Security March 27, 2026 · 7 min read

Cloud Security Posture Management for M365: A Guide for MSPs

Most M365 tenants have critical security misconfigurations. Here's how to find and fix them systematically.

Microsoft 365 is deployed in nearly every MSP client environment. And nearly every M365 tenant has security misconfigurations that create unnecessary risk. Cloud Security Posture Management (CSPM) for M365 gives you visibility into these misconfigurations and helps you remediate them systematically.

Common M365 Misconfigurations

MFA not enforced: You'd be shocked how many M365 tenants have admin accounts without MFA, or have MFA disabled for certain user groups. Every account needs MFA. No exceptions.

Legacy authentication enabled: Legacy auth protocols (POP3, IMAP, Basic Auth) don't support MFA. If they're enabled, an attacker with stolen credentials can bypass MFA entirely. These should be blocked via Conditional Access.

Overprivileged admin accounts: Global admins doing daily work. Service accounts with unnecessary permissions. Users with admin roles they don't need. Apply least privilege.

External sharing too permissive: SharePoint and OneDrive configured to allow sharing with "anyone" (anonymous links). External sharing should be restricted to specific domains or require authentication.

Audit logging not enabled: M365 Unified Audit Log isn't enabled by default on all plan tiers. Without it, you have no visibility into who did what in the tenant.

Mailbox forwarding rules: Attackers commonly set up hidden forwarding rules in compromised mailboxes to exfiltrate email. Regular scanning for unauthorized forwarding rules is essential.

CIS Microsoft 365 Benchmarks

The CIS Benchmarks for M365 provide a comprehensive checklist of recommended security configurations. Running a CIS benchmark scan against each client's M365 tenant gives you a clear picture of their configuration posture and specific remediation actions. Most CSPM tools can automate this scanning.

Secure Score

Microsoft Secure Score provides a built-in posture score for M365 tenants. While it's a useful starting point, it doesn't catch everything and its recommendations aren't always aligned with MSP operational realities. Use Secure Score as one input, not your only measure of M365 security.

Continuous Monitoring

M365 security isn't a one-time audit. Configurations drift: new users get provisioned without MFA, sharing settings get changed, new applications get authorized. Continuous CSPM monitoring alerts you when configurations change from your hardened baseline, catching drift before it becomes a vulnerability.
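The baseline comparison described above can be sketched as follows. This is an added example, not code from the original article or from any CSPM product; the snapshot keys, the sharing-level names and the global-admin threshold are assumptions made for illustration, and it covers the misconfigurations listed earlier rather than a full CIS benchmark.

```python
# Constructed snapshot format: every key below is an assumption for this example,
# not a Microsoft Graph or Exchange Online schema.
BASELINE = {
    "legacy_auth_blocked": True,
    "unified_audit_log_enabled": True,
    "sharing_level": "authenticated_guests",  # anything looser than this is drift
    "max_global_admins": 2,                   # assumed threshold, set per client
}
# Sharing levels ordered from most to least restrictive.
SHARING_ORDER = ["disabled", "allowed_domains", "authenticated_guests", "anyone"]


def find_drift(snapshot, baseline=BASELINE):
    """Return a sorted list of (check, subject, detail) findings for one tenant."""
    findings = []
    for key in ("legacy_auth_blocked", "unified_audit_log_enabled"):
        if snapshot[key] != baseline[key]:
            findings.append((key, "tenant", f"expected {baseline[key]}, got {snapshot[key]}"))
    if SHARING_ORDER.index(snapshot["sharing_level"]) > SHARING_ORDER.index(baseline["sharing_level"]):
        findings.append(("sharing_level", "tenant", snapshot["sharing_level"]))
    admins = [u["upn"] for u in snapshot["users"] if "Global Administrator" in u["roles"]]
    if len(admins) > baseline["max_global_admins"]:
        findings.append(("global_admin_count", "tenant", str(len(admins))))
    for user in snapshot["users"]:
        if not user["mfa_enforced"]:
            findings.append(("mfa", user["upn"], "admin" if user["roles"] else "user"))
        # Forwarding to a domain the tenant does not own is treated as unauthorized.
        for target in user.get("forward_to", []):
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in snapshot["accepted_domains"]:
                findings.append(("external_forwarding", user["upn"], target))
    return sorted(findings)


# Constructed sample tenant (example.com and example.net are placeholders).
SAMPLE = {
    "legacy_auth_blocked": False,
    "unified_audit_log_enabled": True,
    "sharing_level": "anyone",
    "accepted_domains": {"example.com"},
    "users": [
        {"upn": "admin@example.com", "roles": ["Global Administrator"], "mfa_enforced": False},
        {"upn": "pat@example.com", "roles": [], "mfa_enforced": True,
         "forward_to": ["archive@example.com", "drop@example.net"]},
    ],
}

if __name__ == "__main__":
    for finding in find_drift(SAMPLE):
        print(*finding, sep=" | ")
```

Running the same check on every scheduled snapshot and alerting only on findings that were absent from the previous run turns it into drift detection rather than a repeated audit.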
