Microsoft 365

28 November 2018

Secure Microsoft 365: the Flash Audit explained by an expert

Audit for Microsoft 365

For the majority of IDECSI customers, the Flash Audit is the starting point for email or Office 365 protection. In order to better understand how this Flash Audit works and especially what it can bring in terms of security, we spoke to one of our experts: Giovanni Chitano.

Hello Giovanni. In a few words, can you tell us what is a Flash Audit? 

If I had to summarise it in one sentence, I would say that a Flash Audit is a vulnerability assessment which provides a complete summary of security status, over a specific timeframe, for a set of email boxes and SharePoint or OneDrive libraries. More concretely, the audit relies on the use of IDECSI technology to automatically analyse the access logs, permissions and configurations associated with mailboxes and audited resources. IDECSI produces a global report, as well as reports for each resource. These reports are immediately actionable. IDECSI uses these results to define an overall level of risk and make remediation recommendations that are presented and discussed at a feedback meeting.

In practice, IDECSI will analyse Office 365 logs, or Exchange/SharePoint on-premise logs, to check the following:  

  • Access: who accesses each mailbox or library, for what, how, when and where?
  • Permissions and delegations for all audited resources
  • Configuration objects linked to the user: synchronised devices (tablets, smartphones, …), permissions, redirection rules for emails, and more
  • Configuration objects related to the global configuration: distribution lists, logging, mapping of all mobile devices (“Activesync”) 

What are the risks that you most often encounter during audits? 

On the one hand, there are the problems that we consistently find during audits, such as rules to redirect emails externally or full access rights that are no longer legitimate, perhaps due to changes in roles, or simply because these rights are no longer used.  

On the other hand, we regularly identify situations that are a particular risk, such as:  

  • Redirection of a complete email box to outside of the organisation
  • The existence of service accounts that allow third parties to access mailboxes 
  • The existence of admin accounts with access to all mailboxes
  • The export of a complete mailbox by an admin
  • Simultaneous connections from multiple countries with rules to prevent emails appearing the “Sent Items” folder 

If a company wants to do an audit, what resources does it need to commit? 

Flash Audits are highly automated and require minimal resources. The company simply needs to provide access to the logs of the audited platform as well as the list of accounts to be analysed.  Crucially, the audit does not require access to email or library content or any other confidential information. 

In more detail, a Flash Audit requires:  

  • At the beginning: the list of resources to audit and a low-privileged service account. The installation takes just a few minutes and does not require access to sensitive data.
  • Collection phase (usually 3 weeks): minimal or no operational follow-up during the audit
  • A review meeting to understand the output, risks and remediation

To end this interview, in your opinion, when should a company do a Flash Audit? 

In a somewhat provocative way, I would say that the Flash Audit is essential to any company which understands that email is a serious security problem. A check-up of this type, providing a snapshot of the integrity of the audited messaging and Exchange infrastructure, is required at least once or twice a year. In addition, with SharePoint (and OneDrive) increasingly the platform of choice for storing critical information, including PII, this environment must also be checked regularly. 

There are also moments in the life of the company where a Flash Audit makes particular sense, for example, when it is necessary to ensure even greater confidentiality of information (during acquisitions, close to critical strategic announcements, etc.). We may also engage after a security incident to identify residual risks.  

Obviously, the Flash Audit is very useful before the migration to Office 365 to map the system usage and ensure a clean configuration is migrated, or even after the migration to ensure the cloud deployment is secure.  


A few words about Giovanni Chitano 

Prior to joining IDECSI, Giovanni was, as he puts it, “on the other side of the fence” as an infrastructure manager, in charge of security, at the accounting firm Dixon-Wilson. Having been responsible for their Office 365 migration, he has an excellent knowledge of on-premise and cloud infrastructures, as well as security challenges associated with migration to the cloud. 

Our articles

These articles may
interest you

Risks in Microsoft 365
Microsoft 365
Expert Advice

4 risks to watch out for in Microsoft 365 collaboration tools

Lire l'article
Classification with MIP
Microsoft 365

Classify and protect sensitive data: focus on MIP

Lire l'article
Best practices on Microsoft 365
Microsoft 365
Expert Advice

Best practices to improve security in Microsoft 365

Lire l'article
Data protection, let's discuss your project?