Microsoft 365 Risky Settings: Detect and Fix Automatically
Microsoft 365 misconfigurations are one of the most common attack vectors in cloud environments. From mailbox forwarding rules to external sharing settings, attackers exploit configuration drift to exfiltrate data and maintain persistence. This guide covers how to detect risky M365 settings and automatically remediate them before they become breaches.
Why M365 Settings Matter for Security
Microsoft 365 is the backbone of most enterprise environments, handling email, file storage, collaboration, and identity. A single misconfiguration can expose sensitive data, enable account takeover, or create persistence mechanisms for attackers.
The Configuration Drift Problem
Settings change over time—users create forwarding rules, admins enable features for convenience, third-party apps request permissions. Without continuous monitoring, your secure baseline erodes silently. By the time you discover the drift, attackers may have already exploited it.
High-Risk M365 Settings to Monitor
Not all settings carry equal risk. Focus detection and automation on these critical areas:
Critical Risk Settings
External Mailbox Forwarding
Auto-forwarding to external addresses is the #1 indicator of business email compromise (BEC) and data exfiltration.
Delegate Access to Mailboxes
Full access or send-as permissions granted to unexpected users often indicates compromise.
OAuth App Consent (High Privilege)
Illicit consent grants give attackers persistent access through malicious applications.
High Risk Settings
External Sharing in SharePoint/OneDrive
Anonymous links or sharing with external domains can expose sensitive documents.
Disabled Audit Logging
Attackers disable logging to cover tracks. Missing logs = missing visibility.
Transport Rules Bypassing Security
Rules that whitelist domains, skip spam filtering, or redirect mail to external addresses.
Legacy Authentication Enabled
Protocols like IMAP, POP3, and SMTP AUTH bypass MFA and are prime targets for password spray.
Medium Risk Settings
Guest User Access
Stale guest accounts or overly permissive guest policies expand the attack surface.
Teams External Access
Open federation allows any external user to message your employees directly.
PowerShell Remoting Enabled
Unrestricted PowerShell access can be used for reconnaissance and lateral movement.
Detection Signals and Data Sources
Effective detection requires the right data sources. Here is where to look for each setting category:
| Setting Category | Data Source | Key Operations |
|---|---|---|
| Mailbox Forwarding | Exchange Admin Audit | Set-Mailbox, New-InboxRule |
| Delegate Access | Exchange Admin Audit | Add-MailboxPermission |
| OAuth Consent | Azure AD Audit Logs | Consent to application |
| Sharing Settings | SharePoint Audit | SharingSet, AnonymousLink |
| Transport Rules | Exchange Admin Audit | New-TransportRule, Set-TransportRule |
| Audit Logging | Unified Audit Log | Set-AdminAuditLogConfig |
Automated Detection Logic
Build detection rules that trigger on risky configuration changes. Here are examples for critical settings:
Rule 1: External mailbox forwarding (Operation: Set-Mailbox)
Parameters contains: ForwardingAddress OR ForwardingSMTPAddress
Value: External domain (not in allowed list)
→ ALERT: High severity

Rule 2: Suspicious inbox rule (Operation: New-InboxRule)
Parameters contains: ForwardTo OR RedirectTo OR DeleteMessage
Target: External address OR all messages
→ ALERT: Critical severity

Rule 3: Risky OAuth app consent (Operation: Consent to application)
Permissions contains: Mail.Read OR Mail.ReadWrite OR Files.ReadWrite.All
Publisher: Not verified OR unknown
→ ALERT: Critical severity
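The three rules above, run over audit records, as an added example (this is not BitLyft AIR code). The records are constructed samples in a simplified Unified Audit Log shape (Operation, UserId, ObjectId, Parameters, ModifiedProperties); real exports carry many more fields. The internal domain, the forwarding allowlist and the PublisherVerified property used for the publisher check are assumptions.

```python
"""Evaluate M365 audit records against the three detection rules above.

Added example, not BitLyft AIR code. Record shape is a simplified Unified
Audit Log layout; PublisherVerified is an assumed property for rule 3.
"""
import json
from dataclasses import dataclass, asdict

INTERNAL_DOMAINS = {"contoso.example"}            # assumed org domains
ALLOWED_FORWARDING = {"archive@partner.example"}  # approved external targets (rule 1)
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All"}  # rule 3


@dataclass
class Alert:
    severity: str
    rule: str
    actor: str    # UserId: who made the change
    target: str   # ObjectId: mailbox or app affected
    detail: str


def _params(rec):
    """Flatten the UAL Parameters array to {name.lower(): value}."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def _address(value):
    """Drop the 'smtp:' prefix UAL puts on addresses and lowercase."""
    value = value.strip().lower()
    return value[5:] if value.startswith("smtp:") else value


def is_external(address):
    """True when the address domain is not one of ours."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def check_set_mailbox(rec):
    """Rule 1: forwarding set to an external, non-allowlisted address -> High."""
    p = _params(rec)
    for name in ("forwardingaddress", "forwardingsmtpaddress"):
        if p.get(name):
            addr = _address(p[name])
            if is_external(addr) and addr not in ALLOWED_FORWARDING:
                return Alert("High", "external-mailbox-forwarding",
                             rec["UserId"], rec["ObjectId"], f"{name}={addr}")
    return None


def check_inbox_rule(rec):
    """Rule 2: rule forwards/redirects externally or deletes messages -> Critical."""
    p = _params(rec)
    for name in ("forwardto", "redirectto"):
        for raw in p.get(name, "").split(";"):   # multiple recipients ';'-separated
            addr = _address(raw)
            if addr and is_external(addr):
                return Alert("Critical", "inbox-rule-external-forward",
                             rec["UserId"], rec["ObjectId"], f"{name}={addr}")
    if p.get("deletemessage", "").lower() == "true":
        return Alert("Critical", "inbox-rule-deletes-mail",
                     rec["UserId"], rec["ObjectId"], "DeleteMessage=True")
    return None


def check_consent(rec):
    """Rule 3: high-privilege scope granted to an unverified publisher -> Critical."""
    props = {m["Name"]: str(m.get("NewValue", "")) for m in rec.get("ModifiedProperties", [])}
    scopes = set(props.get("ConsentAction.Permissions", "").replace(",", " ").split())
    risky = scopes & RISKY_SCOPES
    verified = props.get("PublisherVerified", "").lower() == "true"
    if risky and not verified:
        return Alert("Critical", "risky-oauth-consent",
                     rec["UserId"], rec["ObjectId"], "scopes=" + ",".join(sorted(risky)))
    return None


RULES = {"Set-Mailbox": check_set_mailbox,
         "New-InboxRule": check_inbox_rule,
         "Consent to application.": check_consent}


def evaluate(records):
    """Run each record through the rule for its Operation; alerts in input order."""
    alerts = []
    for rec in records:
        check = RULES.get(rec.get("Operation"))
        alert = check(rec) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"Operation": "Set-Mailbox", "UserId": "cfo@contoso.example", "ObjectId": "cfo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail-relay.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example", "ObjectId": "ap@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@partner.example"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@contoso.example", "ObjectId": "jdoe@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "RedirectTo", "Value": "smtp:jdoe.backup@webmail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@contoso.example", "ObjectId": "jdoe@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "smtp:manager@contoso.example"}]},
    {"Operation": "Consent to application.", "UserId": "jdoe@contoso.example", "ObjectId": "MailSync Helper",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "openid Mail.Read offline_access"},
                            {"Name": "PublisherVerified", "NewValue": "False"}]},
    {"Operation": "Consent to application.", "UserId": "jdoe@contoso.example", "ObjectId": "Whiteboard",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "User.Read"},
                            {"Name": "PublisherVerified", "NewValue": "True"}]},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(json.dumps(asdict(alert)))
```

Running it yields three alerts: the CFO forwarding change (High), the redirect-plus-delete inbox rule (Critical) and the Mail.Read consent to an unverified app (Critical); the allowlisted partner forwarding, the internal forward and the User.Read consent produce nothing, which is the allowlist and internal-domain checks doing their job.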
Automated Remediation Actions
Once a risky setting is detected, automation can fix it immediately. Match each detection to the appropriate remediation:
| Detection | Auto-Remediation | Approval |
|---|---|---|
| External forwarding enabled | Remove forwarding address | Auto-approve |
| Suspicious inbox rule | Disable rule + alert user | Auto-approve |
| Risky OAuth app consent | Revoke consent + block app | Notify |
| Unexpected delegate access | Remove permission | Notify |
| Audit logging disabled | Re-enable logging | Auto-approve |
| Anonymous sharing link | Expire link + notify owner | Notify |
| Legacy auth protocol used | Block protocol + force modern auth | Review |
Graph API Remediation Commands
BitLyft AIR executes these remediations via Microsoft Graph API. Here are the key endpoints:
Remove forwarding address:
PATCH /users/{userId}/mailboxSettings
{ "forwardingSmtpAddress": null }
Disable inbox rule:
PATCH /users/{userId}/mailFolders/inbox/messageRules/{ruleId}
{ "isEnabled": false }
Revoke OAuth consent:
DELETE /servicePrincipals/{appId}/oauth2PermissionGrants/{grantId}
Remove delegate permission:
DELETE /users/{userId}/mailboxPermissions/{permissionId}
Automation Workflow
The end-to-end workflow for detecting and fixing risky settings:
Continuous Monitoring
Ingest M365 audit logs in real-time. Monitor for configuration changes across Exchange, SharePoint, Azure AD, and Teams.
Risk Assessment
Evaluate each change against risk criteria. Is the target external? Is the user high-value? Is this a known attack pattern?
Automated Response
Execute remediation via Graph API. Remove forwarding, disable rules, revoke permissions—all within milliseconds of detection.
Notification and Documentation
Alert the SOC, notify the affected user (if appropriate), and log all actions for compliance and audit purposes.
Best Practices
Establish Baselines
Know what normal looks like. Document approved forwarding addresses, authorized apps, and expected sharing policies before enabling automation.
Use Allowlists
Maintain allowlists for legitimate external domains, approved OAuth apps, and authorized delegates to reduce false positives.
Protect VIPs
Apply stricter policies to executives and privileged users. Any configuration change on these accounts should trigger immediate review.
Schedule Drift Checks
Run periodic configuration audits to catch drift that event-based detection might miss. Compare current state against your secure baseline weekly.
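A state-based drift check of the kind described above, as an added example (not BitLyft AIR code): it flattens a nested baseline and a current configuration snapshot to dotted setting paths, reports every changed, removed or newly appeared setting, and ranks findings using the page's risk tiers. Both snapshots and all setting names are constructed for illustration, not the tenant's real setting identifiers.

```python
"""Periodic drift check: diff a current M365 configuration snapshot against the baseline.

Added example, not BitLyft AIR code. Snapshots and setting names are constructed.
"""
import copy
from dataclasses import dataclass

MISSING = "<not set>"
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}
# Risk tier by setting-path prefix, following the page's tiers; default Medium.
SEVERITY_BY_PREFIX = {
    "entra.oauth": "Critical",
    "exchange.audit": "High",
    "exchange.legacy_auth": "High",
    "exchange.transport_rules": "High",
    "sharepoint.sharing": "High",
    "teams": "Medium",
    "entra.guests": "Medium",
}


@dataclass
class Drift:
    setting: str
    expected: object
    actual: object
    severity: str


def flatten(tree, prefix=""):
    """Turn nested setting dicts into {'a.b.c': value} so any depth can be diffed."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def severity_for(setting):
    """Longest-prefix style lookup is unnecessary here: prefixes do not overlap."""
    for prefix, sev in SEVERITY_BY_PREFIX.items():
        if setting == prefix or setting.startswith(prefix + "."):
            return sev
    return "Medium"


def diff_config(baseline, current):
    """Report every setting that differs, was removed, or appeared since the baseline."""
    b, c = flatten(baseline), flatten(current)
    drifts = []
    for key in b.keys() | c.keys():
        expected, actual = b.get(key, MISSING), c.get(key, MISSING)
        if expected != actual:
            drifts.append(Drift(key, expected, actual, severity_for(key)))
    return sorted(drifts, key=lambda d: (SEVERITY_ORDER[d.severity], d.setting))


# Constructed secure baseline (illustrative setting names).
BASELINE = {
    "exchange": {
        "audit": {"unified_audit_log_enabled": True},
        "legacy_auth": {"imap": False, "pop3": False, "smtp_auth": False},
        "transport_rules": {"block-executables": {"enabled": True}},
    },
    "sharepoint": {"sharing": {"capability": "ExternalUserSharingOnly", "anonymous_links": False}},
    "teams": {"external_access": {"open_federation": False}},
    "entra": {"oauth": {"user_consent_allowed": False},
              "guests": {"invite_restricted_to_admins": True}},
}

# Constructed "current state" with a week of drift applied.
CURRENT_SNAPSHOT = copy.deepcopy(BASELINE)
CURRENT_SNAPSHOT["exchange"]["audit"]["unified_audit_log_enabled"] = False
CURRENT_SNAPSHOT["exchange"]["legacy_auth"]["imap"] = True
CURRENT_SNAPSHOT["exchange"]["transport_rules"]["allow-partner"] = {
    "enabled": True, "skip_spam_filtering": True}
CURRENT_SNAPSHOT["teams"]["external_access"]["open_federation"] = True

if __name__ == "__main__":
    for d in diff_config(BASELINE, CURRENT_SNAPSHOT):
        print(f"[{d.severity}] {d.setting}: expected {d.expected!r}, found {d.actual!r}")
```

The new transport rule shows up as two "not set" findings because nothing in the baseline covers it; treating anything absent from the baseline as drift is what catches rules that skip spam filtering or whitelist domains, which an event-based detection that missed the New-TransportRule record would never see.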
Common Mistakes
Automate M365 Security with BitLyft AIR
BitLyft AIR continuously monitors your Microsoft 365 environment for risky configurations and automatically remediates them in milliseconds. Stop configuration drift before it becomes a breach.