Skip to content
English
Contact AgileBlue Support Customer portal
AgileBlue Portal
  • There are no suggestions because the search field is empty.

Utilizing Self-Service M365 Security Assessments

AgileBlue enables customers to access deep visibility into their M365 Security configuration through on-demand and scheduled assessments.


Overview

AgileBlue securely connects your M365 tenant to run on-demand and scheduled security assessments using M365 modules and CISA’s ScubaGear. Results are then processed by our reporting engine and presented as clear summaries and risk scores, along with actionable remediation guidance to help improve your M365 security posture.

Prerequisites

  • Access to the Microsoft Entra Admin Console 
  • Sufficient administrative privileges to grant API permissions and assign directory roles 
  • ScubaGear Certificate File 
  • Permissions to create application registrations 

Download ScubaGear Certificate

  1. Log in to the AgileBlue SecOps Portal
  2. In the left-hand column, navigate to Office365 Assessment
  3. Toggle the switch to Enabled
  4. Click Download Certificate

Please note, this certificate will be valid for 365 days. When that timeframe has passed, the download certificate button will become available and the cert will need to be refreshed.

Register A New Azure Application

  1. Log in to the Microsoft Entra Admin Console
  2. Navigate to Entra ID
  3. Select App registrations
  4. Click New registration
  5. Provide a name for the application (use any name that can be easily referenced, ex. AgileBlueScuba)
  6. Click Accounts in this organizational directory only (Single tenant)


  7. Select Register
  8. After registering the application, copy the Application (client) ID, which will be needed for the Assessment Configuration Form in our portal

    Group 1, Grouped object
  9. Next, collect your Primary Domain, which can be located on the landing page of Azure on the Overview page; this will be used for the Organization field later on


Configure Microsoft Graph API Permissions

  1. From the app created in the previous section, select API permissions
  2. Click Add a permission
  3. Choose Microsoft Graph
  4. Select Application permissions
  5. Add the following permissions:
    1. Directory.Read.All
    2. GroupMember.Read.All
    3. Organization.Read.All
    4. Policy.Read.All
    5. RoleManagement.Read.Directory
    6. RoleManagementPolicy.Read.AzureADGroup
    7. PrivilegedAccess.Read.AzureAD
    8. PrivilegedEligibilitySchedule.Read.AzureADGroup
    9. User.Read.All
  6. Click Add permissions

Configure Additional API Permissions

Exchange Online Permissions

  1. Click Add a permission

  2. Choose APIs my organization uses
  3. Search for Office 365 Exchange Online and select in, then choose Application permissions
  4. Add the following permission:
    1. Exchange.ManageAsApp
  5. Click Add permissions

SharePoint Permissions

  1. Once again, click Add a permission

  2. Choose Microsoft APIs
  3. Search for and select SharePoint
  4. Choose Application permissions
  5. Add the following permission:
    1. Sites.FullControl.All
  6. Select Add permissions

Once all permissions have been added, the full list should look like the image below:

Grant Admin Consent

  1. Confirm the permissions listed above are present
  2. Select Grant admin consent
  3. Click yes on the popup

  4. Confirm the green check mark under Status is present as in the image below

Assign the Global Reader Role

  1. Navigate to Roles & Administrators
  2. Click here as indicated in the image below

  3. Search for Global Reader
  4. Click the Global Reader role text; DO NOT click on the checkbox

  5. Select Add assignments


  6. Click No Members Selected


  7. Search for the application name created earlier
  8. Check box to attach Global Reader role
  9. Verify that the correct application has been chosen, then click Select


  10. Verify all values are correct and click Next


  11. Provide justification for access and maintaining permeance then click Assign


  12. Click refresh

Power Platform Permissions

  1. Open a PowerShell session with administrative permissions
  2. Check if PowerApps has been installed
  3. Run the command below: 
    Get-Module -Name *PowerApps* | Format-List Name

  4. If you do not see any results, use the following command to install the PowerApps library: 
    Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser –Force

  5. Allow the command to complete and accept any confirmations presented
  6. Execute the below command: 
    Add-PowerAppsAccount -Endpoint prod -TenantId (insert Tenant ID)

    Be sure to insert your Tenant ID, which can be gathered from the Entra ID Administrative Page by selecting Overview

    When prompted to authenticate, ensure you are using an account that has either Power Platform Admin or Global admin permissions.

    NOTE: If this is a government organization in a GCC tenant, replace "-Endpoint prod" with "-Endpoint usgov"

  7. Execute the following command (be sure to include the Application ID from the app created earlier in this guide) 
    New-PowerAppManagementApp -ApplicationId (Insert App Id)

     

  8. Close the PowerShell window

Upload the O365 Assessment Certificate

  1. Return to your created Application and select Certificates & Secrets
  2. Click Certificates
  3. Select Upload certificate
  4. Navigate to the location to which the certificate downloaded in the first section of this guide (Download ScubaGear Certificate) is saved
  5. Upload the certificate
  6. Click Add
  7. Copy the Thumbprint value found on the ensuing page, which will be needed later on

Complete Application Fields In AgileBlue Portal

  1. Return to the AgileBlue portal and navigate back to Office365 Assessment
  2. Fill in the information gathered in the previous sections:
    1. Application ID
    2. Organization
    3. Certificate Thumbprint
  3. Under Products to Assess, select each of the Microsoft products to be included in the scan
  4. Select the Environment Sensitivity appropriate for your organization:
    1. Non-government tenant
    2. Government cloud tenant
    3. Government cloud tenant (high)
    4. Department of Defense tenant
  5. Click Save Configuration

Scanning Cadence

On-Demand

Once the configuration has been saved, you can use the Scan Now button any time to execute an on-demand scan. Once a scan is completed, it will appear in the Assessment Scan History section and will include the start and finish times, the user who initiated the scan, and a summary of the findings. Full reports can be downloaded as a CSV file from the right-hand column.

Scheduled

To schedule recurring scans, click the + icon under Current Assessment Schedules. You can then choose specific dates or set scans to run automatically at regular intervals. Scans can occur multiple times per day, week, or month, or on a specific day of the week, month, or year.

These options are geared toward providing flexibility to automate your scanning workflow and ensure your products are assessed on a consistent, predictable schedule.

Need Help? 

AgileBlue is always here to support you and ensure you are 100% successful. If there are any issues with the installation or if you have any questions, please reach out to AgileBlue Support

Email: support@agileblue.com  
Phone: (216) 606-9400🚨