Metrics Library

This is helpful to someone who's trying to obtain/maintain visibility into the admin users in an organization's M365 instance. This is a good Metric for QBRs, recurring site reviews, and an onboarding report. Also, this Metric could be used to build a user audit with the intention of an end customer confirming that all looks as expected. This Metric can also be used to create a pointed Actionable Alert that helps to maintain visibility into changes to this list. Roles[? contains(displayName, dmin ) && displayName != Company Administrator && Members[] != null && Members[] != [] ].join( , [join( , [ , to_string(displayName)]), join( , [ : , to_string(Members[].displayName)])])

This is helpful to someone who's trying to obtain/maintain visibility into the non-admin users in an organization's M365 instance. This is a good Metric for QBRs, recurring site reviews, and an onboarding report. Also, this Metric could be used to build a user audit with the intention of an end customer confirming that all looks as expected. This Metric can also be used to create a pointed Actionable Alert that helps to maintain visibility into changes to the list of Admin users with MFA disabled. Users[? Privileged == Yes && isMfaRegistered_r == Enabled ].displayName

Category: Storage Insights MetricsDescription:This metric generates a comprehensive summary of Microsoft 365 drive storage details. It includes key information such as site name, drive name, creator, creation date, and the remaining storage percentage for each drive.Purpose:To provide IT organizations with a clear and concise overview of storage utilization across Microsoft 365 environments, enabling better management, planning, and resolution of storage-related issues.Use Cases:Resource Monitoring: Keep track of storage utilization across all drives to ensure sufficient capacity is available.Capacity Planning: Use remaining storage data to plan for upgrades or archival actions, ensuring continued system performance.Accountability: Identify the owner (Created By) of drives to facilitate follow-ups for cleaning or optimizing storage.Auditing: Document drive creation dates and usage trends to support audits and compliance efforts.Optimization Opportunities: Highlight drives with very high or very low usage for potential cleanup or reallocation.How it Works:The metric utilizes Liongard’s Microsoft 365 Inspector to extract and summarize storage-related data for each drive. The JMESPath query outputs the following details for every drive:Site NameDrive NameCreated By (Owner)Created On (Date of Creation)Remaining Storage in PercentageBeneficiaries:IT Teams: Gain insights into storage usage across all sites and drives.Organizations: Plan for future storage needs and maintain efficient operations.Decision-Makers: Access actionable summaries to guide resource allocation and policy adjustments.Notes for Customization:Additional Enhancements:Add Usage Details: Include fields like Used Storage or Total Capacity to provide a fuller picture of the drive’s storage status.Highlight Critical Drives: Apply conditional formatting or flags for drives with less than a specified threshold of remaining storage (e.g., 10%).Aggregate Data: Create summary statistics, such as total remaining storage or average usage across all drives.Why Modify:Tailored Reporting: Customize the fields and output to align with organizational needs, such as compliance with specific storage policies.Enhanced Usability: Expand data points to allow quicker decision-making, such as identifying which drives to prioritize for cleanup or migration.Automation Opportunities: Tie the metric to workflows that notify teams of critical storage issues or trigger cleanup operations. drives[].[['Site Name:'siteName_r],['Name:'name],['Created By:' createdBy.user.displayName],['Created On:'createdDateTime],['Remaining Storage in %:'quota.percentOfQuotaRemaining_r],['--']][]

Metric Name: Microsoft 365: Security Score Average (Sharp)Category: SecurityDescription: This metric monitors the average Microsoft 365 security score for comparative analysis. It provides insight into the organization’s security score, helping gauge security performance in relation to peers.Purpose: The purpose of this metric is to track how well the organization's Microsoft 365 security posture aligns with or exceeds the average security score of other Microsoft 365 tenants when put into a Liongard report. It enables benchmarking against other customer tenants and identifies areas where security can be improved relative to the average.How it works:The metric uses the query (SecureScores.averageComparativeScores[?basis=='AllTenants'].averageScore) to pull the average security score for all tenants from Microsoft 365's Secure Score comparative data.This provides an average of the organization's current security score.Beneficiaries:IT Administrators: Gain insights into how a tenant's security setup compares to other Microsoft 365 tenants, helping to make informed decisions about where improvements may be needed.Security Teams: Can use this information to identify gaps in their security posture that may fall below industry averages and focus on areas to boost the organization’s score.Managed Service Providers (MSPs): This information is critical for MSPs responsible for multiple clients. They can use it to benchmark their clients’ security standings against the broader tenant base and identify clients who may need targeted security improvements.Additional Notes:Why this is valuable: Benchmarking using the average security score helps organizations understand their relative security performance and guides them in improving areas where they may be lagging behind. SecureScores.averageComparativeScores[?basis=='AllTenants'].averageScore

