
Microsoft 365 Third Party Security Assessment

Patrick Boren • Jul 30, 2020

Microsoft 365 is arguably the biggest target on the internet today. Microsoft secures the platform's infrastructure, but the security settings of your own tenant are yours to get right, and that is where exposure creeps in. Learn where you may be vulnerable and what to look for when evaluating the third-party security assessment tools on the market.




Many businesses, including us at TexasPGB, rely daily on Microsoft's Office 365 products for several important capabilities: email, communication in Teams, document collaboration in SharePoint Online, and file storage in OneDrive. We consume it as a cloud service because it is worth it: it is robust and reliable, and it removes the burden of care and feeding these applications would demand if they ran on our own servers. Looked at from an information security perspective, though, a few things are important to realize.

Office 365 has an enormous amount of capability. Exchange, SharePoint, OneDrive, and Teams may be the parts used by the greatest number of people, but they are just the tip of the iceberg: other services under the umbrella include Delve, Yammer, Sway, and Power Apps. All of these interrelated products provide many ways to interact with the data you keep in Office 365, and make it likely that more and more of the information your business depends on ends up there as well.

You get access to all of Office 365 with one logon – a username and password that gives you everything you need, from anywhere you have Internet access, on whatever device you care to use. It’s quite popular, too: according to research firm Gartner:

1 in 5 corporate employees use Office 365 Cloud Service

Office 365 is the single most widely used cloud service by user account

As of 2018 there were over 155 million Office 365 business users

Microsoft Office 365 Security Settings And Assessment

The flip side of that coin is that Office 365 may well be the single biggest target on the Internet for attacks, account compromise activity, and theft of information. Any business using Office 365 needs to seriously consider its security, and it is not enough to have the attitude of "we pay Microsoft for that." Microsoft handles the security of the overall platform and its supporting infrastructure, and tries to ensure reasonable default security controls, but it is ultimately up to the customer to safeguard themselves and their information appropriately. Put another way: modern cars are built with advanced safety features and are much safer than at any time in the past, but it is still up to you not to drive recklessly and crash into a pole.


What this means for Office 365 administrators: start by following best practices and Microsoft's own recommendations when fine-tuning your tenant's settings. When you adjust those settings to fit your business and the way your people work, it is your responsibility to make sure the result balances functionality and productivity with effective protection.

As with most things, there are automated security tools available to scan and assess your Office 365 tenant. Earlier this month, RapidFire Tools (part of Kaseya) released their new Network Detective Microsoft Cloud Assessment Module. Calling it “the fastest and most comprehensive Microsoft Cloud assessment solution on the market” and “the first and only automated system that gathers this critical information” it seems an especially great fit for Managed Service Providers (MSPs) who are charged with Office 365 maintenance for multiple customers. Certainly, the reputation of RapidFire Tools is well known and well deserved among MSPs. 



How does it work? Being the first and only automated system, does it do the “most comprehensive” job promised? Let’s take a look at an example Microsoft Cloud Security Assessment Report it generates, one of several reports and the one which RapidFire Tools says “brings together all of the security aspects of Microsoft Cloud under one umbrella.” 



The PDF document's cover page is automatically populated with the MSP's logo and company name and the name of the customer assessed. It looks and feels like a form letter, because it is. The first section is the tenant's current Microsoft Secure Score (a free tool built into Office 365 itself) with a red/yellow/green graphic showing where the customer's score falls. The maximum achievable score varies from tenant to tenant, but rather than plot the customer against its own maximum, the RapidFire Tools report centers the chart on the average score of similar organizations using Office 365. In their example the customer scored 81, which lands well into the green on the right and reads as: this customer's score is awesome, no need to worry about this security stuff.

RapidFire Microsoft Office 365 Security Score Example

One problem with this: the green only means the customer is doing better than similarly sized Office 365 organizations. Against the customer's own maximum, the score is 81 out of 238, or just 34 percent, hardly an end-zone achievement.



The next section of the report is the Control Scores section, where specific security controls are assessed, described, and scored. This is where a fully automated assessment falls short: the API scan only knows whether a given control is enabled or not. It cannot understand the context of that control, or whether the practices that make the control meaningful are actually in place.

Microsoft Office 365 Multi-Factor Authentication MFA Security Assessment

Example 1: The report (screenshot above) shows that the MFARegistrationV2 control, multi-factor authentication, is enabled but that only 10 of 2,056 users are registered and protected. It flags the finding for review and action and recommends adding more MFA authentication methods to increase protection.



Why it isn't enough: It is a best practice that MFA be enforced for accounts with administrative access at a minimum, and for all users ideally. From this report we cannot tell what admin roles the 10 users who must use MFA at logon might or might not hold; evaluating MFA enforcement without correlating it to account roles is too broad to be useful. Suggesting additional MFA methods is not wrong, but the report does not enumerate which methods are currently enabled, nor does it account for practices well known in the security community: that the Microsoft Authenticator app should be disabled as a method for self-service password reset (under certain conditions Microsoft Authenticator allows a login to be approved from a locked phone), or that SMS text messages and automated phone calls are sub-optimal MFA methods.
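The correlation the report skips, privileged roles against per-user MFA registration and the methods actually registered, is a few lines of Microsoft Graph PowerShell. The script below is an added example for this post; it is not RapidFire Tools' code and does not come from their product. It assumes the Microsoft.Graph module is installed, that the account running it can consent to the AuditLog.Read.All and Directory.Read.All scopes, and that the tenant has the Entra ID P1/P2 licensing the authentication-methods registration report requires. The list of "weak" method names is my own grouping of the SMS, voice and e-mail entries that report can return.

```powershell
# Added example (not from the original post or from RapidFire Tools):
# correlate MFA registration with privileged-role membership using the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumes an account that can consent to these scopes and an Entra ID P1/P2
# license, which the authentication-methods registration report requires.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Build a map of UPN -> directory roles held, from every activated role in the tenant.
$rolesByUser = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $member.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }   # groups and service principals have no UPN; not covered here
        if (-not $rolesByUser.ContainsKey($upn)) {
            $rolesByUser[$upn] = [System.Collections.Generic.List[string]]::new()
        }
        $rolesByUser[$upn].Add($role.DisplayName)
    }
}

# Methods that satisfy "MFA registered" but are the weak tier (SMS, voice, e-mail). My grouping.
$weakMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email')

# The registration-details report is per user and lists the methods each user has registered,
# which is exactly what the Secure Score control's single count does not show.
$report = foreach ($u in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
    $methods  = @($u.MethodsRegistered)
    $strong   = @($methods | Where-Object { $_ -notin $weakMethods })
    $isAdmin  = $rolesByUser.ContainsKey($u.UserPrincipalName)
    $roleList = if ($isAdmin) { $rolesByUser[$u.UserPrincipalName] -join '; ' } else { '' }
    [pscustomobject]@{
        User            = $u.UserPrincipalName
        IsAdmin         = $isAdmin
        Roles           = $roleList
        MfaRegistered   = $u.IsMfaRegistered
        Methods         = ($methods -join ', ')
        OnlyWeakMethods = ($methods.Count -gt 0) -and ($strong.Count -eq 0)
    }
}

# Finding 1: privileged accounts with no MFA registered at all.
$report | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered } |
    Sort-Object User | Format-Table User, Roles -AutoSize

# Finding 2: privileged accounts whose only registered methods are SMS/voice/e-mail.
$report | Where-Object { $_.IsAdmin -and $_.OnlyWeakMethods } |
    Sort-Object User | Format-Table User, Roles, Methods -AutoSize

# Coverage numbers split by privilege, for the assessment write-up.
$report | Group-Object IsAdmin | ForEach-Object {
    $label = if ($_.Name -eq 'True') { 'Privileged' } else { 'Standard' }
    [pscustomobject]@{
        Population    = $label
        Users         = $_.Count
        MfaRegistered = @($_.Group | Where-Object MfaRegistered).Count
    }
} | Format-Table -AutoSize
```

The registration-details objects also carry their own IsAdmin flag; the script looks roles up explicitly so that the finding names the roles an unprotected account holds, which is what decides how urgently it needs fixing. Note that "registered" is not "enforced": a user with a registered method can still sign in without it unless a Conditional Access policy or per-user MFA setting requires it, so this output is the input to that second check, not a substitute for it.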

Microsoft Office 365 Alert Analysis and Security Report

Example 2: In its Alerts Analysis section, the auto-generated report collects all the alerts from the customer's Office 365 environment and renders a pie chart of the percentage by alert type.


Why it isn't enough: The report suggests that "A review of alerts should be performed on a periodic basis" and that "If no alerts are found, it may be that alerting and auditing are turned off in your particular environment." A common axiom in security is that you can't secure what you can't see, so a thorough assessment should go and determine the configuration status of alerting and auditing, not hedge with "well, there's nothing here, so it might be turned off." Additionally, it is a best practice not to assign administrative roles to normal user accounts but to dedicated accounts with no Office 365 license or mailbox, so that when administrative access is required a user has to deliberately log in with the specific account that holds it. The problem here is that alerts and notifications are sent to an email distribution list covering all users with the Company Administrator/Global Administrator role, which, if you are following that best practice, have no mailboxes to receive them.
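Both of the points above are things a script can establish directly rather than hedge about: whether audit ingestion is on, which alert policies are enabled and whom they notify, and whether the Global Administrators on the receiving end have a mailbox to receive anything. The script below is an added example for this post, not RapidFire Tools' code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an account with Exchange Online and Security & Compliance admin rights, and the Graph scopes listed. The handling of the special recipient value TenantAdmins (which I have seen on the built-in policies and which stands for every Global Administrator) is an assumption to confirm against your own tenant's Get-ProtectionAlert output.

```powershell
# Added example (not from the original post or from RapidFire Tools):
# establish the audit/alerting facts the automated report only hedges about,
# then check whether the Global Administrators that alert policies notify
# can actually receive mail. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules, an account with Exchange Online and Security &
# Compliance admin rights, and the Graph scopes below.

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                                   # Security & Compliance PowerShell; alert policies live here
Connect-MgGraph -Scopes 'Directory.Read.All', 'User.Read.All' -NoWelcome

# 1. Is the unified audit log being ingested at all? If not, "no alerts" means "no visibility".
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is DISABLED: alert policies have nothing to fire on.'
}

# 2. Alert policies: which are enabled, and whom do they notify?
$alerts = Get-ProtectionAlert
$alerts | Select-Object Name, Disabled, Severity, @{ n = 'NotifyUser'; e = { $_.NotifyUser -join ', ' } } |
    Sort-Object Disabled, Name | Format-Table -AutoSize

# Recipients of every enabled policy. Assumption: the special value TenantAdmins on the
# built-in policies means every Global Administrator; treat it that way below.
$notified       = @($alerts | Where-Object { -not $_.Disabled } | ForEach-Object { $_.NotifyUser })
$allGAsNotified = $notified -contains 'TenantAdmins'

# 3. Global Administrators, located by role template id (stable even when display names are localized).
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole       = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }

# 4. For each GA: is it a dedicated account (no license, no mailbox), and if so, is it
#    nevertheless where the alert e-mail is addressed? That combination is the gap.
foreach ($upn in $globalAdmins) {
    $hasLicense = @(Get-MgUserLicenseDetail -UserId $upn).Count -gt 0
    $hasMailbox = [bool](Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue)
    $isNotified = $allGAsNotified -or ($notified -contains $upn)
    [pscustomobject]@{
        GlobalAdmin      = $upn
        DedicatedAccount = -not ($hasLicense -or $hasMailbox)
        IsNotified       = $isNotified
        CannotReceive    = $isNotified -and -not $hasMailbox
    }
}
```

A row with DedicatedAccount and CannotReceive both true is the situation described above: the admin account is set up the right way, and for exactly that reason the alert addressed to it goes nowhere. The fix is on the policy side (a monitored shared mailbox or distribution list in NotifyUser), not on the account side, and it is a configuration fact an assessment should report rather than leave for the reader to guess.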

In summary, I find the claims that RapidFire Tools' Network Detective Cloud Assessment does the "most comprehensive" job and "brings together all of the security aspects of Microsoft Cloud under one umbrella" to be specious, bordering on disingenuous. That said, by its own description it is the very first automated tool of its kind, so perhaps future iterations will improve. As things stand, it reinforces that there is simply no substitute for knowledge and expertise behind a security assessment. When you work with experts you understand the context for or against specific controls as applied to your business and the functionality you need, as well as the "why" and "how" of best practices.



The human expert will always do better at understanding the infinite shades of gray where people interact with cybersecurity. In this case, the just-released automated tool falls short and provides only a false sense of security rather than real, actionable security findings.


