26 KiB
26 KiB
M365 + AD Engagement Checklist
Not a benchmark. Not scored. A structured inspection list for consultants on active engagements.
Last updated: June 2026 Companion to: Field Guide 2026 · Books I–VI Next review: January 2027
How to use this
Work through the relevant sections during the Brownhat Diagnostic or at the start of a module engagement. Each item is a control area — something to inspect and a question to answer honestly. Mark items that surface findings. Mark items that are verified clean. If an item is not applicable, note why.
This is not a scoring tool. "Found" and "clean" are the only states that matter. A clean item with no evidence of testing is the same as not checked.
Notation used below:
[LOOK AT]— inspect and document current state[TEST]— verify by observation, not by reading the config[ASK]— a question that requires a conversation, not just a portal check
Nothing here replaces the governing question from Book I:
If this is owned tonight, what is the largest thing an attacker reaches before hitting a wall — and can I draw that wall?
Section A — Hybrid Identity
A1. Authentication Method
[LOOK AT]Which authentication method is actually in use: PHS, PTA, or Federation (AD FS)?[LOOK AT]Does the method shown in the Entra portal match what is documented and what IT staff believe to be true?[TEST]If on-prem AD is simulated as unavailable (pull the sync server), does cloud authentication survive? Which auth method does this actually prove?[LOOK AT]Is PHS running alongside PTA as a failover? (Optionality — cheap insurance)[LOOK AT]If on PTA: how many PTA agents are deployed, and what host/network tier are they on?
A2. Sync Engine (Entra Connect / Cloud Sync)
[LOOK AT]Which sync engine is running: Entra Connect Sync or Entra Cloud Sync?[LOOK AT]What server hosts the sync engine, and what domain/tier is it joined to?[LOOK AT]What account runs the on-prem connector service, and does it haveReplicate Directory Changes All(DCSync capability)?[LOOK AT]What is the patch / update level of the sync server (OS and sync software)?[LOOK AT]Who has local administrator rights on the sync server?[LOOK AT]What does the Entra connector account (Directory Synchronization Accounts role) have permission to do in the cloud?[TEST]If the connector account is monitored: does an alert fire when it authenticates from an unexpected host?[LOOK AT]Are there active alerts or errors in the sync engine health dashboard?
A3. AD FS
[LOOK AT]Is AD FS deployed and active?[ASK]If yes: why is it still running? What relying party trusts require it, and is there a migration plan?[LOOK AT]When was the token-signing certificate last rotated? Where is the private key stored?[LOOK AT]Is the rollover certificate about to expire?[LOOK AT]Which servers host AD FS, and what network tier and patching cadence do they have?[TEST]Golden SAML tabletop: if the token-signing key were obtained, what would detection see, and how fast could the cert be rotated? Is the procedure written and tested?[ASK]Is there a Entra staged rollout in progress or planned to migrate away from federation?
A4. Privileged Account Sync
[LOOK AT]Are any Domain Admins, Enterprise Admins, or other Tier 0 accounts synced to Entra ID (i.e., present as cloud objects)?[LOOK AT]Are Global Admins or other Entra privileged role holders cloud-only accounts, or synced from on-prem?[LOOK AT]Are admin accounts (on-prem or cloud) using the same device for privileged work as for daily tasks (email, browsing)?
A5. Writebacks
[LOOK AT]Which writebacks are enabled: password writeback, group writeback, device writeback?[ASK]For each: who owns the decision, and is the reverse blast radius (cloud compromise → on-prem impact) documented?[LOOK AT]Is group writeback (v2) enabled? If so, which cloud groups write into AD, and what on-prem resources do they gate?
A6. Seamless SSO
[LOOK AT]Is Seamless SSO enabled?[LOOK AT]When was theAZUREADSSOACCKerberos key last rotated? (Get-ADComputer AZUREADSSOACC -Properties PasswordLastSet)[ASK]Is Seamless SSO actually needed, or can it be removed (Entra-joined devices + modern auth typically do not require it)?
