Keeping Abreast of Changes in User Permissions, Configuration, and Access with Microsoft M365 E3

Today Detexian's CTO Adrian Kitto dives into the risk of privilege creep in M365. He highlights the dangers and explains why continuous monitoring is vital for the modern IT admin who needs to get a handle on changes in user permissions, configuration and access.

In case you missed it last time, please check out:

  1. Part 1: Who / What / Why does the mid-market all have Microsoft M365 E3 licenses

  2. Part 2: How does Microsoft M365 E3 work with the non-Microsoft ecosystem applications?

  3. Part 3: Discovering user consented apps with Microsoft M365 E3

  4. Part 4: Identifying and removing inactive users with Microsoft M365 E3

  5. Part 5: Calculating inferred or effective MFA for non-Microsoft applications

  6. Part 6: Privileged Access Management in non-SCIM apps with Microsoft M365 E3

  7. Part 7: Identifying, Evaluating, and Tracking Open Shares for External Users with Microsoft M365 E3


Introduction

In the modern digital workplace, the ability to collaborate efficiently and securely is crucial for businesses to thrive. Microsoft 365 (M365) has emerged as a powerful suite of cloud-based tools that empowers organizations to enhance productivity and streamline workflows. However, with the advantages of increased collaboration and flexibility come significant security challenges. One of the most critical aspects of ensuring data security is maintaining a close watch on changes in user permissions, configurations, and access rights within the M365 environment. In this blog post, we will explore the risks associated with privilege creep and the lack of monitoring, and demonstrate how Microsoft M365 E3 can help organizations stay vigilant with a PowerShell example that exports Azure AD role assignments and SharePoint site permissions for all users to CSV.

The Dangers of Privilege Creep

Privilege creep refers to the gradual accumulation of excessive permissions granted to users over time, often without regular review and adjustments. As employees change roles or leave the company, their access rights may not be promptly updated or revoked, leading to a situation where users retain unnecessary and potentially harmful privileges. The risks associated with privilege creep include:

  1. Data Breaches and Unauthorized Access: When users have more permissions than necessary, they may be able to access sensitive data or perform actions beyond their job scope. Unauthorized access could lead to data breaches, intellectual property theft, and other security incidents.


  2. Compliance and Regulatory Non-Compliance: In regulated industries, such as healthcare and finance, maintaining strict control over user permissions is essential for compliance with industry standards and government regulations. Privilege creep can lead to violations, resulting in substantial fines and legal consequences.


  3. Increased Vulnerability to Insider Threats: Disgruntled or compromised employees with unnecessary privileges can intentionally or inadvertently cause significant damage to the organization. Privilege creep amplifies the potential for insider threats.


  4. Difficulty in Identifying Security Incidents: When user permissions are not appropriately managed, it becomes challenging to detect abnormal or suspicious activities. Malicious actors can exploit this lack of oversight to carry out cyberattacks undetected.


  5. Unintended Configuration Changes: Users with excessive permissions might unintentionally modify critical tenant-wide settings, affecting the availability and stability of the M365 environment for everyone.


The Importance of Continuous Monitoring

Continuous monitoring of user permissions, configurations, and access rights is vital for maintaining data security and mitigating risks effectively. It allows organizations to:

  1. Detect Anomalies and Suspicious Activities: Monitoring user permissions and access helps surface unusual behavior, such as repeated failed sign-in attempts, access attempts outside a user's role, or changes to critical configuration.

  2. Maintain Least Privilege Principle: The principle of least privilege advocates providing users with only the necessary permissions to perform their job duties. Regular monitoring ensures that permissions align with job roles and responsibilities.

  3. Streamline User Onboarding and Offboarding: Monitoring access rights simplifies onboarding and offboarding, ensuring new employees receive the required access promptly and departing employees have their access revoked just as quickly.

  4. Support Auditing and Compliance Efforts: Regular monitoring facilitates auditing processes, allowing organizations to demonstrate compliance with industry regulations and internal policies.

PowerShell Example: Exporting Azure AD Roles and SharePoint Rights to CSV

Here is a PowerShell script that exports Azure AD role assignments (each role together with the members who hold it) and SharePoint site permissions for all users into CSV files. If you schedule it, you can diff successive exports to track privilege creep. It needs the AzureAD and Microsoft.Online.SharePoint.PowerShell modules and a suitably privileged account. Note that Microsoft has deprecated the AzureAD module in favour of Microsoft Graph PowerShell, so treat the Connect-AzureAD section as the pattern rather than the long-term tooling. You will need to update the script and replace yourtenant-admin.sharepoint.com with your M365 tenant details.



# Connect to Azure AD
Connect-AzureAD

# Get every activated Azure AD role and the members assigned to it.
# Get-AzureADDirectoryRole on its own lists role names only, not who holds them.
$roleAssignments = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [PSCustomObject]@{
            RoleName   = $role.DisplayName
            MemberName = $member.DisplayName
            MemberUPN  = $member.UserPrincipalName   # empty for groups and service principals
            MemberType = $member.ObjectType
        }
    }
}

# Export Azure AD role assignments to CSV
$roleAssignments | Export-Csv -Path "AzureADRoles.csv" -NoTypeInformation

# Connect to SharePoint Online (replace yourtenant with your tenant name)
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Get all site collections
$siteCollections = Get-SPOSite -Limit All

# Loop through each site collection to get users and their rights
$sharePointRights = foreach ($site in $siteCollections) {
    $siteUrl = $site.Url
    try {
        $siteUsers = Get-SPOUser -Site $siteUrl -Limit All
    } catch {
        # A locked or otherwise unreadable site should not abort the whole export
        Write-Warning "Could not enumerate users on $($siteUrl): $($_.Exception.Message)"
        continue
    }
    foreach ($user in $siteUsers) {
        [PSCustomObject]@{
            SiteUrl          = $siteUrl
            LoginName        = $user.LoginName
            UserEmail        = $user.Email
            IsSiteAdmin      = $user.IsSiteAdmin
            SharePointRights = ($user.Roles -join ', ')
        }
    }
}

# Export SharePoint rights to CSV
$sharePointRights | Export-Csv -Path "SharePointRights.csv" -NoTypeInformation


Remember!! Test the script in a non-production environment and review it thoroughly before running it in production.
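The delta check mentioned above, written out as an added example (this is not code from the original post): Get-PermissionDelta indexes two snapshots by a composite key built from whichever columns you name, reports the grants that appeared or disappeared between them, and marks additions of listed high-risk rights as High so they can be triaged first. The column names, the high-risk role list and the here-string snapshots are assumptions and constructed sample data, not real tenant output; in production you would Import-Csv the previous and current exports instead.

```powershell
# Added example (not from the original post): delta check between two
# permission snapshots. Column names are an assumption of this example;
# pass -KeyColumns matching whatever columns your export writes.

function Get-PermissionDelta {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Previous,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current,
        [Parameter(Mandatory)] [string[]] $KeyColumns,  # columns that identify one grant
        [string]   $RightColumn,                        # column holding the role/right name
        [string[]] $HighRisk = @()                      # rights whose addition is high severity
    )
    # Index each snapshot by a composite key so one grant is one (scope, principal, right) tuple.
    $keyOf = { param($row) ($KeyColumns | ForEach-Object { [string]($row.$_) }) -join '|' }
    $prevMap = @{}; foreach ($r in $Previous) { $prevMap[(& $keyOf $r)] = $r }
    $currMap = @{}; foreach ($r in $Current)  { $currMap[(& $keyOf $r)] = $r }

    # Emit the original row with Change and Severity columns prepended.
    $emit = {
        param($row, $change)
        $severity = 'Info'
        if ($change -eq 'Added' -and $RightColumn -and ($HighRisk -contains $row.$RightColumn)) {
            $severity = 'High'
        }
        $out = [ordered]@{ Change = $change; Severity = $severity }
        foreach ($p in $row.PSObject.Properties) { $out[$p.Name] = $p.Value }
        [PSCustomObject]$out
    }

    # Present now but not before: a new grant. Present before but not now: a revocation.
    foreach ($k in $currMap.Keys) { if (-not $prevMap.ContainsKey($k)) { & $emit $currMap[$k] 'Added' } }
    foreach ($k in $prevMap.Keys) { if (-not $currMap.ContainsKey($k)) { & $emit $prevMap[$k] 'Removed' } }
}

# Constructed sample snapshots (not real tenant data). In production you would
# Import-Csv yesterday's and today's export instead.
$previousRoles = ConvertFrom-Csv @'
RoleName,MemberUPN
User Administrator,alice@contoso.example
Global Administrator,bob@contoso.example
'@
$currentRoles = ConvertFrom-Csv @'
RoleName,MemberUPN
User Administrator,alice@contoso.example
Global Administrator,alice@contoso.example
Global Administrator,bob@contoso.example
Helpdesk Administrator,erin@contoso.example
'@

# Built-in role names that should never appear in a delta without a change ticket behind them.
$highRiskRoles = @('Global Administrator', 'Privileged Role Administrator',
                   'Exchange Administrator', 'SharePoint Administrator')

$roleDelta = Get-PermissionDelta -Previous $previousRoles -Current $currentRoles `
    -KeyColumns RoleName, MemberUPN -RightColumn RoleName -HighRisk $highRiskRoles
$roleDelta | Sort-Object Severity, Change | Format-Table Change, Severity, RoleName, MemberUPN -AutoSize

# The same function works for the SharePoint export, keyed on site, user and right.
$previousSpo = ConvertFrom-Csv @'
SiteUrl,UserEmail,SharePointRights
https://contoso.sharepoint.com/sites/Finance,carol@contoso.example,Member
'@
$currentSpo = ConvertFrom-Csv @'
SiteUrl,UserEmail,SharePointRights
https://contoso.sharepoint.com/sites/Finance,carol@contoso.example,Owner
https://contoso.sharepoint.com/sites/Finance,dave@contoso.example,Visitor
'@
$spoDelta = Get-PermissionDelta -Previous $previousSpo -Current $currentSpo `
    -KeyColumns SiteUrl, UserEmail, SharePointRights -RightColumn SharePointRights -HighRisk 'Owner'
$spoDelta | Sort-Object Severity, Change | Format-Table Change, Severity, SiteUrl, UserEmail, SharePointRights -AutoSize
```

Keying on the full (scope, principal, right) tuple rather than on the principal alone is deliberate: a user who is moved from Member to Owner on the same site shows up as one Removed row and one High Added row, which is exactly the escalation a reviewer wants to see, whereas a per-user diff would hide it as "still has access". Pipe either delta to Export-Csv, or raise an alert when any High row appears, to turn the scheduled export into a detection.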


Conclusion

Maintaining a proactive approach to monitoring user permissions, configurations, and access with Microsoft M365 E3 is essential for data security and compliance. By addressing the risks of privilege creep and establishing continuous monitoring practices, organizations can significantly reduce the likelihood of data breaches, insider threats, and compliance violations. PowerShell provides valuable automation capabilities to help administrators export and analyze user permissions effectively, allowing for more informed decision-making and enhanced security measures. Embracing these best practices will help organizations make the most of their M365 investment while safeguarding their most valuable asset: their data.

Security thought for the week

The Great Wall of China is the biggest security boundary on the planet.

The Great Wall of China, one of the most iconic architectural wonders in the world, was originally built not just as a symbol of power and prestige but also as a massive physical security barrier. While the construction of various sections of the wall began as early as the 7th century BC, it was during the Ming Dynasty (1368-1644) that the wall was extensively rebuilt and expanded.

The primary purpose of the Great Wall was to protect the Chinese states and empires from invasions and raids by various nomadic groups and military incursions from the north, particularly by the Mongols and Xiongnu tribes. The wall's strategic location and imposing height served as a formidable deterrent to potential invaders, making it challenging for large armies to breach and traverse the vast expanse of the wall.

Till then, stay secure.

Adrian
