FAQ (english)

Technical processes

Frequently asked questions and requirements regarding the technical processes related to PRW® Compliance Set: M365

Process of a Microsoft 365 scan

Frequently asked questions about the process of a full Microsoft 365 scan performed on your tenant.


Implemented advanced security features to ensure secure scanning of your Microsoft 365 tenant.

Data locations and data in motion

Precise identification of data locations and data in motion within the Microsoft 365 tenant.

PRW® Compliance Set: M365-SCAN

Process of a scan

To perform a full scan of Microsoft 365, the software solution developed by Cloud Business Group will first connect to your tenant through a secure connection. For this purpose, an Azure Active Directory user is created in advance of the scan, which must have sufficient privileges (Global Administrator) - for more information regarding the privileges, please check the "Necessary roles and permissions" section.

Microsoft 365 compliance consultants will connect with your Microsoft 365 tenant to perform the assessment of your environment in a collaborative session. Your IT department and, if possible, a data protection officer (internal/external) attend the entire process. After the analysis, a detailed review of the results and comprehensive instructions on how to handle recommendations and risks are provided to your organization.

Prior to the end of the session, all the data recorded will be destroyed fully and securely. The results of the assessment will be sent to you encrypted in the format of a confidential PDF file.

Microsoft Protection Analysis_Seite_02

For a complete and insightful check, we use a wide range of Microsoft 365 interfaces (also known as „APIs“). The list of APIs used increases regularly due to the evolution of Microsoft 365 itself:

  • Az
  • Az.Accounts
  • Azure
  • AzureADPreview
  • ExchangeOnlineManagement
  • ExchangePowerShell
  • Microsoft.Graph
  • Microsoft.Graph.Applications
  • Microsoft.Graph.Authentication
  • Microsoft.Graph.Bookings
  • Microsoft.Graph.Calendar
  • Microsoft.Graph.ChangeNotifications
  • Microsoft.Graph.CloudCommunications
  • Microsoft.Graph.Compliance
  • Microsoft.Graph.CrossDeviceExperiences
  • Microsoft.Graph.DeviceManagement
  • Microsoft.Graph.DeviceManagement.Actions
  • Microsoft.Graph.DeviceManagement.Administration
  • Microsoft.Graph.DeviceManagement.Enrolment
  • Microsoft.Graph.DeviceManagement.Functions
  • Microsoft.Graph.Devices.CloudPrint
  • Microsoft.Graph.Devices.CorporateManagement
  • Microsoft.Graph.DirectoryObjects
  • Microsoft.Graph.Education
  • Microsoft.Graph.Files
  • Microsoft.Graph.Financials
  • Microsoft.Graph.Groups
  • Microsoft.Graph.Identity.DirectoryManagement
  • Microsoft.Graph.Identity.Governance
  • Microsoft.Graph.Identity.SignIns
  • Microsoft.Graph.Mail
  • Microsoft.Graph.Notes
  • Microsoft.Graph.People
  • Microsoft.Graph.PersonalContacts
  • Microsoft.Graph.Planner
  • Microsoft.Graph.Reports
  • Microsoft.Graph.SchemaExtensions
  • Microsoft.Graph.Search
  • Microsoft.Graph.Security
  • Microsoft.Graph.Sites
  • Microsoft.Graph.Teams
  • Microsoft.Graph.Users
  • Microsoft.Graph.Users.Actions
  • Microsoft.Graph.Users.Functions
  • Microsoft.Graph.WindowsUpdates
  • Microsoft.Online.SharePoint.PowerShell
  • MicrosoftTeams
  • MSOnline

For a full scan performed on your Microsoft 365 tenant, the Azure Active Directory role „Global Administrator“ is required. In order to ensure that the scan results is meaningful, it is necessary to perform scans related to OneDrive, SharePoint Online, Compliance Center or, in particular, Microsoft Teams, and other solutions. For all these solutions it is not yet possible to use lower permissions than the Global Administrator. For more details, please also see the Microsoft documentation below:

To exactly identify the service endpoints used by your Microsoft 365 services as well as their exact data location (Microsoft data center), we use a number of technologies, including measurements to determine the data stream used by your solutions. To identify the Microsoft data centers, we perform the measurements from outside the Microsoft ecosystem and thereby get, among other factors, exact location information:

The data location of the data center used for performing this operation:

Am Datacenter-Park 1
08223 Falkenstein (Germany)

PRW® Compliance Set: M365 adopts the rating method, based on the NIST 800-30 standard (OWASP Risk Rating Methodology), and classifies risks ( threats) according the following types

  • Very Low
  • Low
  • Moderate
  • High
  • Very High

For further information on „NIST 800-30 – Guide for Conducting Risk Assessments“, go to this page.

The main advantage of the PRW® Compliance Set: M365 includes the legal risk assessment of each finding within the scan.

A sample assessment (after an initial assessment of the Microsoft 365 environment) with a sample rating of individual factors for the tenant „Mustermann GmbH“ is available here:

Microsoft Protection Analysis_Seite_01

For further assessments and information on the entire scope of the PRW® Compliance Set: M365 and/or for report versions in german language, please contact us.

Security while scanning process

Methods for performing a scan securely

In order to perform a scan, high privileges are required during the process, see "Necessary roles and permissions" above. To ensure a maximum level of security during the scan process, we recommend the following actions:
Identification of your data in motion and data at rest

How to identify data at rest and data in motion for Microsoft 365?

One of the most complex features of the PRW® Compliance Set: M365 software solution is the accurate identification of data in motion and data at rest. Using multiple technologies (data stream measurement, endpoint discovery of Microsoft-specified service registry of your tenant, per-user database information - and more), we are able to identify functional-level information related to data at rest and data in motion. We can also provide a transparent overview of risks due to the use of third-party apps after a scan. This enables you to parameterize Microsoft 365 solutions in such a way that they can be used in a compliant way. From scans that have already been performed, we have been able to identify data streams to the Microsoft data centers listed below until now:
Process of PRW® Compliance Set: M365 - from the scan to the review

Process flow

Scan of the tenant

We perform a full scan of your entire Microsoft 365 tenant along with the solutions you are using.

Encrypted data processing

For visual presentation of results in the shape of a report, we temporarily process the scan results in an encrypted database. The captured data is securely destroyed after the report has been prepared.

Results review

A Microsoft 365 compliance expert will lead you through a qualified review of the results and provide recommendations for action and possible risks.

Handling the recommendations regarding action

Important recommendations for actions or risk assessments are handled through you, a dedicated IT service provider, and/or with guidance of the Cloud Business Group.

Second scan of the tenant

A second scan is performed, resulting in the documentation of the effectiveness of the handled recommendations made.

Legal report

Upon a handover of the outcome of the second scan to PRW Lawyers by Cloud Business Group, you will receive a qualified legal report based on your Microsoft 365 compliance.