Microsoft 365
This page details how to use Mondoo to assess Microsoft 365 for security misconfigurations.
Create application ID, application secret, and application certificate
You can create a new application for Microsoft 365 via the Azure Active Directory Admin Center. Sign in with a Global Administrator, Application Administrator, or Cloud Application Administrator account, select Azure Active Directory, and go to App registrations. Create a new application with credentials via the Azure Dashboard.
Set the application name (we use Mondoo Security) and choose Accounts in this organizational directory only as the supported account type. Mondoo does not require an application redirect URI. Then click Register.
Your Application ID is created and displayed in the application overview. To complete the configuration, you need to assign and grant API permissions. Select API Permissions in the sidebar.
By default, your new application is granted the User.Read permission for Microsoft Graph. Mondoo does not require it, and you can remove it. Then click Add a permission.
Select Microsoft Graph from the list of Commonly used Microsoft APIs.
Azure AD applications are configured with either Delegated or Application permissions.
- Delegated permissions require a signed-in user present who approves the permissions for every call
- Application permissions are approved by an administrator once
Since Mondoo acts as a service, it requires Application permissions. Select the following API permissions from the list of available permissions:
Required API Permissions
| Microsoft Graph | Type | Description |
|---|---|---|
| Application.Read.All | Application | Read all applications |
| AuditLog.Read.All | Application | Read all audit log data |
| Calendars.Read | Application | Read calendars in all mailboxes |
| Device.Read.All | Application | Read all devices |
| DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps |
| DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices |
| DeviceManagementRBAC.Read.All | Application | Read Microsoft Intune RBAC settings |
| DeviceManagementServiceConfig.Read.All | Application | Read Microsoft Intune configuration |
| Directory.Read.All | Application | Read directory data |
| Domain.Read.All | Application | Read domains |
| IdentityProvider.Read.All | Application | Read identity providers |
| IdentityRiskEvent.Read.All | Application | Read all identity risk event information |
| IdentityRiskyUser.Read.All | Application | Read all identity risky user information |
| InformationProtectionPolicy.Read.All | Application | Read all published labels and label policies for an organization |
| MailboxSettings.Read | Application | Read all user mailbox settings |
| Organization.Read.All | Application | Read organization information |
| OrgContact.Read.All | Application | Read organizational contacts |
| Policy.Read.All | Application | Read your organization's policies |
| Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies |
| Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
| RoleManagement.Read.All | Application | Read role management data for all RBAC providers |
| SecurityActions.Read.All | Application | Read your organization's security actions |
| SecurityEvents.Read.All | Application | Read your organization's security events |
| TeamsApp.Read.All | Application | Read all users' installed Teams apps |
| TeamSettings.Read.All | Application | Read all teams' settings |
| ThreatAssessment.Read.All | Application | Read threat assessment requests |
| ThreatIndicators.Read.All | Application | Read all threat indicators |
Mondoo also requires read permissions for the Office 365 Management API.
| Office 365 Management APIs | Type | Description |
|---|---|---|
| ActivityFeed.Read | Application | Read activity data for your organization |
| ActivityFeed.ReadDlp | Application | Read DLP policy events including detected sensitive data |
| ServiceHealth.Read | Application | Read service health information for your organization |
Confirm the selected permissions with Add permissions.
To complete the process, the new permissions need to be granted by an administrator for the tenant. Click Grant admin consent for your tenant.
Now the new application is configured, and you need to create an application secret. Click Certificates & secrets and select New client secret.
In addition to the application secret, you need a user with the administrative roles 'Global Reader' and 'SharePoint Administrator', because Global Reader currently can't access SharePoint via PowerShell (official Microsoft statement).
Now you have all the credentials needed to start scanning a Microsoft 365 account.
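Admin consent is easy to get wrong (a permission added to the registration but never consented, or a broader one consented than the tables above call for). The following PowerShell function is an added example, not part of the Mondoo documentation or the Mondoo project: it reads the app role assignments recorded on the app's service principal and compares them with the permissions listed above. It assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph); the function name Test-MondooAppPermissions and its -AppId parameter are this example's own choices.

```powershell
# Added example (not Mondoo's code): verify which application permissions have
# actually been admin-consented for the Mondoo app registration.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
function Test-MondooAppPermissions {
    param(
        # Application (client) ID shown in the app registration overview.
        [Parameter(Mandatory = $true)][string]$AppId
    )

    # Permissions from the tables above, keyed as "<resource display name>:<permission>".
    $required = @(
        'Microsoft Graph:Application.Read.All',
        'Microsoft Graph:AuditLog.Read.All',
        'Microsoft Graph:Calendars.Read',
        'Microsoft Graph:Device.Read.All',
        'Microsoft Graph:DeviceManagementApps.Read.All',
        'Microsoft Graph:DeviceManagementConfiguration.Read.All',
        'Microsoft Graph:DeviceManagementManagedDevices.Read.All',
        'Microsoft Graph:DeviceManagementRBAC.Read.All',
        'Microsoft Graph:DeviceManagementServiceConfig.Read.All',
        'Microsoft Graph:Directory.Read.All',
        'Microsoft Graph:Domain.Read.All',
        'Microsoft Graph:IdentityProvider.Read.All',
        'Microsoft Graph:IdentityRiskEvent.Read.All',
        'Microsoft Graph:IdentityRiskyUser.Read.All',
        'Microsoft Graph:InformationProtectionPolicy.Read.All',
        'Microsoft Graph:MailboxSettings.Read',
        'Microsoft Graph:Organization.Read.All',
        'Microsoft Graph:OrgContact.Read.All',
        'Microsoft Graph:Policy.Read.All',
        'Microsoft Graph:Policy.Read.ConditionalAccess',
        'Microsoft Graph:Policy.Read.PermissionGrant',
        'Microsoft Graph:RoleManagement.Read.All',
        'Microsoft Graph:SecurityActions.Read.All',
        'Microsoft Graph:SecurityEvents.Read.All',
        'Microsoft Graph:TeamsApp.Read.All',
        'Microsoft Graph:TeamSettings.Read.All',
        'Microsoft Graph:ThreatAssessment.Read.All',
        'Microsoft Graph:ThreatIndicators.Read.All',
        'Office 365 Management APIs:ActivityFeed.Read',
        'Office 365 Management APIs:ActivityFeed.ReadDlp',
        'Office 365 Management APIs:ServiceHealth.Read'
    )

    # The signed-in admin needs Application.Read.All (delegated) to read assignments.
    Connect-MgGraph -Scopes 'Application.Read.All'

    # The service principal is the tenant-local instance of the registration;
    # admin consent for application permissions is stored on it as app role assignments.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId in this tenant" }

    $granted = @()
    $resourceCache = @{}
    foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        # Resolve the resource API (Microsoft Graph, Office 365 Management APIs, ...) once each.
        if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
            $resourceCache[$assignment.ResourceId] =
                Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $resource = $resourceCache[$assignment.ResourceId]
        # AppRoleId is only a GUID; map it back to the permission name via the resource's AppRoles.
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        $granted += "$($resource.DisplayName):$($role.Value)"
    }

    [pscustomobject]@{
        Missing = @($required | Where-Object { $granted -notcontains $_ })
        Extra   = @($granted  | Where-Object { $required -notcontains $_ })
        Granted = $granted
    }
}

# Usage:
# $result = Test-MondooAppPermissions -AppId '<application id>'
# $result.Missing   # still to be added and consented
# $result.Extra     # consented beyond the documented minimum; review for least privilege
```

Only application permissions show up here; the default delegated User.Read grant is recorded separately (as an OAuth2 permission grant) and is not part of this comparison.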
Scan Microsoft 365 with Mondoo
Store the credentials you created in a local JSON file that looks like the following:
```json
{
  "tenantId": "<tenant id>",
  "clientId": "<application id>",
  "clientSecret": "<secret>"
}
```
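This file holds a long-lived client secret, so how it is written matters. The following PowerShell function is an added example, not part of the Mondoo documentation: it prompts for the secret (so it never lands on the command line or in shell history), writes the JSON in the layout above as UTF-8 without a byte-order mark, and restricts the file to the current user. The function name New-MondooM365CredentialFile and its parameters are this example's own choices; it uses icacls on Windows and chmod elsewhere.

```powershell
# Added example (not Mondoo's code): create ms365_account.json without exposing
# the secret on the command line, and lock the file down to the current user.
function New-MondooM365CredentialFile {
    param(
        [Parameter(Mandatory = $true)][string]$TenantId,
        [Parameter(Mandatory = $true)][string]$ClientId,
        [string]$Path = (Join-Path $PWD 'ms365_account.json')
    )

    # Prompt for the secret as a SecureString; nothing is echoed or logged in history.
    $secure = Read-Host -Prompt 'Client secret' -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password

    # Same keys as the JSON layout documented above.
    $doc = [ordered]@{
        tenantId     = $TenantId
        clientId     = $ClientId
        clientSecret = $plain
    }
    $json = $doc | ConvertTo-Json

    # Write UTF-8 without BOM; Out-File in Windows PowerShell would add one.
    [System.IO.File]::WriteAllText($Path, $json, [System.Text.UTF8Encoding]::new($false))
    Remove-Variable plain, json

    if ($env:OS -eq 'Windows_NT') {
        # Drop inherited ACEs and grant only the current user read/write.
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        icacls $Path /inheritance:r /grant:r "${me}:(R,W)" | Out-Null
    } else {
        chmod 600 $Path
    }

    return $Path
}

# Usage:
# New-MondooM365CredentialFile -TenantId '<tenant id>' -ClientId '<application id>'
```

The returned path is what you pass to `mondoo scan -i` below; rotating the client secret in Certificates & secrets means re-running this function, not editing the file by hand.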
Assign the Microsoft 365 Foundations Benchmark to your space via the Mondoo Console and run the following on the CLI:
NOTE: future versions of Mondoo will run these PowerShell commands themselves.
Install PowerShell modules
```powershell
# install modules
Set-ExecutionPolicy RemoteSigned
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force
Install-Module MicrosoftTeams -Scope CurrentUser -Force
# sign in with your credential
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential
Connect-SPOService -Url https://<tenant name>-admin.sharepoint.com -Credential $UserCredential
Connect-MicrosoftTeams -Credential $UserCredential
```
Download ms365-datareport.ps1 and run the scan
```powershell
# run the script to generate a json data report
.\mondoo-ms365-datareport.ps1 | Out-File report.json
# use the collected data from powershell as input for the transport
mondoo scan -t ms365:// -i path/to/ms365_account.json --option mondoo-ms365-datareport=/path/to/report.json
```
Disconnect from PowerShell
```powershell
Disconnect-ExchangeOnline
Disconnect-SPOService
Disconnect-MicrosoftTeams
```