M365 Posture Monitoring
M365 Posture monitors connected Microsoft 365 tenants for suspicious events and policy violations. It surfaces the top 10 categories of M365 security events that signal account compromise, insider threat, or misconfiguration.
M365 Posture is included in the User Protection package at $3/managed user/month.
Connecting an M365 Tenant
Navigate to SecOps → SaaS Posture → Connected Tenants and click + Connect M365 Tenant.
This initiates the Microsoft OAuth consent flow. You will be redirected to Microsoft to grant the following Microsoft Graph API permissions:
- AuditLog.Read.All — Read audit log data
- Directory.Read.All — Read user and group data
- Policy.Read.All — Read conditional access and security policies
- SecurityEvents.Read.All — Read security event data
After consent, the connection is established and scanning begins on the next scheduled run.
Connection Status
| Status | Description |
|---|---|
| Active | Connected and scanning successfully |
| Error | Last scan failed — check the error message |
| Expired | OAuth token has expired; reconnect required |
| Pending | Connection in progress |
Use the Test button to verify a connection without waiting for the next scheduled scan.
Monitored Event Types
The posture scanner checks for 10 event categories across connected tenants:
| Event Type | Severity | What It Detects |
|---|---|---|
| Suspicious Sign-in | High/Critical | Logins from unexpected locations, impossible travel, or anomalous behavior |
| OAuth App Consent | High | New OAuth application granted consent to tenant data |
| Email Forwarding | High | New external email forwarding rule created |
| Admin Role Change | High | Privileged role (Global Admin, etc.) assigned or removed |
| MFA Failure Spike | High | Unusual volume of MFA failures — possible MFA fatigue attack |
| Bulk Download | Medium | User downloaded an unusually large volume of files |
| Sharing Policy Change | Medium | External sharing settings modified |
| New Admin Added | High | New administrator account created |
| Suspicious Inbox Rule | Critical | Inbox rule that deletes messages or forwards to external address |
| Guest User Added | Medium | New guest/external user invited to the tenant |
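The Suspicious Inbox Rule check in the table above, as an added Python example (not the product's own scanner code): it walks Microsoft Graph messageRule objects, the shape returned by GET /users/{id}/mailFolders/inbox/messageRules, and flags rules that delete messages or forward, redirect, or forward-as-attachment to an address outside the tenant. The sample rules, the tenant domain set, and the decision to skip disabled rules are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample in the Graph messageRule shape, trimmed to the fields used here.
SAMPLE_RULES = [
    {"displayName": "Archive newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "AAMkAD-placeholder", "markAsRead": True}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Invoices", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "mailbox@external-example.net"}}]}},
    {"displayName": "CC finance", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "finance@contoso.com"}}]}},
]

# Assumption: the tenant's verified domains; anything else counts as external.
TENANT_DOMAINS = {"contoso.com"}

# Graph actions that send a copy (or the message itself) to another recipient.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


@dataclass
class Finding:
    rule_name: str
    severity: str = "Critical"          # severity the page assigns to this category
    reasons: list = field(default_factory=list)


def external_recipients(actions, tenant_domains):
    """Return recipient addresses outside the tenant across the forwarding actions."""
    external = []
    for key in FORWARDING_ACTIONS:
        for recipient in actions.get(key) or []:
            address = recipient.get("emailAddress", {}).get("address", "").lower()
            domain = address.rsplit("@", 1)[-1] if "@" in address else ""
            if domain not in tenant_domains:
                external.append(address)
    return external


def evaluate_inbox_rules(rules, tenant_domains):
    """Flag enabled rules that delete mail or forward it to an external address."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):   # assumption: disabled rules are skipped
            continue
        actions = rule.get("actions", {})
        reasons = []
        if actions.get("delete"):
            reasons.append("deletes messages")
        ext = external_recipients(actions, tenant_domains)
        if ext:
            reasons.append("forwards to external: " + ", ".join(ext))
        if reasons:
            findings.append(Finding(rule.get("displayName", ""), reasons=reasons))
    return findings
```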
Events Tab
The Events tab lists all posture events with filters for status, severity, and event type.
Event Actions
| Action | Description |
|---|---|
| Investigate | Moves status from New to Investigating — assign to an analyst |
| Resolve | Closes the event as remediated |
| FP (False Positive) | Marks the event as a false positive |
Expand any event to see the connection ID, status history, resolution timestamp, and resolution notes.
User Risk Tab
The User Risk tab aggregates events by user to identify the highest-risk individuals across connected tenants. Users are ranked by a composite risk score based on event count and highest severity.
| Column | Description |
|---|---|
| User | Display name and UPN |
| Events | Total posture events for this user |
| Risk Score | Composite score; higher = more events/higher severity |
| Highest Severity | The worst single event severity for this user |
Summary Metrics
| Metric | Description |
|---|---|
| New Events | Unreviewed posture events across all tenants |
| Critical | Events rated Critical |
| High | Events rated High |
| Connected Tenants | Number of active M365 connections |
Scanning Schedule
The posture scanner runs automatically on a schedule defined by the posture-scanner background function. The last scan timestamp is visible in the Connected Tenants tab.