Office 365 Audit: MFA & External Access Check

The Challenge
Maintaining security compliance in Office 365 is complex. Global administrators without Multi-Factor Authentication (MFA) represent a critical single point of failure, and file sharing in SharePoint can quietly spiral out of control, exposing sensitive data to external users.
The goal was to perform a complete scan to:
- Identify vulnerable privileged accounts (Global Admins) without MFA
- Map external access (Guests) on critical sites
- Generate a factual and audit-ready compliance report
- Eliminate security blind spots in the tenant
The Prompt Sent to Myrmex
Using the integration with the Office 365 tenant, we sent:
Perform a security audit of the current Office 365 @AINEXT tenant configurations.
Identify any global admin accounts without MFA enabled and list all external
users with access to sensitive SharePoint sites.
Provide a factual report of these findings for compliance review.
Note: Myrmex acts as an external auditor, scanning configurations and logs to deliver an "X-Ray" of the current security state.
What Myrmex Did
Myrmex read the directory configuration in Azure AD / Entra ID and the permissions in SharePoint Online. Because the available APIs did not expose each account's MFA state directly, it inferred MFA enforcement from sign-in telemetry instead.
Audit Summary
| Category | Status | Key Finding |
|---|---|---|
| Privileged MFA | ⚠️ Partial | 4 of 5 Global Admins signed in with single-factor authentication. |
| Guest Access | ✅ Secure | No external users in the directory. |
| SharePoint Ext. | ✅ Secure | SharePoint root has no permissions for third parties. |
Detailed Analysis
1. MFA Audit on Privileged Accounts
Myrmex analyzed the last 30 days of login logs for the 5 identified Global Administrators.
Methodology:
Each sign-in event for these accounts was cross-referenced for either error code 50074 (MFA Required, i.e. an MFA challenge was issued) or a "Single-Factor" authentication requirement (the sign-in completed with a password alone).
Results:
- Tecnologia Ainext: ✅ MFA Enforced (Always challenged).
- Rafael Freire: ⚠️ MFA Not Observed (Interactive single-factor login).
- Pedro Souza: ⚠️ MFA Not Observed.
- Vinicius Silva: ⚠️ MFA Not Observed.
- Marcelo Benevides: ⚠️ MFA Not Observed.
Risk: 80% of the privileged attack surface is potentially exposed to simple credential phishing.
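As an added example, not code from the original page or from Myrmex, here is how a reviewer could reproduce the classification above from exported sign-in records. It assumes records in the shape of the Microsoft Graph signIn resource (fields such as `userPrincipalName`, `isInteractive`, `authenticationRequirement`, `status.errorCode`, `conditionalAccessStatus`); the Global Admin list and the sign-in events are constructed for illustration, not taken from the audited tenant. It goes one step beyond the page in two ways: an admin with no interactive sign-ins in the window is reported separately rather than as enforced, since absence of telemetry is not evidence of MFA, and single-factor sign-ins where Conditional Access did not apply are counted, which is the "trusted location" gap mentioned under Benefits.

```python
"""Classify Global Admins from sign-in telemetry, as in the audit above."""
from datetime import datetime, timedelta, timezone

# Error code cited on the page: 50074 = strong (multi-factor) authentication required.
MFA_REQUIRED_ERROR = 50074
LOOKBACK = timedelta(days=30)

# Constructed data: a hypothetical admin set and sign-in records in Graph signIn shape.
GLOBAL_ADMINS = {
    "tenant.admin@example.test",
    "alice@example.test",
    "bob@example.test",
    "carol@example.test",
}
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

SIGN_INS = [
    # tenant.admin: always challenged (one MFA success, one 50074 challenge on a password-only attempt)
    {"userPrincipalName": "tenant.admin@example.test", "createdDateTime": "2024-06-02T08:00:00Z",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "tenant.admin@example.test", "createdDateTime": "2024-06-10T09:15:00Z",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50074}, "conditionalAccessStatus": "failure"},
    # alice: password-only success where no Conditional Access policy applied (trusted-location gap)
    {"userPrincipalName": "alice@example.test", "createdDateTime": "2024-06-05T10:00:00Z",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
    # bob: an MFA sign-in, but outside the 30-day window, then a recent password-only success
    {"userPrincipalName": "bob@example.test", "createdDateTime": "2024-04-20T07:30:00Z",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@example.test", "createdDateTime": "2024-06-20T07:30:00Z",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    # carol: only a non-interactive token refresh, which proves nothing about MFA
    {"userPrincipalName": "carol@example.test", "createdDateTime": "2024-06-21T12:00:00Z",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
]


def mfa_evidence(event):
    """Return 'challenged', 'single_factor', or None when the event is not informative."""
    if not event.get("isInteractive", True):
        return None  # token refreshes reuse an earlier session; they do not show a challenge
    error_code = event.get("status", {}).get("errorCode", 0)
    if error_code == MFA_REQUIRED_ERROR:
        return "challenged"  # tenant demanded a second factor
    requirement = event.get("authenticationRequirement")
    if requirement == "multiFactorAuthentication":
        return "challenged"
    if requirement == "singleFactorAuthentication" and error_code == 0:
        return "single_factor"  # completed with a password alone
    return None


def audit_privileged_mfa(sign_ins, admins, now=NOW, lookback=LOOKBACK):
    """Tally evidence per admin inside the lookback window and label each account."""
    cutoff = now - lookback
    counts = {upn: {"challenged": 0, "single_factor": 0, "ca_not_applied": 0} for upn in admins}
    for event in sign_ins:
        upn = event["userPrincipalName"].lower()
        if upn not in counts:
            continue  # only privileged accounts are in scope
        when = datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        kind = mfa_evidence(event)
        if kind is None:
            continue
        counts[upn][kind] += 1
        if kind == "single_factor" and event.get("conditionalAccessStatus") == "notApplied":
            counts[upn]["ca_not_applied"] += 1  # password-only AND no policy evaluated
    report = {}
    for upn, c in counts.items():
        if c["single_factor"] > 0:
            status = "MFA Not Observed"
        elif c["challenged"] > 0:
            status = "MFA Enforced"
        else:
            status = "No interactive sign-ins"  # no evidence either way; do not mark as enforced
        report[upn] = {"status": status, **c}
    return report


def exposure_ratio(report):
    """Share of in-scope admins with at least one password-only interactive sign-in."""
    exposed = sum(1 for r in report.values() if r["status"] == "MFA Not Observed")
    return exposed / len(report) if report else 0.0


if __name__ == "__main__":
    result = audit_privileged_mfa(SIGN_INS, GLOBAL_ADMINS)
    for upn in sorted(result):
        print(f"{upn:28} {result[upn]['status']:24} {result[upn]}")
    print(f"exposed share: {exposure_ratio(result):.0%}")
```

The ordering of checks matters: a 50074 record is a failed sign-in, so it is tested before the `authenticationRequirement` field, otherwise it would be misread as a single-factor attempt. In a real export the window and the admin set come from the directory, and the "No interactive sign-ins" bucket is the list to follow up by other means rather than a clean result.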
2. External Exposure Scan (SharePoint)
Myrmex enumerated the permissions on the SharePoint root site and the guest users in the directory.
Results:
- Guests in Azure AD: 0 found.
- SharePoint Permissions: No explicit permissions for external domains.
Benefits of the Approach
🔍 Evidence-Based Audit
Unlike just checking a policy ("Is MFA turned on?"), Myrmex verified actual effectiveness ("Was MFA challenged at login?"). This uncovers flaws in Conditional Access policies (e.g., exceptions for "trusted locations" that leave gaps).
⚡ Rapid Compliance
What would take hours navigating multiple portals (Entra ID, SharePoint Admin, Logs) was consolidated into a single, readable report in seconds.
Result
With the Myrmex audit:
- ✅ Critical Risk Visibility: Clear identification of admins operating without MFA.
- ✅ Perimeter Confirmation: Validation that no data is leaking to external guests.
- ✅ Actionable Basis: The list of users without MFA allows focused remediation.
Prompt Variations
The same pattern can be used for deeper audits:
For licensing:
Audit the use of E5 licenses in the tenant.
List users with assigned licenses who have not logged in for the last 90 days.
For data retention:
Check Exchange and Teams retention policies.
Confirm if there are active policies for data older than 5 years.
