MICROSOFT 365 Security Inspector (BETA)


M365 Audit - Overview

The Microsoft 365 Security Inspection Report provides a comprehensive overview of the security posture within the Microsoft 365 environment. It evaluates various security controls, identifies vulnerabilities, and offers recommendations to enhance security measures, ensuring robust protection against potential threats and breaches.


Getting Started - Application Thumbprint Certificate

Before you begin the setup steps below, you must download the certificate that provides the Application Thumbprint.

  1. Log in to the ConnectSecure portal.

  2. Navigate to Global > Settings > Integrations > Microsoft 365 Security Inspector.

  3. Scroll down and tap Download Certificate; this certificate will be uploaded to the Azure portal in a later step.


M365 Audit - Setup in Azure Portal

  1. Log in to the Azure portal (portal.azure.com).

  2. Tap on the ‘App registrations’ option in Azure services (or use the Search).

  3. Tap on the ‘New registration’ option.

  4. Complete the required fields.

    1. Name = Give this app registration a name of your choice (IE: ConnectSecure_M365_Audit)

    2. Supported account types = Single tenant

    3. Redirect URI = Set the platform to Web and use: https://authccns.mycybercns.com

    4. Tap on Register to complete

  5. Record the Application (client) ID and Directory (tenant) ID values from the screen.

Generate Client Secret

  1. Click on the ‘Add a certificate or secret’ link from the Client credentials section.

  2. Tap on ‘New client secret’.

  3. Set the client secret required fields for Description and Expires, then tap Add.

  4. Copy the Value generated and store it; this will be used in the ConnectSecure portal setup.

  5. Tap on the Certificates option.

  6. Tap on ‘Upload certificate’.

  7. Select the application thumbprint certificate you downloaded in the Getting Started steps and give it a description (IE: ConnectSecure_M365_Audit), then tap Add.

  8. After the upload, you will see the Thumbprint value; record this for use in ConnectSecure.
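The Thumbprint shown by Azure after the upload is the SHA-1 hash of the certificate's DER encoding, rendered as uppercase hex with no separators. The following added example (not ConnectSecure's code) recomputes that value from a PEM file and normalises other common renderings (lowercase, colon-separated, or with a hidden character picked up while copying from the portal) so the value you record can be checked against the downloaded certificate before it is pasted into ConnectSecure. The PEM block below is a constructed placeholder whose body is the base64 of the bytes `abc`, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder: a real PEM body is the base64 of the certificate's DER
# bytes. Here the "DER" payload is just b"abc" so the example runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Strip the BEGIN/END armour and base64-decode the body to DER bytes."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def thumbprint_from_der(der):
    """Azure's certificate thumbprint: SHA-1 over the DER bytes, uppercase hex."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_from_pem(pem_text):
    return thumbprint_from_der(pem_to_der(pem_text))


def normalize_thumbprint(value):
    """Reduce any rendering (colons, spaces, lowercase, stray non-hex characters
    such as an invisible mark copied from a web page) to 40 bare uppercase hex digits."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", value).upper()
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)}")
    return cleaned


def thumbprints_match(recorded, expected):
    """True when the value recorded from the portal equals the one computed from the file."""
    return normalize_thumbprint(recorded) == normalize_thumbprint(expected)


if __name__ == "__main__":
    computed = thumbprint_from_pem(SAMPLE_PEM)
    print("thumbprint from file:", computed)
    print("matches portal value:", thumbprints_match("a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d", computed))
```

For a real certificate, replace `SAMPLE_PEM` with the contents of the downloaded file; if the download is in DER form rather than PEM, pass its bytes straight to `thumbprint_from_der`.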


Configure API Permissions

  1. Under the Manage section, tap on the Manifest option.

  2. Download the JSON file.

Two permission sets are available. The second has a limited scope that aligns with least-privilege best practice for a reader role.

CS_Global_Admin contains global admin permissions.

CS_Security_Reader contains limited security reader permissions (may permit full scan findings).

  3. In the ‘Microsoft Graph App Manifest (New)’ file, replace the ‘requiredResourceAccess’ section with the copied data.

  4. Tap on the Save button to complete.

  5. Tap on API Permissions from the left panel, then tap the ‘Grant admin consent for…’ button.
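The manifest edit above swaps one JSON array, `requiredResourceAccess`, in the downloaded manifest. The following added example (not ConnectSecure's code or its real permission files) performs that replacement from two files, validates the shape Azure expects (each entry has a `resourceAppId` and a list of `resourceAccess` items whose `type` is `Role` for application permissions or `Scope` for delegated permissions), and summarises how many application permissions are about to receive admin consent, which is the figure to compare when deciding between the global admin and security reader sets. Both JSON documents below are constructed stand-ins; the permission ids are placeholders, and only the Microsoft Graph resource id is a real value.

```python
import json
from collections import Counter

# Constructed stand-in for the manifest JSON downloaded from the app registration.
# Only the keys this script touches are included; the permission id is a placeholder.
DOWNLOADED_MANIFEST = json.dumps({
    "displayName": "ConnectSecure_M365_Audit",
    "signInAudience": "AzureADMyOrg",
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
            "resourceAccess": [
                {"id": "00000000-0000-0000-0000-placeholder01", "type": "Scope"},
            ],
        }
    ],
})

# Constructed stand-in for the chosen permission file (CS_Security_Reader or
# CS_Global_Admin on the page). The real files come from ConnectSecure; these
# permission ids are placeholders, not real Graph role ids.
CHOSEN_PERMISSIONS = json.dumps([
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {"id": "00000000-0000-0000-0000-placeholder02", "type": "Role"},
            {"id": "00000000-0000-0000-0000-placeholder03", "type": "Role"},
        ],
    }
])


def load_required_resource_access(text):
    """Accept either a bare requiredResourceAccess list or a whole manifest object
    containing one, and validate the shape Azure expects."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("requiredResourceAccess")
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of resource access entries")
    for entry in data:
        if not isinstance(entry, dict) or not isinstance(entry.get("resourceAppId"), str):
            raise ValueError("entry missing resourceAppId")
        for access in entry.get("resourceAccess", []):
            if access.get("type") not in ("Role", "Scope") or not access.get("id"):
                raise ValueError(f"malformed resourceAccess item: {access}")
    return data


def is_valid_permission_file(text):
    try:
        load_required_resource_access(text)
        return True
    except (ValueError, AttributeError):
        return False


def replace_required_resource_access(manifest_text, permissions_text):
    """Return the manifest with its requiredResourceAccess section replaced by the chosen set."""
    manifest = json.loads(manifest_text)
    manifest["requiredResourceAccess"] = load_required_resource_access(permissions_text)
    return manifest


def summarize_permissions(manifest):
    """Count application permissions (Role) and delegated permissions (Scope) and the
    number of distinct resources, so the breadth of the set being consented to is visible."""
    counts = Counter()
    resources = set()
    for entry in manifest.get("requiredResourceAccess", []):
        resources.add(entry["resourceAppId"])
        for access in entry.get("resourceAccess", []):
            counts[access["type"]] += 1
    return {"Role": counts["Role"], "Scope": counts["Scope"], "resources": len(resources)}


if __name__ == "__main__":
    merged = replace_required_resource_access(DOWNLOADED_MANIFEST, CHOSEN_PERMISSIONS)
    print(json.dumps(merged, indent=2))
    print(summarize_permissions(merged))
```

To use it on real files, read the downloaded manifest and the chosen permission file into the two string variables and write `merged` back out with `json.dump` before uploading; the summary printed last is what the ‘Grant admin consent for…’ step will approve.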

Assign Roles in Microsoft Entra Roles and Administrators for O365

  • These roles work for the O365 Sync Scan

  • Global Reader privileges

  1. At the top, use the Search, enter ‘Microsoft Entra Roles and Administrators’, and tap to select.

  2. Search for and tap on the ‘Global Reader’ option.

  3. Select the ‘Add Assignments’ button.

  4. Search for your added application name here and tap Add. (IE: ConnectSecure_M365_Audit)

  5. Once you add the application, tap on the name to add the user members.

  6. Click on the Users and Groups section from the left under Manage.

  7. Select a member and add an application.

  8. The selected member and application details are shown as follows:

Enter any optional policy descriptions and justifications as required; this may vary depending on your Azure portal settings.


M365 Audit - Setup in ConnectSecure

  1. Log in to your ConnectSecure portal (IE: portal.myconnectsecure.com).

  2. Navigate back to Global > Settings > Integrations > Microsoft 365 Security Inspector, where you originally downloaded the certificate (application thumbprint).

Credentials

Complete the required fields with your values from the previous steps outlined above.

Field Name | Description

Enter Name | Use a name of your choice to identify the M365 credentials being used.

Microsoft 365 Auth Endpoint | (Default) Global Service (https://login.microsoftonline.com) or US Government (https://login.microsoftonline.us)

Tenant ID | Enter the Directory (tenant) ID from the Azure portal app registration.

Application Client ID | Enter the Application (client) ID from the Azure portal app registration.

User Principal Name | Enter the username (with domain) of the user who created the app registration.

Application Client Secret | Enter the ‘Value’ from the Client Secret.

Application Thumbprint | Enter the Thumbprint value shown under the app registration ‘Certificates’ section.

Select Associated Company | Select the ConnectSecure company to associate with these credentials.

Proceed to Company Mapping below.


Company Mapping

You will need to map the ConnectSecure company to the M365 company.

  1. Tap on the Company Mapping tab from within the Microsoft 365 Security Inspector integration and use the ‘Add’ button to create a new mapping.

  2. Select from the options to import a new company from M365 into ConnectSecure, or map an existing ConnectSecure company to the M365 company.

  3. In this case, I will map to an existing ConnectSecure company and tap the Next button. You will then select the M365 company from the Local Company (ConnectSecure).

  4. Tap on Add, then Finish to complete the mapping.


Start M365 Sync

Once you complete the mapping(s), navigate to Active Directory > M365 Audit Report.

Click on the Sync option to start the assessment.

A job is created for the sync, and its progress is shown under Job Status.

The results will be displayed in the M365 Audit Report once the assessment is finished.

Tap on the Word or PPT icon to export the report in that format.

Results Summary

Microsoft 365 Security Inspection Dashboard

Review the findings in the company-level dashboard.


Microsoft 365 Security Inspection Items

ADFS Configuration Found

Administrative Users with No Multi-Factor Authentication Enforced

Anti-Domain Spoofing Not Fully Enabled

Applications Registered to Tenant with Certificate Credentials

Applications Registered to Tenant with Client Secret (Password) Credentials

Azure PowerShell Service Principal Assignment Not Enforced

Azure PowerShell Service Principal Configuration Missing

Basic Authentication is Enabled

Calendar Sharing with External Users Enabled

Common Malicious Attachment Extensions are Not Filtered

Conditional Access Policies

Conditional Access Policies - Device Platforms

Conditional Access Policies - Legacy Authentication

DKIM Not Enabled for Exchange Online Domains

DLP Policies Not Enabled and Enforced

Dangerous Attachment Extensions are Not Filtered

Dangerous Default Permissions

Directory Synced Users Found in Admin Roles

Directory Synchronization Enabled

Directory Synchronization Service Account Found

Do Not Bypass the Safe Attachments Filter

Do Not Bypass the Safe Links Feature

Domains with No DKIM Selector 1 DNS Record

Domains with No SPF Records

Domains with SPF Soft Fail Configured

Domains with no DKIM Record Selector 2

Domains with no DMARC Records

Email Security Checks are Bypassed Based on Sender Domain

Email Security Checks are Bypassed Based on Sender IP

Entities Allowed to Perform Domain Spoofing

eDiscovery Case Administrators

Exchange Mailboxes Hidden from Global Address Lists Found

Exchange Mailboxes with Forwarding Rules to External Recipients

Exchange Mailboxes with FullAccess Delegates Found

Exchange Mailboxes with IMAP Enabled

Exchange Mailboxes with Internal Forwarding Rules Enabled

Exchange Mailboxes with POP-Enabled

Exchange Mailboxes with SendAs Delegates Found

Exchange Mailboxes with SendOnBehalfOf Delegates Found

Exchange Mobile Device Mailbox Security Policies

Exchange Modern Authentication is Not Enabled

Exchange Online Mailboxes with SMTP Authentication Enabled

Expired Domain Registration Found

Federation Trusts in Tenant

Iframes Not Identified as Spam

Improper Number of Company/Global Administrators

MFA Not Required for Device Registration

MFA Not Required for Security Information Registration

MSOnline (MSOL) PowerShell Module Enabled on Tenant

Mailbox Auditing Should be Enabled at the Tenant Level

Mailboxes without Mailbox Auditing Enabled

Malware Filter Policies Don't Alert for Internal Users Sending Malware

Microsoft Secure Defaults

Microsoft Teams Consumer Communication Policies

Microsoft Teams External Access Policies

Microsoft Teams External Domain Communication Policies

Microsoft Teams Policies Allow Anonymous Members

Microsoft Teams Users Allowed to Invite Anonymous Users

Microsoft Teams Users Allowed to Preview Links in Messages

No Conditional Access Policies Block Risky Sign-in

No Conditional Access Policies Mitigate User Risk

No Custom Anti-Malware Policy Present

No Custom Anti-Phishing Policy Present

No Spam Filters to Flag Emails containing IP Addresses as Spam

No Transport Rules to Block Exchange Auto-Forwarding

No Transport Rules to Block Executable Attachments

No Transport Rules to Block Large Attachments

Office Message Encryption is Not Enabled

Outgoing Sharing Invitations are Not Monitored

Password Expiration Period is Set

Password Synchronization Enabled

SMTP Authentication not Globally Disabled

SSPR Allows Email Authentication

Safe Attachments Not Enabled

Safe Links Click-Through is Allowed

Safe Links Does Not Flag Links in Real Time

Safe Links Not Enabled

Self-Serve Password Reset is Not Enabled

Service Principals Found on Tenant with Certificate Credentials

Service Principals Found on Tenant with Client Secret (Password) Credentials

SharePoint External Sharing Enabled (Global)

Simulated Phishing Transport Rules - Security Bypasses

Spam ZAP (Zero-Hour Auto Purge) Not Enabled

Suspicious Outgoing Spam Messages Not Monitored

Tenant Federation Configuration

Tenant License Level

Tenant Transport Rules

Third-Party File Sharing Enabled in Microsoft Teams

Third-Party Applications Allowed

Unified Audit Log Search is Not Enabled

User consent to OAUTH applications not restricted

Users Allowed to Link Work Accounts to LinkedIn

Users Found in Azure AD Roles

Users with No MFA Configured


Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login