A7. Sync Scope
[LOOK AT]Is sync scoped to specific OUs, or is "sync everything" the default?[LOOK AT]Are there synced objects that serve no cloud purpose (decommissioned systems, service accounts, administrative accounts)?
A8. Breach Optionality
[ASK]Is there a written, accessible runbook for severing the AD↔Entra bridge under breach conditions?[TEST]Is the runbook stored somewhere accessible when both AD and SharePoint are unavailable?[ASK]Has anyone walked through the "kill the sync" procedure, and does the team know what breaks per auth method?[LOOK AT]Does the cloud admin path (break-glass Global Admin) work with zero on-prem dependency?
Section B — Privileged Access
B1. Standing Privilege Inventory
[LOOK AT]How many identities hold standing (permanent, active) privilege: Global Admin, Privileged Role Admin, Domain Admin, Enterprise Admin?[LOOK AT]Are there any standing Global Admin assignments that are not break-glass accounts? (Should be zero)[LOOK AT]How many Domain Admins and Enterprise Admins exist, and are they all justified with named owners?[ASK]When was the privileged account list last reviewed, and by whom?
B2. Admin workstations and management plane
[ASK]What do admins use to reach a domain controller remotely? Is that path independent of the AD it manages, or does it depend on AD for authentication?[LOOK AT]Do admins use the same device for privileged work (DC management, PIM activation) and daily tasks (email, browsing)?[ASK]Is there a dedicated admin workstation — physical PAW or cloud admin VM (Windows 365 / AVD) — that is used only for privileged tasks?[LOOK AT]If a cloud admin VM exists: is it enrolled in Intune with a hardened profile? Is it excluded from email and general browsing? Is it the device scoped in the CA policy restricting privileged role access?[LOOK AT]Is there a management overlay (Nebula, Tailscale, Headscale) providing the admin access path to on-prem Tier 0 systems?[ASK]If a Nebula T0 overlay exists: where is the CA key stored? Who can sign new node certificates? When was the last signing ceremony?[ASK]If a Tailscale T1 overlay exists: is key expiry configured? Does re-authentication require phishing-resistant MFA via Entra?[LOOK AT]For multi-cloud clients without a physical data centre: is the management plane explicitly designed, or is access to cloud management consoles and on-prem servers done ad hoc (VPN, direct RDP, per-cloud bastion, no unified plane)?
B3. PIM / JIT
[LOOK AT]Is Entra PIM deployed and enforced for Entra administrative roles?[LOOK AT]Are Entra roles set to eligible (not active) by default?[LOOK AT]Does PIM activation require phishing-resistant MFA (FIDO2 / certificate), or just push-approve?[LOOK AT]Do crown roles (Privileged Role Administrator, Global Administrator) require approval workflow on PIM activation?[LOOK AT]What is the maximum activation time-box configured? (Should be justified and bounded — 8 hours maximum for a working day)[LOOK AT]Is PIM alert configuration enabled (Roles activated without MFA, Redundant assignments, etc.)?[ASK]For on-prem DA/EA: is there any JIT or time-limited elevation mechanism in place?
B4. Service Accounts (On-Prem)
[LOOK AT]Are there service accounts with SPNs and static passwords older than 12 months? (Kerberoastable)[LOOK AT]Which service accounts are over-permissioned (e.g., Domain Admin, local admin on all servers)?[LOOK AT]Which service accounts have been migrated to gMSA?[LOOK AT]Are there service accounts nobody can identify a current owner for?[TEST]Run a Kerberoast simulation: do ticket requests for service account SPNs generate any detection?
B5. Service Principals & App Registrations (Cloud)
[LOOK AT]Which app registrations hold escalation-grade Graph permissions (application permissions):RoleManagement.ReadWrite.Directory,AppRoleAssignment.ReadWrite.All,Application.ReadWrite.All,Directory.ReadWrite.All?[LOOK AT]Which app registrations have non-expiring client secrets?[LOOK AT]Are there orphaned app registrations with no current owner?[LOOK AT]Which apps have tenant-wide admin consent, and is each justified and reviewed?[LOOK AT]Which Azure workloads use client secrets instead of managed identities where managed identities are available?
