I built a free, open-source M365 security assessment tool - looking for feedback
I work as an IT consultant, and a good chunk of my time is spent assessing Microsoft 365 environments for small and mid-sized businesses. Every engagement started the same way: connect to five different PowerShell modules, run dozens of commands across Entra ID, Exchange Online, Defender, SharePoint, and Teams, manually compare each setting against CIS benchmarks, then spend hours assembling everything into a report the client could actually read. The tools that automate this either cost thousands per year, require standing up Azure infrastructure just to run, or only cover one service area. I wanted something simpler: one command that connects, assesses, and produces a client-ready deliverable. So I built it. What M365 Assess does https://github.com/Daren9m/M365-Assess is a PowerShell-based security assessment tool that runs against a Microsoft 365 tenant and produces a comprehensive set of reports. Here is what you get from a single run: 57 automated security checks aligned to the CIS Microsoft 365 Foundations Benchmark v6.0.1, covering Entra ID, Exchange Online, Defender for Office 365, SharePoint Online, and Teams 12 compliance frameworks mapped simultaneously -- every finding is cross-referenced against NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2, HIPAA, PCI DSS v4.0.1, CMMC 2.0, CISA SCuBA, and DISA STIG (plus CIS profiles for E3 L1/L2 and E5 L1/L2) 20+ CSV exports covering users, mailboxes, MFA status, admin roles, conditional access policies, mail flow rules, device compliance, and more A self-contained HTML report with an executive summary, severity badges, sortable tables, and a compliance overview dashboard -- no external dependencies, fully base64-encoded, just open it in any browser or email it directly The entire assessment is read-only. It never modifies tenant settings. Only Get-* cmdlets are used. A few things I'm proud of Real-time progress in the console. As the assessment runs, you see each check complete with live status indicators and timing. No staring at a blank terminal wondering if it hung. The HTML report is a single file. Logos, backgrounds, fonts -- everything is embedded. You can email the report as an attachment and it renders perfectly. It supports dark mode (auto-detects system preference), and all tables are sortable by clicking column headers. Compliance framework mapping. This was the feature that took the most work. The compliance overview shows coverage percentages across all 12 frameworks, with drill-down to individual controls. Each finding links back to its CIS control ID and maps to every applicable framework control. Pass/Fail detail tables. Each security check shows the CIS control reference, what was checked, what the expected value is, what the actual value is, and a clear Pass/Fail/Warning status. Findings include remediation descriptions to help prioritize fixes. Quick start If you want to try it out, it takes about 5 minutes to get running: # Install prerequisites (if you don't have them already) Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser Clone and run git clone https://github.com/Daren9m/M365-Assess.git cd M365-Assess .\Invoke-M365Assessment.ps1 The interactive wizard walks you through selecting assessment sections, entering your tenant ID, and choosing an authentication method (interactive browser login, certificate-based, or pre-existing connections). Results land in a timestamped folder with all CSVs and the HTML report. Requires PowerShell 7.x and runs on Windows (macOS and Linux are experimental -- I would love help testing those platforms). Cloud support M365 Assess works with: Commercial (global) tenants GCC, GCC High, and DoD environments If you work in government cloud, the tool handles the different endpoint URIs automatically. What is next This is actively maintained and I have a roadmap of improvements: More automated checks -- 140 CIS v6.0.1 controls are tracked in the registry, with 57 automated today. Expanding coverage is the top priority. Remediation commands -- PowerShell snippets and portal steps for each finding, so you can fix issues directly from the report. XLSX compliance matrix -- A spreadsheet export for audit teams who need to work in Excel. Standalone report regeneration -- Re-run the report from existing CSV data without re-assessing the tenant. I would love your feedback I have been building this for my own consulting work, but I think it could be useful to the broader community. If you try it, I would genuinely appreciate hearing: What checks should I prioritize next? Which security controls matter most in your environment? What compliance frameworks are most requested by your clients or auditors? How does the report land with non-technical stakeholders? Is the executive summary useful, or does it need work? macOS/Linux users -- does it run? What breaks? I have tested it on macOS, but not extensively. Bug reports, feature requests, and contributions are all welcome on GitHub. Repository: https://github.com/Daren9m/M365-Assess License: MIT (free for commercial and personal use) Runtime: PowerShell 7.x Thanks for reading. Happy to answer any questions in the comments.Securing the Modern Workplace: Transitioning from Legacy Authentication to Conditional Access
