The whole tenant, straight from Microsoft Graph
Connect once with a read-only app registration and SBCMSP runs 126 checks across identity, access, collaboration and tenant configuration — no agent, no mailbox content access, no standing admin.
Identity & MFA
MFA registration and enforcement, passwordless and self-service password reset adoption, weak SMS- and voice-only methods, and admins still missing phishing-resistant sign-in.
Conditional Access
Coverage gaps, sign-in- and user-risk policies, named locations, device-compliance requirements, report-only policies and risky exclusions — down to session token protection.
Legacy auth & risky sign-ins
Basic Auth, IMAP, POP and SMTP AUTH left open, plus risky sign-ins, risky users and leaked-credential detections surfaced by Entra ID Protection.
External sharing
Guest account sprawl and permissions, SharePoint and Teams external-sharing scope, anonymous links and their expiry, and guest-invitation restrictions.
Attack vectors — BEC & OAuth
Mailbox auto-forwarding and suspicious inbox rules, over-privileged OAuth consent grants, and dormant enabled accounts attackers quietly reuse.
Partner access — GDAP / DAP
Which Microsoft CSP partner holds delegated admin into the tenant, whether it uses least-privilege GDAP or legacy DAP, and credentials reused across the tenants you manage.