The remediation action for Security & Identity policies is NOT available in the Essentials solution.
These policies provide building blocks for a comprehensive security strategy.
They are a simple and effective way to enhance security, particularly in protecting sensitive information against phishing, brute force, and other forms of unauthorized access, preventing account takeovers, and hardening cloud-based services.
The list below gives an overview of the Security & Identity out-of-the-box policies, the remediation action each one executes, and the remediation settings you can configure.
Admin users
Description
This policy identifies the total number of admins in the organization.
Impact on your tenant
Having an excessively high number of administrators in the organization significantly increases the risk of potential security breaches.
Remediation action
Schedule and send the report to a custom recipient.
What you can configure
- Type the recipient of the email (custom address)
- Send email when the report is empty, not empty, or always
- Send as an Excel, CSV, or PDF file
- Schedule the recurrence of the remediation action
Admin on cloud without strong password
Description
This policy identifies cloud administrators who do not have a strong password policy enforced on their accounts.
It displays the user's principal name, confirms their administrative role, shows the account type as a cloud user, and highlights when a strong password is not required for that account.
This promotes robust password practices by pinpointing admin accounts in the cloud environment that may lack stringent password requirements.
Impact on your tenant
Admins without strong passwords pose a significant security risk to the entire organization.
Remediation action
Execute the action “Set password required”
What you can configure
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Admin without MFA
Description
This policy helps you quickly spot cloud admins who haven't turned on extra security with multi-factor authentication (MFA).
It shows their name, role, and who they report to, making it easy to reach out and encourage a security upgrade.
Impact on your tenant
Admins without MFA are at higher risk of account compromise, which could lead to unauthorized access to sensitive company data and systems.
Remediation action
- Send attestation to the manager (or a custom address)
- Execute the action “Manage MFA”
What you can configure
- Change the recipient of the attestation
- Set time-out days (min: 1 day – max: 180 days)
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Admins with a password that never expires
Description
This filter displays active admins whose accounts are not blocked and have passwords set to never expire.
Impact on your tenant
Having too many admins with passwords set to never expire can pose a security risk, as it makes accounts more susceptible to being compromised over time without regular password changes.
Remediation action
Disable “Password never expires”.
What you can configure
- Enable/disable the email alert if the workflow fails
- Schedule the recurrence of the remediation action
Admins without MFA default method for strong authentication
Description
This filter displays a list of users within the organization who meet the following criteria: they have at least one admin role, have not been blocked from signing in (BlockCredential is false), and do not have a default strong authentication method set up.
Impact on your tenant
A large number of admins fitting these criteria increases security risks due to weak authentication, potentially bypassing conditional access policies meant to safeguard your system, thus exposing your organization to higher vulnerability and compliance issues.
Remediation action
Schedule and send the report to a custom recipient.
What you can configure
- Type the recipient of the email (custom address)
- Send email when the report is empty, not empty, or always
- Send as an Excel, CSV, or PDF file
- Schedule the recurrence of the remediation action
Admin with password not changed in the last 90 days
Description
This policy identifies cloud administrators whose passwords have not been changed within the past 90 days.
It lists the user's identifier, full name, admin status, and manager's name, supporting a consistent approach to maintaining password hygiene among cloud service users.
Impact on your tenant
Microsoft recommends that the passwords of admin accounts and shared accounts be changed regularly. Ensure all admin and shared accounts have signed in and changed their passwords at least once in the last 90 days.
Remediation action
- Send attestation to the manager (or a custom address)
- Execute the action “Manage password”
What you can configure
- Select the recipient (manager or custom address)
- Insert an additional message
- Set time-out days (min: 1 day – max: 180 days)
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Empty distribution groups
Description
This policy identifies the distribution groups that have no members.
Impact on your tenant
Empty distribution groups in your tenant can lead to unnecessary clutter and confusion, complicating management and potentially masking misconfigurations that could be exploited. Best practices include regularly auditing and cleaning up these groups to ensure a streamlined, secure environment and to maintain clear, effective access control policies.
Remediation action
Remove empty distribution group.
What you can configure
- Enable/disable the email alert if the workflow fails
- Schedule the recurrence of the remediation action
Empty Microsoft 365 groups
Description
This policy identifies the Microsoft 365 groups that have no members.
Impact on your tenant
Empty Microsoft 365 groups in your tenant can lead to unnecessary clutter and confusion, complicating management and potentially masking misconfigurations that could be exploited. Best practices include regularly auditing and cleaning up these groups to ensure a streamlined, secure environment and to maintain clear, effective access control policies.
Remediation action
Remove Microsoft 365 group.
What you can configure
- Enable/disable the email alert if the workflow fails
- Schedule the recurrence of the remediation action
Empty security groups
Description
This policy identifies the security groups that have no members.
Impact on your tenant
Empty security groups in your tenant can lead to unnecessary clutter and confusion, complicating management and potentially masking misconfigurations that could be exploited. Best practices include regularly auditing and cleaning up these groups to ensure a streamlined, secure environment and to maintain clear, effective access control policies.
Remediation action
Remove empty security group.
What you can configure
- Enable/disable the email alert if the workflow fails
- Schedule the recurrence of the remediation action
External members in distribution groups
Description
This policy identifies external members in distribution groups.
Impact on your tenant
Having too many external members in distribution groups can increase the risk of data leakage, as sensitive information may inadvertently be shared with unauthorized parties. It also expands the attack surface for phishing and social engineering attacks targeted at external members to gain access to the organization's network.
Remediation action
Remove distribution group member.
What you can configure
- Enable/disable the email alert if the workflow fails
- Schedule the recurrence of the remediation action
External user in Microsoft 365 group
Description
This policy provides a clear view of external users in your Microsoft 365 groups.
It lists their principal name, display name, and group details including the unique group ID and group name. It also indicates whether the user is marked as a guest, subscriber, member, or owner within the group.
This is a straightforward way to audit external access to your Microsoft 365 collaborative spaces.
Impact on your tenant
External users that have access to resources and data through their membership in Microsoft 365 groups need periodic attestation to ensure they are not forgotten and that they have the least possible access.
Remediation action
- Send attestation to the manager (or a custom address)
- Execute the action “Remove M365 group member”
What you can configure
- Select the recipient (group owners or custom address)
- Insert an additional message
- Set time-out days (min: 1 day – max: 180 days)
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
External users in security groups
Description
This policy shows a list of external users in your security groups. It details their principal name, display name, the type of group member they are, the name of the security group they're in, and their guest status.
It also indicates if they're an owner and provides the unique identifier for the security group (GUID).
This is useful for managing and reviewing external access to sensitive areas within your organization.
Impact on your tenant
External users that have access to resources and data through their membership in security groups need periodic attestation to ensure they are not forgotten and that they have the least possible privileges.
Remediation action
- Send attestation to the manager (or a custom address)
- Execute the action “Remove security group member”
What you can configure
- Select the recipient (group owners or custom address)
- Insert an additional message
- Set time-out days (min: 1 day – max: 180 days)
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Inactive guests in the last 180 days
Description
This policy helps you identify guest users who have been inactive in Microsoft 365 for the past 180 days.
It shows their principal name and includes a column for the manager, although that might not apply to guests.
It also indicates the last activity date and confirms their status as a guest user. This is useful for auditing and cleaning up inactive external users in your system.
Impact on your tenant
Guest users who have been inactive for 180 days or more can lead to security risks and unnecessary clutter in user management. Identifying and managing these accounts is critical for maintaining an efficient and secure environment.
Remediation action
Execute the action “Remove guest user”
What you can configure
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Inactive last 60 days but not blocked users
Description
This policy highlights users who have been inactive for the last 60 days but have not had their accounts blocked.
It shows their principal name, the last login attempt, and their manager's information.
Additionally, it confirms that their account credentials are not blocked, making it useful for reviewing user activity and account status within your system.
Impact on your tenant
Teams groups with guest users can introduce security challenges. Ensuring that these guests are necessary and properly managed helps maintain a secure environment.
Remediation action
- Send attestation to the manager (or a custom address)
- Execute the action “Block sign-in status”
What you can configure
- Select the recipient (manager or custom address)
- Insert an additional message
- Set time-out days (min: 1 day – max: 180 days)
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Microsoft 365 groups without owners
Description
This policy is designed to identify Microsoft 365 Groups that currently have no assigned owners.
It displays the name of each group and confirms the total number of owners as zero. Additionally, it provides the primary SMTP address for each group, which can be useful for administrative purposes.
This tool aids in governance and ensures that every group has appropriate oversight.
Impact on your tenant
Microsoft 365 Groups without owners can lead to unmanaged and potentially orphaned resources. Ensuring that each group has a designated owner is vital for effective management and governance.
Remediation action
- Send attestation to the primary SMTP address (or a custom address)
- No action is executed; the attestation is informative only
What you can configure
- Select the recipient (group owners or custom address)
- Insert an additional message
- Set time-out days (min: 1 day – max: 180 days)
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Users without default MFA method
Description
This policy helps you quickly spot cloud admins who haven't turned on extra security with multi-factor authentication (MFA).
It shows their name, role, and who they report to, making it easy to reach out and encourage a security upgrade.
Impact on your tenant
Users without a default MFA method are more vulnerable to security breaches. Enforcing MFA for all users helps protect against unauthorized access.
Remediation action
Send an alert to the user without MFA enabled
What you can configure
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Users without MFA
Description
This policy is designed to identify users who have not enabled Multi-Factor Authentication (MFA).
It lists the UPN, display name, the state of their multi-factor authentication, their manager, and whether they have administrative roles.
This tool is crucial for IT security teams to ensure that MFA is enforced across the organization to enhance account security.
Impact on your tenant
Users without an MFA method are more vulnerable to security breaches. Enforcing MFA for all users helps protect against unauthorized access.
Remediation action
Execute the action “Manage MFA”
What you can configure
- Schedule the recurrence of the remediation action
- Enable/disable the email alert if the workflow fails
Users without MFA default method for strong authentication
Description
This filter displays a list of users within the organization who meet the following criteria: they have either a UserMailbox or a User account type, have not been blocked from signing in (BlockCredential is false), possess at least one license (indicating they are authorized for certain services or features), and do not have a default strong authentication method set up. Essentially, it identifies active, licensed users without enhanced security authentication methods configured.
Impact on your tenant
A large number of users fitting these criteria increases security risks due to weak authentication, potentially bypassing conditional access policies meant to safeguard your system, thus exposing your organization to higher vulnerability and compliance issues.
Remediation action
Schedule and send the report to a custom recipient.
What you can configure
- Type the recipient of the email (custom address)
- Send email when the report is empty, not empty, or always
- Send as an Excel, CSV, or PDF file
- Schedule the recurrence of the remediation action
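The two report-only filters above (“Admins without MFA default method for strong authentication” and “Users without MFA default method for strong authentication”) can be reproduced outside the product with the MSOnline module, whose property names (BlockCredential, StrongAuthenticationMethods, IsLicensed) match the terms in the policy text. This is an added example, not the product's own code; it assumes Connect-MsolService has already been run, and it approximates the product's “UserMailbox or User account type” field with UserType -eq 'Member'.

```powershell
# Added example, not the product's own code: rebuild the "Admins without MFA
# default method" and "Users without MFA default method" filters with MSOnline.
# Assumes Connect-MsolService has already been run with read access to users and roles.
Import-Module MSOnline

# Lookup of every user holding at least one directory (admin) role.
$adminUpns = @{}
foreach ($role in Get-MsolRole) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { $adminUpns[$_.EmailAddress] = $true }
}

# "Do not have a default strong authentication method set up":
# no entry in StrongAuthenticationMethods is flagged IsDefault.
function Test-NoDefaultStrongAuth {
    param($User)
    return -not ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault })
}

# "Have not been blocked from signing in (BlockCredential is false)".
$activeUsers = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }

# Admin variant: active users holding at least one admin role.
$adminsWithoutDefault = $activeUsers | Where-Object {
    $adminUpns.ContainsKey($_.UserPrincipalName) -and (Test-NoDefaultStrongAuth $_)
}

# User variant: active, licensed members. The page's "UserMailbox or User
# account type" is the product's own field; UserType -eq 'Member' (not a guest)
# is the approximation assumed here.
$usersWithoutDefault = $activeUsers | Where-Object {
    $_.UserType -eq 'Member' -and $_.IsLicensed -and (Test-NoDefaultStrongAuth $_)
}

# Write CSV reports comparable to the scheduled report the policies send.
$adminsWithoutDefault |
    Select-Object UserPrincipalName, DisplayName, @{ n = 'IsAdmin'; e = { $true } } |
    Export-Csv -Path .\admins-without-default-mfa.csv -NoTypeInformation
$usersWithoutDefault |
    Select-Object UserPrincipalName, DisplayName, IsLicensed |
    Export-Csv -Path .\users-without-default-mfa.csv -NoTypeInformation
```

Comparing these CSVs with the product's scheduled report is a quick way to confirm the policy's scope in your tenant before enabling any remediation that acts on accounts.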
Users with a password that never expires
Description
This filter displays active, licensed users in your organization with either the User or UserMailbox account type, whose accounts are not blocked, who have at least one license, and whose passwords are set to never expire.
Impact on your tenant
Having too many users with passwords set to never expire can pose a security risk, as it makes accounts more susceptible to being compromised over time without regular password changes.
Remediation action
Disable “Password never expires”.
What you can configure
- Enable/disable the email alert if the workflow fails
- Schedule the recurrence of the remediation action