Microsoft 365 Security Assessment

Microsoft 365 Security Assessment FAQs

• What access is required?

  Minimum required permissions, confirmed during kickoff, following least privilege principles. 

• What is a Microsoft 365 Security Assessment?

  A read-only security review of your Microsoft 365 tenant that identifies configuration gaps, highlights risk areas, and provides a roadmap to improve security without changing anything. 

• Does the assessment make changes to our tenant?

  No. It uses read-only access and does not enforce policies, change settings, or impact users. You will authorize access through a Microsoft OAuth URL. 

• How does the assessment access our environment and is it secure?

  It connects using Microsoft's secure authentication model with limited, read-only permissions. No agents are installed. No credential are stored. No data leaves Microsoft 365. 

• What information does it review?

  Microsoft 365 security configuration including identity, access controls, email, and collaboration security settings. It does not read email content, files or user data. 

• What standards are used?

  Results are mapped to: 

  • CIS Controls
  • NIST Cybersecurity Framework
  • Microsoft security baselines

• Is this a penetration test or compliance audit?

  No. This is a security posture assessment focused on configuration and practical risk reduction. 

• Will this disrupt users or productivity?

  No. The assessment is automated and read-only. 

• What happens after the assessment?

  We review the results with you in an executive summary meeting and walk through findings and recommend next steps. You decide how and if you act.