Skip to main content

Assess Microsoft 365 Security Compliance with cnspec

cnspec assesses your Microsoft 365 environment for misconfigurations that put your organization at risk. You can scan your Microsoft 365 organization for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

cnspec can test any aspect of your Microsoft 365 configuration. For a list of Microsoft 365 resources you can test, read Mondoo Microsoft 365 (MS365) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Connect cnspec with your Microsoft 365 environment


To test your Microsoft 365 environment with cnspec, you must have:

Give cnspec access through the Microsoft 365 API

To remotely scan your Microsoft 365 environment, cnspec must have API credentials with access to the subscription. Follow these steps to give cnspec access:

  1. Log into the Azure CLI:
az login --allow-no-subscriptions
  1. Create a new service principal and certificate:
az ad sp create-for-rbac --name "mondoo-ms365" --create-cert
  1. Record the appId and tenant values to use later. Copy the newly created certificate file to a safe location.

  2. Log into the Azure Active Directory portal, navigate to App Registrations, and select the application you just created.

  3. In the sidebar, select API Permissions.

    Azure Active Directory Admin Center App Registrations

    By default, Microsoft grants your new application with User.Read permission for Microsoft Graph. It's not required for Mondoo, so you can remove it.

  4. Select Add a permission.

    Azure Active Directory Admin Center App Registrations

  5. From the list of Commonly used Microsoft APIs, select Microsoft Graph.

    Azure Active Directory Admin Center App Registrations

  6. Because Mondoo acts as a service, select Application permissions. Then select the API permissions:

    Show or hide required API permissions.
    Microsoft GraphTypeDescription
    Application.Read.AllApplicationRead all applications
    AuditLog.Read.AllApplicationRead all audit log data
    Calendars.ReadApplicationRead calendars in all mailboxes
    Device.Read.AllApplicationRead all devices
    DeviceManagementApps.Read.AllApplicationRead Microsoft Intune apps
    DeviceManagementConfiguration.Read.AllApplicationRead Microsoft Intune device configuration and policies
    DeviceManagementManagedDevices.Read.AllApplicationRead Microsoft Intune devices
    DeviceManagementRBAC.Read.AllApplicationRead Microsoft Intune RBAC settings
    DeviceManagementServiceConfig.Read.AllApplicationRead Microsoft Intune configuration
    Directory.Read.AllApplicationRead directory data
    Domain.Read.AllApplicationRead domains
    IdentityProvider.Read.AllApplicationRead identity providers
    IdentityRiskEvent.Read.AllApplicationRead all identity risk event information
    IdentityRiskyUser.Read.AllApplicationRead all identity risky user information
    InformationProtectionPolicy.Read.AllApplicationRead all published labels and label policies for an organization.
    MailboxSettings.ReadApplicationRead all user mailbox settings
    Organization.Read.AllApplicationRead organization information
    OrgContact.Read.AllApplicationRead organizational contacts
    Policy.Read.AllApplicationRead your organization's policies
    Policy.Read.ConditionalAccessApplicationRead your organization's conditional access policies
    Policy.Read.PermissionGrantApplicationRead consent and permission grant policies
    RoleManagement.Read.AllApplicationRead role management data for all RBAC providers
    SecurityActions.Read.AllApplicationRead your organization's security actions
    SecurityEvents.Read.AllApplicationRead your organization’s security events
    TeamsAppInstallation.ReadForUser.AllApplicationRead all users' installed Teams apps
    TeamSettings.Read.AllApplicationRead all teams' settings
    ThreatAssessment.Read.AllApplicationRead threat assessment requests
    ThreatIndicators.Read.AllApplicationRead all threat indicators
  7. Grant Mondoo read permissions for Office 365 Management API.

    Azure Active Directory Admin Center App Registrations - API permissions

    Office 365 Management APIsTypeDescription
    ActivityFeed.ReadApplicationRead activity data for your organization
    ActivityFeed.ReadDlpApplicationRead DLP policy events including detected sensitive data
    ServiceHealth.ReadApplicationRead service health information for your organization

    Confirm the selected permissions by selecting Add permissions.

    Azure Active Directory Admin Center App Registrations

  8. To complete the process, select Grant admin consent for tenant.

Azure Active Directory Admin Center App Registrations

Verify with a quick Microsoft 365 check

To quickly confirm that cnspec has access to your Microsoft 365 environment, run this check from your terminal:

cnspec run ms365 -c 'microsoft.organizations { id!="foo" }'

It asserts that none of your Microsoft organizations have the ID foo.

cnspec lists your resources and indicates that the check is true, none of them has foo as its ID.

You've successfully used cnspec to run your first check on your Microsoft 365 environment. Now you're ready to explore. The method you choose depends on your goals:

  • For widescale assessment of your Microsoft 365 infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Microsoft 365 security posture.
  • To run ad hoc checks against your Microsoft 365 environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.

Assess Microsoft 365 security with policy-based scanning

The Microsoft 365 Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental Microsoft 365 security best practices. It checks for misconfigurations across your entire Microsoft 365 infrastructure.

To scan using the Microsoft 365 Security by Mondoo policy, run:

cnspec scan ms365

cnspec finds the default policy for Microsoft 365 and runs a scan based on that policy. It returns a report summarizing the scan results.

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Test Microsoft 365 with the cnspec shell

The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.

To launch a shell into your Microsoft 365 environment, enter:

cnspec shell ms365

Discover capabilities with the help command

Once inside the shell, use the help command to learn what Microsoft 365 resources you can test. This command lists all the Microsoft 365 resources:

help ms365

To list all general Microsoft resources (not specific to Microsoft 365), enter:

help microsoft

From the resulting list, you can drill down further. For example, enter this command to list all the Microsoft group resources you can test:


From the resulting list, you can drill down even further. You can also learn about available Microsoft 365 resources in the Mondoo Microsoft 365 (MS365) Resource Pack Reference.

Example checks in cnspec shell

Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.

This test assures that auditing security defaults are disabled:

microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false

This test checks that no third party integrated applications can connect to your services:

microsoft.policies.authorizationPolicy {
_['defaultUserRolePermissions']['allowedToCreateApps'] == false

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.

Learn more about querying Microsoft 365