B6. Tier Model / Clean Source
[LOOK AT]Do Domain Admins / Enterprise Admins authenticate from standard workstations used for email and browsing?[LOOK AT]Is ADCS (Active Directory Certificate Services) deployed? If so, is it on a Tier 0 or hardened host, or on a standard server?[LOOK AT]Are there shared administrative jump boxes that cross tier boundaries (used for both Tier 0 and Tier 1 work)?[LOOK AT]Do cloud admins use the same device for privileged Entra work as for daily activity?
B7. Escalation Paths
[LOOK AT]Are there accounts withGenericAll,WriteDACL, orWriteOwneron high-value AD objects (domain root, DCs, admin groups) that are not themselves Tier 0?[LOOK AT]Are there computers with unconstrained delegation enabled (excluding DCs)?[LOOK AT]When was KRBTGT last rotated? (Get-ADUser krbtgt -Properties PasswordLastSet)[LOOK AT]Is LAPS (Windows LAPS preferred) deployed across all workstations and servers? What is the coverage percentage?[TEST]Run BloodHound (or equivalent) and count attack paths to Domain Admin. Note the number as a baseline. Is it going up or down over time?
B8. Break-Glass
[LOOK AT]Do cloud-only break-glass Global Admin accounts exist?[LOOK AT]Is phishing-resistant authentication (FIDO2 or certificate) configured on break-glass accounts?[LOOK AT]Are break-glass accounts excluded from the CA policies that would otherwise enforce device compliance or block sign-in?[LOOK AT]Does any use of the break-glass account trigger an immediate, monitored alert?[TEST]Sign in to the break-glass account in a controlled drill. Does it work? Does the alert fire? Does someone respond?[ASK]Where are the break-glass credentials stored, and can they be retrieved without the systems they recover?
B9. Phishing-Resistant MFA for Admins
[LOOK AT]What MFA method is enforced for Global Admins: FIDO2, certificate-based auth, or push/SMS?[LOOK AT]Push-approve and SMS are not acceptable for administrative accounts. If they are in use, that is a P0.[LOOK AT]Is there a CA policy restricting privileged role activation to compliant/managed devices or named PAWs?
Section C — Devices & Endpoint
C1. Fleet Reality
[LOOK AT]Reconcile: Intune enrolled devices vs. Entra registered devices vs. sign-in log device population. What is the gap?[LOOK AT]How many sign-in events in the last 30 days came from non-compliant or unmanaged devices (device compliance state = unknown or non-compliant in sign-in logs)?[LOOK AT]Are there legacy-protocol sign-ins (Basic Auth) that bypass Conditional Access entirely? (Sign-in logs, filter Client App = "Exchange ActiveSync," "Other clients")[LOOK AT]How many BYOD / personal devices are accessing corporate data through the web client or OWA (known-unmanaged population)?
C2. Join State and Management Mode
[LOOK AT]Are devices Entra-joined, hybrid Entra-joined, or Entra-registered (BYOD)?[LOOK AT]Is hybrid Entra join still in use? If so, which on-prem dependencies actually require it?[LOOK AT]Is there a roadmap to go cloud-native (Entra join + Intune) for devices currently on hybrid join?[LOOK AT]Are there GPO and Intune co-management conflicts producing inconsistent configuration?
C3. Conditional Access Enforcement
[TEST]For every CA policy that enforces device compliance or blocks legacy auth: run real sign-ins with expected outcomes written down beforehand. Does the observed result match?[TEST]If a policy looks correct but does not enforce: recreate from scratch, re-test. Document ghost policy findings.[LOOK AT]Is there a CA policy blocking legacy authentication protocols across all apps? (This is the single highest-leverage CA policy — if not in place, that is P0)[LOOK AT]Is there a CA policy requiring MFA for all admin role activations?[LOOK AT]Is there a CA policy requiring compliant or managed device for access to sensitive workloads?[LOOK AT]Are break-glass accounts and emergency service accounts correctly excluded from blocking CA policies?[TEST]Lock yourself out in report-only mode (simulate a compliance failure on an admin account). Confirm break-glass bypasses the policy. Confirm a legitimate admin gets the expected failure and knows the escalation path.
