I built a free, open-source M365 security assessment tool - looking for feedback
I work as an IT consultant, and a good chunk of my time is spent assessing Microsoft 365 environments for small and mid-sized businesses. Every engagement started the same way: connect to five different PowerShell modules, run dozens of commands across Entra ID, Exchange Online, Defender, SharePoint, and Teams, manually compare each setting against CIS benchmarks, then spend hours assembling everything into a report the client could actually read. The tools that automate this either cost thousands per year, require standing up Azure infrastructure just to run, or only cover one service area. I wanted something simpler: one command that connects, assesses, and produces a client-ready deliverable. So I built it. What M365 Assess does https://github.com/Daren9m/M365-Assess is a PowerShell-based security assessment tool that runs against a Microsoft 365 tenant and produces a comprehensive set of reports. Here is what you get from a single run: 57 automated security checks aligned to the CIS Microsoft 365 Foundations Benchmark v6.0.1, covering Entra ID, Exchange Online, Defender for Office 365, SharePoint Online, and Teams 12 compliance frameworks mapped simultaneously -- every finding is cross-referenced against NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2, HIPAA, PCI DSS v4.0.1, CMMC 2.0, CISA SCuBA, and DISA STIG (plus CIS profiles for E3 L1/L2 and E5 L1/L2) 20+ CSV exports covering users, mailboxes, MFA status, admin roles, conditional access policies, mail flow rules, device compliance, and more A self-contained HTML report with an executive summary, severity badges, sortable tables, and a compliance overview dashboard -- no external dependencies, fully base64-encoded, just open it in any browser or email it directly The entire assessment is read-only. It never modifies tenant settings. Only Get-* cmdlets are used. A few things I'm proud of Real-time progress in the console. As the assessment runs, you see each check complete with live status indicators and timing. No staring at a blank terminal wondering if it hung. The HTML report is a single file. Logos, backgrounds, fonts -- everything is embedded. You can email the report as an attachment and it renders perfectly. It supports dark mode (auto-detects system preference), and all tables are sortable by clicking column headers. Compliance framework mapping. This was the feature that took the most work. The compliance overview shows coverage percentages across all 12 frameworks, with drill-down to individual controls. Each finding links back to its CIS control ID and maps to every applicable framework control. Pass/Fail detail tables. Each security check shows the CIS control reference, what was checked, what the expected value is, what the actual value is, and a clear Pass/Fail/Warning status. Findings include remediation descriptions to help prioritize fixes. Quick start If you want to try it out, it takes about 5 minutes to get running: # Install prerequisites (if you don't have them already) Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser Clone and run git clone https://github.com/Daren9m/M365-Assess.git cd M365-Assess .\Invoke-M365Assessment.ps1 The interactive wizard walks you through selecting assessment sections, entering your tenant ID, and choosing an authentication method (interactive browser login, certificate-based, or pre-existing connections). Results land in a timestamped folder with all CSVs and the HTML report. Requires PowerShell 7.x and runs on Windows (macOS and Linux are experimental -- I would love help testing those platforms). Cloud support M365 Assess works with: Commercial (global) tenants GCC, GCC High, and DoD environments If you work in government cloud, the tool handles the different endpoint URIs automatically. What is next This is actively maintained and I have a roadmap of improvements: More automated checks -- 140 CIS v6.0.1 controls are tracked in the registry, with 57 automated today. Expanding coverage is the top priority. Remediation commands -- PowerShell snippets and portal steps for each finding, so you can fix issues directly from the report. XLSX compliance matrix -- A spreadsheet export for audit teams who need to work in Excel. Standalone report regeneration -- Re-run the report from existing CSV data without re-assessing the tenant. I would love your feedback I have been building this for my own consulting work, but I think it could be useful to the broader community. If you try it, I would genuinely appreciate hearing: What checks should I prioritize next? Which security controls matter most in your environment? What compliance frameworks are most requested by your clients or auditors? How does the report land with non-technical stakeholders? Is the executive summary useful, or does it need work? macOS/Linux users -- does it run? What breaks? I have tested it on macOS, but not extensively. Bug reports, feature requests, and contributions are all welcome on GitHub. Repository: https://github.com/Daren9m/M365-Assess License: MIT (free for commercial and personal use) Runtime: PowerShell 7.x Thanks for reading. Happy to answer any questions in the comments.
