We have run several assessments in multiple Microsoft 365 tenants and while every organization has unique needs, the gaps are consistent. Here are the most common security vulnerabilities identified in the initial assessment.

Entra ID:

  • Over-Privileged Admins: 80% of the tenants have more than eight Global Admins, and most of them turn out not to need that role. None of the tenants use PIM (Privileged Identity Management).
  • Risk-based blocking: high sign-in risk and high user risk are not blocked by Conditional Access policies. Sometimes MFA is required for those sign-ins, but they are never blocked. After checking the risk reports to confirm that a block policy would not lock out a large number of users, we enable it (for medium risk as well).
  • Break-glass account: usually no “BreakGlass” account is configured, and where one exists, the regular logon test (due at least every six months) is forgotten. Although 40% of the tenants had one configured, they did not exclude it from every Conditional Access policy.
  • Compliant Devices: a compliant device is not required to sign in or to register MFA. This widens the attack surface and makes it easier for an attacker to gain persistence by registering their own MFA factors.
  • App registrations: no controls are in place over application consent, leaving the organization vulnerable to consent phishing. Even where the strictest consent policy is enabled, applications with over-privileged permissions often remain in the tenant because they are never reviewed.
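The two Conditional Access findings above (risk sign-ins not blocked, break-glass account not excluded) can be checked mechanically against an export of the tenant's policies. The script below is an added example, not part of the original post or any vendor tooling: it assumes the policy JSON has the shape returned by the Microsoft Graph `conditionalAccess/policies` endpoint (`conditions.users.excludeUsers`, `conditions.signInRiskLevels`, `conditions.userRiskLevels`, `grantControls.builtInControls`, `state`), and the policies and the break-glass object id embedded here are constructed placeholders.

```python
"""Audit exported Conditional Access policies for two common gaps:
   1. an enforced policy that does not exclude the break-glass account;
   2. no *enforced* policy that blocks high (and medium) sign-in / user risk.
The sample JSON below is constructed to mimic the Graph response shape."""
import json

# Placeholder object id of the break-glass account (not a real tenant value).
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"

SAMPLE_POLICIES = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"builtInControls": ["mfa"]}},
    # Typical finding: risk is met with MFA instead of a block, and the
    # break-glass account was forgotten in the exclusion list.
    {"displayName": "Require MFA for high sign-in risk", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "signInRiskLevels": ["high"], "userRiskLevels": []},
     "grantControls": {"builtInControls": ["mfa"]}},
    # Report-only mode evaluates but never enforces, so it blocks nothing.
    {"displayName": "Block high user risk", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "signInRiskLevels": [], "userRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["block"]}},
]})


def load_policies(raw):
    """Parse a Graph-style collection response into a list of policy dicts."""
    return json.loads(raw)["value"]


def policies_missing_break_glass_exclusion(policies, break_glass_id):
    """Names of non-disabled policies that do not exclude the break-glass account.
    Report-only policies are included: they will lock the account out once enforced."""
    missing = []
    for p in policies:
        if p.get("state") == "disabled":
            continue
        excluded = p.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if break_glass_id not in excluded:
            missing.append(p["displayName"])
    return missing


def risk_block_coverage(policies):
    """Risk levels that are actually blocked: only 'enabled' policies whose
    grant control is 'block' count; MFA-only and report-only policies do not."""
    covered = {"signInRiskLevels": set(), "userRiskLevels": set()}
    for p in policies:
        if p.get("state") != "enabled":
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "block" not in controls:
            continue
        for key in covered:
            covered[key].update(p.get("conditions", {}).get(key, []))
    return covered


def gaps(policies, break_glass_id, required=("high", "medium")):
    """Summarise both findings for a policy export."""
    cov = risk_block_coverage(policies)
    return {
        "break_glass_not_excluded": policies_missing_break_glass_exclusion(policies, break_glass_id),
        "sign_in_risk_not_blocked": [lvl for lvl in required if lvl not in cov["signInRiskLevels"]],
        "user_risk_not_blocked": [lvl for lvl in required if lvl not in cov["userRiskLevels"]],
    }


if __name__ == "__main__":
    for finding, detail in gaps(load_policies(SAMPLE_POLICIES), BREAK_GLASS_ID).items():
        print(f"{finding}: {detail}")
```

Running it against the constructed sample reports the MFA-for-risk policy as lacking the break-glass exclusion and both risk types as unblocked at high and medium, because the only block policy is still in report-only mode. Against a real tenant, the same logic would run over the JSON saved from the Graph endpoint with the real break-glass object id substituted.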

Exchange Online:

  • Domain Spoofing: there is always at least one domain missing SPF, DKIM or a DMARC policy. Domains that do not send mail should publish an SPF record and a DMARC policy that reject all e-mail, so no one can impersonate those domains unnoticed.
  • Silent Leak: automatic forwarding is not disabled. If someone gains access to a mailbox, it takes only a minute to create a rule that forwards all incoming e-mail outside the organization; it is also a risk factor in insider-risk scenarios, because it creates an automated exfiltration channel.
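Both Exchange Online findings lend themselves to a quick offline check. The script below is an added example (not code from the original post) with two independent parts: the first evaluates SPF and DMARC TXT records against the posture described above, distinguishing sending domains from parked ones; the second scans an export of inbox rules for forwarding or redirection to addresses outside the accepted domains. The DNS values and rules are constructed samples, and the rule property names (`ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `MailboxOwnerId`) are assumed to follow the output of `Get-InboxRule` from Exchange Online PowerShell.

```python
"""Offline checks for the two Exchange Online findings:
   1. per-domain SPF / DMARC posture (sending vs. parked domains);
   2. inbox rules that forward or redirect mail to external domains.
All data below is constructed for the example."""

ACCEPTED_DOMAINS = {"contoso.example", "contoso-mail.example"}

# Constructed DNS TXT answers, keyed by owner name.
DNS_TXT = {
    "contoso.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.contoso.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.example"],
    "contoso-mail.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],   # SPF but no DMARC
    "old-brand.example": [],                                       # parked, nothing published
    "parked-ok.example": ["v=spf1 -all"],                          # parked, correctly locked down
    "_dmarc.parked-ok.example": ["v=DMARC1; p=reject"],
}


def spf_record(domain, txt=DNS_TXT):
    """Return the SPF TXT record for a domain, or None."""
    return next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)


def dmarc_policy(domain, txt=DNS_TXT):
    """Return the DMARC 'p' tag (lower-case) for a domain, or None if no record."""
    for r in txt.get("_dmarc." + domain, []):
        tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def check_domain(domain, sends_mail, txt=DNS_TXT):
    """Findings for one domain. Sending domains need SPF that does not end in
    +all and an enforcing DMARC policy; parked domains should publish
    'v=spf1 -all' and 'p=reject' so nothing can claim to send from them."""
    findings = []
    spf, policy = spf_record(domain, txt), dmarc_policy(domain, txt)
    if spf is None:
        findings.append("no SPF record")
    else:
        terminator = spf.split()[-1].lower()
        if sends_mail and terminator in ("+all", "all"):
            findings.append("SPF allows any sender (+all)")
        elif not sends_mail and terminator != "-all":
            findings.append("parked domain SPF should be 'v=spf1 -all'")
    if policy is None:
        findings.append("no DMARC record")
    elif sends_mail and policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' does not enforce")
    elif not sends_mail and policy != "reject":
        findings.append("parked domain DMARC should be 'p=reject'")
    return findings


# Constructed inbox-rule export (subset of Get-InboxRule properties, assumed shape).
INBOX_RULES = [
    {"MailboxOwnerId": "alice@contoso.example", "Name": "Archive receipts", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"MailboxOwnerId": "bob@contoso.example", "Name": "Sync", "Enabled": True,
     "ForwardTo": ["SMTP:bob.backup@webmail.example"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"MailboxOwnerId": "carol@contoso.example", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ["Dave <dave@contoso-mail.example>"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
]


def recipient_domain(recipient):
    """Domain part of 'SMTP:addr' or 'Name <addr>' style recipient strings."""
    addr = recipient.split(":", 1)[-1].strip("<> ").split("<")[-1].rstrip(">")
    return addr.rsplit("@", 1)[-1].lower()


def external_forwarding_rules(rules, accepted=ACCEPTED_DOMAINS):
    """(owner, rule name, external targets) for enabled rules that forward/redirect
    to any address whose domain is not an accepted domain of the tenant."""
    hits = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
        external = [t for t in targets if recipient_domain(t) not in accepted]
        if external:
            hits.append((r["MailboxOwnerId"], r["Name"], external))
    return hits


if __name__ == "__main__":
    for d, sends in (("contoso.example", True), ("contoso-mail.example", True),
                     ("old-brand.example", False), ("parked-ok.example", False)):
        print(d, check_domain(d, sends) or "OK")
    print(external_forwarding_rules(INBOX_RULES))
```

The parked-domain branch is the point of the first check: `old-brand.example` publishes nothing and is flagged twice, while `parked-ok.example` with `v=spf1 -all` and `p=reject` passes. The second check treats forwarding to another accepted domain of the same tenant as internal and flags only the rule that sends mail to a foreign webmail domain; disabling automatic forwarding at the tenant level is the preventive control, and this scan is the detective one that finds rules created before it.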

Microsoft Teams:

  • Eight out of ten tenants allow unmanaged users to initiate contact with internal users. Those users can be social-engineered into executing malicious code or opening malicious links.
  • Anonymous users can start meetings, which lets them scrape internal contacts.

SharePoint & OneDrive:

  • External sharing is not limited, which increases the risk of both intentional and unintentional oversharing.
  • External sharing is not restricted to approved external domains or security groups.

The first step to closing these gaps is identifying them. To ensure your tenant is secure, we offer three levels of support.

Tenant Assessment: We perform a thorough analysis of your current environment to determine how you compare with best-practice baselines such as CISA and CIS, and with our own recommendations based on the Microsoft Zero Trust Assessment.

Roadmap: We provide a clear roadmap for implementing these changes without disrupting your organization’s workflow.

Managed Configuration: We can configure the settings for you and provide documentation in case you lack the internal resources.

Zero Trust Assessment

If your organization is ready to move beyond the must-have security settings, we recommend our Zero Trust Assessment. This more robust, in-depth assessment also covers Endpoint Management (Intune) and Data Protection (Purview). In this engagement, we also audit your internal workflows for device and user onboarding, offboarding and application management.

Author

Levente Jakab

CLOUD SECURITY ENGINEER
