2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update M365 Admin Center service metadata to new format [(#9680)](https://github.com/prowler-cloud/prowler/pull/9680)


---

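Review bot: the added changelog line "Update M365 Admin Center service metadata to new format [(#9680)]" undersells what this PR does; beyond reformatting, it changes severities (admincenter_external_calendar_sharing_disabled medium to high, admincenter_organization_customer_lockbox_enabled high to medium, admincenter_settings_password_never_expire medium to low, admincenter_users_admins_reduced_license_footprint medium to high), rewrites check titles and swaps the `e3`/`e5` categories for `identity-access`, `internet-exposed` and `trust-boundaries`. Severity and category changes alter scoring, filtering and alerting for anyone consuming findings, so list them explicitly in the entry (or as a separate entry) rather than folding them under "metadata to new format".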
@@ -1,30 +1,38 @@
{
"Provider": "m365",
"CheckID": "admincenter_external_calendar_sharing_disabled",
"CheckTitle": "Ensure external sharing of calendars is disabled",
"CheckTitle": "External calendar sharing is disabled at the organization level",
"CheckType": [],
"ServiceName": "admincenter",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Sharing Policy",
"Description": "Restrict the ability for users to share their calendars externally in Microsoft 365. This prevents users from sending calendar sharing links to external recipients, reducing information exposure.",
"Risk": "Allowing calendar sharing outside the organization can help attackers build knowledge of personnel availability, relationships, and activity patterns, aiding social engineering or targeted attacks.",
"RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/share-calendars-with-external-users?view=o365-worldwide",
"Severity": "high",
"ResourceType": "",
"Description": "**Microsoft 365 calendar sharing** is evaluated at the organization level to determine if sharing with external recipients is disabled, including blocking anonymous access and links sent outside the tenant.",
"Risk": "Allowing **external calendar sharing** exposes meeting metadata (subjects, locations, attendees, patterns), weakening confidentiality. Adversaries can profile staff, craft convincing spear-phish or fake invites, time fraud attempts, and stage meeting hijacks, increasing **BEC** and social engineering success.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.infrassist.com/script-hub/disable-calendar-sharing-with-external-users/",
"https://admin.microsoft.com.",
"https://learn.microsoft.com/en-us/microsoft-365/admin/manage/share-calendars-with-external-users?view=o365-worldwide",
"https://m365scripts.com/microsoft365/how-to-stop-users-from-sharing-their-own-calendars/",
"https://learn.microsoft.com/en-my/answers/questions/1165808/external-calendar-sharing-for-single-user-in-exo"
],
"Remediation": {
"Code": {
"CLI": "Set-SharingPolicy -Identity \"Default Sharing Policy\" -Enabled $False",
"CLI": "Set-SharingPolicy -Identity \"Default Sharing Policy\" -Enabled $false",
"NativeIaC": "",
"Other": "1. Navigate to https://admin.microsoft.com. 2. Click Settings > Org settings. 3. Select Calendar in the Services section. 4. Uncheck 'Let your users share their calendars with people outside of your organization who have Office 365 or Exchange'. 5. Click Save.",
"Other": "1. Go to https://admin.microsoft.com and sign in\n2. Navigate to Settings > Org settings > Services > Calendar\n3. Under External sharing, uncheck \"Let your users share their calendars with people outside of your organization who have Microsoft 365 or Exchange\"\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Disable external calendar sharing by setting the Default Sharing Policy to disabled.",
"Url": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/share-calendars-with-external-users?view=o365-worldwide"
"Text": "Apply **least privilege**: disable **external calendar sharing** tenant-wide. If business-needed, allow only approved domains, require authenticated recipients (no anonymous), and limit details to `Free/Busy (time only)`. Review sharing policies regularly under **zero trust** and **defense in depth**.",
"Url": "https://hub.prowler.com/check/admincenter_external_calendar_sharing_disabled"
}
},
"Categories": [
"e5"
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
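Review bot: `"https://admin.microsoft.com."` in AdditionalURLs has the sentence period inside the string, so it is not a valid URL and renders as a broken link; it should be `"https://admin.microsoft.com"` (the same malformed entry appears in the other four metadata files in this PR). Secondary: the new Recommendation text offers a scoped alternative (approved domains only, authenticated recipients, `Free/Busy (time only)`), but the CLI remediation `Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $false` disables the policy outright; if a scoped policy is meant to pass the check, say so in Description, otherwise note that it will still be reported as a failure. Also consider dropping the third-party blog links (infrassist, m365scripts) in favour of the Microsoft Learn page already listed.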
@@ -1,30 +1,35 @@
{
"Provider": "m365",
"CheckID": "admincenter_groups_not_public_visibility",
"CheckTitle": "Ensure that only organizationally managed/approved public groups exist",
"CheckTitle": "Microsoft 365 group has Private visibility",
"CheckType": [],
"ServiceName": "admincenter",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Active teams & groups",
"Description": "Ensure that only organizationally managed and approved public groups exist to prevent unauthorized access to sensitive group resources like SharePoint, Teams, or other shared assets.",
"Risk": "Unmanaged public groups can allow unauthorized access to organizational resources, posing a risk of data leakage or misuse through easily guessable SharePoint URLs or self-adding to groups via the Azure portal.",
"RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-groups?view=o365-worldwide",
"ResourceType": "",
"Description": "**Microsoft 365 groups** are assessed for their visibility setting.\n\nThe finding highlights groups configured as `Public`; groups set to `Private` align with the intended privacy posture.",
"Risk": "**Public visibility** lets any authenticated tenant user discover and self-join, accessing group files, conversations, SharePoint sites, and calendars.\n\nThis weakens **confidentiality** and can enable unauthorized changes that affect **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://admin.microsoft.com.",
"https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-groups?view=o365-worldwide",
"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-365-groups-governance"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "Set-UnifiedGroup -Identity <GROUP_NAME_OR_ID> -AccessType Private",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft 365 admin center https://admin.microsoft.com. 2. Click to expand Teams & groups select Active teams & groups. 3. On the Active teams and groups page, select the group's name that is public. 4. On the popup groups name page, select Settings. 5. Under Privacy, select Private.",
"Terraform": ""
"Other": "1. Sign in to https://admin.microsoft.com\n2. Go to Teams & groups > Active teams & groups\n3. Select the group with visibility Public\n4. Open Settings\n5. Under Privacy, select Private\n6. Click Save",
"Terraform": "```hcl\nresource \"azuread_group\" \"<example_resource_name>\" {\n display_name = \"<example_resource_name>\"\n mail_enabled = true\n security_enabled = false\n types = [\"Unified\"]\n visibility = \"Private\" # Critical: sets the group visibility to Private to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Review and adjust the privacy settings of Microsoft 365 Groups to ensure only organizationally managed and approved public groups exist.",
"Url": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-365-groups-governance"
"Text": "Set groups to `Private` by default and allow `Public` only for clearly non-sensitive communities.\n\nApply **least privilege**: restrict who can create or change visibility, require owner approval for membership, review access regularly, and use **sensitivity labels** to reinforce classification.",
"Url": "https://hub.prowler.com/check/admincenter_groups_not_public_visibility"
}
},
"Categories": [
"e3"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
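Review bot: the old title allowed "organizationally managed/approved public groups" while the new title "Microsoft 365 group has Private visibility" turns every Public group into a finding; if that is intended, Description should tell users that approved public groups are expected to be handled through the mutelist rather than implying Private is always required. In the Terraform example the resource label and `display_name` reuse a single placeholder `<example_resource_name>`; use distinct placeholders (resource label vs. display name) so users do not copy one into the other. The CLI `Set-UnifiedGroup -Identity <GROUP_NAME_OR_ID> -AccessType Private` and `visibility = "Private"` agree with the title. And `"https://admin.microsoft.com."` again carries the trailing period inside the URL string.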
@@ -1,29 +1,40 @@
{
"Provider": "m365",
"CheckID": "admincenter_organization_customer_lockbox_enabled",
"CheckTitle": "Ensure that customer lockbox is enabled for the organization",
"CheckTitle": "Customer Lockbox is enabled at the organization level",
"CheckType": [],
"ServiceName": "admincenter",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Exchange Organization Configuration",
"Description": "Customer Lockbox ensures that Microsoft support engineers cannot access content in your tenant to perform a service operation without explicit approval. This feature provides an additional layer of control and transparency over data access requests.",
"Risk": "If Customer Lockbox is not enabled, Microsoft support personnel can access your organization's data for troubleshooting without explicit approval, potentially increasing the risk of unauthorized access or data exfiltration.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview",
"Severity": "medium",
"ResourceType": "",
"Description": "**Microsoft 365 organization** setting indicates whether **Customer Lockbox** is enabled to require explicit approval for Microsoft support access to customer content",
"Risk": "Without **Customer Lockbox**, Microsoft engineers may access tenant content during support without your approval, undermining **confidentiality** and **accountability**. This increases risks of targeted data exposure, insider misuse, and weakens auditability of access during troubleshooting.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://blog.ciaops.com/2016/08/31/enable-customer-lockbox-from-classic-office-365-admin-portal/",
"https://www.gitbit.org/course/ms-500/learn/locking-down-your-microsoft-365-tenant-from-microsoft-engineers-fldnualgc",
"https://microsoft365junction.com/2024/01/08/power-platform-implementing-security-customer-loxbox-how-to-enable-customer-lockbox-policy/",
"https://learn.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview",
"https://learn.microsoft.com/en-us/microsoft-365/compliance/customer-lockbox-requests?redirectSourcePath=%2flv-lv%2farticle%2fOffice-365-klientu-lockbox-piepras%25C4%25ABjumu-36f9cdd1-e64c-421b-a7e4-4a54d16440a2&view=o365-worldwide",
"https://petri.com/windows-365-customer-lockbox/",
"https://admin.microsoft.com.",
"https://learnthecontent.com/exam/microsoft-365/ms-700-managing-microsoft-teams/s/enable-customer-lockbox-for-data-security"
],
"Remediation": {
"Code": {
"CLI": "Set-OrganizationConfig -CustomerLockBoxEnabled $true",
"CLI": "Set-OrganizationConfig -CustomerLockboxEnabled $true",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft 365 admin center https://admin.microsoft.com. 2. Click Settings > Org settings. 3. Select the Security & privacy tab. 4. Click Customer lockbox. 5. Check the box 'Require approval for all data access requests'. 6. Click Save.",
"Other": "1. Go to https://admin.microsoft.com and sign in\n2. Navigate to Settings > Org settings\n3. Select Security & privacy\n4. Click Customer Lockbox\n5. Check \"Require approval for all data access requests\"\n6. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable the Customer Lockbox feature to ensure explicit approval is required before Microsoft engineers can access your data during support operations.",
"Url": "https://learn.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview"
"Text": "Enable **Customer Lockbox** to enforce tenant approval for data access (`Require approval for all data access requests`).\n- Limit approvers per **least privilege**\n- Establish an on-call review workflow\n- Audit requests and engineer actions\n- Layer with **defense in depth** (MFA, RBAC, logging) to strengthen control",
"Url": "https://hub.prowler.com/check/admincenter_organization_customer_lockbox_enabled"
}
},
"Categories": [
"identity-access",
"e5"
],
"DependsOn": [],
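Review bot: the new Description string ends without a terminating period ("...Microsoft support access to customer content"), unlike every other Description in this PR. The CLI change from `-CustomerLockBoxEnabled` to `-CustomerLockboxEnabled` is a no-op because PowerShell parameter names are case-insensitive, and the Exchange Online documentation spells the parameter `CustomerLockBoxEnabled`, so keeping the original spelling avoids churn. In AdditionalURLs, `"https://admin.microsoft.com."` has the trailing period inside the string, the learn.microsoft.com link carries a `redirectSourcePath=...lv-lv...` query string that should be trimmed to the canonical URL, and the 2016 "classic Office 365 admin portal" post plus the exam-prep pages (gitbit, learnthecontent) describe a UI that no longer exists and add little over the two Microsoft Learn pages. The severity drop from high to medium deserves a sentence of justification in the PR description.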
@@ -1,30 +1,35 @@
{
"Provider": "m365",
"CheckID": "admincenter_settings_password_never_expire",
"CheckTitle": "Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'",
"CheckTitle": "Tenant password policy is set to never expire",
"CheckType": [],
"ServiceName": "admincenter",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Security & privacy settings",
"Description": "This control ensures that the password expiration policy is set to 'Set passwords to never expire (recommended)'. This aligns with modern recommendations to enhance security by avoiding arbitrary password changes and focusing on supplementary controls like MFA.",
"Risk": "Arbitrary password expiration policies can lead to weaker passwords due to frequent changes. Users may adopt insecure habits such as using simple, memorable passwords.",
"RelatedUrl": "https://www.cisecurity.org/insights/white-papers/cis-password-policy-guide",
"Severity": "low",
"ResourceType": "",
"Description": "**Microsoft 365 tenant password policy** is configured so user passwords **do not expire** (`never expire`), meaning no time-based rotation is enforced across accounts.",
"Risk": "Forced password expiration degrades security: users adopt predictable patterns and reuse credentials, reducing **confidentiality** and **integrity**. It boosts success of **password spraying** and **credential stuffing**, encourages insecure storage and helpdesk resets, and can disrupt service accounts, impacting **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.cisecurity.org/insights/white-papers/cis-password-policy-guide",
"https://admin.microsoft.com.",
"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide"
],
"Remediation": {
"Code": {
"CLI": "Set-MsolUser -UserPrincipalName <user> -PasswordNeverExpires $true",
"CLI": "Set-MsolPasswordPolicy -DomainName <DOMAIN_NAME> -ValidityPeriod 2147483647",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft 365 admin center https://admin.microsoft.com. 2. Click to expand Settings select Org Settings. 3. Click on Security & privacy. 4. Check the Set passwords to never expire (recommended) box. 5. Click Save.",
"Other": "1. Sign in to the Microsoft 365 admin center: https://admin.microsoft.com\n2. Go to Settings > Org settings > Security & privacy\n3. Open Password expiration policy and check Set passwords to never expire\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable the 'Never Expire Passwords' option in Microsoft 365 Admin Center.",
"Url": "https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide"
"Text": "Set passwords to `never expire` and enforce layered controls: **MFA** with risk-based challenges, banned-password checks, and strong length. Apply **least privilege** and monitor sign-ins. Rotate credentials only after compromise or risk, and favor managed non-human identities for automation instead of time-based password cycling.",
"Url": "https://hub.prowler.com/check/admincenter_settings_password_never_expire"
}
},
"Categories": [
"e3"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
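Review bot: the replacement CLI `Set-MsolPasswordPolicy -DomainName <DOMAIN_NAME> -ValidityPeriod 2147483647` depends on the MSOnline module, which Microsoft has deprecated, while the license-footprint check in this same PR already uses Microsoft Graph cmdlets (`Set-MgUserLicense`); for consistency use the Graph equivalent, `Update-MgDomain -DomainId <DOMAIN_NAME> -PasswordValidityPeriodInDays 2147483647`, or at least flag MSOnline as deprecated. Moving from the per-user `Set-MsolUser -PasswordNeverExpires $true` to a domain-level policy is the right scope for a check titled "Tenant password policy", but since the policy is per domain the text should say to run it for each verified domain in the tenant. `"https://admin.microsoft.com."` has the trailing period inside the URL string here as well.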
@@ -1,30 +1,35 @@
{
"Provider": "m365",
"CheckID": "admincenter_users_admins_reduced_license_footprint",
"CheckTitle": "Ensure administrative accounts use licenses with a reduced application footprint",
"CheckTitle": "Administrative user has no license or an allowed license (AAD_PREMIUM or AAD_PREMIUM_P2)",
"CheckType": [],
"ServiceName": "admincenter",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Active users",
"Description": "Administrative accounts must use licenses with a reduced application footprint, such as Microsoft Entra ID P1 or P2, or avoid licenses entirely when possible. This minimizes the attack surface associated with privileged identities.",
"Risk": "Licensing administrative accounts with applications like email or collaborative tools increases their exposure to social engineering attacks and malicious content, putting privileged accounts at risk.",
"RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide",
"Severity": "high",
"ResourceType": "",
"Description": "Privileged users in Microsoft 365 are evaluated for a **reduced license footprint**: only `AAD_PREMIUM` (P1) or `AAD_PREMIUM_P2` (P2), or no license. Assignments that include productivity app suites indicate excess application entitlements on administrative accounts.",
"Risk": "Productivity licenses on **privileged identities** create mailboxes and collaboration surfaces that widen attack paths. Phishing, malicious content, or rogue OAuth apps can steal credentials/tokens, enabling tenant-wide role misuse, data exfiltration, and configuration tampering-compromising **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://admin.microsoft.com.",
"https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide",
"https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "Set-MgUserLicense -UserId <USER_PRINCIPAL_NAME_OR_ID> -AddLicenses @() -RemoveLicenses @(Get-MgUserLicenseDetail -UserId <USER_PRINCIPAL_NAME_OR_ID> | Select-Object -ExpandProperty SkuId)",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft 365 admin center https://admin.microsoft.com. 2. Click to expand Users select Active users. 3. Click Add a user. 4. Fill out the appropriate fields for Name, user, etc. 5. When prompted to assign licenses select as needed Microsoft Entra ID P1 or Microsoft Entra ID P2, then click Next. 6. Under the Option settings screen you may choose from several types of privileged roles. Choose Admin center access followed by the appropriate role then click Next. 7. Select Finish adding.",
"Other": "1. Sign in to https://admin.microsoft.com\n2. Go to Users > Active users\n3. Select the affected administrative user\n4. Open Licenses and apps\n5. To pass the check, do ONE of the following:\n - Unassign all licenses (make the user unlicensed); or\n - Assign only Microsoft Entra ID P1 or P2 and remove all other licenses\n6. Click Save changes",
"Terraform": ""
},
"Recommendation": {
"Text": "Assign Microsoft Entra ID P1 or P2 licenses to administrative accounts to participate in essential security services without enabling access to vulnerable applications.",
"Url": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide"
"Text": "Maintain **dedicated admin accounts** with a **least-privilege, reduced-license** model: assign only Microsoft Entra P1/P2 features needed for identity security, or keep them unlicensed for apps. Separate admin from daily-use accounts, enforce **MFA** and just-in-time elevation, and use **privileged access workstations** for administration.",
"Url": "https://hub.prowler.com/check/admincenter_users_admins_reduced_license_footprint"
}
},
"Categories": [
"e3"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
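Review bot: the new CLI removes every SKU on the account (`-RemoveLicenses @(Get-MgUserLicenseDetail -UserId <USER_PRINCIPAL_NAME_OR_ID> | Select-Object -ExpandProperty SkuId)`), including AAD_PREMIUM and AAD_PREMIUM_P2, which the title and step 5 of "Other" explicitly allow; filter those out so the command implements the documented pass condition, e.g. `Get-MgUserLicenseDetail -UserId <USER_PRINCIPAL_NAME_OR_ID> | Where-Object { $_.SkuPartNumber -notin 'AAD_PREMIUM','AAD_PREMIUM_P2' } | Select-Object -ExpandProperty SkuId`. Because Description allows only those two standalone SKU part numbers, an admin whose Entra P1/P2 comes bundled under a different SKU will still fail; say so in Description or Recommendation. The Risk text also has "tampering-compromising" where a separator was lost, and `"https://admin.microsoft.com."` carries the trailing period inside the URL string.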