All features Identity

Harden Microsoft 365 and Entra ID — read continuously

126 checks on MFA coverage, conditional access, legacy auth, risky sign-ins, external sharing, tenant hardening and identity hygiene (inactive users, stale guests, unused license seats), straight from the tenant.

Get started Run a free scan
126M365 checks
Entra+ Exchange
Livefrom tenant
microsoft-365-entra-assessment 126
MFAMFA coveragePASS
CONDConditional accessCHECK
LEGALegacy authFAIL
SHARSharingPASS
What we assess

The whole tenant, straight from Microsoft Graph

Connect once with a read-only app registration and SBCMSP runs 126 checks across identity, access, collaboration and tenant configuration — no agent, no mailbox content access, no standing admin.

Identity & MFA

MFA registration and enforcement, passwordless and self-service password reset adoption, weak SMS- and voice-only methods, and admins still missing phishing-resistant sign-in.

Conditional Access

Coverage gaps, sign-in- and user-risk policies, named locations, device-compliance requirements, report-only policies and risky exclusions — down to session token protection.

Legacy auth & risky sign-ins

Basic Auth, IMAP, POP and SMTP AUTH left open, plus risky sign-ins, risky users and leaked-credential detections surfaced by Entra ID Protection.

External sharing

Guest account sprawl and permissions, SharePoint and Teams external-sharing scope, anonymous links and their expiry, and guest-invitation restrictions.

Attack vectors — BEC & OAuth

Mailbox auto-forwarding and suspicious inbox rules, over-privileged OAuth consent grants, and dormant enabled accounts attackers quietly reuse.

Partner access — GDAP / DAP

Which Microsoft CSP partner holds delegated admin into the tenant, whether it uses least-privilege GDAP or legacy DAP, and credentials reused across the tenants you manage.

Beyond identity

Tenant hardening, end to end

The assessment reaches past sign-in into the settings that decide how far a compromise can travel — pulled live from Exchange, SharePoint, Teams, Defender, Purview and Intune.

Secure Score & benchmarks

Microsoft Secure Score alongside the specific control profiles pulling the number down — so the gap reads as a task list, not a grade.

Privileged access

Excessive Global Administrators, missing Privileged Identity Management, and privileged roles that were never reviewed for recent activity.

Defender for Office 365

Safe Links and Safe Attachments coverage, anti-phishing impersonation protection, Zero-hour Auto Purge, and an active attack-simulation program.

Microsoft Purview

Data Loss Prevention policy coverage, retention, published sensitivity labels, and insider-risk and communication-compliance posture.

Intune & app protection

Device-compliance policies, app-protection (MAM) policies for iOS and Android, and Conditional Access that actually requires a compliant device.

Audit & mailbox logging

Unified audit log status, per-mailbox auditing, and the admin-consent workflow that keeps shadow-IT app grants from slipping through.

How it connects

Connect once. Reassessed continuously.

Read-only Graph app

You grant a least-privilege, read-only app registration — Directory, Application, RoleManagement, Groups and read-only Mail, Files and Sites scopes. No agent to deploy, no password, no standing admin and no write access to the tenant.

Continuous assessment

Every scan re-reads the live tenant through Microsoft Graph and re-runs all 126 checks, so drift — a new risky app grant, a disabled policy, a fresh Global Admin — surfaces on the next pass instead of the next audit.

Prioritized findings

Findings land in the same queue as your external, endpoint and cloud results — ranked by real-world risk, paired with AI remediation guidance and mapped to your compliance frameworks.

Part of one platform

One finding, one fix, one report

Microsoft 365 / Entra Assessment is one piece of SBCMSP’s unified loop — every finding is prioritized by real-world risk, paired with AI remediation guidance, mapped to your frameworks and re-verified on the next scan.

  • KEV / EPSS-ranked severity
  • AI remediation guidance
  • Mapped to 10 frameworks
  • White-label client reporting
See the full platform
82
+27 pts
projected after top fixes

Run your first scan free

See a client’s real posture in minutes — then unlock all 1,658 checks.