forked from mondoohq/cnspec-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
mondoo-ms365-security.mql.yaml
670 lines (527 loc) · 31.3 KB
/
mondoo-ms365-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-ms365-security
name: Microsoft 365 Security
version: 2.0.0
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: microsoft365,saas
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |-
## Overview
Microsoft 365 Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft 365.
## Remote scan
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
For a complete list of providers run:
```bash
cnspec scan --help
```
### Installation
Remote scans of Microsoft 365 require API credentials with access to the subscription. Please follow the setup guide to create a Application registration and grant access to it:
[MS365 Setup Guide](https://mondoo.com/docs/platform/infra/saas/ms365/ms365-auto/)
### Scan a Microsoft 365 subscription
```bash
cnspec scan ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id> --policy-bundle mondoo-ms365-security.mql.yaml>
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Microsoft365
filters: |
asset.platform == "microsoft365"
checks:
- uid: mondoo-m365-security-enable-azure-ad-identity-protection-sign-in-risk-policies
- uid: mondoo-m365-security-enable-azure-ad-identity-protection-user-risk-policies
- uid: mondoo-m365-security-enable-conditional-access-policies-to-block-legacy-authentication
- uid: mondoo-m365-security-ensure-multifactor-authentication-is-enabled-for-all-users-in-administrative-roles
- uid: mondoo-m365-security-ensure-multifactor-authentication-is-enabled-for-all-users-in-all-roles
- uid: mondoo-m365-security-ensure-security-defaults-is-disabled-on-azure-active-directory
- uid: mondoo-m365-security-ensure-that-between-two-and-four-global-admins-are-designated
- uid: mondoo-m365-security-ensure-that-mobile-device-encryption-is-enabled-to-prevent-unauthorized-access-to-mobile-data
- uid: mondoo-m365-security-ensure-that-mobile-devices-require-a-minimum-password-length-to-prevent-brute-force-attacks
- uid: mondoo-m365-security-ensure-that-office-365-passwords-are-not-set-to-expire
- uid: mondoo-m365-security-ensure-that-spf-records-are-published-for-all-exchange-domains
- uid: mondoo-m365-security-ensure-third-party-integrated-applications-are-not-allowed
scoring_system: highest impact
queries:
- uid: mondoo-m365-security-enable-azure-ad-identity-protection-sign-in-risk-policies
title: Enable Azure AD Identity Protection sign-in risk policies
impact: 80
mql: |
microsoft.security.latestSecureScores.controlScores.where(controlName == 'SigninRiskPolicy').all(_['score'] == 7)
docs:
desc: |
This check ensures that there are some policies in place which can detect risky sign-in in real-time and offline. A risky sign-in mainly means a sign-in attempt which might be performed by illegitimate owner of a user account.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'SigninRiskPolicy') {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'SigninRiskPolicy') {*}
```
remediation:
- desc: |-
**To configure a Sign-In risk policy, use the following steps:**
1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
2. Select expand `Protection` > `Conditional Access` select `Policies`.
3. Create a new policy by selecting `New policy`.
4. Set the following conditions within the policy.
- Under `Users or workload identities` choose `All users`
- Under `Cloud apps or actions` choose `All cloud apps`
- Under `Conditions` choose `Sign-in risk` then `Yes` and check the risk level boxes `High` and `Medium`
- Under `Access Controls` select `Grant` then in the right pane select `Grant access` then select `Require multifactor authentication`.
- Under `Session` select `Sign-in Frequency` and set to `Every time`.
5. Select `Select`
6. You may opt to begin in a state of `Report Only` as you step through implementation however, the policy will need to be set to `On` to be in effect.
7. Select `Create`.
**NOTE:** for more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks)
- uid: mondoo-m365-security-enable-azure-ad-identity-protection-user-risk-policies
title: Enable Azure AD Identity Protection user risk policies
impact: 100
mql: |
microsoft.security.latestSecureScores.controlScores.where(controlName == 'UserRiskPolicy').all(_['score'] == 7)
docs:
desc: |
This check ensures that there are some policies in place which can detect risky sign-in in real-time and offline. A risky sign-in mainly means a sign-in attempt which might be performed by illegitimate owner of a user account.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'UserRiskPolicy') {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'UserRiskPolicy') {*}
```
remediation:
- desc: |-
**To configure a User risk policy, use the following steps:**
1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
2. Select expand `Protection` > `Conditional Access` select `Policies`.
3. Create a new policy by selecting `New policy`.
4. Set the following conditions within the policy:
- Under `Users or workload identities` choose `All users`
- Under `Cloud apps or actions` choose `All cloud apps`
- Under `Conditions` choose `User risk` then `Yes` and select the user risk level `High`.
