User Account Security Assessment


Information below is in relation to the dashboard generated by running the Voleer User Account Security Assessment available at

Click on the sections of the image below to understand more about the different sections of the assessment.

mceclip2.png mceclip6.png  
mceclip8.png mceclip7.png
  mceclip9.png mceclip10.png  


Compromised Accounts

Accounts that have been identified as compromised means that either the username and/or password has been leaked on the internet and is available within the public domain.


Why is this a problem

It is reported* that over 65% of people use the same username and password for multiple or all accounts. As a result, it is highly likely that the same compromised account username/password combination has access to the Organization’s Office 365 account.

Remediation actions

Short term

Follow Microsoft’s instructions on How to recover a hacked or compromised Microsoft account

Long term

  1. Provide user education around passwords including
    • Using strong, long passwords / passphrases
    • Using different passwords for every account
    • Using password managers
  2. Making users aware of phishing techniques
  3. Implement MFA throughout the organization

* 2019 online survey by Google

back to top

Administrative Roles

Graph showing the administrative roles and the number of accounts allocated per role.


Why is this important

Having full visibility into the number of accounts with administrative roles is important as these roles have access to sensitive data and files.


Administrative accounts

  • Have 2 and no more than 4 accounts with global administrator privileges
  • Accounts with administrative roles should be secured with MFA and/or use Azure AD Privileged Identity Management
  • Create a separate administrative account rather than associate an administrative role with a standard user account
  • Avoid using shared accounts as this will cause a problem with auditing
  • Review and assign the least permissive role to get the job done
  • Regularly audit accounts with administrative roles, including removing accounts that are no longer used and adjusting roles

Service accounts with administrative roles

  • Restrict access by service accounts to known IP ranges and/or known access times
  • Provide the least permissive role
  • Ensure passwords are not hardcoded in application/script files

back to top

Days Since Last Login

Identify accounts which may be no longer in use (inactive)


Why is this important

Inactive accounts

  1. Adds to the attack surface for people with malicious intent. This is especially risky if there is an administrative role assigned to it
  2. Be an unnecessary cost if there is a paid license associated with it

Remediation actions

Remove the account or block access

Additional actions

  • Ensure appropriate offboarding processes (for employees) and deactivation processes (for applications/scripts) are in place

back to top

External Forwarding

Identify the number of user accounts that have inbox rules forwarding emails outside of the organization.


Why is this important

With an estimated 4% of users likely to click on any given phishing email, threat actors enable auto forwarding to an external account so they can

  • Craft extremely convincing spear phishing messages to other users in the aim to compromise those accounts
  • Spoof emails
  • Get access to confidential information


  1. Review existing external forwarding rules with the mailbox owner to ensure legitimacy
  2. Audit external forwarding rules on a regular basis

back to top

Full Access Permissions

Identifies accounts that has full access to another account or has granted full access to another account.


Why is this important

Once an account has been breached, bad actors may seek to get access to other accounts with the aim to reach their target account, i.e. Executive or Admin accounts. Providing unnecessary full access between accounts may make it easier for bad actors to achieve this.

Also, a spike in the number of accounts given or granted may also indicate activity from bad actors moving their way through the organization.


  1. Review and audit Full Access permissions to ensure their legitimacy with the mailbox owner
  2. Scale back Full Access permissions to Send-As or Send-On-Behalf if possible

back to top

Successful and Failed Logins

Shows the number of successful and failed logins into an account by country.


Why is this important

Successful logins from locations not associated with where users reside may indicate a breached account.


Short term

  1. If there was a successful login from an unknown country, review the account activity and follow Microsoft’s Responding to a Compromised Email Account in Office 365 if necessary.
  2. Potentially limit access to Office 365 by country using Conditional Access

Long term

  1. Implement MFA through the organization

back to top

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.