Getting Started
This knowledge article helps you understand how we process compliance checks and how each check weighs towards your Posture Recommendations score.
Posture Recommendations
This section gives you an at-a-glance overview of your tenants' compliance with the Secure checks.
Admin MFA
Description: Verifies the MFA requirement for all admin accounts; the logic takes Security Defaults, Conditional Access Policies, Per-User MFA and DUO into account.
Why: Requiring multi-factor authentication (MFA) for all Azure Active Directory accounts with privileged roles makes it harder for attackers to access accounts. If any of those accounts are compromised, critical devices and data will be open to attacks.
How it works:
Security Defaults
If enabled for a tenant, the configuration status will appear as Security Defaults and all users will be considered as Protected. Security Defaults are typically used by tenants that don't have AAD P1 licensing, and we are unable to read the MFA registration status of these tenants because the API is behind the AAD P1 paywall. Due to this, we indicate all users as Protected so you, the MSP, can show that your part of the work has been completed by having Security Defaults, and hence MFA, enabled.
Legacy (Per User) MFA
This MFA type is being deprecated by Microsoft. If using a direct integration, we can still read this MFA type and will display it on a best-effort basis.
This API/datapoint has been deprecated in the CSP API with GDAP.
Augmentt recommends moving your clients to Security Defaults or Conditional Access before Microsoft fully deprecates this feature.
Conditional Access
Augmentt will read all conditional access policies and identify which ones apply a grant type of "Require MFA" or "Authentication Strength". The users, groups and roles targeted by these policies are extracted, and the related users are checked for their MFA registration status.
Users who have MFA enforced via Conditional Access and have completed registration are considered Protected.
Conditional Access & DUO
Following similar logic to Conditional Access, we will identify policies that have a grant type of "RequireDUOMFA". If the related users have a successful DUO registration and are not in bypassed mode, they are considered Protected.
Non-registered and bypassed users are considered Not protected.
Minimum Microsoft Licensing: Works with Basic licensing
Secure Score Impact: YES
User MFA
Description: Verifies the MFA requirement for all user (non-admin) accounts; the logic takes Security Defaults, Conditional Access Policies and Per-User MFA into account.
Why: Requiring multi-factor authentication (MFA) for all user accounts helps protect devices and data that are accessible to these users. Adding more authentication methods, such as a phone token or a badge, increases the level of protection in the event that one factor is compromised.
How it works:
Security Defaults
If enabled for a tenant, the configuration status will appear as Security Defaults and all users will be considered as Protected. Security Defaults are typically used by tenants that don't have AAD P1 licensing, and we are unable to read the MFA registration status of these tenants because the API is behind the AAD P1 paywall. Due to this, we indicate all users as Protected so you, the MSP, can show that your part of the work has been completed by having Security Defaults, and hence MFA, enabled.
Legacy (Per User) MFA
This MFA type is being deprecated by Microsoft. If using a direct integration, we can still read this MFA type and will display it on a best-effort basis.
This API/datapoint has been deprecated in the CSP API with GDAP.
Augmentt recommends moving your clients to Security Defaults or Conditional Access before Microsoft fully deprecates this feature.
Conditional Access
Augmentt will read all conditional access policies and identify which ones apply a grant type of "Require MFA" or "Authentication Strength". The users, groups and roles targeted by these policies are extracted, and the related users are checked for their MFA registration status.
Users who have MFA enforced via Conditional Access and have completed registration are considered Protected.
Conditional Access & DUO
Following similar logic to Conditional Access, we will identify policies that have a grant type of "RequireDUOMFA". If the related users have a successful DUO registration and are not in bypassed mode, they are considered Protected.
Non-registered and bypassed users are considered Not protected.
Minimum Microsoft Licensing: Works with Basic licensing
Secure Score Impact: YES
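The Admin MFA and User MFA checks above share one evaluation logic. The following added example (not Augmentt's code) implements that logic offline over a constructed tenant snapshot: the policy field names (builtInControls, customAuthenticationFactors, authenticationStrength, includeUsers/includeGroups/excludeUsers) are an assumption modelled on the Microsoft Graph Conditional Access schema, and the DUO enrollment state is a constructed placeholder.

```python
# Constructed sample tenant snapshot (not real data). The policy shape is an
# ASSUMPTION loosely modelled on Microsoft Graph conditionalAccessPolicy objects.
TENANT = {
    "securityDefaultsEnabled": False,
    "users": ["alice", "bob", "carol", "dave"],
    "groups": {"Admins": ["alice", "bob"]},
    "mfaRegistered": {"alice", "carol"},                 # Entra MFA registration report
    "duoEnrolled": {"bob": "active", "dave": "bypass"},  # constructed DUO enrollment state
    "policies": [
        {"displayName": "Admins require MFA", "state": "enabled",
         "conditions": {"users": {"includeUsers": [], "includeGroups": ["Admins"], "excludeUsers": []}},
         "grantControls": {"builtInControls": ["mfa"], "customAuthenticationFactors": []}},
        {"displayName": "DUO for everyone else", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": ["alice"]}},
         "grantControls": {"builtInControls": [], "customAuthenticationFactors": ["RequireDUOMFA"]}},
    ],
}

def targeted_users(policy: dict, tenant: dict) -> set:
    """Expand a policy's include/exclude users and groups into concrete user names."""
    cond = policy["conditions"]["users"]
    users = set(tenant["users"]) if "All" in cond["includeUsers"] else set()
    users.update(u for u in cond["includeUsers"] if u != "All")
    for group in cond["includeGroups"]:
        users.update(tenant["groups"].get(group, []))
    return users - set(cond["excludeUsers"])

def enforces_mfa(grant: dict) -> bool:
    """'Require MFA' and 'Authentication Strength' both count as MFA enforcement."""
    return "mfa" in grant["builtInControls"] or grant.get("authenticationStrength") is not None

def enforces_duo(grant: dict) -> bool:
    return "RequireDUOMFA" in grant["customAuthenticationFactors"]

def mfa_status(tenant: dict) -> dict:
    """Return {user: 'Protected' | 'Not protected'} following the article's rules."""
    if tenant["securityDefaultsEnabled"]:  # Security Defaults: all users count as Protected
        return {u: "Protected" for u in tenant["users"]}
    status = {u: "Not protected" for u in tenant["users"]}
    for policy in tenant["policies"]:
        if policy["state"] != "enabled":
            continue
        grant = policy["grantControls"]
        for user in targeted_users(policy, tenant):
            registered = user in tenant["mfaRegistered"]
            duo_active = tenant["duoEnrolled"].get(user) == "active"  # bypassed users stay unprotected
            if (enforces_mfa(grant) and registered) or (enforces_duo(grant) and duo_active):
                status[user] = "Protected"
    return status
```

Running `mfa_status(TENANT)` on the sample marks alice (MFA policy, registered) and bob (DUO policy, active enrollment) as Protected, while carol (registered but no enforcing policy) and dave (DUO bypassed) remain Not protected.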
Login Portal Branding
Description: Verifies if Login Portal Logo and Banner are configured
Why: Use your organization's logo and custom color schemes to provide a consistent look-and-feel on your Azure Active Directory (Azure AD) sign-in pages. This allows users to more easily identify fake logins and phishing attempts.
Minimum Microsoft Licensing: Works with Basic licensing
Secure Score Impact: No
Self Service Password Reset
Description: Verifies if Self Service Password Reset feature is enabled
Why: The fewer people who know a password, the better! This feature works well with Azure AD dynamically banned passwords, which prevent easily guessable passwords from being used.
Minimum Microsoft Licensing: Requires Premium (P1) licensing
Secure Score Impact: YES
Block Legacy Authentication
Description: Verifies if a Block Legacy Authentication protocol is applied.
Augmentt will locate the configuration blocking Legacy Authentication clients and, where it is a conditional access policy, extract the users targeted by that policy to determine which users are successfully blocked.
The block can be applied via one of the following options:
Organizations with Basic licensing: Blocking via Security Defaults (Security Defaults | Microsoft Learn)
Organizations with Microsoft Entra ID P1 or P2 licenses: Blocking via Conditional Access Policy
Why: Blocking legacy authentication makes it harder for attackers to gain access. Legacy authentication protocols are those that use either the Microsoft Online Sign-in Assistant or basic authentication, and they do not support MFA.
Minimum Microsoft Licensing: Works with Basic licensing
Secure Score Impact: YES
Inactive Accounts
Description: Identifies accounts that have not had any activity for 30 days by looking at the Azure AD sign-in logs as well as the actual app usage of Outlook, SharePoint, OneDrive and Teams from the Microsoft App Usage Report.
Why: Deleting or blocking accounts that haven't been used in the last 30 days, after checking with owners, helps prevent unauthorized use of inactive accounts. These accounts can be targets for attackers who are looking to find ways to access your data without being noticed.
Configured: 0 accounts are identified as inactive; Scores 1 point
Not Configured: at least 1 account is identified as inactive; Scores 0 points
Microsoft Licensing: Requires Premium (P1) licensing
Secure Score Impact: No
Teams Default External/Guest Options
Description: Verifies whether Teams is configured to allow external communication by default, across 3 settings:
“Users can communicate with other Skype for Business and Teams users” is compliant when disabled
“Users can communicate with Skype users” is compliant when disabled
“Allow guest access in Teams” is compliant when disabled
Why: External collaboration through Teams can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should be making a conscious decision and assessing the risks when collaborating externally, rather than having it enabled by default.
Configured: All 3 settings are disabled by default; Scores 2 points
Partially Configured: At least 1 setting is disabled by default; Scores 1 point
Not Configured: None of the settings are disabled by default; Scores 0 points
Microsoft Licensing: Works with Basic licensing
SharePoint External/Guest Sharing
Description: Verifies whether SharePoint is configured to allow external collaboration by default, across 5 settings:
“SharePoint content can be shared with” is considered compliant when it is not set to “anyone”
“Guests must sign in using the same account to which sharing invitations are sent” is compliant when enabled
“Allow guests to share items they don’t own” is considered compliant when it is disabled
“Default sharing for file and folder links” is compliant when set to “Specific people” or “Only people in your organization” and non-compliant when set to “anyone with the link”
“Default permissions for file and folder links” is compliant when set to “view”
Why: External collaboration through SharePoint can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should be making a conscious decision and assessing the risks when collaborating externally, rather than having it enabled by default.
Configured: All 5 settings are compliant; Scores 2 points
Partially Configured: At least 1 setting is compliant; Scores 1 point
Not Configured: None of the settings are compliant; Scores 0 points
Microsoft Licensing: Works with Basic licensing
OneDrive External/Guest Sharing
Description: Verifies OneDrive default content sharing settings:
“OneDrive content can be shared with” is compliant when it is not set to “anyone”
Why: External collaboration through OneDrive can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should be making a conscious decision and assessing the risks when collaborating externally, rather than having it enabled by default.
Configured: Setting is compliant; Scores 1 point
Not Configured: Setting is not compliant; Scores 0 points
Microsoft Licensing: Works with Basic licensing
Risky IP Address Policy
Description: Verifies if a Conditional Access Policy is in place that blocks access based on IP address
Why: Having a risky IP address conditional access policy defined reduces the number of attacks users are exposed to. This can be done through requiring additional steps to grant access from certain IP addresses or blocking access completely.
Configured: A conditional access policy blocking access based on IP address exists; Scores 1 point
Not Configured: A conditional access policy blocking access based on IP address does not exist; Scores 0 points
Microsoft Licensing: Requires Premium (P1) licensing
Risky Country Policy
Description: Verifies if a Conditional Access Policy is in place that blocks access based on Countries
Why: Having a risky country conditional access policy defined reduces the number of attacks users are exposed to. This can be done through requiring additional steps to grant access from certain countries or blocking access completely.
Configured: A conditional access policy blocking access based on Countries exists; Scores 1 point
Not Configured: A conditional access policy blocking access based on Countries does not exist; Scores 0 points
Microsoft Licensing: Requires Premium (P1) licensing