I built a free, open-source M365 security assessment tool - looking for feedback
I work as an IT consultant, and a good chunk of my time is spent assessing Microsoft 365 environments for small and mid-sized businesses. Every engagement started the same way: connect to five different PowerShell modules, run dozens of commands across Entra ID, Exchange Online, Defender, SharePoint, and Teams, manually compare each setting against CIS benchmarks, then spend hours assembling everything into a report the client could actually read. The tools that automate this either cost thousands per year, require standing up Azure infrastructure just to run, or only cover one service area. I wanted something simpler: one command that connects, assesses, and produces a client-ready deliverable. So I built it. What M365 Assess does https://github.com/Daren9m/M365-Assess is a PowerShell-based security assessment tool that runs against a Microsoft 365 tenant and produces a comprehensive set of reports. Here is what you get from a single run: 57 automated security checks aligned to the CIS Microsoft 365 Foundations Benchmark v6.0.1, covering Entra ID, Exchange Online, Defender for Office 365, SharePoint Online, and Teams 12 compliance frameworks mapped simultaneously -- every finding is cross-referenced against NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2, HIPAA, PCI DSS v4.0.1, CMMC 2.0, CISA SCuBA, and DISA STIG (plus CIS profiles for E3 L1/L2 and E5 L1/L2) 20+ CSV exports covering users, mailboxes, MFA status, admin roles, conditional access policies, mail flow rules, device compliance, and more A self-contained HTML report with an executive summary, severity badges, sortable tables, and a compliance overview dashboard -- no external dependencies, fully base64-encoded, just open it in any browser or email it directly The entire assessment is read-only. It never modifies tenant settings. Only Get-* cmdlets are used. A few things I'm proud of Real-time progress in the console. As the assessment runs, you see each check complete with live status indicators and timing. No staring at a blank terminal wondering if it hung. The HTML report is a single file. Logos, backgrounds, fonts -- everything is embedded. You can email the report as an attachment and it renders perfectly. It supports dark mode (auto-detects system preference), and all tables are sortable by clicking column headers. Compliance framework mapping. This was the feature that took the most work. The compliance overview shows coverage percentages across all 12 frameworks, with drill-down to individual controls. Each finding links back to its CIS control ID and maps to every applicable framework control. Pass/Fail detail tables. Each security check shows the CIS control reference, what was checked, what the expected value is, what the actual value is, and a clear Pass/Fail/Warning status. Findings include remediation descriptions to help prioritize fixes. Quick start If you want to try it out, it takes about 5 minutes to get running: # Install prerequisites (if you don't have them already) Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser Clone and run git clone https://github.com/Daren9m/M365-Assess.git cd M365-Assess .\Invoke-M365Assessment.ps1 The interactive wizard walks you through selecting assessment sections, entering your tenant ID, and choosing an authentication method (interactive browser login, certificate-based, or pre-existing connections). Results land in a timestamped folder with all CSVs and the HTML report. Requires PowerShell 7.x and runs on Windows (macOS and Linux are experimental -- I would love help testing those platforms). Cloud support M365 Assess works with: Commercial (global) tenants GCC, GCC High, and DoD environments If you work in government cloud, the tool handles the different endpoint URIs automatically. What is next This is actively maintained and I have a roadmap of improvements: More automated checks -- 140 CIS v6.0.1 controls are tracked in the registry, with 57 automated today. Expanding coverage is the top priority. Remediation commands -- PowerShell snippets and portal steps for each finding, so you can fix issues directly from the report. XLSX compliance matrix -- A spreadsheet export for audit teams who need to work in Excel. Standalone report regeneration -- Re-run the report from existing CSV data without re-assessing the tenant. I would love your feedback I have been building this for my own consulting work, but I think it could be useful to the broader community. If you try it, I would genuinely appreciate hearing: What checks should I prioritize next? Which security controls matter most in your environment? What compliance frameworks are most requested by your clients or auditors? How does the report land with non-technical stakeholders? Is the executive summary useful, or does it need work? macOS/Linux users -- does it run? What breaks? I have tested it on macOS, but not extensively. Bug reports, feature requests, and contributions are all welcome on GitHub. Repository: https://github.com/Daren9m/M365-Assess License: MIT (free for commercial and personal use) Runtime: PowerShell 7.x Thanks for reading. Happy to answer any questions in the comments.
