Microsoft 365
Monkey365
Execution Information
Juan Garrido
silverhack@monkeytenant.onmicrosoft.com
Resources
Services | Resources | Rules | Findings |
---|---|---|---|
Microsoft Entra ID Identity | 5 | 5 | 3 |
Identity Protection | 1 | 8 | 2 |
Conditional Access | 3 | 1 | 1 |
General | 1 | 7 | 2 |
Exchange Online | 1 | 15 | 7 |
SharePoint Online | 1 | 6 | 5 |
Microsoft Forms | 1 | 1 | 0 |
Microsoft Teams | 1 | 2 | 2 |
Security and Compliance | 7 | 3 | 2 |
Microsoft OneDrive | 1 | 1 | 1 |
Monkey365 findings
azure ad identity
Description:
Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like:
- Service Co-Administrators
- Subscription Owners
- Contributors
Rationale:
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact:
Users would require two forms of authentication before any action is granted. Also, this requires an overhead for managing dual forms of authentication.
Remediation:
Follow the Microsoft Azure documentation and set up multi-factor authentication in your environment.
Secure user sign-in events with Microsoft Entra ID Multi-Factor Authentication
References:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access
https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.1
- Microsoft Entra ID Identity checked: 5
- Microsoft Entra ID Identity flagged: 2
Description:
The total number of Global Administrators was higher than recommended. A tenancy should have more than two but fewer than five Global Administrators. Having an excessive number of Global Administrators has an increased risk that one of those accounts will be successfully breached by an external attacker.
Rationale:
If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.
Impact:
The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.
References:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.3
- Microsoft Entra ID Identity checked: 5
- Microsoft Entra ID Identity flagged: 1
Description:
Microsoft Entra ID Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.
Rationale:
Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Microsoft Entra ID and Office 365. Organizations can give users just-in-time (JIT) privileged access to roles. There is a need for oversight for what those users are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.
Impact:
Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to reauthenticate to enable role access.
Remediation:
To configure sensitive Microsoft Entra ID roles for Privileged Identity Management Role activation, use the following steps:
From Azure Entra portal
- Sign in to the Azure Entra portal as a global administrator.
- In the Azure Entra portal, click Identity and Governance and search for and click on Privileged Identity Management.
- Under Manage click on Microsoft Entra ID Roles.
- Under Manage click on Roles.
- Inspect the following sensitive roles. For each of the members that have an ASSIGNMENT TYPE of Permanent, click on the ... and choose Make eligible:
  - Application Administrator
  - Authentication Administrator
  - Billing Administrator
  - Cloud Application Administrator
  - Cloud Device Administrator
  - Compliance Administrator
  - Customer LockBox Access Approver
  - Device Administrators
  - Exchange Administrators
  - Global Administrators
  - HelpDesk Administrator
  - Information Protection Administrator
  - Intune Service Administrator
  - Kaizala Administrator
  - License Administrator
  - Password Administrator
  - PowerBI Service Administrator
  - Privileged Authentication Administrator
  - Privileged Role Administrator
  - Security Administrator
  - SharePoint Service Administrator
  - Skype for Business Administrator
  - Teams Service Administrator
  - User Administrator
References:
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.10
- Microsoft Entra ID Identity checked: 19
- Microsoft Entra ID Identity flagged: 14
UPN | Object Type | User Type | Role | isBuiltIn | MFA enabled |
---|---|---|---|---|---|
LidiaH@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
NestorW@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
AllanD@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
admin@monkeytenant.onmicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
MeganB@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
provisioninguser0@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
silverhack@monkeytenant.onmicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
dromero@monkeytenant.onmicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
provisioninguser4@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
provisioninguser2@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
IsaiahL@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
provisioninguser3@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
provisioninguser1@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
ms-serviceaccount@monkeytenant.OnMicrosoft.com | User | Member | Global Administrator | Enabled | Disabled |
julia@monkeytenant.onmicrosoft.com | User | Member | Global Reader | Enabled | Disabled |
NotSet | NotSet | NotSet | Global Reader | Enabled | NotSet |
User Principal Name | Object Type | User Type | MFA enabled | actions |
---|---|---|---|---|
LidiaH@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
NestorW@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
