Almost all CIS tests are automated with SmartProfiler for Microsoft 365 CIS Assessment.
Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.
Beyond the CIS benchmark, SmartProfiler for Microsoft 365 includes additional tests; in total 234 tests cover the Microsoft 365 services listed below.
SmartProfiler for Microsoft 365 Assessment is an automated health and risk assessment solution that helps you improve the health and security posture of your Microsoft 365 tenant. It follows the CIS Workbench controls (CIS Microsoft 365 Foundations Benchmark v3.1.0) plus further tests designed by our Microsoft 365 experts. Services covered: Azure AD / Entra ID (via MSOnline), Exchange Online (EXO), Teams, SharePoint Online, and OneDrive.
The Center for Internet Security is a nonprofit entity whose mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyberdefense." It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world, and it follows a consensus decision-making model to develop its standards and best practices, including the CIS Benchmarks, Controls, and hardened images. SmartProfiler is designed to support the CIS standards for Microsoft 365 and Azure assessments.
SmartProfiler for Microsoft 365 requires a Global Reader or Global Administrator account to perform all tests.
SmartProfiler needs a Global Administrator or Global Reader account to gather the information needed for analysis; no Azure AD application registration is required. Note that a Global Reader account cannot run the SharePoint tests: Global Reader is read-only in the admin centers, but the SharePoint Online Management Shell does not accept it, so those tests need a Global Administrator account.
PowerShell modules are already included in the product, so installing them is not necessary before running the assessment. Before beginning the assessment, the product automatically imports PowerShell modules.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for Microsoft 365 CIS Assessment is simple to use and executes in four steps.
SmartProfiler for Microsoft 365 supports all CIS categories from benchmark v3.1.0, plus tests such as MDM that are not part of the v3.1.0 benchmark.
Performs tests related to Office 365 users; more than 13 tests are run across all Office 365 users.
Performs tests related to Exchange Online and Email. Policies, Email Forwarding, Mailboxes on Litigation hold, and several other tests are performed. Exchange Online category includes 30 tests.
All tests related to Azure Active Directory authentication, ensuring that users and Office 365 administrative roles are protected by MFA. There are 23 tests performed.
There are 12 tests performed for Office 365 configuration. The tests range from License Consumption to Directory Synchronization configuration.
In the Data Management category, tests related to DLP, external sharing, SharePoint Online protection, and other relevant checks are performed. Seven tests are available in this category.
Auditing tests include checking the Azure AD risky sign-in reports, ensuring mail-forwarding rules are reviewed, and other relevant auditing checks. Some auditing items must be checked weekly and require manual intervention. There are 16 tests in the Auditing category.
Tests such as Ensure document sharing is being controlled by domains with whitelist or blacklist, Block OneDrive for Business sync from unmanaged devices and other storage tests are checked and reported.
Mobile Device Management category includes more than 22 tests which are performed to ensure mobile devices have necessary policies configured.
In addition to the CIS tests, more than 119 SmartProfiler tests designed by our Microsoft 365 expert team are performed.
Assessment time depends on the number of users and mailboxes in the Microsoft 365 tenant; a CIS assessment of a tenant with 8,000 mailboxes typically takes 1-2 hours.
SmartProfiler for M365 CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft 365 Tenants. You can add unlimited M365 Tenants in the tool. However, each M365 Tenant requires a license before the assessment can be done.
If your security team will not provide a Global Administrator account, run the assessment first with a Global Reader account. It can run about 90% of the tests automatically and still produces a report. Tell the security team that a Global Administrator account is required only for the SharePoint tests; if they agree, select just "SharePoint Tests" in the execution console and execute that subset.
Here is the list of tests included with SmartProfiler for M365. SmartProfiler also offers additional tests that are not in the CIS v3.1.0 list.
The following tests are part of the CIS Microsoft 365 Foundations Benchmark v3.1.0.
Category | CIS Profile | Test |
--- | --- | --- |
M365 Admin Center-Users | E3 Level 1 | Ensure Administrative accounts are separate and cloud-only |
M365 Admin Center-Users | E3 Level 1 | Ensure two emergency access accounts have been defined |
M365 Admin Center-Users | E3 Level 1 | Ensure that between two and four global admins are designated |
M365 Admin Center-Users | E3 Level 1 | Ensure Guest Users are reviewed at least biweekly |
M365 Admin Center-Teams and Groups | E3 Level 2 | Ensure that only organizationally managed-approved public groups exist |
M365 Admin Center-Teams and Groups | E3 Level 1 | Ensure sign-in to shared mailboxes is blocked |
M365 Admin Center-Settings | E3 Level 1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) |
M365 Admin Center-Settings | E3 Level 1 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices |
M365 Admin Center-Settings | E3 Level 2 | Ensure calendar details sharing with external users is disabled |
M365 Admin Center-Settings | E3 Level 1 | Ensure User owned apps and services is restricted |
M365 Admin Center-Settings | E3 Level 1 | Ensure internal phishing protection for Forms is enabled |
M365 Admin Center-Settings | E5 Level 2 | Ensure the customer lockbox feature is enabled |
M365 Admin Center-Settings | E3 Level 2 | Ensure third-party storage services are restricted in Microsoft 365 on the web |
M365 Admin Center-Settings | E3 Level 2 | Ensure that Sways cannot be shared with people outside of your organization |
Microsoft 365 Defender-Email and Collaboration | E5 Level 2 | Ensure Safe Links for Office Applications is Enabled |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure the Common Attachment Types Filter is enabled |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure notifications for internal users sending malware is Enabled |
Microsoft 365 Defender-Email and Collaboration | E5 Level 2 | Ensure Safe Attachments policy is enabled |
Microsoft 365 Defender-Email and Collaboration | E5 Level 2 | Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure Exchange Online Spam Policies are set correctly |
Microsoft 365 Defender-Email and Collaboration | E5 Level 1 | Ensure that an anti-phishing policy has been created |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure that SPF records are published for all Exchange Domains |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure that DKIM is enabled for all Exchange Online Domains |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure DMARC Records for all Exchange Online domains are published |
Microsoft 365 Defender-Email and Collaboration | E5 Level 1 | Ensure the spoofed domains report is reviewed weekly |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure the Restricted entities report is reviewed weekly |
Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure all security threats in the Threat protection status report are reviewed at least weekly |
Microsoft 365 Defender-Audit | E3 Level 1 | Ensure the Account Provisioning Activity report is reviewed at least weekly |
Microsoft 365 Defender-Audit | E3 Level 1 | Ensure non-global administrator role group assignments are reviewed at least weekly |
Microsoft 365 Defender-Settings | E5 Level 1 | Ensure Priority account protection is enabled and configured |
Microsoft 365 Defender-Settings | E5 Level 1 | Ensure Priority accounts have Strict protection presets applied |
Microsoft 365 Defender-Settings | E5 Level 2 | Ensure Microsoft Defender for Cloud Apps is Enabled |
Microsoft Purview-Audit | E3 Level 1 | Ensure Microsoft 365 audit log search is Enabled |
Microsoft Purview-Audit | E3 Level 1 | Ensure user role group changes are reviewed at least weekly |
Microsoft Purview-Data Loss Protection | E3 Level 1 | Ensure DLP policies are enabled |
Microsoft Purview-Data Loss Protection | E5 Level 1 | Ensure DLP policies are enabled for Microsoft Teams |
Microsoft Purview-Information Protection | E3 Level 1 | Ensure SharePoint Online Information Protection policies are set up and used |
Microsoft Entra admin center-Identity-Overview | E3 Level 1 | Ensure Security Defaults is disabled on Azure Active Directory |
Microsoft Entra admin center-Identity-Users | E3 Level 1 | Ensure Per-user MFA is disabled |
Microsoft Entra admin center-Identity-Users | E3 Level 2 | Ensure third party integrated applications are not allowed |
Microsoft Entra admin center-Identity-Users | E3 Level 1 | Ensure Restrict non-admin users from creating tenants is set to Yes |
Microsoft Entra admin center-Identity-Users | E3 Level 1 | Ensure Restrict access to the Azure AD administration portal is set to Yes |
Microsoft Entra admin center-Identity-Users | E3 Level 2 | Ensure the option to remain signed in is hidden |
Microsoft Entra admin center-Identity-Users | E3 Level 2 | Ensure LinkedIn account connections is disabled |
Microsoft Entra admin center-Identity-Groups | E3 Level 1 | Ensure a dynamic group for guest users is created |
Microsoft Entra admin center-Identity-Applications | E3 Level 1 | Ensure the Application Usage report is reviewed at least weekly |
Microsoft Entra admin center-Identity-Applications | E3 Level 2 | Ensure user consent to apps accessing company data on their behalf is not allowed |
Microsoft Entra admin center-Identity-Applications | E3 Level 1 | Ensure the admin consent workflow is enabled |
Microsoft Entra admin center-Identity-External Identities | E3 Level 2 | Ensure that collaboration invitations are sent to allowed domains only |
Microsoft Entra admin center-Identity-Hybrid Management | E3 Level 1 | Ensure that password hash sync is enabled for hybrid deployments |
Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure multifactor authentication is enabled for all users in administrative roles |
Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure multifactor authentication is enabled for all users |
Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Enable Conditional Access policies to block legacy authentication |
Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
Microsoft Entra admin center-Protection-Conditional Access | E3 Level 2 | Ensure Phishing-resistant MFA strength is required for Administrators |
Microsoft Entra admin center-Protection-Conditional Access | E5 Level 2 | Enable Azure AD Identity Protection user risk policies |
Microsoft Entra admin center-Protection-Conditional Access | E5 Level 2 | Enable Azure AD Identity Protection sign-in risk policies |
Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure Microsoft Azure Management is limited to administrative roles |
Microsoft Entra admin center-Protection-Authentication Methods | E3 Level 1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
Microsoft Entra admin center-Protection-Authentication Methods | E3 Level 1 | Ensure custom banned passwords lists are used |
Microsoft Entra admin center-Protection-Authentication Methods | E3 Level 1 | Ensure that password protection is enabled for Active Directory |
Microsoft Entra admin center-Protection-Password Reset | E3 Level 1 | Ensure Self service password reset enabled is set to All |
Microsoft Entra admin center-Protection-Password Reset | E3 Level 1 | Ensure the self-service password reset activity report is reviewed at least weekly |
Microsoft Entra admin center-Protection-Risk Activities | E3 Level 1 | Ensure the Azure AD Risky sign-ins report is reviewed at least weekly |
Microsoft Entra admin center-Identity Governance | E5 Level 2 | Ensure Privileged Identity Management is used to manage roles |
Microsoft Entra admin center-Identity Governance | E5 Level 2 | Ensure Access reviews for Guest Users are configured |
Microsoft Entra admin center-Identity Governance | E5 Level 1 | Ensure Access reviews for high privileged Azure AD roles are configured |
Microsoft Exchange admin center-Audit | E3 Level 1 | Ensure AuditDisabled organizationally is set to False |
Microsoft Exchange admin center-Audit | E3 Level 1 | Ensure mailbox auditing for E3 users is Enabled |
Microsoft Exchange admin center-Audit | E5 Level 1 | Ensure mailbox auditing for E5 users is Enabled |
Microsoft Exchange admin center-Audit | E3 Level 1 | Ensure AuditBypassEnabled is not enabled on mailboxes |
Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure all forms of mail forwarding are blocked and-or disabled |
Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure mail transport rules do not whitelist specific domains |
Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure Tagging is enabled for External Emails |
Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure Tagging does not allow specific domains |
Microsoft Exchange admin center-Roles | E3 Level 2 | Ensure users installing Outlook add-ins is not allowed |
Microsoft Exchange admin center-Reports | E3 Level 1 | Ensure mail forwarding rules are reviewed at least weekly |
Microsoft Exchange admin center-Settings | E3 Level 1 | Ensure modern authentication for Exchange Online is enabled |
Microsoft Exchange admin center-Settings | E3 Level 2 | Ensure MailTips are enabled for end users |
Microsoft Exchange admin center-Settings | E3 Level 2 | Ensure external storage providers available in Outlook on the Web are restricted |
Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure modern authentication for SharePoint applications is required |
Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled |
Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure external content sharing is restricted |
Microsoft SharePoint Admin Center-Policies | E3 Level 2 | Ensure OneDrive content sharing is restricted |
Microsoft SharePoint Admin Center-Policies | E3 Level 2 | Ensure that SharePoint guest users cannot share items they don't own |
Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure link sharing is restricted in SharePoint and OneDrive |
Microsoft SharePoint Admin Center-Policies | E3 Level 2 | Ensure external sharing is restricted by security group |
Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure expiration time for external sharing links is set |
Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure reauthentication with verification code is restricted |
Microsoft SharePoint Admin Center-Settings | E5 Level 2 | Ensure Microsoft 365 SharePoint infected files are disallowed for download |
Microsoft SharePoint Admin Center-Settings | E3 Level 2 | Block OneDrive for Business sync from unmanaged devices |
Microsoft SharePoint Admin Center-Settings | E3 Level 1 | Ensure custom script execution is restricted on personal sites |
Microsoft SharePoint Admin Center-Settings | E3 Level 1 | Ensure custom script execution is restricted on site collections |
Microsoft Teams Admin Center-Teams | E3 Level 2 | Ensure external file sharing in Teams is enabled for only approved cloud storage services |
Microsoft Teams Admin Center-Teams | E3 Level 1 | Ensure users can't send emails to a channel email address |
Microsoft Teams Admin Center-Users | E3 Level 2 | Ensure external access is restricted in the Teams admin center |
Microsoft Teams Admin Center-Teams Apps | E3 Level 1 | Ensure app permission policies are configured |
Microsoft Teams Admin Center-Meetings | E3 Level 2 | Ensure anonymous users can't join a meeting |
Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure anonymous users and dial-in callers can't start a meeting |
Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure only people in my org can bypass the lobby |
Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure users dialing in can't bypass the lobby |
Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure meeting chat does not allow anonymous users |
Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure only organizers and co-organizers can present |
Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure external participants can't give or request control |
Microsoft Teams Admin Center-Messaging | E3 Level 1 | Ensure users can report security concerns in Teams |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure guest user access is restricted |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure external user invitations are restricted |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure guest access to content is restricted |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure Publish to web is restricted |
Microsoft Fabric-Tenant Settings | E3 Level 2 | Ensure Interact with and share R and Python visuals is Disabled |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure Allow users to apply sensitivity labels for content is Enabled |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure shareable links are restricted |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure enabling of external data sharing is restricted |
Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure Block ResourceKey Authentication is Enabled |
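The Entra ID rows above (Security Defaults, the Conditional Access policy for legacy authentication, the number of Global Administrators) and the "dangerous defaults" rows further down all come down to reading a handful of tenant-wide policy objects. The following PowerShell is an added example, not SmartProfiler's code, showing how a read-only check of those controls looks with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account holds Global Reader; only read scopes are requested. The role template GUID is Microsoft's fixed identifier for Global Administrator.

```powershell
# Added example (not SmartProfiler's code): read-only spot checks for a few of the
# Entra ID controls in the table above, using the Microsoft Graph PowerShell SDK (v2).
# Assumptions: the Microsoft.Graph module is installed and the signed-in account holds
# Global Reader. Only read scopes are requested and only Get-* cmdlets are called.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Uniform finding record: one row per control, with the raw evidence the verdict rests on.
function New-Finding {
    param([string]$Test, [bool]$Pass, [string]$Evidence)
    [pscustomobject]@{ Test = $Test; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Evidence = $Evidence }
}

# Security Defaults should be off once Conditional Access policies carry the controls.
function Test-SecurityDefaults {
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    New-Finding 'Security Defaults is disabled' (-not $sd.IsEnabled) "IsEnabled=$($sd.IsEnabled)"
}

# Legacy authentication is blocked when an enabled CA policy targets the
# 'exchangeActiveSync' and 'other' client app types with a Block grant control.
function Test-LegacyAuthBlocked {
    $match = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq 'enabled' -and
        $_.GrantControls.BuiltInControls -contains 'block' -and
        $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
        $_.Conditions.ClientAppTypes -contains 'other'
    }
    New-Finding 'CA policy blocks legacy authentication' ([bool]$match) (@($match.DisplayName) -join '; ')
}

# The "dangerous defaults": what ordinary members and guests may do out of the box.
function Test-DefaultUserPermissions {
    $ap = Get-MgPolicyAuthorizationPolicy
    $p  = $ap.DefaultUserRolePermissions
    New-Finding 'Users cannot register applications'  (-not $p.AllowedToCreateApps)           "AllowedToCreateApps=$($p.AllowedToCreateApps)"
    New-Finding 'Users cannot create security groups' (-not $p.AllowedToCreateSecurityGroups) "AllowedToCreateSecurityGroups=$($p.AllowedToCreateSecurityGroups)"
    New-Finding 'Users cannot create tenants'         (-not $p.AllowedToCreateTenants)        "AllowedToCreateTenants=$($p.AllowedToCreateTenants)"
    # 'everyone' is the only AllowInvitesFrom value that lets guests invite other guests.
    New-Finding 'Guests cannot invite other guests'   ($ap.AllowInvitesFrom -ne 'everyone')   "AllowInvitesFrom=$($ap.AllowInvitesFrom)"
}

# Between two and four Global Administrators. The GUID is Microsoft's fixed role template
# id for Global Administrator; only active (not PIM-eligible) assignments are counted.
function Test-GlobalAdminCount {
    $role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $n = @($members).Count
    New-Finding 'Between 2 and 4 Global Administrators' ($n -ge 2 -and $n -le 4) "Count=$n"
}

$findings = @(Test-SecurityDefaults; Test-LegacyAuthBlocked; Test-DefaultUserPermissions; Test-GlobalAdminCount)
$findings | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Two caveats a reviewer of the output should keep in mind: the Global Administrator count covers only active directory role members, so tenants that use PIM eligible assignments will show fewer administrators than actually hold the role, and the legacy-authentication check looks for one policy carrying both client app types, so a tenant that splits them across two policies needs the filter relaxed.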
The following tests, recommended by Microsoft 365 experts, are not included in the CIS v3.1.0 test list. We recommend executing them as part of a Microsoft 365 security and compliance assessment.
Category | Test |
--- | --- |
M365 Admin Center-Accounts and Authentication | Ensure Azure Information Protection-AIP is enabled at Global Level |
M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 User Roles have less than 10 Admins |
M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 Users Have Strong Password Requirements Configured |
M365 Admin Center-Accounts and Authentication | Ensure self-service password reset is enabled |
M365 Admin Center-Accounts and Authentication | Ensure that Microsoft 365 Passwords Are Not Set to Expire |
M365 Admin Center-Accounts and Authentication | Ensure modern authentication for Teams Online is enabled |
M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 Exchange Online Modern Authentication is Used |
M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 Exchange Online Privileged Access Management is Used |
M365 Admin Center-Auditing | Ensure Enterprise Applications Role Assignments are reviewed weekly |
Microsoft 365 Defender-Email and Collaboration | Ensure No Domains with SPF Soft Fail are Configured |
Microsoft Purview-Data Loss Protection | Ensure DLP Policy is enabled for OneDrive |
Microsoft Purview-Data Loss Protection | Ensure DLP Policy is configured for SharePoint |
Microsoft Purview-Data Loss Protection | Ensure Custom Anti-Malware Policy is Present |
Microsoft Purview-Data Loss Protection | Ensure Custom Anti-Phishing Policy is Present |
Microsoft Purview-Data Loss Protection | Ensure Custom DLP Policies are Present |
Microsoft Purview-Data Loss Protection | Ensure Custom DLP Sensitive Information Types are Defined |
Microsoft Entra admin center-Identity Governance | Use Just In Time privileged access to Microsoft 365 roles |
Microsoft Exchange admin center-Audit | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled |
Microsoft Exchange admin center-Audit | Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled |
Microsoft Exchange admin center-Mailflow | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured |
Microsoft Exchange admin center-Mailflow | Ensure Do Not Bypass the Safe Attachments Filter is not configured |
Microsoft Exchange admin center-Mailflow | Ensure Do Not Bypass the Safe Links Feature is not configured |
Microsoft Exchange admin center-Mailflow | Ensure Exchange Modern Authentication is Enabled |
Microsoft Exchange admin center-Mailflow | Ensure Transport Rules to Block Executable Attachments are configured |
Microsoft Exchange admin center-Mailflow | Ensure Dangerous Attachment Extensions are Filtered is configured |
Microsoft Exchange admin center-Mailflow | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured |
Microsoft Exchange admin center-Mailflow | Ensure Transport Rules to Block Large Attachments are configured |
Microsoft Exchange admin center-Mailflow | Ensure Mailbox Auditing is Enabled at Tenant Level |
Microsoft Exchange admin center-Mailflow | Ensure Mailboxes without Mailbox Auditing are not present |
Microsoft Exchange admin center-Mailflow | Ensure IMAP is not enabled on Exchange Online mailboxes |
Microsoft Exchange admin center-Mailflow | Ensure POP is not enabled on Exchange Online mailboxes |
Microsoft Exchange admin center-Mailflow | Ensure SMTP Authentication is not enabled on Exchange Online mailboxes |
Microsoft Exchange admin center-Mailflow | Ensure Common Malicious Attachment Extensions are Filtered |
Microsoft Exchange admin center-Mailflow | Ensure Safe Attachments is Enabled |
Microsoft Exchange admin center-Mailflow | Ensure Safe Links is Enabled |
Microsoft Exchange admin center-Mailflow | Ensure Safe Links Click-Through is Not Allowed |
Microsoft Exchange admin center-Mailflow | Ensure Safe Links Flags Links in Real Time |
Microsoft Exchange admin center-Mailflow | Ensure SMTP Authentication is disabled Globally |
Microsoft Exchange admin center-Mailflow | Ensure mail transport rules do not forward email to external domains |
Microsoft Exchange admin center-Mailflow | Ensure automatic forwarding options are disabled |
Microsoft Exchange admin center-Mailflow | Ensure the Client Rules Forwarding Block is enabled |
Microsoft Exchange admin center-Mailflow | Ensure the Advanced Threat Protection Safe Links policy is enabled |
Microsoft Exchange admin center-Mailflow | Ensure the Advanced Threat Protection SafeAttachments policy is enabled |
Microsoft Exchange admin center-Mailflow | Ensure that an anti-phishing policy has been created |
Microsoft Exchange admin center-Mailflow | Ensure mailbox auditing for all users is Enabled |
Microsoft Exchange admin center-Reports | Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly |
Microsoft Exchange admin center-Reports | Ensure the Malware Detections report is reviewed at least weekly |
Microsoft Exchange admin center-Reports | Ensure the report of users who have had their email privileges restricted due to spamming is reviewed |
Microsoft Exchange admin center-Reports | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified |
Microsoft Exchange admin center-Reports | Ensure Microsoft 365 Hidden Mailboxes are Identified |
Microsoft Exchange admin center-Reports | Ensure Mailboxes External Address Forwarding is not configured |
Microsoft Exchange admin center-Reports | Ensure Exchange Online Mailboxes on Litigation Hold are identified |
Microsoft Exchange admin center-Reports | Ensure Exchange Online SPAM Domains are identified |
Microsoft Exchange admin center-Reports | Ensure Exchange Online Mailbox Auditing is enabled |
Microsoft Exchange admin center-Reports | Microsoft 365 Exchange Online Admin Success and Failure Attempts |
Microsoft Exchange admin center-Reports | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts |
Microsoft Exchange admin center-Settings | Ensure no rules bypass email security checks based on sender domain |
Microsoft Exchange admin center-Settings | Ensure no rules bypass email security checks based on sender IP |
Microsoft Exchange admin center-Settings | Ensure No Exchange Mailboxes with FullAccess Delegates are present |
Microsoft Exchange admin center-Settings | Ensure No Exchange Mailboxes with SendAs Delegates are present |
Microsoft Exchange admin center-Settings | Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present |
Microsoft SharePoint Admin Center-Policies | Ensure document sharing is being controlled by domains with whitelist or blacklist |
Microsoft SharePoint Admin Center-Settings | Ensure SharePoint sites are not enabled for both External and User Sharing |
Microsoft SharePoint Admin Center-Settings | External user sharing (share by email) and guest link sharing are both disabled |
Microsoft SharePoint Admin Center-Settings | Ensure that external users cannot share files folders and sites they do not own |
Microsoft SharePoint Admin Center-Settings | SharePoint External Sharing is not Enabled at Global Level |
Microsoft SharePoint Admin Center-Settings | SharePoint External User Resharing is not Permitted |
Microsoft SharePoint Admin Center-Settings | SharePoint Legacy Authentication is not Enabled |
Microsoft SharePoint Admin Center-Settings | SharePoint Anyone Shared Links Never Expire is not configured |
Microsoft SharePoint Admin Center-Settings | SharePoint Online Modern Authentication is Enabled |
Microsoft SharePoint Admin Center-Settings | Ensure Sign out inactive users in SharePoint Online is Configured |
Microsoft Teams Admin Center-Teams | Ensure End-to-end encryption for Microsoft Teams is enabled |
Microsoft Teams Admin Center-Teams | Ensure external domains are not allowed in Teams |
Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams External Domain Communication Policies are configured |
Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled |
Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Policies Allow Anonymous Members is disabled |
Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Consumer Communication Policies are configured |
Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams External Access Policies are configured |
Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled |
Microsoft Teams Admin Center-Policies | Ensure Safe Links for Teams is Enabled |
Microsoft M365 Users-Users | Ensure All Microsoft 365 Users are licensed |
Microsoft M365 Users-Users | Ensure Deleted Microsoft 365 Users are Identified |
Microsoft M365 Users-Users | Ensure Disabled Microsoft 365 Users are Identified |
Microsoft M365 Users-Users | Ensure Microsoft 365 Users have no Reconciliation Errors |
Microsoft M365 Users-Users | Ensure Microsoft 365 Users Password Expires |
Microsoft M365 Users-Users | Ensure Microsoft 365 Users are Syncing and No Sync Errors |
Microsoft M365 Users-Users | Ensure no Provisioning Errors for Microsoft 365 Users |
Microsoft M365 Users-Users | Ensure Microsoft 365 Blocked Users are Identified |
Microsoft M365 Users-Users | Ensure Microsoft 365 Users Have Changed Passwords |
Microsoft M365 Users-Users | Ensure Microsoft 365 Company Administrators have less than 5 Admins |
Microsoft M365 Users-Users | Ensure Microsoft 365 Deleted and Licensed Users are Identified |
Microsoft M365 Users-Users | Ensure Microsoft 365 Groups Without Members are Identified |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile device management policies are set to require advanced security configurations for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile device management policies are set to require advanced security configurations for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device password reuse is prohibited for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device password reuse is prohibited for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices are set to never expire passwords for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices are set to never expire passwords for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that users cannot connect from devices that are jailbroken or rooted |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require a minimum password length to prevent brute force attacks for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require a minimum password length to prevent brute force attacks for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure devices lock after a period of inactivity to prevent unauthorized access for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure devices lock after a period of inactivity to prevent unauthorized access for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require complex passwords (Type = Alphanumeric) for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require complex passwords (Type = Alphanumeric) for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) for iOS Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure that devices connecting have AV and a local firewall enabled |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile device management policies are required for email profiles |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices require the use of a password for Android Devices |
Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices require the use of a password for iOS Devices |
Microsoft M365 Dangerous Defaults | Ensure Users can read all attributes in Azure AD is disabled |
Microsoft M365 Dangerous Defaults | Ensure Users can create security groups is disabled |
Microsoft M365 Dangerous Defaults | Ensure Users are allowed to create and register applications is disabled |
Microsoft M365 Dangerous Defaults | Ensure Users with a verified mail domain can join the tenant is disabled |
Microsoft M365 Dangerous Defaults | Ensure Guests can invite other guests into the tenant is disabled |
Microsoft M365 Dangerous Defaults | Ensure Users are allowed to create new Azure Active Directory Tenants is disabled |
Microsoft M365 Dangerous Defaults | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
Microsoft M365 Configuration | Ensure Microsoft 365 Licenses are consumed in SKUs |
Microsoft M365 Configuration | Ensure All Microsoft 365 Domains Have been verified |
Microsoft M365 Configuration | Ensure Microsoft 365 Domain Services Have Services Assigned |
Microsoft M365 Configuration | Ensure Microsoft 365 Notification Email is configured |
Microsoft M365 Configuration | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured |
Microsoft M365 Configuration | Ensure Microsoft 365 Dir Sync Feature is Configured |
Microsoft M365 Configuration | Ensure Microsoft 365 Dir Sync Features Are Used |
Microsoft M365 Configuration | Ensure No Microsoft 365 Dir Sync Property Conflicts |
Microsoft M365 Configuration | Ensure No Microsoft 365 Dir Sync Property Conflict with User Principal Name |
Microsoft M365 Configuration | Ensure No Microsoft 365 Dir Sync Property Conflict with ProxyAddress |
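Many of the Exchange Online rows in both lists above (AuditDisabled, AuditBypassEnabled, the forwarding controls, transport rules that whitelist domains, IMAP/POP/SMTP AUTH) are read-only queries against the tenant. The following PowerShell is an added example, not SmartProfiler's code, showing one way to implement those checks with the ExchangeOnlineManagement module. It assumes the module is installed and that `reader@contoso.com` is a placeholder for an account holding Global Reader, which Exchange Online maps to view-only access sufficient for the Get-* cmdlets used here; nothing is written to the tenant.

```powershell
# Added example (not SmartProfiler's code): read-only checks for several Exchange Online
# controls from the lists above, using the ExchangeOnlineManagement module (v3).
# Assumptions: the module is installed; 'reader@contoso.com' is a placeholder for an
# account holding Global Reader. Only Get-* cmdlets are called.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'reader@contoso.com' -ShowBanner:$false

function New-Finding {
    param([string]$Test, [bool]$Pass, [string]$Evidence)
    [pscustomobject]@{ Test = $Test; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Evidence = $Evidence }
}

# Organisation-level mailbox auditing (AuditDisabled must be False).
function Test-OrgAuditing {
    $oc = Get-OrganizationConfig
    New-Finding 'AuditDisabled is False' (-not $oc.AuditDisabled) "AuditDisabled=$($oc.AuditDisabled)"
}

# No mailbox may be exempted from auditing through a bypass association.
function Test-AuditBypass {
    $bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object AuditBypassEnabled
    New-Finding 'No AuditBypassEnabled mailboxes' (-not $bypass) (@($bypass.Name) -join ', ')
}

# Every route for automatic forwarding: outbound spam policy, remote domains,
# mailbox forwarding attributes, and user-created inbox rules.
function Test-Forwarding {
    $spam = Get-HostedOutboundSpamFilterPolicy | Where-Object AutoForwardingMode -ne 'Off'
    New-Finding 'Outbound spam policies set AutoForwardingMode=Off' (-not $spam) (@($spam.Name) -join ', ')

    $rd = Get-RemoteDomain | Where-Object AutoForwardEnabled
    New-Finding 'Remote domains have AutoForwardEnabled=False' (-not $rd) (@($rd.DomainName) -join ', ')

    $mbx = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress
    $fwd = $mbx | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }
    New-Finding 'No mailbox-level forwarding' (-not $fwd) (@($fwd.UserPrincipalName) -join ', ')

    # One Get-InboxRule call per mailbox: this is the step whose runtime grows with mailbox count.
    $rules = foreach ($m in $mbx) {
        Get-InboxRule -Mailbox $m.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    }
    $ev = @($rules | ForEach-Object { "$($_.MailboxOwnerId):$($_.Name)" }) -join ', '
    New-Finding 'No forwarding inbox rules' (-not $rules) $ev
}

# Transport rules that set SCL -1 for specific sender domains bypass spam filtering.
function Test-WhitelistRules {
    $rules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $_.SenderDomainIs }
    New-Finding 'No transport rules whitelist sender domains' (-not $rules) (@($rules.Name) -join ', ')
}

# Legacy protocols: tenant-wide SMTP AUTH, then per-mailbox IMAP/POP and explicit SMTP AUTH
# overrides. On a mailbox, SmtpClientAuthenticationDisabled=$false overrides the tenant setting;
# $null means the mailbox inherits it, so only an explicit $false is flagged.
function Test-LegacyProtocols {
    $tc = Get-TransportConfig
    New-Finding 'SMTP AUTH disabled tenant-wide' ([bool]$tc.SmtpClientAuthenticationDisabled) "SmtpClientAuthenticationDisabled=$($tc.SmtpClientAuthenticationDisabled)"
    $cas = Get-EXOCASMailbox -ResultSize Unlimited -Properties ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled
    $legacy = $cas | Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false }
    New-Finding 'No mailbox with IMAP, POP or SMTP AUTH enabled' (-not $legacy) "Count=$(@($legacy).Count)"
}

$findings = @(Test-OrgAuditing; Test-AuditBypass; Test-Forwarding; Test-WhitelistRules; Test-LegacyProtocols)
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The per-mailbox `Get-InboxRule` loop is the reason assessment time scales with mailbox count, as the duration note above describes; on a large tenant it dominates the run, while every other check here is a single tenant-level call.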
Instead of gathering this data manually, which can take a significant amount of time, SmartProfiler for M365 automates nearly all of the tests so that the assessment completes in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really give you insights about your Active Directory environment and make sure every risk is mitigated.
Copyright © DynamicPacks Technologies