Enabled on Tenant

Mailbox Auditing Should be Enabled at the Tenant Level

Mailboxes without Mailbox Auditing Enabled

Malware Filter Policies Don't Alert for Internal Users Sending Malware

Microsoft Secure Defaults

Microsoft Teams Consumer Communication Policies

Microsoft Teams External Access Policies

Microsoft Teams External Domain Communication Policies

Microsoft Teams Policies Allow Anonymous Members

Microsoft Teams Users Allowed to Invite Anonymous Users

Microsoft Teams Users Allowed to Preview Links in Messages

No Conditional Access Policies Block Risky Sign-in

No Conditional Access Policies Mitigate User Risk

No Custom Anti-Malware Policy Present

No Custom Anti-Phishing Policy Present

No Spam Filters to Flag Emails containing IP Addresses as Spam

No Transport Rules to Block Exchange Auto-Forwarding

No Transport Rules to Block Executable Attachments

No Transport Rules to Block Large Attachments

Office Message Encryption is Not Enabled

Outgoing Sharing Invitations are Not Monitored

Password Expiration Period is Set

Password Synchronization Enabled

SMTP Authentication not Globally Disabled

SSPR Allows Email Authentication

Safe Attachments Not Enabled

Safe Links Click-Through is Allowed

Safe Links Does Not Flag Links in Real Time

Safe Links Not Enabled

Self-Serve Password Reset is Not Enabled

Service Principals Found on Tenant with Certificate Credentials

Service Principals Found on Tenant with Client Secret (Password) Credentials

SharePoint External Sharing Enabled (Global)

Simulated Phishing Transport Rules - Security Bypasses

Spam ZAP (Zero-Hour Auto Purge) Not Enabled

Suspicious Outgoing Spam Messages Not Monitored

Tenant Federation Configuration

Tenant License Level

Tenant Transport Rules

Third-Party File Sharing Enabled in Microsoft Teams

Third-Party Applications Allowed

Unified Audit Log Search is Not Enabled

User consent to OAUTH applications not restricted

Users Allowed to Link Work Accounts to LinkedIn

Users Found in Azure AD Roles

Users with No MFA Configured

...

Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login

...