C4. Compliance Signal Quality
[LOOK AT]What is the compliance check-in cadence? (The window where a fallen-out device still holds a "compliant" token)[LOOK AT]Is Continuous Access Evaluation (CAE) enabled for workloads that support it? (Narrows the stale-token window)[ASK]Is root/jailbreak detection in compliance policy, and how is it treated — as a hard block or a risk signal? Is it believed to be a wall or a tripwire?[TEST]Spoof compliance on a test device (root a test device). How long until the signal flips? Does CA revoke access?
C5. Endpoint Privilege
[LOOK AT]Do standard users have standing local admin on their endpoints?[LOOK AT]Is Endpoint Privilege Management (EPM) deployed, or is there a JIT elevation mechanism for tasks requiring admin rights?[LOOK AT]Is Windows LAPS deployed across the fleet? Is legacy LAPS still in use (to be migrated)?[LOOK AT]Are there shared local admin accounts with common passwords across multiple machines?
C6. Update and Patch Velocity
[LOOK AT]Is Windows Autopatch in use (for update ring management)?[LOOK AT]Are Intune update rings configured with pilot, broad, and deferral stages?[ASK]Is there a named person with the authority and procedure to halt a broad update ring push? Has this been tested?[LOOK AT]What is the current patch lag for the fleet (how many devices are 30+ days behind on OS updates)?
C7. MAM / App Protection (BYOD)
[TEST]On iOS: attempt copy/paste from managed Outlook/Teams to an unmanaged app. Does it block?[TEST]On Android: same test, separately — behavior is not symmetric with iOS.[TEST]Attempt to "Open in" from a managed attachment to an unmanaged app on each platform.[TEST]Attempt to save to local storage or sync to a personal cloud (iCloud, Google Drive).[LOOK AT]Are managed browsers enforced for SharePoint/OWA access on BYOD, or can users access via any browser?
C8. Autopilot and Enrollment Trust
[LOOK AT]Is the Autopilot device list audited? Are there stale or unknown device registrations?[LOOK AT]Are enrollment restrictions in place to prevent unauthorized device enrollment?[TEST]Time a wipe-and-reprovision on a corporate device via Autopilot. Is the "replaceable in an hour" claim accurate?[LOOK AT]Is the PRT (Primary Refresh Token) TPM-bound on Windows devices?
Section D — Data & Collaboration
D1. Sharing Posture
[LOOK AT]What is the tenant-level external sharing setting in SharePoint Admin Center?[LOOK AT]Are "Anyone with the link" anonymous shares enabled at the tenant level?[TEST]Enumerate existing anonymous links across the tenant. Can you produce the list? How large is it?[LOOK AT]Are per-site sharing settings more permissive than the tenant default? (Sites can override upward)[LOOK AT]Are sharing expiration policies configured for anonymous and external links?[TEST]Share a document to a test external guest and attempt to reshare onward. Can you track the second-hop share?
D2. Guest Access
[LOOK AT]How many active guests exist in the tenant?[LOOK AT]How many guests have not signed in for 90+ days?[LOOK AT]Are access reviews configured for guest accounts? What is the review cadence and the default action on non-response?[LOOK AT]Do guests have broader access than the project they were invited for (i.e., access to Teams/channels beyond their original scope)?[LOOK AT]Are external identities governed by specific B2B collaboration settings, or is the default (all external domains) allowed?
