Microsoft 365 Discovery
Discover and audit Microsoft 365 tenant configurations.
Overview
Microsoft 365 Discovery provides visibility into your identity, email, and collaboration security configurations. Connect your M365 tenant to discover Entra ID, Exchange Online, SharePoint, and Teams configurations, then assess them against the CIS Microsoft 365 Foundations Benchmark.
What's Discovered
Entra ID (Azure AD)
- Users: Account status, MFA enrollment status
- Groups: Security groups, M365 groups, distribution lists
- App Registrations: Third-party apps with their permissions
- Service Principals: Enterprise applications
- Conditional Access: Policies and MFA requirements
- Directory Roles: Privileged role assignments
- Guest Users: External collaboration access
Privileged Access
- PIM Assignments: Eligible and active privileged roles
- Risky Users: Users flagged by Identity Protection
- Security Alerts: Identity-related security alerts
Exchange Online
- Mailboxes: Configuration and settings
- External Forwarding: Mailboxes forwarding to external addresses
- Audit Status: Mailbox audit logging enablement
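The "External Forwarding" item above (and the "External forwarding restrictions" rule in the compliance section) boils down to one check: does a mailbox deliver mail to a domain the tenant does not own? The following is an added example, not Infracast's discovery code. It looks at the two places forwarding is configured: the mailbox-level `ForwardingSmtpAddress` value from Exchange Online, and inbox rules in the shape Microsoft Graph returns from `/users/{id}/mailFolders/inbox/messageRules`. The accepted-domain list and the mailboxes are constructed sample data; a real run would feed it the tenant's accepted domains and the discovered mailboxes.

```python
"""Flag mailboxes that forward mail outside the tenant (added example)."""

ACCEPTED_DOMAINS = {"contoso.example", "contoso-mail.example"}  # constructed tenant domains


def normalize_address(address):
    """Lower-case and strip the 'smtp:' prefix Exchange uses on ForwardingSmtpAddress."""
    address = address.strip().lower()
    return address[5:] if address.startswith("smtp:") else address


def is_external(address, accepted_domains=ACCEPTED_DOMAINS):
    """True when the address's domain is not one of the tenant's accepted domains."""
    addr = normalize_address(address)
    if "@" not in addr:
        return False  # not an SMTP address (e.g. a directory recipient reference)
    return addr.rsplit("@", 1)[1] not in accepted_domains


def rule_forward_targets(rule):
    """Yield (action, address) for every forward/redirect action in a Graph messageRule."""
    actions = rule.get("actions") or {}
    for action in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(action) or []:
            yield action, recipient["emailAddress"]["address"]


def find_external_forwarding(mailboxes, accepted_domains=ACCEPTED_DOMAINS):
    """Return one finding per external forwarding target, from mailbox settings and inbox rules."""
    findings = []
    for mailbox in mailboxes:
        owner = mailbox["userPrincipalName"]
        fwd = mailbox.get("forwardingSmtpAddress")
        if fwd and is_external(fwd, accepted_domains):
            findings.append({"mailbox": owner, "source": "ForwardingSmtpAddress",
                             "target": normalize_address(fwd)})
        for rule in mailbox.get("inboxRules") or []:
            if not rule.get("isEnabled", True):
                continue  # disabled rules do not forward anything
            for action, target in rule_forward_targets(rule):
                if is_external(target, accepted_domains):
                    findings.append({"mailbox": owner,
                                     "source": f"inbox rule '{rule.get('displayName')}' ({action})",
                                     "target": normalize_address(target)})
    return findings


# Constructed sample: internal forwarding (fine), mailbox-level external forwarding,
# and one external inbox rule beside an internal one and a disabled one.
SAMPLE_MAILBOXES = [
    {"userPrincipalName": "alice@contoso.example",
     "forwardingSmtpAddress": "smtp:helpdesk@contoso-mail.example", "inboxRules": []},
    {"userPrincipalName": "bob@contoso.example",
     "forwardingSmtpAddress": "smtp:bob.home@personal-mail.example", "inboxRules": []},
    {"userPrincipalName": "carol@contoso.example", "forwardingSmtpAddress": None,
     "inboxRules": [
         {"displayName": "Invoices", "isEnabled": True,
          "actions": {"redirectTo": [{"emailAddress": {"address": "finance@contoso.example"}}],
                      "forwardTo": [{"emailAddress": {"address": "Archive@Outside-Mail.example"}}]}},
         {"displayName": "Old rule", "isEnabled": False,
          "actions": {"forwardTo": [{"emailAddress": {"address": "x@outside-mail.example"}}]}},
     ]},
]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_MAILBOXES):
        print(f"{finding['mailbox']}: {finding['source']} -> {finding['target']}")
```

Accepted domains are matched exactly; a subdomain the tenant has not registered as an accepted domain is reported as external, which is the conservative reading. Disabled rules are skipped, but a reviewer may still want them listed separately, since re-enabling one is a single click.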
SharePoint Online
- Sites: Site collections across the tenant
- Sharing Settings: External sharing configurations
Microsoft Teams
- Teams: Team configurations
- Guest Access: External collaboration settings
Security Posture
- Microsoft Secure Score: Your tenant's security score
Setup
Prerequisites
- Azure AD App Registration
- Required Microsoft Graph API permissions (see below)
- Admin consent for the permissions
Required Permissions
Grant these Microsoft Graph API permissions to your App Registration:
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Discover users |
| Group.Read.All | Application | Discover groups |
| Directory.Read.All | Application | Directory roles, guest users |
| Policy.Read.All | Application | Conditional Access policies |
| RoleManagement.Read.All | Application | PIM assignments |
| IdentityRiskyUser.Read.All | Application | Risky user detection |
| SecurityEvents.Read.All | Application | Security alerts |
| Mail.Read | Application | Mailbox discovery |
| Sites.Read.All | Application | SharePoint sites |
Configuration Steps
- Go to Operations → Agentless Discovery
- Select the Microsoft 365 tab
- Click Configure M365
- Enter:
  - Tenant ID: Your Azure AD tenant GUID
  - Client ID: App Registration application ID
  - Client Secret: App Registration client secret
- Click Test Connection
- Click Start Discovery
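What "Test Connection" has to do with the three values above can be reproduced outside the product: request an app-only token for Microsoft Graph with the client-credentials grant, then confirm the permissions from the table were actually consented before discovery starts. The following is an added example, not Infracast's code. It assumes the standard Microsoft identity platform token endpoint (`https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`) and reads the `roles` claim of the returned token, which lists the consented application permissions. Microsoft documents Graph access tokens as opaque to the caller, so treat the claim inspection as a troubleshooting aid; the App Registration's "API permissions" page remains the authoritative view. The `post` parameter and `fake_token_response` helper exist so the check runs offline against a constructed reply.

```python
"""Client-credentials token request plus a permission pre-flight (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Application permissions from the table above, and what each one unlocks.
REQUIRED_PERMISSIONS = {
    "User.Read.All": "users",
    "Group.Read.All": "groups",
    "Directory.Read.All": "directory roles, guest users",
    "Policy.Read.All": "Conditional Access policies",
    "RoleManagement.Read.All": "PIM assignments",
    "IdentityRiskyUser.Read.All": "risky users",
    "SecurityEvents.Read.All": "security alerts",
    "Mail.Read": "mailboxes",
    "Sites.Read.All": "SharePoint sites",
}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body for the OAuth 2.0 client-credentials grant (app-only token)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def decode_jwt_claims(token):
    """Read the payload of the token we just received from the token endpoint.

    No signature check is done here: this inspects our own outbound token for
    troubleshooting, it does not accept a token presented by someone else.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(claims):
    """Required permissions absent from the `roles` claim, mapped to what discovery will skip."""
    granted = set(claims.get("roles") or [])
    return {perm: purpose for perm, purpose in REQUIRED_PERMISSIONS.items()
            if perm not in granted}


def check_connection(tenant_id, client_id, client_secret, post=None):
    """Request a token and report readiness. `post(url, body)` is injectable for offline runs."""
    if post is None:
        def post(url, body):
            req = urllib.request.Request(url, data=body.encode(), method="POST")
            try:
                with urllib.request.urlopen(req) as resp:
                    return json.loads(resp.read())
            except urllib.error.HTTPError as err:  # AAD returns 400/401 with a JSON error body
                return json.loads(err.read() or b"{}")
    url, body = build_token_request(tenant_id, client_id, client_secret)
    response = post(url, body)
    if "access_token" not in response:
        return {"ok": False, "error": response.get("error_description", "no access_token in response"),
                "missing": dict(REQUIRED_PERMISSIONS)}
    claims = decode_jwt_claims(response["access_token"])
    missing = missing_permissions(claims)
    return {"ok": not missing, "tenant": claims.get("tid"), "missing": missing}


def fake_token_response(roles, tenant="00000000-0000-0000-0000-000000000000"):
    """Constructed token-endpoint reply for offline demonstration: an unsigned JWT, not a real token."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    token = f"{b64url({'alg': 'none'})}.{b64url({'tid': tenant, 'roles': roles})}."
    return {"token_type": "Bearer", "expires_in": 3599, "access_token": token}


if __name__ == "__main__":
    partial = fake_token_response(["User.Read.All", "Group.Read.All"])
    report = check_connection("<tenant-id>", "<client-id>", "<client-secret>",
                              post=lambda url, body: partial)
    for perm, purpose in report["missing"].items():
        print(f"missing {perm}: discovery of {purpose} will be incomplete")
```

Run it without the `post` argument and with real values to hit the token endpoint. A permission that is added to the App Registration but never admin-consented does not appear in `roles`, which is exactly the "Missing Resources" symptom in the troubleshooting section.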
Compliance Assessment
CIS Microsoft 365 Foundations Benchmark
Infracast includes 23 automated rules covering:
Identity & Access
- MFA enforcement for all users
- MFA for administrators
- Conditional Access policy configuration
- Privileged role limits
- Guest user review
- PIM for privileged access
Application Security
- App consent restrictions
- Admin consent workflow
- High-privilege app permission review
Data Protection
- SharePoint external sharing
- DLP policy configuration
- Safe Attachments enabled
- Safe Links enabled
Audit & Monitoring
- Unified audit log enabled
- Mailbox auditing enabled
- Security alert monitoring
Exchange Security
- External forwarding restrictions
- Anti-spam policy configuration
Teams Security
- External domain access
- Guest access controls
- Meeting recording policies
Security Posture
- Microsoft Secure Score monitoring
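The first two Identity & Access rules ("MFA enforcement for all users" and "MFA for administrators") are evaluated from Conditional Access policies. The following is an added example of how such a rule can be checked; it is not Infracast's rule engine and does not claim to reproduce the benchmark's exact audit procedure. Policies are in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies`; the sample tenant is constructed. Two details practitioners often miss are handled: a policy in report-only state (`enabledForReportingButNotEnforced`) enforces nothing, and policies built on an authentication strength do not list `mfa` under `builtInControls` even though they require it.

```python
"""Evaluate Conditional Access policies against the two MFA rules above (added example)."""

# Well-known Entra ID role template ID for Global Administrator (identical in every tenant).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def _users(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def is_enforced(policy):
    """Only 'enabled' enforces; report-only and 'disabled' do not."""
    return policy.get("state") == "enabled"


def applies_to_all_apps(policy):
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return "All" in (apps.get("includeApplications") or [])


def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    if "mfa" in (grant.get("builtInControls") or []):
        return True
    # Authentication-strength policies demand MFA without listing the "mfa" control.
    return grant.get("authenticationStrength") is not None


def covers_all_users(policy):
    return "All" in (_users(policy).get("includeUsers") or [])


def covers_global_admins(policy):
    return covers_all_users(policy) or GLOBAL_ADMIN_TEMPLATE_ID in (_users(policy).get("includeRoles") or [])


def evaluate_mfa_rules(policies):
    """Return {rule: {"status", "policies", "exclusions"}} for the two MFA rules."""
    enforcing = [p for p in policies if is_enforced(p) and applies_to_all_apps(p) and requires_mfa(p)]
    rules = {
        "MFA enforcement for all users": [p for p in enforcing if covers_all_users(p)],
        "MFA for administrators": [p for p in enforcing if covers_global_admins(p)],
    }
    report = {}
    for rule, matches in rules.items():
        # Excluded accounts (typically break-glass) are a review item, not an automatic fail.
        excluded = sorted({u for p in matches for u in (_users(p).get("excludeUsers") or [])})
        report[rule] = {
            "status": "PASS" if matches else "FAIL",
            "policies": [p.get("displayName") for p in matches],
            "exclusions": excluded,
        }
    return report


# Constructed sample tenant: one report-only all-users policy and one enforced admin policy.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-guid"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for Global Administrators",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_TEMPLATE_ID],
                                 "excludeUsers": ["breakglass-guid"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for rule, result in evaluate_mfa_rules(SAMPLE_POLICIES).items():
        print(f"{result['status']}  {rule}  via {result['policies']}  excluded: {result['exclusions']}")
```

On the sample tenant the all-users rule fails because its only candidate policy is report-only, while the administrator rule passes via the Global Administrator policy. The `exclusions` list is returned rather than judged, since one or two documented break-glass accounts are expected, but a long exclusion list deserves the same review as a missing policy.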
Viewing Results
Asset Graph
Discovered M365 resources appear in the Asset Graph:
- Filter by `m365.*` node types
- View relationships between users, groups, and apps
- See Conditional Access policy assignments
Compliance Findings
View M365-specific findings:
- Go to Compliance → Findings
- Filter by framework: CIS M365
- Review findings by severity
Microsoft Secure Score
Your tenant's Secure Score appears on:
- M365 tenant node properties
- Dashboard security metrics
Best Practices
Identity Security
- Enable MFA for all users: Start with administrators, then expand
- Use Conditional Access: Require MFA for risky sign-ins
- Implement PIM: Use just-in-time access for privileged roles
- Review guest access: Audit external users quarterly
Data Protection
- Restrict external sharing: Limit SharePoint anonymous links
- Enable DLP: Protect sensitive data from accidental exposure
- Configure Safe Attachments/Links: Enable Microsoft Defender features
Monitoring
- Enable unified audit log: Required for security investigations
- Monitor Secure Score: Track and improve your security posture
- Review security alerts: Investigate Identity Protection alerts promptly
Troubleshooting
Authentication Failed
- Verify Tenant ID, Client ID, and Client Secret
- Ensure the App Registration hasn't expired
- Check that admin consent was granted for all permissions
Missing Resources
- Verify the App Registration has the required permissions
- Some resources require specific licenses (e.g., PIM requires Azure AD P2)
Incomplete Discovery
- Large tenants may take longer to discover
- Check for Graph API rate limiting
- Retry discovery if results seem incomplete
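Graph API rate limiting and incomplete results are two faces of the same problem: a throttled (HTTP 429) page that is skipped instead of retried silently shortens the result set. The following added example, not Infracast's code, shows the client behaviour that avoids that: follow `@odata.nextLink` to the last page, wait out 429/503 responses for the number of seconds in the `Retry-After` header before re-requesting the same page, and compare the item count with `@odata.count` when the request asked for it with `$count=true`. `make_graph_get` is a real transport over `urllib`; `make_fake_get` is a constructed stand-in that throttles the first request so the logic can be exercised offline.

```python
"""Paging and throttling-aware Graph client loop (added example)."""
import json
import time
import urllib.error
import urllib.request


def make_graph_get(access_token):
    """Real transport: returns (status, headers, json_body) and never raises on HTTP errors."""
    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            body = err.read()
            return err.code, dict(err.headers), (json.loads(body) if body else {})
    return get


def graph_get_all(url, get, sleep=time.sleep, max_retries=5):
    """Follow @odata.nextLink to the end, waiting out 429/503 throttling with Retry-After.

    Returns (items, expected_count); expected_count is @odata.count when the
    request asked for it ($count=true), else None.
    """
    items, expected, next_url, retries = [], None, url, 0
    while next_url:
        status, headers, body = get(next_url)
        if status in (429, 503, 504):
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"still throttled after {max_retries} retries at {next_url}")
            lowered = {k.lower(): v for k, v in headers.items()}
            # Graph sends Retry-After in seconds; fall back to exponential backoff without it.
            sleep(float(lowered.get("retry-after", 2 ** retries)))
            continue  # re-request the same page; items already collected stay intact
        if status != 200:
            raise RuntimeError(f"Graph returned {status} for {next_url}: {body.get('error')}")
        retries = 0
        if expected is None and "@odata.count" in body:
            expected = body["@odata.count"]
        items.extend(body.get("value", []))
        next_url = body.get("@odata.nextLink")
    return items, expected


def discovery_is_complete(items, expected):
    """'Results seem incomplete' made concrete: compare what arrived with what Graph said exists."""
    return expected is None or len(items) == expected


# Constructed fake Graph: the first request is throttled, then two pages of users follow.
FIRST = "https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName&$top=2&$count=true"
SECOND = FIRST + "&$skiptoken=constructed-page2"


def make_fake_get(calls):
    """Record every URL requested in `calls`; throttle the first request exactly once."""
    state = {"throttle_pending": True}

    def get(url):
        calls.append(url)
        if url == FIRST and state["throttle_pending"]:
            state["throttle_pending"] = False
            return 429, {"Retry-After": "3"}, {"error": {"code": "constructed-throttle"}}
        if url == FIRST:
            return 200, {}, {"@odata.count": 3, "value": [{"id": "u1"}, {"id": "u2"}],
                             "@odata.nextLink": SECOND}
        return 200, {}, {"value": [{"id": "u3"}]}
    return get


if __name__ == "__main__":
    calls, waits = [], []
    users, expected = graph_get_all(FIRST, make_fake_get(calls), sleep=waits.append)
    print(f"{len(users)} of {expected} users, waited {waits}, complete={discovery_is_complete(users, expected)}")
```

With a real token, `graph_get_all(FIRST, make_graph_get(token))` performs the same loop against the tenant. Note that `$count=true` on the `users` resource additionally requires the `ConsistencyLevel: eventual` request header; without it Graph returns no `@odata.count` and the completeness check degrades to "no information" rather than a false pass.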