๐Ÿ›ก๏ธ Recipe ยท Security & Compliance

Investigate M365 Security Posture: Secure Score, Risky Users, and Admin MFA

Audit your Microsoft 365 tenant's security posture by reviewing Secure Score, privileged role assignments, admin MFA coverage, and high-privilege app registrations, then prioritize remediation.

Complexity

Intermediate

Impact

security-posture + privileged-access + mfa-coverage + app-governance + compliance-audit

Context

Why This Matters

Microsoft 365 tenants drift toward insecurity over time: new admin accounts get added, apps accumulate privileged Graph permissions, Secure Score controls fall behind defaults, and MFA coverage gaps appear on the highest-value accounts. A quarterly (or incident-driven) posture review lets you catch these issues before an attacker does.

This recipe walks through the four highest-leverage checks for a standard M365 / Entra ID tenant:

  • Secure Score: Microsoft's aggregate rating of your identity, app, device, and data controls, compared against tenants of similar size.
  • Privileged role membership: who currently holds Global Administrator and other Tier-0 directory roles.
  • Admin MFA registration: confirmation that every privileged account has a strong authentication method registered (Microsoft Authenticator, a FIDO2 security key or passkey, or Windows Hello for Business) rather than only a password or SMS. Note that only FIDO2/passkeys, Windows Hello for Business, and certificate-based authentication are phishing-resistant; Authenticator push and TOTP are genuine MFA but can still be relayed by an adversary-in-the-middle phishing kit, so prefer the phishing-resistant set for Tier-0 accounts.
  • App registration permissions: third-party and internal applications that hold sensitive Microsoft Graph application roles. These roles work without any signed-in user, so they represent a major supply-chain and lateral-movement risk.

Run it when onboarding a new tenant, after a suspected incident, on a recurring schedule (monthly/quarterly), or any time leadership asks for a security readout.
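The four checks above reduce to a small amount of logic once the Graph responses are in hand. The following is an added example written for this page, not code from the original recipe or from Dex: it classifies each admin's registered authentication methods, ranks Secure Score controls by unachieved points, and flags app registrations by the Graph application roles they request. All payloads are constructed samples shaped like the v1.0 responses named in the docstring; the role GUIDs in the sample are illustrative and in a real run are resolved from your tenant's Microsoft Graph service principal, as the code does. The `> 5 roles` threshold mirrors the prompt at the bottom of the page, and the Tier-0 role set is an assumption based on which roles can grant Global Administrator-equivalent control.

```python
"""Added example (not from the original page): score Graph responses offline.

Constructed sample payloads below mirror the shape of these Microsoft Graph v1.0 calls:
  GET /security/secureScores?$top=1
  GET /security/secureScoreControlProfiles
  GET /directoryRoles?$filter=roleTemplateId eq '<template id>'   then  /directoryRoles/{id}/members
  GET /users/{id}/authentication/methods
  GET /applications?$select=displayName,appId,requiredResourceAccess
  GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'&$select=appRoles
"""
from typing import Dict, List, Tuple

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # roleTemplateId for the filter above

# Authentication method types as they appear in @odata.type, "#microsoft.graph." prefix stripped.
PHISHING_RESISTANT = {"fido2AuthenticationMethod", "windowsHelloForBusinessAuthenticationMethod",
                      "x509CertificateAuthenticationMethod"}
STRONG_BUT_PHISHABLE = {"microsoftAuthenticatorAuthenticationMethod", "softwareOathAuthenticationMethod"}
# Assumption: Graph application roles that let an app reach Global Administrator-equivalent control.
TIER0_GRAPH_ROLES = {"RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
                     "Application.ReadWrite.All", "Directory.ReadWrite.All"}


def classify_admin_mfa(methods: List[dict]) -> str:
    """Best registered method class for one user; password and temporary access pass count for nothing."""
    types = {m["@odata.type"].removeprefix("#microsoft.graph.") for m in methods}
    if types & PHISHING_RESISTANT:
        return "phishing-resistant"
    if types & STRONG_BUT_PHISHABLE:
        return "strong"
    if "phoneAuthenticationMethod" in types or "emailAuthenticationMethod" in types:
        return "weak"  # SMS, voice call or e-mail OTP only
    return "password-only"


def control_gaps(secure_score: dict, profiles: List[dict]) -> List[Tuple[float, str, str]]:
    """Controls ranked by points still unachieved (profile maxScore minus current control score)."""
    by_id = {p["id"]: p for p in profiles}  # profile id == controlScores[].controlName
    gaps = []
    for c in secure_score["controlScores"]:
        prof = by_id.get(c["controlName"])
        if prof:
            gaps.append((prof["maxScore"] - c["score"], c["controlName"], prof.get("title", "")))
    return sorted(gaps, reverse=True)


def app_graph_roles(app: dict, role_names: Dict[str, str]) -> List[str]:
    """Application roles (type 'Role'; delegated 'Scope' entries are ignored) requested on Graph.
    Unresolvable ids are reported verbatim so they are still counted."""
    return [role_names.get(ra["id"], ra["id"])
            for rra in app.get("requiredResourceAccess", []) if rra["resourceAppId"] == GRAPH_APP_ID
            for ra in rra["resourceAccess"] if ra["type"] == "Role"]


def assess(secure_score, profiles, admins, methods_by_user, apps, graph_sp, role_threshold=5):
    """Turn the raw data into a (severity, finding) list ordered Critical > High > Medium."""
    findings = []
    for a in admins:
        mfa = classify_admin_mfa(methods_by_user.get(a["id"], []))
        if mfa in ("password-only", "weak"):
            findings.append(("Critical", f"{a['userPrincipalName']} ({a['role']}): MFA {mfa}"))
        elif mfa == "strong":
            findings.append(("Medium", f"{a['userPrincipalName']} ({a['role']}): MFA not phishing-resistant"))
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}  # GUID -> e.g. Directory.Read.All
    for app in apps:
        roles = app_graph_roles(app, role_names)
        tier0 = sorted(set(roles) & TIER0_GRAPH_ROLES)
        if tier0:
            findings.append(("Critical", f"app {app['displayName']}: Tier-0 Graph roles {tier0}"))
        elif len(roles) > role_threshold:
            findings.append(("High", f"app {app['displayName']}: {len(roles)} Graph application roles"))
    for gap, name, title in control_gaps(secure_score, profiles)[:3]:
        if gap > 0:
            findings.append(("Medium", f"Secure Score control {name} ({title}): {gap:g} points unachieved"))
    rank = {"Critical": 0, "High": 1, "Medium": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


# ---- constructed sample data; GUIDs are illustrative and must be resolved from your own tenant ----
SECURE_SCORE = {"currentScore": 61.5, "maxScore": 100.0, "controlScores": [
    {"controlName": "AdminMFAV2", "score": 0.0}, {"controlName": "BlockLegacyAuthentication", "score": 8.0}]}
PROFILES = [{"id": "AdminMFAV2", "title": "Require MFA for administrative roles", "maxScore": 10.0},
            {"id": "BlockLegacyAuthentication", "title": "Block legacy authentication", "maxScore": 8.0}]
ADMINS = [{"id": "u1", "userPrincipalName": "breakglass@contoso.example", "role": "Global Administrator"},
          {"id": "u2", "userPrincipalName": "alice@contoso.example", "role": "Global Administrator"}]
METHODS = {"u1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
                  {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"}],
           "u2": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
                  {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}]}
GRAPH_SP = {"appRoles": [  # subset of the Graph service principal's appRoles (sample values)
    {"id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "value": "Directory.Read.All"},
    {"id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All"},
    {"id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read"},
    {"id": "5b567255-7703-4780-807c-7be8301ae99b", "value": "Group.Read.All"},
    {"id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6", "value": "Files.Read.All"}]}


def _graph(*role_ids, scope_ids=()):
    return [{"resourceAppId": GRAPH_APP_ID, "resourceAccess":
             [{"id": i, "type": "Role"} for i in role_ids] + [{"id": i, "type": "Scope"} for i in scope_ids]}]


APPS = [{"displayName": "HR Sync", "requiredResourceAccess": _graph("9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8")},
        {"displayName": "Legacy Connector", "requiredResourceAccess": _graph(  # 6 roles, last one unresolved
            "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "df021288-bdef-4463-88db-98f22de89214",
            "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "5b567255-7703-4780-807c-7be8301ae99b",
            "01d4889c-1287-42c6-ac1f-5d1e02578ef6", "332a536c-c7ef-4017-ab91-336970924f0d")},
        {"displayName": "Helpdesk Portal", "requiredResourceAccess": _graph(
            "810c84a8-4a9e-49e6-bf7d-12d183f40d01", scope_ids=["e1fe6dd8-ba31-4d61-89e7-88639da4683d"])}]


def run_sample():
    return assess(SECURE_SCORE, PROFILES, ADMINS, METHODS, APPS, GRAPH_SP)


if __name__ == "__main__":
    for severity, text in run_sample():
        print(f"[{severity}] {text}")
```

Two things to keep in mind when feeding real data into this: `/directoryRoles/{id}/members` returns bare directoryObject entries, so follow up with `/users/{id}?$select=userPrincipalName,accountEnabled` for the roster, and it only lists active assignments; PIM-eligible holders come from `/roleManagement/directory/roleEligibilityScheduleInstances`, which needs Entra ID P2. Also, `requiredResourceAccess` is what the app asks for, not what has been consented; compare against `/servicePrincipals/{id}/appRoleAssignments` on the app's service principal before calling a finding confirmed.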

Expected Outcomes

What you will have after completing this recipe

  • A captured current Secure Score value, max score, and comparative benchmark against similar tenants.
  • A list of the lowest-scoring Secure Score controls ranked by remediation impact.
  • A complete roster of Global Administrators (and optionally all directory role holders) with account-enabled status.
  • A per-admin MFA method inventory identifying any privileged account relying only on password or SMS.
  • An app registration report flagging applications with excessive Microsoft Graph application permissions.
  • A prioritized remediation list (Critical / High / Medium) you can hand to leadership or execute directly.

Risks & Considerations

Warnings and gotchas

  • Premium license dependency. Risky user, risky sign-in, and the tenant-wide authentication methods registration report require Entra ID P1 or P2. On Entra ID Free tenants these calls fail with HTTP 403 and an error message that cites premium licensing. Fall back to Secure Score, directory role enumeration, and the per-user /users/{id}/authentication/methods endpoint, none of which need a premium license.
  • Read-only investigation. This recipe only reads data. Do not remediate findings (disable accounts, remove role holders, revoke app consents) without a change ticket and stakeholder sign-off โ€” removing a legitimate service account can cause outages.
  • App registration permissions are the #1 sleeper risk. An app holding RoleManagement.ReadWrite.Directory (can assign any directory role, including Global Administrator) or AppRoleAssignment.ReadWrite.All (can grant its own service principal any Graph role) is effectively Global Admin, and Directory.ReadWrite.All or Application.ReadWrite.All is close behind. These are application permissions: they work with no signed-in user, so a leaked client secret or certificate is all an attacker needs. Treat every high-privilege app as a privileged identity.
  • Don't leak user data in reports. The outputs contain UPNs, phone numbers, and device identifiers. Store them only in approved secure locations (e.g., encrypted SharePoint site with restricted access).
  • Secure Score lag. Control implementation status can take up to 48 hours to reflect recent changes; re-check the next day after remediations.

Required Permissions

Permission                          Why It's Needed
SecurityEvents.Read.All             Read Microsoft Secure Score and control recommendations.
Directory.Read.All                  Enumerate directory roles, role members, and user details.
RoleManagement.Read.Directory       Resolve role definitions and assignments for privileged roles.
UserAuthenticationMethod.Read.All   Inspect which MFA methods are registered on each administrator account.
Application.Read.All                Inventory app registrations and their requested Graph permissions.
AuditLog.Read.All                   Query sign-in logs and directory audit events (requires Entra ID P1 for full data).
IdentityRiskyUser.Read.All          List users flagged as risky by Entra ID Protection (requires Entra ID P2).

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Investigate our M365 security posture: pull the current Secure Score and lowest-scoring controls, list all Global Administrators and other privileged role holders, verify every admin has strong MFA registered (not just password/SMS), and flag any app registrations holding more than 5 Microsoft Graph application roles. Produce a prioritized remediation list (Critical/High/Medium).