Microsoft 365

This page details how to use Mondoo to assess Microsoft 365 for security misconfigurations.

Create an application ID, application secret, and application certificate

You can create a new application for Microsoft 365 via the Azure Active Directory Admin Center. Login with your Global Administrator, Application Administrator or Cloud Application Administrator. Then select Azure Active Directory and go to App registrations. Create a new application with credentials via the Azure Dashboard.

Set the application name (we use Mondoo Security) and choose the Accounts in this organizational directory only as the supported account type. Mondoo does not require an application redirect URI. Then select Register.

Your Application ID is created and displayed in the application overview. To complete the configured, we need to assign and grant api permissions. Then, select API Permissions on the sidebar.

By default, your new application is granted with User.Read permission for Microsoft Graph. It is not required for Mondoo, and can be removed it. Then select Add a permission

Select Microsoft Graph from the list of Commonly used Microsoft APIs

Azure AD applications are configured with either Delegated or Application permissions.

• Delegated permissions require a signed-in user present who approves the permissions for every call
• Application permissions are approved by an administrator once

Since Mondoo acts as a service it requires Application permissions. Then select the following API permissions from the list of available permissions:

Required API permissions

Microsoft Graph	Type	Description
Application.Read.All	Application	Read all applications
AuditLog.Read.All	Application	Read all audit log data
Calendars.Read	Application	Read calendars in all mailboxes
Device.Read.All	Application	Read all devices
DeviceManagementApps.Read.All	Application	Read Microsoft Intune apps
DeviceManagementConfiguration.Read.All	Application	Read Microsoft Intune device configuration and policies
DeviceManagementManagedDevices.Read.All	Application	Read Microsoft Intune devices
DeviceManagementRBAC.Read.All	Application	Read Microsoft Intune RBAC settings
DeviceManagementServiceConfig.Read.All	Application	Read Microsoft Intune configuration
Directory.Read.All	Application	Read directory data
Domain.Read.All	Application	Read domains
IdentityProvider.Read.All	Application	Read identity providers
IdentityRiskEvent.Read.All	Application	Read all identity risk event information
IdentityRiskyUser.Read.All	Application	Read all identity risky user information
InformationProtectionPolicy.Read.All	Application	Read all published labels and label policies for an organization.
MailboxSettings.Read	Application	Read all user mailbox settings
Organization.Read.All	Application	Read organization information
OrgContact.Read.All	Application	Read organizational contacts
Policy.Read.All	Application	Read your organization's policies
Policy.Read.ConditionalAccess	Application	Read your organization's conditional access policies
Policy.Read.PermissionGrant	Application	Read consent and permission grant policies
RoleManagement.Read.All	Application	Read role management data for all RBAC providers
SecurityActions.Read.All	Application	Read your organization's security actions
SecurityEvents.Read.All	Application	Read your organization’s security events
TeamsAppInstallation.ReadForUser.All	Application	Read all users' installed Teams apps
TeamSettings.Read.All	Application	Read all teams' settings
ThreatAssessment.Read.All	Application	Read threat assessment requests
ThreatIndicators.Read.All	Application	Read all threat indicators

Mondoo requires read permissions for Office 365 Management API.

Office 365 Management APIs	Type	Description
ActivityFeed.Read	Application	Read activity data for your organization
ActivityFeed.ReadDlp	Application	Read DLP policy events including detected sensitive data
ServiceHealth.Read	Application	Read service health information for your organization

Confirm the selection permissions with Add permissions

To complete the process, the new permission need to be granted by the administrator for the tenant. Select Grant admin consent for tenant.

Now, the new applications is configured and we need to create an application secret. Select Certificates & secrets and select New client secret

In addition to the application secrets, we need a user with the administrative role 'Global reader' and 'SharePoint administrator'. Because Global Reader currently can't access SharePoint using PowerShell (Official Microsoft Statement).

Now you have all the credentials to start scanning a Microsoft Office 365 account.

Scan Microsoft 365 with Mondoo

We need to store the credentials that we've created in a local json file that looks as following:

{
  "tenantId": "<tenant id>",
  "clientId": "<application id>",
  "clientSecret": "<secret>"
}

Assign the Microsoft 365 Foundations Benchmark via Mondoo Console to your space and run the following on CLI:

NOTE: future versions of Mondoo will call those PowerShell commands itself

Install PowerShell modules

# install modules
Set-ExecutionPolicy RemoteSigned
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force
Install-Module MicrosoftTeams -Scope CurrentUser -Force

# sign in with your credential
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential
Connect-SPOService -Url https://<tenant name>-admin.sharepoint.com -Credential $UserCredential
Connect-MicrosoftTeams -Credential $UserCredential

Download ms365-datareport.ps1 and run the scan

# run the script to generate a json data report
.\mondoo-ms365-datareport.ps1 | Out-File report.json

# use the collected data from powershell as input for the transport
mondoo scan ms365 -i path/to/ms365_account.json --option mondoo-ms365-datareport=/path/to/report.json

Disconnect from PowerShell

Disconnect-ExchangeOnline
Disconnect-SPOService
Disconnect-MicrosoftTeams