Mondoo
Docs
SaaS

Assess Microsoft 365 Security with cnspec

Use cnspec to assess Microsoft 365 for security misconfigurations

Rely on cnspec to ensure your Microsoft 365 environment follows security best practices, such as verifying security defaults, controlling third-party application access, auditing authorization policies, and reviewing conditional access rules across your tenant.

Before you begin

To test your Microsoft 365 environment with cnspec, you must have:

Give cnspec access

cnspec relies on the Microsoft Graph API. To give cnspec permission to access your data, you must create a registered app in Azure. To learn how, read Secure Microsoft 365 with Mondoo.

Use environment variables for credentials

Instead of passing credentials on every command, you can set environment variables:

On Linux / macOS:

export AZURE_TENANT_ID=YOUR-TENANT-ID
export AZURE_CLIENT_ID=YOUR-CLIENT-ID
export AZURE_CLIENT_SECRET='YOUR-SECRET'

On Windows, using PowerShell:

$Env:AZURE_TENANT_ID = "YOUR-TENANT-ID"
$Env:AZURE_CLIENT_ID = "YOUR-CLIENT-ID"
$Env:AZURE_CLIENT_SECRET = "YOUR-SECRET"

When these variables are set, you can omit the corresponding flags from all the commands below.

Test your connection

Before running a full scan, verify that your credentials work by opening a cnspec shell:

cnspec shell ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID
cnspec> microsoft.tenant.name
microsoft.tenant.name: "your-tenant-name"

If you see your tenant name, cnspec is connected and ready to scan. You can also use help ms365 and help microsoft to explore available resources.

Scan Microsoft 365

To scan using the default policies:

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID

To specify a particular policy bundle:

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --policy-bundle mondoo-m365-security.mql.yaml

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure security defaults are appropriately managed
✕ Fail:  Ensure third-party applications cannot connect to services
✓ Pass:  Ensure all domains are verified

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

By default, cnspec applies the Mondoo Microsoft 365 Security policy, which covers security defaults, authorization policies, conditional access, Exchange Online settings, and more. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Example checks

Run cnspec shell ms365 (with the required flags above) to open the cnspec interactive shell. From there you can make checks like the examples below.

Ensure security defaults are disabled

When conditional access policies are in place, security defaults should be disabled to avoid conflicts:

cnspec> microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false
[ok] value: false

Ensure third-party apps can't connect to your services

cnspec> microsoft.policies.authorizationPolicy {
 _['defaultUserRolePermissions']['allowedToCreateApps'] == false
}
[ok] value: false

Ensure all domains are verified

cnspec> microsoft.domains { id isVerified == true }
[ok] value: true

Ensure MFA is enabled for all users

cnspec> microsoft.users { userPrincipalName mfaEnabled == true }

Ensure on-premises sync is properly configured

cnspec> microsoft.tenant.onPremisesSyncEnabled

Continuously scan your fleet

To move beyond one-off scans, set up a Microsoft 365 integration in Mondoo Platform. You get continuous monitoring across your Microsoft 365 tenant, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.

Learn more

GitLab

Secure and enforce policy for GitLab

Okta

Secure and enforce policy for Okta

On this page

Before you beginGive cnspec accessUse environment variables for credentialsTest your connectionScan Microsoft 365Understand scan outputExample checksEnsure security defaults are disabledEnsure third-party apps can't connect to your servicesEnsure all domains are verifiedEnsure MFA is enabled for all usersEnsure on-premises sync is properly configuredContinuously scan your fleetLearn more