Posture Checks Reference

This knowledge article explains how each posture check is evaluated and how many points it contributes to your Posture Recommendations score.

Posture Recommendations

This section gives you an at-a-glance overview of how each of your tenants scores against the checks described below.

Admin MFA

Description: Verifies that MFA is required for every admin account. Any of Security Defaults, Conditional Access Policies, or Per-User MFA is accepted as the mechanism that enforces the requirement.

Why: Requiring multi-factor authentication (MFA) for every Azure Active Directory account that holds a privileged role makes those accounts much harder for an attacker to take over. If a privileged account is compromised, the attacker inherits its access to critical devices and data.

  • Configured: All admin accounts have MFA required; Scores 2 points
  • Partially Configured: At least 1 admin account has MFA required; Scores 1 point
  • Not Configured: No admin accounts have MFA required; Scores 0 points

 

User MFA

Description: Verifies that MFA is required for every user (non-admin) account. Any of Security Defaults, Conditional Access Policies, or Per-User MFA is accepted as the mechanism that enforces the requirement.

Why: Requiring multi-factor authentication (MFA) for all user accounts helps protect the devices and data those users can reach. A second factor such as a phone-based token or a hardware key means that a stolen or guessed password alone is not enough to sign in.

  • Configured: All user accounts have MFA required; Scores 2 points
  • Partially Configured: At least 1 user account has MFA required; Scores 1 point
  • Not Configured: No user accounts have MFA required; Scores 0 points
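The two MFA checks above can be approximated from the tenant yourself. The following is an added example using the Microsoft Graph PowerShell SDK (v2); it is not Augmentt's own code and the way it maps "MFA required" onto Security Defaults, Conditional Access grant controls and the authentication-methods registration report is my reading of the article, not Augmentt's exact logic. The `Get-PostureScore` and `Test-MfaRequired` helpers are defined here for illustration.

```powershell
# Added example, not Augmentt's code: approximates the Admin MFA and User MFA
# checks with the Microsoft Graph PowerShell SDK (v2, Microsoft.Graph module).
# Needs a role such as Global Reader. The mapping of "required" onto the
# signals below is my own reading of the article, not Augmentt's exact logic.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Scores a 2-point check the way the article describes:
# all compliant = 2, at least one = 1, none = 0.
function Get-PostureScore {
    param([int]$Compliant, [int]$Total)
    if ($Total -gt 0 -and $Compliant -eq $Total) { return 2 }   # Configured
    if ($Compliant -ge 1)                        { return 1 }   # Partially Configured
    return 0                                                     # Not Configured
}

# Signal 1: Security Defaults require MFA for every account in the tenant.
$securityDefaultsOn = [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

# Signal 2: enabled Conditional Access policies whose grant control is MFA (or an
# authentication strength, which implies MFA). Only the include lists are read;
# exclusions and app scoping are ignored here and would need the same treatment.
$caMfa = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
}
$caAllUsers = [bool]($caMfa | Where-Object { $_.Conditions.Users.IncludeUsers -contains 'All' })
$caAnyRole  = [bool]($caMfa | Where-Object { @($_.Conditions.Users.IncludeRoles).Count -gt 0 })

# Signal 3: per-account registration state. IsAdmin is set for members of
# privileged directory roles, which is how admins and users are separated here.
# The report does not expose per-user MFA *enforcement*, so for tenants that
# rely on Per-User MFA, IsMfaRegistered is used as the best available proxy.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$admins  = @($details | Where-Object { $_.IsAdmin })
$users   = @($details | Where-Object { -not $_.IsAdmin })

function Test-MfaRequired {
    param($Entry, [bool]$TenantWideControl)
    return $TenantWideControl -or [bool]$Entry.IsMfaRegistered
}

$adminCovered = $securityDefaultsOn -or $caAllUsers -or $caAnyRole
$userCovered  = $securityDefaultsOn -or $caAllUsers

$adminOk = @($admins | Where-Object { Test-MfaRequired $_ $adminCovered }).Count
$userOk  = @($users  | Where-Object { Test-MfaRequired $_ $userCovered  }).Count

[pscustomobject]@{
    AdminMfaScore    = Get-PostureScore -Compliant $adminOk -Total $admins.Count
    UserMfaScore     = Get-PostureScore -Compliant $userOk  -Total $users.Count
    # Admins with neither a tenant-wide control nor a registered method are the
    # accounts to fix first, whatever the score says.
    AdminsWithoutMfa = @($admins | Where-Object { -not (Test-MfaRequired $_ $false) }).UserPrincipalName
}
```

Treat a Partially Configured result as a list of accounts to chase rather than a score to accept: a Conditional Access policy that includes the right roles but excludes a break-glass account, or a per-user MFA state that was never moved from "enabled" to "enforced", both look similar in this output and need a manual look.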

 

Login Portal Branding

Description: Verifies if Login Portal Logo and Banner are configured

Why: Using your organization's logo and custom colour scheme gives your Azure Active Directory (Azure AD) sign-in pages a consistent look-and-feel, so users who are used to the branded page are more likely to notice a generic or mismatched page served by a phishing site. Branding can be copied, so treat it as one cue among several rather than as a guarantee.

  • Configured: Both Logo and Banner are configured; Scores 2 points
  • Partially Configured: Only one of Logo and Banner is configured; Scores 1 point
  • Not Configured: Neither Logo nor Banner is configured; Scores 0 points

 

Self Service Password Reset

Description: Verifies if Self Service Password Reset feature is enabled

Why: The fewer people who know a password, the better. Self-service password reset lets users recover access without a helpdesk agent setting or learning the new password. It works well together with the Azure AD dynamically banned password list (Azure AD Password Protection), which prevents easily guessable passwords from being chosen when the user resets.

  • Configured: Feature is enabled; Scores 1 point
  • Not Configured: Feature is not enabled; Scores 0 points

 

Password Reset Notification

Description: Verifies if Password Reset Notification setting is enabled

Why: Enabling password reset notifications is recommended so that users are alerted to any reset of their password that they did not request.

  • Configured: Feature is enabled; Scores 1 point
  • Not Configured: Feature is not enabled; Scores 0 points

 

Admin Password Reset Notification

Description: Verifies if Admin Password Reset Notification setting is enabled

Why: Enabling password reset notifications for admins in the Azure Active Directory Admin Center is recommended so that all other admin users are alerted whenever any administrator resets their own password.

  • Configured: Feature is enabled; Scores 1 point
  • Not Configured: Feature is not enabled; Scores 0 points

 

Block Legacy Authentication

Description: Verifies whether users are able to authenticate using legacy authentication protocols

Why: Blocking legacy authentication makes it much harder for an attacker to use stolen credentials. Legacy authentication refers to clients and protocols that sign in with basic authentication or the Microsoft Online Sign-in Assistant (for example older Office clients, and mail clients using IMAP, POP3 or SMTP AUTH). These cannot prompt for MFA, so a password alone is enough to sign in, which is why password-spray and credential-stuffing attacks target them.

  • Configured: All users are blocked from legacy authentication methods; Scores 2 points
  • Partially Configured: At least 1 user is blocked from legacy authentication methods; Scores 1 point
  • Not Configured: No users are blocked from legacy authentication methods; Scores 0 points

 

Inactive Accounts

Description: Identifies accounts that have not had any activity for 30 days.

Why: Deleting or blocking accounts that haven't been used in the last 30 days, after checking with owners, helps prevent unauthorized use of inactive accounts. These accounts can be targets for attackers who are looking to find ways to access your data without being noticed.

  • Configured: 0 accounts are identified as inactive; Scores 1 point
  • Not Configured: At least 1 account is identified as inactive; Scores 0 points
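The inactive-account check can be reproduced from the sign-in activity that Azure AD records per user. The following is an added example using Microsoft Graph PowerShell (v2), not Augmentt's own code; it assumes that accounts already blocked from sign-in are not counted and that a never-used account is idle from its creation date, neither of which the article states. `Get-LastActivity` is a helper defined here for illustration.

```powershell
# Added example, not Augmentt's code: lists member accounts with no sign-in in
# the last 30 days using Microsoft Graph PowerShell (v2). SignInActivity needs
# AuditLog.Read.All and an Azure AD Premium licence in the tenant.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-30)

$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id, UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity

# Most recent of interactive and non-interactive sign-in. Non-interactive
# covers token refreshes by background clients, which still count as use.
function Get-LastActivity {
    param($User)
    $stamps = @($User.SignInActivity.LastSignInDateTime,
                $User.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    if ($stamps.Count -eq 0) { return $null }
    return ($stamps | Sort-Object -Descending)[0]
}

$inactive = foreach ($u in $users) {
    # Assumption: accounts already blocked from sign-in are not counted, since
    # the remediation the article suggests has been applied to them.
    if (-not $u.AccountEnabled) { continue }
    $last = Get-LastActivity $u
    # An account that has never signed in is idle since it was created; one
    # created within the window has not yet had 30 days in which to be used.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            LastActivity      = $last
            DaysIdle          = [int]($now - $reference).TotalDays
        }
    }
}

$inactive | Sort-Object DaysIdle -Descending | Format-Table -AutoSize
$score = if (@($inactive).Count -eq 0) { 1 } else { 0 }
"Inactive Accounts: $(@($inactive).Count) account(s); score $score"
```

Check the service and shared mailboxes that appear in this list before disabling anything: a mailbox that is only ever accessed through delegation will show no sign-in of its own, which is why the article says to confirm with owners first.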

 

Teams Default External/Guest Options

Description: Verifies whether Teams allows external communication by default, based on 3 settings:

  • “Users can communicate with other Skype for Business and Teams users” is compliant when disabled
  • “Users can communicate with Skype users” is compliant when disabled
  • “Allow guest access in Teams” is compliant when disabled

Why: External collaboration through Teams can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should make a conscious decision and assess the risks when collaborating externally, rather than having external collaboration enabled by default.

  • Configured: All 3 settings are disabled by default; Scores 2 points
  • Partially Configured: At least 1 setting is disabled by default; Scores 1 point
  • Not Configured: None of the settings are disabled by default; Scores 0 points

 

SharePoint External/Guest Sharing

Description: Verifies whether SharePoint allows external collaboration by default, based on 5 settings:

  • “SharePoint content can be shared with” is compliant when it is not set to “Anyone”
  • “Guests must sign in using the same account to which sharing invitations are sent” is compliant when enabled
  • “Allow guests to share items they don’t own” is compliant when disabled
  • “Default sharing for file and folder links” is compliant when set to “Specific people” or “Only people in your organization”, and non-compliant when set to “Anyone with the link”
  • “Default permissions for file and folder links” is compliant when set to “View”

Why: External collaboration through SharePoint can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should make a conscious decision and assess the risks when collaborating externally, rather than having external sharing enabled by default.

  • Configured: All 5 settings are compliant; Scores 2 points
  • Partially Configured: At least 1 setting is compliant; Scores 1 point
  • Not Configured: None of the settings are compliant; Scores 0 points

 

OneDrive External/Guest Sharing

Description: Verifies OneDrive default content sharing settings:

  • “OneDrive content can be shared with” is compliant when it is not set to “anyone”

Why: External collaboration through OneDrive can leave your organization open to security risks such as uncontrolled file sharing and sensitive data leakage. Employees should make a conscious decision and assess the risks when collaborating externally, rather than having external sharing enabled by default.

  • Configured: Setting is compliant; Scores 1 point
  • Not Configured: Setting is not compliant; Scores 0 points
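The Teams, SharePoint and OneDrive sharing checks above all read tenant-wide settings that the admin modules expose directly. The following is an added example, not Augmentt's own code; the mapping from the admin-center labels to cmdlet properties (for instance “Anyone” to `ExternalUserAndGuestSharing`, and “Specific people” / “Only people in your organization” to `Direct` / `Internal`) is my reading of those settings, and the `contoso-admin` tenant URL is a placeholder.

```powershell
# Added example, not Augmentt's code: reads the Teams, SharePoint and OneDrive
# settings behind the three sharing checks above. Needs the MicrosoftTeams and
# Microsoft.Online.SharePoint.PowerShell modules and a SharePoint/Teams admin.
# The mapping from the admin-center labels to cmdlet properties is my own.
Connect-MicrosoftTeams
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant URL

$fed  = Get-CsTenantFederationConfiguration
$team = Get-CsTeamsClientConfiguration
$spo  = Get-SPOTenant

# $true means the setting is in the compliant state the article describes.
$teamsChecks = [ordered]@{
    'Users can communicate with other Skype for Business and Teams users' = -not $fed.AllowFederatedUsers
    'Users can communicate with Skype users'                              = -not $fed.AllowPublicUsers
    'Allow guest access in Teams'                                         = -not $team.AllowGuestUser
}
$spoChecks = [ordered]@{
    # 'Anyone' in the admin center is ExternalUserAndGuestSharing in the cmdlet.
    'SharePoint content can be shared with'                        = $spo.SharingCapability -ne 'ExternalUserAndGuestSharing'
    'Guests must sign in using the same account as the invitation' = [bool]$spo.RequireAcceptingAccountMatchInvitedAccount
    'Allow guests to share items they don''t own (must be off)'    = [bool]$spo.PreventExternalUsersFromResharing
    # Direct = Specific people, Internal = Only people in your organization,
    # AnonymousAccess = Anyone with the link.
    'Default sharing for file and folder links'                    = $spo.DefaultSharingLinkType -ne 'AnonymousAccess'
    'Default permissions for file and folder links'                = $spo.DefaultLinkPermission -eq 'View'
}
$oneDriveChecks = [ordered]@{
    'OneDrive content can be shared with' = $spo.OneDriveSharingCapability -ne 'ExternalUserAndGuestSharing'
}

# Scores a check: all compliant = full marks, at least one = 1 (only for
# 2-point checks), none = 0.
function Get-PostureScore {
    param([System.Collections.IDictionary]$Checks, [int]$MaxPoints)
    $ok = @($Checks.Values | Where-Object { $_ }).Count
    if ($ok -eq $Checks.Count) { return $MaxPoints }
    if ($ok -ge 1 -and $MaxPoints -gt 1) { return 1 }
    return 0
}

foreach ($set in @(@{ Name = 'Teams';      Checks = $teamsChecks;    Max = 2 },
                   @{ Name = 'SharePoint'; Checks = $spoChecks;      Max = 2 },
                   @{ Name = 'OneDrive';   Checks = $oneDriveChecks; Max = 1 })) {
    "{0}: {1}/{2} points" -f $set.Name, (Get-PostureScore $set.Checks $set.Max), $set.Max
    $set.Checks.GetEnumerator() | Where-Object { -not $_.Value } |
        ForEach-Object { "  not compliant: $($_.Key)" }
}
```

These are tenant defaults only. A site collection can be set to a more permissive sharing level than the tenant, so a tenant that scores 2 here can still have individual sites sharing with anyone; `Get-SPOSite -Limit All | Where-Object SharingCapability -eq 'ExternalUserAndGuestSharing'` is the follow-up query for that.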

 

Risky IP Address Policy

Description: Verifies if a Conditional Access Policy is in place that blocks access based on IP address

Why: A Conditional Access policy keyed on IP address lets you block sign-ins from addresses you do not trust, or require additional verification before granting access from them, which reduces the number of attacks your users are exposed to.

  • Configured: A conditional access policy blocking access based on IP address exists; Scores 1 point
  • Not Configured: A conditional access policy blocking access based on IP address does not exist; Scores 0 points

 

Risky Country Policy

Description: Verifies if a Conditional Access Policy is in place that blocks access based on Countries

Why: A Conditional Access policy keyed on country lets you block sign-ins from countries your organization never operates in, or require additional verification before granting access from them, which reduces the number of attacks your users are exposed to.

  • Configured: A conditional access policy blocking access based on Countries exists; Scores 1 point
  • Not Configured: A conditional access policy blocking access based on Countries does not exist; Scores 0 points
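The Block Legacy Authentication, Risky IP Address and Risky Country checks all come down to finding an enabled Conditional Access policy with a `block` grant that targets the right condition. The following is an added example using Microsoft Graph PowerShell (v2), not Augmentt's own code; it assumes a location policy counts whether the named location is in the include list (block these places) or the exclude list (block everything except these places), which the article does not specify, and `Test-BlockGrant` / `Test-LocationBlock` are helpers defined here for illustration.

```powershell
# Added example, not Augmentt's code: finds the enabled Conditional Access
# policies behind the Block Legacy Authentication, Risky IP Address and Risky
# Country checks, via Microsoft Graph PowerShell (v2). Exclusions and app
# scoping are not scored; what counts as "blocking" is my reading of the text.
Connect-MgGraph -Scopes 'Policy.Read.All'

$policies  = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })
$locations = @(Get-MgIdentityConditionalAccessNamedLocation -All)

function Test-BlockGrant { param($P) return ($P.GrantControls.BuiltInControls -contains 'block') }

# Legacy authentication: the policy must target the two legacy client app
# types and block. 'other' covers basic auth and Sign-in Assistant clients.
$legacyBlock = @($policies | Where-Object {
    (Test-BlockGrant $_) -and
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
    ($_.Conditions.ClientAppTypes -contains 'other')
})
# "All users" is Configured; a policy scoped to some users is Partially Configured.
$legacyScore = if ($legacyBlock.Count -eq 0) { 0 }
               elseif ($legacyBlock | Where-Object { $_.Conditions.Users.IncludeUsers -contains 'All' }) { 2 }
               else { 1 }

# Named locations are polymorphic; the SDK exposes the concrete type via @odata.type.
$ipLocations      = @($locations | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.ipNamedLocation' }).Id
$countryLocations = @($locations | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.countryNamedLocation' }).Id

# Assumption: a block policy referencing a location of the given kind in either
# the include list (block these places) or the exclude list (block everything
# except these places) satisfies the check.
function Test-LocationBlock {
    param($P, [string[]]$LocationIds)
    if (-not (Test-BlockGrant $P)) { return $false }
    $referenced = @($P.Conditions.Locations.IncludeLocations) + @($P.Conditions.Locations.ExcludeLocations)
    return @($referenced | Where-Object { $LocationIds -contains $_ }).Count -gt 0
}

$ipPolicies      = @($policies | Where-Object { Test-LocationBlock $_ $ipLocations })
$countryPolicies = @($policies | Where-Object { Test-LocationBlock $_ $countryLocations })

[pscustomobject]@{
    LegacyAuthScore    = $legacyScore
    LegacyAuthPolicy   = $legacyBlock.DisplayName
    RiskyIpScore       = [int]($ipPolicies.Count -gt 0)
    RiskyIpPolicy      = $ipPolicies.DisplayName
    RiskyCountryScore  = [int]($countryPolicies.Count -gt 0)
    RiskyCountryPolicy = $countryPolicies.DisplayName
}
```

A policy in report-only mode has `State` set to `enabledForReportingButNotEnforced` and is deliberately not counted above, since it blocks nothing; if the legacy-auth score comes back 0 while such a policy exists, the sign-in logs filtered on the legacy client apps will show what would have been blocked before you switch it on.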

 

DLP Policies

Description: Verifies if DLP policies are in place.  Augmentt makes the assumption that if at least one policy has been implemented, you’ve put some thought into the Data Loss Prevention needs of your customers.

Why: Data Loss Prevention (DLP) policies can be used to comply with business standards and industry regulations that mandate the protection of sensitive information to prevent accidental or malicious disclosure. DLP sends alerts after it scans for potentially sensitive data, such as social security and credit card numbers, in Exchange Online and SharePoint Online. Setting up DLP policies will let you identify, monitor, and automatically protect sensitive information.

  • Configured: At least 1 DLP policy exists; Scores 1 point
  • Not Configured: No DLP policies exist; Scores 0 points

 
