Microsoft 365 Security Audit
Instant audit of your M365 tenant
50 controls across 5 categories, mapped to the CIS Microsoft 365 Foundations Benchmark v6.0.0. Read-only. No passwords. No agents installed.
Read-only permissions
Revocable in 30 seconds
No credentials exchanged
Standard OAuth2 consent
What we scan
- Identity & Access (15 controls): MFA, PIM, admins, risky users, guest hygiene, group governance
- Conditional Access (11 controls): MFA enforcement, legacy auth, risk policies, session controls, named locations
- Email Security (6 controls): SPF, DKIM, DMARC, MX routing, reporting, external forwarding
- Security Posture (7 controls): Secure Score, audit logging, OAuth grants, consent policy, app credentials
- Sharing & Collaboration (11 controls): SharePoint, OneDrive, link expiry, guest resharing, Teams, cross-tenant
Mapped to CIS M365 Foundations Benchmark v6.0.0 and Microsoft Zero Trust. All checks are read-only and require no agents.
What we request access to
- Directory.Read.All: Users, groups, roles, and domain information. No ability to read emails, files, or make any changes.
- AuditLog.Read.All & Reports.Read.All: Audit log availability and MFA registration status across all users.
- Policy.Read.All: Conditional Access policies, authentication methods, and authorization settings. Read-only, no changes possible.
- RoleManagement.Read.All: Privileged role assignments and PIM eligibility schedules. Used to audit Global Admin count, standing vs just-in-time access, and whether admin accounts are cloud-only.
- SecurityEvents.Read.All: Microsoft Secure Score: your tenant's security posture as rated by Microsoft itself.
- IdentityRiskyUser.Read.All: Users flagged at risk by Microsoft Identity Protection. Requires Entra ID P2 licence. Detects accounts with signs of active compromise.
- MailboxSettings.Read: Detects inbox rules that silently forward email to external addresses - a primary indicator of compromised accounts.
- SharePointTenantSettings.Read.All: SharePoint external sharing level and anonymous link configuration - detects overly permissive file sharing policies.
- TeamworkAppSettings.Read.All: Teams meeting policies and external access settings. Used to check whether anonymous users can join or start meetings.
Step 2: Admin Consent
Step 3: Run Security Scan
Admin consent has been granted. EXEO can now scan your tenant. The scan takes approximately 60–90 seconds and runs 50 controls across identity, Conditional Access, email security, security posture, and sharing and collaboration. Mapped to CIS M365 v6.0.0.
Step 4: Get your full report
Your data is processed in accordance with GDPR. We will only use it to send you your report.
Check your inbox
We've sent a confirmation link to your email.
Click it to access your full M365 security report.