Ugly Defender awareness training screen
I want to use the extensive training material available from the E5 licenses we just shelled out a boat load of $$ for. However, when someone gets an invite and they click the link to do the training they are taken to the Defender page. This might be fine for a technical person but its ugly as F for my users. Plus, there is extra rubbish like Threat Intelligence, Trials, Reports, settings etc they can access that I don't want them too. This is not a very polished interface for non-technical people. Is there a way to fix this? Can it send them the direct training URL, so it just opens the training and not the defender page from them to open the video? Can we do a custom landing page but put the assigned training URLs into that? This is ugly there has to be a way to make this more user friendly.How to Check if Shared Mailboxes Need MDO Licenses
Shared mailboxes might need Microsoft Defender for Office 365 licenses, but how do you identify how many licenses? We use PowerShell to do the job by analyzing external email sent to shared mailboxes. If a mailbox receives external email, then by definition the mailbox receives benefit from MDO, and that’s the test for requiring a license. https://office365itpros.com/2025/11/25/microsoft-defender-for-office-365-3/Microsoft Issues Updated Guidance for Defender for Office 365 Licensing
Some inconsistencies in the MDO P2 service description and licensing terms exposed a need for tenants to license every user and shared mailboxes. Microsoft has changed the service description and licensing terms to make them simpler. Mailboxes still need MDO licenses, but only if they benefit from MDO protection, including MDO P2 if that’s what they use. Tenant admins have some extra work to do to deploy policies. All explained here. https://office365itpros.com/2025/10/31/mdo-p2-licensing/
Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have following requirements. DLP policies configuration at Exchange, OneDrive, SharePoint BYOD security Users should not be able to send files outside the org And so on as we evaluate We already have M365 Business Premium. However, after researching we figured out that M365 Business premium will alone not solve our requirements. May be compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is, Is there a way to solve the above scenario?Poor reporting capability
I'm finding the flexibility of exchange online protection and reporting in general to be terrible. I'm trying to get a report of cases where people have clicked a link that was later determined to be malicious. Including links, we have manually determined to be malicious and later zapped those emails. I have kind of done this in threat hunting however I need to run a query that starts older than the 30 days in threat hunting. Of course I don't have these going into sentinel or anything, so the data is gone. Someone suggested reports but I can see how or if there even is a way to report clicks on malicious links (based on them being later determined to be malicious and zapped). Any suggestions?Extract user access to Cloud Apps categories.
I’m having some issues with getting report data out of Defender for Cloud App. Short version is I want to get a report (or at the very least an export) of all users accessing sites in the Generative AI category. I can do this manually by following these steps: Open Cloud Discovery Click Discovered apps Enter Gnerative AI in the browser by category I now get a list of discovered sites but to get a list of users who have accessed them I have to: Click each app one at a time In each click Cloud app usage Click Users And finally export all users Imagine how long with would take for a category that has a high amount of usage and how inefficient this would be to provide monthly reporting. I tried to find a way to see in one step user activity for one Cloud App category, but I cannot. Any idea?Cloud app conditional access exceptions
I have a lot of issues with attackers coming from VPN and anonymous IP's. Im trialing a Conditional Access policy to apply Conditional Access App Control. Ive created a Cloud App, Access Policy to blocks using IP address, Category, equals and listing a few categories like VPN and Risky. Then another Access policy to block IP address, Tag, equals Tor, Anonymous, Random, Botnet etc. Testing shows this works. But I've been asked what if we wanted to allow a specific service like NordVPN. How can I achieve this?
SPF, DKIM and DMARC bypassed for guest users
I manage a small non-profit using Microsoft 365 Business Basic. Most of the people on our board of directors are added as unlicensed guest users so that they can participate in Teams chats and meetings and to access our Sharepoint without using up a license. The problem: any email sent from an internal licensed user (or shared mailbox) to one of these guest users completely bypasses our domain's SPF, DKIM and DMARC configuration, resulting in bounced emails (particularly for recipients using gmail). Mail sent from an internal licensed user to any external address NOT registered as a guest user correctly passes SPF, DKIM and DMARC checks. I gather that this is because guest users are viewed as "internal" despite having external email addresses, but it seems like a serious limitation if I cannot reliably send email to anyone who is a guest user. Is there any extra configuration I can do to enable SPF, DKIM and DMARC for email to guest users?