Authored by: Gonzalo Brown Ruiz, Senior Microsoft 365 Engineer & Cloud Security Specialist Date: July 2025 Introduction In today’s threat landscape, legacy authentication is one of the weakest links in enterprise security. Protocols like POP, IMAP, SMTP Basic, and MAPI are inherently vulnerable — they don’t support modern authentication methods like MFA and are frequently targeted in credential stuffing and password spray attacks. Despite the known risks, many organizations still allow legacy authentication to persist for “just one app” or “just a few users.” This article outlines a real-world, enterprise-tested strategy for eliminating legacy authentication and implementing a Zero Trust-aligned Conditional Access model using Microsoft Entra ID. Why Legacy Authentication Must Die No support for MFA: Enables attackers to bypass the most critical security control Password spray heaven: Common vector for brute-force and scripted login attempts Audit blind spots: Limited logging and correlation in modern SIEM tools Blocks Zero Trust progress: Hinders enforcement of identity- and device-based policies Removing legacy auth isn’t a nice-to-have — it’s a prerequisite for a modern security strategy. Phase 1: Auditing Your Environment A successful transition starts with visibility. Before blocking anything, I led an environment-wide audit to identify: All sign-ins using legacy protocols (POP, IMAP, SMTP AUTH, MAPI) App IDs and service principals requesting basic auth Users with outdated clients (Office 2010/2013) Devices and applications integrated via PowerShell, Azure Sign-In Logs, and Workbooks Tools used: Microsoft 365 Sign-In Logs Conditional Access insights workbook PowerShell (Get-SignInLogs, Get-CASMailbox, etc.) Phase 2: Policy Design and Strategy The goal is not just to block — it’s to transform authentication securely and gradually. My Conditional Access strategy included: Blocking legacy authentication protocols while allowing scoped exceptions Report-only mode to assess potential impact Role-based access rules (admins, execs, vendors, apps) Geo-aware policies and MFA enforcement Service account handling and migration to Graph or Modern Auth-compatible apps Key considerations: Apps that support legacy auth only Delegates and shared mailbox access scenarios BYOD and conditional registration enforcement Phase 3: Staged Rollout and Enforcement A phased approach reduced friction: Pilot group enforcement (IT, InfoSec, willing users) Report-only monitoring across business units Clear communications to stakeholders and impacted users User education campaigns on legacy app retirement Gradual enforcement by department, geography, or risk tier We used Microsoft Entra’s built-in messaging and Service Health alerts to notify users of policy triggers. Phase 4: Monitoring, Tuning, and Incident Readiness Once policies were in place: Monitored Sign-in logs for policy match rates and unexpected denials Used Microsoft Defender for Identity to correlate legacy sign-in attempts Created alerts and response playbooks for blocked sign-in anomalies Results: 100% of all user and app traffic transitioned to Modern Auth Drastic reduction in brute force traffic from foreign IPs Fewer support tickets around password lockouts and MFA prompts Lessons Learned Report-only mode is your best friend. Avoids surprise outages. Communication beats configuration. Even a perfect policy fails if users are caught off guard. Legacy mail clients still exist in vendor tools and old mobile apps. Service accounts can break silently. Replace or modernize them early. CA exclusions are dangerous. Every exception must be time-bound and documented. Conclusion Eliminating legacy authentication is not just a policy update — it’s a cultural shift toward Zero Trust. By combining deep visibility, staged enforcement, and a user-centric approach, organizations can securely modernize their identity perimeter. Microsoft Entra Conditional Access is more than a policy engine — it is the architectural pillar of enterprise-grade identity security. Author’s Note: This article is based on my real-world experience designing and enforcing Conditional Access strategies across global hybrid environments with Microsoft 365 and Azure AD/Entra ID. Copyright © 2025 Gonzalo Brown Ruiz. All rights reserved.