- Under `Access Controls` select `Grant` then in the right pane select `Grant access` then select `Require multifactor authentication` and `Require password change`.
- Under `Session` ensure `Sign-in frequency` is set to `Every time`.
5. Select `Select`.
6. You may opt to begin in a state of `Report Only` as you step through implementation however, the policy will need to be set to `On` to be in effect.
7. Select `Create`.
**NOTE:** for more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks)
- uid: mondoo-m365-security-enable-conditional-access-policies-to-block-legacy-authentication
title: Enable Conditional Access policies to block legacy authentication
impact: 80
mql: |
microsoft.security.latestSecureScores.controlScores.where(controlName == 'BlockLegacyAuthentication').all(_['score'] == 8)
docs:
desc: |
This check ensures that the legacy authentication protocols has been disabled in office 365.
To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication doesn't support things like multi-factor authentication (MFA). MFA is a common requirement to improve security posture in organizations.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'BlockLegacyAuthentication') {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'BlockLegacyAuthentication') {*}
```
remediation:
- desc: |-
**To setup a conditional access policy to block legacy authentication, use the following steps:**
1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
2. Select expand `Protection` > `Conditional Access` select `Policies`.
3. Create a new policy by selecting `New policy`.
4. Set the following conditions within the policy.
- Select `Conditions` then `Client apps` enable the settings for and `Exchange ActiveSync clients` and `other clients`.
- Under `Access controls` set the `Grant` section to `Block access`
- Under `Assignments` enable `All users`
- Under `Assignments` and `Users and groups` set the `Exclude` to be at least one low risk account or directory role. This is required as a best practice.
- uid: mondoo-m365-security-ensure-multifactor-authentication-is-enabled-for-all-users-in-administrative-roles
title: Ensure multifactor authentication is enabled for all users in administrative roles
impact: 100
mql: |
microsoft.security.latestSecureScores.controlScores.where(controlName == 'AdminMFAV2').all(_['score'] == 10)
docs:
desc: |
Enable multi-factor authentication for all users in administrative roles!
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'AdminMFAV2') {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'AdminMFAV2') {*}
```
remediation:
- desc: |-
**To enable multifactor authentication for administrators:**
1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
2. Select expand `Protection` > `Conditional Access` select `Policies`.
3. Select `New policy`.
4. Go to `Assignments` > `Users and groups` > `Include` > `Select users and groups` > check `Directory roles`.
5. At a minimum, select the `Directory roles listed` below in this section of the document.
6. Go to `Cloud apps or actions` > `Cloud apps` > `Include` > select `All cloud apps (and don't exclude any apps)`.
7. Under `Access controls` > `Grant` > select `Grant access` > check `Require multi-factor authentication` (and nothing else).
8. Leave all other conditions blank.
9. Make sure the policy is enabled.
10. Create.
**At minimum these directory roles should be included for MFA:**
- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator
- uid: mondoo-m365-security-ensure-multifactor-authentication-is-enabled-for-all-users-in-all-roles
title: Ensure multifactor authentication is enabled for all users
impact: 100
mql: |
microsoft.security.latestSecureScores.controlScores.where(controlName == 'MFARegistrationV2').all(_['score'] == 9)
docs:
desc: |
This check ensures that the MFA has been enabled for all users in the Microsoft 365 tenant.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'MFARegistrationV2') {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.security.latestSecureScores.controlScores.where(_['controlName'] == 'MFARegistrationV2') {*}
```
remediation:
- desc: |-
**To enable multifactor authentication for all users:**
1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
2. Select expand `Protection` > `Conditional Access` select `Policies`.
3. Select `New policy`.
4. Go to `Assignments` > `Users and groups` > `Include` > select `All users` (and do not exclude any user).
5. Select `Cloud apps or actions` > `All cloud apps` (and don't exclude any apps).
6. `Access Controls` > `Grant` > `Require multi-factor authentication` (and nothing else).
