I built a free, open-source M365 security assessment tool - looking for feedback
I work as an IT consultant, and a good chunk of my time is spent assessing Microsoft 365 environments for small and mid-sized businesses. Every engagement started the same way: connect to five different PowerShell modules, run dozens of commands across Entra ID, Exchange Online, Defender, SharePoint, and Teams, manually compare each setting against CIS benchmarks, then spend hours assembling everything into a report the client could actually read.

The tools that automate this either cost thousands per year, require standing up Azure infrastructure just to run, or only cover one service area. I wanted something simpler: one command that connects, assesses, and produces a client-ready deliverable. So I built it.

What M365 Assess does

https://github.com/Daren9m/M365-Assess is a PowerShell-based security assessment tool that runs against a Microsoft 365 tenant and produces a comprehensive set of reports. Here is what you get from a single run:

- 57 automated security checks aligned to the CIS Microsoft 365 Foundations Benchmark v6.0.1, covering Entra ID, Exchange Online, Defender for Office 365, SharePoint Online, and Teams
- 12 compliance frameworks mapped simultaneously -- every finding is cross-referenced against NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2, HIPAA, PCI DSS v4.0.1, CMMC 2.0, CISA SCuBA, and DISA STIG (plus CIS profiles for E3 L1/L2 and E5 L1/L2)
- 20+ CSV exports covering users, mailboxes, MFA status, admin roles, conditional access policies, mail flow rules, device compliance, and more
- A self-contained HTML report with an executive summary, severity badges, sortable tables, and a compliance overview dashboard -- no external dependencies, fully base64-encoded, just open it in any browser or email it directly

The entire assessment is read-only. It never modifies tenant settings. Only Get-* cmdlets are used.

A few things I'm proud of

Real-time progress in the console.
As the assessment runs, you see each check complete with live status indicators and timing. No staring at a blank terminal wondering if it hung.

The HTML report is a single file. Logos, backgrounds, fonts -- everything is embedded. You can email the report as an attachment and it renders perfectly. It supports dark mode (auto-detects system preference), and all tables are sortable by clicking column headers.

Compliance framework mapping. This was the feature that took the most work. The compliance overview shows coverage percentages across all 12 frameworks, with drill-down to individual controls. Each finding links back to its CIS control ID and maps to every applicable framework control.

Pass/Fail detail tables. Each security check shows the CIS control reference, what was checked, what the expected value is, what the actual value is, and a clear Pass/Fail/Warning status. Findings include remediation descriptions to help prioritize fixes.

Quick start

If you want to try it out, it takes about 5 minutes to get running:

    # Install prerequisites (if you don't have them already)
    Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser

    # Clone and run
    git clone https://github.com/Daren9m/M365-Assess.git
    cd M365-Assess
    .\Invoke-M365Assessment.ps1

The interactive wizard walks you through selecting assessment sections, entering your tenant ID, and choosing an authentication method (interactive browser login, certificate-based, or pre-existing connections). Results land in a timestamped folder with all CSVs and the HTML report.

Requires PowerShell 7.x and runs on Windows (macOS and Linux are experimental -- I would love help testing those platforms).

Cloud support

M365 Assess works with:

- Commercial (global) tenants
- GCC, GCC High, and DoD environments

If you work in government cloud, the tool handles the different endpoint URIs automatically.

What is next

This is actively maintained and I have a roadmap of improvements:

- More automated checks -- 140 CIS v6.0.1 controls are tracked in the registry, with 57 automated today. Expanding coverage is the top priority.
- Remediation commands -- PowerShell snippets and portal steps for each finding, so you can fix issues directly from the report.
- XLSX compliance matrix -- A spreadsheet export for audit teams who need to work in Excel.
- Standalone report regeneration -- Re-run the report from existing CSV data without re-assessing the tenant.

I would love your feedback

I have been building this for my own consulting work, but I think it could be useful to the broader community. If you try it, I would genuinely appreciate hearing:

- What checks should I prioritize next? Which security controls matter most in your environment?
- What compliance frameworks are most requested by your clients or auditors?
- How does the report land with non-technical stakeholders? Is the executive summary useful, or does it need work?
- macOS/Linux users -- does it run? What breaks? I have tested it on macOS, but not extensively.

Bug reports, feature requests, and contributions are all welcome on GitHub.

Repository: https://github.com/Daren9m/M365-Assess
License: MIT (free for commercial and personal use)
Runtime: PowerShell 7.x

Thanks for reading. Happy to answer any questions in the comments.

Disable incessant nagware popups
I don't know about everyone else, but I am sick and tired of the nagware pop ups in Word, Excel, PowerPoint, Outlook, etc. Every single product harasses me with pop ups trying to tell me "hey, did you know this feature was here?", "you can do this if you click that", "let me hold your hand through using products you've used for decades even though you don't want daddy Microslop to do that". This is a prime example. I keep getting the same ones again and again and again and everything I've read indicates they should only appear once. But they don't. They keep coming back like a psychotic stalker ex who wants alimony even though you were never married. How do I get this nagware to stop?!

Shortcuts appearing when using Option+arrow in Outlook on Chrome in Mac
I use Outlook on Chrome in my MacBook Pro. While typing an email, though, if I use Option+arrow left or right (to go back or forth between words), after a few words, the shortcut letters for the menus pop up, and stop what I'm doing. (See image.) It doesn't happen in any other window on Chrome. So it's not a Chrome thing. It's only when Outlook 365 is loaded. (Don't know if it happens in other 365 apps, as I only use Outlook, really.) Anyone experienced that? And, if so, is there a solution? I tried Outlook 365's setting, but nothing there. Thanks!

Locked Out of Global Admin – Lost Authenticator – Case 2602060010000939 – Need Escalation
I am locked out of my Global Administrator account because my phone broke on February 5, 2026 and I no longer have access to Microsoft Authenticator. There is no alternative authentication method configured. Case ID: 2602060010000939. I contacted support on February 6 and the ticket was set as Severity C with an 8-hour response expectation. After several days, I have only received generic replies and no contact from an engineer. This account is critical for my business operations, and I have now been without access for five days. I understand it was my responsibility to maintain backup methods, but I urgently need help from Microsoft to recover access. Please contact me.

Samuel Leo

IS EXCHANGE 2016 HYBRID STILL SUPPORTED?
IS EXCHANGE 2016 HYBRID STILL SUPPORTED as of January 2026? Pls advise if this statement is correct:

Exchange Server 2016 was supported for hybrid deployments with Exchange Online, but as of October 14, 2025, it is no longer supported by Microsoft, meaning no security updates, bug fixes, or technical support are provided. While hybrid prerequisites still technically list Exchange 2016, running it now carries security and compliance risks, and Microsoft recommends upgrading to a supported version such as Exchange Server Subscription Edition or moving fully to Exchange Online. Continuing to use Exchange 2016 in hybrid is possible, but unsupported, so for a secure and compliant hybrid setup, an upgrade or migration is strongly advised.

Outlook Classic for M365 - File > Encrypt > 'Encrypt-Only' option applies 'Do Not Forward' label?
I recently joined a new company and am helping support their M365 tenant and admin duties. I'm running into a very weird issue where no recipients can actually read/view the message when we encrypt emails using only 1 specific method (our organization largely uses the Outlook Classic for Microsoft 365 desktop app).

If a user follows this method, for some reason the 'Do Not Forward' label is applied to the encryption, despite specifically selecting 'Encrypt-Only' - it defaults to 'Do Not Forward' every single time:

New Email > File > Encrypt > Encrypt-Only

Sending emails with this method gives any/all recipients a "You don't have sufficient permissions to open the mail." regardless of where they try to open the email (OWA, Outlook Classic, New Outlook).

Yet, if the user tries this other method below - the proper Encrypt-Only label is applied, and any Outlook client immediately opens/views the email as you'd expect:

New Email > Options ribbon > Encrypt properly applies the Encrypt-Only label

I verified IRM (Identity Rights Management) is enabled for our tenant, and encryption tests pass with flying colors.

Ultimately, I'm at a loss for what's going on here and specifically where to check to fix this issue for this 1 specific encryption method. Poking around in the Purview portal, I'm having a hard time figuring out where these encryption policies/settings lie and how to get this method to stop defaulting to 'Do Not Forward' even though 'Encrypt-Only' is checked.

Does MC1189663 Impact Standard Power Automate Approvals?
Hi everyone,

After reviewing the change described in MC1189663 (retirement of external access tokens for actionable messages), I'm unsure whether this also affects the out-of-the-box Standard Approval action in Power Automate. My question is specifically about the default "Start and wait for an approval" / "Standard Approval" action with no special configuration. Does this change impact approval emails or actionable messages generated by the Standard Approval action for internal usage (mails to internal accounts), or will those continue to work without modification?

Thanks in advance for any clarification.

Rules for Outlook (new) makes no sense.
I have tried now to use the new version of Outlook for both private and work use. Whenever I set up rules in classic Outlook, I always had to add a sound notification or for it to show me a desktop alert. Because if I have a rule that says "If I receive e-mail from person X, move to folder Y" I do not get a notification, and I risk missing them (which has happened a lot previously). Imagine my shock when I see that the new version of Outlook has dumbed down the rules significantly and restricted me to how I can use them. Is there a reason why we cannot add "show desktop alert" or for it to play a sound in the "actions" tab? I do not understand why this feature was removed, as well as removing auto archiving. I just don't understand why! Will the option for adding desktop alerts and for it to play sounds be added in the future?

Outlook is sending duplicated mails
Hello dear Microsoft Community,

I've got the following problem: with one of our clients there is an issue with Outlook/mailing. The mailbox is IMAP. If he sends mails to someone, they'll receive the sent message like 20 times. The only suspicious thing is that we can see 3 duplicates of that mail in the 'sent' folder, but regardless it was received a lot more than 3 times, either way. Do you have an idea?

I already:

- updated Microsoft Windows & Microsoft Office 365
- made a new profile
- checked for Add-Ins or antivirus applications

I also looked it up on our firewall, and we also checked the log on the mailserver.

Greetings, and I'm looking forward to receiving some help from YOU

Title: Expose SHA-256 or SHA-1 for Mail Attachments in Microsoft Graph
Problem

Email attachments in Graph don’t include a content hash. To identify or match attachments, developers have to download the entire file first. That wastes bandwidth and time and increases exposure. OneDrive/SharePoint already return hashes, but mail does not, so experiences are inconsistent.

Request

Add a server-provided content hash to every mail attachment. Prefer SHA-256. If that’s not feasible initially, expose SHA-1 as a minimum to align with existing Drive item hashes.

Benefits

- Faster and cheaper: avoid downloading large files just to tell if you already have them.
- Deduplication: detect repeated attachments across threads and mailboxes.
- Security operations: correlate attachments with threat intel by hash and triage suspicious emails without fetching payloads.
- eDiscovery and compliance: confidently match the same document across mail and files.
- Consistency: a predictable, uniform approach across Mail and OneDrive/SharePoint.
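
The client-side workaround this request wants to avoid, as an added example (not part of the original post and not Microsoft code): hash each downloaded fileAttachment's `contentBytes`, then deduplicate and match against a hash list. It assumes message objects already fetched with their attachments expanded; the sample messages and the known-bad set are constructed, and the helper names are hypothetical.

```python
import base64
import hashlib
from collections import defaultdict

FILE_ATTACHMENT = "#microsoft.graph.fileAttachment"


def attachment_sha256(att):
    """SHA-256 hex of a fileAttachment's decoded contentBytes, else None."""
    if att.get("@odata.type") != FILE_ATTACHMENT or "contentBytes" not in att:
        return None  # item/reference attachments carry no inline bytes to hash
    raw = base64.b64decode(att["contentBytes"], validate=True)
    return hashlib.sha256(raw).hexdigest()


def index_attachments(messages):
    """Return ({digest: [(message id, name)]}, [(message id, name) not hashable])."""
    by_hash, skipped = defaultdict(list), []
    for msg in messages:
        for att in msg.get("attachments", []):
            digest = attachment_sha256(att)
            target = skipped if digest is None else by_hash[digest]
            target.append((msg["id"], att.get("name")))
    return by_hash, skipped


def duplicates(by_hash):
    """Digests seen on more than one attachment (same bytes, any file name)."""
    return {h: refs for h, refs in by_hash.items() if len(refs) > 1}


def intel_hits(by_hash, known_bad):
    """Attachments whose digest appears in a threat-intel hash set."""
    return {h: by_hash[h] for h in known_bad if h in by_hash}


def _file(name, data):
    # Builds a constructed fileAttachment in the JSON shape Graph returns.
    return {"@odata.type": FILE_ATTACHMENT, "name": name,
            "contentBytes": base64.b64encode(data).decode()}


# Constructed sample data: two messages, one repeated payload, one link attachment.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "attachments": [_file("invoice.pdf", b"constructed payload A")]},
    {"id": "msg-2", "attachments": [
        _file("invoice (copy).pdf", b"constructed payload A"),
        _file("notes.txt", b"constructed payload B"),
        {"@odata.type": "#microsoft.graph.referenceAttachment", "name": "shared.docx"},
    ]},
]
KNOWN_BAD = {hashlib.sha256(b"constructed payload A").hexdigest()}  # constructed

if __name__ == "__main__":
    idx, skipped = index_attachments(SAMPLE_MESSAGES)
    print("duplicates:", duplicates(idx))
    print("intel hits:", intel_hits(idx, KNOWN_BAD))
    print("not hashable client-side:", skipped)
```

Every digest here costs a full download of the attachment body, which is the bandwidth and exposure the post asks a server-provided hash to remove.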