Skip to main content

Assess Microsoft 365 Security with cnspec

cnspec assesses your Microsoft 365 environment for misconfigurations that put your organization at risk. You can scan your Microsoft 365 organization for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

cnspec can test any aspect of your Microsoft 365 configuration. For a list of Microsoft 365 resources you can test, read Mondoo Microsoft 365 (MS365) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Connect cnspec with your Microsoft 365 environment


To test your Microsoft 365 environment with cnspec, you must have:

Log into Microsoft 365

cnspec relies on the Microsoft Graph API to collect the data it needs. To give cnspec permission to access this data, you must create a registered app in Azure. To learn how to register and configure the app, read [Secure Microsoft 365 with Mondoo](Register an Azure app: /platform/infra/saas/ms365/ms365-auto/).

After registering the App, the method you choose for scanning depends on your goals:

  • For widescale assessment of your Microsoft 365 infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Microsoft 365 security posture.
  • To run ad hoc checks against your Microsoft 365 environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.

Assess Microsoft 365 security with policy-based scanning

The Microsoft 365 Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental Microsoft 365 security best practices. It checks for misconfigurations across your entire Microsoft 365 infrastructure.


In all commands, if you have a secret key but not a certificate, you can just provide the client secret:

--client-secret 'SECRET'

instead of providing a PEM certificate.

To scan your infrastructure based on a single policy:

cnspec run ms365 -c 'microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false' --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID

To scan the entire directory using the available default policies:

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID

cnspec follows these steps to load policies on which it bases the scan:

  • cnspec tries to read a config file, mondoo.yml, which includes the certificate and private key for authenticating with Mondoo Platform. If it finds the config, it loads the policies enabled for the Microsoft 365 integration in the Mondoo space this environment belongs to. You can enter cnspec status to see if the config file exists and cnspec is registered.

  • If there is no config file (you have not registered cnspec or you've removed the mondoo.yml file), then cnspec loads Mondoo's open source policies and scans based on those.


If cnspec is registered but you want to use the open source policies (and not share results with Mondoo Platform), you can scan in incognito mode:

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --incognito

You can also specify a particular policy bundle. cnspec uses only the bundle you specify:

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --policy-bundle mondoo-ms365-security.mql.yaml

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Test Microsoft 365 with the cnspec shell

The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.

To launch a shell into your Microsoft 365 environment, enter:

cnspec shell ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID

Discover capabilities with the help command

Once inside the shell, use the help command to learn what Microsoft 365 resources you can test. This command lists all the Microsoft 365 resources:

help ms365

To list all general Microsoft resources (not specific to Microsoft 365), enter:

help microsoft

From the resulting list, you can drill down further. For example, enter this command to list all the Microsoft group resources you can test:


From the resulting list, you can drill down even further. You can also learn about available Microsoft 365 resources in the Mondoo Microsoft 365 (MS365) Resource Pack Reference.

Example checks in cnspec shell

Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.

This test assures that auditing security defaults are disabled:

microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false

This test checks that no third party integrated applications can connect to your services:

microsoft.policies.authorizationPolicy {
_['defaultUserRolePermissions']['allowedToCreateApps'] == false

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.

Learn more about querying Microsoft 365