Microsoft 365: Inactive Users with Assigned LicensesCategory: User Activity & LicensingDescription:Identifies Microsoft 365 users with assigned licenses who have not signed in (either interactively or non-interactively) for more than 30 days. It provides details about the user’s display name, assigned licenses, and the number of days since their last sign-in activity.Purpose:To ensure license optimization by identifying inactive users who are still consuming valuable licenses, enabling proactive management and cost reduction.How It Works:Filtering: Extracts user accounts where licenses are assigned, the account is enabled, and last sign-in activity (both interactive and non-interactive) exceeds 30 days.Output: Presents data as a table with columns for:User Display NameAssigned License (or "Not Assigned" if no licenses are allocated)Days since last non-interactive sign-inDays since last interactive sign-inSeparator row (--) for better readabilityBeneficiaries:IT Administrators: Gain visibility into inactive users with assigned licenses to optimize resource allocation.Finance Teams: Identify opportunities for cost-saving by reclaiming unused licenses.Operations Teams: Streamline licensing audits and compliance reporting.Notes:Making Changes:To adjust the inactivity threshold, change the 30 in the time_since conditions to a desired value (e.g., 60 for a 2-month threshold).Why Changes Are Valuable:Custom Thresholds: Different organizations may have varying definitions of inactivity based on their operational requirements.Granularity: Adding filters for user groups or roles allows targeted insights for specific teams or departments. Users[?Assigned_Products != null && Assigned_Products != '' && accountEnabled == true && (time_since(signInActivity.lastNonInteractiveSignInDateTime, 'days') > 30 || time_since(signInActivity.lastSignInDateTime, 'days') > 30 )] .[ ['User:' Display_Name], ['Assigned License:' Assigned_Products || 'Not Assigned'], ['Days Since Last Non-Interactive Sign In:' time_since(signInActivity.lastNonInteractiveSignInDateTime, 'days')],['Days Since Last Interactive Sign In:' time_since(signInActivity.lastSignInDateTime, 'days')], ['--'] ][]

Metric Name: Microsoft 365: Defender - Safe Documents EnabledCategory: SecurityDescription: This metric checks whether the Safe Documents feature is enabled in Microsoft 365 Defender. Safe Documents uses Microsoft Defender to scan documents that are opened in Protected View, ensuring that they are safe before users interact with them.Purpose: The purpose of this metric is to verify that Safe Documents is enabled, providing additional protection by automatically scanning documents for malicious content, especially in enterprise environments where document handling is frequent.How it works:This metric uses a query (SecureScores.controlScores[?controlName=='mdo_safedocuments'].on) to check the status of the Safe Documents control in the Secure Score of Microsoft 365.The result will indicate whether the Safe Documents feature is enabled ("true") or disabled, ensuring that documents are being automatically scanned for threats before they are opened fully.Beneficiaries:Security Teams: Gain insight into whether Safe Documents is enabled, ensuring that files opened in Protected View are automatically checked for malware.IT Administrators: Can use this metric to enforce policies ensuring that Safe Documents is enabled across the organization.End Users: Benefit from an additional layer of security, reducing the risk of downloading and opening malicious documents.Additional Notes:Customization: The query can be adapted to track other document security features or integrate with broader document protection policies within Microsoft 365. For example, extending the query to monitor Safe Attachments alongside Safe Documents would provide a more complete view of document handling security.Why this is valuable: Enabling Safe Documents reduces the risk of malicious document downloads and interactions, especially in environments that deal with high volumes of externally sourced files. SecureScores.controlScores[?controlName== 'mdo_safedocuments'].on

This is helpful to someone who's trying to obtain/maintain visibility into a part of an organzation's M365 licensing breakdown. This is a good Metric for QBRs or recurring site reviews. Users[?contains(userPrincipalName, helpdesk ) || contains(userPrincipalName, Helpdesk )].[userPrincipalName,Assigned_Products]

This is helpful to someone who's trying to obtain/maintain visibility into users without Advanced Threat Protection in an organization's M365 instance. This is a good Metric for QBRs, recurring site reviews, and an onboarding report. This Metric can also be used to create a pointed Actionable Alert that helps to maintain ATP as a security setting. Users[? !contains(Assigned_Products, hreat )].displayName

This is helpful to someone who's trying to obtain/maintain visibility into if the AdminMFAV2 control score is active in an organization's M365 instance. This is a good Metric for QBRs, recurring site reviews, and an onboarding report. This Metric can also be used to create a pointed Actionable Alert that helps to maintain the secure setup of an organization's M365 instance. SecureScores.controlScores[?controlName == AdminMFAV2 ].description

This is helpful to someone who's trying to obtain/maintain visibility into if the MFARegistrationV2 control score is active in an organization's M365 instance. This is a good Metric for QBRs, recurring site reviews, and an onboarding report. This Metric can also be used to create a pointed Actionable Alert that helps to maintain the secure setup of an organization's M365 instance. SecureScores.controlScores[?controlName == MFARegistrationV2 ].description