Skip to content

The 165 Microsoft 365 security checks Black Cat runs

Black Cat SSPM evaluates 165 security policies against your Microsoft 365 configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highGuest User Permissions Not Restricted

Restrict M365 guest user permissions to Most Restrictive in External Identities settings

mediumGuest Invitation Not Restricted

Restrict M365 guest invitations to only users assigned to specific admin roles

mediumUsers Can Create Security Groups

Prevent non-admin M365 users from creating security groups in Azure portals

mediumUsers Can Register Applications

Prevent non-admin M365 users from registering applications in Entra ID

highUser Consent to Apps Not Restricted

Disable M365 user consent to apps and require admin approval for OAuth grants

mediumGuest Group Privileges Not Restricted

Restrict M365 guest user access to limited directory properties and memberships

mediumAdmin Consent Requests Disabled

Enable M365 admin consent workflow so users can request app access

lowUsers Can Create Tenants

Prevent M365 users from creating new Azure AD tenants

mediumM365 Group Creation Not Restricted

Restrict M365 group creation to a specific security group of approved users

mediumMSOL PowerShell Not Blocked

Block legacy MSOL PowerShell access in M365 using Conditional Access policies

mediumSelf-Service Sign Up Enabled

Disable guest self-service sign-up flows in M365 External Identities settings

mediumGuest Access to Groups Not Restricted

Restrict M365 guest user access to group properties and memberships

highGlobal Admin Redundancy Missing

Ensure at least two M365 Global Administrator accounts exist for redundancy

mediumExcessive Global Administrators

Reduce M365 Global Admin count to 2-4 accounts by demoting unnecessary admins

highGlobal Admin Not Cloud-Only

Replace synced M365 Global Admin accounts with cloud-only admin accounts

highExternal Users With Admin Role

Remove admin roles from external M365 guest users and create internal accounts

mediumGuest Users Present

Review and remove M365 guest accounts that no longer require access

mediumCopilot License on Guest User

Remove Copilot licenses from M365 guest accounts to prevent data exposure

highCA Block High Risk Users Missing

Create an M365 Conditional Access policy to block high-risk users from signing in

highCA Block Risky Sign-ins Missing

Create an M365 Conditional Access policy to block or require MFA for risky sign-ins

mediumCA Legacy Auth Not Blocked

Create an M365 Conditional Access policy to block legacy authentication protocols

mediumCA Session Duration Not Set

Configure M365 Conditional Access sign-in frequency to a maximum of 12 hours

mediumCA Compliant Devices Not Required

Create an M365 Conditional Access policy to require compliant devices for all cloud apps

mediumCA Device Code Flow Not Blocked

Create an M365 Conditional Access policy to block the device code authentication flow

mediumAuth Methods Migration Incomplete

Complete the M365 migration from legacy MFA to the unified Authentication Methods policy

highTAP Enabled for All Users

Restrict M365 Temporary Access Pass to specific admin groups rather than all users

highTAP Not One-Time Use

Configure M365 Temporary Access Pass to be usable only once

mediumTAP Global Policy Enabled

Disable the M365 global TAP policy and use targeted group assignments instead

mediumTAP Maximum Lifetime Too Long

Set M365 Temporary Access Pass maximum lifetime to 1 hour or less

mediumTAP Character Length Too Short

Set M365 Temporary Access Pass minimum character length to at least 8 characters

highPassword Expiration Policy Enabled

Disable M365 password expiration policy per NIST guidance and rely on MFA instead

mediumPassword Lockout Threshold Too High

Set M365 password lockout threshold to 10 or fewer failed attempts

mediumLockout Duration Too Short

Set M365 password lockout duration to at least 60 seconds

mediumCustom Banned Passwords Not Enforced

Enable M365 custom banned password list enforcement to block organization-specific terms

mediumPassword Protection On-Prem Disabled

Enable M365 password protection for on-premises Windows Server Active Directory

lowPassword Protection Mode Audit Only

Switch M365 on-premises password protection mode from Audit to Enforced

highSP Using Password Credentials

Replace M365 service principal password credentials with certificate-based authentication

lowSP Expired Password Credentials

Delete expired password credentials from M365 service principals

lowSP Expired Certificate Credentials

Replace expired M365 service principal certificate credentials with a new certificate

mediumSP Long-Lived Password Credentials

Rotate M365 service principal secrets that exceed 90 days and set shorter expiry

mediumSP Long-Lived Certificate Credentials

Rotate M365 service principal certificates exceeding 1 year and set shorter validity

lowSP Password Credentials Expiring Soon

Renew M365 service principal secrets expiring soon and update the application configuration

