A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
| Property | Value |
| --- | --- |
| ISM Control | ISM-1698 |
| Revision | 1 |
| Updated | Sep-23 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Scanning for unmitigated vulnerabilities |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
A vulnerability scanner is used on a daily basis to identify missing patches and vulnerabilities across online services. Monitor the Microsoft 365 Admin Portal “Service Health” to watch for service vulnerability announcements.
Justification
Daily vulnerability scanning for online services is required because:
- Online services update continuously — SaaS platforms like Microsoft 365 receive feature and security updates without traditional patching schedules, so point-in-time monthly scans miss newly introduced exposures.
- Misconfiguration is as dangerous as unpatched software — Defender for Cloud and Secure Score continuously evaluate configuration drift that creates exploitable conditions even if software versions are current.
- Regulator and PSPF expectations — government entities must demonstrate continuous assurance over their cloud service attack surface, not just periodic snapshots.
Microsoft Defender for Cloud / Defender Vulnerability Management provides automated, continuous scanning with daily refresh of recommendations, satisfying the daily frequency requirement without manual intervention. For Microsoft 365 specifically, the Service Health dashboard surfaces Microsoft-disclosed vulnerabilities and service advisories that may require immediate tenant-side action (configuration changes, temporary workarounds) before a vendor patch is available.
Design Decision
> [!NOTE]
> The Microsoft 365 Admin Portal Service Health monitoring will be deployed to monitor for service vulnerability announcements. Alerts will be surfaced for any such announcements.
Prerequisites
Licensing
- Defender vulnerability scanning requires the appropriate Defender licensing:
  - Agentless vulnerability scanning requires Defender for Servers Plan 2 or the Defender for Cloud CSPM plan.
  - Agent-based vulnerability scanning requires Defender for Servers Plan 1 or Plan 2.
Permissions/Roles
- Deploying the vulnerability scanner requires Owner permissions at the resource group level.
- Viewing vulnerability findings requires Security Reader permissions.
Dependencies
- Endpoints must be onboarded to Microsoft Defender for Endpoint before using Defender Vulnerability Management.
- Ensure Defender Vulnerability Management is enabled as part of Microsoft Defender for Cloud and that the appropriate Defender for Servers plan is active.
- Target machines must be within the supported operating systems set for vulnerability scanning.
Implementation Steps
Monitor the Microsoft 365 Admin Portal Service Health
- Sign in to the Microsoft 365 admin center with at least the Service Support Administrator role.
- In the left navigation, select Health > Service health to view current service status and any active advisories.
- Select Preferences to configure email notifications for service incidents, advisories, and message center posts.
- Enable the Send me email notifications about service health option and add the security team distribution list as a recipient.
- In the Microsoft Defender portal (security.microsoft.com), navigate to Threat & vulnerability management > Recommendations and review the daily-refreshed list of cloud service recommendations.
- Filter by Category: Online services or Platform: Azure AD / Microsoft 365 to focus on online service vulnerabilities.
- For any critical recommendations, use the Remediation workflow to create Intune remediation tasks or assign manual remediation to the responsible team with a due date matching the two-week SLA for non-critical vulnerabilities.
- Optionally, configure a Logic App or Power Automate flow to push Service Health notifications into Microsoft Teams or the organisation’s ITSM system for automated ticketing.
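As an added example (not code from the Blueprint or from Microsoft), the check a scheduled job in the Logic App or Power Automate step could run each day: it confirms the Defender recommendation refresh is no older than 24 hours, as ISM-1698 requires, and lists the unresolved Service Health advisories and incidents that still need tenant-side action. The issue records are constructed samples whose field names follow the Microsoft Graph `serviceAnnouncement/issues` schema as an assumption; the timestamps and IDs are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph serviceAnnouncement/issues records.
# Field names are an assumption based on the Graph schema; IDs, titles and times are made up.
SAMPLE_ISSUES = [
    {"id": "EX000001", "classification": "advisory", "isResolved": False,
     "service": "Exchange Online", "title": "Advisory: mitigate mail flow exposure",
     "lastModifiedDateTime": "2023-09-12T06:30:00Z"},
    {"id": "MO000002", "classification": "incident", "isResolved": False,
     "service": "Microsoft 365 suite", "title": "Users may be unable to sign in",
     "lastModifiedDateTime": "2023-09-11T22:10:00Z"},
    {"id": "SP000003", "classification": "advisory", "isResolved": True,
     "service": "SharePoint Online", "title": "Resolved: search indexing delay",
     "lastModifiedDateTime": "2023-09-10T09:00:00Z"},
]

# Constructed "current time" so the example runs offline with a fixed result.
NOW = datetime(2023, 9, 12, 9, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps Graph returns into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def open_issues(issues, kinds=("advisory", "incident")):
    """Unresolved advisories/incidents that still need attention, newest first."""
    hits = [i for i in issues if not i.get("isResolved") and i.get("classification") in kinds]
    return sorted(hits, key=lambda i: parse_ts(i["lastModifiedDateTime"]), reverse=True)


def scan_is_current(last_refresh, now, max_age=timedelta(hours=24)):
    """ISM-1698 asks for at least daily scanning: the recommendation refresh must be <= 24 h old."""
    age = now - parse_ts(last_refresh)
    return timedelta(0) <= age <= max_age


def daily_check(issues, last_refresh, now):
    """Summary a scheduled job can write to a ticket or SIEM: scan recency plus open service issues."""
    hits = open_issues(issues)
    return {
        "scan_current": scan_is_current(last_refresh, now),
        "open_issue_ids": [i["id"] for i in hits],
        "open_advisories": sum(1 for i in hits if i["classification"] == "advisory"),
    }


if __name__ == "__main__":
    print(daily_check(SAMPLE_ISSUES, "2023-09-12T01:00:00Z", NOW))
```

A `scan_current` of `False` or a non-empty `open_issue_ids` is the condition on which the flow should raise a ticket to the security team distribution list.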