Frequently asked questions and requirements regarding the technical processes related to PRW® Compliance Set: M365
PRW® Compliance Set: M365-SCAN
Process of a scan
To perform a full scan of Microsoft 365, the software solution developed by Cloud Business Group will first connect to your tenant through a secure connection. For this purpose, an Azure Active Directory user with sufficient privileges (Global Administrator) is created in advance of the scan. For more information regarding the privileges, please check the "Necessary roles and permissions" section.
Microsoft 365 compliance consultants will connect with your Microsoft 365 tenant to perform the assessment of your environment in a collaborative session. Your IT department and, if possible, a data protection officer (internal/external) attend the entire process. After the analysis, a detailed review of the results and comprehensive instructions on how to handle recommendations and risks are provided to your organization.
Prior to the end of the session, all the data recorded will be destroyed fully and securely. The results of the assessment will be sent to you encrypted, as a confidential PDF file.
For a complete and insightful check, we use a wide range of Microsoft 365 interfaces (also known as "APIs"). The list of APIs used increases regularly due to the evolution of Microsoft 365 itself:
For a full scan performed on your Microsoft 365 tenant, the Azure Active Directory role "Global Administrator" is required. In order to ensure that the scan results are meaningful, it is necessary to perform scans related to OneDrive, SharePoint Online, Compliance Center or, in particular, Microsoft Teams, and other solutions. For all these solutions it is not yet possible to use lower permissions than the Global Administrator. For more details, please also see the Microsoft documentation below:
To exactly identify the service endpoints used by your Microsoft 365 services as well as their exact data location (Microsoft data center), we use a number of technologies, including measurements to determine the data stream used by your solutions. To identify the Microsoft data centers, we perform the measurements from outside the Microsoft ecosystem and thereby get, among other factors, exact location information:
The data location of the data center used for performing this operation:
Am Datacenter-Park 1
08223 Falkenstein (Germany)
PRW® Compliance Set: M365 adopts the rating method based on the NIST 800-30 standard (OWASP Risk Rating Methodology) and classifies risks (threats) according to the following types:
- Very Low
- Very High
For further information on "NIST 800-30 – Guide for Conducting Risk Assessments", go to this page.
The main advantage of the PRW® Compliance Set: M365 is the legal risk assessment of each finding within the scan.
A sample assessment (after an initial assessment of the Microsoft 365 environment) with a sample rating of individual factors for the tenant "Mustermann GmbH" is available here:
For further assessments and information on the entire scope of the PRW® Compliance Set: M365, and/or for report versions in German, please contact us.