
Getting Started

This knowledge article explains how we evaluate each compliance check and how each check weighs toward your Posture Recommendations score.

Posture Recommendations

This section gives you an at-a-glance overview of how each of your tenants complies with the Secure checks.

Admin MFA

Description: Verifies that all admin accounts are required to use MFA, taking Security Defaults, Conditional Access policies, Per-User (legacy) MFA and DUO into account.

Why: Requiring multi-factor authentication (MFA) for all Azure Active Directory accounts that hold privileged roles makes it much harder for an attacker who has obtained a password to use the account. If one of these accounts is compromised, the critical devices and data it can reach are exposed.

How it works:

Security Defaults

If Security Defaults are enabled for a tenant, the configuration status appears as Security Defaults and all users are considered Protected. Security Defaults are typically used by tenants without AAD P1 licensing, and we cannot read the MFA registration status of those tenants because the registration report API sits behind the AAD P1 paywall. We therefore mark all users as Protected so that you, the MSP, can show that your part of the work has been completed: Security Defaults are on and MFA is therefore required.

Legacy (Per User) MFA

This MFA type is being deprecated by Microsoft. If you use a direct integration, we can still read it and display it on a best-effort basis.

This API/datapoint has been deprecated in the CSP API with GDAP.

Augmentt recommends moving your clients to Security Defaults or Conditional Access before Microsoft fully deprecates this feature.

Conditional Access

Augmentt reads all Conditional Access policies and identifies those whose grant controls require MFA ("Require MFA" or "Authentication Strength"). The users, groups and roles targeted by those policies are extracted, and the resulting users are checked for their MFA registration status.

Users who are subject to MFA enforcement via Conditional Access and have completed registration are considered Protected.

Conditional Access & DUO

Following the same logic as Conditional Access, we identify policies with a grant type of "RequireDUOMFA". If the related users have completed DUO registration and are not in bypass mode, they are considered Protected.

Users who are not registered, or who are in bypass mode, are reported as Not protected.

Minimum Microsoft Licensing: Works with Basic licensing

Secure Score impact: YES
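The evaluation described under "How it works" can be reproduced offline against Microsoft Graph-shaped data. The following is an added example, not Augmentt's code: it takes Conditional Access policies in the Graph conditionalAccessPolicy shape, user records in the userRegistrationDetails shape, and resolves role/group targeting and exclusions before deciding Protected / Not protected. The "RequireDUOMFA" control is assumed to appear in grantControls.customAuthenticationFactors, and the per-user MFA map, the duoRegistered/duoBypassed fields and the membership maps are constructed stand-ins for data a real evaluator would fetch from the tenant. Dropping the isAdmin filter gives the User MFA variant of the same check.

```python
"""Admin MFA evaluation over Microsoft Graph-shaped objects.
Added example, not Augmentt's code. Policies follow the Graph
conditionalAccessPolicy shape, users follow userRegistrationDetails; the
per-user MFA map, DUO fields and membership maps are constructed inputs."""

# Custom-control name quoted on the page; assumed to surface in
# grantControls.customAuthenticationFactors.
DUO_CONTROL = "RequireDUOMFA"
# Well-known directory role template id for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def mfa_grant_kind(policy):
    """'mfa' for Require MFA / authentication strength, 'duo' for the DUO
    custom control, None if the policy enforces neither or is not enabled
    (disabled and report-only policies protect nobody)."""
    if policy.get("state") != "enabled":
        return None
    grant = policy.get("grantControls") or {}
    if DUO_CONTROL in (grant.get("customAuthenticationFactors") or []):
        return "duo"
    if "mfa" in (grant.get("builtInControls") or []) or grant.get("authenticationStrength"):
        return "mfa"
    return None


def resolve_targets(policy, all_user_ids, group_members, role_members):
    """Expand include/exclude users, groups and roles to concrete user ids.
    Exclusions win over inclusions, as they do in Entra."""
    users = policy["conditions"]["users"]

    def expand(user_key, group_key, role_key):
        ids = set(users.get(user_key) or [])
        if "All" in ids:
            ids = set(all_user_ids)
        for gid in users.get(group_key) or []:
            ids.update(group_members.get(gid, []))
        for rid in users.get(role_key) or []:
            ids.update(role_members.get(rid, []))
        return ids

    return (expand("includeUsers", "includeGroups", "includeRoles")
            - expand("excludeUsers", "excludeGroups", "excludeRoles"))


def evaluate_admin_mfa(tenant):
    """Return {user id: (status, source)} for every admin account."""
    admins = [u for u in tenant["users"] if u["isAdmin"]]
    if tenant["security_defaults_enabled"]:
        return {u["id"]: ("Protected", "Security Defaults") for u in admins}

    all_ids = [u["id"] for u in tenant["users"]]
    coverage = {}  # user id -> {"mfa", "duo"}: kinds of policy targeting them
    for pol in tenant["policies"]:
        kind = mfa_grant_kind(pol)
        if kind is None:
            continue
        for uid in resolve_targets(pol, all_ids, tenant["group_members"], tenant["role_members"]):
            coverage.setdefault(uid, set()).add(kind)

    result = {}
    for u in admins:
        kinds = coverage.get(u["id"], set())
        if "mfa" in kinds and u["isMfaRegistered"]:
            result[u["id"]] = ("Protected", "Conditional Access")
        elif "duo" in kinds and u.get("duoRegistered") and not u.get("duoBypassed"):
            result[u["id"]] = ("Protected", "Conditional Access & DUO")
        elif tenant["per_user_mfa"].get(u["id"]) == "enforced":
            result[u["id"]] = ("Protected", "Per-User MFA (legacy)")
        elif kinds:
            result[u["id"]] = ("Not protected", "targeted but not registered or bypassed")
        else:
            result[u["id"]] = ("Not protected", "no MFA policy targets this account")
    return result


# Constructed sample tenant; ids are placeholders, not real objects.
SAMPLE_TENANT = {
    "security_defaults_enabled": False,
    "users": [
        {"id": "alice", "isAdmin": True, "isMfaRegistered": True},
        {"id": "bob", "isAdmin": True, "isMfaRegistered": False},
        {"id": "carol", "isAdmin": True, "isMfaRegistered": False},
        {"id": "dave", "isAdmin": True, "isMfaRegistered": False,
         "duoRegistered": True, "duoBypassed": False},
        {"id": "frank", "isAdmin": True, "isMfaRegistered": True},  # registered, but no policy
        {"id": "erin", "isAdmin": False, "isMfaRegistered": False},
    ],
    "role_members": {GLOBAL_ADMIN_ROLE: ["alice", "bob", "carol", "dave"]},
    "group_members": {"grp-it": ["dave"]},
    "per_user_mfa": {"carol": "enforced"},  # legacy per-user MFA state (constructed)
    "policies": [
        {"displayName": "Require MFA for admins", "state": "enabled",
         "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": ["carol"]}},
         "grantControls": {"builtInControls": ["mfa"]}},
        {"displayName": "DUO for IT", "state": "enabled",
         "conditions": {"users": {"includeGroups": ["grp-it"]}},
         "grantControls": {"customAuthenticationFactors": [DUO_CONTROL]}},
        {"displayName": "MFA for all (report-only)", "state": "enabledForReportingButNotEnforced",
         "conditions": {"users": {"includeUsers": ["All"]}},
         "grantControls": {"builtInControls": ["mfa"]}},
    ],
}
```

Two outcomes in the sample are worth noting: frank is MFA-registered but no enabled policy targets him, so he is Not protected (registration is not enforcement), and the report-only policy covering "All" users counts for nothing until its state is changed to enabled.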

User MFA

Description: Verifies that all user (non-admin) accounts are required to use MFA, taking Security Defaults, Conditional Access policies and Per-User (legacy) MFA into account.

Why: Requiring multi-factor authentication (MFA) for all user accounts helps protect the devices and data those users can reach. Adding further authentication methods, such as a phone token or a badge, increases the level of protection in the event that one factor is compromised.

How it works: The detection logic is the same as for Admin MFA above (Security Defaults, Legacy Per-User MFA, Conditional Access, and Conditional Access & DUO), applied to non-admin accounts.

Minimum Microsoft Licensing: Works with Basic licensing

Secure Score Impact: YES

Login Portal Branding

Description: Verifies whether the Login Portal logo and banner are configured.

Why: Use your organization's logo and custom colour scheme to give your Azure Active Directory (Azure AD) sign-in pages a consistent look-and-feel, so users are more likely to notice a fake login page or phishing attempt. Branding is a usability aid rather than a control: a phishing kit can copy the same logo, so it complements MFA rather than replacing it.

Minimum Microsoft Licensing: Works with Basic licensing

Secure Score Impact: No

Self Service Password Reset

Description: Verifies whether the Self Service Password Reset feature is enabled.

Why: The fewer people who know a password, the better: with self-service reset, no helpdesk agent has to set or hand over a new one. This feature works well with Azure AD banned passwords (Password Protection), which stop easily guessable passwords from being chosen.

Minimum Microsoft Licensing: Requires Premium (P1) licensing

Secure Score Impact: YES

Block Legacy Authentication

Description: Verifies whether a policy blocking legacy authentication protocols is applied.

Augmentt locates policies that block legacy authentication clients and extracts the users targeted by the Conditional Access policy to determine which users are successfully blocked.

The protocols can be applied via one of the following options:

  • Organizations with Basic licensing: Blocking via Security Defaults (Security Defaults | Microsoft Learn)

  • Organizations with Microsoft Entra ID P1 or P2 licenses: Blocking via Conditional Access Policy

Why: Blocking legacy authentication makes it harder for attackers to gain access. Legacy clients are those that use the Microsoft Online Sign-in Assistant or basic authentication; these protocols cannot perform MFA, which is why they are the preferred path for password-spray and credential-stuffing attacks.

Minimum Microsoft Licensing: Works with Basic licensing

Secure Score Impact: YES
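What makes a Conditional Access policy count as "blocking legacy authentication" is easy to get subtly wrong (report-only state, only Exchange ActiveSync covered, an MFA grant instead of Block). The following is an added example, not Augmentt's code, that evaluates policies in the Graph conditionalAccessPolicy shape against the criteria of Microsoft's own "Block legacy authentication" template and reports each gap; the requirement that the policy target all cloud apps is this example's own choice, and the sample policies are constructed.

```python
"""Block Legacy Authentication check over Graph-shaped Conditional Access
policies. Added example, not Augmentt's code; the policy dicts below are
constructed stand-ins for conditionalAccessPolicy objects."""

# Client app types Entra treats as legacy authentication. "other" covers
# basic-auth protocols (IMAP, POP, SMTP AUTH, older Office clients).
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def legacy_auth_gaps(policy):
    """Reasons a policy does NOT fully block legacy authentication; an empty
    list means it qualifies. Criteria follow Microsoft's "Block legacy
    authentication" template: enabled, all cloud apps, both legacy client
    app types, grant control Block."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("state is %s, not enabled" % policy.get("state"))
    conditions = policy.get("conditions") or {}
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        # This example's choice: a narrower app scope leaves other apps reachable.
        gaps.append("does not target all cloud apps")
    missing = LEGACY_CLIENT_APP_TYPES - set(conditions.get("clientAppTypes") or [])
    if missing:
        gaps.append("client app types not covered: " + ", ".join(sorted(missing)))
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        # Legacy clients cannot satisfy an MFA grant either, but Block is the
        # explicit, unambiguous control this check looks for.
        gaps.append("grant control is not Block")
    return gaps


def blocks_legacy_auth(policy):
    return not legacy_auth_gaps(policy)


def legacy_auth_status(tenant):
    """(source, qualifying policy names). Security Defaults block legacy
    authentication tenant-wide; otherwise a qualifying CA policy is needed."""
    if tenant["security_defaults_enabled"]:
        return "Security Defaults", []
    names = [p["displayName"] for p in tenant["policies"] if blocks_legacy_auth(p)]
    return ("Conditional Access" if names else "Not configured"), names


def _policy(name, state="enabled", apps=("All",),
            client_types=("exchangeActiveSync", "other"), grant="block"):
    """Build a constructed sample policy in the Graph shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(apps)},
                           "clientAppTypes": list(client_types),
                           "users": {"includeUsers": ["All"]}},
            "grantControls": {"builtInControls": [grant]}}


# Constructed samples: one correct policy and three common near-misses.
SAMPLE_POLICIES = [
    _policy("Block legacy authentication"),
    _policy("Block EAS only", client_types=("exchangeActiveSync",)),
    _policy("Block legacy (report-only)", state="enabledForReportingButNotEnforced"),
    _policy("MFA for legacy clients", grant="mfa"),
]
SAMPLE_TENANT = {"security_defaults_enabled": False, "policies": SAMPLE_POLICIES}
```

Running legacy_auth_gaps over each sample policy shows why only the first one qualifies; the gap strings are what a remediation ticket for the tenant should contain.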

Inactive Accounts

Description: Identifies accounts that have had no activity for 30 days, looking at the Azure AD sign-in logs as well as actual app usage of Outlook, SharePoint, OneDrive and Teams from the Microsoft App Usage Report.

Why: Deleting or blocking accounts that haven't been used in the last 30 days, after checking with owners, helps prevent unauthorized use of inactive accounts. These accounts can be targets for attackers who are looking to find ways to access your data without being noticed.

  • Configured: 0 accounts are identified as inactive; Scores 1 point

  • Not Configured: at least 1 account is identified as inactive; Scores 0 points

Microsoft Licensing: Requires Premium (P1) licensing

Secure Score Impact: No
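Combining the two activity sources matters: a user who only works in Teams can show a stale sign-in timestamp in Entra while the usage report shows activity last week, and a user who has never signed in has no timestamp at all. The following is an added example, not Augmentt's code, that merges Graph signInActivity timestamps with the per-workload last-activity dates of the Microsoft 365 active-user report and applies the 30-day window. Two behaviours are this example's own choices rather than anything the page states: never-used accounts are aged from createdDateTime so that brand-new accounts are not flagged, and already-disabled accounts are skipped because blocking is the remedy. All user records and usage rows are constructed.

```python
"""Inactive account detection combining Entra sign-in activity with the
Microsoft 365 active-user usage report. Added example, not Augmentt's code;
records below are constructed, shaped like Graph's user.signInActivity and
getOffice365ActiveUserDetail fields."""
from datetime import datetime, timedelta, timezone

INACTIVITY_WINDOW = timedelta(days=30)
USAGE_FIELDS = ("exchangeLastActivityDate", "sharePointLastActivityDate",
                "oneDriveLastActivityDate", "teamsLastActivityDate")


def parse_graph_time(value):
    """Sign-in timestamps look like 2024-06-28T09:15:00Z; usage-report dates
    are bare YYYY-MM-DD. None/empty means nothing was ever recorded."""
    if not value:
        return None
    if len(value) == 10:
        return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user, usage_row):
    """Latest timestamp across interactive and non-interactive sign-ins and
    the per-workload usage dates; None if no source has any activity."""
    sign_in = user.get("signInActivity") or {}
    stamps = [parse_graph_time(sign_in.get("lastSignInDateTime")),
              parse_graph_time(sign_in.get("lastNonInteractiveSignInDateTime"))]
    stamps += [parse_graph_time((usage_row or {}).get(f)) for f in USAGE_FIELDS]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def find_inactive(users, usage_by_upn, now):
    """UPNs of enabled accounts with no activity inside the window.
    Example's choices: never-used accounts are aged from createdDateTime,
    and already-disabled accounts are skipped (blocking is the remedy)."""
    cutoff = now - INACTIVITY_WINDOW
    inactive = []
    for u in users:
        if not u.get("accountEnabled", True):
            continue
        last = last_activity(u, usage_by_upn.get(u["userPrincipalName"]))
        if last is None:
            last = parse_graph_time(u["createdDateTime"])
        if last < cutoff:
            inactive.append(u["userPrincipalName"])
    return sorted(inactive)


def inactive_accounts_score(users, usage_by_upn, now):
    """Page scoring: 1 point when zero inactive accounts, otherwise 0."""
    return 1 if not find_inactive(users, usage_by_upn, now) else 0


# Constructed sample data; evaluation time fixed so results are reproducible.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-01-10T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-06-28T09:15:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-01-10T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-04-01T08:00:00Z"}},  # active in Teams only
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-01-10T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z"}},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "createdDateTime": "2024-06-25T10:00:00Z"},  # new account, never signed in
    {"userPrincipalName": "erin@contoso.example", "accountEnabled": False,
     "createdDateTime": "2024-01-10T10:00:00Z"},  # already blocked
    {"userPrincipalName": "frank@contoso.example", "accountEnabled": True,
     "createdDateTime": "2024-01-10T10:00:00Z"},  # stale, never signed in
]
SAMPLE_USAGE = {
    "bob@contoso.example": {"teamsLastActivityDate": "2024-06-20"},
    "carol@contoso.example": {"exchangeLastActivityDate": "2024-05-05"},
}
```

With the sample data, bob is kept active by the Teams usage date even though his Entra sign-in is three months old, while carol and frank are reported inactive and the check scores 0.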

Teams Default External/Guest Options

Description: Verifies whether Teams allows external communication by default, across 3 settings:

  • “Users can communicate with other Skype for Business and Teams users” is compliant when disabled

  • “Users can communicate with Skype users” is compliant when disabled

  • “Allow guest access in Teams” is compliant when disabled

Why: External collaboration through Teams can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should make a conscious decision and assess the risks when collaborating externally, rather than this being the default.

  • Configured: All 3 settings are disabled by default; Scores 2 points

  • Partially Configured: 1 or 2 of the 3 settings are disabled by default; Scores 1 point

  • Not Configured: None of the settings are disabled by default; Scores 0 points

Microsoft Licensing: Works with Basic licensing

SharePoint External/Guest Sharing

Description: Verifies whether SharePoint allows external collaboration by default, across 5 settings:

  • “SharePoint content can be shared with” is considered compliant when it is not set to “anyone”

  • “Guests must sign in using the same account to which sharing invitations are sent” is compliant when enabled

  • “Allow guests to share items they don’t own” is considered compliant when it is disabled

  • “Default sharing for file and folder links” is compliant when set to “Specific people” or “Only people in your organization” and non-compliant when set to “anyone with the link”

  • “Default permissions for file and folder links” is compliant when set to “view”

Why: External collaboration through SharePoint can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should make a conscious decision and assess the risks when collaborating, rather than this being the default.

  • Configured: All 5 settings are compliant; Scores 2 points

  • Partially Configured: 1 to 4 of the 5 settings are compliant; Scores 1 point

  • Not Configured: None of the settings are compliant; Scores 0 points

Microsoft Licensing: Works with Basic licensing

OneDrive External/Guest Sharing

Description: Verifies OneDrive default content sharing settings:

  • “OneDrive content can be shared with” is compliant when it is not set to “anyone”

Why: External collaboration through OneDrive can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should make a conscious decision and assess the risks when collaborating, rather than this being the default.

  • Configured: Setting is compliant; Scores 1 point

  • Not Configured: Setting is not compliant; Scores 0 points

Microsoft Licensing: Works with Basic licensing

Risky IP Address Policy

Description: Verifies whether a Conditional Access policy is in place that blocks access based on IP address (a Named Location of the IP-range type).

Why: Having a risky IP address conditional access policy defined reduces the number of attacks users are exposed to. This can be done through requiring additional steps to grant access from certain IP addresses or blocking access completely.

  • Configured: A conditional access policy blocking access based on IP address exists; Scores 1 point

  • Not Configured: A conditional access policy blocking access based on IP address does not exist; Scores 0 points

Microsoft Licensing: Requires Premium (P1) licensing

Risky Country Policy

Description: Verifies whether a Conditional Access policy is in place that blocks access based on country (a Named Location of the country type).

Why: Having a risky country conditional access policy defined reduces the number of attacks users are exposed to. This can be done through requiring additional steps to grant access from certain countries or blocking access completely.

  • Configured: A conditional access policy blocking access based on Countries exists; Scores 1 point

  • Not Configured: A conditional access policy blocking access based on Countries does not exist; Scores 0 points

Microsoft Licensing: Requires Premium (P1) licensing
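Both location checks above hinge on the same detail: a Conditional Access policy only references Named Location ids, so whether it is "IP-based" or "country-based" can only be decided by looking up the namedLocation object's @odata.type. The following is an added example, not Augmentt's code, that classifies enabled Block policies that way, also recognising the common "all locations except trusted IPs" pattern, and flags a weakness in country policies that a practitioner should know about: IP addresses that cannot be mapped to a country are only caught when the location includes unknown countries/regions. The policies and named locations are constructed in the Graph shape.

```python
"""Risky IP / Risky Country policy detection. Added example, not Augmentt's
code; the policy and namedLocation dicts are constructed stand-ins for the
Graph conditionalAccessPolicy and namedLocation resources."""

IP_LOCATION = "#microsoft.graph.ipNamedLocation"
COUNTRY_LOCATION = "#microsoft.graph.countryNamedLocation"


def location_kinds(policy, named_locations):
    """Set of location kinds ({'ip', 'country'}) an enabled Block policy
    decides on. Recognises an explicit named location in includeLocations
    and the 'All locations except trusted' pattern (includeLocations=['All']
    with AllTrusted or a trusted IP location in excludeLocations)."""
    if policy.get("state") != "enabled":
        return set()
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        return set()
    locations = (policy.get("conditions") or {}).get("locations") or {}
    include = locations.get("includeLocations") or []
    exclude = locations.get("excludeLocations") or []
    kinds = set()
    for loc_id in include:
        loc = named_locations.get(loc_id)
        if loc and loc["@odata.type"] == IP_LOCATION:
            kinds.add("ip")
        elif loc and loc["@odata.type"] == COUNTRY_LOCATION:
            kinds.add("country")
    if "All" in include:
        for loc_id in exclude:
            loc = named_locations.get(loc_id)
            if loc_id == "AllTrusted" or (loc and loc["@odata.type"] == IP_LOCATION):
                kinds.add("ip")  # "block everywhere but the office" is an IP policy
    return kinds


def risky_location_status(tenant):
    """{'ip': bool, 'country': bool}: whether each check is Configured."""
    found = {"ip": False, "country": False}
    for pol in tenant["policies"]:
        for kind in location_kinds(pol, tenant["named_locations"]):
            found[kind] = True
    return found


def country_policy_warnings(policy, named_locations):
    """Country lookups cannot place every IP. A country block whose named
    location excludes unknown countries/regions can be sidestepped from such
    an address, so report it."""
    warnings = []
    locations = (policy.get("conditions") or {}).get("locations") or {}
    for loc_id in locations.get("includeLocations") or []:
        loc = named_locations.get(loc_id)
        if (loc and loc["@odata.type"] == COUNTRY_LOCATION
                and not loc.get("includeUnknownCountriesAndRegions")):
            warnings.append("%s: unknown countries/regions not included" % loc["displayName"])
    return warnings


# Constructed sample data (documentation IP range, placeholder ids).
SAMPLE_LOCATIONS = {
    "loc-trusted": {"@odata.type": IP_LOCATION, "displayName": "Corporate egress",
                    "isTrusted": True,
                    "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                                  "cidrAddress": "203.0.113.0/24"}]},
    "loc-embargo": {"@odata.type": COUNTRY_LOCATION, "displayName": "Embargoed countries",
                    "countriesAndRegions": ["KP", "IR"],
                    "includeUnknownCountriesAndRegions": False},
}


def _block_policy(name, include, exclude=(), state="enabled"):
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"]},
                           "locations": {"includeLocations": list(include),
                                         "excludeLocations": list(exclude)}},
            "grantControls": {"builtInControls": ["block"]}}


SAMPLE_TENANT = {
    "named_locations": SAMPLE_LOCATIONS,
    "policies": [
        _block_policy("Block embargoed countries", ["loc-embargo"]),
        _block_policy("Block outside corporate network", ["All"], ["loc-trusted"]),
        _block_policy("Block RU (disabled)", ["loc-embargo"], state="disabled"),
    ],
}
```

In the sample, the tenant passes both checks, but the country policy carries a warning because its named location does not include unknown countries/regions; the disabled policy contributes nothing.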