AllanD@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
admin@monkeytenant.onmicrosoft.com | User | Member | Disabled | |
MeganB@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
provisioninguser0@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
silverhack@monkeytenant.onmicrosoft.com | User | Member | Disabled | |
dromero@monkeytenant.onmicrosoft.com | User | Member | Disabled | |
provisioninguser4@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
provisioninguser2@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
IsaiahL@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
provisioninguser3@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
provisioninguser1@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
ms-serviceaccount@monkeytenant.OnMicrosoft.com | User | Member | Disabled | |
Principal Name | Display Name | Object Type | Role Name | State | actions |
---|---|---|---|---|---|
NestorW@monkeytenant.OnMicrosoft.com | Nestor Wilke | User | Global Administrator | Active | |
dromero@monkeytenant.onmicrosoft.com | Daniel Romero | User | Global Administrator | Active | |
MeganB@monkeytenant.OnMicrosoft.com | Megan Bowen | User | Global Administrator | Active | |
LidiaH@monkeytenant.OnMicrosoft.com | Lidia Holloway | User | Global Administrator | Active | |
provisioninguser4@monkeytenant.OnMicrosoft.com | Johanna Lorenz | User | Global Administrator | Active | |
provisioninguser3@monkeytenant.OnMicrosoft.com | Christie Cline | User | Global Administrator | Active | |
AllanD@monkeytenant.OnMicrosoft.com | Allan Deyoung | User | Global Administrator | Active | |
admin@monkeytenant.onmicrosoft.com | MOD Administrator | User | Global Administrator | Active | |
silverhack@monkeytenant.onmicrosoft.com | Juan Garrido | User | Global Administrator | Active | |
provisioninguser1@monkeytenant.OnMicrosoft.com | Pradeep Gupta | User | Global Administrator | Active | |
ms-serviceaccount@monkeytenant.OnMicrosoft.com | Microsoft Service Account | User | Global Administrator | Active | |
IsaiahL@monkeytenant.OnMicrosoft.com | Isaiah Langer | User | Global Administrator | Active | |
provisioninguser2@monkeytenant.OnMicrosoft.com | Alex Wilber | User | Global Administrator | Active | |
provisioninguser0@monkeytenant.OnMicrosoft.com | Lynne Robbins | User | Global Administrator | Active | |
identity protection
Description:
Enabling self-service password reset allows users to reset their own passwords in Microsoft Entra ID. When your users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled, additional information outside of multi-factor will not be needed. As of August 2020 combined registration is enabled by default.
Rationale:
Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.
Impact:
The impact associated with this setting is that users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. As of August 2020 combined registration is automatic for new tenants, therefore users will not need to register for password reset separately from multi-factor authentication.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.4
- Identity Protection checked: 1
- Identity Protection flagged: 0
Description:
Microsoft Entra ID Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Rationale:
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Impact:
When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.
Remediation:
From Microsoft Entra ID Portal
- Log in to https://aad.portal.azure.com as a Global Administrator.
- Select Security.
- Select Identity Protection.
- Select Sign-in risk policy.
- Set the following conditions within the policy:
  - Under Users or workload identities choose All users.
  - Under Sign-in risk set the appropriate level.
  - Under Access select Allow access, then in the right pane select Require multi-factor authentication.
- Click Done.
- In Enforce Policy set On.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.8
- Identity Protection checked: 9
- Identity Protection flagged: 1
Description:
Microsoft Entra ID Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Rationale:
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Impact:
When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.
Remediation:
From Microsoft Entra ID Portal
- Log in to https://aad.portal.azure.com as a Global Administrator.
- Select Security.
- Select Identity Protection.
- Select Sign-in risk policy.
- Set the following conditions within the policy:
  - Under Users or workload identities choose All users.
  - Under Sign-in risk set the appropriate level.
  - Under Access select Allow access, then in the right pane select Require multi-factor authentication.
- Click Done.
- In Enforce Policy set On.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.8
- Identity Protection checked: 9
- Identity Protection flagged: 0
Description:
Microsoft Entra ID Identity Protection user risk policies detect the probability that a user account has been compromised.
Rationale:
With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.
Impact:
When the policy triggers, access to the account will either be blocked or the user would be required to use multi-factor authentication and change their password. Users who haven't registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.
