
In-depth M365 tenant assessment
Microsoft 365 Security Check
Microsoft 365 is the productivity core of most organisations and a frequent entry point for identity and data compromise. We assess your tenant configuration along the relevant pillars and deliver a prioritised report with concrete configuration recommendations.
Why the check is worthwhile
The default Microsoft 365 configuration is optimised for functionality, not for security. Drift tends to accumulate quietly, even in mature environments.
- Conditional Access policies whose effective behaviour nobody fully understands
- Service accounts without MFA
- OAuth applications that have accumulated broad permissions over time
- Defender for Office policies that have not kept pace with the current feature set
What we assess
Entra ID and authentication — MFA coverage, privileged roles, PIM configuration, authentication methods.
Conditional Access — paths, gaps, ordering, token lifetime, effectiveness per use case.
Defender for Office — Safe Attachments and Links, anti-phishing policies, quarantine strategy.
Exchange Online — mail flow rules, external sender banners, auditing setup.
Purview — DLP rules, Information Protection, Insider Risk.
OAuth consent model — inventory and evaluation of consent permissions granted to third-party applications.
Methodology and tooling
Data collection — automated collection via Microsoft Graph, strictly read-only. We provide the scripts; preparation on your side is limited to a small set of read-only roles.
Evaluation basis — Microsoft Secure Score, the CIS Microsoft 365 Benchmark and our operational baseline from regulated environments.
Contextual evaluation — findings are interpreted relative to your actual usage paths, not in the abstract.
What you receive after the check
The report is written so that the security function can act and the executive sponsor can understand the situation.
- A written report (PDF) with executive summary and a full finding list
- Risk-based prioritisation per finding
- Concrete configuration recommendations
- A 30/60/90-day proposal for remediation
- A walkthrough workshop
Phases
Scoping
Tenant overview, read-only roles, schedule
Data collection
Script-based collection via Graph, manual review
Analysis
Benchmark evaluation, contextualisation
Report & walkthrough
Delivery + workshop
Report typically within 10 business days after data collection is complete.
Pricing
Tier selected by tenant complexity.
Compact
Single tenant, compact setup
from €3,900
Standard
Complex tenant configuration, possibly hybrid AD
from €8,900
Enterprise
Multi-tenant structures, regulated industry
from €14,500
Indicative figures; final fixed price after scoping call.
Frequently asked questions
We are on E3 (not E5). Is the check still worthwhile?
Yes. The check evaluates what is actually activated under your current licence and whether the E3 protections are configured effectively. A common outcome is a substantiated upgrade recommendation – or confirmation that E3 is sufficient for your risk profile.
What permissions do you need in our tenant?
Read-only roles such as Global Reader, Security Reader and Exchange Recipient Administrator. Write permissions are not required. The full role specification is included in the scoping document.
Will the check disrupt our operations?
No. The check is strictly read-only. Scripts retrieve configuration data via Microsoft Graph without affecting policies or user sessions.
Will you access our email content?
No. We do not access mailbox content. We assess configurations, policies and auditing setup.
How does the check relate to NIS2?
Directly. M365 is the primary identity and collaboration platform in many in-scope organisations. The findings support the technical and organisational measures under Art. 21 (2) NIS2.
Will we receive a vulnerability list to escalate to Microsoft?
The check identifies misconfigurations in your tenant, not Microsoft platform vulnerabilities. Any item that requires a vendor escalation is documented in the report.
Get in touch
Does the check fit your M365 environment?
A scoping call is enough to align on tier and timing. No commitment up front.