
Microsoft 365

This page details how to use Mondoo to assess Microsoft 365 for security misconfigurations.

Create an application ID, application secret, and application certificate

You can create a new application for Microsoft 365 via the Azure Active Directory Admin Center. Sign in as a Global Administrator, Application Administrator, or Cloud Application Administrator. Then select Azure Active Directory and go to App registrations. Create a new application with credentials via the Azure Dashboard.

[Screenshot: Azure Active Directory Admin Center, App registrations]

Set the application name (we use Mondoo Security) and choose Accounts in this organizational directory only as the supported account type. Mondoo does not require an application redirect URI. Then select Register.

[Screenshot: Azure Active Directory Admin Center, App registrations]

Your Application ID is created and displayed in the application overview. To complete the configuration, you need to assign and grant API permissions: select API Permissions in the sidebar.

[Screenshot: Azure Active Directory Admin Center, App registrations]

By default, your new application is granted the User.Read permission for Microsoft Graph. Mondoo does not require it, and it can be removed. Then select Add a permission.

[Screenshot: Azure Active Directory Admin Center, App registrations]

Select Microsoft Graph from the list of Commonly used Microsoft APIs.

[Screenshot: Azure Active Directory Admin Center, App registrations]

Azure AD applications are configured with either Delegated or Application permissions.

  • Delegated permissions require a signed-in user present who approves the permissions for every call
  • Application permissions are approved by an administrator once

Since Mondoo acts as a service, it requires Application permissions. Select the following API permissions from the list of available permissions:

Required API permissions

Microsoft Graph | Type | Description
Application.Read.All | Application | Read all applications
AuditLog.Read.All | Application | Read all audit log data
Calendars.Read | Application | Read calendars in all mailboxes
Device.Read.All | Application | Read all devices
DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps
DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies
DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices
DeviceManagementRBAC.Read.All | Application | Read Microsoft Intune RBAC settings
DeviceManagementServiceConfig.Read.All | Application | Read Microsoft Intune configuration
Directory.Read.All | Application | Read directory data
Domain.Read.All | Application | Read domains
IdentityProvider.Read.All | Application | Read identity providers
IdentityRiskEvent.Read.All | Application | Read all identity risk event information
IdentityRiskyUser.Read.All | Application | Read all identity risky user information
InformationProtectionPolicy.Read.All | Application | Read all published labels and label policies for an organization
MailboxSettings.Read | Application | Read all user mailbox settings
Organization.Read.All | Application | Read organization information
OrgContact.Read.All | Application | Read organizational contacts
Policy.Read.All | Application | Read your organization's policies
Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies
Policy.Read.PermissionGrant | Application | Read consent and permission grant policies
RoleManagement.Read.All | Application | Read role management data for all RBAC providers
SecurityActions.Read.All | Application | Read your organization's security actions
SecurityEvents.Read.All | Application | Read your organization's security events
TeamsAppInstallation.ReadForUser.All | Application | Read all users' installed Teams apps
TeamSettings.Read.All | Application | Read all teams' settings
ThreatAssessment.Read.All | Application | Read threat assessment requests
ThreatIndicators.Read.All | Application | Read all threat indicators

Mondoo also requires read permissions for the Office 365 Management APIs.

[Screenshot: Azure Active Directory Admin Center, App registrations, API permissions]

Office 365 Management APIs | Type | Description
ActivityFeed.Read | Application | Read activity data for your organization
ActivityFeed.ReadDlp | Application | Read DLP policy events including detected sensitive data
ServiceHealth.Read | Application | Read service health information for your organization

Confirm the selected permissions with Add permissions.

[Screenshot: Azure Active Directory Admin Center, App registrations]

To complete the process, the new permissions need to be granted by an administrator for the tenant. Select Grant admin consent for tenant.

[Screenshot: Azure Active Directory Admin Center, App registrations]

Now the new application is configured, and we need to create an application secret. Select Certificates & secrets, then select New client secret.

[Screenshot: Azure Active Directory Admin Center, App registrations, Certificates & secrets]

In addition to the application secret, we need a user account with the administrative roles 'Global Reader' and 'SharePoint Administrator', because Global Reader currently cannot access SharePoint using PowerShell (official Microsoft statement).

[Screenshot: Azure Active Directory Admin Center, role assignments]

You now have all the credentials needed to start scanning a Microsoft Office 365 account.

Scan Microsoft 365 with Mondoo

Store the credentials you created in a local JSON file with the following structure:

{
  "tenantId": "<tenant id>",
  "clientId": "<application id>",
  "clientSecret": "<secret>"
}
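Before running the scan, it is worth a preflight check that the credentials file has the shape above and that the app registration carries exactly the permissions listed in the previous section and nothing more. The Python below is an added example, not part of Mondoo's tooling: it validates the JSON file and compares the grants read off the app's API permissions page (passed in as a dict) against the required lists, reporting missing grants, extra grants such as the default delegated User.Read, and grants that are Delegated rather than Application. The grant set at the bottom is a constructed sample.

```python
import json
import re
REQUIRED = {  # application permissions this page lists as required, by API
    "Microsoft Graph": {
        "Application.Read.All", "AuditLog.Read.All", "Calendars.Read", "Device.Read.All",
        "DeviceManagementApps.Read.All", "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All", "DeviceManagementRBAC.Read.All",
        "DeviceManagementServiceConfig.Read.All", "Directory.Read.All", "Domain.Read.All",
        "IdentityProvider.Read.All", "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
        "InformationProtectionPolicy.Read.All", "MailboxSettings.Read", "Organization.Read.All",
        "OrgContact.Read.All", "Policy.Read.All", "Policy.Read.ConditionalAccess",
        "Policy.Read.PermissionGrant", "RoleManagement.Read.All", "SecurityActions.Read.All",
        "SecurityEvents.Read.All", "TeamsAppInstallation.ReadForUser.All",
        "TeamSettings.Read.All", "ThreatAssessment.Read.All", "ThreatIndicators.Read.All",
    },
    "Office 365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"},
}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def check_credentials(text):
    """Return the problems found in the ms365_account.json text (empty list: looks usable)."""
    try:
        creds = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    for key in ("tenantId", "clientId", "clientSecret"):
        val = creds.get(key)
        if not isinstance(val, str) or not val or val.startswith("<"):  # "<tenant id>" left in
            problems.append(f"{key} is missing or still a placeholder")
        elif key != "clientSecret" and not GUID.match(val):
            problems.append(f"{key} is not a GUID")
    return problems

def audit_grants(granted):
    """granted: {api: {permission: type}} as shown on the app's API permissions page; returns (missing, excess, not_application)."""
    missing, excess, not_app = set(), set(), set()
    for api, wanted in REQUIRED.items():
        have = granted.get(api, {})
        missing |= {f"{api}/{p}" for p in wanted - set(have)}
        excess |= {f"{api}/{p}" for p in set(have) - wanted}
        not_app |= {f"{api}/{p}" for p, t in have.items() if t != "Application"}
    for api in set(granted) - set(REQUIRED):  # grants on APIs this page never asks for
        excess |= {f"{api}/{p}" for p in granted[api]}
    return missing, excess, not_app

# Constructed sample: a registration that lacks Domain.Read.All and kept the default delegated User.Read.
SAMPLE_GRANTS = {
    "Microsoft Graph": {**{p: "Application" for p in REQUIRED["Microsoft Graph"] - {"Domain.Read.All"}}, "User.Read": "Delegated"},
    "Office 365 Management APIs": {p: "Application" for p in REQUIRED["Office 365 Management APIs"]},
}
```

Run `check_credentials(open("ms365_account.json").read())` against your real file and `audit_grants(...)` against the grants you see in the portal; an empty problem list and three empty sets mean the registration matches this page.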

Assign the Microsoft 365 Foundations Benchmark to your space in the Mondoo Console and run the following on the CLI:

NOTE: future versions of Mondoo will run these PowerShell commands themselves.

Install PowerShell modules

# install modules
Set-ExecutionPolicy RemoteSigned
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force
Install-Module -Name MicrosoftTeams -Scope CurrentUser -Force

# sign in with the credential of the Global Reader / SharePoint Administrator user created above
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential
Connect-SPOService -Url https://<tenant name>-admin.sharepoint.com -Credential $UserCredential
Connect-MicrosoftTeams -Credential $UserCredential

Download mondoo-ms365-datareport.ps1 and run the scan

# run the script to generate a JSON data report
.\mondoo-ms365-datareport.ps1 | Out-File report.json

# use the data collected by PowerShell as input for the transport
mondoo scan ms365 -i path/to/ms365_account.json --option mondoo-ms365-datareport=/path/to/report.json

Disconnect from PowerShell

Disconnect-ExchangeOnline
Disconnect-SPOService
Disconnect-MicrosoftTeams