Remediation:
From Microsoft Entra ID Portal
- Log in to https://aad.portal.azure.com as a Global Administrator.
- Select Security.
- Select Identity Protection.
- Select User risk policy.
- Set the following conditions within the policy:
  - Under Users or workload identities choose All users.
  - Under User risk set the appropriate level.
  - Under Access select Allow access, then in the right pane select Require password change.
- Click Done.
- In Enforce Policy set On.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.9
- Identity Protection checked: 9
- Identity Protection flagged: 0
Description:
The Stay signed in (or Keep me signed in) option prompts a user after a successful login. When the user selects this option, a persistent refresh token is created. Typically this lasts for 90 days and does not prompt for sign-in or Multi-Factor.
Rationale:
Allowing users to select this option presents risk, especially in the event that the user signs into their account on a publicly accessible computer/web browser. In this case anyone with access to the browser profile that said user utilized would have access to their account when directing the web browser to office.com.
Impact:
Once you have changed this setting users will no longer be prompted upon sign-in with the message "Stay signed in?". This may mean users will be forced to sign in more frequently. Important: some features of SharePoint Online and Office 2010 have a dependency on users remaining signed in. If you hide this option, users may get additional and unexpected sign in prompts.
Remediation:
From Azure Portal
- Go to Microsoft Entra ID.
- Scroll down and select Company branding under Manage, followed by the appropriate policy.
  - If no policy exists you will need to create one.
- Scroll to the bottom of the newly opened pane and ensure Show option to remain signed in is set to No.
- Click Save.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.16
- Identity Protection checked: 39
- Identity Protection flagged: 1
Description:
Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.
Rationale:
NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with the reasoning that forcing arbitrary password changes on users actually makes the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA for at least critical accounts (at minimum), which makes password expiration even less useful, as does password protection for Microsoft Entra ID.
Impact:
The primary impact associated with this change is ensuring that users understand the process for making or requesting a password change when required.
Remediation:
To ensure Office 365 passwords are not set to expire, use the Microsoft 365 Admin Center
- Expand Settings then select the Org Settings subcategory.
- Click on Security & privacy.
- Select Password expiration policy.
- If the Set user passwords to expire after a number of days box is checked, uncheck it.
- Click Save.
References:
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.4
- Identity Protection checked: 1
- Identity Protection flagged: 0
odata.type | objectType | objectId | deletionTimestamp | displayName | keyCredentials | policyType | policyDetail | policyIdentifier | tenantDefaultPolicy |
---|---|---|---|---|---|---|---|---|---|
Microsoft.DirectoryServices.Policy | Policy | 59347dc8-cf1a-4e6a-89bb-ab249a97b17c | NotSet | Sign-In Risk Policy | 1 | @{AuthenticationPolicies=} | NotSet | 1 |
PolicyName | Status |
---|---|
Hide Keep Me Signed-In option | Disabled |
conditional access
Description:
Use Conditional Access to block legacy authentication protocols in Office 365.
Rationale:
Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.
Impact:
Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync, or protocols like IMAP, POP or SMTP, and may require upgrades to older versions of Office and the use of mobile mail clients that support modern authentication.
There is also an increased cost, as Conditional Access policies require Microsoft Entra ID Premium. Similarly, MFA may require additional overhead to maintain. There is also a potential scenario in which the multi-factor authentication method can be lost, and administrative users are no longer able to log in. For this scenario, there should be an emergency access account. Please see References for creating this.
Remediation:
From Azure Console
- From Azure Home open the Portal Menu in the top left, and select Microsoft Entra ID.
- Scroll down in the menu on the left, and select Security.
- Select on the left side Conditional Access.
- Click the + New policy.
References:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.6
- Conditional Access checked: 3
- Conditional Access flagged: 3
Name | Status | Exchange ActiveSync | Apply Condition | Exchange V2 ActiveSync | Mobile Desktop | Other Clients | V2 Apply Condition | actions |
---|---|---|---|---|---|---|---|---|
Exchange Online Requires Compliant Device | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled | |
Office 365 App Control | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled | |
MFA All | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled | |
general
Description:
Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings.
Rationale:
Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
For example, doing the following:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients, which can’t do MFA.
