Cloudflare Docs
Cloudflare Zero Trust

Microsoft 365

The Microsoft 365 (M365) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

This integration covers the following Microsoft 365 products:

Integration prerequisites

Integration permissions

For the Microsoft 365 integration to function, Cloudflare CASB requires the following delegated Microsoft Graph API permissions:

  • Application.Read.All
  • Calendars.Read
  • Domain.Read.All
  • Group.Read.All
  • InformationProtectionPolicy.Read.All
  • MailboxSettings.Read
  • offline_access
  • RoleManagement.Read.All
  • User.Read.All
  • UserAuthenticationMethod.Read.All
  • Files.Read.All
  • AuditLog.Read.All

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the Microsoft Graph permissions documentation.

Security findings

The Microsoft 365 integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by severity level.

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed.

User account settings

Keep user accounts safe by ensuring the following settings are maintained. Review password configurations and password strengths to ensure alignment to your organization’s security policies and best practices.

Finding                                         Severity
FIDO2 authentication method unattested          Low
Provisioning error for on-prem user             Low
Password expiration disabled for user           Low
Password not changed in last 90 days            Low
Strong password disabled for user               Low
Cloud sync disabled for on-prem user            Low
Weak Windows Hello for Business key strength    Low
On-prem user not synced in 7 days               Low
User is not a legal adult                       Low
User configured proxy addresses                 Low
User account disabled                           Low

File sharing

Get alerted when files in your Microsoft 365 account have their permissions changed to a less secure setting.

To access some file findings, you may need to review shared links. For more information, refer to View shared files.

Finding                                               Severity
Microsoft File Publicly Accessible Read and Write     Critical
Microsoft Folder Publicly Accessible Read and Write   Critical
Microsoft File Publicly Accessible Read Only          High
Microsoft Folder Publicly Accessible Read Only        High
Microsoft File Shared Company Wide Read and Write     Medium
Microsoft File Shared Company Wide Read Only          Medium
Microsoft Folder Shared Company Wide Read and Write   Medium
Microsoft Folder Shared Company Wide Read Only        Medium
Calendar shared externally                            Low

Data Loss Prevention (optional)

These findings will only appear if you added DLP profiles to your CASB integration.

Finding                                                                     Severity
Microsoft File Publicly Accessible Read and Write with DLP Profile match    Critical
Microsoft File Publicly Accessible Read Only with DLP Profile match         Critical
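The following script shows how the sharing-link findings in the two tables above (file sharing and the optional DLP variants) can be derived from an item's sharing permissions. It is an added example for this page, not Cloudflare CASB code. The items are shaped like Microsoft Graph driveItem resources (a file or folder facet plus a permissions list whose entries may carry link.scope and link.type), but they are constructed samples, and the dlp_profile_matched flag is an assumption standing in for the outcome of a DLP profile scan rather than a Graph field.

```python
"""Map sharing links on constructed driveItem-like records to the findings above.

Added example, not Cloudflare CASB code. Items mimic Microsoft Graph driveItem
objects with a "file"/"folder" facet and a "permissions" list; the samples are
constructed. "dlp_profile_matched" is an assumed flag, not a Graph field.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (item name, finding name, severity)

# (link scope, link type) -> finding suffix and severity, taken from the tables above.
LINK_FINDINGS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("anonymous", "edit"): ("Publicly Accessible Read and Write", "Critical"),
    ("anonymous", "view"): ("Publicly Accessible Read Only", "High"),
    ("organization", "edit"): ("Shared Company Wide Read and Write", "Medium"),
    ("organization", "view"): ("Shared Company Wide Read Only", "Medium"),
}
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}

# Constructed sample items (not real tenant data).
SAMPLE_ITEMS: List[dict] = [
    {"name": "budget.xlsx", "file": {},
     "permissions": [{"link": {"scope": "anonymous", "type": "edit"}}]},
    {"name": "Photos", "folder": {},
     "permissions": [{"link": {"scope": "organization", "type": "view"}}]},
    # Direct share to a named user: no sharing link, so no finding in the tables above.
    {"name": "notes.docx", "file": {},
     "permissions": [{"roles": ["read"], "grantedTo": {"user": {"displayName": "A. User"}}}]},
    {"name": "plan.pptx", "file": {},
     "permissions": [{"link": {"scope": "anonymous", "type": "view"}},
                     {"link": {"scope": "organization", "type": "edit"}}]},
    {"name": "customers.csv", "file": {}, "dlp_profile_matched": True,
     "permissions": [{"link": {"scope": "anonymous", "type": "view"}}]},
]


def classify_permission(item: dict, perm: dict) -> Optional[Tuple[str, str]]:
    """Return (finding name, severity) for one permission entry, or None."""
    link = perm.get("link") or {}
    key = (link.get("scope"), link.get("type"))
    if key not in LINK_FINDINGS:
        return None  # direct shares and unknown scopes are not covered by the tables
    kind = "Folder" if "folder" in item else "File"
    suffix, severity = LINK_FINDINGS[key]
    finding = f"Microsoft {kind} {suffix}"
    # Assumption: a public link on a file whose content matched a DLP profile is
    # reported as the Critical "with DLP Profile match" variant instead.
    if kind == "File" and key[0] == "anonymous" and item.get("dlp_profile_matched"):
        finding += " with DLP Profile match"
        severity = "Critical"
    return finding, severity


def scan_items(items: List[dict]) -> List[Finding]:
    """Collect distinct findings per item, in item order."""
    findings: List[Finding] = []
    for item in items:
        seen = set()
        for perm in item.get("permissions", []):
            result = classify_permission(item, perm)
            if result and result not in seen:
                seen.add(result)
                findings.append((item["name"],) + result)
    return findings


def highest_severity(findings: List[Finding]) -> Optional[str]:
    """Worst severity present, useful for deciding what to triage first."""
    return max((f[2] for f in findings), key=SEVERITY_RANK.__getitem__, default=None)


if __name__ == "__main__":
    for name, finding, severity in scan_items(SAMPLE_ITEMS):
        print(f"{severity:8} {name}: {finding}")
```

Only link-based permissions are mapped; a permission granted directly to a named user has no link facet and produces nothing, which matches the tables above, where every file and folder row describes a public or company-wide link.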

Third-party apps

Identify and get alerted about the third-party apps that have access to at least one service in your Microsoft 365 domain. Additionally, receive information about which services are being accessed and by whom to get full visibility into shadow IT.

Finding                           Severity
App Not Certified By Microsoft    Low
App Not Attested By Publisher     Low
App Disabled By Microsoft         Low

Email administrator settings

Discover suspicious or insecure email configurations in your Microsoft domain. Missing SPF and DMARC records make it easier for bad actors to spoof email, while SPF records configured to another domain can be a potential warning sign of malicious activity.

Finding                                               Severity
Microsoft Domain SPF Record Allows Any IP Address     High
Microsoft Domain SPF Record Not Present               Medium
Microsoft Domain DMARC Record Not Present             Medium
Microsoft Domain DMARC Not Enforced                   Medium
Microsoft Domain DMARC Not Enforced for Subdomains    Medium
Microsoft Domain DMARC Only Partially Enforced        Medium
Microsoft Domain Not Verified                         Medium
App Certification Expires in 90 Days or Sooner        Low
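The SPF and DMARC rows above correspond to specific properties of a domain's TXT records, which the following script evaluates. It is an added example, not Cloudflare CASB code: it takes TXT record strings you supply (the records below are constructed samples, not real DNS data), applies the SPF pass-all rule and the DMARC p, sp and pct defaults from RFC 7489, and returns the matching finding names and severities. Resolving the records from DNS and the "Not Verified" and app-certification rows are outside its scope.

```python
"""Evaluate SPF and DMARC TXT records against the email-administrator findings above.

Added example, not Cloudflare CASB code. Works on record strings passed in;
the SAMPLE_TXT_RECORDS below are constructed, not real DNS data.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (finding name, severity)

# Constructed sample TXT records keyed by DNS name (assumption: not real domains).
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "partial.example": [],  # no SPF record published at all
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; sp=none; pct=50"],
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: List[str]) -> List[Finding]:
    """Flag a missing SPF record or one whose 'all' mechanism passes every sender."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return [("Microsoft Domain SPF Record Not Present", "Medium")]
    findings: List[Finding] = []
    for record in spf:
        for term in record.split()[1:]:
            # "+all", or a bare "all" (default qualifier is "+"), passes any IP address.
            if term.lower() in ("+all", "all"):
                findings.append(("Microsoft Domain SPF Record Allows Any IP Address", "High"))
    return findings


def check_dmarc(txt_records: List[str]) -> List[Finding]:
    """Flag a missing DMARC record, p=none, sp=none, or a pct below 100."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("Microsoft Domain DMARC Record Not Present", "Medium")]
    tags = parse_dmarc(dmarc[0])
    findings: List[Finding] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(("Microsoft Domain DMARC Not Enforced", "Medium"))
        return findings  # subdomain and pct checks add nothing when nothing is enforced
    # RFC 7489 defaults: sp falls back to p, pct to 100.
    if tags.get("sp", policy).lower() == "none":
        findings.append(("Microsoft Domain DMARC Not Enforced for Subdomains", "Medium"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is treated as the default rather than crashing
    if pct < 100:
        findings.append(("Microsoft Domain DMARC Only Partially Enforced", "Medium"))
    return findings


def assess_domain(domain: str, records: Dict[str, List[str]] = SAMPLE_TXT_RECORDS) -> List[Finding]:
    """Run both checks for one domain; the DMARC record lives at _dmarc.<domain>."""
    return check_spf(records.get(domain, [])) + check_dmarc(records.get("_dmarc." + domain, []))


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "partial.example"):
        print(name, assess_domain(name))
```

To run this against live domains, replace the dictionary lookup with a TXT query for the domain and for its _dmarc subdomain; the checks themselves do not change.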

Email forwarding

Get alerted when users set their email to be forwarded externally. This can either be a sign of unauthorized activity, or an employee unknowingly sending potentially sensitive information to a personal email.

Finding                                                 Severity
Active Message Rule Forwards Externally As Attachment   Low
Active Message Rule Forwards Externally                 Low
Active Message Rule Redirects Externally                Low
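The three findings above each correspond to one forwarding action on an enabled mailbox rule whose recipient lies outside the organization's domains. The script below reproduces that logic as an added example; it is not Cloudflare CASB code. The rules are constructed samples shaped like Microsoft Graph messageRule resources (isEnabled, displayName and an actions object with forwardTo, forwardAsAttachmentTo and redirectTo recipient lists), and the INTERNAL_DOMAINS set is an assumption you would replace with your tenant's verified domains.

```python
"""Flag enabled mailbox rules that forward or redirect mail outside the organization.

Added example, not Cloudflare CASB code. Input mimics Microsoft Graph messageRule
objects; the SAMPLE_RULES below are constructed. INTERNAL_DOMAINS is an assumption.
"""
from typing import Dict, List, Set, Tuple

INTERNAL_DOMAINS: Set[str] = {"contoso.example"}  # assumption: your verified domains

Finding = Tuple[str, str, str, List[str]]  # (rule name, finding, severity, external recipients)

# Action field -> finding name from the table above; all three are Low severity.
ACTION_FINDINGS: Dict[str, str] = {
    "forwardAsAttachmentTo": "Active Message Rule Forwards Externally As Attachment",
    "forwardTo": "Active Message Rule Forwards Externally",
    "redirectTo": "Active Message Rule Redirects Externally",
}

# Constructed sample rules (not real tenant data).
SAMPLE_RULES: List[dict] = [
    {"displayName": "Archive to assistant", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "assistant@contoso.example"}}]}},
    {"displayName": "Copy to personal", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "me@personal.example"}}]}},
    # Disabled rule: not an "active" rule, so it is skipped even though it redirects externally.
    {"displayName": "Old rule", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "x@personal.example"}}]}},
    {"displayName": "Send as attachment", "isEnabled": True,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "Me@Personal.Example"}}]}},
    {"displayName": "Redirect", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "boss@contoso.example"}},
                                {"emailAddress": {"address": "z@other.example"}}]}},
    {"displayName": "Move only", "isEnabled": True,
     "actions": {"moveToFolder": "archive-folder-id"}},
]


def is_external(address: str, internal_domains: Set[str]) -> bool:
    """Treat any recipient whose domain is not in the allow-set as external (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def find_external_forwarding(rules: List[dict],
                             internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Finding]:
    """Return one finding per (rule, action) pair that sends mail to an external address."""
    findings: List[Finding] = []
    for rule in rules:
        if not rule.get("isEnabled", False):
            continue  # the findings above cover active rules only
        actions = rule.get("actions") or {}
        for action, finding in ACTION_FINDINGS.items():
            external = [
                r["emailAddress"]["address"]
                for r in actions.get(action) or []
                if is_external(r["emailAddress"]["address"], internal_domains)
            ]
            if external:
                findings.append((rule.get("displayName", ""), finding, "Low", external))
    return findings


if __name__ == "__main__":
    for rule_name, finding, severity, recipients in find_external_forwarding(SAMPLE_RULES):
        print(f"{severity}: {finding} ({rule_name}) -> {', '.join(recipients)}")
```

A rule that mixes internal and external recipients is still reported, but only the external addresses are listed, which keeps the output focused on what an analyst needs to review.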

Microsoft Information Protection (MIP) sensitivity labels

Microsoft provides MIP sensitivity labels to classify and protect sensitive data. When you add the CASB Microsoft 365 integration, Cloudflare will automatically retrieve the labels from your Microsoft account and populate them in a DLP Profile.