December 9, 2022
The CoreView Team

The development and maturity of various cloud computing models have resulted in a major shift in the way enterprise IT organizations think, plan, and operate.  

Gone are the days when implementing a major new business application, such as enterprise resource planning (ERP) or customer relationship management (CRM), meant an expensive sub-project for procuring, deploying, configuring, and maintaining hardware servers in a local data center. 

These days, cloud server resources can be provisioned, configured, and ready to use in mere hours, and they can be scaled up (or down) as performance requirements change. 

By now, most of those security concerns have been overcome, in no small part because of the compelling reduction in operational costs compared with maintaining a local data center. It is therefore somewhat ironic that the pendulum has swung too far in the other direction: IT organizations relying on cloud services often become too complacent regarding security. 

It’s easy to see why one would fall into a false sense of cloud security: The hardware is someone else’s problem, so security is too, right? 

Well, no. 

Even for software-as-a-service (SaaS) offerings such as Microsoft 365, the security of your company’s data and applications is still your problem. Moreover, because cloud computing architecture is different from, and much more complex than, that in a traditional data center, security requires new tools and new skills.

The Microsoft 365 ecosystem offers several powerful tools to configure security parameters and monitor for potential issues, although using them is not always intuitive or straightforward. 

In this article, we discuss the top 10 security events that you should be watching for in your Microsoft 365 environment. We categorize these into areas including Active Directory, Email, Microsoft Teams, and Applications. 

Active Directory 

Changes to AD Groups 

Active Directory (AD) groups are the heart of resource security; a user’s group memberships determine what applications and resources (such as file shares) the user has access to. Thus, changes in group attributes can have serious security consequences. 

AD groups are much more complex in Microsoft 365 than in a typical local implementation, so monitoring for significant changes matters even more.

Changes in Roles 

Just as important as groups are roles, which determine what a user can do within each application or resource. 

Over time, a given user may accumulate different roles; many organizations are good at adding roles as needed but not at removing roles that are no longer necessary for the user’s job function. 

If a hacker compromises an account with more roles than needed, it can result in a serious security breach. 

Furthermore, changes to the roles themselves must be monitored. An ordinary user role that suddenly has elevated administrative privileges is a clear indication that something is amiss. 

Failed Login Attempts 

Users mistype their passwords all the time, but a user is unlikely to do so hundreds of times in a row.

Failed login attempts are recorded and should be monitored for signs that an adversary is trying to guess an account password by brute force.
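One way to turn the failed-login signal above into a check, as an added example (not CoreView's or Microsoft's code): a sliding-window count of failed sign-ins per account over audit records. The simplified record layout, the sample data and the threshold of 10 failures in 5 minutes are assumptions; `UserLoginFailed` and `UserLoggedIn` are the operation names used for Azure AD sign-in events in the unified audit log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, OK = "UserLoginFailed", "UserLoggedIn"  # audit log operation names

def find_bruteforce(records, threshold=10, window=timedelta(minutes=5)):
    """Return {user: finding} for accounts with >= threshold failed logins
    inside any sliding window. threshold and window are assumed values."""
    recent = defaultdict(deque)   # user -> timestamps of failures in window
    findings = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        user = rec["UserId"].lower()
        ts = datetime.fromisoformat(rec["CreationTime"])
        if rec["Operation"] == FAILED:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than window
                q.popleft()
            if len(q) >= threshold:        # record peak and source IPs of the burst
                f = findings.setdefault(user, {"first_alert": ts, "peak": 0,
                                               "ips": set(), "success_after": False})
                f["peak"] = max(f["peak"], len(q))
                f["ips"].add(rec["ClientIP"])
        elif rec["Operation"] == OK and user in findings:
            # A success after a flagged burst may mean the guess worked.
            findings[user]["success_after"] = True
    return findings

def sample_records():
    """Constructed data: alice mistypes twice, bob gets 40 failures in 80 s."""
    t0 = datetime(2022, 12, 1, 9, 0, 0)
    def rec(op, user, ip, sec):
        return {"CreationTime": (t0 + timedelta(seconds=sec)).isoformat(),
                "Operation": op, "UserId": user, "ClientIP": ip}
    recs = [rec(FAILED, "alice@example.com", "198.51.100.7", 0),
            rec(FAILED, "alice@example.com", "198.51.100.7", 20),
            rec(OK, "alice@example.com", "198.51.100.7", 40)]
    recs += [rec(FAILED, "bob@example.com", "203.0.113.9", 2 * i) for i in range(40)]
    recs.append(rec(OK, "Bob@example.com", "203.0.113.9", 90))
    return recs

if __name__ == "__main__":
    for user, f in find_bruteforce(sample_records()).items():
        print(user, f["peak"], f["first_alert"], f["success_after"])
```

A flagged account with `success_after` set deserves the first look, since the burst of failures ended in a working sign-in.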


Email

Accessing Non-Owned Email Accounts

As a rule, no user should access another user’s email account. 

System administrators often have elevated privileges that enable them to access email accounts other than their own if needed. 

Because doing so could expose confidential information to the wrong personnel, these accesses should be performed only using named administrative accounts, and their activities must be closely monitored.

Inbound Message Forwarding 

A common hacking tactic is to set up auto-forwarding on a compromised email account. 

It is rare for a user to set up auto-forwarding of all incoming emails to another email address, in particular an external address. 

Thus, it is important to monitor for changes to user email accounts that implement this kind of forwarding. 
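The forwarding check described above, as an added example that is not part of the original article or any CoreView product: it scans audit records for `Set-Mailbox`, `New-InboxRule` and `Set-InboxRule` changes whose parameters forward or redirect mail, and marks targets outside the tenant's own domains. The simplified record layout, the sample records and `INTERNAL_DOMAINS` are assumptions.

```python
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

# Exchange cmdlet parameters that cause mail to be forwarded or redirected.
RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARD_PARAMS = {"Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
                  "New-InboxRule": RULE_PARAMS, "Set-InboxRule": RULE_PARAMS}

def split_targets(value):
    """Split a parameter value into lowercase addresses, dropping 'smtp:'."""
    parts = [p.strip().lower() for p in value.replace(",", ";").split(";")]
    parts = [p[5:] if p.startswith("smtp:") else p for p in parts]
    return [p for p in parts if p]

def find_forwarding(records, internal=INTERNAL_DOMAINS):
    """Return one finding per forwarding target set by an audited change."""
    findings = []
    for rec in records:
        watched = FORWARD_PARAMS.get(rec["Operation"], set())
        for param in rec.get("Parameters", []):
            if param["Name"] not in watched:
                continue
            # An empty value means forwarding was cleared: nothing to report.
            for addr in split_targets(param["Value"]):
                domain = addr.rpartition("@")[2]
                findings.append({
                    "actor": rec["UserId"], "object": rec["ObjectId"],
                    "operation": rec["Operation"], "target": addr,
                    # Values without '@' name a directory recipient: internal.
                    "external": "@" in addr and domain not in internal,
                })
    return findings

def sample_records():
    """Constructed records; the field layout is a simplified assumption."""
    def rec(op, user, obj, **params):
        return {"Operation": op, "UserId": user, "ObjectId": obj,
                "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}
    return [
        rec("Set-Mailbox", "carol@example.com", "carol",
            ForwardingSmtpAddress="smtp:drop@mail.example.net",
            DeliverToMailboxAndForward="True"),
        rec("New-InboxRule", "dave@example.com", "dave\\rule1",
            ForwardTo="erin@example.com;archive@partner.example.org"),
        rec("Set-Mailbox", "admin@example.com", "frank", ForwardingSmtpAddress=""),
    ]

if __name__ == "__main__":
    for finding in find_forwarding(sample_records()):
        print(finding)
```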

Microsoft Teams 

Creating or Deleting Teams 

Creating a new team in Microsoft Teams automatically creates new AD groups that control user access to that team site. 

It’s important to know how these team sites are being used and what changes are made to the associated groups. 

Groups that are accidentally modified or deleted can have crippling effects on users’ ability to collaborate. 

Guest Access 

An important feature of Microsoft Teams is the ability to share content with people outside the organization, such as customers, suppliers, government agencies, shareholders, and others.

Often, there are compelling business reasons for enabling outside access to a team site, but the creation of guest access accounts should be monitored to prevent external access to confidential information. 


Sharing Files and Anonymous Links 

Microsoft OneDrive and SharePoint enable the sharing of files and folders to both internal and external users. 

Although there might be good business reasons for doing so, users must be careful to avoid making these resources available to anonymous external users, particularly if the files or data are at all sensitive.

Administrators can block anonymous access to specific (or all) content and should implement well-defined rules around allowing any anonymous access. 

Resource Creation 

Several applications in the Microsoft 365 ecosystem create resources automatically. 

For example, creating a Microsoft Teams site creates a group calendar and mailbox, a SharePoint site for storing and collaborating on files, and more. 

Monitoring automatic and manual resource creation is critical for both resource management and security reasons. 

Application Changes 

Changes to applications, such as changing services, adding or changing application role assignments, and adding or changing application user passwords, can compromise security or even stop an application from functioning altogether. 

It is therefore important to be able to monitor these changes. 

Monitoring Made Easier 

As mentioned earlier, numerous tools are available in Microsoft 365 to perform these monitoring activities. However, there is no single tool for all of them, and in some cases, you have to export report data into Excel to filter what you’re looking for. 

There is an easier way. CoreView takes the guesswork and manual tasks out of Microsoft 365 security monitoring, helping you identify and manage security and compliance gaps with real-time visibility into everything from breach attempts to policy violations. 

CoreView also provides tools that help manage your Microsoft 365 licenses and give you complete visibility and control over your Microsoft 365 environment. 

To learn more about how CoreView can help with your Microsoft 365 security monitoring, or to request a demo, contact CoreView today.