Impact:
The potential impact associated with disabling of Security Defaults is dependent upon the security controls implemented in the environment. It is likely that most organizations disabling Security Defaults plan to implement equivalent controls to replace Security Defaults.
It may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.
Remediation:
From Azure Console
- Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
- Browse to Microsoft Entra ID > Properties.
- Select Manage security defaults.
- Set the Enable security defaults toggle to No.
- Select Save.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.11
- General checked: 1
- General flagged: 0
Description:
Consider disabling integration with LinkedIn as a measure to help prevent phishing scams.
References:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups
https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.1.14
- General checked: 1
- General flagged: 1
Description:
Consider preventing regular users from consenting to applications on their own behalf. Once this feature is disabled, an administrator will be required to consent to any new application a user needs to use.
Rationale:
Unless Microsoft Entra ID is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.
Impact:
This might create additional requests that administrators need to fulfill quite often.
Remediation:
From Azure Console
- Go to Microsoft Entra ID.
- Go to Users.
- Go to User settings.
- Click on Manage how end users launch and view their applications.
- Set Users can consent to apps accessing company data on their behalf to No.
References:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/
https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 2.6
- General checked: 1
- General flagged: 0
Description:
Consider preventing users in the Azure directory from registering applications and from signing in to applications without administrator approval. Once this feature is disabled, an administrator will be required to consent to any new application a user needs to use.
Rationale:
It is recommended to let only administrators register custom-developed applications. This ensures that the application undergoes a security review before exposing active directory data to it.
Impact:
This might create additional requests that administrators need to fulfill quite often.
Remediation:
From Azure Console
- Go to Microsoft Entra ID.
- Go to Users.
- Go to User settings.
- Set Users can register applications to No.
References:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/
https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 2.7
- General checked: 1
- General flagged: 1
Property | Value |
---|---|
Display Name | Monkey365 |
User can register apps | Enabled |
Linkedin Sync enabled | 0 |
Object Id | 384486fb-160a-4ea1-a95e-e0a6fd7c1517 |
Property | Value |
---|---|
Display Name | Monkey365 |
Users can register apps | Enabled |
exchange online
Description:
Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes. When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern authentication to log in to Microsoft 365 mailboxes.
Rationale:
Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by Exchange Online email clients such as Outlook 2016 and Outlook 2013. Enabling modern authentication for Exchange Online ensures strong authentication mechanisms are used when establishing sessions between email clients and Exchange Online.
Impact:
Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.
Remediation:
To disable basic authentication, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline.
- Run the following PowerShell command:
  Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
References:
Compliance:
CIS Microsoft 365 Foundations 1.5.0 - 1.2
- Exchange Online checked: 1
- Exchange Online flagged: 0
Description:
Enabling the Advanced Threat Protection (ATP) Safe Links policy for Office applications allows URLs that exist inside Office documents opened by Office, Office Online and Office mobile to be processed against ATP time-of-click verification.
Rationale:
ATP Safe Links for Office applications extends phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.
Impact:
User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site.
Remediation:
To enable the ATP Safe Links policy for Office, use the Microsoft 365 Admin Center
- Select Admin Center and click to expand Security.
- Navigate to Threat management and select Policy.
- Select Safe Links followed by Global Settings.
- Select Use Safe Links in Office 365 apps and Do not let users click through to the original URL in Office 365 apps.
- Click Save.
To enable the ATP Safe Links policy for Office 365, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-AtpPolicyForO365 -AllowClickThrough $False -EnableSafeLinksForClients $true
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
2.3
- Exchange Online checked: 1
- Exchange Online flagged: 0
Description:
Consider enabling the Customer Lockbox feature. It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer Lockbox requests also have an expiration time, and content access is removed after the support engineer has fixed the issue.
Rationale:
Enabling this feature protects your data against data spillage and exfiltration.
Impact:
The impact associated with this setting is a requirement to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting.
Remediation:
To enable the Customer Lockbox feature, use the Microsoft 365 Admin Portal
- Browse to the Microsoft 365 admin center.
- Expand Settings and then select Org Settings.
- Choose Security & privacy in the right pane.
- Click Customer Lockbox.
- Check the box Require approval for all data access requests.
- Click Save changes.