lowSP Certificate Credentials Expiring Soon

Renew M365 service principal certificates expiring soon and update the application

mediumApp Using Password Credentials

Replace M365 app registration password credentials with certificate-based authentication

mediumApp Long-Lived Password Credentials

Rotate M365 app registration secrets that exceed 90 days and set shorter expiry

mediumApp Long-Lived Certificate Credentials

Rotate M365 app registration certificates exceeding 1 year and set shorter validity

lowApp Expired Password Credentials

Delete expired password credentials from M365 app registrations

lowApp Expired Certificate Credentials

Replace expired M365 app registration certificates with a new certificate

lowApp Password Credentials Expiring Soon

Renew M365 app registration secrets expiring soon and update the application configuration

lowApp Certificate Credentials Expiring Soon

Renew M365 app registration certificates expiring soon and update the application

mediumOAuth App AI With Data Scopes

Revoke sensitive Microsoft Graph API scopes from AI OAuth apps in Microsoft Entra

mediumOWA Session Timeout Disabled

Enable activity-based session timeout for M365 Outlook Web Access with a 30-minute limit

highShared Mailbox Sign-In Enabled

Block direct sign-in for M365 shared mailbox accounts and enforce delegation-only access

highUsers Can Install Outlook Add-ins

Prevent M365 users from installing Outlook add-ins by disabling user install in OWA policy

mediumDirect File Access on Public Computers

Disable direct file access from public computers in M365 OWA mailbox policy

mediumWAC Viewing on Public Computers

Disable Office document viewing on public computers in M365 OWA mailbox policy

mediumMobile Device Allows Non-Provisionable

Configure M365 mobile device policies to block non-provisionable devices

mediumActiveSync Does Not Block Unmanaged Devices

Configure M365 ActiveSync to block unmanaged devices from accessing Exchange

audit

highGlobal Mailbox Auditing Disabled

Enable global mailbox auditing in M365 Exchange Online via PowerShell

highMailbox Audit Bypass Configured

Remove mailbox audit bypass configuration from M365 accounts to restore full audit trail

mediumMailbox Auditing Disabled

Enable mailbox auditing for M365 users with comprehensive audit actions

lowShared Mailbox Sent-As Not Audited

Enable sent-as message copy for M365 shared mailboxes to preserve audit trail

lowShared Mailbox Sent-On-Behalf Not Audited

Enable sent-on-behalf message copy for M365 shared mailboxes to preserve audit trail

lowNon-Shared Mailbox Audit Bypass

Remove audit bypass configuration from M365 non-shared mailboxes

mediumUser Mailbox Auditing Disabled

Enable auditing for M365 user mailboxes with comprehensive admin and delegate audit actions

highUnified Audit Log Not Enabled

Enable the M365 Unified Audit Log to capture all tenant activity for compliance and forensics

autonomy

lowCopilot Agent Generative Orchestration

Review if generative orchestration is appropriate for this agent's risk profile

criticalCopilot Agent No Authentication

Enable Microsoft Entra authentication on this agent

lowCopilot Agent Multi-Channel Exposure

Review channel exposure and remove unnecessary channels

mediumCopilot Agent Unconstrained Tool Use

Add usage constraints to tool operations instead of allowing anytime use

mediumCopilot Agent Unreviewed (14+ days)

Review the agent and update its approval status

highCopilot Agent High Risk Unblocked

Block or restrict high-risk agents with scores above 70

configuration

lowSelf-Service Subscriptions Enabled

Disable self-service trial and subscription purchases in M365

highRisk-Based Consent Not Configured

Enable M365 risk-based step-up consent to block risky app consent requests

lowGroup Naming Convention Not Configured

Configure a group naming prefix or suffix policy in M365 Entra ID

highCustomer Lockbox Not Enabled

Enable M365 Customer Lockbox to require admin approval before Microsoft accesses data

lowCopilot License Assigned

Review M365 Copilot license assignments to ensure they align with data governance policies

highUnverified Domain

Complete domain verification for M365 unverified domains by adding the required DNS records

highUnverified Federated Domain

Verify the federated M365 domain before establishing federation trust

mediumSPF Record Missing

Add an SPF TXT record to the M365 domain DNS to prevent email spoofing

mediumDMARC Record Missing

Add a DMARC TXT record to the M365 domain DNS to prevent email spoofing

mediumMulti-Tenant App Without Verified Publisher

Verify the publisher of multi-tenant M365 apps or restrict consent to verified publishers

highSMTP Auth Not Disabled Globally

Disable SMTP client authentication globally in M365 Exchange Online

mediumExternal Recipient Mail Tips Disabled

Enable external recipient mail tips in M365 to warn users before sending to external addresses