Disable incessant nagware popups
I don't know about everyone else, but I am sick and tired of the nagware pop ups in Word, Excel, PowerPoint, Outlook, etc. Every single product harasses me with pop ups trying to tell me "hey, did you know this feature was here?", "you can do this if you click that", "let me hold your hand through using products you've used for decades even though you don't want daddy Microslop to do that". This is a prime example. I keep getting the same ones again and again and again and everything I've read indicates they should only appear once. But they don't. They keep coming back like a psychotic stalker ex who wants alimony even though you were never married. How do I get this nagware to stop?!How to Remove Sensitivity Labels from SharePoint Files at Scale
It’s easy to remove sensitivity labels from SharePoint Online files when only a few files are involved. Doing the same task at scale requires automation. In this article, we explain how to use the Microsoft Graph PowerShell SDK to find and remove sensitivity labels from files stored in SharePoint Online and OneDrive for Business. https://office365itpros.com/2026/03/10/remove-sensitivity-labels-from-file/How to Test a File Against DLP Sensitive Information Types
Sensitive Information types (SITs) are definitions of data like credit card numbers used by DLP rules to detect potential external sharing violations. Knowing what SIT to use in a DLP rule is often difficult, which is why the Purview developers have added a test option to allow tenants to test files against individual SITs or all SITs to see what happens. https://office365itpros.com/2026/03/04/sensitive-information-type-test/Securing the Modern Workplace: Transitioning from Legacy Authentication to Conditional Access
Authored by: Gonzalo Brown Ruiz, Senior Microsoft 365 Engineer & Cloud Security Specialist Date: July 2025 Introduction In today’s threat landscape, legacy authentication is one of the weakest links in enterprise security. Protocols like POP, IMAP, SMTP Basic, and MAPI are inherently vulnerable — they don’t support modern authentication methods like MFA and are frequently targeted in credential stuffing and password spray attacks. Despite the known risks, many organizations still allow legacy authentication to persist for “just one app” or “just a few users.” This article outlines a real-world, enterprise-tested strategy for eliminating legacy authentication and implementing a Zero Trust-aligned Conditional Access model using Microsoft Entra ID. Why Legacy Authentication Must Die No support for MFA: Enables attackers to bypass the most critical security control Password spray heaven: Common vector for brute-force and scripted login attempts Audit blind spots: Limited logging and correlation in modern SIEM tools Blocks Zero Trust progress: Hinders enforcement of identity- and device-based policies Removing legacy auth isn’t a nice-to-have — it’s a prerequisite for a modern security strategy. Phase 1: Auditing Your Environment A successful transition starts with visibility. Before blocking anything, I led an environment-wide audit to identify: All sign-ins using legacy protocols (POP, IMAP, SMTP AUTH, MAPI) App IDs and service principals requesting basic auth Users with outdated clients (Office 2010/2013) Devices and applications integrated via PowerShell, Azure Sign-In Logs, and Workbooks Tools used: Microsoft 365 Sign-In Logs Conditional Access insights workbook PowerShell (Get-SignInLogs, Get-CASMailbox, etc.) Phase 2: Policy Design and Strategy The goal is not just to block — it’s to transform authentication securely and gradually. My Conditional Access strategy included: Blocking legacy authentication protocols while allowing scoped exceptions Report-only mode to assess potential impact Role-based access rules (admins, execs, vendors, apps) Geo-aware policies and MFA enforcement Service account handling and migration to Graph or Modern Auth-compatible apps Key considerations: Apps that support legacy auth only Delegates and shared mailbox access scenarios BYOD and conditional registration enforcement Phase 3: Staged Rollout and Enforcement A phased approach reduced friction: Pilot group enforcement (IT, InfoSec, willing users) Report-only monitoring across business units Clear communications to stakeholders and impacted users User education campaigns on legacy app retirement Gradual enforcement by department, geography, or risk tier We used Microsoft Entra’s built-in messaging and Service Health alerts to notify users of policy triggers. Phase 4: Monitoring, Tuning, and Incident Readiness Once policies were in place: Monitored Sign-in logs for policy match rates and unexpected denials Used Microsoft Defender for Identity to correlate legacy sign-in attempts Created alerts and response playbooks for blocked sign-in anomalies Results: 100% of all user and app traffic transitioned to Modern Auth Drastic reduction in brute force traffic from foreign IPs Fewer support tickets around password lockouts and MFA prompts Lessons Learned Report-only mode is your best friend. Avoids surprise outages. Communication beats configuration. Even a perfect policy fails if users are caught off guard. Legacy mail clients still exist in vendor tools and old mobile apps. Service accounts can break silently. Replace or modernize them early. CA exclusions are dangerous. Every exception must be time-bound and documented. Conclusion Eliminating legacy authentication is not just a policy update — it’s a cultural shift toward Zero Trust. By combining deep visibility, staged enforcement, and a user-centric approach, organizations can securely modernize their identity perimeter. Microsoft Entra Conditional Access is more than a policy engine — it is the architectural pillar of enterprise-grade identity security. Author’s Note: This article is based on my real-world experience designing and enforcing Conditional Access strategies across global hybrid environments with Microsoft 365 and Azure AD/Entra ID. Copyright © 2025 Gonzalo Brown Ruiz. All rights reserved.Building Enterprise-Grade DLP with Microsoft Purview in Hybrid & Multi-Cloud Environments
