The 165 Microsoft 365 security checks Black Cat runs
Black Cat SSPM evaluates 165 security policies against your Microsoft 365 configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Restrict M365 guest user permissions to Most Restrictive in External Identities settings
Restrict M365 guest invitations to only users assigned to specific admin roles
Prevent non-admin M365 users from creating security groups in Azure portals
Prevent non-admin M365 users from registering applications in Entra ID
Disable M365 user consent to apps and require admin approval for OAuth grants
Restrict M365 guest user access to limited directory properties and memberships
Enable M365 admin consent workflow so users can request app access
Prevent M365 users from creating new Azure AD tenants
Restrict M365 group creation to a specific security group of approved users
Block legacy MSOL PowerShell access in M365 using Conditional Access policies
Disable guest self-service sign-up flows in M365 External Identities settings
Restrict M365 guest user access to group properties and memberships
Ensure at least two M365 Global Administrator accounts exist for redundancy
Reduce M365 Global Admin count to 2-4 accounts by demoting unnecessary admins
Replace synced M365 Global Admin accounts with cloud-only admin accounts
Remove admin roles from external M365 guest users and create internal accounts
Review and remove M365 guest accounts that no longer require access
Remove Copilot licenses from M365 guest accounts to prevent data exposure
Create an M365 Conditional Access policy to block high-risk users from signing in
Create an M365 Conditional Access policy to block or require MFA for risky sign-ins
Create an M365 Conditional Access policy to block legacy authentication protocols
Configure M365 Conditional Access sign-in frequency to a maximum of 12 hours
Create an M365 Conditional Access policy to require compliant devices for all cloud apps
Create an M365 Conditional Access policy to block the device code authentication flow
Complete the M365 migration from legacy MFA to the unified Authentication Methods policy
Restrict M365 Temporary Access Pass to specific admin groups rather than all users
Configure M365 Temporary Access Pass to be usable only once
Disable the M365 global TAP policy and use targeted group assignments instead
Set M365 Temporary Access Pass maximum lifetime to 1 hour or less
Set M365 Temporary Access Pass minimum character length to at least 8 characters
Disable M365 password expiration policy per NIST guidance and rely on MFA instead
Set M365 password lockout threshold to 10 or fewer failed attempts
Set M365 password lockout duration to at least 60 seconds
Enable M365 custom banned password list enforcement to block organization-specific terms
Enable M365 password protection for on-premises Windows Server Active Directory
Switch M365 on-premises password protection mode from Audit to Enforced
Replace M365 service principal password credentials with certificate-based authentication
Delete expired password credentials from M365 service principals
Replace expired M365 service principal certificate credentials with a new certificate
Rotate M365 service principal secrets that exceed 90 days and set shorter expiry
Rotate M365 service principal certificates exceeding 1 year and set shorter validity
Renew M365 service principal secrets expiring soon and update the application configuration
Renew M365 service principal certificates expiring soon and update the application
Replace M365 app registration password credentials with certificate-based authentication
Rotate M365 app registration secrets that exceed 90 days and set shorter expiry
Rotate M365 app registration certificates exceeding 1 year and set shorter validity
Delete expired password credentials from M365 app registrations
Replace expired M365 app registration certificates with a new certificate
Renew M365 app registration secrets expiring soon and update the application configuration
Renew M365 app registration certificates expiring soon and update the application
Revoke sensitive Microsoft Graph API scopes from AI OAuth apps in Microsoft Entra
Enable activity-based session timeout for M365 Outlook Web Access with a 30-minute limit
Block direct sign-in for M365 shared mailbox accounts and enforce delegation-only access
Prevent M365 users from installing Outlook add-ins by disabling user install in OWA policy
Disable direct file access from public computers in M365 OWA mailbox policy
Disable Office document viewing on public computers in M365 OWA mailbox policy
Configure M365 mobile device policies to block non-provisionable devices
Configure M365 ActiveSync to block unmanaged devices from accessing Exchange
audit
Enable global mailbox auditing in M365 Exchange Online via PowerShell
Remove mailbox audit bypass configuration from M365 accounts to restore full audit trail
Enable mailbox auditing for M365 users with comprehensive audit actions
Enable sent-as message copy for M365 shared mailboxes to preserve audit trail
Enable sent-on-behalf message copy for M365 shared mailboxes to preserve audit trail
Remove audit bypass configuration from M365 non-shared mailboxes
Enable auditing for M365 user mailboxes with comprehensive admin and delegate audit actions
Enable the M365 Unified Audit Log to capture all tenant activity for compliance and forensics
autonomy
Review if generative orchestration is appropriate for this agent's risk profile
Enable Microsoft Entra authentication on this agent
Review channel exposure and remove unnecessary channels
Add usage constraints to tool operations instead of allowing anytime use
Review the agent and update its approval status
Block or restrict high-risk agents with scores above 70
configuration
Disable self-service trial and subscription purchases in M365
Enable M365 risk-based step-up consent to block risky app consent requests
Configure a group naming prefix or suffix policy in M365 Entra ID
Enable M365 Customer Lockbox to require admin approval before Microsoft accesses data
Review M365 Copilot license assignments to ensure they align with data governance policies
Complete domain verification for M365 unverified domains by adding the required DNS records
Verify the federated M365 domain before establishing federation trust
Add an SPF TXT record to the M365 domain DNS to prevent email spoofing
Add a DMARC TXT record to the M365 domain DNS to prevent email spoofing
Verify the publisher of multi-tenant M365 apps or restrict consent to verified publishers