lowMail Tips Not Fully Enabled

Enable all mail tip types in M365 Exchange Online including large audience thresholds

mediumMailbox SMTP Auth Not Disabled

Disable SMTP client authentication on M365 individual mailboxes that do not require it

highOWA Clickjacking Protection Not Set

Configure X-Frame-Options SAMEORIGIN in M365 OWA to prevent clickjacking attacks

mediumActiveSync Integration Enabled for OWA

Disable ActiveSync integration in M365 OWA to reduce attack surface

lowOn-Send Add-ins Enabled in OWA

Disable on-send add-ins in M365 OWA mailbox policy to prevent unauthorized processing

mediumNo File Types Blocked in OWA

Configure M365 OWA to block dangerous file types including .exe, .bat, .cmd, .vbs, and .ps1

mediumNo MIME Types Blocked in OWA

Configure M365 OWA to block dangerous MIME types including executable application types

mediumUnknown File Types Not Blocked

Configure M365 OWA to block unknown file and MIME types instead of allowing them

mediumTransport Rule Includes BCC

Review and remove M365 transport rules that include BCC to external recipients

mediumTransport Rule Processes External Sender

Restrict M365 transport rules that process external sender addresses to internal senders only

highTransport Rule Deletes Messages

Replace message-deleting M365 transport rules with quarantine or redirect actions

lowTransport Rule Disabled

Remove or re-enable disabled M365 transport rules to reduce configuration confusion

mediumRemote Domain Trusted Inbound Enabled

Disable trusted inbound mail setting for the M365 default remote domain

mediumRemote Domain Trusted Outbound Enabled

Disable trusted outbound mail setting for the M365 default remote domain

lowRemote Domain Auto-Reply Enabled

Disable auto-reply to external domains in M365 remote domain settings

lowRemote Domain Delivery Reports Enabled

Disable external delivery reports in M365 remote domain settings

lowRemote Domain NDR Enabled

Disable non-delivery reports to external domains in M365 remote domain settings

lowRemote Domain TNEF Enabled

Disable TNEF encoding for M365 remote domain to improve compatibility and reduce attack surface

lowDistribution List Hidden From GAL

Make hidden M365 distribution lists visible in the Global Address List

mediumMailbox Move Enabled for Org Relationships

Disable mailbox move for M365 organization relationships to prevent unauthorized migrations

highCommon Attachment Types Filter Disabled

Enable the Common Attachment Types Filter in M365 Defender anti-malware policy

highCommon Attachment Types Missing

Add all recommended dangerous file types to the M365 Defender anti-malware block list

mediumZero-Hour Auto Purge Disabled

Enable Zero-Hour Auto Purge in M365 Defender anti-malware, anti-spam, and anti-phishing policies

mediumAdmin Malware Notifications Disabled

Enable M365 Defender admin notifications for malware detections

lowBlocked File Type Action Not Quarantine

Set M365 Defender blocked file type action to quarantine instead of delete

mediumAnti-Phishing Spoof Detection Weak

Configure M365 Defender anti-phishing policy to enable strict spoof intelligence and DMARC enforcement

lowAnti-Phishing First Contact Tip Disabled

Enable first contact safety tip in M365 Defender anti-phishing policies

mediumOutbound Spam Thresholds Not Configured

Configure M365 Defender outbound spam thresholds to limit bulk email

mediumInbound Spam Bulk Threshold Too High

Lower the M365 Defender inbound spam bulk complaint level threshold to 6 or less

mediumSPF Hard Fail Not Enabled

Configure M365 Defender anti-spam to mark SPF hard fail messages as spam

lowHigh Confidence Spam Not Quarantined

Configure M365 Defender to quarantine high-confidence spam instead of delivering it

lowConnection Filter Not Configured

Configure the M365 Defender connection filter IP allow/deny list to block known malicious senders

lowOutbound Spam Notification Disabled

Enable M365 Defender outbound spam notifications to alert security team of sending account issues

lowSuspicious Outbound Copy Not Enabled

Enable suspicious outbound email copy in M365 Defender to monitor potential data exfiltration

lowComprehensive Spam Marking Disabled

Enable all M365 Defender spam marking options for improved phishing and spoofing detection

mediumSensitivity Labels Not Configured

Configure M365 sensitivity labels and publish them to classify and protect organizational data

data access

highCopilot Agent Tenant-Wide Sharing

Restrict agent sharing to specific users or groups instead of entire tenant

mediumCopilot Agent Broad Sharing

Reduce the number of shared viewers to under 10 users / 3 groups

mediumCopilot Agent Web Search Enabled

Disable web search for knowledge if not required

encryption

mediumS/MIME Encryption Not Enforced

Enforce S/MIME encryption for all outgoing M365 OWA emails

mediumS/MIME Signing Not Enforced

Enforce S/MIME signing for all outgoing M365 OWA emails

lowS/MIME Clear Signing Not Enabled

Enable S/MIME clear-text signing in M365 OWA for interoperability with non-S/MIME clients

