Microsoft 365 Security Assessment
Northwind Traders sample · March 14, 2025 · scan #27
Executive summary
- 1.High7 standing Global Administrators (recommend 2–4 permanent; make the rest PIM-eligible)
- 2.Critical118 critical + 742 high software vulnerabilities across managed devices
- 3.HighSuccessful legacy-auth sign-ins seen: Authenticated SMTP
- 4.HighApp "Northwind Backup Connector" holds tenant-wide write permissions
- 5.MediumMFA registered for only 78% of users (243/312) — registration, not enforcement
Highest-exposure items: 73 of 184 devices without EDR, 31 unmanaged (Defender-only), 7 standing Global Admins, 1 Critical finding. The unmanaged / no-EDR gaps are surfaced only by correlating Entra, Intune, and Defender into one inventory — no single Microsoft console shows them.
Not assessed: Identity Protection risky sign-ins (P2 license not detected). The absence of findings for an unassessed area does not imply it is secure.
Posture by area
| Area | High | Medium | Low | Total |
|---|---|---|---|---|
| Privileged roles | 1 | – | – | 1 |
| Defender for Endpoint | 1 | – | – | 1 |
| Sign-in logs | 1 | – | – | 1 |
| App registrations | 1 | – | – | 1 |
| MFA | – | 1 | – | 1 |
| Intune | 1 | – | – | 1 |
| Defender for O365 | – | 1 | – | 1 |
| Identity | – | – | 1 | 1 |
Sample findings (8)
Remediation commands are display-only — nothing is applied automatically. EachTenant-exactcommand is pre-filled with your real object IDs; AI-suggested items must be verified first. (A full assessment lists every finding; this sample shows 8.)
7 standing Global Administrators (recommend 2–4 permanent; make the rest PIM-eligible)
ROLE-GA-MANY · 4 entities · first detected 3mo ago
Every standing Global Administrator is a full-tenant compromise if its credentials are phished. Microsoft recommends 2–4 permanent break-glass admins and Privileged Identity Management (just-in-time elevation) for the rest, shrinking the always-on attack surface.
# 7 standing Global Administrators. Nothing is auto-applied — review EACH line below.
# ⚠ Do NOT remove your emergency-access ("break-glass") accounts. Confirm every removal first.
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId 4f1a9c20-... # j.harper@northwind.example
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId 8b3d77e1-... # it.contractor@northwind.example
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId d92f1ab4-... # legacy-sync@northwind.exampleRollback: Add-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId <UserObjectId>
Maps to: CIS M365 1.1.3
118 critical + 742 high software vulnerabilities across managed devices
MDE-CVE · 3 entities · first detected 12d ago
Defender Vulnerability Management surfaced exploitable CVEs on internet-facing and email-handling software. The top items are weaponized and used in real intrusions — patching them removes the highest-likelihood initial-access paths.
Deploy the missing security updates via Intune / WSUS, prioritizing the CVEs below by exposed-device count. Reboot to complete servicing-stack updates.
- [Critical] CVE-2024-21413 · 41 devices
- [Critical] CVE-2023-23397 · 38 devices
- [High] CVE-2024-30103 · 33 devices
- [High] CVE-2023-36884 · 27 devices
- [High] CVE-2024-38021 · 22 devices
Maps to: Defender Vulnerability Management
Successful legacy-auth sign-ins seen: Authenticated SMTP
LEGACY-AUTH · 2 entities · first detected 2mo ago
Legacy authentication protocols bypass Conditional Access and MFA. Successful sign-ins over Authenticated SMTP mean an attacker with a stolen password can log in without ever facing MFA — the most common foothold in M365 account takeover.
# Block legacy authentication tenant-wide via a Conditional Access policy (report-only first).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
displayName = "Block legacy authentication"; state = "enabledForReportingButNotEnforced"
conditions = @{ clientAppTypes = @("exchangeActiveSync","other") ; users = @{ includeUsers = @("All") } }
grantControls = @{ operator = "OR"; builtInControls = @("block") } }Rollback: Set the policy state to 'disabled' in Entra → Security → Conditional Access.
Block in report-only mode first to catch service accounts before enforcing.
Authenticated SMTP: 14 · IMAP4: 3
Maps to: CIS M365 1.1 / Entra
App "Northwind Backup Connector" holds tenant-wide write permissions
APP-PRIV · 1 entity · first detected 4mo ago
This service principal was granted Directory.ReadWrite.All — it can modify any user, group, or role in the tenant. A compromised secret on this app is equivalent to Global Admin. Least-privilege the grant down to only what the integration needs.
Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId 7c2e9f3a-… -AppRoleAssignmentId q1W2e3R4-… # Directory.ReadWrite.All
Granted permissions: Directory.ReadWrite.All, Group.ReadWrite.All
Maps to: CIS M365 / least privilege
MFA registered for only 78% of users (243/312) — registration, not enforcement
MFA-COVER · first detected 2mo ago
Roughly one in five accounts has no MFA method registered, so a stolen password is all an attacker needs. Note this measures registration — enforcement is governed by your Conditional Access policies, reviewed separately.
Target the 69 unregistered users with an Authentication Methods registration campaign (Entra → Authentication methods → Registration campaign), then enforce via Conditional Access.
registration ≠ enforcement; see Conditional Access findings
Maps to: CIS M365 1.1
3 of 141 managed devices have no disk encryption
INTUNE-ENCRYPT · 3 entities · first detected 1mo ago
An unencrypted laptop is a full data breach the moment it's lost or stolen — disk contents are readable without the user's password. BitLocker/FileVault closes this for data-at-rest.
Assign a Disk encryption policy (Intune → Endpoint security → Disk encryption) targeting these devices; confirm a TPM is present and the recovery key escrows to Entra.
Maps to: CIS M365 / Intune
2 domains send email without DKIM signing
MDO-DKIM · 2 domains · first detected 6mo ago
Without DKIM, recipients can't cryptographically verify your mail wasn't forged — raising spoofing/phishing risk against your brand and weakening DMARC enforcement.
Set-DkimSigningConfig -Identity northwind.example -Enabled $true Set-DkimSigningConfig -Identity mail.northwind-traders.example -Enabled $true
Maps to: Defender for O365 / DMARC
9 guest accounts present — review external access
GUEST-INV · first detected 7mo ago
Guest accounts are valid identities in your tenant. Stale or over-permissioned guests are a quiet lateral-movement path; review access quarterly and remove the unused.
Run an Entra access review (Identity Governance → Access reviews) over all guests; remove those with no sign-in in 90 days.
Maps to: CIS M365 / Identity
This is a sample. Your assessment covers your tenant.
Read-only across 12+ Microsoft 365 / Entra security domains, BYOK, delivered as this report plus an authenticated console — with the exact, human-approved fix for every finding.
Get your Discovery Assessment