laythchebbi/M365SPAT

🛡️ Microsoft 365 Security Posture Assessment Tool (M365SPAT)

Comprehensive security posture analysis for Microsoft 365 environments

PowerShell 5.1+ | Azure AD Premium | Microsoft Graph API | MIT License

🚀 Quick Start • 📋 Features • 📖 Documentation • 🤝 Contributing


🎯 Overview

M365SPAT is an advanced PowerShell-based security assessment tool designed specifically for Microsoft 365 environments. It evaluates your organization's security posture across 22+ critical security controls, providing both technical insights for security professionals and plain-English explanations for business stakeholders.

📸 Screenshots

Interactive Security Assessment Report

Figure: M365SPAT Security Assessment Report. Comprehensive security posture analysis with interactive spider chart showing domain-specific compliance scores.

🌟 Why M365SPAT?

  • 🔍 Comprehensive Coverage: 22+ security controls across all major M365 security domains
  • 👥 Dual Audience: Technical details for security engineers, simple explanations for executives
  • 📊 Beautiful Reports: Interactive HTML reports with evidence collection and remediation guidance
  • 🚀 Easy to Use: One-command execution with certificate or client secret authentication
  • 🔄 Actionable Results: Detailed remediation steps with PowerShell commands and API examples

🚀 Quick Start

Prerequisites

  • PowerShell 5.1 or later
  • Azure AD app registration with appropriate permissions
  • Microsoft 365 E3/E5 or equivalent licensing

🔧 Installation

  1. Clone the repository

    git clone https://github.com/laythchebbi/M365SPAT.git
    cd M365SPAT
  2. Set up Azure AD App Registration

    # Required permissions (add to your Azure AD app):
    # - Policy.Read.All
    # - Directory.Read.All
    # - Reports.Read.All
    # - DeviceManagementConfiguration.Read.All
    # - And more... (see documentation)
  3. Run the assessment

    # Using certificate authentication (recommended)
    .\M365SecurityAssessment.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -CertificateThumbprint "cert-thumbprint"
    
    # Using client secret
    .\M365SecurityAssessment.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -ClientSecret "your-secret"
  4. View the results

    Open the generated HTML report in your browser to view the interactive dashboard with:

    • Overall compliance scoring and statistics
    • Interactive spider chart showing domain-specific security posture
    • Detailed control analysis with simple and technical explanations
    • Actionable remediation guidance with PowerShell commands and API examples

📊 Sample Output

=== Microsoft 365 Security Assessment Tool ===
Tenant ID: contoso.onmicrosoft.com
Authentication Method: Certificate
✓ Authentication successful
✓ Loaded 22 security controls
✓ Assessment completed
✓ Reports generated

=== Assessment Summary ===
Total Controls: 22
Passed: 16
Failed: 4
Errors: 2
Compliance Score: 72.7%

📁 Reports saved to:
   JSON: .\reports\AssessmentResults_20250623_143052.json
   HTML: .\reports\AssessmentReport_20250623_143052.html

📋 Features

🔒 Security Domains Covered

| Domain | Controls | Description |
|---|---|---|
| 🔐 Identity & Authentication | 5 | MFA, Legacy Auth, Passwordless |
| 🎯 Conditional Access | 4 | Location-based, Device compliance, Risk-based |
| 👥 Role Management | 3 | Privileged access, Emergency accounts |
| 📱 Device Management | 1 | Compliance policies, MDM integration |
| 🛡️ Data Protection | 3 | DLP, Sensitivity labels, External sharing |
| 📧 Email Security | 1 | Anti-phishing, Safe attachments/links |
| 👥 Collaboration Security | 1 | Teams security, Guest access |
| 📊 Monitoring & Compliance | 4 | Audit logs, Alerts, Governance |

🎨 Report Features

  • 📈 Interactive Dashboards: Visual compliance scoring and trend analysis
  • 🔍 Detailed Evidence: Complete API responses and analysis logic
  • 📝 Simple Explanations: Business-friendly explanations for each control
  • 🔧 Technical Details: PowerShell commands, API examples, documentation links
  • 📋 Remediation Guidance: Step-by-step instructions with time estimates
  • 📊 Compliance Mapping: CIS and NIST framework alignment

🚀 Advanced Features

  • Certificate-based Authentication: Secure, automated execution
  • Modular Architecture: Easy to extend with custom controls
  • Evidence Collection: Complete audit trail for compliance
  • Risk-based Prioritization: Focus on critical security gaps
  • Export Capabilities: JSON, HTML, and CSV output formats

📖 Documentation

🏗️ Architecture

M365SPAT/
├── 📁 reports/                    # Generated assessment reports
├── 📁 docs/                       # Documentation and screenshots
│   └── 📁 images/                 # Screenshots and diagrams
├── 📄 M365SecurityAssessment.ps1  # Main execution script
├── 📄 AuthenticationModule.ps1    # Azure AD authentication
├── 📄 AssessmentEngine.ps1        # Core assessment logic
├── 📄 HtmlReportGenerator.ps1     # Report generation
├── 📄 SecurityControls.json       # Control definitions
├── 📄 styles.css                  # Report styling
├── 📄 scripts.js                  # Interactive features
├── 📄 .gitignore                  # Git ignore rules
└── 📄 README.md                   # This file

🔑 Security Controls

Identity & Authentication Controls
  • IAM-AUTH-001: Multi-Factor Authentication Enforcement
  • IAM-AUTH-002: Privileged User MFA Enforcement
  • IAM-AUTH-003: MFA Registration Campaign
  • IAM-AUTH-004: Legacy Authentication Blocking
  • IAM-AUTH-005: Passwordless Authentication Configuration
Conditional Access Controls
  • IAM-CA-001: Policy Coverage Analysis
  • IAM-CA-002: Location-Based Access Control
  • IAM-CA-003: Device Compliance Integration
  • IAM-CA-004: Risk-Based Conditional Access
Role Management Controls
  • IAM-ROL-001: Global Administrator Count Verification
  • IAM-ROL-002: Privileged Role Assignment Review
  • IAM-ROL-003: Emergency Access Account Configuration
Data Protection Controls
  • DLP-001: Data Loss Prevention Policy Configuration
  • APP-001: Application Registration Security Review
  • SHA-001: External Sharing Configuration Review

🔧 Configuration

Azure AD App Permissions

{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        { "id": "Policy.Read.All", "type": "Role" },
        { "id": "Directory.Read.All", "type": "Role" },
        { "id": "Reports.Read.All", "type": "Role" },
        { "id": "AuditLog.Read.All", "type": "Role" },
        { "id": "RoleManagement.Read.Directory", "type": "Role" },
        { "id": "Application.Read.All", "type": "Role" },
        { "id": "DeviceManagementConfiguration.Read.All", "type": "Role" }
      ]
    }
  ]
}

Custom Control Development

Add your own security controls by extending SecurityControls.json:

{
  "id": "CUSTOM-001",
  "name": "Custom Security Control",
  "description": "Your custom control description",
  "category": "Custom Category",
  "severity": "High",
  "type": "graph_api",
  "endpoint": "https://graph.microsoft.com/v1.0/your-endpoint",
  "evaluation": "$data.value.Count -gt 0",
  "simple_explanation": {
    "what_was_checked": "Plain English explanation",
    "why_it_matters": "Business impact explanation"
  }
}
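
A control definition carries a URL the tool will call and an expression it will evaluate, so changes to SecurityControls.json deserve the same review as code. The function below is an added example, not part of M365SPAT: it lints one control definition, assuming the engine sends its Graph token to `endpoint` and runs `evaluation` as PowerShell with `$data` in scope. `Test-CustomControl` and its allow-lists are hypothetical names chosen here.

```powershell
using namespace System.Management.Automation.Language

# Added example, not part of M365SPAT. Assumption: the engine sends its Graph
# token to 'endpoint' and runs 'evaluation' as PowerShell with $data in scope.
function Test-CustomControl {
    param([Parameter(Mandatory)][string]$Json)

    $problems = New-Object System.Collections.Generic.List[string]
    $control  = $Json | ConvertFrom-Json

    # Fields taken from the CUSTOM-001 template above
    foreach ($f in 'id','name','severity','type','endpoint','evaluation') {
        if ([string]::IsNullOrWhiteSpace([string]$control.$f)) { $problems.Add("missing field: $f") }
    }

    # The access token should only ever be sent to Microsoft Graph over TLS
    $uri = $null
    if (-not [Uri]::TryCreate([string]$control.endpoint, [UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -ne 'https' -or $uri.Host -ne 'graph.microsoft.com') {
        $problems.Add("endpoint is not an https://graph.microsoft.com URL")
    }

    # Parse the expression without running it, then walk the syntax tree
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput([string]$control.evaluation, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { $problems.Add("evaluation does not parse") }

    $okCommands = 'Where-Object', 'Measure-Object', 'Select-Object'   # review-time allow-list
    $okVars     = 'data', '_', 'true', 'false', 'null'
    foreach ($node in $ast.FindAll({ $true }, $true)) {
        $text = $node.Extent.Text
        if ($node -is [CommandAst] -and $okCommands -notcontains $node.GetCommandName()) {
            $problems.Add("evaluation runs a command: $text")
        } elseif ($node -is [InvokeMemberExpressionAst] -or $node -is [TypeExpressionAst]) {
            $problems.Add("evaluation calls a method or .NET type: $text")
        } elseif ($node -is [AssignmentStatementAst]) {
            $problems.Add("evaluation assigns a value: $text")
        } elseif ($node -is [VariableExpressionAst] -and $okVars -notcontains $node.VariablePath.UserPath) {
            $problems.Add("evaluation reads an unexpected variable: $text")
        }
    }
    return $problems.ToArray()
}

# Constructed sample: the README template with an 'evaluation' that executes tenant data
$sample = @{ id = 'CUSTOM-001'; name = 'Custom Security Control'; severity = 'High'; type = 'graph_api'
             endpoint   = 'https://graph.microsoft.com/v1.0/your-endpoint'
             evaluation = 'Invoke-Expression $data.value[0].displayName' } | ConvertTo-Json
Test-CustomControl -Json $sample
```

The constructed sample returns one finding, for the `Invoke-Expression` call; the template's own `$data.value.Count -gt 0` returns none. The allow-list is deliberately narrow and works as a review aid, not a sandbox for the expression.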

🎯 Use Cases

🏢 For Organizations

  • Security Posture Assessment: Comprehensive evaluation of M365 security controls
  • Compliance Reporting: Generate reports for auditors and stakeholders
  • Risk Management: Identify and prioritize security gaps
  • Continuous Monitoring: Regular assessment to maintain security posture

👨‍💼 For Security Teams

  • Technical Deep Dive: Detailed control analysis with remediation steps
  • Evidence Collection: Complete audit trail for security assessments
  • Automation: Integrate into CI/CD pipelines for continuous assessment
  • Knowledge Transfer: Training tool for junior security analysts

πŸŽ“ For Consultants

  • Client Assessments: Professional security posture reports
  • Baseline Establishment: Document current state before improvements
  • Progress Tracking: Before/after comparison reports
  • Proposal Support: Technical evidence for security recommendations

🛡️ Security & Privacy

M365SPAT is designed with security and privacy in mind:

  • 🔒 Read-Only Access: Only requires read permissions, no write operations
  • 🔐 Certificate Authentication: Supports secure certificate-based auth
  • 📊 Local Processing: All analysis performed locally, no data sent to third parties
  • 🗂️ Evidence Retention: Complete audit trail for compliance requirements

🤝 Contributing

We welcome contributions! Please see our Contributing Guidelines for details.

🐛 Reporting Issues

  • Use GitHub Issues for bug reports and feature requests
  • Include PowerShell version, M365 licensing, and error details
  • Check existing issues before creating new ones

💻 Development

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature/amazing-feature
  3. Commit changes: git commit -m 'Add amazing feature'
  4. Push to branch: git push origin feature/amazing-feature
  5. Open a Pull Request

📞 Support

📜 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

  • Microsoft Graph API team for excellent documentation
  • PowerShell community for modules and best practices
  • Security community for feedback and contributions
  • CIS and NIST for security control frameworks

Made with ❤️ by the Security Team

Securing Microsoft 365 environments, one assessment at a time

⭐ Star this project if you find it useful! • 🍴 Fork it to contribute!