To set the Customer Lockbox feature to enabled, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-OrganizationConfig -CustomerLockBoxEnabled $true
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
3.1
- Exchange Online checked: 1
- Exchange Online flagged: 1
Description:
The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails.
Rationale:
Blocking known malicious file types can help prevent malware-infested files from infecting a host.
Impact:
Blocking common malicious file types should not cause an impact in modern computing environments.
Remediation:
To enable the Common Attachment Types Filter, use the Microsoft 365 Admin Portal
- Click Security to open the Security portal.
- Navigate to Threat management, then Policy, and select Anti-malware.
- Edit the Default profile, then click Edit protection settings at the bottom of the window.
- Select Enable the common attachments filter.
- Click Save.
To enable the Common Attachment Types Filter, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true
References:
https://docs.microsoft.com/en-us/powershell/module/exchange/antispam-antimalware/Get-MalwareFilterPolicy?view=exchange-ps
https://docs.microsoft.com/en-us/office365/SecurityCompliance/configure-anti-malware-policies#use-remote-powershell-to-configure-anti-malware-policies
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.1
- Exchange Online checked: 1
- Exchange Online flagged: 1
Description:
Organisations should set Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails.
Rationale:
A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.
Impact:
Notification of users that have been blocked should not cause an impact to the user.
Remediation:
To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center
- Click Security to open the Security portal.
- Navigate to Threat management, then Policy, and select Anti-spam.
- Click Anti-spam outbound policy.
- Select Edit policy, then expand Notification.
- Check Send a copy of outbound messages that exceed these limits to these users and groups, then select +Add people and enter the desired email addresses.
- Check Notify specific people if senders are blocked, then select +Add people and enter the desired email addresses.
- Click Save.
To set the Exchange Online Spam Policies correctly, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell commands:
$BccEmailAddress = @("<INSERT-EMAIL>")
$NotifyEmailAddress = @("<INSERT-EMAIL>")
Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.2
- Exchange Online checked: 1
- Exchange Online flagged: 1
Description:
Consider setting Exchange Online mail transport rules so that they do not forward email to domains outside of your organization.
Rationale:
Attackers often create these rules to exfiltrate data from your tenancy.
Impact:
Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization.
Remediation:
To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center
- Select Exchange.
- Select Mail Flow and Rules.
- For each rule that forwards email to external domains, select the rule and click the Delete icon.
To perform remediation you may also use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Remove-TransportRule {RuleName}
- To verify this worked you may re-run the audit command as follows:
Get-TransportRule | Where-Object {$null -ne $_.RedirectMessageTo} | ft Name,RedirectMessageTo
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.3
- Exchange Online checked: 4
- Exchange Online flagged: 0
Description:
Consider disabling automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web.
Rationale:
In the event that an attacker gains control of an end-user account, they could create rules to exfiltrate data from your environment.
Impact:
Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization.
Remediation:
To perform remediation you may use the Exchange Online PowerShell Module:
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-RemoteDomain Default -AutoForwardEnabled $false
- To verify this worked you may re-run the audit command as follows:
Get-RemoteDomain Default | fl AllowedOOFType, AutoForwardEnabled
References:
https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.3
- Exchange Online checked: 1
- Exchange Online flagged: 1
Description:
Consider setting Exchange Online mail transport rules so they do not whitelist any specific domains.
Rationale:
Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.
Impact:
Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this.
Remediation:
To alter the mail transport rules so they do not whitelist any specific domains, use the Microsoft 365 Admin Center
- Select Exchange.
- Select Mail Flow and Rules.
- For each rule that whitelists specific domains, select the rule and click the Delete icon.
To remove mail transport rules you may also use Exchange Online PowerShell
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Remove-TransportRule {RuleName}
- To verify this worked you may re-run the audit command as follows:
Get-TransportRule | Where-Object {($_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs)} | ft Name,SenderDomainIs
References:
https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.4
- Exchange Online checked: 4
- Exchange Online flagged: 0
Description:
By default, Microsoft 365 includes built-in features that help protect your users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view where you can fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.
Rationale:
Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.
Impact:
Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable.
Remediation:
To set the anti-phishing policy, use the Microsoft 365 Admin Center
- Select Security.
- Expand Threat Management, then select Policy.
- Select Anti-phishing.
- Click Create to create an anti-phishing policy.