D3. Email Security
[TEST]Enumerate external auto-forwarding rules at the transport level (Get-TransportRule). Are there any active rules forwarding externally without a documented business owner?[TEST]Enumerate Inbox rules on executive / privileged user mailboxes forwarding externally. (Get-InboxRule)[LOOK AT]Is the global "allow automatic forwarding" setting disabled in Remote Domains for the Default domain?[LOOK AT]Are anti-phishing policies configured? Is impersonation protection enabled for executives and key domains?[LOOK AT]Is DKIM signing enabled for all sending domains?[LOOK AT]Is DMARC configured (policyrejectorquarantine), and is the SPF record current?
D4. Crown Jewels
[ASK]Can the client name the five data sets that, if exfiltrated, would cause the most damage?[LOOK AT]Where do the crown jewels live (SharePoint sites, mailboxes, OneDrive, Teams channels)?[LOOK AT]Who has access to the crown-jewel locations? Is access reviewed periodically?[LOOK AT]Are the crown-jewel locations labeled with sensitivity labels that carry encryption?[LOOK AT]Are audit logs turned on and retained long enough to reconstruct access to crown-jewel locations?
D5. Sensitivity Labels and DLP
[LOOK AT]Are sensitivity labels deployed in the tenant? What is the coverage across the most-used content types (email, files)?[LOOK AT]Are labels configured with encryption for the highest sensitivity tiers?[LOOK AT]Is auto-labeling deployed for known crown-jewel content types (if licensed for M365 E5 Compliance)?[LOOK AT]Is DLP deployed? Is it scoped to specific known-value patterns (regulated data, PII, crown-jewel keywords) or applied as a broad dragnet generating noise?[TEST]Exfiltrate a labeled test document via email to an external address. Does DLP fire? Does the label encryption hold on the received document?
D6. Collaboration Sprawl
[LOOK AT]Is there ungoverned self-service creation of Teams and SharePoint sites?[LOOK AT]Are there orphaned or inactive Teams/sites that still hold data and have no active owner?[LOOK AT]Are there Teams channels or SharePoint sites with "Everyone" or broad internal membership grants on sensitive data?[LOOK AT]Is late-joiners' access to Team history governed (a user joining a Team today can read all prior messages by default)?
D7. OAuth App Consent
[LOOK AT]Is user consent for OAuth apps restricted (users cannot consent to app permission requests without admin approval)?[LOOK AT]Are there existing grants for apps holdingMail.Read,Files.ReadWrite.All, or equivalent sensitive scopes by non-first-party apps?[LOOK AT]Is Microsoft's app governance module (Purview) enabled? Are risky app alerts configured?
D8. Audit Logging
[LOOK AT]Is Unified Audit Logging enabled (confirm in Purview Compliance Center > Audit)?[LOOK AT]What is the audit retention period, given the client's licensing?[TEST]Run a sample audit query on a known recent activity and verify log entries are present. Do not assume the log is on without testing it.[LOOK AT]Are admin operations (role assignment changes, app consent, CA policy changes) captured in the audit log?
Section E — Recovery & Detection
E1. Backup and Recovery
[ASK]What is the recovery path if a Global Admin deletes all Exchange Online mailboxes and SharePoint sites? Be specific about process, tool, and time estimate.[LOOK AT]Is there a third-party M365 backup solution covering Exchange, SharePoint, OneDrive, and Teams?[LOOK AT]Are M365 backups isolated from the estate they protect (immutable, separate authentication domain)?[TEST]When was the last successful restore from backup, and how long did it take? Restore a test mailbox or a file share and time it. This is the MTTR.[LOOK AT]Are on-prem AD backups (System State) taken regularly, stored offline, and verified?[TEST]Can the current backup restore an AD domain if all DCs are destroyed? Has anyone run the forest recovery procedure, even in a lab?
E2. Configuration-as-Code (Known-Good Baseline)
[LOOK AT]Have CA policies been exported to code/JSON (e.g., using CAExporter)?[LOOK AT]Has the Entra role assignment state been captured as a document?[LOOK AT]Has the Intune baseline configuration been exported?[LOOK AT]Is there a diff between the opening state and current state for any changes made during the engagement?[ASK]If the tenant CA policies were silently modified by an attacker, would anyone know? Is there drift detection against the known-good?