lowS/MIME Cert Chain Without Root Not Included

Include the certificate chain without root in M365 OWA S/MIME configuration

lowS/MIME Cert Chain With Root Not Included

Include the complete certificate chain including root in M365 OWA S/MIME configuration

lowS/MIME Triple-Wrap Not Enabled

Enable S/MIME triple-wrap in M365 OWA for enhanced message security

lowS/MIME CRL Timeout Too Long

Reduce the M365 OWA S/MIME CRL retrieval timeout to 10 seconds

lowS/MIME Encryption Algorithms Not Configured

Set M365 OWA S/MIME encryption algorithms to AES-128 or stronger

lowS/MIME Buffer Encryption Not Enabled

Enable S/MIME buffer encryption in M365 OWA to protect temporary data

lifecycle

highCopilot Agent No Owner

Assign an owner to the Copilot agent

lowCopilot Agent Never Published (30+ days)

Publish or delete unused draft agents older than 30 days

criticalCopilot Agent Quarantined

Investigate and resolve the quarantine on this agent

lowCopilot Agent Stale (90+ days inactive)

Review and disable or delete agents inactive for over 90 days

highCopilot Agent Orphaned Owner

Reassign the agent to an active owner

mfa

mediumGuest Email OTP Not Enabled

Enable email one-time passcode for M365 guest users who lack Microsoft accounts

highCA MFA Not Enforced

Create an M365 Conditional Access policy to require MFA for all users and cloud apps

mediumWeak Authentication Factors Enabled

Disable weak M365 authentication methods such as SMS and voice call, and enable FIDO2

mediumMFA Registration Not Restricted

Create an M365 Conditional Access policy requiring MFA or trusted location to register security info

mediumMFA Suspicious Activity Reporting Disabled

Enable M365 suspicious activity reporting to automatically block users who report fake MFA prompts

permission

mediumCopilot Agent Excessive Connectors

Reduce the number of connector operations below 5

highCopilot Agent Sensitive Connector Write Access

Remove write access to sensitive connectors or restrict to read-only

highCopilot Agent Maker Provided Credentials

Switch from maker-provided credentials to per-user authentication

mediumCopilot Agent No User Consent Required

Enable end-user consent for connector operations

sharing

mediumGuest Access to Group Content Not Restricted

Limit M365 guest visibility to group content and directory objects

highOrganization Sharing Enabled

Review and restrict M365 organization sharing relationships that are not business-required

highDefault Calendar Sharing Too Permissive

Restrict M365 default calendar sharing policy to Free/Busy time information only

mediumDefault Group Access Public

Set M365 default group access type to Private via Exchange Online PowerShell

mediumExternal Forwarding on Mailbox

Remove external forwarding configuration from M365 mailboxes to prevent data exfiltration

mediumMailbox Delivers to Both Mailbox and Forward

Disable dual delivery on M365 mailboxes and deliver only to the primary mailbox

highForwarding SMTP to External

Remove external SMTP forwarding from M365 mailboxes and create a transport rule to block it

lowForwarding Address Configured

Remove the forwarding address from M365 mailboxes to prevent unauthorized email redirection

mediumLinkedIn Integration Enabled in OWA

Disable LinkedIn integration in M365 Outlook Web Access to prevent data sharing

mediumMobile Contact Sync Enabled in OWA

Disable mobile contact sync in M365 OWA to prevent contact data leakage

highTransport Rule Redirects Externally

Remove or modify M365 transport rules that redirect mail to external SMTP addresses

highTransport Rule Forwards Outside Org

Remove or modify M365 transport rules that forward mail outside the organization

highRemote Domain Auto-Forwarding Allowed

Disable auto-forwarding to external domains in M365 remote domain settings

mediumDefault Sharing Policy Allows External

Restrict M365 default sharing policy to Free/Busy information only

lowSharing Policy Allows External Domains

Restrict M365 sharing policies to specific trusted domains or disable external sharing

mediumDistribution List Allows External Senders

Restrict M365 distribution list delivery to internal senders only

mediumDistribution Group Open Join Policy

Change M365 distribution group join policy to Closed or Owner Approval required

mediumPublic Microsoft 365 Group

Change public M365 groups to Private to restrict membership visibility

mediumOutbound Spam External Forwarding Allowed

Block automatic external forwarding in M365 Defender outbound spam policy

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial