Monkey365 v0.96.6

What's Fixed

• Multiple false positives due to incorrect conversion of JSON rules into PowerShell expressions #171
• Added new exceptions

Upcoming deprecation

• List of all ongoing deprecations and breaking changes #132

Upcoming changes

• Review Microsoft Entra Checks Across Azure and Microsoft 365 Benchmarks #172
• Create Separate Benchmarks for Azure Compute and Azure Database #173
• Update to latest CIS Benchmarks #164

The following benchmarks are now deprecated, and will be retired soon:

• CIS Microsoft Azure Foundations 3.0
• CIS Microsoft 365 Foundations 3.0
• CIS Microsoft 365 Foundations 4.0

Full Changelog: v0.96...v0.96.6

Monkey365 v0.96.5

What's Added

• You can now use the Microsoft's tenant‑owned Microsoft Graph Client ID 14d82eec-204b-4c2f-b7e8-296a70dab67e to connect to Entra ID. This client ID allows Monkey365 to request additional Microsoft Graph scopes that are not available through the default Azure PowerShell client ID, providing broader visibility into privileged roles, access policies or directory‑wide configuration.

To switch from the default Azure PowerShell client ID to the Microsoft‑owned Graph Client ID, set the useMgGraph property to true in your monkey365.config configuration file:

"mgGraph": {
    "useMgGraph": "true"
    ...
}

• Monkey365 now supports direct authentication using access tokens, enabling fully non‑interactive execution for automation, CI/CD pipelines, and service‑principal–based workflows. Users can provide one or more access tokens, and Monkey365 will automatically route each token to the appropriate API based on its aud (audience) claim.

$azureRM = az account get-access-token --query accessToken -o tsv
$graph = az account get-access-token --resource https://graph.microsoft.com/ --query accessToken -o tsv
$storage = az account get-access-token --resource https://storage.azure.com/ --query accessToken -o tsv
$vault = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv

$accessTokens = [System.Collections.Generic.List[System.String]]::new()
[void]$accessTokens.Add($azureRM);
[void]$accessTokens.Add($graph);
[void]$accessTokens.Add($storage);
[void]$accessTokens.Add($vault);

$p = @{
    Instance = "Azure";
    Collect = "All";
    AccessToken = $accessTokens;
    IncludeEntraId = $true;
    TenantId = "00000000-0000-0000-0000-000000000000";
    ExportTo = "HTML";
    Verbose = $true;
    InformationAction = "Continue"
}
Invoke-Monkey365 @p

Upcoming deprecation

• List of all ongoing deprecations and breaking changes #132

The following benchmarks are now deprecated, and will be retired soon:

• CIS Microsoft Azure Foundations 3.0
• CIS Microsoft 365 Foundations 3.0
• CIS Microsoft 365 Foundations 4.0

Full Changelog: v0.95.8...v0.96.5

Monkey365 v0.96

What's Added

• Support for serving static HTML-related assets (CSS, JS, images, fonts, etc.) through a dedicated local web server endpoint. More information about this can be seen here. #162
• Full support for the CIS Microsoft 365 Foundations Benchmark v5.0.0. All controls included.

What's Fixed

• Automated Monkey365 Runs May Introduce A Confirmation Prompt In PowerShell 5.1 after installing KB5074204 #163
• Added new exceptions
• Better classification for findings #159 .Since the CIS Benchmarks do not assign risk severity levels, the risk ratings for all rulesets are based on my own interpretation.

As always, you can override any rule at different levels, such as severity, enabled/disabled and so on. More details are available in the in the Overrides section.

The following rules were automated:

• 1.1.4 Ensure administrative accounts use licenses with a reduced application footprint
• 1.2.1 Ensure that only organizationally managed/approved public groups exist
• 1.2.2 Ensure sign-in to shared mailboxes is blocked
• 1.3.4 Ensure 'User owned apps and services' is restricted
• 2.1.1 Ensure Safe Links for Office Applications is Enabled
• 2.1.2 Ensure the Common Attachment Types Filter is enabled
• 2.1.4 Ensure Safe Attachments policy is enabled
• 2.1.5 Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
• 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
• 2.1.7 Ensure that an anti-phishing policy has been created
• 2.1.11 Ensure comprehensive attachment filtering is applied
• 2.1.12 Ensure the connection filter IP allow list is not used
• 2.1.13 Ensure the connection filter safe list is off
• 2.1.14 Ensure inbound anti-spam policies do not contain allowed domains
• 2.4.1 Ensure Priority account protection is enabled and configured
• 2.4.2 Ensure Priority accounts have 'Strict protection' presets applied
• 2.4.4 Ensure Zero-hour auto purge for Microsoft Teams is on
• 3.2.1 Ensure DLP policies are enabled
• 3.2.2 Ensure DLP policies are enabled for Microsoft Teams
• 3.3.1 Ensure Information Protection sensitivity label policies are published
• 5.1.3.1 Ensure a dynamic group for guest users is created
• 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
• 5.2.2.2 Ensure multifactor authentication is enabled for all users
• 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
• 5.2.2.5 Ensure 'Phishing-resistant MFA strength' is required for Administrators
• 5.2.2.8 Ensure 'sign-in risk' is blocked for medium and high risk
• 5.2.2.9 Ensure a managed device is required for authentication
• 5.2.2.10 Ensure a managed device is required to register security information
• 5.2.2.11 Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
• 5.2.2.12 Ensure the device code sign-in flow is blocked
• 5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue
• 5.2.3.5 Ensure weak authentication methods are disabled
• 5.3.2 Ensure 'Access reviews' for Guest Users are configured
• 5.3.4 Ensure approval is required for Global Administrator role activation
• 5.3.5 Ensure approval is required for Privileged Role Administrator activation
• 6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False'
• 6.1.2 Ensure mailbox audit actions are configured
• 6.1.3 Ensure 'AuditBypassEnabled' is not enabled on mailboxes
• 6.2.2 Ensure mail transport rules do not whitelist specific domains
• 6.5.1 Ensure modern authentication for Exchange Online is enabled
• 6.5.4 Ensure SMTP AUTH is disabled
• 7.2.1 Ensure modern authentication for SharePoint applications is required
• 7.2.3 Ensure external content sharing is restricted
• 7.2.4 Ensure OneDrive content sharing is restricted
• 7.2.8 Ensure external sharing is restricted by security group

Upcoming deprecation

The following benchmarks will be deprecated, and will be retired soon:

• CIS Microsoft Azure Foundations 3.0
• CIS Microsoft 365 Foundations 3.0
• CIS Microsoft 365 Foundations 4.0

Upcoming breaking changes

• List of all ongoing deprecations and breaking changes #132

Full Changelog: v0.95.7...v0.96

Monkey365 v0.95.8

What's Changed

• Small fix by @GoldraK in #157
• Improved documentation and examples (https://silverhack.github.io/monkey365/)
  • Detailed documentation about authentication options available here
• Updated internal modules

What's Added

• Client credentials support for Microsoft Fabric. You can now use Monkey365 using the following command as a example:

$param = @{
    ClientId = '00000000-0000-0000-0000-000000000000';
    certificate = 'C:\monkey365\testapp.pfx';
    CertFilePassword = ("MySuperCertSecret" | ConvertTo-SecureString -AsPlainText -Force);
    Instance = 'Microsoft365';
    Collect = 'SharePointOnline','MicrosoftFabric';
    TenantID = '00000000-0000-0000-0000-000000000000';
    PowerBIClientId = '00000000-0000-0000-0000-000000000000';
    PowerBICertificateFile = 'C:\monkey365\powerBi.pfx';
    PowerBICertificatePassword = ("MySuperPassword" | ConvertTo-SecureString -AsPlainText -Force);
    ExportTo = @("HTML");
}
Invoke-Monkey365 @param

Please, note that unlike other services, Microsoft Fabric requires that the application must not have any delegated or application permissions assigned. See docs here and official documentation from Microsoft here

New features

Listing rules

The -ListRule flag is used to display a list of available rules within the Monkey365 framework. Try it now with the following examples:

• The following example will list all rules available for the Azure instance.

$p = @{
    Instance = "Azure";
    ListRule = $true
}
Invoke-Monkey365 @p

The following example will list all rules available for the Microsoft 365 instance.

$p = @{
    Instance = "Microsoft365";
    ListRule = $true
}
Invoke-Monkey365 @p

Automatic application setup with Monkey365

Monkey365 now includes a built-in utility that streamlines the creation and configuration of Entra ID applications for the following Microsoft services:

• Microsoft Graph
• Microsoft Teams
• Exchange Online
• SharePoint Online

The utility automates the creation of an Entra ID application, configures permissions based on the selected services, and generates a certificate for authentication, which it then uploaded.

To run the utility with default settings from the Monkey365 installation directory, use the following:

$p = @{
    TenantId = '00000000-0000-0000-0000-000000000000';
    Services = 'ExchangeOnline','MicrosoftGraph','MicrosoftTeams','SharePointOnline';
}
Register-Monkey365Application @p

If you want to specify a custom certificate, use the following:

$p = @{
    TenantId = '00000000-0000-0000-0000-000000000000';
    Services = 'ExchangeOnline','MicrosoftGraph','MicrosoftTeams','SharePointOnline';
    Certificate = 'C:\Monkey365.cer'
}
Register-Monkey365Application @p

More information and examples can been seen here

New Contributors

• @GoldraK made their first contribution in #157

Full Changelog: v0.95.6...v0.95.8

Monkey365 v0.95.7

What's Changed

• Small fix by @GoldraK in #157

What's Fixed

• Fix authentication logic when external user is used to authenticate #156
• Added new exceptions

The following rules were automated:

• CIS 5.0 9.1.1 Ensure guest user access is restricted
• CIS 5.0 9.1.2 Ensure external user invitations are restricted
• CIS 5.0 9.1.3 Ensure guest access to content is restricted
• CIS 5.0 9.1.4 Ensure 'Publish to web' is restricted
• CIS 5.0 9.1.5 Ensure 'Interact with and share R and Python' visuals is 'Disabled'
• CIS 5.0 9.1.6 Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
• CIS 5.0 9.1.7 Ensure shareable links are restricted
• CIS 5.0 9.1.8 Ensure enabling of external data sharing is restricted
• CIS 5.0 9.1.9 Ensure 'Block ResourceKey Authentication' is 'Enabled'
• CIS 5.0 9.1.10 Ensure access to APIs by Service Principals is restricted
• CIS 5.0 9.1.11 Ensure Service Principals cannot create and use profiles

New Contributors

• @GoldraK made their first contribution in #157

Full Changelog: v0.95.6...v0.95.7

Monkey365 v0.95.6

What's Fixed

• Fix profilephoto render with MSGraph API #155
• Fix Tenant logic. Using Select-Object instead of direct access to tenant name property #156

Enjoy!

Full Changelog: v0.95.5...v0.95.6

Monkey365 v0.95.5

What's Added

The following benchmark was added:

• CIS Microsoft 365 Foundations Benchmark v5.0.0

What's Fixed

• Fix authentication logic when authenticating against a tenant without a P1 or P2 license #151
• Fix Azure and Microsoft 365 import logic when running in custom docker container #150
• Added a new exception when monkey365 is unable to establish connection to desired tenant #146

What's Changed

• fix: updated filepath to sample-report by @picccard in #148
• feat: automatically format copyright string in footer with current year by @picccard and @kamilkrzyskow in #147
• Cis m365 5.0 by @rfernandezdo in #149

What's Removed

• Collectors and internal functions used to fetch data using the legacy MS Graph API were removed #152

New Contributors

• @picccard and @kamilkrzyskow made their first contribution in #148
• @rfernandezdo made their first contribution in #149

Full Changelog: 0.95.2...v0.95.5

Monkey365 v0.95.2

What's Fixed

• VerbosePreference was not propagated through different tasks #145

Full Changelog: 0.95.1...0.95.2

Monkey365 v0.95.1

What's Changed

• Improved documentation and examples (https://silverhack.github.io/monkey365/)
• Internal modules were rewritten to add support to CDN (jsDelivr)

What's New

• I have significantly enhanced the HTML option to make the report more intuitive:

• You can see additional information in docs

• Now you can install Monkey365 using the built-in Install-Module command. The examples below will install Monkey365 in your installation scope depending on your PowerShell version. You can control this using the -Scope <AllUsers/CurrentUser> parameter.

Install-Module -Name monkey365 -Scope CurrentUser

To install a beta version, you can use the following command:

Install-Module -Name monkey365 -Scope CurrentUser -AllowPrerelease

To update monkey365:

Update-Module -Name monkey365 -Scope CurrentUser

• More information is available here

Full Changelog: v0.94.6-beta...0.95.1

Monkey365 v0.94.6-beta

What's Changed

The following benchmark was added:

• CIS Microsoft 365 Foundations Benchmark v4.0.0

What's Changed

The following rules were updated:

• CIS 3.0 2.6 Ensure that account 'Lockout Threshold' is less than or equal to '10'
• CIS 3.0 2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
• CIS 3.0 9.12 Ensure that 'Remote debugging' is set to 'Off'

Upcoming breaking changes

• Redesign HTML output #114
• Move all rules and rulesets to its own repo #133
• List of all ongoing deprecations and breaking changes #132

Full Changelog: v0.94.5-beta...v0.94.6-beta