E3. Recovery Path Independence
[LOOK AT]Does any part of the recovery runbook depend on the system it recovers (e.g., runbook stored in SharePoint, backup auth via the compromised AD)?[LOOK AT]Are recovery credentials (break-glass, backup admin accounts) accessible independently of the estate?[LOOK AT]Is the AD forest recovery runbook stored offline or in a location that survives domain destruction?[ASK]If both AD and M365 were simultaneously unavailable, what is the recovery sequencing? Is that decision documented?
E4. Detection: Signal Quality
[LOOK AT]Break-glass account use: is there an alert? Is it monitored by a named person?[LOOK AT]New Global Admin assignment: does an alert fire?[LOOK AT]DCSync from a non-DC host: is this detected (Defender for Identity or SIEM rule)?[LOOK AT]Impossible-travel sign-in for admin accounts: is Entra ID Protection user risk policy configured and alerting?[LOOK AT]External auto-forward rule creation: is this generating an alert?[LOOK AT]Mass download from SharePoint/OneDrive: is there a Defender for Cloud Apps or Purview policy detecting it?[LOOK AT]New OAuth consent grant to sensitive scopes: is this alerting?[LOOK AT]PIM activation outside business hours: is this logged and reviewed?[TEST]For each configured detection: simulate the event (in a controlled, authorized test context) and confirm the alert fires, is received by a named person, and generates a response within the expected SLA.
E5. Detection: Noise and Action
[ASK]How many alerts does the monitoring system generate per day? How many are triaged vs. suppressed vs. missed?[ASK]For the last three security incidents or notable alerts: what structural change resulted? If the answer is "we sent an awareness email" or "we noted it," the feedback loop is broken.[LOOK AT]Is there a named owner for each alert category? An alert without a named owner is an unread alert.[ASK]Is there a blameless post-incident process? Do people surface incidents, or do they bury them to avoid blame?
E6. Game-Days and Drills
[ASK]When was the last deliberate test of recovery or detection (a drill, tabletop, or game-day)?[TEST]Break-glass drill: sign in, confirm it works, confirm the alert fires. Document the test and the result.[TEST]CA policy enforcement drill: force a non-compliant state on a test user. Confirm the expected outcome and that break-glass bypasses the gate.[ASK]Has the client ever run a ransomware tabletop that assumes Tier 0 is owned? What did they find?
Section F — Quick-Win Inventory
Use this section to capture findings that can be addressed in the same session or within the engagement without additional scoping.
Each of the following, if found to be the case, is a fix that typically takes under an hour and has immediate blast-radius reduction. Do not leave these open for the next engagement.
| Control | Condition that makes it a quick win |
|---|---|
| Tenant-level anonymous sharing | "Anyone" links enabled at tenant level — one toggle |
| External auto-forwarding | Global block not set — one Exchange setting |
| Legacy auth CA policy | No policy blocking legacy auth — deploy baseline CA policy |
| Break-glass alert | Break-glass use not alerting — configure alert rule |
| Global admins audit | Standing synced GAs — identify and initiate migration |
| KRBTGT age | Password not set in 365+ days — document and schedule rotation |
| Stale admin accounts | Disabled or unchecked admin accounts — disable and document |
| Audit log | Not enabled — turn on (one click in Purview) |
| PIM not deployed | P2 licensed but PIM off — scope activation as P1 |
| No CA blocking admin sign-in from personal devices | Missing policy — create report-only immediately, test and enable |
Engagement Close — Structural Change Verification
At the close of each engagement or module, confirm:
- Which items above were found to be fragile?
- For each: what structural change was made (not documented, not accepted, but changed)?
- Which items were tested by observation (not just inspected)?
- Which items are open and in the risk register with a named owner and a timeline?
- Has the configuration-as-code baseline been exported and stored?
- Has the break-glass been tested?
- Is there a named date for the next review of this checklist?
The work is not complete when the list is walked. It is complete when fragility found has become structure changed.
Engagement Checklist. Updated June 2026. Review and update alongside the Field Guide — January 2027.