Security Options for the M365 Management Pack for SCOM
We recently spoke with a customer who was planning to deploy the Microsoft 365 management pack for SCOM. They were asking about best practices for security.
The M365 MP offers three ways to authenticate to Microsoft 365 resources: a client Secret, Delegated (a user name and password), or a Certificate.
Certificate is the strongest of the three credentials. The MP proves its identity by signing an assertion with the certificate's private key, so an attacker needs the key itself rather than a string copied out of a configuration file; the password on the PFX only protects the key at rest while it is being imported. To keep it "something you have," mark the private key non-exportable once it is installed so it cannot be copied off the SCOM management server.
Secret is a single shared string (the client secret). Anyone who reads it from the configuration can replay it from anywhere.
Delegated is likewise a single secret (a user name and password), yet it may still be the best choice overall.
The reason is reach, not credential strength. Delegated auth acts on behalf of a specific user account, so what the MP can touch is bounded by what that account can touch; even if the user name and password are compromised, the attacker gets only that account's access. Secret and Certificate both use Application permissions, which are granted to the app itself and apply tenant-wide. One caveat: a password-only delegated sign-in cannot satisfy MFA, so the monitoring account needs a strong, unique password and should be restricted by other means (no interactive sign-in, no licenses or group memberships beyond what monitoring needs, and conditional access limited to the management servers' locations).
The granted permissions do bound what the MP can do, but the available permission scopes are often too coarse to help. For example, with Secret or Certificate, a Mail permission granted as an Application permission lets the MP read or write any mailbox in the organization. With Delegated, the same permission reaches only the signed-in user's mailbox, so if a dedicated monitoring account is used, a compromise exposes a single mailbox.
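The practical check behind that comparison is to look at what the MP's app registration has actually been granted, and of which kind. The script below is an added example for this post, not code from the original article or from the M365 MP itself. It classifies Application permissions (always tenant-wide) and Delegated grants (bounded to the consenting user) and flags Application permissions on mailbox, file, and directory data. The grant objects at the bottom are constructed sample data so the script runs offline; the `Get-LiveGrants` function shows the Microsoft.Graph cmdlets that would supply real grants for a given App (client) ID and is not called. The permission pattern list, the function names, and the placeholder GUID are this example's assumptions.

```powershell
# Added example, not from the original post or from the M365 MP.
# Classifies the grants on an app registration so the reach of each option is visible
# side by side. Sample grants below are constructed so the script runs offline.

# Application permissions matching these patterns reach every user's data in the tenant
# (assumed list for illustration; extend it for your own review).
$TenantWidePatterns = @('Mail.*', 'MailboxSettings.*', 'Files.*', 'Sites.*',
                        'Directory.ReadWrite.All', 'User.ReadWrite.All')

function Get-GrantReport {
    param(
        # Application permissions: objects with .Permission (role value) and .ResourceDisplayName.
        [object[]]$ApplicationGrants = @(),
        # Delegated grants: objects shaped like Get-MgOauth2PermissionGrant output
        # (.ConsentType, .PrincipalId, .Scope as a space-separated string).
        [object[]]$DelegatedGrants = @()
    )
    $report = [System.Collections.Generic.List[object]]::new()

    foreach ($g in $ApplicationGrants) {
        # App permissions are never scoped to a user: whatever is granted applies tenant-wide.
        $broad = @($TenantWidePatterns | Where-Object { $g.Permission -like $_ }).Count -gt 0
        $flag  = if ($broad) { 'REVIEW: tenant-wide data access' } else { '' }
        $report.Add([pscustomobject]@{
            Kind       = 'Application'
            Permission = $g.Permission
            Reach      = 'Every user in the tenant'
            Flag       = $flag
        })
    }

    foreach ($d in $DelegatedGrants) {
        # A delegated grant carries several scopes in one string; report each one.
        foreach ($scope in @($d.Scope -split ' ' | Where-Object { $_ })) {
            $reach = if ($d.ConsentType -eq 'AllPrincipals') {
                'Any user who signs in, but only that user''s own data'
            } else {
                "Only the consenting user $($d.PrincipalId)"
            }
            $report.Add([pscustomobject]@{
                Kind       = 'Delegated'
                Permission = $scope
                Reach      = $reach
                Flag       = ''
            })
        }
    }
    return $report
}

function Get-LiveGrants {
    # Requires the Microsoft.Graph module and a prior
    #   Connect-MgGraph -Scopes 'Application.Read.All'
    # Not called below, so the example stays runnable without a tenant.
    param([Parameter(Mandatory)][string]$AppId)   # the registration's Application (client) ID

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $appGrants = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
        # AppRoleId is a GUID; resolve it to the role value (e.g. Mail.ReadWrite) on the resource SP.
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        [pscustomobject]@{
            Permission          = ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
            ResourceDisplayName = $a.ResourceDisplayName
        }
    }
    $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
    Get-GrantReport -ApplicationGrants @($appGrants) -DelegatedGrants @($delegated)
}

# Constructed sample: what the Secret or Certificate option typically ends up with.
$sampleApplication = @(
    [pscustomobject]@{ Permission = 'Mail.ReadWrite';         ResourceDisplayName = 'Microsoft Graph' }
    [pscustomobject]@{ Permission = 'ServiceHealth.Read.All'; ResourceDisplayName = 'Microsoft Graph' }
)
# Constructed sample: the Delegated option consented by one dedicated monitoring account
# (the PrincipalId is a placeholder, not a real object ID).
$sampleDelegated = @(
    [pscustomobject]@{
        ConsentType = 'Principal'
        PrincipalId = '00000000-0000-0000-0000-000000000001'
        Scope       = 'Mail.ReadWrite ServiceHealth.Read.All'
    }
)

Get-GrantReport -ApplicationGrants $sampleApplication -DelegatedGrants $sampleDelegated |
    Format-Table Kind, Permission, Reach, Flag -AutoSize
```

With the sample data, the Application row for Mail.ReadWrite is the one that gets flagged: it is the same permission name as the Delegated row, but its reach is every mailbox in the tenant rather than the monitoring account's own. Running `Get-LiveGrants -AppId <client id>` against the real registration gives the same table for what is actually consented, which is the thing to review before choosing between the three options.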