Microsoft 365 User Account Security Assessment [Template]

Overview

Microsoft 365 exposes user account information across a variety of subsystems, including Office 365, Azure AD and Exchange Online. Getting a snapshot of the settings and permissions on user accounts that may pose a security risk requires hours of manual work.

By using the Voleer Microsoft 365 User Account Security Assessment, user account information can be extracted on an ad hoc basis or scheduled to run periodically for review by security information workers, helping to prevent unauthorized access to and malicious activity against your Microsoft 365 tenant.

How it works

This template retrieves data across Microsoft 365 and from the third-party breach-notification service HaveIBeenPwned to generate a report covering:

  • Identifying potentially compromised accounts and suspicious login activity

  • Mailbox permissions and settings that may pose a security threat

  • Providing an overview of authentication methods and active vs inactive users

Read the article User Account Security Assessment for more information.

Requirements

Tenant Prerequisites

The Microsoft 365 tenant needs to be subscribed to a SKU or license pack that contains Azure Active Directory Premium (P1 or P2).

To find out which SKUs also include Azure Active Directory P1 or P2, search for Azure Active Directory Premium within the Microsoft article Product names and service plan identifiers for licensing - Azure AD | Microsoft Docs.
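Rather than searching the licensing article by hand, the prerequisite can be checked directly against the tenant. The following is an added example, not part of the Voleer template; it assumes the Microsoft.Graph PowerShell module is installed and uses the service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2) from the Microsoft licensing reference.

```powershell
# Added example (not Voleer's code): list every subscribed SKU in the tenant
# whose service plans include Azure AD Premium P1 or P2.
# Assumes the Microsoft.Graph module; reading subscribedSkus needs Organization.Read.All.
Connect-MgGraph -Scopes "Organization.Read.All"

# Service plan names as published in Microsoft's licensing reference.
$premiumPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')

$premiumSkus = foreach ($sku in Get-MgSubscribedSku) {
    foreach ($plan in $sku.ServicePlans) {
        if ($premiumPlans -contains $plan.ServicePlanName) {
            [pscustomobject]@{
                SkuPartNumber      = $sku.SkuPartNumber
                ServicePlan        = $plan.ServicePlanName
                ProvisioningStatus = $plan.ProvisioningStatus   # Success / Disabled / PendingInput
                EnabledUnits       = $sku.PrepaidUnits.Enabled
                ConsumedUnits      = $sku.ConsumedUnits
            }
        }
    }
}

if ($premiumSkus) {
    $premiumSkus | Format-Table -AutoSize
} else {
    Write-Warning "No SKU with Azure AD Premium P1 or P2 found; the template's tenant prerequisite is not met."
}
```

A plan listed with a ProvisioningStatus other than Success, or with no enabled units left, does not satisfy the prerequisite even though the SKU appears in the output.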

Permission Requirements

To run this report, you will require an Azure account with the rights to

  • Create an application registration
  • Assign admin-consent application permissions

The built-in Global Administrator role has these rights enabled.

The App Registration created by Voleer will be assigned the following permissions:

  • Read directory data
  • Read users’ full profiles
  • Read audit log data
  • Read usage reports
  • Read and write applications and service principals
  • Read and write directory RBAC settings
  • Read and write memberships
  • Manage app permissions and role assignments
  • Manage Exchange as an Application

Getting started

To start using this template, perform the following:

  1. Sign in to your Voleer account or sign up for a new account

  2. Find and click on the tile labelled Microsoft 365 User Account Security Assessment template from the list of templates within the library

  3. Select a workspace from the dropdown and click on Launch

  4. When presented with the authorization form, copy the device code and then visit the link Sign in to your account. Note - you will have to complete the authorization steps within 15 minutes. If you take longer than 15 minutes, you will have to click on the Validate button to retrieve a new device code

  5. Paste the device code into the form and then click on Next

  6. When presented with the sign-in dialog, there are two options available, each causing the template to behave differently.

  • Providing Partner Center credentials - this will allow you to select from a list of customer tenants associated with your Partner Center account. Continue to step 7 for instructions on how to proceed with Partner Center credentials
  • Providing M365 credentials - this will generate a report against the tenant associated with the M365 credentials. Continue to step 10 for instructions on how to proceed with M365 credentials

  7. Provide your Partner Center credentials and then click on Sign in, then close the browser tab / window

  8. Click on the Validate button

  9. When presented with a list of customers, choose the customer to run the report on and then click on Submit. Continue to step 13.
    Alternatively, selecting Run On Non-Customer Tenant [Varies] will allow you to enter M365 credentials associated with a non-customer tenant.

  10. Provide M365 credentials and then click on Sign in, then close the browser tab / window

  11. Click on the Validate button

  12. Select whether you would like to enable the Simple Replay Option, then click on Submit

  13. Configure the template options, then click on Validate Template Configuration

  14. Validate the details of the configuration and then click on Execute. Note - if the configuration is incorrect, cancel the run and start a new instance

  15. Once completed, you can save the template configuration and schedule the template as a recurring job
