Risk Metrics List

This topic provides a list of all risk metrics included in a risk profile. This list may differ for certain profiles if they have been modified.

| Risk Metric | Description |
|---|---|
| User accounts with "Password never expires" (Enumerated) | Enabled user accounts whose passwords never expire may violate your organization's security policy. |
| User accounts with "Password not required" (Enumerated) | Accounts that can be used to log on without a password are a high risk and require immediate attention. |
| Disabled computer accounts (Enumerated) | Disabled computers often lack current patches and antivirus software, making them easy targets for cyberattacks if they are re-enabled. Periodically identifying and deleting these accounts reduces this risk. |
| Inactive user accounts (Enumerated) | Inactive user accounts can be taken over and misused, so you should periodically identify and disable them, and then remove them. |
| Inactive computer accounts (Enumerated) | Inactive computer accounts can be misused, so you should periodically identify and disable them, and then remove them. |
| User accounts with administrative permissions (Enumerated) | Minimizing the number of users with administrative privileges reduces security risk and is required by many compliance mandates. |
| Administrative groups (Enumerated) | Minimizing the number of administrative groups helps you understand and control the assignment of powerful permissions, as required for security and compliance. |
| Empty security groups (Enumerated) | Empty security groups with administrative privileges are a potential back door for attackers. Regularly identify and delete empty groups. |
| Stale Guest Accounts (Enumerated) | Any guest users that have not logged in for "X" days. By default, accounts that have not logged in for 35 days are shown. You can filter this data. |
| User Accounts Created via Email Verified Self-Service Creation (Enumerated) | User accounts created through self-service account creation. When self-service creation is not strictly verified, it can allow unauthorized individuals to gain access to an organization's systems, leading to unauthorized data access, leakage of sensitive information, and footholds for further attacks within the network. |
| User accounts with "No MFA Configured" (Enumerated) | User accounts in Microsoft Entra ID that belong to the organization's administrators and have no MFA configured. Without MFA, compromised credentials can lead directly to unauthorized entry, bypassing what is now considered a basic security standard. In the absence of MFA, even a strong password policy may not be sufficient to protect against phishing and credential stuffing, which can lead to data breaches and system compromise. |
| Improper Number of Global Administrators (Binary) | Maintain strict control over the number of global administrators to minimize the risk of internal and external threats. The elevated privileges associated with such roles can lead to significant breaches if misused or compromised, disrupting business operations and potentially leading to substantial data loss or compliance violations. |
| Self-Serve Password Reset is Not Enabled (Binary) | Office 365's Self-Serve Password Reset feature enables users to reset their own password. It is recommended to allow users to reset their own passwords so they can recover their account after an accidental lockout or a security incident. |
| Unified Audit Log Search is Not Enabled (Binary) | Unified Audit Log Search allows centralized ingestion and searching of audit logs generated by Office 365 and can be a vital source of data for detecting and investigating security incidents. It is recommended to enable unified audit log searching. |
| Conditional Access Policies (Binary) | Insufficient Conditional Access and Security Defaults configuration: the absence of Conditional Access policies combined with disabled Microsoft Security Defaults creates a significant security vulnerability, exposing the tenant to a variety of attacks due to inadequate protective measures. The organization must either enable Microsoft Security Defaults for common security features or establish fine-grained Conditional Access policies tailored to its specific security needs. Ensuring these configurations are active and correctly set up is crucial to safeguarding the tenant environment and user accounts from potential cyber threats. |
| Conditional Access Policy Disables Admin Token Persistence (Binary) | Looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency of nine hours or less. When an admin's token is cached on the client, the account is exposed to Primary Refresh Token-related attacks. |
| Dangerous Default Permissions (Binary) | By default, Azure tenants allow all users to access the Microsoft Entra ID blade, read all other users' accounts, create groups, and invite guests. These defaults extend to guest accounts as well, allowing guests to perform the same actions. Other default configurations allow self-service creation of accounts from accepted mail domains. Amend dangerous default permissions to mitigate the risk of unauthorized data access and ensure that only the necessary personnel have the appropriate level of access to sensitive systems and information. |
| Expired Domain Registrations Found (Binary) | Expired domains can be used for any attack vector that exploits an organization's identity, such as account takeovers or phishing campaigns. Monitoring the organization's domain registrations can help detect and alert on attempts to exploit this attack path. |
| MS Graph Powershell Service Principal Assignment Not Enforced (Binary) | Checks whether user assignment is required for the Microsoft Graph PowerShell service principal. By default, Azure tenants allow all users to access the Microsoft Graph PowerShell module, which gives any authenticated user or guest the ability to abuse Dangerous Default Permissions and to enumerate the entire tenant. |
| Third-Party Applications Allowed (Binary) | Third-party integrated applications are allowed to run in the organization's Office 365 environment if you authorize them to do so. This configuration is considered insecure because a user may grant permissions to a malicious application without fully understanding the security implications. A user who installs a malicious third-party application is in effect compromised. Additionally, there are documented cases of a malicious actor gaining access to sensitive information by enticing a user to allow a third-party integrated application to run within their O365 tenant. |
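As an added example that is not part of this page or the product, the following Python evaluates four of the enumerated metrics above (password never expires, password not required, disabled computer accounts, inactive user and computer accounts) over a constructed export of Active Directory `userAccountControl` and `lastLogonTimestamp` values. The record layout, field names and the 90-day inactivity threshold are assumptions; the bit flags and FILETIME epoch are the documented AD values.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented for Active Directory.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200             # set on user objects
WORKSTATION_TRUST_ACCOUNT = 0x1000  # set on computer objects
DONT_EXPIRE_PASSWD = 0x10000

# lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

# Constructed sample export (not real directory data); NOW is fixed so results are stable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _days_ago(days):  # FILETIME for a logon `days` before NOW
    return ((NOW - timedelta(days=days) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

RECORDS = [
    {"name": "alice",      "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,                  "lastLogon": _days_ago(3)},
    {"name": "svc-backup", "uac": NORMAL_ACCOUNT | PASSWD_NOTREQD,                      "lastLogon": _days_ago(1)},
    {"name": "bob",        "uac": NORMAL_ACCOUNT,                                       "lastLogon": _days_ago(120)},
    {"name": "carol",      "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD, "lastLogon": _days_ago(400)},
    {"name": "WS01$",      "uac": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,           "lastLogon": _days_ago(200)},
    {"name": "WS02$",      "uac": WORKSTATION_TRUST_ACCOUNT,                            "lastLogon": _days_ago(100)},
]

def _is_user(r):    return bool(r["uac"] & NORMAL_ACCOUNT)
def _is_enabled(r): return not (r["uac"] & ACCOUNTDISABLE)

def password_never_expires(records):
    """Enabled user accounts with DONT_EXPIRE_PASSWD set."""
    return sorted(r["name"] for r in records
                  if _is_user(r) and _is_enabled(r) and r["uac"] & DONT_EXPIRE_PASSWD)

def password_not_required(records):
    """Any user account with PASSWD_NOTREQD set (disabled ones matter if re-enabled)."""
    return sorted(r["name"] for r in records if _is_user(r) and r["uac"] & PASSWD_NOTREQD)

def disabled_computers(records):
    return sorted(r["name"] for r in records if not _is_user(r) and not _is_enabled(r))

def inactive(records, days, users=True, now=NOW):
    """Enabled accounts with no logon in `days`; lastLogonTimestamp replicates with
    up to ~14 days of lag, so treat the threshold as approximate."""
    cutoff = now - timedelta(days=days)
    return sorted(r["name"] for r in records if _is_user(r) == users and _is_enabled(r)
                  and filetime_to_datetime(r["lastLogon"]) < cutoff)
```

Disabled accounts are excluded from the "never expires" and "inactive" lists because they are already reported separately, which mirrors how the metrics above are split.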