The Microsoft 365 User Account Security Power BI report gives IT administrators an easy way to identify changes on their Microsoft 365 tenant that may indicate a possible compromise.
The Power BI report pulls data from the Microsoft 365 User Account Data and Activity Dataset and shows a snapshot of the differences between two selected dates. The information shown includes:
- Compromised third party accounts
- Login locations
- Bulk emails sent
- Granted and received mailbox permissions
- Granted full access permissions
- Added and deleted devices
- Changes to account authentication policies
- Account inactivity
To use this Power BI report, you will need to:
- configure the Microsoft 365 User Account and Activity dataset
- download and install Power BI Desktop
- download the User Account Security Power BI Report file
- connect the Microsoft 365 User Account and Activity dataset to the User Account Security Power BI report
1. Sign in to Voleer and navigate to Workspaces, select the workspace that contains the Microsoft 365 User Account and Activity dataset, then Datasets, then select the name of the dataset
2. Click on Get Connection String
3. Click on the Copy button
4. Open a text editor and paste the clipboard contents. The strings to note are Data Source, Initial Catalog, User ID, and Password
5. Download and open the User Account Security Power BI file
6. Along the navigation bar, click on Transform data > Data source settings
7. Click on Change Source…
8. In the Server box, type in the Data Source value from step 4 (i.e. the text after the ‘=’ character and before the ‘;’ character)
9. In the Database box, type in the Initial Catalog value. Click on OK
10. Click on Edit Permissions…, then Edit
11. Click on Database, then enter the User ID and Password values in the User name and Password boxes. Click Save.
12. Close all open dialogs by clicking on OK, then Close
13. Click on Apply Changes
14. Wait for Power BI to process all data from your dataset
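The field extraction used in the Change Source and Edit Permissions steps above can be checked with a short script. This is an added example, not part of Voleer's documentation: it assumes the copied string follows .NET connection-string syntax, and the server, database, user and password values are constructed samples.

```powershell
# Constructed sample. In practice, assign the string copied from
# "Get Connection String" instead of this literal.
# The password is quoted because it contains ';' and '=', which a plain
# "text after '=' and before ';'" reading would cut short.
$raw = 'Data Source=example-server.database.windows.net;' +
       'Initial Catalog=ExampleDataset;' +
       'User ID=example_reader;' +
       'Password="p;w=Example1"'

# DbConnectionStringBuilder applies the .NET quoting rules, so separators
# inside a quoted value do not split the field.
# set_ConnectionString() is called explicitly because PowerShell's dot
# notation on dictionary-like objects would add a key instead.
$builder = New-Object System.Data.Common.DbConnectionStringBuilder
$builder.set_ConnectionString($raw)

# Connection-string key -> box in the Power BI Desktop dialogs
$map = [ordered]@{
    'Data Source'     = 'Server'
    'Initial Catalog' = 'Database'
    'User ID'         = 'User name'
    'Password'        = 'Password'
}

foreach ($key in $map.Keys) {
    if (-not $builder.ContainsKey($key)) {
        throw "Connection string has no '$key' value"
    }
    $value = [string]$builder[$key]
    if ($key -eq 'Password') {
        # Show only the length; $builder['Password'] holds the value to enter.
        $value = '*' * $value.Length
    }
    '{0,-10} {1}' -f ($map[$key] + ':'), $value
}
```

Running it in the current session keeps the credentials out of a saved text file; the parsed values live only in `$builder` until the session is closed.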
The User Account Security Report shows the changes to the tenant between selected dates.
Changing the dates will update the contents of the report. The dashboard is constructed so that the reader can quickly identify whether action is required on the tenant. For example, a number in the Accounts Compromised box would prompt immediate action to identify which account needs to be blocked.
A spike in failed logins would also be subject to further investigation.
Further confirmation of activity can then be completed by reviewing the detailed information within the associated pages.