SmartProfiler is a desktop application designed to perform security, health and risk assessments of Microsoft 365, Active Directory and Azure Virtual Desktop tenants. To assess a technology, SmartProfiler requires the necessary permissions on the assessment target. SmartProfiler can also be used to execute the M365 CIS Assessment. Various options/tools are available with SmartProfiler Microsoft 365, as shown in the screenshot below:
Note: It is recommended that the Global Admin account is part of all Microsoft 365 Reader roles.
To use Microsoft 365 CIS Assessment with SmartProfiler, please log on to SmartProfiler using a Microsoft 365 Tenant which is already registered. If the Microsoft 365 Tenant is not registered, then you are required to register the Tenant.
If you are registering the first Tenant in SmartProfiler, click on the “Register Tenant” button on the login screen. The Managed Tenants screen will be shown:
Click on the “Add New Tenant” button, shown in the red circle in the screenshot above, which in turn will show the registration screen:
To register an M365 Tenant, click the M365 Tenant tab. Registering an M365 Tenant in SmartProfiler requires the inputs below:
Client ID, Certification Thumbprint and Tenant ID are optional unless you are using SmartProfiler Scheduler for Microsoft 365.
Note that the registration process for a Microsoft 365 Tenant checks the status of the Microsoft 365 domain entered and of the global admin account, to ensure that the domain is verified and that the global admin account has access to the tenant.
Once done, click on the “Update/Register” button to add the tenant under the management of SmartProfiler.
Once the Microsoft 365 Tenant is registered with SmartProfiler, apply the license file. To apply the license file, click on the name of the Microsoft 365 Tenant that you just registered in the list of registered tenants.
Then click on the “Browse” button to browse for the license file. After selecting the current license file, you will see a message asking if the license file needs to be applied to the selected Microsoft 365 Tenant:
Click “Yes” to apply the license to the selected Microsoft 365 Tenant. If the license file is applied successfully, you will see “REGISTERED” in green in front of the Microsoft 365 Tenant in the list.
Once the Tenant has been registered with SmartProfiler, you need to open the M365 Tenant. After opening the Microsoft 365 Tenant, click on the “Execute Assessment” button found under the Microsoft 365 Security section in the left pane.
Note that SmartProfiler for Microsoft 365 not only supports executing CIS Tests, it also supports executing various tests designed by our Microsoft 365 Expert Team. An overview of the tests included in SmartProfiler is given below:
Note that the SmartProfiler execution console supports executing the tests below:
Note that if the Admin Consent is not granted, the below screen will show “Not Granted” in red color.
It is important to grant admin consent to run some of the tests which require permissions to connect to Microsoft 365 Tenant.
There are three ways to grant Admin Consent so that the assessment can also cover the MDM category, as listed below:
Note: The Admin Consent process is a one-time step.
SmartProfiler supports granting Admin Consent for Intune by executing a series of PowerShell commands. To grant Admin Consent using SmartProfiler, click on the Play icon shown below:
And then click on the “Grant” button:
In the above window, click on “Grant”. When you click on the button, you will be presented with a Microsoft login prompt to enter Global Administrator credentials, and you will then be asked to grant “READ-ONLY” permissions to the Microsoft.Graph app.
Connect-MSGraph
Update-MSGraphEnvironment -SchemaVersion Beta
You need to check the box “Consent on behalf of your organization” and then click on the “Accept” button to continue.
Once Admin Consent has been granted to Microsoft.Graph, all tests, including the tests in the Mobile Device Management category, can be executed using a Global Reader Account.
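After consent has been granted, the delegated scopes recorded in the tenant can be compared with the “READ-ONLY” expectation described above. The following PowerShell is an added example, not part of SmartProfiler or of the original page; the function name Test-ReadOnlyConsent, its naming-based read-only heuristic and the sample grant objects are assumptions constructed for illustration, shaped like the output of Get-MgOauth2PermissionGrant.

```powershell
# Added example. Test-ReadOnlyConsent is a hypothetical helper, not a SmartProfiler cmdlet.
# Assumption: a scope counts as read-only if its name has ".Read" or ".ReadBasic" as a
# whole segment; sign-in scopes (openid, profile, ...) grant no data access by themselves.
function Test-ReadOnlyConsent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Grant
    )
    begin {
        $signInScopes = 'openid', 'profile', 'email', 'offline_access'
    }
    process {
        foreach ($g in $Grant) {
            # Scope is one space-separated string and may carry a leading space
            $scopes  = @(($g.Scope -split '\s+') | Where-Object { $_ })
            $nonRead = @($scopes | Where-Object {
                $_ -notin $signInScopes -and $_ -notmatch '\.Read(Basic)?(\.|$)'
            })
            [pscustomobject]@{
                TenantWide    = ($g.ConsentType -eq 'AllPrincipals')  # admin consent for all users
                ScopeCount    = $scopes.Count
                NonReadScopes = $nonRead -join ', '
                ReadOnly      = ($nonRead.Count -eq 0)
            }
        }
    }
}

# Constructed sample grants (not taken from any real tenant)
$sampleGrants = @(
    [pscustomobject]@{
        ConsentType = 'AllPrincipals'
        Scope       = ' DeviceManagementManagedDevices.Read.All DeviceManagementConfiguration.Read.All User.Read openid'
    }
    [pscustomobject]@{
        ConsentType = 'AllPrincipals'
        Scope       = 'DeviceManagementApps.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All'
    }
)
$sampleGrants | Test-ReadOnlyConsent | Format-List

# Against a live tenant (Microsoft Graph PowerShell SDK), pipe the real grants instead;
# the object id below is a placeholder for the consented app's service principal:
#   Get-MgOauth2PermissionGrant -Filter "clientId eq '<service-principal-object-id>'" |
#       Test-ReadOnlyConsent
```

The first sample grant is reported as read-only; the second lists both of its scopes under NonReadScopes.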
Once the Microsoft 365 Tests have been loaded, you can click on the “Execute Assessment” button to start the assessment. While the assessment is in progress, you can see its progress in the top bar. After the assessment has been completed, you will see a message indicating that it completed successfully.
As you can see in the screenshot above, SmartProfiler has reported high, medium, low and non-compliance issues. It has also reported the items that have passed successfully. If you need to see the data for a test, click on the test.
Here are the columns that are displayed as part of the Microsoft 365 Assessment and their meaning:
Note: SmartProfiler for Microsoft 365 includes all CIS Control tests for Microsoft 365 foundation. However, some of the tests have been designed by our Microsoft 365 experts to ensure every aspect of Microsoft 365 Subscription is checked and reported as part of the report.
Note that SmartProfiler for Microsoft 365 is capable of generating a Microsoft Word report and an Excel summary which contains the list of affected objects for each test.
Click on the Browse button to specify the report location and check/uncheck various other options as explained below:
Once you have checked/unchecked the required options, click on the “Generate Report” button. The process will take some time, and progress will be shown on the screen.
All CIS Tests that are covered by SmartProfiler can be found on the CIS website. Note that SmartProfiler supports the latest CIS Version 3.0.