Disable SMTP client authentication globally in M365 Exchange Online
Enable external recipient mail tips in M365 to warn users before sending to external addresses
Enable all mail tip types in M365 Exchange Online including large audience thresholds
Disable SMTP client authentication on M365 individual mailboxes that do not require it
Configure X-Frame-Options SAMEORIGIN in M365 OWA to prevent clickjacking attacks
Disable ActiveSync integration in M365 OWA to reduce attack surface
Disable on-send add-ins in M365 OWA mailbox policy to prevent unauthorized processing
Configure M365 OWA to block dangerous file types including .exe, .bat, .cmd, .vbs, and .ps1
Configure M365 OWA to block dangerous MIME types including executable application types
Configure M365 OWA to block unknown file and MIME types instead of allowing them
Review and remove M365 transport rules that include BCC to external recipients
Restrict M365 transport rules that process external sender addresses to internal senders only
Replace message-deleting M365 transport rules with quarantine or redirect actions
Remove or re-enable disabled M365 transport rules to reduce configuration confusion
Disable trusted inbound mail setting for the M365 default remote domain
Disable trusted outbound mail setting for the M365 default remote domain
Disable auto-reply to external domains in M365 remote domain settings
Disable external delivery reports in M365 remote domain settings
Disable non-delivery reports to external domains in M365 remote domain settings
Disable TNEF encoding for M365 remote domain to improve compatibility and reduce attack surface
Make hidden M365 distribution lists visible in the Global Address List
Disable mailbox move for M365 organization relationships to prevent unauthorized migrations
Enable the Common Attachment Types Filter in M365 Defender anti-malware policy
Add all recommended dangerous file types to the M365 Defender anti-malware block list
Enable Zero-Hour Auto Purge in M365 Defender anti-malware, anti-spam, and anti-phishing policies
Enable M365 Defender admin notifications for malware detections
Set M365 Defender blocked file type action to quarantine instead of delete
Configure M365 Defender anti-phishing policy to enable strict spoof intelligence and DMARC enforcement
Enable first contact safety tip in M365 Defender anti-phishing policies
Configure M365 Defender outbound spam thresholds to limit bulk email
Lower the M365 Defender inbound spam bulk complaint level threshold to 6 or less
Configure M365 Defender anti-spam to mark SPF hard fail messages as spam
Configure M365 Defender to quarantine high-confidence spam instead of delivering it
Configure the M365 Defender connection filter IP allow/deny list to block known malicious senders
Enable M365 Defender outbound spam notifications to alert security team of sending account issues
Enable suspicious outbound email copy in M365 Defender to monitor potential data exfiltration
Enable all M365 Defender spam marking options for improved phishing and spoofing detection
Configure M365 sensitivity labels and publish them to classify and protect organizational data
data access
Restrict agent sharing to specific users or groups instead of entire tenant
Reduce the number of shared viewers to under 10 users / 3 groups
Disable web search for knowledge if not required
encryption
Enforce S/MIME encryption for all outgoing M365 OWA emails
Enforce S/MIME signing for all outgoing M365 OWA emails
Enable S/MIME clear-text signing in M365 OWA for interoperability with non-S/MIME clients
Include the certificate chain without root in M365 OWA S/MIME configuration
Include the complete certificate chain including root in M365 OWA S/MIME configuration
Enable S/MIME triple-wrap in M365 OWA for enhanced message security
Reduce the M365 OWA S/MIME CRL retrieval timeout to 10 seconds
Set M365 OWA S/MIME encryption algorithms to AES-128 or stronger
Enable S/MIME buffer encryption in M365 OWA to protect temporary data
lifecycle
Assign an owner to the Copilot agent
Publish or delete unused draft agents older than 30 days
Investigate and resolve the quarantine on this agent
Review and disable or delete agents inactive for over 90 days
Reassign the agent to an active owner
mfa
Enable email one-time passcode for M365 guest users who lack Microsoft accounts
Create an M365 Conditional Access policy to require MFA for all users and cloud apps
Disable weak M365 authentication methods such as SMS and voice call, and enable FIDO2
Create an M365 Conditional Access policy requiring MFA or trusted location to register security info
Enable M365 suspicious activity reporting to automatically block users who report fake MFA prompts
permission
Reduce the number of connector operations below 5
Remove write access to sensitive connectors or restrict to read-only
Switch from maker-provided credentials to per-user authentication
Enable end-user consent for connector operations
sharing
Limit M365 guest visibility to group content and directory objects
Review and restrict M365 organization sharing relationships that are not business-required
Restrict M365 default calendar sharing policy to Free/Busy time information only
Set M365 default group access type to Private via Exchange Online PowerShell
Remove external forwarding configuration from M365 mailboxes to prevent data exfiltration
Disable dual delivery on M365 mailboxes and deliver only to the primary mailbox
Remove external SMTP forwarding from M365 mailboxes and create a transport rule to block it
Remove the forwarding address from M365 mailboxes to prevent unauthorized email redirection
Disable LinkedIn integration in M365 Outlook Web Access to prevent data sharing
Disable mobile contact sync in M365 OWA to prevent contact data leakage
Remove or modify M365 transport rules that redirect mail to external SMTP addresses
Remove or modify M365 transport rules that forward mail outside the organization
Disable auto-forwarding to external domains in M365 remote domain settings
Restrict M365 default sharing policy to Free/Busy information only
Restrict M365 sharing policies to specific trusted domains or disable external sharing
Restrict M365 distribution list delivery to internal senders only
Change M365 distribution group join policy to Closed or Owner Approval required
Change public M365 groups to Private to restrict membership visibility
Block automatic external forwarding in M365 Defender outbound spam policy