7. Leave all other conditions blank.
8. Make sure the policy is Enabled/On.
9. Create.
- uid: mondoo-m365-security-ensure-security-defaults-is-disabled-on-azure-active-directory
title: Ensure Security Defaults is disabled on Azure Active Directory
impact: 80
mql: |
microsoft.policies.identitySecurityDefaultsEnforcementPolicy.isEnabled == false
docs:
desc: |
This check ensures that the security defaults (which are enabled by default) are disabled in Azure Active Directory.
Note: Using security defaults prohibits custom settings. Many best security practices require custom settings.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.policies.identitySecurityDefaultsEnforcementPolicy" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.policies.identitySecurityDefaultsEnforcementPolicy
```
remediation:
- desc: |-
**To disable security defaults:**
1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
2. Select to expand `Identity` select `Overview`
3. Select `Properties`.
4. Select `Manage security defaults`.
5. Set the `Security defaults` dropdown to `Disabled`.
6. Select Save.
**To configure security defaults using Microsoft Graph PowerShell:**
1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"`.
2. Run the following Microsoft Graph PowerShell command:
```
$params = @{ IsEnabled = $false }
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params
```
**WARNING:** It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA in order to make up the gap by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.
- uid: mondoo-m365-security-ensure-that-between-two-and-four-global-admins-are-designated
title: Ensure that between two and four global admins are designated
impact: 80
mql: |
microsoft.rolemanagement.roleDefinitions.where(displayName == "Global Administrator").all(assignments.length.inRange(1,4))
docs:
desc: |
This check ensures that there are enough Global Admins in a single tenant.
When it comes to designating global admins, it's important to consider the size and complexity of the organization, as well as the level of responsibility and authority required for the role. As a general rule, it's a good idea to have at least three global admins to ensure that there is redundancy and coverage in case one admin is unavailable or leaves the organization.
At the same time, having too many global admins can lead to confusion and inefficiency, as multiple people may be making decisions or taking actions without proper coordination. Therefore, it's recommended to keep the number of global admins to no more than four, unless the organization is particularly large or complex and requires more administrators to properly manage its operations.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.rolemanagement.roleDefinitions.where(displayName == "Global Administrator") {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.rolemanagement.roleDefinitions.where(displayName == "Global Administrator") {*}
```
remediation:
- desc: |-
**To correct the number of global tenant administrators:**
1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com
2. Select `Users` > `Active Users`.
3. In the `Search` field enter the name of the user to be made a Global Administrator.
4. To create a new Global Admin:
1. Select the user's name.
2. A window will appear to the right.
3. Select `Manage roles`.
4. Select `Admin center access`.
4. Check `Global Administrator`.
5. Select `Save changes`.
5. To remove Global Admins:
1. Select User.
2. Under `Roles` select `Manage roles`
3. De-Select the appropriate role.
4. Select `Save changes`.
- uid: mondoo-m365-security-ensure-that-mobile-device-encryption-is-enabled-to-prevent-unauthorized-access-to-mobile-data
title: Ensure that Android mobile device encryption is enabled
impact: 80
mql: |
microsoft.devicemanagement.deviceConfigurations.where( properties['@odata.type'] == "#microsoft.graph.androidGeneralDeviceConfiguration").all(properties.storageRequireDeviceEncryption == true)
docs:
desc: |
This check ensures that encryption in android mobile devices has been enabled to prevent any unauthorized access to the data
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.devicemanagement.deviceConfigurations.where( properties['@odata.type'] == "#microsoft.graph.androidGeneralDeviceConfiguration") {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.devicemanagement.deviceConfigurations.where( properties['@odata.type'] == "#microsoft.graph.androidGeneralDeviceConfiguration") {*}
```
remediation: |
### Microsoft 365 Console
To update via the Microsoft 365 portal:
1. Log in to the Microsoft 365 portal at https://admin.microsoft.com
2. Endpoint Manager --> Devices --> Policy --> Configuration profiles
3. Ensure that a profile exists for Android with following conditions:
* Password section --> Device restrictions --> Encryption is set to require
- uid: mondoo-m365-security-ensure-that-mobile-devices-require-a-minimum-password-length-to-prevent-brute-force-attacks
title: Ensure that minimum password length has been set in order to prevent any brute force attack
impact: 80
mql: |
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.windows10GeneralConfiguration").all(properties.passwordMinimumLength >= 8)
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.macOSGeneralDeviceConfiguration").all(properties.passwordMinimumLength >= 8)
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.iosGeneralDeviceConfiguration").all(properties.passcodeMinimumLength >= 8)
