Security & Identity policies

Description

This policy identifies the total number of admins in the organization.

Impact on your tenant

Having an excessively high number of administrators in the organization significantly increases the risk of potential security breaches.

Remediation action

Schedule and send the report to a custom recipient.

What you can configure

• Type the recipient of the email (custom address)
• Send email when the report is empty, not empty, or always
• Send as an Excel, CSV, or PDF file
• Schedule the recurrence of the remediation action

Description

This policy identifies cloud administrators who do not have a strong password policy enforced on their accounts. 

It displays the user's principal name, confirms their administrative role status, shows the account type as a cloud user, and crucially highlights when a strong password is not required for that account. 

This tool promotes robust password security practices by pinpointing admin accounts potentially lacking stringent password requirements within the cloud environment.

Impact on your tenant

Admins without strong passwords pose a significant security risk to the entire organization.

Remediation action

Execute the action "Set password required"

What you can configure

• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy helps you quickly spot cloud admins who haven't turned on extra security with multi-factor authentication (MFA). 

It shows their name, role, and who they report to, making it easy to reach out and encourage a security upgrade.

Impact on your tenant

Admins without MFA are at higher risk of account compromise, which could lead to unauthorized access to sensitive company data and systems.

Remediation action

1. Send attestation to the manager (or a custom address)
2. Execute the action “Manage MFA”

What you can configure

• Change the recipient of the attestation
• Set time-out days (min: 1 day – max: 180 days)
• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This filter displays active admins whose accounts are not blocked and have passwords set to never expire.

Impact on your tenant

Having too many admins with passwords set to never expire can pose a security risk, as it makes accounts more susceptible to being compromised over time without regular password changes.

Remediation action

Disable Password never expires.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This filter displays a list of users within the organization who meet the following criteria: they have at least one admin role, have not been blocked from signing in (BlockCredential is false), and do not have a default strong authentication method set up.

Impact on your tenant

A large number of admins fitting these criteria increases security risks due to weak authentication, potentially bypassing conditional access policies meant to safeguard your system, thus exposing your organization to higher vulnerability and compliance issues.

Remediation action

Schedule and send the report to a custom recipient.

What you can configure

• Type the recipient of the email (custom address)
• Send email when the report is empty, not empty, or always
• Send as an Excel, CSV, or PDF file
• Schedule the recurrence of the remediation action

Description

This policy outlines a procedure for identifying cloud administrators whose passwords have not been updated within the past 90 days. 

It lists essential information such as the user's identifier, full name, admin status, and manager's name, ensuring a professional approach to maintaining password security among cloud service users.

Impact on your tenant

Microsoft suggests ensuring the passwords of admin accounts and shared accounts change on a regular basis. Ensure all admin and shared accounts have signed in and changed their passwords at least once in the last 90 days.

Remediation action

1. Send attestation to the manager (or a custom address)
2. Execute the action “Manage password”

What you can configure

• Select the recipient (manager or custom address)
• Insert an additional message
• Set time-out days (min: 1 day – max: 180 days)
• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy identifies the distribution groups that have no members.

Impact on your tenant

Empty distribution groups in your tenant can lead to unnecessary clutter and confusion, complicating management and potentially masking misconfigurations that could be exploited. Best practices include regularly auditing and cleaning up these groups to ensure a streamlined, secure environment and to maintain clear, effective access control policies.

Remediation action

Remove empty distribution group.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy identifies the M365 groups that have no members.

Impact on your tenant

Empty MS 365 groups in your tenant can lead to unnecessary clutter and confusion, complicating management and potentially masking misconfigurations that could be exploited. Best practices include regularly auditing and cleaning up these groups to ensure a streamlined, secure environment and to maintain clear, effective access control policies.

Remediation action

Remove Microsoft 365 group.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy identifies the security groups that have no members.

Impact on your tenant

Empty security groups in your tenant can lead to unnecessary clutter and confusion, complicating management and potentially masking misconfigurations that could be exploited. Best practices include regularly auditing and cleaning up these groups to ensure a streamlined, secure environment and to maintain clear, effective access control policies.

Remediation action

Remove Empty security group.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

These policy identifies external members in distribution groups.

Impact on your tenant

Having too many external members in distribution groups can increase the risk of data leakage, as sensitive information may inadvertently be shared with unauthorized parties. It also expands the attack surface for phishing and social engineering attacks targeted at external members to gain access to the organization's network.

Remediation action

Remove Distribution group member.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy provides a clear view of external users in your Microsoft 365 groups. 

It lists their principal name, display name, and group details including the unique group ID and group name. It also indicates whether the user is marked as a guest, subscriber, member, or owner within the group. 

This is a straightforward way to audit external access to your Microsoft 365 collaborative spaces.

Impact on your tenant

External users that have access to resources and data due to their membership in M365 groups need periodic attestation to ensure they are not forgotten, and they have the least possible access.