To create an anti-phishing policy, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
New-AntiPhishPolicy -Name "Microsoft 365 AntiPhish Policy"
References:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies?view=o365-worldwide
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.6
- Exchange Online checked: 1
- Exchange Online flagged: 0
Description:
Consider setting up the Exchange Online Protection malware filter to notify administrators if internal senders are blocked for sending malware.
Rationale:
This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise, which would need to be investigated.
Impact:
Notification of account with potential issues should not cause an impact to the user.
Remediation:
To enable notifications for internal users sending malware, use the Microsoft 365 Admin Center
- Select Security.
- Expand Threat Management, then select Policy.
- Select Anti-Malware.
- Change the setting Notify administrator about undelivered messages from internal senders to Always On, and enter the email address of the administrator who should be notified under Administrator email address.
To set this from PowerShell, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-MalwareFilterPolicy -Identity '{Identity Name}' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com}
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.10
- Exchange Online checked: 1
- Exchange Online flagged: 1
Description:
Consider enabling MailTips, which are designed to help end users identify unusual patterns in the emails they send.
Rationale:
Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.
Remediation:
To enable MailTips, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'
References:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips
Compliance:
CIS Microsoft 365 Foundations
1.5.0
4.11
- Exchange Online checked: 1
- Exchange Online flagged: 0
Description:
Consider restricting the storage providers that are integrated with Outlook on the Web.
Rationale:
By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage.
Impact:
Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.
Remediation:
To disable external storage providers, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-EXOPSSession
- Run the following PowerShell command:
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
- Run the following PowerShell command to verify that the value is now False:
Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
6.4
- Exchange Online checked: 1
- Exchange Online flagged: 1
Description:
Enabling the Advanced Threat Protection (ATP) Safe Links policy allows email messages that include URLs to be processed and rewritten if required. ATP Safe Links provides time-of-click verification of web addresses in email messages and Office documents.
Rationale:
ATP Safe Links extends phishing protection by redirecting all email hyperlinks through a forwarding service, which blocks malicious ones even after the email has been delivered to the end user.
Impact:
When enabling and configuring ATP Safe Links, impact to the end user should be low. Users should be informed of the change, as in the event a link is unsafe and blocked they will receive a message that it has been blocked.
Remediation:
To enable the Safe Links policy, use the Microsoft 365 Admin Center
- Click Security to open the Security portal.
- Navigate to Threat management > Policy > Safe Links.
- Click Create, name the policy, and then click Next.
- Choose whether the policy will apply to Users, Groups, or Domains, then select Next.
- Under Protection settings click `On - URLs will be rewritten and checked against a list of known malicious links when user clicks on the link.`, and select the same for Microsoft Teams.
- Click the following options: Apply Safe Links to email messages sent within the organization, Do not let users click through to the original URL; then click Next.
- You may choose to use the default or a custom text, then click Next.
- Click Submit.
To enable the ATP Safe Links policy, use the Exchange Online PowerShell Module
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell commands:
$p = @{
Name = "Monkey 365 all company";
EnableSafeLinksForEmail = $true;
EnableSafeLinksForTeams = $true;
ScanUrls = $true;
DeliverMessageAfterScan = $true;
EnableForInternalSenders = $true;
AllowClickThrough = $false;
}
New-SafeLinksPolicy @p
Once the new Safe Links policy is created, a Safe Links rule that applies it should be set:
$p = @{
Name = "Monkey 365 all company";
SafeLinksPolicy = "Monkey 365 all company";
RecipientDomainIs = "monkey365domain.com";
}
New-SafeLinksRule @p
References:
https://docs.microsoft.com/en-us/office365/securitycompliance/atp-safe-links
https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-atp-safe-links-policies
Compliance:
CIS Microsoft 365 Foundations
1.4.0
4.5
- Exchange Online checked: 1
