Skip to main content

cnspec shell ms365

Connect to a Microsoft 365 tenant.


This command opens a shell to a Microsoft 365 tenant:

$ cnspec shell ms365 --tenant-id {tenant id} --client-id {client id} --client-secret {client secret}

This example connects to Microsoft 365 using the PKCS #12 formatted certificate:

$ cnspec shell ms365 --tenant-id {tenant id} --client-id {client id} --certificate-path {certificate.pfx} --certificate-secret {certificate secret}
$ cnspec shell ms365 --tenant-id {tenant id} --client-id {client id} --certificate-path {certificate.pfx} --ask-pass
cnspec shell ms365 [flags]


      --ask-pass                         Prompt for connection password.
--certificate-path string Path (in PKCS #12/PFX or PEM format) to the authentication certificate
--certificate-secret string passphrase for certificate file
--client-id string application (client) ID of the service principal
--client-secret string secret for application
-c, --command string MQL query to execute in the shell.
--datareport string set the MS365 datareport for the scan
--discover string Enable the discovery of nested assets. Supported: 'all|auto|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
--discover-filter stringToString Additional filter for asset discovery. (default [])
-h, --help help for ms365
--host-machines Also scan host machines like ESXi server.
-i, --identity-file string Select a file from which to read the identity (private key) for public key authentication.
--insecure Disable TLS/SSL checks or SSH hostkey config.
--instances Also scan instances. This only applies to API targets like AWS, Azure, or GCP.
--option --option key=value Additional connection options. You can pass multiple options using --option key=value. (default [])
-p, --password string Set the connection password, such as for SSH/WinRM.
--path string Path to a local file or directory for the connection to use.
--platform-id string Select a specific target asset by providing its platform ID.
--sudo Elevate privileges with sudo.
--tenant-id string directory (tenant) ID of the service principal

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
--config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
--log-level string Set log level: error, warn, info, debug, trace (default "info")
-v, --verbose Enable verbose output