Remediation action

1. Send attestation to the manager (or a custom address)
2. Execute the action “Remove M365 group member”

What you can configure

• Select the recipient (group owners or custom address)
• Insert an additional message
• Set time-out days (min: 1 day – max: 180 days)
• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy shows a list of external users in your security groups. It details their principal name, display name, the type of group member they are, the name of the security group they're in, and their guest status. 

It also indicates if they're an owner and provides the unique identifier for the security group (GUID). 

This is useful for managing and reviewing external access to sensitive areas within your organization.

Impact on your tenant

External users that have access to resources and data due to their membership in security groups need periodic attestation to ensure they are not forgotten, and they have the least possible privileges.

Remediation action

1. Send attestation to the manager (or a custom address)
2. Execute the action “Remove security group member”

What you can configure

• Select the recipient (group owners or custom address)
• Insert an additional message
• Set time-out days (min: 1 day – max: 180 days)
• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy helps you identify guest users who have been inactive in Microsoft 365 for the past 180 days. 

It shows their principal name and includes a column for the manager, although that might not apply to guests. 

It also indicates the last activity date and confirms their status as a guest user. This is useful for auditing and cleaning up inactive external users in your system.

Impact on your tenant

Guest users who have been inactive for 180 days or more can lead to security risks and unnecessary clutter in user management. Identifying and managing these accounts is critical for maintaining an efficient and secure environment.

Remediation action

Execute the action “Remove guest user”

What you can configure

• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy highlights users who have been inactive for the last 60 days but have not had their accounts blocked. 

It shows their principal name, the last login attempt, and their manager's information. 

Additionally, it confirms that their account credentials are not blocked, making it useful for reviewing user activity and account status within your system.

Impact on your tenant

Teams groups with guest users can introduce security challenges. Ensuring that these guests are necessary and properly managed helps maintain a secure environment.

Remediation action

1. Send attestation to the manager (or a custom address)
2. Execute the action “Block sign-in status”

What you can configure

• Select the recipient (manager or custom address)
• Insert an additional message
• Set time-out days (min: 1 day – max: 180 days)
• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy is designed to identify Microsoft 365 Groups that currently have no assigned owners. 

It displays the name of each group and confirms the total number of owners as zero. Additionally, it provides the primary SMTP address for each group, which can be useful for administrative purposes. 

This tool aids in governance and ensures that every group has appropriate oversight.

Impact on your tenant

Microsoft 365 Groups without owners can lead to unmanaged and potentially orphaned resources. Ensuring that each group has a designated owner is vital for effective management and governance.

Remediation action

1. Send attestation to the primary SMTP address (or a custom address)
2. No action will be executed - the attestation serves only an informative purpose

What you can configure

• Select the recipient (group owners or custom address)
• Insert an additional message
• Set time-out days (min: 1 day – max: 180 days)
• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy helps you quickly spot cloud admins who haven't turned on extra security with multi-factor authentication (MFA).

It shows their name, role, and who they report to, making it easy to reach out and encourage a security upgrade.

Impact on your tenant

Users without a default MFA method are more vulnerable to security breaches. Enforcing MFA for all users helps protect against unauthorized access.

Remediation action

Send an alert to the user without MFA enabled

What you can configure

• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This policy is designed to identify users who have not enabled Multi-Factor Authentication (MFA).

It lists the UPN, display name, the state of their multi-factor authentication, their manager, and whether they have administrative roles. 

This tool is crucial for IT security teams to ensure that MFA is enforced across the organization to enhance account security.

Impact on your tenant

Users without an MFA method are more vulnerable to security breaches. Enforcing MFA for all users helps protect against unauthorized access.

Remediation action

Execute the Action “Manage MFA”

What you can configure

• Schedule the recurrence of the remediation action
• Enable/disable the email alert if the workflow fails

Description

This filter displays a list of users within the organization who meet the following criteria: they have either a UserMailbox or a User account type, have not been blocked from signing in (BlockCredential is false), possess at least one license (indicating they are authorized for certain services or features), and do not have a default strong authentication method set up. Essentially, it identifies active, licensed users without enhanced security authentication methods configured.

Impact on your tenant

A large number of users fitting these criteria increases security risks due to weak authentication, potentially bypassing conditional access policies meant to safeguard your system, thus exposing your organization to higher vulnerability and compliance issues.

Remediation action

Schedule and send the report to a custom recipient.

What you can configure

• Type the recipient of the email (custom address)
• Send email when the report is empty, not empty, or always
• Send as an Excel, CSV, or PDF file
• Schedule the recurrence of the remediation action

Description

This filter displays active, licensed users in your organization with either User or UserMailbox roles, whose accounts are not blocked, have at least one license, and have passwords set to never expire.

Impact on your tenant

Having too many users with passwords set to never expire can pose a security risk, as it makes accounts more susceptible to being compromised over time without regular password changes.

Remediation action

Disable Password never expires.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action