A Method to track current and upcoming changes to M365 Products
Good evening (from Ireland at least), I've spent most of today traipsing down a variety of dead-ends and soon-to-be-discontinued features looking to create a useful location where I can find/send all new updates to products that I can peruse and ultimately highlight ones that may be of particular importance in my organisation. I've had a long chat with Copilot today and while I've made significant progress in some areas (had upwards of 30 great questions according to Copilot! ;P), when it comes to the final product, there's always some missing connector, or some RSS feed that is no longer supported. What I'm looking for here is any input on how you manage to stay ahead of changes and I'll share everything I'm doing and have learned as well, in the hope that the discussion is somewhat mutually beneficial. What I do: Message Centre: Manually check the Message Center (under Service Health in M365 Admin Center). You can sort by product here and by relevance which is quite handy. Link: https://admin.cloud.microsoft/?#/MessageCenter (Access to the M365 Admin Center on your tenant is required for this). Today I found out you can also send emails to yourself (and Teams channels) here so awaiting the next message to see if this has worked. Unfortunately, there doesn't seem to be a way of migrating past messages over so I'll have to go through these myself first. Road Maps: These have been the bane of my day. Currently, I actively check the road maps of the products I manage but going forward, I'd like to be able to track major changes to products used in my organisation so I can give users a heads up. I initially tried Power Automate to send updates to myself, however, it's not a feature widely used in our org yet and isn't well supported, so I wasn't too surprised when my efforts were blocked by existing policy. Not long after, I found RSS feeds, which seemed to be the answer to my problems. I created RSS Feeds for each of the Road Maps that I found useful, assured by Copilot that these would work. The assurance wasn't fell founded however as, true to form, once I showed Copilot by errors, they remembered that they were there all along! :') I'm yet to find a useful solution here beyond my current efforts so any assistance would be greatly appreciated. Community Blogs The final recommendation was these Community Blog posts which, to be fair, I've had immense success with to date. However, there is a slight issue with filtering. While I did finally get the RSS Feed to work on something (the Tech Comm M365 RSS Feed), it did then proceed to send me a mass of emails on every topic under the Sun & Moon. I've decided to return to the drawing board tomorrow with this, but I'm content in knowing that RSS isn't just a myth at least. I think what I'd like here is just to receive notifications when approved Blogs are posted (i.e., Monthly OneDrive Updates and the equivalent for other products). OneDrive Office Hours: This is a fansastic resource I do use every month as it gives you the opportunity to get in contact with the people who know the most about the product and the issues you're facing. I've spent weeks in a ticket before, only to raise it in one of these meetings and get a solution that took half an hour to set up. You'll get a yes or a no, but at least you'll have an answer. Copilot Chat: I don't have the full Copilot license because I haven't had a need for it yet. Everything I've wanted to do, I've been able to do in Copilot Chat. We haven't yet looked too much into Agents, and as a Public body, aren't going to rush into it until we know it's viable and can be supported. In the interim, I'm happy to test the waters with Copilot Chat asking it for Monthly Summaries on a variety of products, time frames, etc. It isn't perfect but it's faster than I am. It can find the sources for me and I can take it from there. As an organisation, we'll be pushing out all users on the most recent version (-1) on the Monthly Enterprise Channel. This means that they'll be supported whilst also being shielded from any brand new features. Our team will be on the most recent version and will be able to note any upcoming changes ahead of time. These are what I'm using so far but would be very grateful for any further input. Thanks in advance, Chris Martin
Migrating from Google Workspace with Multiple Domains
I am interested in switching from Google Workspace to Microsoft 365 for Business. For context, I just use this personally, but enjoy the custom email and control over my account. I want to switch over because the only product that I use is Gmail, and pay for an additional Microsoft 365 subscription. While I won't be saving any money, or the savings will be negligible, it would be nice to have everything in one ecosystem. I've looked over how to migrate just one domain, and that seems fairly straight forward. However, I am wondering how feasible it would be to transfer multiple domains, and to switch my primary domain. Below is the structure of my current Google Workspace domains: - domain1.com | This is used as my primary domain that I log into. Also serves as my primary email. - domain2.com | Used as an additional email alias for different purposes. Not used for logging in. - domain3.com | Used as an additional email alias for different purposes. Not used for logging in. If I wanted to keep domain1.com as my primary domain, I assume that I would do the standard migration and then add domain2.com and domain3.com as additional email aliases. However, I want to switch my primary domain in Microsoft 365 to domain2.com. Is there any way to migrate emails from Google Workspace that's on domain1.com --> domain2.com via Microsoft 365 and make domain2.com the primary domain? I know that this is a lot, so please ask for clarification if needed. Thanks!
No labs for MB-500 in skillable and xtreme labs (for all MB series)
Hi, From past few months, we are unable to find the labs for MB-500. It's causing us trouble to do the trainings. Skillable and Xtreme labs providers are saying there is a problem from Microsoft end only. Kindly advise us when can we get the labs available.
What is the best way to collaborate between two organizations with Teams?
Hello, I have a Microsoft 365 Business Standard account, and I am the administrator (currently, my Microsoft 365 organization only has one account, mine). I want to configure my Teams account to collaborate with members of another organization who also use Microsoft 365 Business. I have tried several solutions, without success. My goal is to be able to chat online, schedule and organize virtual meetings, and share documents online with members of the other organization via Teams. What is the best way to set up simple and intuitive collaboration between two organizations using Microsoft 365 Business? Thank you in advance for your help.