- Exchange Online flagged: 1
Name | Guest Enabled | Customer LockBox |
---|---|---|
monkeytenant.onmicrosoft.com | Enabled | Disabled |
Policy Name | Is Enabled | Enable File Filter | Filetypes |
---|---|---|---|
Default | Enabled | Disabled | ace,apk,app,appx,ani,arj,bat,cab,cmd,com,deb,dex,dll,docm,elf,exe,hta,img,iso,jar,jnlp,kext,lha,lib,library,lnk,lzh,macho,msc,msi,msix,msp,mst,pif,ppa,ppam,reg,rev,scf,scr,sct,sys,uif,vb,vbe,vbs,vxd,wsc,wsf,wsh,xll,xz,z |
Name | BCC Notify | Notify Outbound Spam |
---|---|---|
Default | Disabled | Disabled |
Policy Name | Organization | Automatic Forward |
---|---|---|
Default | monkeytenant.onmicrosoft.com | Enabled |
Name | Enabled | Internal Senders Admin Notify | Internal Senders Admin Address |
---|---|---|---|
Default | Enabled | Disabled | NotSet |
Name | Organization | Conditional Access Policy | Additional Storage Providers |
---|---|---|---|
OwaMailboxPolicy-Default | monkeytenant.onmicrosoft.com | Off | Enabled |
Policy Name | Enabled | Enable SafeLinks For Email | Enable SafeLinks For Teams | Allow Click Through |
---|---|---|---|---|
Built-In Protection Policy | Enabled | Enabled | Enabled | Enabled |
microsoft forms
Description:
Microsoft Forms can be used for phishing attacks by asking for personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that proactively scans forms for phishing attempts, such as requests for personal information.
Rationale:
Enabling internal phishing protection for Microsoft Forms will prevent attackers from using forms for phishing attacks that ask for personal or other sensitive information and URLs.
Impact:
If potential phishing is detected, the form is temporarily blocked: it cannot be distributed and no responses are collected until it is unblocked by an administrator or the flagged keywords are removed by the creator.
Remediation:
To set Microsoft Forms settings, use the Microsoft 365 Admin Center
- Expand Settings, then select Org settings.
- Under Services select Microsoft Forms.
- Select the checkbox for Add internal phishing protection.
- Click Save.
References:
https://support.microsoft.com/en-us/office/administrator-settings-for-microsoft-forms-48161c55-fbae-4f37-8951-9e3befc0248b
https://support.microsoft.com/en-us/office/review-and-unblock-forms-or-users-detected-and-blocked-for-potential-phishing-879a90d7-6ef9-4145-933a-fb53a430bced
Compliance:
CIS Microsoft 365 Foundations
1.5.0
2.10
- Microsoft Forms checked: 1
- Microsoft Forms flagged: 0
microsoft teams
Description:
Disable the ability of your users to communicate via Skype or Teams with users outside your organization.
Rationale:
You should not allow your users to communicate with Skype or Teams users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat because those external users will be able to interact with your users over Skype for Business or Teams. Attackers may be able to pretend to be someone your user knows and then send malicious links or attachments, resulting in an account breach or leaked information.
Impact:
Impact associated with this change is highly dependent upon current practices in the tenant. If users do not regularly communicate with external parties using Skype or Teams channels, then minimal impact is likely. However, if users do regularly utilize Teams and Skype for client communication, potentially significant impacts could occur; users should be contacted and, if necessary, alternate mechanisms to continue this communication should be identified prior to disabling external access to Teams and Skype.
Remediation:
To disable Skype for Business and Teams access with external users, use the Microsoft 365 Admin Center
- Under Admin Centers choose Teams.
- Expand Org Wide Settings, then select External Access.
- Set Users can communicate with Skype for Business and Teams users to Off.
- Set Skype for Business users can communicate with Skype users to Off.
References:
https://docs.microsoft.com/en-us/microsoftteams/teams-skype-interop
https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/allow-users-to-contact-external-skype-for-business-users
Compliance:
CIS Microsoft 365 Foundations
1.5.0
3.3
- Microsoft Teams checked: 1
- Microsoft Teams flagged: 1
Description:
Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.
Rationale:
Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.
Impact:
Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.
Remediation:
To set external file sharing in Teams, use the Microsoft 365 Admin Center:
- Under Admin Centers choose Teams.
- Expand Org Wide Settings, then select Teams settings.
- Set each cloud storage service under Files to On only if it is authorized.
To verify external file sharing in Teams you may also use PowerShell. Ensure that both the Skype for Business Online Windows PowerShell module and the Microsoft Teams module are installed.
