Security & Identity policies

  • Last update on July 27th, 2024

These policies allow you to implement components to develop a comprehensive security strategy.

They are a simple and effective solution for enhancing security, particularly in protecting sensitive information against attacks such as phishing, brute force, and other forms of unauthorized access, preventing account takeovers, and increasing security for cloud-based services.

The list below provides an overview of the Security & Identity Out-of-the-Box policies, the remediation action each one executes, and the remediation settings you can configure.


Users without MFA

Description

This playbook is designed to identify users who have not enabled Multi-Factor Authentication (MFA).

It lists the user principal name, display name, the state of their multi-factor authentication, their manager, and whether they have administrative roles. 

This tool is crucial for IT security teams to ensure that MFA is enforced across the organization to enhance account security.

Remediation action

  1. Execute the Action “Manage MFA”

What you can configure

  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Admin without MFA

Description

This playbook helps you quickly spot cloud admins who haven't turned on extra security with multi-factor authentication (MFA). 

It shows their name, role, and who they report to, making it easy to reach out and encourage a security upgrade.

Remediation action

  1. Send attestation to the manager (or a custom address)
  2. Execute the action “Manage MFA”

What you can configure

  • Change the recipient of the attestation
  • Set time-out days (min: 1 day – max: 180 days)
  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Admin on cloud without strong password

Description

This playbook identifies cloud administrators who do not have a strong password policy enforced on their accounts. 

It displays the user's principal name, confirms their administrative role status, shows the account type as a cloud user, and crucially highlights when a strong password is not required for that account. 

This tool promotes robust password security practices by pinpointing admin accounts potentially lacking stringent password requirements within the cloud environment.

Remediation action

  1. Execute the action “Set password required”

What you can configure

  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Admin with password not changed in the last 90 days

Description

This playbook outlines a procedure for identifying cloud administrators whose passwords have not been updated within the past 90 days. 

It lists essential information such as the user's identifier, full name, admin status, and manager's name, ensuring a professional approach to maintaining password security among cloud service users.

Remediation action

  1. Send attestation to the manager (or a custom address)
  2. Execute the action “Manage password”

What you can configure

  • Select the recipient (manager or custom address)
  • Insert an additional message
  • Set time-out days (min: 1 day – max: 180 days)
  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Users without default MFA method

Description

This playbook helps you quickly spot cloud admins who haven't turned on extra security with multi-factor authentication (MFA).

It shows their name, role, and who they report to, making it easy to reach out and encourage a security upgrade.

Remediation action

  1. Send alert to the user without MFA enabled

What you can configure

  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Inactive last 60 days but not blocked users

Description

This playbook highlights users who have been inactive for the last 60 days but have not had their accounts blocked. 

It shows their principal name, the last login attempt, and their manager's information. 

Additionally, it confirms that their account credentials are not blocked, making it useful for reviewing user activity and account status within your system.

Remediation action

  1. Send attestation to the manager (or a custom address)
  2. Execute the action “Block sign-in status”

What you can configure

  • Select the recipient (manager or custom address)
  • Insert an additional message
  • Set time-out days (min: 1 day – max: 180 days)
  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Inactive Guests in the last 90 days

Description

This playbook helps you identify guest users who have been inactive in Microsoft 365 for the past 90 days. 

It shows their principal name and includes a column for the manager, although that might not be applicable to guests. 

It also indicates the last activity date and confirms their status as a guest user. This is useful for auditing and cleaning up inactive external users in your system.

Remediation action

  1. Execute the action “Remove guest user”

What you can configure

  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

External user in MS365 group

Description

This playbook provides a clear view of external users in your Microsoft 365 groups. 

It lists their principal name, display name, and group details including the unique group ID and group name. It also indicates whether the user is marked as a guest, subscriber, member, or owner within the group. 

This is a straightforward way to audit external access to your Microsoft 365 collaborative spaces.

Remediation action

  1. Send attestation to the manager (or a custom address)
  2. Execute the action “Remove M365 group member”

What you can configure

  • Select the recipient (group owners or custom address)
  • Insert an additional message
  • Set time-out days (min: 1 day – max: 180 days)
  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

External Users in security groups

Description

This playbook shows a list of external users in your security groups. It details their principal name, display name, the type of group member they are, the name of the security group they're in, and their guest status. 

It also indicates if they're an owner and provides the unique identifier for the security group (GUID). 

This is useful for managing and reviewing external access to sensitive areas within your organization.

Remediation action

  1. Send attestation to the manager (or a custom address)
  2. Execute the action “Remove security group member”

What you can configure

  • Select the recipient (group owners or custom address)
  • Insert an additional message
  • Set time-out days (min: 1 day – max: 180 days)
  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails
 
 

Microsoft 365 Groups without Owners

Description

This playbook is designed to identify Microsoft 365 Groups that currently have no assigned owners. 

It displays the name of each group and confirms the total number of owners as zero. Additionally, it provides the primary SMTP address for each group, which can be useful for administrative purposes. 

This tool aids in governance and ensures that every group has appropriate oversight.

Remediation action

  1. Send attestation to the primary SMTP address (or a custom address)
  2. No action will be executed - the attestation serves only an informative purpose

What you can configure

  • Select the recipient (group owners or custom address)
  • Insert an additional message
  • Set time-out days (min: 1 day – max: 180 days)
  • Schedule the recurrence of the remediation action
  • Enable/disable the email alert if the workflow fails