Exposure Scans
Maintained by: Aether365 Team
Audience: IT administrators and security teams
Scope: Exposure scan execution and finding categories
Exposure scans analyze your Microsoft 365 tenant for risky or misconfigured settings. Unlike compliance scans, which test against a fixed benchmark checklist, exposure scans evaluate whether specific configurations create meaningful security risk in your environment.
Results are mapped using the OCSF (Open Cybersecurity Schema Framework) format and grouped by M365 service area.
Services Analyzed
Entra ID (Azure Active Directory)
Entra ID checks focus on identity and access risk:
- MFA enforcement gaps - users or groups excluded from MFA
- Conditional access policy coverage - sign-in risk not covered
- Privileged role assignments - permanent assignments instead of PIM
- Guest and external identity access
- Legacy authentication protocol exposure
- Self-service password reset (SSPR) configuration
- Password protection settings
Exchange Online
Exchange checks identify email security risk:
- Mail forwarding rules that exfiltrate data externally
- Client access rules permitting legacy protocols (IMAP, POP3, Basic Auth)
- Anti-phishing and anti-spoofing policy gaps
- DKIM, DMARC, and SPF configuration
- Automatic external forwarding settings
- Safe Attachments and Safe Links policy coverage
SharePoint Online and OneDrive
SharePoint checks analyze data sharing risk:
- External sharing settings (Anyone links, guest access)
- Default sharing link type
- Site-level sharing overrides
- Legacy authentication access
Microsoft Teams
Teams checks cover collaboration and external access:
- External federation settings (who can initiate contact)
- Guest access policies
- Meeting join settings (anonymous join, external participants)
- Meeting recording storage and retention
Microsoft Defender
Defender checks review protection coverage:
- Defender for Office 365 policy status
- Safe Attachments and Safe Links coverage
- Zero-hour Auto Purge (ZAP) settings
- Attack simulation training enablement
Microsoft Intune
Intune checks evaluate device management coverage:
- Device compliance policy enrollment
- Conditional access enforcing compliance
- Encryption requirements on managed devices
- Mobile app management (MAM) policy coverage
Severity Levels
Each finding is assigned one of four severity levels:
| Severity | Description |
|---|---|
| Critical | High-impact misconfiguration, commonly exploited, immediate risk |
| High | Significant exposure, should be addressed promptly |
| Medium | Moderate risk, often mitigated by other controls in place |
| Low | Best practice gap, lower direct risk |
Reading Exposure Results
Exposure scan results in the dashboard show:
- Service - The M365 service area (e.g., Entra ID, Exchange)
- Finding - A plain-language description of the misconfiguration
- Severity - Critical / High / Medium / Low
- Status - Pass / Fail / Manual (manual checks require human verification)
- Remediation - Step-by-step fix instructions
Findings marked Manual cannot be automatically evaluated and require a human to review the referenced settings.
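As an added example (not Aether365 code), the following Python turns the dashboard columns above into two work queues: failed findings to remediate and Manual findings to review, each ordered most severe first. The flat record layout, the sample findings, and the function names are assumptions made for illustration; the numeric values are the standard OCSF `severity_id` enumeration for the four levels this page uses.

```python
from collections import Counter

# Standard OCSF severity_id values for the four severity levels on this page.
OCSF_SEVERITY_ID = {"Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample records built from the dashboard columns described above.
# The flat dict layout is an assumption, not a documented export format.
SAMPLE_FINDINGS = [
    {"service": "Entra ID", "finding": "Users excluded from MFA", "severity": "Critical", "status": "Fail"},
    {"service": "Exchange", "finding": "Automatic external forwarding enabled", "severity": "High", "status": "Fail"},
    {"service": "Teams", "finding": "Anonymous meeting join allowed", "severity": "Medium", "status": "Manual"},
    {"service": "Exchange", "finding": "DMARC record published", "severity": "High", "status": "Pass"},
    {"service": "SharePoint", "finding": "Anyone links enabled", "severity": "High", "status": "Fail"},
    {"service": "Intune", "finding": "Device encryption requirement", "severity": "Low", "status": "Manual"},
]

def triage(findings):
    """Split findings into a remediation queue (Fail) and a review queue (Manual).

    Both queues are ordered most severe first, then by service name.
    Pass results are dropped. An unknown severity or status raises instead
    of being skipped, so a changed value cannot silently hide a finding.
    """
    queues = {"Fail": [], "Manual": []}
    for f in findings:
        if f["severity"] not in OCSF_SEVERITY_ID:
            raise ValueError(f"unknown severity: {f['severity']!r}")
        if f["status"] == "Pass":
            continue
        if f["status"] not in queues:
            raise ValueError(f"unknown status: {f['status']!r}")
        queues[f["status"]].append(f)
    for queue in queues.values():
        queue.sort(key=lambda f: (-OCSF_SEVERITY_ID[f["severity"]], f["service"]))
    return queues["Fail"], queues["Manual"]

def open_by_service(findings):
    """Count findings that still need action (Fail or Manual) per service area."""
    return Counter(f["service"] for f in findings if f["status"] != "Pass")

if __name__ == "__main__":
    fail, manual = triage(SAMPLE_FINDINGS)
    for label, queue in (("REMEDIATE", fail), ("REVIEW", manual)):
        for f in queue:
            print(f"{label:9} {f['severity']:8} {f['service']:10} {f['finding']}")
    print(dict(open_by_service(SAMPLE_FINDINGS)))
```

Keeping Manual findings in their own queue prevents an unverified check from being counted as either a pass or a confirmed failure.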
Scope and Limitations
Exposure scans use read-only access and cannot detect:
- Configuration that requires elevated permissions beyond those granted during consent
- Third-party application settings within M365
- On-premises Active Directory configuration (scans cover cloud services only)
- Historical changes or audit trail analysis (use compliance scans for audit logging checks)