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.androidGeneralDeviceConfiguration").all(properties.passwordMinimumLength >= 8)
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration").all(properties['passwordMinimumLength'] >= 8)
docs:
desc: |
This check ensures that there is minimum password length - at least eight characters - for mobile devices
According to NIST (SP 800-63-2), permitted the use of randomly generated PINs with 6 or more digits while requiring user-chosen memorized secrets to be a minimum of 8 characters long.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c " microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.windows10GeneralConfiguration") {*}" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.windows10GeneralConfiguration")
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.macOSGeneralDeviceConfiguration")
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.iosGeneralDeviceConfiguration")
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.androidGeneralDeviceConfiguration")
microsoft.devicemanagement.deviceConfigurations.where( properties["@odata.type"] == "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration")
```
remediation: |
### Microsoft 365 Console
To update via the Microsoft 365 portal:
1. Log in as to the Microsoft 365 portal at https://admin.microsoft.com
2. Endpoint Manager --> Devices --> Policy --> Configuration profiles
3. Ensure that a profile exists for each Platform with following conditions:
* Password section --> Device restrictions --> Minimum password length is set to 8
- uid: mondoo-m365-security-ensure-that-office-365-passwords-are-not-set-to-expire
title: Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
impact: 60
mql: |
microsoft.domains.all(passwordValidityPeriodInDays == 2147483647)
docs:
desc: |
This check ensures to make sure the Office 365 passwords never expires. Based on the new research from several Organizations, it has been confirmed that forcing users to change their password, make the password less secure!
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.domains.all(passwordValidityPeriodInDays == 2147483647)" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.domains {*}
```
remediation:
- desc: |-
**To set Office 365 passwords are set to never expire:**
1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.
2. Expand `Settings` and select `Org Settings`.
3. Select `Security & privacy`.
4. Check the `Set passwords to never expire (recommended)` box.
5. Select `Save`.
**To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Graph PowerShell module:**
1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All"`.
2. Run the following Microsoft Graph PowerShell command:
```
Update-MgDomain -DomainId <Domain> -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30
```
- uid: mondoo-m365-security-ensure-that-spf-records-are-published-for-all-exchange-domains
title: Ensure that SPF records are published for all Exchange Domains
impact: 60
mql: |
microsoft.domains.all(serviceConfigurationRecords.where(supportedService == "Email" && recordType == "Txt") != empty)
microsoft.domains.all(serviceConfigurationRecords.where(supportedService == "Email" && recordType == "Txt").all(properties.text == "v=spf1 include:spf.protection.outlook.com -all"))
docs:
desc: |
This check ensures that SPF records is created for each domain in Exchange.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.domains.all(serviceConfigurationRecords.where(supportedService == "Email" && recordType == "Txt" )" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.domains.all(serviceConfigurationRecords.where(supportedService == "Email" && recordType == "Txt" )
```
remediation:
- desc: |-
**To setup SPF records for Exchange Online accepted domains, perform the following steps:**
1. If all email in your domain is sent from and received by Exchange Online, add the following TXT record for each Accepted Domain:
```
v=spf1 include:spf.protection.outlook.com -all
```
2. If there are other systems that send email in the environment, refer to this article for the proper SPF configuration: [https://docs.microsoft.com/en-us/office365/SecurityCompliance/set-up-spf-in-office-365-to-help-prevent-spoofing](https://docs.microsoft.com/en-us/office365/SecurityCompliance/set-up-spf-in-office-365-to-help-prevent-spoofing).
- uid: mondoo-m365-security-ensure-third-party-integrated-applications-are-not-allowed
title: Ensure that no third party integrated applications are allowed
impact: 80
mql: microsoft.policies.authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps == false
docs:
desc: |
This check ensures that no third party integrated applications can connect to your services.
audit: |
__cnspec run__
To audit Microsoft 365 with `cnspec run`:
Run this query:
```mql
cnspec run ms365 -c "microsoft.policies.authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps" --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
__cnspec shell__
To audit Microsoft 365 with `cnspec shell`:
1. Launch `cnspec shell`:
```bash
cnspec shell ms365 --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id>
```
2. Run this query:
```mql
microsoft.policies.authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps
```
remediation: |
### Microsoft 365 Console
To update via the Microsoft 365 portal:
1. Log in as Global Administrator to the Microsoft 365 portal at https://admin.microsoft.com
2. Select "Azure Active Directory" once in the "Admin Centers"
3. Users --> User settings --> App registrations set to NO
4. Save