- Install the PowerShell module for Teams. The Skype module will need to be downloaded from Microsoft.
Install-Module MicrosoftTeams -Scope CurrentUser
Import-Module SkypeOnlineConnector
- Connect to your tenant as a Global Administrator; methods will differ based on whether 2FA is enabled. See the following article for more information:
- Run the following command to verify which cloud storage providers are enabled for Teams:
Get-CsTeamsClientConfiguration | select allow*
- Run the following PowerShell command to disable external providers that are not authorized (the example disables GoogleDrive, ShareFile, Box, DropBox and Egnyte):
Set-CsTeamsClientConfiguration -AllowGoogleDrive $false `
    -AllowShareFile $false `
    -AllowBox $false `
    -AllowDropBox $false `
    -AllowEgnyte $false
- You may verify this worked by running the following PowerShell command again:
Get-CsTeamsClientConfiguration | select allow*
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
3.7
- Microsoft Teams checked: 1
- Microsoft Teams flagged: 1
Identity | Allow Public Users | Allow Federated Users |
---|---|---|
Global | Enabled | Enabled |
Identity | Allow Public Users | Allow Federated Users |
---|---|---|
Global | NotSet | NotSet |
security and compliance
Description:
Enabling Data Loss Prevention (DLP) policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.
References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide
Compliance:
CIS Microsoft 365 Foundations
1.5.0
3.4
- Security and Compliance checked: 7
- Security and Compliance flagged: 0
Description:
Enabling Data Loss Prevention (DLP) policies for Microsoft Teams blocks sensitive content when it is shared in teams or channels, and allows content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.
Rationale:
Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.
Impact:
Enabling a Teams DLP policy will allow sensitive data in Teams channels or chat messages to be detected or blocked.
References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams?view=o365-worldwide
Compliance:
CIS Microsoft 365 Foundations
1.5.0
3.5
- Security and Compliance checked: 7
- Security and Compliance flagged: 1
Description:
When audit log search in the Microsoft 365 Security & Compliance Center is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.
Rationale:
Enabling Microsoft 365 audit log search helps Office 365 back-office teams to investigate activities for regular security operational or forensic purposes.
Remediation:
To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center
- Log in as a Global Administrator.
- Navigate to the Office 365 Security & Compliance Center.
- In the Security & Compliance Center, expand Search, then select Audit log search.
- Click Start recording user and admin activities next to the information warning at the top.
- Click Yes on the dialog box to confirm.
To enable Microsoft 365 audit log search, use the Exchange Online PowerShell Module
- Run the Microsoft Exchange Online PowerShell Module.
- Connect using Connect-EXOPSSession.
- Run the following PowerShell command:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -UnifiedAuditLogIngestionEnabled $true
References:
https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off
Compliance:
CIS Microsoft 365 Foundations
1.5.0
5.1
- Security and Compliance checked: 1
- Security and Compliance flagged: 1
Feature | Status |
---|---|
Enabled DLP Policies For Teams | DoesNotExists |
Audit Log | Unified ingestion | Mailbox auditing |
---|---|---|
Enabled | Disabled | NotSet |
microsoft onedrive
Description:
Consider preventing company data in OneDrive for Business from being synchronized to devices that are not corporate-managed.
Rationale:
Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices takes that data out of the control of the organization. This increases the risk of the data being either intentionally or accidentally leaked.
Impact:
Enabling this feature will prevent users from using the OneDrive for Business Sync client on devices that are not joined to the domains that were defined.
Remediation:
To block the sync client on unmanaged devices, use the Microsoft 365 Admin Center
- Navigate to the Microsoft 365 administration portal, click on All Admin Centers and then OneDrive.
- Click Sync.
- Ensure that Allow syncing only on PCs joined to specific domains is checked.
- Use the Get-ADDomain PowerShell command to obtain the GUID of each domain in your environment and add them to the box below.
- Click Save.
References:
Compliance:
CIS Microsoft 365 Foundations
1.5.0
6.2
- Microsoft OneDrive checked: 1
- Microsoft OneDrive flagged: 1
Conditional Access Policy | Disable Personal List Creation | Prevent Infected File Download | Restrict Access From Unmanaged Devices |
---|---|---|---|
0 | Disabled | Disabled | Disabled |