Office 365 Audit

Rob Foxx
By Rob Foxx, director – infosec and IT audit services for FIPCO
Have you recently moved — or are you considering a move — to Microsoft Office 365 or another major Software-as-a-Service (SaaS) application? If so, there may be more to consider than the migration itself.
A major SaaS transition introduces a host of new challenges. In the past, Microsoft and other providers offered bulk licensing, and updates were infrequent. For Office, these were typically pushed through Windows Server Update Services (WSUS). While bulk licenses are still available, Microsoft is now strongly promoting subscription-based services through Office 365.
This shift offers significant advantages: centralized management, the ability to enable or disable user accounts without direct access to individual machines, and — most critically from a security standpoint — tight integration with multifactor authentication (MFA). However, these benefits come with increased complexity. Office 365 now includes hundreds, if not thousands, of configurable security settings across more than 20 applications, including Copilot, as well as individual user profiles.
It is also important to understand the shared responsibility model. While Microsoft secures the underlying infrastructure, customers remain responsible for configuring and maintaining security controls within their Office 365 tenant. This distinction is often misunderstood and can lead to gaps in security oversight.
Some organizations choose to hire a third party to implement or audit their Office 365 environment, which is generally a sound approach from a security perspective. However, there are two notable drawbacks. First, these engagements can be costly, depending on the size and complexity of the environment. Second, like most audits, they represent a single point-in-time assessment.
This limitation is significant because Microsoft releases updates monthly. Without an internal subject matter expert dedicated to Office 365, it can be difficult to determine whether previously secure settings remain secure after each update. From a regulatory standpoint, misconfigured SaaS platforms can create control gaps that are increasingly scrutinized during IT and cybersecurity examinations, particularly around access management, logging, and change control.
Common misconfigurations include overly permissive file-sharing settings, disabled audit logging, MFA exclusions for privileged accounts, or unused administrative roles that remain active long after they are needed.
Software-as-a-Service Security Posture Management (SSPM) solutions have been available for several years and have proven effective in quickly and cost-efficiently assessing Office 365, as well as other widely used but complex SaaS platforms. These tools are typically affordable, updated frequently to reflect platform changes, easy to use, and often provide automated remediation options through a cloud-based interface.
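The four misconfigurations listed above are the kind of checks an SSPM tool re-runs after every monthly update. As an added illustration (not code from the article, FIPCO, or any SSPM vendor), the script below runs those checks against a constructed tenant snapshot; the snapshot layout, role names and addresses are assumptions for the example, not a Microsoft export format.

```python
"""Posture checks for the misconfigurations named above, run against a
constructed tenant snapshot. The snapshot layout is an assumption for this
example, not a Microsoft Graph or Office 365 export format."""
from datetime import date

# Constructed snapshot of a hypothetical tenant (not real data).
SNAPSHOT = {
    "sharing": {"external_sharing": "anyone"},            # anonymous links allowed
    "audit_logging": {"unified_audit_log_enabled": False},
    "mfa_policy": {"excluded_users": ["break-glass@example.com", "admin@example.com"]},
    "role_assignments": [
        {"user": "admin@example.com", "role": "Global Administrator", "last_used": "2025-01-10"},
        {"user": "helpdesk@example.com", "role": "Exchange Administrator", "last_used": "2024-06-01"},
    ],
}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}  # assumed set


def check_posture(snapshot, today, stale_days=90):
    """Return a list of (rule id, detail) findings; an empty list means every
    check passed. `today` is an ISO date string so the run is reproducible."""
    now = date.fromisoformat(today)
    findings = []
    # 1. Overly permissive file sharing: anonymous ("anyone") links enabled.
    if snapshot["sharing"]["external_sharing"] == "anyone":
        findings.append(("SHARING_ANYONE", "external sharing allows anonymous links"))
    # 2. Audit logging switched off.
    if not snapshot["audit_logging"]["unified_audit_log_enabled"]:
        findings.append(("AUDIT_LOG_OFF", "unified audit logging is disabled"))
    # 3. MFA exclusions that cover an account holding a privileged role.
    privileged = {a["user"] for a in snapshot["role_assignments"] if a["role"] in PRIVILEGED_ROLES}
    for user in sorted(set(snapshot["mfa_policy"]["excluded_users"]) & privileged):
        findings.append(("MFA_EXCLUSION_PRIV", f"{user} holds a privileged role but is excluded from MFA"))
    # 4. Administrative roles still assigned but unused for longer than stale_days.
    for a in snapshot["role_assignments"]:
        age = (now - date.fromisoformat(a["last_used"])).days
        if age > stale_days:
            findings.append(("STALE_ADMIN_ROLE", f"{a['user']} has not used {a['role']} in {age} days"))
    return findings


if __name__ == "__main__":
    for rule, detail in check_posture(SNAPSHOT, "2025-03-01"):
        print(f"[{rule}] {detail}")
```

Running the same checks on a fresh snapshot after each update is what turns a point-in-time audit into continuous monitoring.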
SSPM solutions should be viewed as a complement to — not a replacement for — governance processes and periodic risk assessments.
If you are considering implementing an SSPM solution, a good first step is to consult your information security audit firm or managed service provider, while also evaluating multiple vendors as part of a sound vendor management process.