Authored by: Gonzalo Brown Ruiz, Senior Microsoft 365 Engineer & Cloud Security Specialist Date: July 2025 Introduction Data is the lifeblood of every modern organization, yet it remains one of the most exposed assets. As organizations embrace hybrid and multi-cloud models, traditional endpoint or email-only DLP solutions no longer provide sufficient protection. The explosion of data across Exchange, SharePoint, Teams, OneDrive, and third-party SaaS applications introduces new risks and compliance challenges. Microsoft Purview Data Loss Prevention (DLP) provides a powerful solution that unifies data governance, sensitivity labeling, and policy enforcement across your cloud ecosystem. However, building an enterprise-grade DLP strategy goes far beyond enabling policies. Why Traditional DLP Fails in Modern Environments Traditional DLP approaches often: Protect only endpoints or email without covering cloud services Lack integration with data classification and labeling frameworks Generate excessive false positives due to generic rule sets Create operational friction for end users In hybrid environments with Teams, SharePoint, and OneDrive, these limitations lead to fragmented coverage, compliance blind spots, and user workarounds that expose sensitive data. The Microsoft Purview Advantage Microsoft Purview DLP offers: Unified policy management across Exchange Online, SharePoint, Teams, and OneDrive Integration with Sensitivity Labels for data classification and encryption Real-time policy tips that educate users without blocking productivity Built-in compliance manager integration for audit readiness When architected properly, Purview becomes a strategic enabler of data governance and compliance rather than just a security checkbox. Key Components of an Enterprise-Grade DLP Strategy 1. Data Classification and Labeling Implement Sensitivity Labels with auto-labeling policies to classify and protect sensitive data at scale. 2. Policy Scoping and Exceptions Handling Design DLP policies that balance security with operational needs, incorporating exceptions for justified business processes. 3. Insider Risk Management Integration Correlate DLP events with insider risk signals to identify intentional or accidental data misuse. 4. Audit, Reporting, and Compliance Evidence Configure alerting, detailed reporting, and data residency mapping to fulfill regulatory and internal audit requirements. Implementation Framework: Your Step-by-Step Guide 1. Preparation Conduct a data inventory and sensitivity assessment Identify regulatory and contractual compliance obligations Engage business stakeholders for adoption readiness 2. Pilot Deployment Roll out policies to a controlled user group Review policy matches and refine rules to minimize false positives Provide targeted user training on policy tips and data handling expectations 3. Full Deployment Scale DLP policies across workloads (Exchange, SharePoint, Teams, OneDrive) Implement automated remediation actions with user notifications and audit logs 4. Optimization and Continuous Improvement Review policy match reports regularly to fine-tune thresholds and rules Incorporate feedback from security, compliance, and end users Integrate with eDiscovery workflows for legal readiness Best Practices and Lessons Learned Start with monitor-only policies to baseline activity before enforcing blocks Combine DLP with Sensitivity Labels and encryption policies for holistic protection Regularly educate users on data classification and handling standards Create clear governance structures for DLP ownership and policy management Balance security controls with user productivity to avoid shadow IT workarounds Conclusion Data Loss Prevention is no longer optional – it is a critical enabler of trust, compliance, and operational excellence. By architecting Microsoft Purview DLP as part of an enterprise data governance strategy, organizations can protect their most valuable asset – data – while empowering users to work securely and efficiently. Author’s Note: This article is based on my extensive professional experience designing and implementing Microsoft Purview DLP solutions for global enterprises across hybrid and multi-cloud environments. Copyright © 2025 Gonzalo Brown Ruiz. All rights reserved.How to Report Adaptive Scope Membership
The Get-AdaptiveScopeMembers cmdlet reveals details of adaptive scope membership to make it possible to report this information programmatically. The task is not as simple as you might imagine. Summary records must be separated from member records, which can reflect add or remove operations. And there’s the question of pagination for large adaptive scope. All explained here with a PowerShell script to help. https://office365itpros.com/2026/02/09/adaptive-scope-membership/PAYG Services Like Purview DSI Can Rack Up Large Charges
Microsoft offers several PAYG services to Microsoft 365 tenants. Data Security Investigations (DSI) is the newest. These services can rack up compute charges to perform processing (in the case of DSI, AI processing of items found in Microsoft 365 sources). If tenants don’t take care, they might end up with big Azure bills. Be aware, prepare, measure, and minimize processing to avoid large charges. https://office365itpros.com/2026/02/04/dsi-costs-compute/
Purview eDiscovery Simplifies Content Searches in February 2026
As part of the modernization of the Purview eDiscovery solution, Microsoft will simplify the content searches UX in February 2026 to remove features that are inappropriate for the way that content searches are intended to be used. The change is logical and reasonable because you should use a full eDiscovery case to access all the eDiscovery functionality. https://office365itpros.com/2026/01/15/content-searches-change/
