Checking Microsoft 365 security configuration
Was your M365 tenant configured securely when it was deployed? Is it still configured securely now? Update on state of SaaS security posture management (SSPM) post from 2022. This time looking at community projects too.
The risk
Internet hosted software services have lots of security configuration options. It’s your responsibility to review these and make configuration choices. Your data could be exposed over the public internet if your software is misconfigured.
This Darknet Diaries episode describes curious kids getting into corporate online file systems due to misconfiguration and oversharing, disrupting product launches. Darknet Diaries episode 148.
Regularly Reviewing Microsoft 365 Configuration: Identifying Security Risks and Misconfigurations
Ensuring the security of your Microsoft 365 environment is paramount. Regularly reviewing and optimizing your configuration can help identify and mitigate security risks and misconfigurations that could otherwise leave your organization vulnerable to data loss.
Built-in Tools for Microsoft 365
Microsoft 365 has no built-in policy engine for customers to build rules and enforce configuration. But it offers a couple of built-in tools to help administrators maintain a secure environment:
-
Microsoft Secure Score provides high level guidance for improving security posture (hardening).
-
Microsoft 365 Defender Configuration Analyser provides more detailed guidance around configuring Defender for 365.
Buy a solution or build one?
I’d say it’s no longer necessary to role your own continuous assurance system as I did years ago talk slides here. In-house, scripted solutions require regular maintenance to keep in step with the rapid feature release cycles of SaaS software. “Buy rather than build” would be my advice as the SaaS Security Posture Management (SSPM) products on the market have matured.
Open Source projects to look into:
-
Monkey365 - This tool helps automate the security assessment of your Microsoft 365 environment, identifying potential misconfigurations and vulnerabilities.
-
Maester - Based on the Pester unit testing framework, this is designed to monitor the security configuration of your Microsoft 365 setup, providing insights and recommendations for improvement. Quick to get running. Works well with Azure DevOps or Github for regular scheduled runs. Easy to extend with your own Pester tests.
-
CISA scuba gear - US gov framework for M365 security assessment.
Commercial Products:
-
Simeon Cloud: A comprehensive M365 security posture management solution that offers continuous monitoring and automated remediation of security issues in your Microsoft 365 environment. Compares your prod and pre-prod tenants to a reference to identify config drift.
-
Adaptive Shield: This tool provides advanced security posture management, helping organizations identify and fix misconfigurations across various SaaS applications, including Microsoft 365.
-
AppOmni: A robust platform that offers deep visibility into your SaaS environment, enabling you to detect and remediate security risks and misconfigurations effectively.
Discover the rest of your SaaS products
Discover the other SaaS software used in your organisation. Your identity services team will know software that is integrated with your identity providers for single sign-on (SSO). M365 E5 customers can use the Cloud App Discovery part of Microsoft Defender for Cloud Apps to discover, and risk score, cloud apps based on telemetry from desktops or by ingesting proxy logs. This will include the unsanctioned apps (shadow IT) used by your organisation. If you have Defender for Endpoint you could explore that dataset for file upload to cloud app events to understand which cloud apps are used with your files.
General advice
-
Ensure staff and administrators only use company managed identities, with strong authentication (not only ID+password), to login to SaaS software. Assuming some credentials will get phished, require multifactor authentication and/or the use of a company managed device to login. Companies using ADFS and Azure AD, move SaaS authentication from ADFS to Azure AD to benefit from Conditional Access policies. Remove all local accounts within the SaaS software and replace with SAML/oAuth federation to your company identity service (for example Entra ID and its Conditional Access policies) to inherit your strong authentication services. If you can’t disable built-in administration accounts, put them beyond use with an extremely complex password stored in a vault, and audit use of local admin accounts in SaaS. A01 Broken Access Control - OWASP Top 10:2021
-
Identify a SSPM product to continuously audit the SaaS software security controls that are important to your organisation. Enforce SaaS software configuration policies such as: No local accounts, MFA enabled, legacy protocols such as POP3/IMAP are disabled for mailbox access etc.. Integrate with your incident management service to automatically raise tickets for investigation & resolution. A05 Security Misconfiguration - OWASP Top 10:2021
-
Automatically collect and analyse administrative activity logs from SaaS software where you can (SIEM integration is uncommon for SaaS software.) Detect and respond to logins using local (backdoor) accounts bypassing the company identity service. Detect and respond to unusual activity such as the creation of local accounts or changes to administrative role membership. A09 Security Logging and Monitoring Failures - OWASP Top 10:2021