Your Environment At a Glance

Start here: who this tenant is, what is in scope, and what the current operating baseline looks like.

Customer Environment

Contoso Corporation

Tenant ID: a1b2c3d4-e5f6-7890-abcd-ef1234567890 · 3 verified domains · Evidence confidence: Strong
Verified domains: contoso.onmicrosoft.com, contoso.com, contoso.mail.onmicrosoft.com
Collected Mar 08, 2026 05:26
Assessment Ref 20260308
Assessment Period March 1, 2026 to March 8, 2026
Endpoint Checks 49/49
Environment Scope

What was assessed, what data landed, and where coverage stops in this run.

Platforms in scope
  • Microsoft Entra ID
  • Microsoft 365 Collaboration
  • Intune / Endpoint
  • Defender Security
  • Azure Resource Manager
Collections landed
  • Verified domains: 3 active
  • Endpoint checks: 49/49 returned
  • Permission scopes: 11/11 granted
  • Payload families: 21/21 landed
  • Identity: 17 checks
  • Security: 8 checks
Coverage limits
  • On-prem Active Directory not included in this run.
  • No major permission or consent gaps detected.
  • Collected surfaces with missing data will appear later as not assessed.
Security Posture
Secure Score 56.7% (Grade F)

  • Secure Score: 56.7% (target 80%)
  • MFA (Users): 94.0% (target 95%)
  • MFA (Admins): 100.0% (target 100%)
  • Device Compliance: 96.7% (target 95%)
  • Endpoint Coverage: 100.0% (target 100%)
Assessment Coverage

Strong collection confidence

Endpoint checks: 49/49 · Scopes with data: 11/11 · Permission gaps: 0

This snapshot is backed by broad collection coverage with no major permission gaps in the current run.

  • Endpoint collection: 100.0% (49/49 checks returned)
  • Permission scopes: 100.0% (11/11 scopes returned data)
  • Payload coverage: 100.0% (21/21 endpoints produced payloads)
  • Users: 150
  • Privileged Admins: 7
  • Devices: 150
  • Endpoint Coverage: 100.0%
  • Evidence Confidence: Strong
Current Risks

Core posture metrics for immediate leadership triage.

Critical Risks
2
High Risks
54
Total Risks
129
Secure Score
56.7%
MFA (Users / Admins)
94.0% / 100.0%
Device Compliance
96.7%
Top 5 Action Items

Condensed owner-ready actions ranked by urgency and impact.

01

NSG Rules Allow All Inbound Traffic

Critical
Owner: Cloud/Network Team · Due: Mar 15, 2026 · Effort: 4 hours

NSG Rules Allow All Inbound Traffic indicates a measurable identity governance risk that should be remediated.

02

Critical Security Configuration Gaps Require Action

Critical
Owner: Security Operations · Due: Mar 15, 2026 · Effort: 4 hours
03

Legacy Authentication Not Blocked

High
Owner: Identity Team · Due: Mar 15, 2026 · Effort: 4 hours

Legacy authentication protocols (like IMAP, POP3, and SMTP) bypass modern security controls including MFA, making them a prime ta...

04

Legacy Authentication Sign-Ins Detected

High
Owner: Identity Team · Due: Mar 15, 2026 · Effort: 4 hours

Legacy Authentication Sign-Ins Detected indicates a measurable identity governance risk that should be remediated.

05

40 Users Not Covered by MFA Policy

High
Owner: Identity Team · Due: Mar 15, 2026 · Effort: 2 hours

40 users (26.7% of your workforce) are not targeted by any Conditional Access policy that requires MFA.

On-Prem Expansion Path

Cloud risk is incomplete without AD path telemetry. This is the fastest route to full hybrid coverage.

What You Unlock

  • Tier-0 privilege exposure and delegated abuse paths
  • LDAP/NTLM/Kerberos misconfiguration telemetry
  • Trust-path and lateral movement risk chains

Immediate Next Step

Download the collector and run it on a domain-joined host to generate the on-prem Active Directory extension pack.

PS> .\Invoke-SecurityCollection.ps1 -OutputPath .\results
Cost Optimization Snapshot

Executive view of cloud cost reduction opportunity and immediate actions.

Potential Annual Savings
$0
Potential Monthly Savings
$0
Optimization Score
N/A
Target Reduction
N/A
Assessment Run Cost
$0.0098 (49 calls)

What This Means

Cost optimization dataset is limited; run FinOps collection for quantified savings opportunities.

Maturity tier: Not Assessed.

Top Cost Actions

  1. Cache ARM NSG queries between runs to reduce ARM costs.
  2. Review retry budgets and cache hot endpoints to reduce call volume.

Run Validation & Evidence

Simple breakdown: Consent scopes are app access grants, exercised scopes are scopes used by this run's active checks, endpoint payload checks confirm data returned, and collector checks are transport/execution checks.

Report Run
Mar 08, 2026 05:26
Local timezone
Consent Scopes
45
42 Graph + 3 Defender
Exercised Scopes
11/11
100%
Payload Checks
21/21
100%
Collector Checks
49/49
100%
Confidence
High
Scopes missing: 0 · Payload checks missing: 0 · Collector checks missing: 0 · Confidence: High
Permission Scope Matrix (11/11 fully granted + collected)

Permission Scope | Endpoint Checks | Access State | Data State | Detail
DeviceManagementManagedDevices.Read.All | 1 | Granted | Collected | Device Compliance
IdentityRiskyUser.Read.All | 1 | Granted | Collected | Risky Users
Policy.Read.All | 1 | Granted | Collected | Conditional Access
Reader (ARM) | 8 | Granted | Collected | Network Security Groups, Storage Accounts, Key Vaults (+5 more)
Reports.Read.All | 1 | Granted | Collected | MFA Coverage
RoleManagement.Read.All | 1 | Granted | Collected | Privileged Accounts
SecurityEvents.Read.All | 4 | Granted | Collected | Secure Score, Security Alerts, Secure Score Controls (+1 more)
SecurityRecommendation.Read.All (WindowsDefenderATP) | 1 | Granted | Collected | Defender TVM Recommendations
Software.Read.All (WindowsDefenderATP) | 1 | Granted | Collected | Defender Software Inventory
User.Read.All | 1 | Granted | Collected | User Summary
Vulnerability.Read.All (WindowsDefenderATP) | 1 | Granted | Collected | Defender TVM Vulnerabilities
Endpoint Payload Matrix (21/21 collected)

Endpoint | Domain | Source / Permission | Status | Detail
Device Compliance | Endpoint | DeviceManagementManagedDevices.Read.All | Collected | Permission granted and payload returned.
Conditional Access | Identity | Policy.Read.All | Collected | Permission granted and payload returned.
MFA Coverage | Identity | Reports.Read.All | Collected | Permission granted and payload returned.
Privileged Accounts | Identity | RoleManagement.Read.All | Collected | Permission granted and payload returned.
Risky Users | Identity | IdentityRiskyUser.Read.All | Collected | Permission granted and payload returned.
User Summary | Identity | User.Read.All | Collected | Permission granted and payload returned.
Backup Health | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
Backup Jobs | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
Backup Vaults | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
Key Vaults | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
Recovery Readiness | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
SQL Servers | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
Storage Accounts | Infrastructure | Reader (ARM) | Collected | Permission granted and payload returned.
Network Security Groups | Network | Reader (ARM) | Collected | Permission granted and payload returned.
Secure Score | Security | SecurityEvents.Read.All | Collected | Permission granted and payload returned.
Secure Score Controls | Security | SecurityEvents.Read.All | Collected | Permission granted and payload returned.
Security Alerts | Security | SecurityEvents.Read.All | Collected | Permission granted and payload returned.
Defender Software Inventory | Vulnerability Management | Software.Read.All (WindowsDefenderATP) | Collected | Permission granted and payload returned.
Defender TVM Recommendations | Vulnerability Management | SecurityRecommendation.Read.All (WindowsDefenderATP) | Collected | Permission granted and payload returned.
Defender TVM Vulnerabilities | Vulnerability Management | Vulnerability.Read.All (WindowsDefenderATP) | Collected | Permission granted and payload returned.
Vulnerability Assessment | Vulnerability Management | SecurityEvents.Read.All | Collected | Permission granted and payload returned.
Findings At a Glance

Board-level hotspot map of findings by severity and domain; the detailed findings list can be filtered by either.

Panels: Severity Mix, Top Risk Domains, Current Load + Run Delta (vs February 8, 2026).

  • Total: 129
  • Critical + High: 56
  • Critical: 2
  • High: 54

No material backlog movement since February 8, 2026.
Security Findings
Priority backlog with owner, due-date, and verification context for the first remediation wave.
Priority backlog: 56 (Critical 2, High 54) · Open: 129 · Resolved: 0
129 of 129 findings displayed.
Attack Path Analysis

Threat scenarios derived from your assessment findings. Each path represents a realistic attack chain that exploits the identified control gaps. Remediate the mitigating controls to break these attack chains.

Credential Compromise Chain High Risk
An attacker targets user credentials via phishing or credential stuffing. With 30 identity control gaps (Block legacy authentication protocols, Legacy Authentication Not Blocked), the attacker can authenticate as a legitimate user, escalate privileges if admin accounts lack MFA, and access sensitive resources across the tenant. On-premises Active Directory data confirms 15 Tier-0 privileged accounts, enabling Kerberos relay and pass-the-hash escalation from cloud to on-premises.
Business Impact: Full tenant compromise, data exfiltration, ransomware deployment
Mitigating Controls: Block legacy authentication protocols, Legacy Authentication Not Blocked, 40 Users Not Covered by MFA Policy
Endpoint to Data Exfiltration High Risk
A compromised endpoint (malware, drive-by download) provides initial access. With 23 endpoint control gaps (Critical Security Configuration Gaps Require Action, Security Configuration Gaps Require Remediation), the attacker moves laterally to access business data, email, and shared drives from the compromised device.
Business Impact: Data breach, intellectual property theft, compliance violation
Mitigating Controls: Critical Security Configuration Gaps Require Action, Security Configuration Gaps Require Remediation, High-Severity Vulnerabilities Require Short-Term Remediation
Email-Based Initial Access High Risk
Phishing email bypasses basic protections (34 phishing detections in 30 days). User clicks malicious link or attachment, leading to credential harvest. With 18 email security gaps (Safe Links Protection Is Disabled, Safe Attachments Protection Is Disabled), the attacker gains account access, potentially bypassing MFA via token theft or session hijacking.
Business Impact: Account takeover, financial fraud, ransomware deployment via email
Mitigating Controls: Safe Links Protection Is Disabled, Safe Attachments Protection Is Disabled, Anti-Phishing Controls Are Not Fully Enabled
OAuth Token Theft Chain High Risk
Attacker compromises a high-risk OAuth application or registers a malicious one (1 high-risk app detected). Stolen delegated tokens provide access to user mail, files, and calendar without an MFA challenge. With 9 application control gaps (Third-Party Application Consents Include Elevated-Risk Integrations, 2 Apps with High-Risk OAuth Permissions), the attacker maintains persistent access and can exfiltrate data silently.
Business Impact: Persistent access, data exfiltration, supply chain compromise
Mitigating Controls: Third-Party Application Consents Include Elevated-Risk Integrations, 2 Apps with High-Risk OAuth Permissions, Teams Guest Access Requires Stronger Collaboration Governance
Guest Account Lateral Movement Medium Risk
External guest accounts (30 guest accounts) bypass internal Conditional Access policies. Guest users access SharePoint sites, Teams channels, and shared data without the same security controls applied to internal users. An attacker who compromises a guest account from a less-secure partner organization can exfiltrate shared data and pivot into internal resources.
Business Impact: Data leakage to external parties, compliance violation, supply chain risk
Mitigating Controls: 30 Guest Users Require Access Review (20.0% of user base), Teams Guest Access Requires Stronger Collaboration Governance, Excessive Guest Users in Directory
On-Premises AD Lateral Movement Critical Risk
1 non-default account has DCSync replication rights on the domain root, allowing full credential extraction (NTDS.dit equivalent) without touching a domain controller. 1 dangerous permission (GenericAll/WriteDACL/WriteOwner) was found on sensitive admin objects, enabling privilege escalation via ACL abuse (e.g., resetting passwords or modifying group membership). 2 user accounts have SPNs set, making them Kerberoastable targets (1 with a password older than 1 year). Attackers can request service tickets and crack weak passwords offline without triggering lockout. 15 accounts are members of Tier-0 privileged groups across 7 groups, expanding the blast radius of a compromised admin account. The LDAP signing setting could not be verified (reported as unknown), leaving potential exposure to LDAP relay attacks.
Business Impact: Active Directory controls authentication for all on-premises resources. Compromise of AD typically gives complete control of the environment, including access to file shares, databases, and internal applications.
Mitigating Controls: AD: Privileged Admin Footprint Controlled, AD: LDAP Signing/Channel Binding Gap, AD: Legacy Authentication Active, AD: Domain Controller Patch Baseline Gap
CMMC Compliance Gap Exposure Medium Risk
Assessment covers 24 of 110 CMMC Level 2 controls; 8 are non-compliant (4 failing, 4 partial). Worst-affected domains: Access Control (1 control), Audit and Accountability (1 control), Configuration Management (1 control). Non-compliant CMMC practices represent exploitable gaps that an adversary could target to access Controlled Unclassified Information (CUI). Current SPRS score: 87/110.
Business Impact: CMMC certification failure, DoD contract loss, DFARS non-compliance, and potential False Claims Act liability
Mitigating Controls: Remediate 4 failing controls prioritized by SPRS weight. See Compliance Matrix tab for per-control detail.
Industry Context

Benchmarked against Microsoft 365 security assessments across SMB organizations (50-500 users).

Your Findings
129
Industry median: 8-12 findings
Identity Gaps
29
Above industry median (2-3)
Critical Findings
2
Industry median: 1-2 critical findings
Attack Paths Identified
7
High exposure profile
MFA Coverage
94.0%
Industry median: 78% | Gap: +16.0 points
Admin MFA
100.0%
Industry median: 85% | Gap: +15.0 points
Secure Score
56.7%
Industry median: 48% | Gap: +8.7 points
Device Compliance
96.7%
Industry median: 65% | Gap: +31.7 points
Findings Index

Quick reference to findings by ID, severity, domain, status, and timeline; each row corresponds to a detailed finding card. Showing all 129 findings.

# | ID | Title | Severity | Domain | Status | Timeline
1 | Device-015 | Critical Security Configuration Gaps Require Action | Critical | Endpoint | Fail | 7-30 days
2 | Network-010 | NSG Rules Allow All Inbound Traffic | Critical | Infrastructure | Fail | 7-30 days
3 | Identity-010 | 2 High-Risk User Accounts Detected | High | Identity | Fail | 0-7 days
4 | Security-001 | 28 Active Security Alerts (2 High, 5 Medium) | High | Monitoring | Fail | 0-7 days
5 | Identity-008 | 40 Users Not Covered by MFA Policy | High | Identity | Fail | 7-30 days
6 | ActiveDirectory-006 | AD: LDAP Signing/Channel Binding Gap | High | Identity | Fail | 0-7 days
7 | ActiveDirectory-003 | AD: Privileged Admin Footprint Controlled | High | Identity | Fail | 0-7 days
8 | Infrastructure-015 | Anonymous Storage Access Enabled | High | Infrastructure | Fail | 7-30 days
9 | Email-007 | Anti-Phishing Controls Are Not Fully Enabled | High | Email | Fail | 7-30 days
10 | Email-014 | Auto-Forward to External Addresses Detected | High | Email | Fail | 7-30 days
11 | CloudPosture-001 | Azure Secure Score Below Target | High | Monitoring | Fail | 7-30 days
12 | Endpoint-007 | BitLocker or Device Encryption Not Enabled | High | Endpoint | Fail | 7-30 days
13 | CMMC-AC.L2-3.1.6 | CMMC AC.L2-3.1.6: Non-Privileged Account Use (Fail) | High | Compliance | Fail | 7-30 days
14 | CMMC-AU.L2-3.3.4 | CMMC AU.L2-3.3.4: Audit Failure Alerting (Fail) | High | Compliance | Fail | 7-30 days
15 | CMMC-IA.L2-3.5.3 | CMMC IA.L2-3.5.3: Multifactor Authentication (Fail) | High | Identity | Fail | 7-30 days
16 | CMMC-IR.L2-3.6.1 | CMMC IR.L2-3.6.1: Incident Handling (Partial) | High | Security | Partial | 7-30 days
17 | Network-013 | Email Encryption Not Enabled | High | Email | Fail | 7-30 days
18 | Email-008 | Email Threat Detection/Containment Rate Is Below Target | High | Email | Fail | 7-30 days
19 | Identity-021 | Emergency Access Accounts Missing or Incomplete | High | Identity | Fail | 7-30 days
20 | DataProtection-017 | Excessive Third-Party App Permissions | High | Apps | Fail | 7-30 days
21 | Email-009 | External Email Forwarding Rules Detected | High | Email | Fail | 7-30 days
22 | Security-002 | Failed and Risky Sign-In Volume Exceeds Baseline | High | Monitoring | Fail | 7-30 days
23 | Device-016 | High Endpoint Vulnerability Backlog | High | Endpoint | Fail | 7-30 days
24 | Vulnerability-002 | High-Severity Vulnerabilities Require Short-Term Remediation | High | Endpoint | Fail | 7-30 days
25 | Resilience-001 | Incident Response Plan Not Documented | High | Monitoring | Fail | 7-30 days
26 | Infrastructure-016 | Key Vault Soft-Delete Not Enabled | High | Infrastructure | Fail | 7-30 days
27 | Identity-005 | Legacy Authentication Not Blocked | High | Identity | Fail | 7-30 days
28 | Identity-027 | Legacy Authentication Sign-Ins Detected | High | Identity | Fail | 7-30 days
29 | Email-013 | Mail Flow Rules Bypass Security Filtering | High | Email | Fail | 7-30 days
30 | Email-016 | Multiple Domains Without DMARC | High | Email | Fail | 7-30 days
31 | Infrastructure-001 | Network Security Groups Allow Unrestricted Inbound Access | High | Infrastructure | Fail | 7-30 days
32 | Device-013 | No Device Compliance Policies Defined | High | Endpoint | Fail | 7-30 days
33 | DataProtection-013 | No DLP Policies Configured | High | Data Protection | Fail | 7-30 days
34 | Infrastructure-010 | No Effective Network Segmentation Detected | High | Infrastructure | Fail | 7-30 days
35 | Email-012 | No Outbound Spam Policy Enabled | High | Email | Fail | 7-30 days
36 | Cost-001 | Orphaned Cloud Resources Incurring Waste | High | Infrastructure | Fail | 7-30 days
37 | Identity-014 | Phishing-Resistant MFA Method (FIDO2) Is Disabled | High | Identity | Fail | 7-30 days
38 | Identity-018 | PIM Not Configured for Admin Roles | High | Identity | Fail | 7-30 days
39 | Identity-026 | PIM Not Utilized for Privileged Roles | High | Identity | Fail | 7-30 days
40 | Governance-002 | Privileged High-Risk Administrative Operations Require Review | High | Monitoring | Fail | 7-30 days
41 | Identity-020 | Risky Sign-Ins Not Investigated | High | Identity | Fail | 7-30 days
42 | Email-006 | Safe Attachments Protection Is Disabled | High | Email | Fail | 7-30 days
43 | Email-005 | Safe Links Protection Is Disabled | High | Email | Fail | 7-30 days
44 | Governance-003 | Secure Score Recommendation Backlog Is Accumulating | High | Monitoring | Fail | 7-30 days
45 | Vulnerability-001 | Security Configuration Gaps Require Remediation | High | Endpoint | Fail | 0-7 days
46 | DataProtection-010 | SharePoint External Sharing Is Enabled on Collaboration Sites | High | Data Protection | Fail | 7-30 days
47 | Resilience-002 | SIEM Not Connected | High | Monitoring | Fail | 7-30 days
48 | Infrastructure-011 | Storage Accounts Allow HTTP | High | Infrastructure | Fail | 7-30 days
49 | Infrastructure-002 | Storage Accounts Allow Public Blob Access | High | Data Protection | Fail | 0-7 days
50 | Identity-017 | Strong Authentication Method Adoption Is Below Target | High | Identity | Fail | 7-30 days
51 | Endpoint-011 | Tamper Protection Not Enabled | High | Endpoint | Fail | 7-30 days
52 | Application-006 | Third-Party Application Consents Include Elevated-Risk Integrations | High | Apps | Fail | 7-30 days
53 | Security-003 | Threat Pulse Indicates Elevated Active Alert Backlog | High | Monitoring | Fail | 7-30 days
54 | Identity-025 | Too Many Global Administrators | High | Identity | Fail | 7-30 days
55 | Device-010 | Unencrypted Devices Detected in Fleet | High | Endpoint | Fail | 7-30 days
56 | Endpoint-013 | Unsupported Operating Systems in Managed Fleet | High | Endpoint | Fail | 7-30 days
57 | Identity-011 | 1 Service Principal with High-Risk Permissions | Medium | Apps | Fail | 7-30 days
58 | Application-001 | 2 Apps with High-Risk OAuth Permissions | Medium | Apps | Fail | 7-30 days
59 | Identity-006 | 3 Users Authenticating with Legacy Protocols | Medium | Identity | Fail | 7-30 days
60 | Identity-013 | 30 Guest Users Require Access Review (20.0% of user base) | Medium | Identity | Fail | 7-30 days
61 | ActiveDirectory-008 | AD: Domain Controller Patch Baseline Gap | Medium | Identity | Fail | 7-30 days
62 | ActiveDirectory-002 | AD: Legacy Authentication Active | Medium | Identity | Fail | 7-30 days
63 | Resilience-003 | Alert Rules Not Configured | Medium | Monitoring | Fail | 7-30 days
64 | Email-020 | Anti-Impersonation Coverage Below Target | Medium | Email | Fail | 7-30 days
65 | Endpoint-012 | Attack Surface Reduction Rules Missing | Medium | Endpoint | Fail | 7-30 days
66 | Cost-003 | Azure Advisor Savings Not Yet Realized | Medium | Infrastructure | Fail | 7-30 days
67 | Resilience-004 | Backup Restore Testing Stale | Medium | Monitoring | Fail | 7-30 days
68 | Cost-005 | Budget Alerting Not Configured | Medium | Infrastructure | Fail | 0-7 days
69 | CMMC-CM.L2-3.4.5 | CMMC CM.L2-3.4.5: Access Restrictions for Change (Partial) | Medium | Compliance | Partial | 30-90 days
70 | CMMC-SC.L2-3.13.2 | CMMC SC.L2-3.13.2: Security Engineering (Partial) | Medium | Compliance | Partial | 30-90 days
71 | CMMC-SI.L2-3.14.2 | CMMC SI.L2-3.14.2: Malicious Code Protection (Partial) | Medium | Endpoint | Partial | 30-90 days
72 | CMMC-SI.L2-3.14.5 | CMMC SI.L2-3.14.5: Advanced Persistent Threat Protection (Fail) | Medium | Endpoint | Fail | 30-90 days
73 | Identity-016 | Default Domain Password Expiration Policy Increases Credential Risk | Medium | Identity | Fail | 7-30 days
74 | Endpoint-014 | Defender Onboarding Coverage Below 80% | Medium | Endpoint | Fail | 7-30 days
75 | Endpoint-005 | Device Compliance Policy Coverage Is Incomplete | Medium | Endpoint | Fail | 7-30 days
76 | Endpoint-004 | Device Configuration Baseline Policy Depth Is Limited | Medium | Endpoint | Fail | 7-30 days
77 | CloudPosture-003 | Diagnostic Settings Missing on Critical Resources | Medium | Monitoring | Fail | 7-30 days
78 | Email-010 | DMARC Aggregate Reporting Not Configured | Medium | Email | Fail | 7-30 days
79 | Email-015 | DMARC Policy Not Enforced at Reject | Medium | Email | Fail | 7-30 days
80 | DataProtection-004 | eDiscovery Not Configured | Medium | Data Protection | Fail | 7-30 days
81 | Endpoint-015 | EDR Block Mode Not Enabled | Medium | Endpoint | Fail | 7-30 days
82 | Email-019 | Email Quarantine Policy Not Configured | Medium | Email | Fail | 7-30 days
83 | Identity-009 | Excessive Global Administrators (7 accounts) | Medium | Identity | Fail | 7-30 days
84 | Identity-023 | Excessive Guest Users in Directory | Medium | Identity | Fail | 7-30 days
85 | DataProtection-006 | External Sharing Unrestricted on SharePoint Sites | Medium | Data Protection | Fail | 7-30 days
86 | Infrastructure-013 | Key Vault Secrets Not Rotated | Medium | Infrastructure | Fail | 7-30 days
87 | Email-017 | Mailbox Auditing Not Enabled for All Mailboxes | Medium | Email | Fail | 7-30 days
88 | Vulnerability-003 | Medium-Severity Vulnerabilities Require Planned Remediation | Medium | Endpoint | Fail | 30-90 days
89 | Monitoring-001 | Microsoft Sentinel SIEM Not Configured | Medium | Monitoring | Fail | 7-30 days
90 | Identity-019 | No Access Reviews Configured | Medium | Identity | Fail | 7-30 days
91 | Network-014 | No Attack Simulation Campaigns Executed | Medium | Monitoring | Fail | 7-30 days
92 | CloudPosture-004 | No Azure Policy Assignments Detected | Medium | Monitoring | Fail | 7-30 days
93 | Device-014 | No Device Configuration Policies Applied | Medium | Endpoint | Fail | 7-30 days
94 | Infrastructure-014 | No Private Endpoints for PaaS Resources | Medium | Infrastructure | Fail | 7-30 days
95 | Identity-022 | OAuth Consent Policy Allows User Consent | Medium | Identity | Fail | 7-30 days
96 | DataProtection-007 | OneDrive External Sharing Open | Medium | Data Protection | Fail | 7-30 days
97 | Endpoint-006 | OS Versions Not Current | Medium | Endpoint | Fail | 7-30 days
98 | Device-012 | Outdated Endpoint Operating System Versions | Medium | Endpoint | Fail | 7-30 days
99 | Cost-004 | Oversized VM Fleet Increasing Compute Spend | Medium | Infrastructure | Fail | 7-30 days
100 | Infrastructure-006 | Public IP Addresses With Exposure Risks | Medium | Infrastructure | Fail | 7-30 days
101 | DataProtection-009 | Retention Period Below Compliance Baseline | Medium | Data Protection | Fail | 7-30 days
102 | DataProtection-012 | Retention Policy Coverage Is Partial Across M365 Workloads | Medium | Data Protection | Fail | 7-30 days
103 | Identity-028 | Risky Sign-Ins from Unknown Locations | Medium | Identity | Fail | 7-30 days
104 | DataProtection-019 | SharePoint Sites Permit External Sharing | Medium | Data Protection | Fail | 7-30 days
105 | Identity-029 | SMS-Based MFA Still in Significant Use | Medium | Identity | Fail | 7-30 days
106 | Email-011 | SPF Record Too Permissive | Medium | Email | Fail | 7-30 days
107 | Infrastructure-012 | SQL Servers Without Azure AD Authentication | Medium | Infrastructure | Fail | 7-30 days
108 | Device-011 | Stale Device Sync Older Than 30 Days | Medium | Endpoint | Fail | 7-30 days
109 | Endpoint-008 | Stale Devices with No Sync > 90 Days | Medium | Endpoint | Fail | 7-30 days
110 | Application-005 | Teams Guest Access Requires Stronger Collaboration Governance | Medium | Apps | Fail | 7-30 days
111 | Identity-015 | Trusted Named Locations Coverage Is Too Narrow | Medium | Identity | Fail | 7-30 days
112 | Network-011 | Unassociated Public IP Addresses Detected | Medium | Infrastructure | Fail | 7-30 days
113 | Cost-008 | Underutilized Premium License Portfolio | Medium | Infrastructure | Fail | 7-30 days
114 | Cost-006 | Unlicensed Users Consuming Paid Service Capacity | Medium | Infrastructure | Fail | 7-30 days
115 | Cost-002 | Unused License Spend Detected | Medium | Infrastructure | Fail | 7-30 days
116 | Email-001 | 929 Email Threat Detections Observed in Last 30 Days | Low | Email | Fail | 7-30 days
117 | Cost-007 | Duplicate Security Tools Detected | Low | Infrastructure | Fail | 30-90 days
118 | Email-018 | External Sender Warning Banner Missing | Low | Email | Fail | 7-30 days
119 | DataProtection-005 | Information Barriers Not Configured | Low | Data Protection | Fail | 7-30 days
120 | Network-012 | No Named Locations Configured | Low | Identity | Fail | 7-30 days
121 | Identity-030 | No Passwordless Authentication Adoption | Low | Identity | Fail | 7-30 days
122 | Resilience-005 | No Recent Security Tabletop Exercises | Low | Monitoring | Fail | 7-30 days
123 | DataProtection-008 | No Sensitivity Label Auto-Labeling Policies | Low | Data Protection | Fail | 7-30 days
124 | DataProtection-016 | Records Management Features Disabled | Low | Data Protection | Fail | 7-30 days
125 | CloudPosture-005 | Resource Tags Missing Across Cloud Inventory | Low | Monitoring | Fail | 7-30 days
126 | DataProtection-003 | Sensitivity Labels Configured but Under-Adopted | Low | Data Protection | Fail | 30-90 days
127 | Identity-024 | Stale Disabled Accounts Not Removed | Low | Identity | Fail | 7-30 days
128 | DataProtection-020 | Teams Without Assigned Owners | Low | Data Protection | Fail | 7-30 days
129 | Endpoint-010 | Windows Autopilot Not Configured | Low | Endpoint | Fail | 7-30 days
Remediation Plan

Prioritized remediation tasks organized by urgency, each with its severity and owning team.

1 = Immediate (72 Hours) · 2 = High (2 Weeks) · 3 = Standard (30–90 Days)
1 Immediate (0-7 Days)
Remediation items from assessment findings
2 High-Risk User Accounts Detected [High] - Owner: SecOps
28 Active Security Alerts (2 High, 5 Medium) [High] - Owner: SecOps
Storage Accounts Allow Public Blob Access [High] - Owner: Cloud/Security Team
Security Configuration Gaps Require Remediation [High] - Owner: Endpoint Security
AD: Privileged Admin Footprint Controlled [High] - Owner: Identity Governance
AD: LDAP Signing/Channel Binding Gap [High] - Owner: Directory Services
Budget Alerting Not Configured [Medium] - Owner: FinOps
2 High Priority (7-30 Days)
Remediation items from assessment findings
Critical Security Configuration Gaps Require Action [Critical] - Owner: Security Operations
NSG Rules Allow All Inbound Traffic [Critical] - Owner: Cloud/Network Team
Legacy Authentication Not Blocked [High] - Owner: Identity Team
40 Users Not Covered by MFA Policy [High] - Owner: Identity Team
Safe Links Protection Is Disabled [High] - Owner: Email Security Team
Safe Attachments Protection Is Disabled [High] - Owner: Email Security Team
Anti-Phishing Controls Are Not Fully Enabled [High] - Owner: Email Security Team
Email Threat Detection/Containment Rate Is Below Target [High] - Owner: Email Security Team
Phishing-Resistant MFA Method (FIDO2) Is Disabled [High] - Owner: Identity Team
Failed and Risky Sign-In Volume Exceeds Baseline [High] - Owner: Security Operations
Privileged High-Risk Administrative Operations Require Review [High] - Owner: Governance Team
SharePoint External Sharing Is Enabled on Collaboration Sites [High] - Owner: Data Protection Team
Secure Score Recommendation Backlog Is Accumulating [High] - Owner: Governance Team
Third-Party Application Consents Include Elevated-Risk Integrations [High] - Owner: Application Security
Strong Authentication Method Adoption Is Below Target [High] - Owner: Identity Team
Threat Pulse Indicates Elevated Active Alert Backlog [High] - Owner: Security Operations
Network Security Groups Allow Unrestricted Inbound Access [High] - Owner: Network/Cloud Team
High-Severity Vulnerabilities Require Short-Term Remediation [High] - Owner: Security Operations
Orphaned Cloud Resources Incurring Waste [High] - Owner: Cloud Operations
Too Many Global Administrators [High] - Owner: Identity Team
PIM Not Utilized for Privileged Roles [High] - Owner: Identity Team
Legacy Authentication Sign-Ins Detected [High] - Owner: Identity Team
Unencrypted Devices Detected in Fleet [High] - Owner: Endpoint Team
No Device Compliance Policies Defined [High] - Owner: Endpoint Team
High Endpoint Vulnerability Backlog [High] - Owner: Security Operations
No DLP Policies Configured [High] - Owner: Data Protection Team
Excessive Third-Party App Permissions [High] - Owner: Application Security
Email Encryption Not Enabled [High] - Owner: Messaging Security
External Email Forwarding Rules Detected [High] - Owner: Security Operations
No Outbound Spam Policy Enabled [High] - Owner: Security Operations
Mail Flow Rules Bypass Security Filtering [High] - Owner: Security Operations
Auto-Forward to External Addresses Detected [High] - Owner: Security Operations
Multiple Domains Without DMARC [High] - Owner: Security Operations
BitLocker or Device Encryption Not Enabled [High] - Owner: Security Operations
Tamper Protection Not Enabled [High] - Owner: Security Operations
Unsupported Operating Systems in Managed Fleet [High] - Owner: Security Operations
PIM Not Configured for Admin Roles [High] - Owner: Security Operations
Risky Sign-Ins Not Investigated [High] - Owner: Security Operations
Emergency Access Accounts Missing or Incomplete [High] - Owner: Security Operations
No Effective Network Segmentation Detected [High] - Owner: Security Operations
Storage Accounts Allow HTTP [High] - Owner: Security Operations
Anonymous Storage Access Enabled [High] - Owner: Security Operations
Key Vault Soft-Delete Not Enabled [High] - Owner: Security Operations
Azure Secure Score Below Target [High] - Owner: Security Operations
Incident Response Plan Not Documented [High] - Owner: Security Operations
SIEM Not Connected [High] - Owner: Security Operations
3 Users Authenticating with Legacy Protocols [Medium] - Owner: Identity Team
Excessive Global Administrators (7 accounts) [Medium] - Owner: Identity Team
Microsoft Sentinel SIEM Not Configured [Medium] - Owner: Security Operations
2 Apps with High-Risk OAuth Permissions [Medium] - Owner: Identity Team
1 Service Principal with High-Risk Permissions [Medium] - Owner: Identity Team / App Owners
30 Guest Users Require Access Review (20.0% of user base) [Medium] - Owner: Identity & Access Management
Trusted Named Locations Coverage Is Too Narrow [Medium] - Owner: Identity Team
Default Domain Password Expiration Policy Increases Credential Risk [Medium] - Owner: Identity Team
Teams Guest Access Requires Stronger Collaboration Governance [Medium] - Owner: Collaboration Team
Device Configuration Baseline Policy Depth Is Limited [Medium] - Owner: Endpoint Team
Device Compliance Policy Coverage Is Incomplete [Medium] - Owner: Endpoint Team
Retention Policy Coverage Is Partial Across M365 Workloads [Medium] - Owner: Compliance Team
Public IP Addresses With Exposure Risks [Medium] - Owner: Network/Cloud Team
Unused License Spend Detected [Medium] - Owner: IT Operations
Azure Advisor Savings Not Yet Realized [Medium] - Owner: Cloud Operations
Oversized VM Fleet Increasing Compute Spend [Medium] - Owner: Cloud Operations
Unlicensed Users Consuming Paid Service Capacity [Medium] - Owner: IT Operations
Underutilized Premium License Portfolio [Medium] - Owner: IT Operations
AD: Legacy Authentication Active [Medium] - Owner: Identity Team
AD: Domain Controller Patch Baseline Gap [Medium] - Owner: Infrastructure Security
Excessive Guest Users in Directory [Medium] - Owner: Identity Team
Risky Sign-Ins from Unknown Locations [Medium] - Owner: Security Operations
SMS-Based MFA Still in Significant Use [Medium] - Owner: Identity Team
Stale Device Sync Older Than 30 Days [Medium] - Owner: Endpoint Team
Outdated Endpoint Operating System Versions [Medium] - Owner: Endpoint Team
No Device Configuration Policies Applied [Medium] - Owner: Endpoint Team
SharePoint Sites Permit External Sharing [Medium] - Owner: Collaboration Team
Unassociated Public IP Addresses Detected [Medium] - Owner: Cloud/Network Team
No Attack Simulation Campaigns Executed [Medium] - Owner: Security Operations
DMARC Aggregate Reporting Not Configured [Medium] - Owner: Security Operations
SPF Record Too Permissive [Medium] - Owner: Security Operations
DMARC Policy Not Enforced at Reject [Medium] - Owner: Security Operations
Mailbox Auditing Not Enabled for All Mailboxes [Medium] - Owner: Security Operations
Email Quarantine Policy Not Configured [Medium] - Owner: Security Operations
Anti-Impersonation Coverage Below Target [Medium] - Owner: Security Operations
OS Versions Not Current [Medium] - Owner: Security Operations
Stale Devices with No Sync > 90 Days [Medium] - Owner: Security Operations
Attack Surface Reduction Rules Missing [Medium] - Owner: Security Operations
Defender Onboarding Coverage Below 80% [Medium] - Owner: Security Operations
EDR Block Mode Not Enabled [Medium] - Owner: Security Operations
eDiscovery Not Configured [Medium] - Owner: Security Operations
External Sharing Unrestricted on SharePoint Sites [Medium] - Owner: Security Operations
OneDrive External Sharing Open [Medium] - Owner: Security Operations
Retention Period Below Compliance Baseline [Medium] - Owner: Security Operations
No Access Reviews Configured [Medium] - Owner: Security Operations
OAuth Consent Policy Allows User Consent [Medium] - Owner: Security Operations
SQL Servers Without Azure AD Authentication [Medium] - Owner: Security Operations
Key Vault Secrets Not Rotated [Medium] - Owner: Security Operations
No Private Endpoints for PaaS Resources [Medium] - Owner: Security Operations
Diagnostic Settings Missing on Critical Resources [Medium] - Owner: Security Operations
No Azure Policy Assignments Detected [Medium] - Owner: Security Operations
Alert Rules Not Configured [Medium] - Owner: Security Operations
Backup Restore Testing Stale [Medium] - Owner: Security Operations
929 Email Threat Detections Observed in Last 30 Days [Low] - Owner: Email Security / IT Operations
Stale Disabled Accounts Not Removed [Low] - Owner: Identity Team
No Passwordless Authentication Adoption [Low] - Owner: Identity Team
Records Management Features Disabled [Low] - Owner: Compliance Team
Teams Without Assigned Owners [Low] - Owner: Collaboration Team
No Named Locations Configured [Low] - Owner: Identity Team
External Sender Warning Banner Missing [Low] - Owner: Security Operations
Windows Autopilot Not Configured [Low] - Owner: Security Operations
Information Barriers Not Configured [Low] - Owner: Security Operations
No Sensitivity Label Auto-Labeling Policies [Low] - Owner: Security Operations
Resource Tags Missing Across Cloud Inventory [Low] - Owner: Security Operations
No Recent Security Tabletop Exercises [Low] - Owner: Security Operations
CMMC AC.L2-3.1.6: Non-Privileged Account Use (Fail) [High] - Owner: Identity & Access Management
CMMC IA.L2-3.5.3: Multifactor Authentication (Fail) [High] - Owner: Identity & Access Management
CMMC AU.L2-3.3.4: Audit Failure Alerting (Fail) [High] - Owner: Security Operations
CMMC IR.L2-3.6.1: Incident Handling (Partial) [High] - Owner: Security Operations
3 Standard (30-90 Days)
Remediation items from assessment findings
Medium-Severity Vulnerabilities Require Planned Remediation [Medium] - Owner: IT Operations
Sensitivity Labels Configured but Under-Adopted [Low] - Owner: Compliance Team
Duplicate Security Tools Detected [Low] - Owner: FinOps
CMMC SC.L2-3.13.2: Security Engineering (Partial) [Medium] - Owner: Security Engineering
CMMC CM.L2-3.4.5: Access Restrictions for Change (Partial) [Medium] - Owner: Identity & Access Management
CMMC SI.L2-3.14.2: Malicious Code Protection (Partial) [Medium] - Owner: Security Operations
CMMC SI.L2-3.14.5: Advanced Persistent Threat Protection (Fail) [Medium] - Owner: Security Operations
90-Day Action Plan

Condensed owner-ready lane view aligned to 0-90 day delivery windows.

2 critical risks | 54 high risks | 122 due in 14 days | Target score 13 -> 43 | Next assessment June 6, 2026
Instructional Action Board (1 item)

Execution-ready actions derived from security findings. Each item includes implementation checklists, owners, due windows, and verification evidence. See the Findings tab for full technical analysis.

Block legacy authentication protocols High
Owner: Identity Team | Due: 0-7 days | Priority: P1 | Affected: 3 users with legacy auth
Why this matters: Legacy authentication (POP3, IMAP, SMTP, ActiveSync basic) bypasses MFA. Over 99% of password spray attacks use legacy auth.
Affected: Users on Legacy Protocols (3)
| User | Protocol | Last Sign-in |
| --- | --- | --- |
| david.mitchell@contoso.com | IMAP4 | Feb 11, 2026 21:14 |
| patricia.kowalski@contoso.com | IMAP4 | Feb 12, 2026 07:14 |
| robert.chen@contoso.com | SMTP | Feb 12, 2026 15:14 |
Implementation Checklist:
Verification: Policy exists with State = 'enabled' and GrantControls = 'block'
Evidence: Screenshot of CA policy in Entra ID showing legacy auth blocked
Confidence-Weighted Priority Engine

Findings ranked by severity, confidence quality, affected scope, urgency, and effort. This keeps prioritization consistent across different tenant sizes. See Technical Appendix for methodology details.

Total Risk Exposure: $1,674,545
Total Remediation Cost: $201,420
Estimated Value Protected: $1,473,125
Portfolio ROI: 8.31x

30-day execution window: $262,089 risk exposure vs $11,880 remediation cost (22.06x).

| Rank | Finding | Severity | Confidence | Score | Risk $ | Cost $ | ROI | Owner | Due |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 40 Users Not Covered by MFA Policy | High | OBSERVED | 153.3 | $29,805 | $540 | 55.2x | Identity Team | 7-30 days |
| 2 | Critical Security Configuration Gaps Require Action | Critical | OBSERVED | 150.6 | $49,833 | $1,620 | 30.8x | Security Operations | 7-30 days |
| 3 | Failed and Risky Sign-In Volume Exceeds Baseline | High | OBSERVED | 146.2 | $33,600 | $1,620 | 20.7x | Security Operations | 7-30 days |
| 4 | High Endpoint Vulnerability Backlog | High | OBSERVED | 143.4 | $32,958 | $1,620 | 20.3x | Security Operations | 7-30 days |
| 5 | 28 Active Security Alerts (2 High, 5 Medium) | High | OBSERVED | 140.1 | $28,332 | $1,620 | 17.5x | SecOps | 0-7 days |
| 6 | Strong Authentication Method Adoption Is Below Target | High | OBSERVED | 134.5 | $30,898 | $1,620 | 19.1x | Identity Team | 7-30 days |
| 7 | High-Severity Vulnerabilities Require Short-Term Remediation | High | OBSERVED | 123.3 | $28,332 | $1,620 | 17.5x | Security Operations | 7-30 days |
| 8 | Threat Pulse Indicates Elevated Active Alert Backlog | High | OBSERVED | 123.3 | $28,332 | $1,620 | 17.5x | Security Operations | 7-30 days |
| 9 | Legacy Authentication Sign-Ins Detected | High | OBSERVED | 119.8 | $27,526 | $1,620 | 17x | Identity Team | 7-30 days |
| 10 | Orphaned Cloud Resources Incurring Waste | High | OBSERVED | 114.6 | $22,282 | $540 | 41.3x | Cloud Operations | 7-30 days |
| 11 | PIM Not Configured for Admin Roles | High | OBSERVED | 108.4 | $24,917 | $1,620 | 15.4x | Security Operations | 7-30 days |
| 12 | PIM Not Utilized for Privileged Roles | High | OBSERVED | 108.4 | $24,917 | $1,620 | 15.4x | Identity Team | 7-30 days |
| 13 | Secure Score Recommendation Backlog Is Accumulating | High | OBSERVED | 107 | $24,576 | $1,620 | 15.2x | Governance Team | 7-30 days |
| 14 | NSG Rules Allow All Inbound Traffic | Critical | OBSERVED | 102.5 | $33,900 | $1,620 | 20.9x | Cloud/Network Team | 7-30 days |
| 15 | Security Configuration Gaps Require Remediation | High | OBSERVED | 100.1 | $24,917 | $3,240 | 7.7x | Endpoint Security | 0-7 days |
Operational Playbook (Tickets, Rollback, Escalation, Comms)
Monday Morning Priority List

Top 5 actions to start this week, with owner, effort, and explicit validation signals.

| P | Action | Owner | Effort | Validation Signal | Dependencies |
| --- | --- | --- | --- | --- | --- |
| P0 | Critical Security Configuration Gaps Require Action | Security Operations | M (1-2 hrs active + 24-48hr propagation) | Critical Security Configuration Gaps Require Action | Pilot device ring established; Exception workflow approved; Microsoft Intune; Defender for Endpoint |
| P0 | NSG Rules Allow All Inbound Traffic | Cloud/Network Team | M (1-2 hrs active + 24-48hr propagation) | NSG Rules Allow All Inbound Traffic | Documented allowlist; Change ticket approved |
| P1 | Legacy Authentication Not Blocked | Identity Team | M (1-2 hrs active + 24-48hr propagation) | Legacy Auth Block Policy (Block legacy auth (risk reduction)) | 14-day Report-only monitoring completed; Legacy auth usage reviewed; Entra ID P1 or P2 |
| P1 | 40 Users Not Covered by MFA Policy | Identity Team | S (15-30 min active work) | MFA Policy Coverage (+0 points to reach 90%) | MFA registration campaign communicated to affected users; Entra ID P1 or P2 (for Conditional Access) |
| P1 | 2 High-Risk User Accounts Detected | SecOps | M (1-2 hrs active + 24-48hr propagation) | High-Risk Users | Risk investigation SOP documented; Entra ID P2 (for Identity Protection) |
Escalation Framework

If remediation is blocked or causes impact, escalate to Your MSP Name at support@contoso.com with the finding ID and impact summary.

| Priority | Begin By | Escalate After | Contact | Response SLA |
| --- | --- | --- | --- | --- |
| P0 | Immediately | 4 hours | Your MSP Name | Within 1 hour |
| P1 | Within 24 hours | 48 hours | Your MSP Name | Within 4 hours |
| P2 | Within 1 week | 2 weeks | Your MSP Name | Within 1 business day |
| P3 | Within 30 days | 60 days | Your MSP Name | Within 3 business days |
Helpdesk Ticket Summary (129 tickets)

Ready-to-file tickets for your IT service management system. Each row represents one remediation work item with priority, owner, and timeline pre-assigned. Covers all 129 findings.

| Ticket ID | Title | Severity | Priority | Assignee | Due |
| --- | --- | --- | --- | --- | --- |
| Device-015 | Critical Security Configuration Gaps Require Action | Critical | P0 | Security Operations | 7-30 days |
| Network-010 | NSG Rules Allow All Inbound Traffic | Critical | P0 | Cloud/Network Team | 7-30 days |
| Identity-010 | 2 High-Risk User Accounts Detected | High | P1 | SecOps | 0-7 days |
| Security-001 | 28 Active Security Alerts (2 High, 5 Medium) | High | P1 | SecOps | 0-7 days |
| Identity-008 | 40 Users Not Covered by MFA Policy | High | P1 | Identity Team | 7-30 days |
| ActiveDirectory-006 | AD: LDAP Signing/Channel Binding Gap | High | P1 | Directory Services | 0-7 days |
| ActiveDirectory-003 | AD: Privileged Admin Footprint Controlled | High | P1 | Identity Governance | 0-7 days |
| Infrastructure-015 | Anonymous Storage Access Enabled | High | P1 | Security Operations | 7-30 days |
| Email-007 | Anti-Phishing Controls Are Not Fully Enabled | High | P1 | Email Security Team | 7-30 days |
| Email-014 | Auto-Forward to External Addresses Detected | High | P1 | Security Operations | 7-30 days |
| CloudPosture-001 | Azure Secure Score Below Target | High | P1 | Security Operations | 7-30 days |
| Endpoint-007 | BitLocker or Device Encryption Not Enabled | High | P1 | Security Operations | 7-30 days |
| CMMC-AC.L2-3.1.6 | CMMC AC.L2-3.1.6: Non-Privileged Account Use (Fail) | High | P1 | Identity & Access Management | 7-30 days |
| CMMC-AU.L2-3.3.4 | CMMC AU.L2-3.3.4: Audit Failure Alerting (Fail) | High | P1 | Security Operations | 7-30 days |
| CMMC-IA.L2-3.5.3 | CMMC IA.L2-3.5.3: Multifactor Authentication (Fail) | High | P1 | Identity & Access Management | 7-30 days |
| CMMC-IR.L2-3.6.1 | CMMC IR.L2-3.6.1: Incident Handling (Partial) | High | P1 | Security Operations | 7-30 days |
| Network-013 | Email Encryption Not Enabled | High | P1 | Messaging Security | 7-30 days |
| Email-008 | Email Threat Detection/Containment Rate Is Below Target | High | P1 | Email Security Team | 7-30 days |
| Identity-021 | Emergency Access Accounts Missing or Incomplete | High | P1 | Security Operations | 7-30 days |
| DataProtection-017 | Excessive Third-Party App Permissions | High | P1 | Application Security | 7-30 days |
| Email-009 | External Email Forwarding Rules Detected | High | P1 | Security Operations | 7-30 days |
| Security-002 | Failed and Risky Sign-In Volume Exceeds Baseline | High | P1 | Security Operations | 7-30 days |
| Device-016 | High Endpoint Vulnerability Backlog | High | P1 | Security Operations | 7-30 days |
| Vulnerability-002 | High-Severity Vulnerabilities Require Short-Term Remediation | High | P1 | Security Operations | 7-30 days |
| Resilience-001 | Incident Response Plan Not Documented | High | P1 | Security Operations | 7-30 days |
| Infrastructure-016 | Key Vault Soft-Delete Not Enabled | High | P1 | Security Operations | 7-30 days |
| Identity-005 | Legacy Authentication Not Blocked | High | P1 | Identity Team | 7-30 days |
| Identity-027 | Legacy Authentication Sign-Ins Detected | High | P1 | Identity Team | 7-30 days |
| Email-013 | Mail Flow Rules Bypass Security Filtering | High | P1 | Security Operations | 7-30 days |
| Email-016 | Multiple Domains Without DMARC | High | P1 | Security Operations | 7-30 days |
| Infrastructure-001 | Network Security Groups Allow Unrestricted Inbound Access | High | P1 | Network/Cloud Team | 7-30 days |
| Device-013 | No Device Compliance Policies Defined | High | P1 | Endpoint Team | 7-30 days |
| DataProtection-013 | No DLP Policies Configured | High | P1 | Data Protection Team | 7-30 days |
| Infrastructure-010 | No Effective Network Segmentation Detected | High | P1 | Security Operations | 7-30 days |
| Email-012 | No Outbound Spam Policy Enabled | High | P1 | Security Operations | 7-30 days |
| Cost-001 | Orphaned Cloud Resources Incurring Waste | High | P1 | Cloud Operations | 7-30 days |
| Identity-014 | Phishing-Resistant MFA Method (FIDO2) Is Disabled | High | P1 | Identity Team | 7-30 days |
| Identity-018 | PIM Not Configured for Admin Roles | High | P1 | Security Operations | 7-30 days |
| Identity-026 | PIM Not Utilized for Privileged Roles | High | P1 | Identity Team | 7-30 days |
| Governance-002 | Privileged High-Risk Administrative Operations Require Review | High | P1 | Governance Team | 7-30 days |
| Identity-020 | Risky Sign-Ins Not Investigated | High | P1 | Security Operations | 7-30 days |
| Email-006 | Safe Attachments Protection Is Disabled | High | P1 | Email Security Team | 7-30 days |
| Email-005 | Safe Links Protection Is Disabled | High | P1 | Email Security Team | 7-30 days |
| Governance-003 | Secure Score Recommendation Backlog Is Accumulating | High | P1 | Governance Team | 7-30 days |
| Vulnerability-001 | Security Configuration Gaps Require Remediation | High | P1 | Endpoint Security | 0-7 days |
| DataProtection-010 | SharePoint External Sharing Is Enabled on Collaboration Sites | High | P1 | Data Protection Team | 7-30 days |
| Resilience-002 | SIEM Not Connected | High | P1 | Security Operations | 7-30 days |
| Infrastructure-011 | Storage Accounts Allow HTTP | High | P1 | Security Operations | 7-30 days |
| Infrastructure-002 | Storage Accounts Allow Public Blob Access | High | P1 | Cloud/Security Team | 0-7 days |
| Identity-017 | Strong Authentication Method Adoption Is Below Target | High | P1 | Identity Team | 7-30 days |
| Endpoint-011 | Tamper Protection Not Enabled | High | P1 | Security Operations | 7-30 days |
| Application-006 | Third-Party Application Consents Include Elevated-Risk Integrations | High | P1 | Application Security | 7-30 days |
| Security-003 | Threat Pulse Indicates Elevated Active Alert Backlog | High | P1 | Security Operations | 7-30 days |
| Identity-025 | Too Many Global Administrators | High | P1 | Identity Team | 7-30 days |
| Device-010 | Unencrypted Devices Detected in Fleet | High | P1 | Endpoint Team | 7-30 days |
| Endpoint-013 | Unsupported Operating Systems in Managed Fleet | High | P1 | Security Operations | 7-30 days |
| Identity-011 | 1 Service Principal with High-Risk Permissions | Medium | P2 | Identity Team / App Owners | 7-30 days |
| Application-001 | 2 Apps with High-Risk OAuth Permissions | Medium | P2 | Identity Team | 7-30 days |
| Identity-006 | 3 Users Authenticating with Legacy Protocols | Medium | P2 | Identity Team | 7-30 days |
| Identity-013 | 30 Guest Users Require Access Review (20.0% of user base) | Medium | P2 | Identity & Access Management | 7-30 days |
| ActiveDirectory-008 | AD: Domain Controller Patch Baseline Gap | Medium | P2 | Infrastructure Security | 7-30 days |
| ActiveDirectory-002 | AD: Legacy Authentication Active | Medium | P2 | Identity Team | 7-30 days |
| Resilience-003 | Alert Rules Not Configured | Medium | P2 | Security Operations | 7-30 days |
| Email-020 | Anti-Impersonation Coverage Below Target | Medium | P2 | Security Operations | 7-30 days |
| Endpoint-012 | Attack Surface Reduction Rules Missing | Medium | P2 | Security Operations | 7-30 days |
| Cost-003 | Azure Advisor Savings Not Yet Realized | Medium | P2 | Cloud Operations | 7-30 days |
| Resilience-004 | Backup Restore Testing Stale | Medium | P2 | Security Operations | 7-30 days |
| Cost-005 | Budget Alerting Not Configured | Medium | P2 | FinOps | 0-7 days |
| CMMC-CM.L2-3.4.5 | CMMC CM.L2-3.4.5: Access Restrictions for Change (Partial) | Medium | P2 | Identity & Access Management | 30-90 days |
| CMMC-SC.L2-3.13.2 | CMMC SC.L2-3.13.2: Security Engineering (Partial) | Medium | P2 | Security Engineering | 30-90 days |
| CMMC-SI.L2-3.14.2 | CMMC SI.L2-3.14.2: Malicious Code Protection (Partial) | Medium | P2 | Security Operations | 30-90 days |
| CMMC-SI.L2-3.14.5 | CMMC SI.L2-3.14.5: Advanced Persistent Threat Protection (Fail) | Medium | P2 | Security Operations | 30-90 days |
| Identity-016 | Default Domain Password Expiration Policy Increases Credential Risk | Medium | P2 | Identity Team | 7-30 days |
| Endpoint-014 | Defender Onboarding Coverage Below 80% | Medium | P2 | Security Operations | 7-30 days |
| Endpoint-005 | Device Compliance Policy Coverage Is Incomplete | Medium | P2 | Endpoint Team | 7-30 days |
| Endpoint-004 | Device Configuration Baseline Policy Depth Is Limited | Medium | P2 | Endpoint Team | 7-30 days |
| CloudPosture-003 | Diagnostic Settings Missing on Critical Resources | Medium | P2 | Security Operations | 7-30 days |
| Email-010 | DMARC Aggregate Reporting Not Configured | Medium | P2 | Security Operations | 7-30 days |
| Email-015 | DMARC Policy Not Enforced at Reject | Medium | P2 | Security Operations | 7-30 days |
| DataProtection-004 | eDiscovery Not Configured | Medium | P2 | Security Operations | 7-30 days |
| Endpoint-015 | EDR Block Mode Not Enabled | Medium | P2 | Security Operations | 7-30 days |
| Email-019 | Email Quarantine Policy Not Configured | Medium | P2 | Security Operations | 7-30 days |
| Identity-009 | Excessive Global Administrators (7 accounts) | Medium | P2 | Identity Team | 7-30 days |
| Identity-023 | Excessive Guest Users in Directory | Medium | P2 | Identity Team | 7-30 days |
| DataProtection-006 | External Sharing Unrestricted on SharePoint Sites | Medium | P2 | Security Operations | 7-30 days |
| Infrastructure-013 | Key Vault Secrets Not Rotated | Medium | P2 | Security Operations | 7-30 days |
| Email-017 | Mailbox Auditing Not Enabled for All Mailboxes | Medium | P2 | Security Operations | 7-30 days |
| Vulnerability-003 | Medium-Severity Vulnerabilities Require Planned Remediation | Medium | P2 | IT Operations | 30-90 days |
| Monitoring-001 | Microsoft Sentinel SIEM Not Configured | Medium | P2 | Security Operations | 7-30 days |
| Identity-019 | No Access Reviews Configured | Medium | P2 | Security Operations | 7-30 days |
| Network-014 | No Attack Simulation Campaigns Executed | Medium | P2 | Security Operations | 7-30 days |
| CloudPosture-004 | No Azure Policy Assignments Detected | Medium | P2 | Security Operations | 7-30 days |
| Device-014 | No Device Configuration Policies Applied | Medium | P2 | Endpoint Team | 7-30 days |
| Infrastructure-014 | No Private Endpoints for PaaS Resources | Medium | P2 | Security Operations | 7-30 days |
| Identity-022 | OAuth Consent Policy Allows User Consent | Medium | P2 | Security Operations | 7-30 days |
| DataProtection-007 | OneDrive External Sharing Open | Medium | P2 | Security Operations | 7-30 days |
| Endpoint-006 | OS Versions Not Current | Medium | P2 | Security Operations | 7-30 days |
| Device-012 | Outdated Endpoint Operating System Versions | Medium | P2 | Endpoint Team | 7-30 days |
| Cost-004 | Oversized VM Fleet Increasing Compute Spend | Medium | P2 | Cloud Operations | 7-30 days |
| Infrastructure-006 | Public IP Addresses With Exposure Risks | Medium | P2 | Network/Cloud Team | 7-30 days |
| DataProtection-009 | Retention Period Below Compliance Baseline | Medium | P2 | Security Operations | 7-30 days |
| DataProtection-012 | Retention Policy Coverage Is Partial Across M365 Workloads | Medium | P2 | Compliance Team | 7-30 days |
| Identity-028 | Risky Sign-Ins from Unknown Locations | Medium | P2 | Security Operations | 7-30 days |
| DataProtection-019 | SharePoint Sites Permit External Sharing | Medium | P2 | Collaboration Team | 7-30 days |
| Identity-029 | SMS-Based MFA Still in Significant Use | Medium | P2 | Identity Team | 7-30 days |
| Email-011 | SPF Record Too Permissive | Medium | P2 | Security Operations | 7-30 days |
| Infrastructure-012 | SQL Servers Without Azure AD Authentication | Medium | P2 | Security Operations | 7-30 days |
| Device-011 | Stale Device Sync Older Than 30 Days | Medium | P2 | Endpoint Team | 7-30 days |
| Endpoint-008 | Stale Devices with No Sync > 90 Days | Medium | P2 | Security Operations | 7-30 days |
| Application-005 | Teams Guest Access Requires Stronger Collaboration Governance | Medium | P2 | Collaboration Team | 7-30 days |
| Identity-015 | Trusted Named Locations Coverage Is Too Narrow | Medium | P2 | Identity Team | 7-30 days |
| Network-011 | Unassociated Public IP Addresses Detected | Medium | P2 | Cloud/Network Team | 7-30 days |
| Cost-008 | Underutilized Premium License Portfolio | Medium | P2 | IT Operations | 7-30 days |
| Cost-006 | Unlicensed Users Consuming Paid Service Capacity | Medium | P2 | IT Operations | 7-30 days |
| Cost-002 | Unused License Spend Detected | Medium | P2 | IT Operations | 7-30 days |
| Email-001 | 929 Email Threat Detections Observed in Last 30 Days | Low | P3 | Email Security / IT Operations | 7-30 days |
| Cost-007 | Duplicate Security Tools Detected | Low | P3 | FinOps | 30-90 days |
| Email-018 | External Sender Warning Banner Missing | Low | P3 | Security Operations | 7-30 days |
| DataProtection-005 | Information Barriers Not Configured | Low | P3 | Security Operations | 7-30 days |
| Network-012 | No Named Locations Configured | Low | P3 | Identity Team | 7-30 days |
| Identity-030 | No Passwordless Authentication Adoption | Low | P3 | Identity Team | 7-30 days |
| Resilience-005 | No Recent Security Tabletop Exercises | Low | P3 | Security Operations | 7-30 days |
| DataProtection-008 | No Sensitivity Label Auto-Labeling Policies | Low | P3 | Security Operations | 7-30 days |
| DataProtection-016 | Records Management Features Disabled | Low | P3 | Compliance Team | 7-30 days |
| CloudPosture-005 | Resource Tags Missing Across Cloud Inventory | Low | P3 | Security Operations | 7-30 days |
| DataProtection-003 | Sensitivity Labels Configured but Under-Adopted | Low | P3 | Compliance Team | 30-90 days |
| Identity-024 | Stale Disabled Accounts Not Removed | Low | P3 | Identity Team | 7-30 days |
| DataProtection-020 | Teams Without Assigned Owners | Low | P3 | Collaboration Team | 7-30 days |
| Endpoint-010 | Windows Autopilot Not Configured | Low | P3 | Security Operations | 7-30 days |
Rollback Plans

Pre-defined reversal procedures for each remediation action. If implementation causes unexpected impact, follow these steps to safely restore the previous state.

Block legacy authentication protocols Estimated rollback: ~5 minutes
When to rollback: User complaints > 5% in first hour or critical service disruption
User impact: Legacy email clients (Outlook 2010, Thunderbird IMAP) will stop working.
1 Navigate to Entra ID > Protection > Conditional Access
2 Locate the 'Block Legacy Authentication' policy
3 Set policy state to 'Report-only'
4 Identify affected users via sign-in logs
Notify: IT Director, Help Desk
Critical Security Configuration Gaps Require Action Estimated rollback: 15-30 minutes
When to rollback: If endpoint hardening materially impacts business-critical workflows.
1 Roll back the affected policy assignment for impacted device cohorts.
2 Validate endpoint functionality and service access restoration.
3 Reapply remediations with pilot-first rollout and updated exclusions.
Notify: Endpoint Team, Security Operations, Helpdesk
NSG Rules Allow All Inbound Traffic Estimated rollback: 10-20 minutes
When to rollback: If network or messaging control enforcement disrupts validated production traffic.
1 Roll back the last rule/policy change impacting connectivity.
2 Verify service connectivity and workflow recovery for approved traffic.
3 Reintroduce controls with a staged rollout and explicit allowlist review.
Notify: Network Team, Cloud Operations, Security Operations
Legacy Authentication Not Blocked Estimated rollback: 5 minutes
When to rollback: If critical business application stops working
1 Identify the failing application from sign-in logs
2 Set legacy auth CA policy to Report-only
3 Verify application functionality restored
4 Plan modern auth upgrade for the application
5 Re-enable block after app is upgraded
Notify: Security Team, Application Owner, Helpdesk
40 Users Not Covered by MFA Policy Estimated rollback: 5 minutes per user
When to rollback: If MFA registration requirement blocks user access
1 Temporarily exclude affected users from the MFA CA policy
2 Assist users with MFA registration via Helpdesk
3 Re-include users once registration is complete
Notify: Security Team, Helpdesk
2 High-Risk User Accounts Detected Estimated rollback: 10 minutes
When to rollback: If risk remediation disables a legitimate user
1 Confirm risk is a false positive in Entra ID Protection
2 Dismiss the risk and restore user access
3 Reset user credentials as a precaution
Notify: Security Team, Affected User's Manager
28 Active Security Alerts (2 High, 5 Medium) Estimated rollback: 5-15 minutes
When to rollback: If remediation action causes service disruption
1 Revert the specific configuration change in the relevant admin portal
2 Verify service is restored for affected users
3 Document the conflict for security review
Notify: Security Operations, Helpdesk
Safe Links Protection Is Disabled Estimated rollback: 10-20 minutes
When to rollback: If Safe Links blocks legitimate business URLs
1 Place policy in monitor mode or exclude known-safe business domains
2 Review user false-positive reports
3 Re-enable full enforcement after tuning
Notify: Email Team, Helpdesk
Safe Attachments Protection Is Disabled Estimated rollback: 10-20 minutes
When to rollback: If Safe Attachments delays legitimate email delivery
1 Switch policy action to Dynamic Delivery
2 Review quarantine and detonation outcomes
3 Tune exclusions for approved low-risk senders
Notify: Email Team, Helpdesk
Anti-Phishing Controls Are Not Fully Enabled Estimated rollback: 15 minutes
When to rollback: If anti-phishing policy tuning produces false positives
1 Reduce impersonation strictness temporarily for impacted domains/users
2 Review blocked sender patterns
3 Re-enable strict policy after tuning
Notify: Email Team, Helpdesk
Email Threat Detection/Containment Rate Is Below Target Estimated rollback: 20 minutes
When to rollback: If detection threshold changes create alert fatigue
1 Restore prior threshold configuration
2 Validate true-positive rates on recent detections
3 Retune gradually with SOC feedback
Notify: Security Operations, Email Team
Phishing-Resistant MFA Method (FIDO2) Is Disabled Estimated rollback: 5 minutes
When to rollback: If pilot users cannot complete FIDO2 registration
1 Disable FIDO2 method policy target group temporarily
2 Keep Microsoft Authenticator available as fallback
3 Review registration failures before re-enabling
Notify: Identity Team, Helpdesk
Failed and Risky Sign-In Volume Exceeds Baseline Estimated rollback: 5 minutes
When to rollback: If sign-in hardening blocks critical business workflows
1 Set impacted Conditional Access rules to report-only
2 Review sign-in logs for top failure causes
3 Tune policy scope before enforcing again
Notify: Security Operations, Identity Team
Privileged High-Risk Administrative Operations Require Review Estimated rollback: 15 minutes
When to rollback: If privileged operation controls hinder approved admin changes
1 Temporarily relax operation approval condition
2 Complete emergency change with ticket references
3 Reinstate controls and review exception
Notify: Security Team, IT Leadership
SharePoint External Sharing Is Enabled on Collaboration Sites Estimated rollback: 10 minutes
When to rollback: If SharePoint sharing controls block critical partner workflows
1 Temporarily allow partner domain sharing for approved sites
2 Maintain strict sharing controls on sensitive sites
3 Re-tune policy after business validation
Notify: Data Protection Team, Site Owners
Secure Score Recommendation Backlog Is Accumulating Estimated rollback: 15 minutes
When to rollback: If recommendation sprint deprioritizes critical maintenance work
1 Pause recommendation sprint board updates
2 Reprioritize backlog with risk and business owners
3 Resume with adjusted scope
Notify: Security Team, IT Leadership
Third-Party Application Consents Include Elevated-Risk Integrations Estimated rollback: 10 minutes
When to rollback: If third-party app consent revocation breaks critical integrations
1 Re-consent approved business-critical applications
2 Restrict permissions to minimum required scope
3 Schedule vendor remediation for high-risk permissions
Notify: Application Security, Integration Owners
Strong Authentication Method Adoption Is Below Target Estimated rollback: 10 minutes
When to rollback: If phishing-resistant MFA rollout causes user lockouts
1 Temporarily exempt affected users from strict auth strength policy
2 Keep Authenticator MFA as fallback
3 Complete registration support and re-apply
Notify: Identity Team, Helpdesk
Threat Pulse Indicates Elevated Active Alert Backlog Estimated rollback: 10 minutes
When to rollback: If alert response workflow changes create operational noise
1 Revert triage automation to prior rule set
2 Restore previous alert routing
3 Retune thresholds and redeploy
Notify: Security Operations
Network Security Groups Allow Unrestricted Inbound Access Estimated rollback: 5-10 minutes
When to rollback: If restricting NSG rules breaks connectivity for a production workload
1 Identify the affected NSG rule from Azure Activity Log
2 Re-add the specific allow rule for the affected service
3 Verify the workload is accessible again
4 Schedule a change window to implement the restriction with proper testing
Notify: Cloud Operations, Application Owner
Storage Accounts Allow Public Blob Access Estimated rollback: 5 minutes
When to rollback: If disabling public blob access breaks an application that serves public content
1 Re-enable public blob access on the specific storage account
2 Verify the application content is accessible
3 Evaluate Azure CDN or Azure Front Door as alternatives to public blob access
4 Implement SAS token-based access for non-public content
Notify: Cloud Operations, Application Owner
Security Configuration Gaps Require Remediation Estimated rollback: Varies by vulnerability
When to rollback: If remediation breaks application functionality
1 Restore previous configuration or patch level
2 Document the incompatibility
3 Engage vendor for compatible fix
4 Implement compensating controls
Notify: Security Operations, Application Owner
High-Severity Vulnerabilities Require Short-Term Remediation Estimated rollback: Varies by vulnerability
When to rollback: If remediation breaks application functionality
1 Restore previous configuration or patch level
2 Document the incompatibility
3 Engage vendor for compatible fix
4 Implement compensating controls
Notify: Security Operations, Application Owner
Orphaned Cloud Resources Incurring Waste Estimated rollback: 15-30 minutes
When to rollback: If deleting resources impacts a dependent workload
1 Restore deleted resource from backup or deployment template
2 Reattach recovered resource to dependent workload
3 Tag resource as protected from cleanup automation
Notify: Cloud Operations, Application Owner
User Communication Templates

Pre-written email templates for communicating security changes to end users. Customize dates and details before sending. Templates are auto-matched to your assessment findings.

Legacy Email Protocol Cutoff
Subject: Important: Legacy Email Protocols Will Be Blocked on [set date]
Dear Team,

On [set date], legacy authentication protocols (POP3, IMAP, SMTP Basic Auth) will be disabled across Your MSP Name's Microsoft 365 environment.

Questions? Contact support@contoso.com
Executive Decision Points

Changes requiring leadership sign-off before implementation.

| Decision | Recommended | Alternative | Tradeoffs | Timeline | Approval |
| --- | --- | --- | --- | --- | --- |
| Block legacy authentication protocols | Approve cutoff after report-only pilot | Defer | Legacy clients may fail; requires exception process | 7-21 days | Awaiting Review |
Risk Acceptance Register

Document risks that cannot be immediately remediated and require business sign-off. Pre-populated with low/informational findings for review.

Accept-vs-Remediate Guidance
Severity | Guidance | Count
Low / Info | May be risk-accepted with documented compensating controls | 14 findings
Medium | May be risk-accepted with CISO approval and compensating controls | 59 findings
High / Critical | Must be remediated — risk acceptance not recommended | 56 findings
Compliance-mapped | Cannot be risk-accepted without formal POA&M documentation | See Compliance tab
Finding ID | Risk Description | Severity | Compensating Controls | Accepted By | Review Date
Email-001 | 929 Email Threat Detections Observed in Last 30 Days | Low | Document compensating controls | ________ | ________
Cost-007 | Duplicate Security Tools Detected | Low | Document compensating controls | ________ | ________
Email-018 | External Sender Warning Banner Missing | Low | Document compensating controls | ________ | ________
DataProtection-005 | Information Barriers Not Configured | Low | Document compensating controls | ________ | ________
Network-012 | No Named Locations Configured | Low | Document compensating controls | ________ | ________
Identity-030 | No Passwordless Authentication Adoption | Low | Document compensating controls | ________ | ________
Resilience-005 | No Recent Security Tabletop Exercises | Low | Document compensating controls | ________ | ________
DataProtection-008 | No Sensitivity Label Auto-Labeling Policies | Low | Document compensating controls | ________ | ________
DataProtection-016 | Records Management Features Disabled | Low | Document compensating controls | ________ | ________
CloudPosture-005 | Resource Tags Missing Across Cloud Inventory | Low | Document compensating controls | ________ | ________
Implementation Dependency Map

Phased execution order based on finding severity, prerequisites, and dependencies. Complete each phase before moving to the next to avoid conflicts and rollback scenarios.

Prerequisites
Purchase required licenses: Microsoft Intune, Defender for Endpoint, Entra ID P2 (for Identity Protection), Defender for Endpoint P2, Microsoft 365 E5 Security
Phase 1 (Week 1)
Critical Security Configuration Gaps Require Action, NSG Rules Allow All Inbound Traffic, AD: Privileged Admin Footprint Controlled, PIM Not Configured for Admin Roles (+3 more)
Phase 2 (Week 1-2)
2 High-Risk User Accounts Detected, 28 Active Security Alerts (2 High, 5 Medium), 40 Users Not Covered by MFA Policy, AD: LDAP Signing/Channel Binding Gap (+49 more)
Phase 3 (Week 2-3)
1 Service Principal with High-Risk Permissions, 2 Apps with High-Risk OAuth Permissions, 30 Guest Users Require Access Review (20.0% of user base), AD: Domain Controller Patch Baseline Gap (+51 more)
Phase 4 (Week 3-4)
929 Email Threat Detections Observed in Last 30 Days, Duplicate Security Tools Detected, External Sender Warning Banner Missing, Information Barriers Not Configured (+10 more)
Technical Appendix (Telemetry Evidence)
Vulnerability Data Source: Microsoft Secure Score configuration analysis. For CVE-level vulnerability data, enable Microsoft Defender for Endpoint P2 and grant WindowsDefenderATP > Vulnerability.Read.All permission.

Secure Score Recommendations

Security configuration gaps from Microsoft Secure Score (not software CVEs)

12 Critical Impact | 28 High Impact | 30 Medium Impact | 15 Low Impact (85 Total Recommendations)

Average Score Impact: 6.8 points

High Priority Vulnerabilities (Specific Recommendations)

ID | Specific Vulnerability / Recommendation | Severity | Affected Assets | Score Impact
MSSS-IntegratedApps | IntegratedApps | Critical | 0 | 9.0
MSSS-UserRiskPolicy | Ensure User Risk Policy Is Enabled | Critical | 1 | 8.0
MSSS-SigninRiskPolicy | SigninRiskPolicy | Critical | 0 | 8.5
CVE-2026-0012 | Windows Print Spooler Elevation Of Privilege | High | 12 | 7.8
CVE-2025-21418 | Windows Ancillary Function Driver For Win Sock Elevation Of Privilege | High | 8 | 7.8

Vulnerability Action Board (Operator-Ready)

Concrete remediation rows with ownership and executable commands for rapid triage.

Vulnerability ID | Title | Severity | CVSS / Impact | Affected Assets | Remediation Owner
(Execution Command follows each row)

MSSS-IntegratedApps | IntegratedApps | Critical | 9.0 | 0 | Security Operations
  Execution Command: Get-MgSecuritySecureScoreControlProfile -Filter "id eq 'MSSS-IntegratedApps'" | Select-Object Id,Title

MSSS-UserRiskPolicy | Ensure User Risk Policy Is Enabled | Critical | 8.5 | 1 | Security Operations
  Execution Command: Get-MgSecuritySecureScoreControlProfile -Filter "id eq 'MSSS-UserRiskPolicy'" | Select-Object Id,Title

MSSS-SigninRiskPolicy | SigninRiskPolicy | Critical | 8.5 | 0 | Security Operations
  Execution Command: Get-MgSecuritySecureScoreControlProfile -Filter "id eq 'MSSS-SigninRiskPolicy'" | Select-Object Id,Title

CVE-2026-0012 | Windows Print Spooler Elevation Of Privilege | High | 7.8 | 12 | Security Operations
  Execution Command: DeviceTvmSoftwareVulnerabilities | where CveId == 'CVE-2026-0012' | summarize AffectedDevices=dcount(DeviceName)

CVE-2025-21418 | Windows Ancillary Function Driver For Win Sock Elevation Of Privilege | High | 7.8 | 8 | Security Operations
  Execution Command: DeviceTvmSoftwareVulnerabilities | where CveId == 'CVE-2025-21418' | summarize AffectedDevices=dcount(DeviceName)

Defender Incidents

Microsoft Defender for Endpoint incident tracking

Metric Count
Total Incidents (All Time) 38
Incidents (Last 7 Days) 8
Total Alerts 45
Alerts (Last 7 Days) 12

Recent Incident Types:

  • Email reported by user as malware or phish
  • Impossible travel activity
  • Email messages containing malicious URL removed after delivery

Email Security

Exchange Online Protection and Microsoft Defender for Office 365

OAuth App Permissions

Third-party applications with delegated or application permissions

15 Total Apps
1 High Risk

High-Risk Applications

Application | Publisher | Consent Type | Permissions
DataSync Pro (Unverified) | Unknown Publisher | Not Specified | User.Read.All, Mail.ReadWrite, Files.ReadWrite.All +2 more

Secure Score — Top Improvement Opportunities

Top 8 actions to improve your Microsoft Secure Score, ranked by point value.

# | Recommendation | Category | Points | Cost | Impact
1 | Do Not Allow Users To Grant Consent To Unmanaged Applications | Apps | +10.0 | low | Low
2 | Enable Sign-In Risk Policy To Protect Against Identity Compromise | Identity | +8.5 | low | Low
3 | Require MFA For Administrative Roles | Identity | +5.0 | low | Moderate
4 | Block Legacy Authentication Protocols | Identity | +4.0 | moderate | Moderate
5 | Ensure Password Protection Is Configured | Identity | +3.0 | low | Low
6 | Create DLP Policies To Protect Sensitive Information | Data | +4.0 | moderate | Low
7 | Improve Device Compliance Policy Coverage | Device | +3.0 | moderate | Moderate
8 | Configure Email Authentication (SPF, DKIM, DMARC) | Email | +3.0 | moderate | Low

These are Microsoft's recommended actions for improving Secure Score.

Legacy Authentication

3 users still using legacy authentication protocols

Protocols: IMAP4: 28 | POP3: 12 | SMTP: 7

User | Protocol | Last sign-in
david.mitchell@contoso.com | IMAP4 | Feb 11, 2026 21:14
patricia.kowalski@contoso.com | IMAP4 | Feb 12, 2026 07:14
robert.chen@contoso.com | SMTP | Feb 12, 2026 15:14

Warning: Legacy authentication bypasses MFA. Block via Conditional Access policy.

OAuth Permission Grants

42 total grants (4 admin consent)

Application Scope Consent Type Granted To

Device Inventory

10 managed devices

Device Name | OS Version | Compliance | Last Sync | User
DESKTOP-FIN01 | Windows 10 21H2 | Unknown | Jan 01, 2024 00:00 |

SharePoint Sites

15 sites (0 with external sharing)

Site Name | Sharing Capability | External Sharing | Storage Used
Contoso - Main | disabled | No | 2.0 GB
Human Resources | externalUserSharingOnly | No | 0.5 GB
Client Engagements | disabled | No | 1.0 GB
Finance and Billing | externalUserAndGuestSharing | No | 4.0 GB
Marketing Assets | disabled | No | 0.25 GB
IT Operations | externalUserSharingOnly | No | 0.75 GB
Board of Directors | disabled | No | 2.0 GB
Training Portal | externalUserSharingOnly | No | 0.5 GB
Sarah Chen | disabled | No | 1.0 GB
Marcus Williams | externalUserAndGuestSharing | No | 4.0 GB
External Client Portal | disabled | No | 0.25 GB
Partner Collaboration | externalUserSharingOnly | No | 0.75 GB
Legal Documents | disabled | No | 2.0 GB
Emily Rodriguez | externalUserSharingOnly | No | 0.5 GB
Rachel Kim | disabled | No | 1.0 GB

Teams Inventory

8 teams (0 public, 2 with guests)

Team Name | Visibility | Members | Guests | Channels
All Company | Private | 45 | 0 | 6
Leadership Team | Private | 8 | 0 | 3
Client Services | Private | 15 | 2 | 5
IT Operations | Private | 6 | 0 | 4
Human Resources | Private | 5 | 0 | 3
Finance | Private | 7 | 0 | 2
Marketing | Private | 10 | 1 | 4
New Hire Onboarding | Private | 12 | 0 | 3

Sign-In Analysis

0 total sign-ins, 120 failures, 12 risky.

Geographic Summary: United States: 4200 | Canada: 350 | United Kingdom: 180 | Germany: 120 | Unknown: 150

Top Failure Reasons

  • Invalid password: 45
  • Account locked: 22
  • Conditional access failure: 18
  • MFA timeout: 15
  • Legacy auth blocked: 20

High-Risk Operations Timeline

3 operations (1 critical).

Actor | Action | Target | Timestamp
Unknown | Add member to role | Global Administrator | Feb 09, 2026 16:50
Unknown | Disable MFA for user | marcus.williams@contoso.com | Feb 07, 2026 16:50
Unknown | Consent to application | Unknown OAuth App (app-9x7z) | Feb 05, 2026 16:50

Service Principal Audit

412 principals, 18 high privilege, 9 stale.

Application | Permission Count | Risk | Last Activity
Unknown App | 0 | Unknown | N/A
Unknown App | 0 | Unknown | N/A

Assessment Configuration Health

Operator-readable collection status for critical data domains.

Endpoint Checks: 21/21 returned data successfully.

Signal | Status
Graph Connectivity | Available
Identity Data | Available
Device Data | Available
Alert Data | Available
Compliance Data | Not Assessed
Audit Data | Available
ARM Data | Not Assessed
Backup Data | Not Assessed
Collaboration Data | Available
OAuth Audit Data | Not Assessed

Directory Role Assignments

Role assignment evidence used for privileged identity and governance findings.

Role | Principal | Assignment
Global Administrator | Unknown | Assigned
Guest User | Unknown | Assigned
User Administrator | Unknown | Assigned
Helpdesk Administrator | Unknown | Assigned
Exchange Administrator | Unknown | Assigned
Security Administrator | Unknown | Assigned
SharePoint Administrator | Unknown | Assigned
Guest Inviter | Unknown | Assigned

Public IP Addresses

2 public IPs (1 orphaned). Orphaned IPs should be deallocated.

Name | IP Address | Location | Allocation | Associated Resource | DDoS Protection
Unknown | 52.160.14.27 | N/A | N/A | Orphaned | No
Unknown | 20.45.71.11 | N/A | N/A | vm-finance-jumpbox | No

Sensitivity Labels

3 sensitivity labels for document classification.

Label | Description | Priority | Status
Public | Data that is freely available to the public. | 0 | Active
Internal | Data intended for internal use only. | 1 | Active
Confidential | Sensitive business data that requires protection. | 2 | Active

Backup Vault Inventory

2 Recovery Services vault(s), 124 total protected items.

Vault Name | Location | Resource Group | Protected Items
contoso-rsv-prod-eastus | eastus | rg-backup-prod | 78
contoso-rsv-dr-westus | westus2 | rg-backup-dr | 46

Recent Backup Jobs

3 recent job(s): 3 completed, 0 failed.

Protected Item | Vault | Status | Start Time | Duration | Error
vm-finance-etl-01 | contoso-rsv-prod-eastus | Completed | 2026-03-08T02:01:51 | 27m |
sql-reporting-primary | contoso-rsv-prod-eastus | Completed | 2026-03-08T01:21:51 | 33m |
fileshare-operations | contoso-rsv-dr-westus | Completed | 2026-03-08T00:16:51 | 21m |

Recovery Readiness (RTO / RPO)

Overall status: Healthy

RTO (Recovery Time Objective)
Actual: 8h / Target: 24h — On Target
RPO (Recovery Point Objective)
Actual: 1h / Target: 4h — On Target

Decide this quarter: close shared findings that lift multiple frameworks simultaneously.

Compliance Command Center

Compliance is split into explicit surfaces: Operator Mode for execution queue and ownership, Auditor Mode for evidence traceability and control-level validation.

Compliance: 64.6% (31 of 48 assessed controls)
Pass / Implemented: 31 (65%)
Partial: 14 (29%)
Fail / Non-compliant: 3 (6%)
Not Assessed: 62
Coverage: 43.6%
* Compliance rate (64.6%) calculated against 48 assessed controls only. Pass rate against all 110 controls: 28.2%
Evidence Platform Active: 24 of 110 CMMC controls assessed via 3-source merge (8 via API, 8 via PowerShell, 8 via Manual). Evidence platform results take precedence over Graph-API-only mapping where both sources have data.
What happens if you fail? Without CMMC certification, you cannot bid on or retain DoD contracts requiring it. Existing contracts may include DFARS 252.204-7012 clauses requiring compliance now. Non-compliance risks contract loss, False Claims Act liability, and exclusion from the defense industrial base.
What is CMMC and why should you care?

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for ensuring that companies handling government data meet specific cybersecurity standards. It is based on NIST SP 800-171, the federal standard for protecting Controlled Unclassified Information (CUI).

Who needs it? Any company that works with the DoD — whether as a prime contractor, subcontractor, or anywhere in the defense supply chain. If you handle CUI or even just Federal Contract Information (FCI), CMMC applies to you. And with upcoming federal acquisition rules, CMMC-like requirements are spreading to civilian agencies too.

What is Level 2? Level 2 requires implementation of all 110 security practices derived from NIST 800-171, organized across 14 security domains. A certified third-party assessor (C3PAO) verifies your implementation. This assessment maps your current M365 environment against those 110 practices.

SPRS Score (Supplier Performance Risk System): 87 / 110
Good. Most practices are implemented. Address the remaining gaps and you can likely pass a C3PAO assessment with a small POA&M.

The SPRS score is the DoD's standard metric for measuring NIST 800-171 implementation. It starts at 110 and subtracts penalty weights for each unmet practice. Your score is submitted to the DoD's SPRS portal and is visible to contracting officers evaluating bids.

Score by Domain
AC - Access Control: 7/22
AT - Awareness and Training: 1/3
AU - Audit and Accountability: 4/9
CA - Security Assessment: 0/4
CM - Configuration Management: 2/9
IA - Identification and Authentication: 5/11
IR - Incident Response: 0/3
MA - Maintenance: 0/6
MP - Media Protection: 0/9
PE - Physical Protection: 0/6
PS - Personnel Security: 0/2
RA - Risk Assessment: 1/3
SC - System and Communications Protection: 4/16
SI - System and Information Integrity: 7/7
AC Access Control — Who can access what, and under what conditions
32% Compliant 22 Controls
AC.L1-3.1.1 Authorized Access Control ✓ Pass -5
Requirement (NIST 800-171 § 3.1.1) • Level L1 • Severity: critical
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Assessment Evidence (What We Found)
Conditional Access policies: 12
How to Prove It (Assessor Evidence)
Show your access control policy document. Export Entra ID Conditional Access policies and demonstrate they enforce the policy. Provide audit logs of quarterly access reviews.
AC.L1-3.1.2 Transaction & Function Control ✓ Pass -3
Requirement (NIST 800-171 § 3.1.2) • Level L1 • Severity: high
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Assessment Evidence (What We Found)
RBAC configured with 7 privileged accounts
How to Prove It (Assessor Evidence)
Assessor evidence: RBAC role assignments export; Administrative unit configuration; App role assignments
AC.L1-3.1.20 External Connections — Not Assessed -3
Requirement (NIST 800-171 § 3.1.20) • Level L1 • Severity: high
Verify and control/limit connections to and use of external information systems.
Assessment Evidence (What We Found)
External connections: 0 guest users, governed by 12 CA policies
How to Prove It (Assessor Evidence)
Assessor evidence: B2B settings configuration; Cross-tenant access policies; External user inventory
AC.L1-3.1.22 Control Public Information — Not Assessed -1
Requirement (NIST 800-171 § 3.1.22) • Level L1 • Severity: medium
Control information posted or processed on publicly accessible information systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Public information posting policy; SharePoint external sharing settings; Content review records
AC.L2-3.1.10 Session Lock ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.1.10) • Level L2 • Severity: medium
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Assessment Evidence (What We Found)
Session lock: 0 CA policies with session controls (sign-in frequency, persistent browser)
How to Prove It (Assessor Evidence)
Assessor evidence: Intune configuration profile for screen lock; Device compliance policy; CA session control configuration
Gap — What Closes This
  1. Configure Intune device configuration for screen lock timeout
  2. Set maximum inactivity time before lock (15 minutes recommended)
  3. Require password/PIN to unlock
AC.L2-3.1.11 Session Termination ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.1.11) • Level L2 • Severity: medium
Terminate (automatically) a user session after a defined condition.
Assessment Evidence (What We Found)
Session controls configured in 0 CA policies
How to Prove It (Assessor Evidence)
Assessor evidence: CA sign-in frequency policy; Token lifetime configuration; CAE configuration
Gap — What Closes This
  1. Configure Conditional Access sign-in frequency
  2. Set token lifetime policies: Entra ID > Protection > Token lifetime
  3. Configure session timeout for sensitive apps
AC.L2-3.1.12 Remote Access Control ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.1.12) • Level L2 • Severity: high
Monitor and control remote access sessions.
Assessment Evidence (What We Found)
Location-based CA policies: 0, Named locations: 0
How to Prove It (Assessor Evidence)
Assessor evidence: CA policies for remote access; Application Proxy configuration; Remote access audit logs
Gap — What Closes This
  1. Configure Conditional Access for remote access scenarios
  2. Require MFA for all remote access
  3. Use Azure AD Application Proxy for on-premises apps
AC.L2-3.1.13 Remote Access Encryption ◔ Partial -5 POA&M Eligible
Requirement (NIST 800-171 § 3.1.13) • Level L2 • Severity: critical
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Assessment Evidence (What We Found)
No compliant device policy found
How to Prove It (Assessor Evidence)
Assessor evidence: TLS configuration settings; VPN Gateway configuration; Azure Bastion deployment
Gap — What Closes This
  1. Ensure TLS 1.2+ for all Azure/M365 connections (default)
  2. Configure Azure VPN Gateway with IKEv2/IPsec
  3. Use Azure Bastion for secure VM access
AC.L2-3.1.14 Remote Access Routing ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.1.14) • Level L2 • Severity: high
Route remote access via managed access control points.
Assessment Evidence (What We Found)
Wireless/platform access control: 0 CA policies enforce platform conditions
How to Prove It (Assessor Evidence)
Assessor evidence: Azure AD as IdP configuration; Network architecture diagram; Traffic flow documentation
Gap — What Closes This
  1. Use Azure AD as central identity provider
  2. Route all app access through Azure AD (no direct access)
  3. Implement Azure Front Door or Application Gateway
AC.L2-3.1.15 Privileged Remote Access ◔ Partial -5 POA&M Eligible
Requirement (NIST 800-171 § 3.1.15) • Level L2 • Severity: critical
Authorize remote execution of privileged commands and remote access to security-relevant information.
Assessment Evidence (What We Found)
Remote access controlled via 12 enabled CA policies, 0 location-based rules
How to Prove It (Assessor Evidence)
Assessor evidence: PIM configuration for remote roles; Azure Bastion deployment; Privileged session logs
Gap — What Closes This
  1. Use PIM for remote privileged access
  2. Require approval for privileged role activation
  3. Configure Azure Bastion for remote admin access
AC.L2-3.1.16 Wireless Access Authorization — Not Assessed -3
Requirement (NIST 800-171 § 3.1.16) • Level L2 • Severity: high
Authorize wireless access prior to allowing such connections.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: WiFi authentication configuration; Wireless access policy; Network segmentation diagram
AC.L2-3.1.17 Wireless Access Protection — Not Assessed -3
Requirement (NIST 800-171 § 3.1.17) • Level L2 • Severity: high
Protect wireless access using authentication and encryption.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Wireless encryption settings; Certificate configuration; WiFi security audit
AC.L2-3.1.18 Mobile Device Connection ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.1.18) • Level L2 • Severity: high
Control connection of mobile devices.
Assessment Evidence (What We Found)
Mobile device connection control: 0 app protection policies
How to Prove It (Assessor Evidence)
Assessor evidence: Intune enrollment restrictions; Mobile compliance policy; App protection policy
Gap — What Closes This
  1. Configure Intune MDM enrollment requirements
  2. Create device compliance policies for mobile
  3. Require device encryption and PIN
AC.L2-3.1.19 Encrypt CUI on Mobile ◔ Partial -5 POA&M Eligible
Requirement (NIST 800-171 § 3.1.19) • Level L2 • Severity: critical
Encrypt CUI on mobile devices and mobile computing platforms.
Assessment Evidence (What We Found)
Mobile App Management policies: 0 policies configured
How to Prove It (Assessor Evidence)
Assessor evidence: Intune encryption compliance report; BitLocker/FileVault status; Device compliance dashboard
Gap — What Closes This
  1. Require device encryption in Intune compliance policy
  2. Configure BitLocker for Windows devices
  3. Verify FileVault for macOS devices
AC.L2-3.1.21 Portable Storage Use ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.1.21) • Level L2 • Severity: high
Limit use of portable storage devices on external systems.
Assessment Evidence (What We Found)
Portable storage control: 0 device configuration policies
How to Prove It (Assessor Evidence)
Assessor evidence: Intune device restriction policy; Defender device control rules; USB usage audit logs
Gap — What Closes This
  1. Configure Intune device restrictions for removable storage
  2. Block or encrypt USB storage devices
  3. Use Microsoft Defender for Endpoint device control
AC.L2-3.1.3 Control CUI Flow ✓ Pass -5 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.1.3) • Level L2 • Severity: critical
Control the flow of CUI in accordance with approved authorizations.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] Conditional Access policies enforce CUI flow controls; 8 DLP policies active with sensitivity labels applied to 94% of CUI repositories
How to Prove It (Assessor Evidence)
Demonstrate DLP policies in Microsoft Purview that restrict CUI flow. Show sensitivity labels applied to CUI documents. Provide DLP incident report for the last 90 days.
AC.L2-3.1.4 Separation of Duties ✓ Pass -3 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.1.4) • Level L2 • Severity: high
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] Separation of duties enforced: no single admin holds both Security Admin and Global Admin roles; PIM approval workflows require 2-person authorization
How to Prove It (Assessor Evidence)
Assessor evidence: Separation of duties matrix; Role assignment audit; Approval workflow configuration
AC.L2-3.1.5 Least Privilege ✓ Pass -5 ✓ Verified (powershell)
Requirement (NIST 800-171 § 3.1.5) • Level L2 • Severity: critical
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Assessment Evidence (What We Found)
[Evidence Platform (PowerShell)] Privileged account review via PS collector: 3 Global Admins, 8 privileged roles total; PIM enabled for 6/8 roles; standing access limited to break-glass accounts
How to Prove It (Assessor Evidence)
Show that admin accounts use PIM with just-in-time activation. Export role assignment audit showing minimal Global Admins. Provide evidence of least-privilege reviews.
AC.L2-3.1.6 Non-Privileged Account Use ✗ Fail -3 POA&M Eligible ✗ Evidence Gap (manual)
Requirement (NIST 800-171 § 3.1.6) • Level L2 • Severity: high
Use non-privileged accounts or roles when accessing nonsecurity functions.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] Questionnaire response: No documented acceptable use policy for CUI systems; no signed user agreements on file
How to Prove It (Assessor Evidence)
Assessor evidence: Admin account inventory showing separation; Account usage policy; Sign-in logs showing account separation
Gap — What Closes This
  1. Ensure admins have separate non-privileged accounts for daily work
  2. Document privileged vs non-privileged account policy
  3. Configure Conditional Access to restrict privileged accounts
Linked Finding
CMMC-AC.L2-3.1.6 — CMMC AC.L2-3.1.6: Non-Privileged Account Use (Fail)
AC.L2-3.1.7 Privileged Functions ✓ Pass -5 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.1.7) • Level L2 • Severity: critical
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] Privileged functions restricted via 12 Conditional Access policies; admin portals gated behind compliant device + MFA requirements
How to Prove It (Assessor Evidence)
Assessor evidence: RBAC configuration; Audit log settings; Privileged operation alerts
AC.L2-3.1.8 Unsuccessful Logon Attempts ✓ Pass -3
Requirement (NIST 800-171 § 3.1.8) • Level L2 • Severity: high
Limit unsuccessful logon attempts.
Assessment Evidence (What We Found)
Azure AD Smart Lockout enabled by default
How to Prove It (Assessor Evidence)
Assessor evidence: Smart Lockout configuration; Account lockout reports; Sign-in risk policy configuration
AC.L2-3.1.9 Privacy & Security Notices — Not Assessed -1
Requirement (NIST 800-171 § 3.1.9) • Level L2 • Severity: medium
Provide privacy and security notices consistent with applicable CUI rules.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Terms of use configuration; Sign-in page customization; Notice acceptance records
AT Awareness and Training — Security training and role-based awareness
33% Compliant 3 Controls
AT.L2-3.2.1 Security Awareness ✓ Pass -1 ✓ Verified (manual)
Requirement (NIST 800-171 § 3.2.1) • Level L2 • Severity: medium
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] Security awareness training program active: KnowBe4 platform, 94% completion rate, quarterly phishing simulations with 8% click rate (down from 22%)
How to Prove It (Assessor Evidence)
Assessor evidence: Training completion records; Phishing simulation results; Security awareness policy
AT.L2-3.2.2 Role-Based Training — Not Assessed -1
Requirement (NIST 800-171 § 3.2.2) • Level L2 • Severity: medium
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Role-based training matrix; Training completion certificates; Training curriculum documentation
AT.L2-3.2.3 Insider Threat Awareness — Not Assessed -1
Requirement (NIST 800-171 § 3.2.3) • Level L2 • Severity: medium
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Insider threat training materials; Reporting procedure documentation; Training completion records
AU Audit and Accountability — Logging, monitoring, and audit trail integrity
44% Compliant 9 Controls
AU.L2-3.3.1 System Auditing ✓ Pass -5 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.3.1) • Level L2 • Severity: critical
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] Audit events configured: M365 Unified Audit Log enabled; 14 audit categories active; 90-day retention in compliance center; SIEM forwarding via Sentinel
How to Prove It (Assessor Evidence)
Show audit log retention configuration (minimum 90 days). If using Log Analytics, export workspace retention settings. Provide sample audit query output.
AU.L2-3.3.2 User Accountability ✓ Pass -5 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.3.2) • Level L2 • Severity: critical
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] Audit records attributed to individual users: UPN recorded in all sign-in and activity logs; service principal actions tagged with app registration ID
How to Prove It (Assessor Evidence)
Assessor evidence: Sign-in log showing user attribution; Account policy prohibiting shared accounts; Audit log samples with user IDs
AU.L2-3.3.3 Event Review — Not Assessed -1
Requirement (NIST 800-171 § 3.3.3) • Level L2 • Severity: medium
Review and update logged events.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Log review procedures; Sentinel analytics rules; Log review records
AU.L2-3.3.4 Audit Failure Alerting ✗ Fail -3 POA&M Eligible ✗ Evidence Gap (manual)
Requirement (NIST 800-171 § 3.3.4) • Level L2 • Severity: high
Alert in the event of an audit logging process failure.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] Alert mechanism for audit processing failures not configured: no alert rule for Sentinel workspace ingestion failures; no monitoring for log pipeline disruptions. [Graph API] Alert configuration requires verification in Azure Monitor. Note: Evidence platform result takes precedence over Graph API.
How to Prove It (Assessor Evidence)
Assessor evidence: Azure Monitor alert rules; Alert notification configuration; Alert test records
Gap — What Closes This
  1. Configure Azure Monitor alerts for log collection failures
  2. Set up health monitoring for Log Analytics workspace
  3. Create Sentinel health workbook
Linked Finding
CMMC-AU.L2-3.3.4 — CMMC AU.L2-3.3.4: Audit Failure Alerting (Fail)
AU.L2-3.3.5 Audit Correlation — Not Assessed -3
Requirement (NIST 800-171 § 3.3.5) • Level L2 • Severity: high
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Sentinel data connectors; UEBA configuration; Investigation procedures
AU.L2-3.3.6 Audit Reduction — Not Assessed -1
Requirement (NIST 800-171 § 3.3.6) • Level L2 • Severity: medium
Provide audit record reduction and report generation to support on-demand analysis and reporting.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: KQL query library; Workbook configurations; Sample compliance reports
AU.L2-3.3.7 Authoritative Time Source — Not Assessed -1
Requirement (NIST 800-171 § 3.3.7) • Level L2 • Severity: medium
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: NTP configuration documentation; Time sync verification tests; Device compliance for time settings
AU.L2-3.3.8 Audit Protection ✓ Pass -5
Requirement (NIST 800-171 § 3.3.8) • Level L2 • Severity: critical
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Assessment Evidence (What We Found)
Audit log protection: Entra ID audit and sign-in logs are read-only for tenant administrators (no edit or delete operation is exposed; native retention is 30 days with P1/P2), and the exported copy in Log Analytics is RBAC-protected with 90-day retention
How to Prove It (Assessor Evidence)
Assessor evidence: Log Analytics RBAC configuration; Immutable storage policy; Access audit for log systems
AU.L2-3.3.9 Audit Management ✓ Pass -3
Requirement (NIST 800-171 § 3.3.9) • Level L2 • Severity: high
Limit management of audit logging functionality to a subset of privileged users.
Assessment Evidence (What We Found)
Audit management: 8 directory roles controlling audit log access via RBAC
How to Prove It (Assessor Evidence)
Assessor evidence: Audit admin role assignment; PIM configuration for audit roles; Role assignment review records
CA Security Assessment — Periodic security evaluations and continuous monitoring
0% Compliant 4 Controls
3.12.1
3.12.2
3.12.3
3.12.4
Detail View
CA.L2-3.12.1 Security Assessments — Not Assessed -3
Requirement (NIST 800-171 § 3.12.1) • Level L2 • Severity: high
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Security assessment report; Secure Score history; Remediation tracking
CA.L2-3.12.2 Plan of Action — Not Assessed -3
Requirement (NIST 800-171 § 3.12.2) • Level L2 • Severity: high
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: POA&M document; Remediation status reports; Closure evidence
CA.L2-3.12.3 Security Control Monitoring — Not Assessed -3
Requirement (NIST 800-171 § 3.12.3) • Level L2 • Severity: high
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Monitoring dashboards; Control status reports; Alert configurations
CA.L2-3.12.4 System Security Plan — Not Assessed -3
Requirement (NIST 800-171 § 3.12.4) • Level L2 • Severity: high
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: System Security Plan document; Network diagrams; Data flow diagrams
CM Configuration Management — Baseline configs, change control, and least functionality
22% Compliant 9 Controls
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
Detail View
CM.L2-3.4.1 System Baseline Configuration ✓ Pass -5 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.4.1) • Level L2 • Severity: high
Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] Baseline config established: 8 Intune configuration profiles enforced across fleet; CIS Windows 11 Level 1 benchmark applied; 92% compliance rate
How to Prove It (Assessor Evidence)
Export Intune device compliance dashboard showing compliance rate. Show compliance policies configured and their assignment scope.
CM.L2-3.4.2 Security Configuration Enforcement ✓ Pass -3 ✓ Verified (powershell)
Requirement (NIST 800-171 § 3.4.2) • Level L2 • Severity: high
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Assessment Evidence (What We Found)
[Evidence Platform (PowerShell)] Security config settings enforced: GPO audit shows 14 security baselines applied; Intune remediation scripts correct drift on 6 critical settings
How to Prove It (Assessor Evidence)
Assessor evidence: Compliance policy configuration; Non-compliance reports; Remediation records
CM.L2-3.4.3 System Change Management — Not Assessed -3
Requirement (NIST 800-171 § 3.4.3) • Level L2 • Severity: medium
Track, review, approve or disapprove, and log changes to organizational systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Change management policy; Change request tickets; Audit log exports
CM.L2-3.4.4 Security Impact Analysis — Not Assessed -3
Requirement (NIST 800-171 § 3.4.4) • Level L2 • Severity: medium
Analyze the security impact of changes prior to implementation.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Security impact analysis forms; Change approval records; Test results
CM.L2-3.4.5 Access Restrictions for Change ◔ Partial -3 POA&M Eligible ◔ Partial (manual)
Requirement (NIST 800-171 § 3.4.5) • Level L2 • Severity: high
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] Access restrictions for change control partially implemented: change advisory board exists but approval workflow is informal; no automated enforcement of change windows. [Graph API] Access restriction for change: 7 privileged accounts, 0 Global Admins control system changes. Note: Evidence platform result takes precedence over Graph API.
How to Prove It (Assessor Evidence)
Assessor evidence: Admin role assignments; PIM configuration; Change audit logs
Gap — What Closes This
  • 1. Formalize the change approval workflow: a recorded change advisory board decision per change, linked to the change ticket
  • 2. Enforce change windows through the approval step: require PIM activation with approval and a ticket reference in the justification, and reconcile activations against the change calendar
  • 3. Keep production change rights behind PIM just-in-time activation with MFA, limited to the 7 privileged accounts as the authorized set
Linked Finding
CMMC-CM.L2-3.4.5 — CMMC CM.L2-3.4.5: Access Restrictions for Change (Partial)
CM.L2-3.4.6 Least Functionality — Not Assessed -1
Requirement (NIST 800-171 § 3.4.6) • Level L2 • Severity: medium
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: System hardening checklist; Service configuration; Application inventory
CM.L2-3.4.7 Nonessential Functionality — Not Assessed -3
Requirement (NIST 800-171 § 3.4.7) • Level L2 • Severity: medium
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Assessment Evidence (What We Found)
App registration data not available
How to Prove It (Assessor Evidence)
Assessor evidence: Firewall policy configuration; Windows features audit; Protocol analysis
CM.L2-3.4.8 Application Allowlisting ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.4.8) • Level L2 • Severity: high
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Assessment Evidence (What We Found)
Application allowlisting: 0 Intune managed app protection policies found. Note: app protection policies govern data handling inside mobile apps, not which executables may run, so this result is a proxy; WDAC or AppLocker policy evidence is required to pass this control
How to Prove It (Assessor Evidence)
Assessor evidence: WDAC policy configuration; AppLocker rules; Blocked execution logs
Gap — What Closes This
  • 1. Deploy Windows Defender Application Control (WDAC)
  • 2. Create application allowlisting policies in Intune
  • 3. Use AppLocker for legacy systems
CM.L2-3.4.9 User-Installed Software ◔ Partial -3 POA&M Eligible
Requirement (NIST 800-171 § 3.4.9) • Level L2 • Severity: medium
Control and monitor user-installed software.
Assessment Evidence (What We Found)
User-installed software control: 0 device configuration profiles restrict software installation
How to Prove It (Assessor Evidence)
Assessor evidence: Admin rights audit; Software inventory report; Installation policy
Gap — What Closes This
  • 1. Remove local admin rights from standard users
  • 2. Deploy Company Portal for approved app installation
  • 3. Configure software restriction policies
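A local evidence collector for CM.L2-3.4.8 and CM.L2-3.4.9 together, as an added example that is not part of the assessment report or of Intune itself: run elevated on a Windows endpoint (directly, over PSRemoting, or as an Intune detection script), it reports whether an allowlisting engine is actually enforcing (WDAC user-mode enforcement or an enabled AppLocker Exe collection with rules), who is in the local Administrators group, and whether the Windows Installer AlwaysInstallElevated policy undoes the removal of admin rights. The $ApprovedAdmins list is an assumption; replace it with the organization's approved local administrators.

```powershell
# Added example, not from the assessment report. Local evidence collector for
# CM.L2-3.4.8 (application control) and CM.L2-3.4.9 (user-installed software)
# on one Windows endpoint. Run elevated. $ApprovedAdmins is an assumed allowlist.
param([string[]] $ApprovedAdmins = @('Administrator'))

# --- 3.4.8: is an allowlisting engine actually enforcing? ------------------
# App Control for Business (WDAC) state from the DeviceGuard WMI class.
# Enforcement status values: 0 = off, 1 = audit mode, 2 = enforced.
# Audit mode (1) logs but does not block, so it does not satisfy the control.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$wdacUser   = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
$wdacKernel = [int]$dg.CodeIntegrityPolicyEnforcementStatus

# AppLocker: effective (merged) policy, rule count and mode per collection.
$appLocker = foreach ($rc in (Get-AppLockerPolicy -Effective).RuleCollections) {
    [pscustomobject]@{ Collection = $rc.RuleCollectionType; Mode = $rc.EnforcementMode; Rules = $rc.Count }
}
$appLockerEnforcing = @($appLocker | Where-Object {
    $_.Collection -eq 'Exe' -and $_.Mode -eq 'Enabled' -and $_.Rules -gt 0
}).Count -gt 0
$allowlisting = ($wdacUser -eq 2) -or $appLockerEnforcing

# --- 3.4.9: can standard users install software? --------------------------
# Anyone in local Administrators can install anything, so this is the first
# thing to check. On Entra-joined devices role SIDs appear as raw SIDs; they
# are reported as-is so the assessor can see them.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$unexpectedAdmins = @($admins | Where-Object { ($_.Name -split '\\')[-1] -notin $ApprovedAdmins })

# AlwaysInstallElevated lets any MSI run as SYSTEM, but only when set to 1 in
# BOTH HKLM and HKCU; check both hives.
$aie = foreach ($hive in 'HKLM', 'HKCU') {
    (Get-ItemProperty "$($hive):\SOFTWARE\Policies\Microsoft\Windows\Installer" `
        -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
}
$alwaysInstallElevated = (@($aie | Where-Object { $_ -eq 1 }).Count -eq 2)

[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    WdacUserModeState        = $wdacUser
    WdacKernelModeState      = $wdacKernel
    AppLockerCollections     = (($appLocker | ForEach-Object { "$($_.Collection)=$($_.Mode)/$($_.Rules)" }) -join ';')
    Allowlisting_3_4_8       = $allowlisting
    LocalAdmins              = ($admins.Name -join ';')
    UnexpectedAdmins         = ($unexpectedAdmins.Name -join ';')
    AlwaysInstallElevated    = $alwaysInstallElevated
    UserInstallControl_3_4_9 = ($unexpectedAdmins.Count -eq 0 -and -not $alwaysInstallElevated)
}
```

The two verdict fields are deliberately strict: a WDAC policy in audit mode or an AppLocker collection in AuditOnly shows up in the state fields but does not set Allowlisting_3_4_8, because neither blocks anything. Collect the output across the fleet and the aggregate is the "blocked execution" and "admin rights audit" evidence the two controls ask for.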
IA Identification and Authentication — MFA, password policies, and credential management
45% Compliant 11 Controls
3.5.1
3.5.2
3.5.10
3.5.11
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
Detail View
IA.L1-3.5.1 Identification ✓ Pass -5
Requirement (NIST 800-171 § 3.5.1) • Level L1 • Severity: critical
Identify information system users, processes acting on behalf of users, or devices.
Assessment Evidence (What We Found)
User identification: 150 users in directory
How to Prove It (Assessor Evidence)
Export your Azure AD user directory showing unique identity per person. Show that shared/generic accounts are prohibited by policy.
IA.L1-3.5.2 Authentication ✓ Pass -5
Requirement (NIST 800-171 § 3.5.2) • Level L1 • Severity: critical
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Assessment Evidence (What We Found)
Authentication configured, MFA coverage: 94.0%
How to Prove It (Assessor Evidence)
Show authentication policy requiring MFA or strong credential. Provide Entra ID Authentication Methods report showing enrolled methods.
IA.L2-3.5.10 Cryptographic Password Protection — Not Assessed -5
Requirement (NIST 800-171 § 3.5.10) • Level L2 • Severity: critical
Store and transmit only cryptographically-protected passwords.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Show how passwords are stored and transmitted: Entra ID stores only salted password hashes and authenticates over TLS; if password hash synchronization from on-premises AD is in use, document that a re-hashed value, not the original hash, is synchronized. FIDO2 or certificate-based authentication enrollment numbers and a Conditional Access policy requiring phishing-resistant MFA for privileged users support this control by reducing password use, but do not replace the storage and transmission evidence.
IA.L2-3.5.11 Obscure Feedback — Not Assessed -1
Requirement (NIST 800-171 § 3.5.11) • Level L2 • Severity: low
Obscure feedback of authentication information during the authentication process.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Sign-in page screenshots; Error message samples; Security testing results
IA.L2-3.5.3 Multifactor Authentication ✗ Fail -5 ✗ Evidence Gap (manual)
Requirement (NIST 800-171 § 3.5.3) • Level L2 • Severity: critical
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] MFA enforcement gap: 35% of network access points lack MFA; VPN concentrator allows password-only authentication for 12 service accounts. [Graph API] MFA coverage: 94.0% users, 100.0% admins. Note: Evidence platform result takes precedence over Graph API.
How to Prove It (Assessor Evidence)
Show MFA enrollment report from Entra ID. Export Conditional Access policy requiring MFA for all users. Document any exceptions with business justification and compensating controls.
Gap — What Closes This
  • 1. Extend MFA to the remaining users and to the network access points that lack it (35% of access points; 12 password-only VPN service accounts need certificate-based authentication or removal)
  • 2. Enforce MFA for all users and all apps through a Conditional Access policy rather than legacy per-user MFA settings
  • 3. Require phishing-resistant MFA for admins (FIDO2/WHfB) through a Conditional Access authentication strength
Linked Finding
CMMC-IA.L2-3.5.3 — CMMC IA.L2-3.5.3: Multifactor Authentication (Fail)
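The Entra ID side of the evidence above (enrollment report, tenant-wide Conditional Access MFA policy, documented exceptions), collected with Microsoft Graph PowerShell as an added example that is not part of the assessment report or of Microsoft's tooling. It assumes the Microsoft.Graph module, the Reports.Read.All and Policy.Read.All scopes, and an output folder in $OutDir; the set of methods counted as phishing-resistant (FIDO2, Windows Hello for Business, passkeys) is a design choice of this example. It does not see the VPN concentrator, so the 35% network-access gap still needs separate evidence.

```powershell
# Added example, not from the assessment report. Collects the Entra ID evidence
# IA.L2-3.5.3 asks for via Microsoft Graph PowerShell (Microsoft.Graph module
# assumed): who is not MFA-registered, whether an enabled Conditional Access
# policy requires MFA for all users on all apps, and which admins lack a
# phishing-resistant method. Output paths are assumptions.
param([string] $OutDir = '.\evidence-IA-3.5.3')   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

Connect-MgGraph -Scopes 'Reports.Read.All', 'Policy.Read.All' -NoWelcome

# 1. Registration state per user (the "MFA enrollment report").
$reg = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$notRegistered = @($reg | Where-Object { -not $_.IsMfaRegistered })

# Phishing-resistant methods only; Authenticator push/passwordless and OTP do not count.
$phishResistant = 'fido2|windowsHelloForBusiness|passKey'
$adminsWeak = @($reg | Where-Object {
    $_.IsAdmin -and -not ($_.MethodsRegistered -match $phishResistant)
})
$coverage = [math]::Round(100 * ($reg.Count - $notRegistered.Count) / [math]::Max($reg.Count, 1), 1)

# 2. Conditional Access: is MFA enforced tenant-wide? Report-only policies
#    (state enabledForReportingButNotEnforced) are excluded on purpose.
$policies = @(Get-MgIdentityConditionalAccessPolicy -All)
$mfaAll = @($policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
})

# Every exclusion on those policies is an exception the assessor will ask about.
$exceptions = $mfaAll | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.DisplayName
        ExcludedUsers  = ($_.Conditions.Users.ExcludeUsers  -join ';')
        ExcludedGroups = ($_.Conditions.Users.ExcludeGroups -join ';')
        ExcludedRoles  = ($_.Conditions.Users.ExcludeRoles  -join ';')
    }
}

# 3. Write the artifacts named in the assessor evidence list.
$methods = @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } }
$reg           | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable, $methods |
    Export-Csv "$OutDir\mfa-registration.csv" -NoTypeInformation
$notRegistered | Select-Object UserPrincipalName, IsAdmin |
    Export-Csv "$OutDir\mfa-not-registered.csv" -NoTypeInformation
$adminsWeak    | Select-Object UserPrincipalName, $methods |
    Export-Csv "$OutDir\admins-not-phishing-resistant.csv" -NoTypeInformation
$policies      | ConvertTo-Json -Depth 10 | Set-Content "$OutDir\conditional-access-policies.json"
$exceptions    | Export-Csv "$OutDir\ca-mfa-exceptions.csv" -NoTypeInformation

[pscustomobject]@{
    UsersTotal                   = $reg.Count
    MfaRegisteredPct             = $coverage
    UsersNotRegistered           = $notRegistered.Count
    AdminsNotPhishingResistant   = $adminsWeak.Count
    CaPoliciesEnforcingMfaForAll = $mfaAll.Count
    Pass = ($notRegistered.Count -eq 0 -and $adminsWeak.Count -eq 0 -and $mfaAll.Count -ge 1)
}
```

The registration report says who could satisfy an MFA prompt; only the Conditional Access check says whether they are ever asked. A tenant can show 94% registration and still leave every legacy-protocol or excluded-group sign-in password-only, which is why the exceptions file matters as much as the coverage number.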
IA.L2-3.5.4 Replay-Resistant Authentication ✓ Pass -3 ✓ Verified (powershell)
Requirement (NIST 800-171 § 3.5.4) • Level L2 • Severity: high
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Assessment Evidence (What We Found)
[Evidence Platform (PowerShell)] Replay-resistant auth verified: FIDO2 keys deployed to all admins; Windows Hello for Business enabled for 78% of users; session tokens use rolling nonces
How to Prove It (Assessor Evidence)
Assessor evidence: Token lifetime configuration; CAE configuration; Authentication architecture doc
IA.L2-3.5.5 Identifier Reuse Prevention — Not Assessed -1
Requirement (NIST 800-171 § 3.5.5) • Level L2 • Severity: medium
Prevent reuse of identifiers for a defined period.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: User deletion policy; Soft-delete configuration; Terminated user records
IA.L2-3.5.6 Identifier Disabling — Not Assessed -1
Requirement (NIST 800-171 § 3.5.6) • Level L2 • Severity: medium
Disable identifiers after a defined period of inactivity.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Inactive account report; Access review configuration; Automation scripts
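One form the "inactive account report" and "automation scripts" above can take, as an added example that is not part of the assessment report: a Microsoft Graph PowerShell script that lists enabled users whose most recent interactive or non-interactive sign-in is older than the defined period and, with -Disable, disables rather than deletes them. It assumes the Microsoft.Graph module, Entra ID P1/P2 (signInActivity is a licensed property), the User.Read.All and AuditLog.Read.All scopes, and that the 90-day window and the $Exclude list are set from policy; break-glass accounts belong in $Exclude.

```powershell
# Added example, not from the assessment report. Inactive account report for
# IA.L2-3.5.6 using Microsoft Graph PowerShell (Microsoft.Graph module assumed).
# signInActivity needs Entra ID P1/P2 and the AuditLog.Read.All scope.
# The 90-day window and the exclusion list are assumptions; set both from policy
# (break-glass accounts must be excluded, never disabled by automation).
param(
    [int]      $InactiveDays = 90,
    [string[]] $Exclude      = @(),     # UPNs to skip, e.g. break-glass accounts
    [switch]   $Disable
)

$scopes = @('User.Read.All', 'AuditLog.Read.All')
if ($Disable) { $scopes += 'User.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$now    = [datetime]::UtcNow
$cutoff = $now.AddDays(-$InactiveDays)

$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, SignInActivity

$inactive = foreach ($u in $users) {
    if (-not $u.AccountEnabled -or $u.UserPrincipalName -in $Exclude) { continue }

    # Take the most recent of interactive and non-interactive sign-in. A user who
    # has never signed in is aged from account creation, so freshly provisioned
    # accounts are not flagged on day one but stale never-used ones still are.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last) { $last = $u.CreatedDateTime }

    if ($last -and $last -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType          # Member vs Guest: guests often dominate this list
            LastActivityUtc   = $last
            InactiveDays      = [int]($now - $last).TotalDays
            Id                = $u.Id
        }
    }
}
$inactive = @($inactive)

$inactive | Sort-Object InactiveDays -Descending |
    Export-Csv ".\inactive-users-$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation
"$($inactive.Count) enabled accounts inactive for more than $InactiveDays days"

if ($Disable) {
    foreach ($acct in $inactive) {
        # Disable, do not delete: 3.5.5 (identifier reuse) wants the identifier retained.
        Update-MgUser -UserId $acct.Id -AccountEnabled:$false
    }
}
```

Service accounts that authenticate as users will appear here because their sign-ins are non-interactive; the script already counts non-interactive sign-ins, so an account on the list genuinely has not authenticated by either path. Disabling is the right first action for this control; deletion is a separate decision governed by the identifier-reuse period in 3.5.5.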
IA.L2-3.5.7 Password Complexity ✓ Pass -3 ✓ Verified (powershell)
Requirement (NIST 800-171 § 3.5.7) • Level L2 • Severity: high
Enforce a minimum password complexity and change of characters when new passwords are created.
Assessment Evidence (What We Found)
[Evidence Platform (PowerShell)] Password policy: 14-char minimum, 24-password history, 60-day max age; fine-grained policy for admin accounts requires 16-char minimum
How to Prove It (Assessor Evidence)
Export password policy settings from Entra ID. Show banned password list configuration. Demonstrate complexity requirements meet NIST 800-63B guidance.
IA.L2-3.5.8 Password Reuse Prohibition ✓ Pass -3
Requirement (NIST 800-171 § 3.5.8) • Level L2 • Severity: medium
Prohibit password reuse for a specified number of generations.
Assessment Evidence (What We Found)
Password reuse: policy enforced across 3 verified domains; the 24-password history recorded under 3.5.7 is the reuse control, and Entra ID cloud accounts additionally reject reuse of the immediately preceding password on change
How to Prove It (Assessor Evidence)
Assessor evidence: Password policy documentation; Banned password configuration; Passwordless adoption metrics
IA.L2-3.5.9 Temporary Passwords — Not Assessed -1
Requirement (NIST 800-171 § 3.5.9) • Level L2 • Severity: medium
Allow temporary password use for system logons with an immediate change to a permanent password.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: New user provisioning process; TAP configuration; Password change logs
IR Incident Response — Detecting, reporting, and recovering from security incidents
0% Compliant 3 Controls
3.6.1
3.6.2
3.6.3
Detail View
IR.L2-3.6.1 Incident Handling ◔ Partial -5 ◔ Partial (manual)
Requirement (NIST 800-171 § 3.6.1) • Level L2 • Severity: high
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] Incident response plan exists but last reviewed 14 months ago; IR team roster outdated (2 members departed); no tabletop exercise conducted in past 12 months
How to Prove It (Assessor Evidence)
Provide your Incident Response Plan document. Show Defender/Sentinel alert configurations and incident workflow. Provide sample incident report from the last 12 months.
Gap — What Closes This
  • 1. Review and reissue the incident response plan (last reviewed 14 months ago) on a defined annual cycle
  • 2. Update the IR team roster and escalation contacts (2 departed members still listed) and define incident severity levels
  • 3. Conduct a tabletop exercise (none in the past 12 months) that walks the Defender/Sentinel incident workflow end to end, and record lessons learned
Linked Finding
CMMC-IR.L2-3.6.1 — CMMC IR.L2-3.6.1: Incident Handling (Partial)
IR.L2-3.6.2 Incident Reporting — Not Assessed -5
Requirement (NIST 800-171 § 3.6.2) • Level L2 • Severity: high
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Incident reporting procedures; Incident log/tickets; Sample incident reports
IR.L2-3.6.3 Incident Response Testing — Not Assessed -3
Requirement (NIST 800-171 § 3.6.3) • Level L2 • Severity: medium
Test the organizational incident response capability.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Tabletop exercise records; Simulation results; Lessons learned documentation
MA Maintenance — Controlled system maintenance and remote maintenance tools
0% Compliant 6 Controls
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
Detail View
MA.L2-3.7.1 System Maintenance — Not Assessed -3
Requirement (NIST 800-171 § 3.7.1) • Level L2 • Severity: medium
Perform maintenance on organizational systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Maintenance schedule; Maintenance procedures; Maintenance logs
MA.L2-3.7.2 Maintenance Controls — Not Assessed -3
Requirement (NIST 800-171 § 3.7.2) • Level L2 • Severity: medium
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Authorized personnel list; Tool inventory; Maintenance approval records
MA.L2-3.7.3 Equipment Sanitization — Not Assessed -3
Requirement (NIST 800-171 § 3.7.3) • Level L2 • Severity: high
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Sanitization procedures; Sanitization records; Verification checklists
MA.L2-3.7.4 Media Inspection — Not Assessed -1
Requirement (NIST 800-171 § 3.7.4) • Level L2 • Severity: medium
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Media inspection procedures; Scan logs; Device control policies
MA.L2-3.7.5 Nonlocal Maintenance — Not Assessed -3
Requirement (NIST 800-171 § 3.7.5) • Level L2 • Severity: high
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Assessment Evidence (What We Found)
No automated evidence mapping available - manual assessment required
How to Prove It (Assessor Evidence)
Assessor evidence: MFA policy for admins; Azure Bastion configuration; Session logs
MA.L2-3.7.6 Maintenance Personnel — Not Assessed -1
Requirement (NIST 800-171 § 3.7.6) • Level L2 • Severity: medium
Supervise the maintenance activities of maintenance personnel without required access authorization.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Supervision policy; Visitor logs; Access authorization records
MP Media Protection — Protecting CUI on digital and physical media
0% Compliant 9 Controls
3.8.3
3.8.1
3.8.2
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
Detail View
MP.L1-3.8.3 Media Disposal — Not Assessed -5
Requirement (NIST 800-171 § 3.8.3) • Level L1 • Severity: high
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Sanitization procedures; Destruction certificates; Asset disposal records
MP.L2-3.8.1 Media Protection — Not Assessed -3
Requirement (NIST 800-171 § 3.8.1) • Level L2 • Severity: high
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Show sensitivity labels configured in Microsoft Purview. Demonstrate that CUI media is marked and protected by label policies.
MP.L2-3.8.2 Media Access — Not Assessed -3
Requirement (NIST 800-171 § 3.8.2) • Level L2 • Severity: high
Limit access to CUI on system media to authorized users.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Authorized user list; Access logs; Access review records
MP.L2-3.8.4 Media Markings — Not Assessed -1
Requirement (NIST 800-171 § 3.8.4) • Level L2 • Severity: medium
Mark media with necessary CUI markings and distribution limitations.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Marking procedures; Sample marked documents; Training records
MP.L2-3.8.5 Media Accountability — Not Assessed -3
Requirement (NIST 800-171 § 3.8.5) • Level L2 • Severity: high
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Transport logs; Chain of custody forms; Receipt confirmations
MP.L2-3.8.6 Portable Storage Encryption — Not Assessed -3
Requirement (NIST 800-171 § 3.8.6) • Level L2 • Severity: critical
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: USB encryption policy; BitLocker configuration; Device control settings
MP.L2-3.8.7 Removable Media Control — Not Assessed -3
Requirement (NIST 800-171 § 3.8.7) • Level L2 • Severity: high
Control the use of removable media on system components.
Assessment Evidence (What We Found)
No automated evidence mapping available - manual assessment required
How to Prove It (Assessor Evidence)
Assessor evidence: Device restriction policy; Defender device control rules; Usage logs
MP.L2-3.8.8 Shared Media — Not Assessed -1
Requirement (NIST 800-171 § 3.8.8) • Level L2 • Severity: medium
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Media ownership policy; Device inventory; Training records
MP.L2-3.8.9 CUI Backup Protection — Not Assessed -3
Requirement (NIST 800-171 § 3.8.9) • Level L2 • Severity: high
Protect the confidentiality of backup CUI at storage locations.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Backup encryption settings; Access controls for backup; Restore test records
PE Physical Protection — Physical access controls and environmental protections
0% Compliant 6 Controls
3.10.1
3.10.3
3.10.4
3.10.5
3.10.2
3.10.6
Detail View
PE.L1-3.10.1 Physical Access Control — Not Assessed -5
Requirement (NIST 800-171 § 3.10.1) • Level L1 • Severity: high
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Access control policy; Authorized personnel list; Access logs
PE.L1-3.10.3 Escort Visitors — Not Assessed -1
Requirement (NIST 800-171 § 3.10.3) • Level L1 • Severity: medium
Escort visitors and monitor visitor activity.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Visitor policy; Visitor logs; Badge issuance records
PE.L1-3.10.4 Physical Access Logs — Not Assessed -1
Requirement (NIST 800-171 § 3.10.4) • Level L1 • Severity: medium
Maintain audit logs of physical access.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Access log samples; Log retention settings; Review records
PE.L1-3.10.5 Physical Access Devices — Not Assessed -1
Requirement (NIST 800-171 § 3.10.5) • Level L1 • Severity: medium
Control and manage physical access devices.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Device inventory; Issuance records; Deactivation logs
PE.L2-3.10.2 Facility Protection — Not Assessed -1
Requirement (NIST 800-171 § 3.10.2) • Level L2 • Severity: high
Protect and monitor the physical facility and support infrastructure for organizational systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Surveillance system documentation; Monitoring procedures; Patrol logs
PE.L2-3.10.6 Alternative Work Sites — Not Assessed -1
Requirement (NIST 800-171 § 3.10.6) • Level L2 • Severity: medium
Enforce safeguarding measures for CUI at alternate work sites.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Telework policy; Security requirements checklist; Training records
PS Personnel Security — Screening, termination, and personnel transfers
0% Compliant 2 Controls
3.9.1
3.9.2
Detail View
PS.L2-3.9.1 Screen Individuals — Not Assessed -3
Requirement (NIST 800-171 § 3.9.1) • Level L2 • Severity: high
Screen individuals prior to authorizing access to organizational systems containing CUI.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Background check policy; Screening records; Re-screening schedule
PS.L2-3.9.2 Personnel Actions — Not Assessed -3
Requirement (NIST 800-171 § 3.9.2) • Level L2 • Severity: high
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Offboarding checklist; Account disable records; Device return records
RA Risk Assessment — Identifying and evaluating organizational risk
33% Compliant 3 Controls
3.11.1
3.11.2
3.11.3
Detail View
RA.L2-3.11.1 Risk Assessments — Not Assessed -5
Requirement (NIST 800-171 § 3.11.1) • Level L2 • Severity: high
Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Risk assessment report; Risk register; Data flow diagrams
RA.L2-3.11.2 Vulnerability Scanning ✓ Pass -3
Requirement (NIST 800-171 § 3.11.2) • Level L2 • Severity: high
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Assessment Evidence (What We Found)
Vulnerability scanning: 85 tracked (12 critical)
How to Prove It (Assessor Evidence)
Show vulnerability scanning is active (Defender Vulnerability Management or third-party). Provide scan results and remediation tracking evidence.
RA.L2-3.11.3 Vulnerability Remediation — Not Assessed -3
Requirement (NIST 800-171 § 3.11.3) • Level L2 • Severity: high
Remediate vulnerabilities in accordance with risk assessments.
Assessment Evidence (What We Found)
No automated evidence mapping available - manual assessment required
How to Prove It (Assessor Evidence)
Assessor evidence: Remediation SLA document; Patch compliance reports; Risk acceptance records
SC System and Communications Protection — Boundary protection, encryption, and network segmentation
25% Compliant 16 Controls
3.13.1
3.13.5
3.13.10
3.13.11
3.13.12
3.13.13
3.13.14
3.13.15
3.13.16
3.13.2
3.13.3
3.13.4
3.13.6
3.13.7
3.13.8
3.13.9
Detail View
SC.L1-3.13.1 Boundary Protection — Not Assessed -5
Requirement (NIST 800-171 § 3.13.1) • Level L1 • Severity: critical
Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of information systems.
Assessment Evidence (What We Found)
No automated evidence mapping available - manual assessment required
How to Prove It (Assessor Evidence)
Assessor evidence: Firewall rules; NSG configuration; Traffic monitoring dashboards
SC.L1-3.13.5 Public Access System Separation — Not Assessed -3
Requirement (NIST 800-171 § 3.13.5) • Level L1 • Severity: high
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Assessment Evidence (What We Found)
No automated evidence mapping available - manual assessment required
How to Prove It (Assessor Evidence)
Assessor evidence: Network architecture diagram; Subnet configuration; NSG rules
SC.L2-3.13.10 Cryptographic Key Management — Not Assessed -3
Requirement (NIST 800-171 § 3.13.10) • Level L2 • Severity: high
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Key Vault configuration; Key rotation policy; Access policies
SC.L2-3.13.11 CUI Encryption ✓ Pass -5 ✓ Verified (powershell)
Requirement (NIST 800-171 § 3.13.11) • Level L2 • Severity: critical
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Assessment Evidence (What We Found)
[Evidence Platform (PowerShell)] CUI encryption at rest verified: BitLocker enabled on 47/48 endpoints (98%); Azure Storage encryption with customer-managed keys for CUI blob containers
How to Prove It (Assessor Evidence)
Assessor evidence: FIPS compliance documentation (CMVP certificates for the Windows cryptographic modules on the deployed builds; BitLocker being enabled is not by itself evidence of FIPS-validated cryptography); Encryption configuration, including the 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' policy setting and the BitLocker cipher in use; Azure compliance attestation for the storage encryption and customer-managed keys
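A per-endpoint check that separates "BitLocker on" from "FIPS-validated cryptography in use", as an added example that is not part of the assessment report or of the evidence platform's PowerShell: run elevated, it records the FIPS policy state, the OS build (needed to match a CMVP certificate), and for each volume the BitLocker status, cipher and key protectors. The pass criteria at the end are this example's assumptions and should be aligned with the System Security Plan.

```powershell
# Added example, not from the assessment report. Per-endpoint check behind
# SC.L2-3.13.11: "BitLocker on" is not the same as "FIPS-validated cryptography
# in use". Collects the FIPS policy state and, per volume, BitLocker status,
# cipher and key protectors. Run elevated (Get-BitLockerVolume requires it).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

$volumes = foreach ($v in Get-BitLockerVolume) {
    [pscustomobject]@{
        MountPoint = $v.MountPoint
        Type       = [string]$v.VolumeType        # OperatingSystem / Data
        Status     = [string]$v.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Protection = [string]$v.ProtectionStatus  # On / Off (Off = suspended or no protectors)
        Cipher     = [string]$v.EncryptionMethod  # XtsAes256, XtsAes128, Aes256, Aes128, None
        Protectors = ($v.KeyProtector.KeyProtectorType -join ',')   # Tpm, TpmPin, RecoveryPassword, ...
    }
}

$os = $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
$dataUnprotected = @($volumes | Where-Object { $_.Type -eq 'Data' -and $_.Protection -ne 'On' })

# Pass criteria (assumed for this example; align with the SSP):
#  - FIPS policy on, so Windows uses its validated modules and refuses non-approved algorithms
#  - OS volume fully encrypted, protection on (not suspended), XTS-AES cipher
#  - no data volume left unprotected
$pass = $fipsEnabled -and $os.Status -eq 'FullyEncrypted' -and $os.Protection -eq 'On' `
        -and $os.Cipher -like 'XtsAes*' -and $dataUnprotected.Count -eq 0

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OsBuild         = [System.Environment]::OSVersion.Version.ToString()   # match this against the CMVP listing
    FipsPolicy      = $fipsEnabled
    OsVolume        = "$($os.MountPoint) $($os.Status) $($os.Cipher) [$($os.Protectors)]"
    UnprotectedData = ($dataUnprotected.MountPoint -join ';')
    Pass_3_13_11    = [bool]$pass
}
$volumes | Format-Table -AutoSize
```

The OsBuild field is there because a CMVP certificate is issued for a specific module version on specific platforms; the assessor will want the build in the fleet tied to a certificate, not a generic statement that "Windows is FIPS validated". A volume reporting FullyEncrypted with Protection Off is a suspended BitLocker state (for example after a firmware update), which the check treats as a fail.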
SC.L2-3.13.12 Collaborative Device Control — Not Assessed -1
Requirement (NIST 800-171 § 3.13.12) • Level L2 • Severity: medium
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Teams admin settings; Device configuration profiles; Training records
SC.L2-3.13.13 Mobile Code Control — Not Assessed -1
Requirement (NIST 800-171 § 3.13.13) • Level L2 • Severity: medium
Control and monitor the use of mobile code.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Browser security configuration; Macro settings; WDAC policies
SC.L2-3.13.14 Voice over IP Control — Not Assessed -1
Requirement (NIST 800-171 § 3.13.14) • Level L2 • Severity: medium
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Teams voice configuration; VoIP policy; Call quality reports
SC.L2-3.13.15 Communications Authenticity — Not Assessed -1
Requirement (NIST 800-171 § 3.13.15) • Level L2 • Severity: high
Protect the authenticity of communications sessions.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Email authentication records (DMARC); TLS configuration; Certificate validation
SC.L2-3.13.16 Data at Rest Encryption ✓ Pass -5
Requirement (NIST 800-171 § 3.13.16) • Level L2 • Severity: critical
Protect the confidentiality of CUI at rest.
Assessment Evidence (What We Found)
CUI at rest: 97% device compliance (includes BitLocker/encryption requirements in compliance policies)
How to Prove It (Assessor Evidence)
Assessor evidence: Intune encryption compliance; Azure storage encryption; BitLocker reports
SC.L2-3.13.2 Security Engineering ◔ Partial -3 POA&M Eligible ◔ Partial (manual)
Requirement (NIST 800-171 § 3.13.2) • Level L2 • Severity: high
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Assessment Evidence (What We Found)
[Evidence Platform (Manual)] Architectural design partially documented: network diagram exists but lacks CUI data flow annotations; boundary protection documented for external but not internal segments
How to Prove It (Assessor Evidence)
Assessor evidence: Security architecture document; Design review records; Development standards
Gap — What Closes This
  1. Document security architecture
  2. Follow secure development practices
  3. Conduct security design reviews
Linked Finding
CMMC-SC.L2-3.13.2 — CMMC SC.L2-3.13.2: Security Engineering (Partial)
SC.L2-3.13.3 Role Separation — Not Assessed -3
Requirement (NIST 800-171 § 3.13.3) • Level L2 • Severity: medium
Separate user functionality from system management functionality.
Assessment Evidence (What We Found)
No automated evidence mapping available - manual assessment required
How to Prove It (Assessor Evidence)
Assessor evidence: Admin account inventory; CA policy for admin portals; PIM configuration
SC.L2-3.13.4 Shared Resource Control — Not Assessed -1
Requirement (NIST 800-171 § 3.13.4) • Level L2 • Severity: medium
Prevent unauthorized and unintended information transfer via shared system resources.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Resource isolation documentation; DLP policies; Access reviews
SC.L2-3.13.6 Network Communication by Exception ✓ Pass -3 ✓ Verified (powershell)
Requirement (NIST 800-171 § 3.13.6) • Level L2 • Severity: high
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Assessment Evidence (What We Found)
[Evidence Platform (PowerShell)] Default-deny firewall: all 3 Windows Firewall profiles enabled with default block inbound; 23 explicit allow rules reviewed and documented
How to Prove It (Assessor Evidence)
Assessor evidence: NSG rules with deny-all default; Rule justification document; Review records
SC.L2-3.13.7 Split Tunneling Prevention — Not Assessed -1
Requirement (NIST 800-171 § 3.13.7) • Level L2 • Severity: medium
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: VPN configuration; Split tunnel policy; Test results
SC.L2-3.13.8 Data in Transit Encryption ✓ Pass -5 ✓ Verified (api_auto)
Requirement (NIST 800-171 § 3.13.8) • Level L2 • Severity: critical
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Assessment Evidence (What We Found)
[Evidence Platform (API Auto)] TLS 1.2+ enforced on all endpoints: 100% of Exchange Online connections use TLS 1.2; legacy TLS disabled via CA policy; SharePoint Online HTTPS-only. [Graph API] Encryption: Disabled, DKIM: Disabled, DMARC: Disabled, SPF: Disabled. Note: Evidence platform result takes precedence over Graph API.
How to Prove It (Assessor Evidence)
Show email encryption settings (TLS enforcement, S/MIME or OME). Provide DKIM, DMARC, and SPF configuration records.
SC.L2-3.13.9 Connection Termination — Not Assessed -1
Requirement (NIST 800-171 § 3.13.9) • Level L2 • Severity: medium
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Assessment Evidence (What We Found)
Manual assessment required - outside M365 API scope
How to Prove It (Assessor Evidence)
Assessor evidence: Session timeout configuration; VPN timeout settings; Test results
SI System and Information Integrity — Malware protection, patching, and security monitoring
100% Compliant 7 Controls
SI.L1-3.14.1 Flaw Remediation ✓ Pass -3
Requirement (NIST 800-171 § 3.14.1) • Level L1 • Severity: high
Identify, report, and correct information and information system flaws in a timely manner.
Assessment Evidence (What We Found)
MDE protection coverage: 90% (65/15 devices)
How to Prove It (Assessor Evidence)
Show Microsoft Defender for Endpoint deployment status across all devices. Export protection coverage percentage and any exclusions.
SI.L1-3.14.2 Malicious Code Protection ✓ Pass -5
Requirement (NIST 800-171 § 3.14.2) • Level L1 • Severity: critical
Provide protection from malicious code at appropriate locations within organizational information systems.
Assessment Evidence (What We Found)
Real-time protection enabled on 65 devices, 8 malware events detected
How to Prove It (Assessor Evidence)
Show real-time protection is enabled on all endpoints. Provide malware detection/remediation report for the last 90 days.
SI.L1-3.14.4 Update Malicious Code Protection ✓ Pass -1
Requirement (NIST 800-171 § 3.14.4) • Level L1 • Severity: high
Update malicious code protection mechanisms when new releases are available.
Assessment Evidence (What We Found)
Update/patch protection: MDE coverage 90%, device compliance 97%
How to Prove It (Assessor Evidence)
Assessor evidence: Definition update status; Update policy configuration; Currency reports
SI.L1-3.14.5 System & File Scanning ✓ Pass -1
Requirement (NIST 800-171 § 3.14.5) • Level L1 • Severity: high
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Assessment Evidence (What We Found)
System scanning: MDE monitoring 15 devices, 45 alerts generated
How to Prove It (Assessor Evidence)
Assessor evidence: Scan schedule configuration; Real-time protection status; Scan history
SI.L2-3.14.3 Security Alerts & Advisories ✓ Pass -1
Requirement (NIST 800-171 § 3.14.3) • Level L2 • Severity: high
Monitor system security alerts and advisories and take action in response.
Assessment Evidence (What We Found)
MDE security alerts configured: 45 total alerts, 0 critical
How to Prove It (Assessor Evidence)
Assessor evidence: Sentinel alert rules; Alert triage records; Response procedures
SI.L2-3.14.6 Monitor Communications ✓ Pass -1
Requirement (NIST 800-171 § 3.14.6) • Level L2 • Severity: high
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Assessment Evidence (What We Found)
Communications monitoring requires Defender/Sentinel
How to Prove It (Assessor Evidence)
Assessor evidence: Sentinel data connectors; NSG flow logs; CASB configuration
SI.L2-3.14.7 Identify Unauthorized Use ✓ Pass -1
Requirement (NIST 800-171 § 3.14.7) • Level L2 • Severity: high
Identify unauthorized use of organizational systems.
Assessment Evidence (What We Found)
Unauthorized use detection: 0 risky users, 45 MDE alerts
How to Prove It (Assessor Evidence)
Assessor evidence: Identity Protection configuration; UEBA alerts; Investigation records
Plan of Action & Milestones (POA&M)
A POA&M documents known security deficiencies and your plan to fix them. Under CMMC, you may submit a POA&M for eligible practices and still receive a Conditional certification, provided all blocker practices are met and deficiencies are remediated within 180 days. The table below is auto-generated from your failing practices in the format C3PAO assessors expect.
2 Blockers Found: Practices marked "No (Blocker)" under POA&M Eligible are not eligible for a Plan of Action — they must be fully implemented before a C3PAO will grant certification. These are typically weight-5 controls protecting CUI confidentiality.
CMMC Plan of Action and Milestones
Practice ID | Weakness Description | Domain | Weight | Status | POA&M Eligible | Responsible Party | Planned Remediation | Milestone
AC.L2-3.1.13 | Remote Access Encryption | AC - Access Control | -5 | Partial | Eligible | Network Security | 1. Ensure TLS 1.2+ for all Azure/M365 connections (default) | 180 days
AC.L2-3.1.15 | Privileged Remote Access | AC - Access Control | -5 | Partial | Eligible | Identity & Access Management | 1. Use PIM for remote privileged access | 180 days
AC.L2-3.1.19 | Encrypt CUI on Mobile | AC - Access Control | -5 | Partial | Eligible | IT Operations | 1. Require device encryption in Intune compliance policy | 180 days
IA.L2-3.5.3 | Multifactor Authentication | IA - Identification and Authentication | -5 | Not Implemented | Blocker | Identity & Access Management | 1. Enable MFA for all users: Entra ID > Security > MFA | 180 days
IR.L2-3.6.1 | Incident Handling | IR - Incident Response | -5 | Partial | Blocker | Security Operations | 1. Document incident response plan | 180 days
AC.L2-3.1.10 | Session Lock | AC - Access Control | -3 | Partial | Eligible | IT Operations | 1. Configure Intune device configuration for screen lock timeout | 180 days
AC.L2-3.1.11 | Session Termination | AC - Access Control | -3 | Partial | Eligible | Identity & Access Management | 1. Configure Conditional Access sign-in frequency | 180 days
AC.L2-3.1.12 | Remote Access Control | AC - Access Control | -3 | Partial | Eligible | Network Security | 1. Configure Conditional Access for remote access scenarios | 180 days
AC.L2-3.1.14 | Remote Access Routing | AC - Access Control | -3 | Partial | Eligible | Network Security | 1. Use Azure AD as central identity provider | 180 days
AC.L2-3.1.18 | Mobile Device Connection | AC - Access Control | -3 | Partial | Eligible | IT Operations | 1. Configure Intune MDM enrollment requirements | 180 days
AC.L2-3.1.21 | Portable Storage Use | AC - Access Control | -3 | Partial | Eligible | IT Operations | 1. Configure Intune device restrictions for removable storage | 180 days
AC.L2-3.1.6 | Non-Privileged Account Use | AC - Access Control | -3 | Not Implemented | Eligible | Identity & Access Management | 1. Ensure admins have separate non-privileged accounts for daily work | 180 days
AU.L2-3.3.4 | Audit Failure Alerting | AU - Audit and Accountability | -3 | Not Implemented | Eligible | Security Operations | 1. Configure Azure Monitor alerts for log collection failures | 180 days
CM.L2-3.4.5 | Access Restrictions for Change | CM - Configuration Management | -3 | Partial | Eligible | Identity & Access Management | 1. Restrict system change access to authorized admins | 180 days
CM.L2-3.4.8 | Application Allowlisting | CM - Configuration Management | -3 | Partial | Eligible | Endpoint Security | 1. Deploy Windows Defender Application Control (WDAC) | 180 days
CM.L2-3.4.9 | User-Installed Software | CM - Configuration Management | -3 | Partial | Eligible | IT Operations | 1. Remove local admin rights from standard users | 180 days
SC.L2-3.13.2 | Security Engineering | SC - System and Communications Protection | -3 | Partial | Eligible | Security Engineering | 1. Document security architecture | 180 days

17 total deficiencies • 2 blockers • 15 POA&M eligible

CIS v8
27% Compliant: Implemented 3 (27%), Partial 8 (73%), Non-compliant 0 (0%)
Compliance 27.3% · Pass 3 · Partial 8 · Fail 0 · Not Assessed 7 · Coverage 61.1%
CIS v8 compliance controls
Control ID | Name | Category | Status | Evidence
CIS-1 | Inventory and Control of Enterprise Assets | Inventory and Control | ✓ Pass | Managed devices inventoried: 150
CIS-2 | Inventory and Control of Software Assets | Inventory and Control | ◔ Partial | Application inventory: 0 apps, vulnerability signals: 85, recommendations: 0
CIS-3 | Data Protection | Data Protection | — Not Assessed | DLP policies: 0, sensitivity labels: 0, retention policies: 0, records enabled: No [Evidence available -- manual review recommended]
CIS-4 | Secure Configuration of Enterprise Assets and Software | Secure Configuration | ◔ Partial | Device compliance: 96.7%, config policies: 0, compliance policies: 0
CIS-5 | Account Management | Identity and Access | ✓ Pass | Directory account inventory observed for 150 users
CIS-6 | Access Control Management | Identity and Access | ✓ Pass | MFA coverage: 94.0% with 12 CA policies enabled
CIS-7 | Continuous Vulnerability Management | Vulnerability Management | ◔ Partial | Secure Score: 56.7% with 0 remediation recommendations
CIS-8 | Audit Log Management | Monitoring and Detection | — Not Assessed | Sign-in events: 0, alerts: 0, active threat signals: 0 [Evidence available -- manual review recommended]
CIS-9 | Email and Web Browser Protections | Malware Defense | — Not Assessed | Email controls enabled: 0/7 (Safe Links=No, Safe Attachments=No) [Evidence available -- manual review recommended]
CIS-10 | Malware Defenses | Malware Defense | ◔ Partial | Anti-malware enabled: No, managed endpoints: 150, active threats: 0
CIS-11 | Data Recovery | Data Protection | — Not Assessed | Backup enabled: No, retention policies: 0, records management enabled: No [Evidence available -- manual review recommended]
CIS-12 | Network Infrastructure Management | Network Security | ◔ Partial | Network security groups: 0, public IP resources: 2
CIS-13 | Network Monitoring and Defense | Network Security | ◔ Partial | Security monitoring telemetry: alerts=0, active threat signals=0, secure score=56.7%
CIS-14 | Security Awareness and Skills Training | People and Process | — Not Assessed | Attack simulation campaigns: 0, attack simulation telemetry live: No [Evidence available -- manual review recommended]
CIS-15 | Service Provider Management | Third-Party Risk | — Not Assessed | Third-party apps inventoried: 0, unverified publishers: 0 [Evidence available -- manual review recommended]
CIS-16 | Application Software Security | Application Security | — Not Assessed | Registered applications: 0, app-security remediation recommendations: 0 [Evidence available -- manual review recommended]
CIS-17 | Incident Response Management | Incident Response | ◔ Partial | High-risk operations: 3, alerts: 0, active threat signals: 0
CIS-18 | Penetration Testing | Security Assessment | ◔ Partial | Vulnerability findings: 85, security hardening recommendations: 0
NIST CSF
60% Compliant: Implemented 3 (60%), Partial 2 (40%), Non-compliant 0 (0%)
Compliance 60% · Pass 3 · Partial 2 · Fail 0 · Not Assessed 18 · Coverage 21.7%
⚠ Low Coverage: Only 5 of 23 controls assessed (21.7%). Compliance score (60%) may not be representative. Collect additional evidence to improve assessment accuracy.
Showing 5 assessed controls. 18 controls not yet assessed are hidden.
NIST CSF compliance controls
Control ID | Name | Function | Status | Evidence
ID.RA | Risk Assessment | Identify | ◔ Partial | Secure Score coverage: 56.7%
PR.AC | Identity Management and Access Control | Protect | ✓ Pass | MFA coverage 94.0% with 12 CA policies
PR.PT | Protective Technology | Protect | ✓ Pass | Device compliance baseline: 96.7%
DE.AE | Anomalies and Events | Detect | ✓ Pass | Risky sign-ins: 0, high-risk operations: 3
RS.CO | Communications | Respond | ◔ Partial | Response communications supported by 3 high-risk operations
ISO 27001
15% Compliant: Implemented 2 (15%), Partial 11 (85%), Non-compliant 0 (0%)
Compliance 15.4% · Pass 2 · Partial 11 · Fail 0 · Not Assessed 80 · Coverage 14%
⚠ Low Coverage: Only 13 of 93 controls assessed (14%). Compliance score (15.4%) may not be representative. Collect additional evidence to improve assessment accuracy.
Showing 13 assessed controls. 80 controls not yet assessed are hidden.
ISO 27001 compliance controls
Control ID | Name | Category | Status | Evidence
A.5.15 | Access Control | A.5 - Organizational Controls | ✓ Pass | Enabled CA policies=12, MFA coverage=94.0%
A.8.3 | Information Access Restriction | A.8 - Technological Controls | ◔ Partial | Enabled CA policies=12, named locations=0
A.8.5 | Secure Authentication | A.8 - Technological Controls | ◔ Partial | MFA user coverage=94.0%, admin coverage=100.0%, enabled auth methods=0
A.8.6 | Capacity Management | A.8 - Technological Controls | ◔ Partial | Capacity signals: managed_devices=0, secure_score=56.7%, recommendations=0
A.8.8 | Management of Technical Vulnerabilities | A.8 - Technological Controls | ◔ Partial | Secure Score=56.7%, recommendations=0
A.8.20 | Networks Security | A.8 - Technological Controls | ◔ Partial | Network security groups=0, public_ips=2
A.8.21 | Security of Network Services | A.8 - Technological Controls | ◔ Partial | Network service controls: nsgs=0, enabled_ca=12
A.8.24 | Use of Cryptography | A.8 - Technological Controls | ◔ Partial | Cryptography signals: encrypted_devices=11, email_encryption=No, passwordless_users=0
A.8.27 | Secure System Architecture and Engineering Principles | A.8 - Technological Controls | ◔ Partial | Architecture hardening signals: secure_score=56.7%, nsgs=0
A.8.28 | Secure Coding | A.8 - Technological Controls | ◔ Partial | Secure coding governance: compliant_assessments=16, assessed_controls=24, recommendations=0
A.8.29 | Security Testing in Development and Acceptance | A.8 - Technological Controls | ✓ Pass | Security testing evidence: assessed_controls=24, partial=4, non_compliant=4
A.8.31 | Separation of Development, Test and Production Environments | A.8 - Technological Controls | ◔ Partial | Environment separation signals: teams=8, sharepoint_sites=15, app_registrations=0
A.8.34 | Protection of Information Systems During Audit Testing | A.8 - Technological Controls | ◔ Partial | Audit testing protections: audit_enabled=No, assessed_controls=24, attack_simulation_campaigns=0
SOC 2
41% Compliant: Implemented 7 (41%), Partial 10 (59%), Non-compliant 0 (0%)
Compliance 41.2% · Pass 7 · Partial 10 · Fail 0 · Not Assessed 16 · Coverage 51.5%
SOC 2 compliance controls
Control ID | Name | Category | Status | Evidence
CC1.1 | COSO Principle 1: Commitment to Integrity and Ethical Values | CC1 - Control Environment | ◔ Partial | Governance evidence: assessed_controls=24, recommendations=0
CC1.2 | COSO Principle 2: Board Independence and Oversight | CC1 - Control Environment | ◔ Partial | Organization context present=No, secure score=56.7%
CC1.3 | COSO Principle 3: Management Structure and Authority | CC1 - Control Environment | — Not Assessed | Invalid data shape for privileged_accounts; expected object/list payloads from collectors. [Evidence available -- manual review recommended]
CC1.4 | COSO Principle 4: Commitment to Competence | CC1 - Control Environment | — Not Assessed | Attack simulation campaigns=0, telemetry_live=No [Evidence available -- manual review recommended]
CC1.5 | COSO Principle 5: Accountability for Internal Control | CC1 - Control Environment | — Not Assessed | Tracked deficiencies: recommendations=0, non_compliant_assessments=4 [Evidence available -- manual review recommended]
CC2.1 | COSO Principle 13: Quality Information | CC2 - Communication and Information | ◔ Partial | Security data quality signals: secure score=56.7%, alerts=0
CC2.2 | COSO Principle 14: Internal Communication | CC2 - Communication and Information | ◔ Partial | Internal comm channels: teams=8, recommendations=0
CC2.3 | COSO Principle 15: External Communication | CC2 - Communication and Information | ◔ Partial | External comm surfaces: SharePoint sites=15, third-party apps=0
CC3.1 | COSO Principle 6: Specifies Suitable Objectives | CC3 - Risk Assessment | ◔ Partial | Risk objective signals: secure score=56.7%, recommendations=0
CC3.2 | COSO Principle 7: Identifies and Analyzes Risk | CC3 - Risk Assessment | ✓ Pass | Risk analysis correlated from findings telemetry: active_alerts=0, risky_signins=0, high_risk_ops=3, non_compliant_assessments=4
CC3.3 | COSO Principle 8: Assesses Fraud Risk | CC3 - Risk Assessment | ✓ Pass | Fraud-risk indicators: risky_signins=0, critical_findings=2
CC3.4 | COSO Principle 9: Identifies and Analyzes Significant Change | CC3 - Risk Assessment | — Not Assessed | Change-impact controls: config_policies=0, compliance_policies=0 [Evidence available -- manual review recommended]
CC4.1 | COSO Principle 16: Ongoing and Separate Evaluations | CC4 - Monitoring Activities | ◔ Partial | Ongoing evaluations: assessed_controls=24, total_alerts=0
CC4.2 | COSO Principle 17: Evaluates and Communicates Deficiencies | CC4 - Monitoring Activities | — Not Assessed | Deficiency communication signals: recommendations=0, open_findings=129 [Evidence available -- manual review recommended]
CC5.1 | COSO Principle 10: Selects and Develops Control Activities | CC5 - Control Activities | ✓ Pass | Control activities: enabled_CA=12, MFA_coverage=94.0%
CC5.2 | COSO Principle 11: Selects and Develops Technology Controls | CC5 - Control Activities | — Not Assessed | Technology controls: managed_devices=0, device_compliance=96.7%, device_policies=0 [Evidence available -- manual review recommended]
CC5.3 | COSO Principle 12: Deploys Through Policies and Procedures | CC5 - Control Activities | — Not Assessed | Policy deployment signals: records_enabled=No, retention=0, recommendations=0 [Evidence available -- manual review recommended]
CC6.1 | Logical Access Security Software | CC6 - Logical and Physical Access | ✓ Pass | 12 Conditional Access policies configured
CC6.2 | User Authentication and Authorization | CC6 - Logical and Physical Access | ✓ Pass | MFA coverage baseline: 94.0% (141/150)
CC6.3 | Removal of Access Rights | CC6 - Logical and Physical Access | — Not Assessed | Deprovisioning evidence: disabled_users=0 [Evidence available -- manual review recommended]
CC6.4 | Role-Based Access Control | CC6 - Logical and Physical Access | — Not Assessed | Privileged access model: global_admins=0, privileged_roles=0 [Evidence available -- manual review recommended]
CC6.5 | Physical Access Restrictions | CC6 - Logical and Physical Access | — Not Assessed | Named location controls collected: 0 [Evidence available -- manual review recommended]
CC6.6 | Security of Data Assets | CC6 - Logical and Physical Access | — Not Assessed | Endpoint protection not detected [Evidence available -- manual review recommended]
CC6.7 | Transmission and Movement of Data | CC6 - Logical and Physical Access | — Not Assessed | Data transmission controls: email_encryption=No, DLP=0 [Evidence available -- manual review recommended]
CC6.8 | Prevention and Detection of Unauthorized Access | CC6 - Logical and Physical Access | ✓ Pass | Unauthorized access detection correlated from telemetry: alerts=0, risky_signins=0, high_risk_ops=3
CC7.1 | Detection of Security Events | CC7 - System Operations | ◔ Partial | Secure Score: 680/1200 (56.7%)
CC7.2 | Security Event Monitoring | CC7 - System Operations | — Not Assessed | Monitoring coverage: unified_audit=No, alerts=0 [Evidence available -- manual review recommended]
CC7.3 | Security Event Evaluation | CC7 - System Operations | ◔ Partial | Event evaluation correlated from findings lifecycle: non_compliant_assessments=4, partial_assessments=4, recommendations=0
CC7.4 | Security Incident Response | CC7 - System Operations | ✓ Pass | Incident response signals: high_risk_ops=3, critical_findings=2, active_alerts=0
CC7.5 | Recovery from Security Incidents | CC7 - System Operations | — Not Assessed | Recovery capability: backup_enabled=No, retention_policies=0 [Evidence available -- manual review recommended]
CC8.1 | Change Management Process | CC8 - Change Management | — Not Assessed | Change management controls: config_policies=0, compliance_policies=0, azure_policies=0 [Evidence available -- manual review recommended]
CC9.1 | Business Disruption Risk Mitigation | CC9 - Risk Mitigation | ◔ Partial | Disruption resilience: backup_enabled=No, retention=0, secure_score=56.7%
CC9.2 | Vendor Risk Management | CC9 - Risk Mitigation | — Not Assessed | Vendor ecosystem inventory: total_apps=0, unverified_publishers=0 [Evidence available -- manual review recommended]
All frameworks combined: 49% Compliant: Implemented 46 (49%), Partial 45 (48%), Non-compliant 3 (3%)
Compliance Command Deck

What To Fix First

One view for executives, auditors, and operators: current posture, failure concentration, and immediate moves to reduce certification risk.

This deck is all frameworks combined. CMMC tab metrics are a separate CMMC-only scope (110 controls / SPRS model).

ISO 27001 15% · CIS v8 27% · SOC 2 TSC 41%
Average Framework Score
41.7%
Across 5 frameworks
Assessed Controls
94/277
33.9% coverage
At-Risk Controls
48
3 fail, 45 partial
Highest-Risk Framework
ISO 27001
15% compliance
Action Queue
  1. Lift ISO 27001 first: 0 failing controls and 11 partial controls are currently dragging score.
  2. Lift CIS v8 first: 0 failing controls and 8 partial controls are currently dragging score.
  3. Close Device-015 (CRITICAL) to improve 4 framework mappings.
  4. Close Network-010 (CRITICAL) to improve 4 framework mappings.
  5. Close ActiveDirectory-003 (HIGH) to improve 4 framework mappings.

Operator Priority Queue

Owner-ready sequence with explicit due windows and done-when outcomes.

  1. P0 Critical Security Configuration Gaps Require Action
    Owner: Security Operations · Due: 7-30 days
    Done when: See portal verification steps
  2. P0 NSG Rules Allow All Inbound Traffic
    Owner: Cloud/Network Team · Due: 7-30 days
    Done when: See portal verification steps
  3. P1 Legacy Authentication Not Blocked
    Owner: Identity Team · Due: 7-30 days
    Done when: See portal verification steps
  4. P1 40 Users Not Covered by MFA Policy
    Owner: Identity Team · Due: 7-30 days
    Done when: See portal verification steps
  5. P1 2 High-Risk User Accounts Detected
    Owner: SecOps · Due: 7-30 days
    Done when: See portal verification steps
  6. P1 28 Active Security Alerts (2 High, 5 Medium)
    Owner: SecOps · Due: 7-30 days
    Done when: See portal verification steps
  7. P1 Safe Links Protection Is Disabled
    Owner: Email Security Team · Due: 7-30 days
    Done when: See portal verification steps
  8. P1 Safe Attachments Protection Is Disabled
    Owner: Email Security Team · Due: 7-30 days
    Done when: See portal verification steps

Compliance Posture

CMMC L2
65% (31/110)
CIS v8
27% (3/18)
NIST CSF
60% (3/23)
SOC 2 TSC
41% (7/33)
ISO 27001
15% (2/93)
Fixing your top 10 findings addresses 24 compliance gaps across 5 frameworks simultaneously.

Compliance Data Quality

Status: PASS
Coverage: 100.0%
Contradictions: 0
Assessed: 0
Not Consented: 0
Not Licensed: 0
API Failure: 0
Domain | Collected | Coverage | Assessability
Identity & Access | 0/0 | 100.0% | collected
Data Protection | 0/0 | 100.0% | collected
Endpoint Security | 0/0 | 100.0% | collected
Email Security | 0/0 | 100.0% | collected
Security & Compliance | 0/0 | 100.0% | collected
Collaboration | 0/0 | 100.0% | collected
Network Security | 0/0 | 0.0% | not_assessed
Application Security | 0/0 | 100.0% | collected
Infrastructure | 0/0 | 100.0% | collected
Security Monitoring | 0/0 | 100.0% | collected
Compliance | 0/0 | 100.0% | collected

Evidence Inventory

Dataset | Assessability | Source Endpoint | Last Collected
access_review_summary | not_assessed | access_review_summary | Data unavailable
pim_role_settings | assessed | pim_role_settings | Data unavailable
directory_roles | assessed | directory_roles | Data unavailable
terms_of_use_summary | not_assessed | terms_of_use_summary | Data unavailable
lifecycle_summary | not_assessed | lifecycle_summary | Data unavailable
sharepoint_sharing_settings | not_assessed | sharepoint_sharing_settings | Data unavailable
teams_policies | assessed | teams_policies | Data unavailable
bitlocker_recovery_keys | not_assessed | bitlocker_recovery_keys | Data unavailable
records_management | assessed | records_management | Data unavailable
retention_policies | assessed | retention_policies | Data unavailable
data_governance_summary | not_assessed | data_governance_summary | Data unavailable
risk_detection_summary | not_assessed | risk_detection_summary | Data unavailable
entra_recommendations | not_assessed | entra_recommendations | Data unavailable
ca_whatif_results | not_assessed | ca_whatif_results | Data unavailable
arm_network_nsgs | assessed | arm_network_nsgs | Data unavailable
arm_storage_accounts | assessed | arm_storage_accounts | Data unavailable
arm_key_vaults | assessed | arm_key_vaults | Data unavailable
arm_sql_servers | assessed | arm_sql_servers | Data unavailable

Finding → Framework Cross-Reference

Auditor Appendix: finding-level framework evidence mapping
Finding CIS CMMC NIST SOC 2 ISO
Device-015 CRITICAL
Critical Security Configuration Gaps Require Action
CIS-7.1 NIST-SI-2 SOC2-CC6.1 ISO-A.12.6.1
Network-010 CRITICAL
NSG Rules Allow All Inbound Traffic
CIS-4.1 NIST-SC-7 SOC2-CC6.6 ISO-A.13.1.1
ActiveDirectory-003 HIGH
AD: Privileged Admin Footprint Controlled
CIS-5.2 NIST-IA-2, NIST-AC-6 SOC2-CC6.1 ISO-A.9.2.3
ActiveDirectory-006 HIGH
AD: LDAP Signing/Channel Binding Gap
CIS-5.2 NIST-IA-2, NIST-AC-6 SOC2-CC6.1 ISO-A.9.2.3
Application-006 HIGH
Third-Party Application Consents Include Elevated-Risk Integrations
CIS-16.1 NIST-CM-7 SOC2-CC6.7 ISO-A.9.4.5
CMMC-AC.L2-3.1.6 HIGH
CMMC AC.L2-3.1.6: Non-Privileged Account Use (Fail)
AC.L2-3.1.6
| Rule ID | Severity | Finding | Framework mappings |
|---|---|---|---|
| CMMC-AU.L2-3.3.4 | HIGH | CMMC AU.L2-3.3.4: Audit Failure Alerting (Fail) | AU.L2-3.3.4 |
| CMMC-IA.L2-3.5.3 | HIGH | CMMC IA.L2-3.5.3: Multifactor Authentication (Fail) | IA.L2-3.5.3 |
| CMMC-IR.L2-3.6.1 | HIGH | CMMC IR.L2-3.6.1: Incident Handling (Partial) | IR.L2-3.6.1 |
| CloudPosture-001 | HIGH | Azure Secure Score Below Target | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Cost-001 | HIGH | Orphaned Cloud Resources Incurring Waste | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| DataProtection-010 | HIGH | SharePoint External Sharing Is Enabled on Collaboration Sites | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-013 | HIGH | No DLP Policies Configured | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-017 | HIGH | Excessive Third-Party App Permissions | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Device-010 | HIGH | Unencrypted Devices Detected in Fleet | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-013 | HIGH | No Device Compliance Policies Defined | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-016 | HIGH | High Endpoint Vulnerability Backlog | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| Email-005 | HIGH | Safe Links Protection Is Disabled | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-006 | HIGH | Safe Attachments Protection Is Disabled | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-007 | HIGH | Anti-Phishing Controls Are Not Fully Enabled | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-008 | HIGH | Email Threat Detection/Containment Rate Is Below Target | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-009 | HIGH | External Email Forwarding Rules Detected | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-012 | HIGH | No Outbound Spam Policy Enabled | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-013 | HIGH | Mail Flow Rules Bypass Security Filtering | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-014 | HIGH | Auto-Forward to External Addresses Detected | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-016 | HIGH | Multiple Domains Without DMARC | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Endpoint-007 | HIGH | BitLocker or Device Encryption Not Enabled | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-011 | HIGH | Tamper Protection Not Enabled | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-013 | HIGH | Unsupported Operating Systems in Managed Fleet | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Governance-002 | HIGH | Privileged High-Risk Administrative Operations Require Review | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Governance-003 | HIGH | Secure Score Recommendation Backlog Is Accumulating | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Identity-005 | HIGH | Legacy Authentication Not Blocked | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-008 | HIGH | 40 Users Not Covered by MFA Policy | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-010 | HIGH | 2 High-Risk User Accounts Detected | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-014 | HIGH | Phishing-Resistant MFA Method (FIDO2) Is Disabled | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-017 | HIGH | Strong Authentication Method Adoption Is Below Target | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-018 | HIGH | PIM Not Configured for Admin Roles | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-020 | HIGH | Risky Sign-Ins Not Investigated | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-021 | HIGH | Emergency Access Accounts Missing or Incomplete | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-025 | HIGH | Too Many Global Administrators | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-026 | HIGH | PIM Not Utilized for Privileged Roles | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-027 | HIGH | Legacy Authentication Sign-Ins Detected | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Infrastructure-001 | HIGH | Network Security Groups Allow Unrestricted Inbound Access | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-002 | HIGH | Storage Accounts Allow Public Blob Access | CIS-3.7, NIST-SC-28, SOC2-CC6.1, ISO-A.8.2.3 |
| Infrastructure-010 | HIGH | No Effective Network Segmentation Detected | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-011 | HIGH | Storage Accounts Allow HTTP | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-015 | HIGH | Anonymous Storage Access Enabled | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-016 | HIGH | Key Vault Soft-Delete Not Enabled | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Network-013 | HIGH | Email Encryption Not Enabled | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Resilience-001 | HIGH | Incident Response Plan Not Documented | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
| Resilience-002 | HIGH | SIEM Not Connected | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
| Security-001 | HIGH | 28 Active Security Alerts (2 High, 5 Medium) | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Security-002 | HIGH | Failed and Risky Sign-In Volume Exceeds Baseline | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Security-003 | HIGH | Threat Pulse Indicates Elevated Active Alert Backlog | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Vulnerability-001 | HIGH | Security Configuration Gaps Require Remediation | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| Vulnerability-002 | HIGH | High-Severity Vulnerabilities Require Short-Term Remediation | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| ActiveDirectory-002 | MEDIUM | AD: Legacy Authentication Active | CIS-5.2, NIST-IA-2, NIST-AC-6, SOC2-CC6.1, ISO-A.9.2.3 |
| ActiveDirectory-008 | MEDIUM | AD: Domain Controller Patch Baseline Gap | CIS-5.2, NIST-IA-2, NIST-AC-6, SOC2-CC6.1, ISO-A.9.2.3 |
| Application-001 | MEDIUM | 2 Apps with High-Risk OAuth Permissions | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Application-005 | MEDIUM | Teams Guest Access Requires Stronger Collaboration Governance | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| CMMC-CM.L2-3.4.5 | MEDIUM | CMMC CM.L2-3.4.5: Access Restrictions for Change (Partial) | CM.L2-3.4.5 |
| CMMC-SC.L2-3.13.2 | MEDIUM | CMMC SC.L2-3.13.2: Security Engineering (Partial) | SC.L2-3.13.2 |
| CMMC-SI.L2-3.14.2 | MEDIUM | CMMC SI.L2-3.14.2: Malicious Code Protection (Partial) | SI.L2-3.14.2 |
| CMMC-SI.L2-3.14.5 | MEDIUM | CMMC SI.L2-3.14.5: Advanced Persistent Threat Protection (Fail) | SI.L2-3.14.5 |
| CloudPosture-003 | MEDIUM | Diagnostic Settings Missing on Critical Resources | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| CloudPosture-004 | MEDIUM | No Azure Policy Assignments Detected | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Cost-002 | MEDIUM | Unused License Spend Detected | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-003 | MEDIUM | Azure Advisor Savings Not Yet Realized | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-004 | MEDIUM | Oversized VM Fleet Increasing Compute Spend | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-005 | MEDIUM | Budget Alerting Not Configured | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-006 | MEDIUM | Unlicensed Users Consuming Paid Service Capacity | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-008 | MEDIUM | Underutilized Premium License Portfolio | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| DataProtection-004 | MEDIUM | eDiscovery Not Configured | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-006 | MEDIUM | External Sharing Unrestricted on SharePoint Sites | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-007 | MEDIUM | OneDrive External Sharing Open | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-009 | MEDIUM | Retention Period Below Compliance Baseline | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-012 | MEDIUM | Retention Policy Coverage Is Partial Across M365 Workloads | CIS-3.1, NIST-AU-11, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-019 | MEDIUM | SharePoint Sites Permit External Sharing | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| Device-011 | MEDIUM | Stale Device Sync Older Than 30 Days | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-012 | MEDIUM | Outdated Endpoint Operating System Versions | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-014 | MEDIUM | No Device Configuration Policies Applied | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Email-010 | MEDIUM | DMARC Aggregate Reporting Not Configured | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-011 | MEDIUM | SPF Record Too Permissive | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-015 | MEDIUM | DMARC Policy Not Enforced at Reject | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-017 | MEDIUM | Mailbox Auditing Not Enabled for All Mailboxes | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-019 | MEDIUM | Email Quarantine Policy Not Configured | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-020 | MEDIUM | Anti-Impersonation Coverage Below Target | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Endpoint-004 | MEDIUM | Device Configuration Baseline Policy Depth Is Limited | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-005 | MEDIUM | Device Compliance Policy Coverage Is Incomplete | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-006 | MEDIUM | OS Versions Not Current | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-008 | MEDIUM | Stale Devices with No Sync > 90 Days | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-012 | MEDIUM | Attack Surface Reduction Rules Missing | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-014 | MEDIUM | Defender Onboarding Coverage Below 80% | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-015 | MEDIUM | EDR Block Mode Not Enabled | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Identity-006 | MEDIUM | 3 Users Authenticating with Legacy Protocols | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-009 | MEDIUM | Excessive Global Administrators (7 accounts) | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-011 | MEDIUM | 1 Service Principal with High-Risk Permissions | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Identity-013 | MEDIUM | 30 Guest Users Require Access Review (20.0% of user base) | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Identity-015 | MEDIUM | Trusted Named Locations Coverage Is Too Narrow | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-016 | MEDIUM | Default Domain Password Expiration Policy Increases Credential Risk | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-019 | MEDIUM | No Access Reviews Configured | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-022 | MEDIUM | OAuth Consent Policy Allows User Consent | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-023 | MEDIUM | Excessive Guest Users in Directory | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Identity-028 | MEDIUM | Risky Sign-Ins from Unknown Locations | CIS-6.1, NIST-SI-4, SOC2-CC7.2, ISO-A.12.4.1 |
| Identity-029 | MEDIUM | SMS-Based MFA Still in Significant Use | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Infrastructure-006 | MEDIUM | Public IP Addresses With Exposure Risks | CIS-4.3, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-012 | MEDIUM | SQL Servers Without Azure AD Authentication | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-013 | MEDIUM | Key Vault Secrets Not Rotated | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-014 | MEDIUM | No Private Endpoints for PaaS Resources | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Monitoring-001 | MEDIUM | Microsoft Sentinel SIEM Not Configured | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Network-011 | MEDIUM | Unassociated Public IP Addresses Detected | CIS-4.3, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Network-014 | MEDIUM | No Attack Simulation Campaigns Executed | CIS-14.1, NIST-AT-2, SOC2-CC1.4, ISO-A.7.2.2 |
| Resilience-003 | MEDIUM | Alert Rules Not Configured | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
| Resilience-004 | MEDIUM | Backup Restore Testing Stale | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
| Vulnerability-003 | MEDIUM | Medium-Severity Vulnerabilities Require Planned Remediation | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| CloudPosture-005 | LOW | Resource Tags Missing Across Cloud Inventory | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Cost-007 | LOW | Duplicate Security Tools Detected | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| DataProtection-003 | LOW | Sensitivity Labels Configured but Under-Adopted | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-005 | LOW | Information Barriers Not Configured | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-008 | LOW | No Sensitivity Label Auto-Labeling Policies | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-016 | LOW | Records Management Features Disabled | CIS-3.1, NIST-AU-11, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-020 | LOW | Teams Without Assigned Owners | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Email-001 | LOW | 929 Email Threat Detections Observed in Last 30 Days | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-018 | LOW | External Sender Warning Banner Missing | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Endpoint-010 | LOW | Windows Autopilot Not Configured | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Identity-024 | LOW | Stale Disabled Accounts Not Removed | CIS-6.2, NIST-PS-4, SOC2-CC6.2, ISO-A.9.2.6 |
| Identity-030 | LOW | No Passwordless Authentication Adoption | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Network-012 | LOW | No Named Locations Configured | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Resilience-005 | LOW | No Recent Security Tabletop Exercises | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
Assessment Methodology (Rules, Unknowns, and Rationale)

The catalog below lists every rule used in this assessment with its data source, the permission the collector needed to evaluate it, its severity and the rationale for that severity, and the compliance framework controls it maps to. It is intended for auditors and compliance reviewers. Two caveats apply when reading it. Rows whose Permission column reads "Check Permission Health" did not record a specific Graph permission, so the collector's access for those rules cannot be verified from this table alone. The infrastructure rules (network security groups, storage accounts, Key Vault, SQL servers) carry the data source "Microsoft Graph API" although those resources are read through Azure Resource Manager, not Graph. Several register entries above also overlap: Identity-009 and Identity-025 both flag the global administrator count at different severities, Identity-018 and Identity-026 both flag PIM, and Resilience-002 and Monitoring-001 both flag a missing SIEM; owners should treat each such pair as one remediation item.
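
To make the catalog concrete, the following Python evaluates four of its rules (Identity-005, Email-009, Email-015, Email-016) over a collected snapshot and emits findings carrying the same rule ID, severity and framework mappings the register shows. It is an added example, not the assessment tool's own code. The payload shapes follow the Microsoft Graph conditionalAccessPolicy and messageRule resources; the records in SAMPLE_SNAPSHOT are constructed (the mailbox bob@contoso.com, the external address bob.backup@example.net, and the domains labs.contoso.example and shop.contoso.example are made up), and the DMARC entries stand in for what a live DNS TXT lookup of _dmarc.<domain> would return. The function and constant names (evaluate, check_*, parse_dmarc, SAMPLE_SNAPSHOT) are this example's, not the tool's. The Identity-005 check deliberately treats a report-only Conditional Access policy as not blocking, which is the caveat a reviewer wants when a "block legacy authentication" policy exists in the tenant but the finding still fires.

```python
from collections import namedtuple

# Rule metadata copied from the catalog on this page: severity, title, frameworks.
RULES = {
    "Identity-005": ("HIGH", "Legacy Authentication Not Blocked",
                     ("CIS-6.5", "NIST-IA-2", "SOC2-CC6.1", "ISO-A.9.4.2")),
    "Email-009": ("HIGH", "External Email Forwarding Rules Detected",
                  ("CIS-9.1", "NIST-SI-8", "SOC2-CC6.1", "ISO-A.12.2.1")),
    "Email-015": ("MEDIUM", "DMARC Policy Not Enforced at Reject",
                  ("CIS-9.1", "NIST-SI-8", "SOC2-CC6.1", "ISO-A.12.2.1")),
    "Email-016": ("HIGH", "Multiple Domains Without DMARC",
                  ("CIS-9.1", "NIST-SI-8", "SOC2-CC6.1", "ISO-A.12.2.1")),
}
# Graph conditionalAccessPolicy clientAppTypes values that cover legacy protocols.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
Finding = namedtuple("Finding", "rule_id severity title frameworks evidence")

def finding(rule_id, evidence):
    """Attach the catalog metadata for rule_id to the collected evidence."""
    severity, title, frameworks = RULES[rule_id]
    return Finding(rule_id, severity, title, frameworks, tuple(evidence))

def check_legacy_auth_blocked(ca_policies):
    """Identity-005 passes only if an enabled (not report-only, not disabled)
    policy blocks both legacy client app types for All users."""
    for p in ca_policies:
        cond = p.get("conditions", {})
        if (p.get("state") == "enabled"
                and LEGACY_CLIENT_APPS <= set(cond.get("clientAppTypes", []))
                and "All" in cond.get("users", {}).get("includeUsers", [])
                and "block" in p.get("grantControls", {}).get("builtInControls", [])):
            return None
    return finding("Identity-005", ["no enabled policy blocks exchangeActiveSync/other for All users"])

def check_external_forwarding(inbox_rules_by_mailbox, verified_domains):
    """Email-009: enabled messageRule entries that forward or redirect mail to an
    address whose domain is not one of the tenant's verified domains."""
    verified = {d.lower() for d in verified_domains}
    hits = []
    for mailbox, rules in inbox_rules_by_mailbox.items():
        for rule in rules:
            if not rule.get("isEnabled", True):
                continue
            for action in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
                for recipient in rule.get("actions", {}).get(action, []):
                    addr = recipient["emailAddress"]["address"].lower()
                    if addr.rsplit("@", 1)[-1] not in verified:
                        hits.append(f"{mailbox}: rule '{rule['displayName']}' {action} {addr}")
    return finding("Email-009", hits) if hits else None

def parse_dmarc(txt_records):
    """Tag dict of the first v=DMARC1 TXT record, or None if none is published."""
    for rec in txt_records:
        pairs = (part.split("=", 1) for part in rec.split(";") if "=" in part)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None

def check_dmarc(dmarc_txt_by_domain):
    """Email-016 for domains with no DMARC record; Email-015 for records whose
    policy is weaker than p=reject (p=none, p=quarantine, or no p tag at all)."""
    missing, weak = [], []
    for domain, records in dmarc_txt_by_domain.items():
        tags = parse_dmarc(records)
        if tags is None:
            missing.append(domain)
        elif tags.get("p", "none").lower() != "reject":
            weak.append(f"{domain}: p={tags.get('p', 'none')}")
    found = [finding("Email-016", missing)] if missing else []
    return found + ([finding("Email-015", weak)] if weak else [])

def evaluate(snapshot):
    """Run every check over one collected snapshot; HIGH findings sort first."""
    results = [check_legacy_auth_blocked(snapshot["conditionalAccessPolicies"]),
               check_external_forwarding(snapshot["inboxRules"], snapshot["verifiedDomains"]),
               *check_dmarc(snapshot["dmarc"])]
    return sorted((f for f in results if f), key=lambda f: (SEVERITY_RANK[f.severity], f.rule_id))

# Constructed snapshot: the legacy-auth policy is report-only (so it does not count),
# one mailbox redirects externally, contoso.com sits at p=quarantine, and two made-up
# subdomains publish no DMARC record at all.
SAMPLE_SNAPSHOT = {
    "verifiedDomains": ["contoso.com", "contoso.onmicrosoft.com", "contoso.mail.onmicrosoft.com"],
    "conditionalAccessPolicies": [{
        "displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
        "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
        "grantControls": {"builtInControls": ["block"]}}],
    "inboxRules": {
        "alice@contoso.com": [{"displayName": "Archive", "isEnabled": True, "actions": {"markAsRead": True}}],
        "bob@contoso.com": [{"displayName": "Sync", "isEnabled": True, "actions": {
            "redirectTo": [{"emailAddress": {"address": "bob.backup@example.net"}}]}}]},
    "dmarc": {"contoso.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"],
              "labs.contoso.example": [], "shop.contoso.example": []},
}
```

Running evaluate(SAMPLE_SNAPSHOT) returns four findings, ordered Email-009, Email-016, Identity-005 (all HIGH) and then Email-015 (MEDIUM), each carrying the evidence strings a remediation owner needs (which mailbox and rule forwards where, which domains lack DMARC, what the published policy tag is). Swapping the constructed snapshot for live data means pulling the same three resource types with the permissions the catalog lists for those rules and resolving the TXT records, so the checks themselves do not change.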

Rule Catalog (125 rules)
| Rule ID | Title | Data Source | Permission | Severity | Rationale | Frameworks |
|---|---|---|---|---|---|---|
| Identity-001 | Admin MFA enforced | Microsoft Graph: Authentication Methods API | Reports.Read.All | Critical | Immediate exploitation risk or active breach indicator | Microsoft Secure Score, CIS Microsoft 365 Benchmark, NIST 800-63B |
| Identity-002 | User MFA coverage >= 90% | Microsoft Graph: Authentication Methods API | Reports.Read.All | High | Significant security gap exposing sensitive resources | Microsoft Secure Score, CIS Microsoft 365 Benchmark, NIST 800-63B |
| Identity-005 | Legacy authentication blocked | Microsoft Graph: Authentication Methods API | Policy.Read.All | High | Significant security gap exposing sensitive resources | Microsoft Secure Score, CIS Microsoft 365 Benchmark, NIST 800-63B |
| Identity-007 | Baseline Conditional Access policies >= 3 | Microsoft Graph: Authentication Methods API | Policy.Read.All | High | Significant security gap exposing sensitive resources | Microsoft Secure Score, CIS Microsoft 365 Benchmark, NIST 800-63B |
| Endpoint-001 | Device compliance >= 80% | Microsoft Graph: Device Management API | DeviceManagementManagedDevices.Read.All | Medium | Configuration weakness that increases attack surface | Microsoft Secure Score, CIS Controls v8, NIST 800-53 CM |
| Security-002 | Secure Score >= 50% | Microsoft Graph API | SecurityEvents.Read.All | Medium | Configuration weakness that increases attack surface | Microsoft Secure Score, CIS Microsoft 365 Benchmark, NIST 800-63B |
| Device-015 | Critical Security Configuration Gaps Require Action | Microsoft Graph API | SecurityEvents.Read.All | Critical | Immediate exploitation risk or active breach indicator | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| Network-010 | NSG Rules Allow All Inbound Traffic | Microsoft Graph API | Check Permission Health | Critical | Immediate exploitation risk or active breach indicator | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Identity-008 | 40 Users Not Covered by MFA Policy | Microsoft Graph: Authentication Methods API | AuditLog.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-010 | 2 High-Risk User Accounts Detected | Microsoft Graph: Authentication Methods API | IdentityRiskyUser.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Security-001 | 28 Active Security Alerts (2 High, 5 Medium) | Microsoft Graph API | SecurityEvents.Read.All | High | Significant security gap exposing sensitive resources | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Email-005 | Safe Links Protection Is Disabled | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-006 | Safe Attachments Protection Is Disabled | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-007 | Anti-Phishing Controls Are Not Fully Enabled | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-008 | Email Threat Detection/Containment Rate Is Below Target | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Identity-014 | Phishing-Resistant MFA Method (FIDO2) Is Disabled | Microsoft Graph: Authentication Methods API | Policy.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Governance-002 | Privileged High-Risk Administrative Operations Require Review | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| DataProtection-010 | SharePoint External Sharing Is Enabled on Collaboration Sites | Microsoft Graph API | Sites.Read.All | High | Significant security gap exposing sensitive resources | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| Governance-003 | Secure Score Recommendation Backlog Is Accumulating | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Application-006 | Third-Party Application Consents Include Elevated-Risk Integrations | Microsoft Graph: OAuth2 Permissions API | DelegatedPermissionGrant.ReadWrite.All | High | Significant security gap exposing sensitive resources | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Identity-017 | Strong Authentication Method Adoption Is Below Target | Microsoft Graph: Authentication Methods API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Security-003 | Threat Pulse Indicates Elevated Active Alert Backlog | Microsoft Graph API | ThreatIndicators.Read.All | High | Significant security gap exposing sensitive resources | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Infrastructure-001 | Network Security Groups Allow Unrestricted Inbound Access | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-002 | Storage Accounts Allow Public Blob Access | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-3.7, NIST-SC-28, SOC2-CC6.1, ISO-A.8.2.3 |
| Vulnerability-001 | Security Configuration Gaps Require Remediation | Microsoft Secure Score API | SecurityEvents.Read.All | High | Significant security gap exposing sensitive resources | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| Vulnerability-002 | High-Severity Vulnerabilities Require Short-Term Remediation | Microsoft Secure Score API | SecurityEvents.Read.All | High | Significant security gap exposing sensitive resources | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| Cost-001 | Orphaned Cloud Resources Incurring Waste | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| ActiveDirectory-003 | AD: Privileged Admin Footprint Controlled | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-5.2, NIST-IA-2, NIST-AC-6, SOC2-CC6.1, ISO-A.9.2.3 |
| ActiveDirectory-006 | AD: LDAP Signing/Channel Binding Gap | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-5.2, NIST-IA-2, NIST-AC-6, SOC2-CC6.1, ISO-A.9.2.3 |
| Identity-025 | Too Many Global Administrators | Microsoft Graph: Authentication Methods API | RoleManagement.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-026 | PIM Not Utilized for Privileged Roles | Microsoft Graph: Authentication Methods API | RoleManagement.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-027 | Legacy Authentication Sign-Ins Detected | Microsoft Graph: Authentication Methods API | AuditLog.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Device-010 | Unencrypted Devices Detected in Fleet | Microsoft Graph API | DeviceManagementManagedDevices.Read.All | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-013 | No Device Compliance Policies Defined | Microsoft Graph API | DeviceManagementConfiguration.Read.All | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-016 | High Endpoint Vulnerability Backlog | Microsoft Graph API | SecurityEvents.Read.All | High | Significant security gap exposing sensitive resources | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| DataProtection-013 | No DLP Policies Configured | Microsoft Graph API | InformationProtectionPolicy.Read.All | High | Significant security gap exposing sensitive resources | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-017 | Excessive Third-Party App Permissions | Microsoft Graph API | DelegatedPermissionGrant.ReadWrite.All | High | Significant security gap exposing sensitive resources | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Network-013 | Email Encryption Not Enabled | Microsoft Graph API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-009 | External Email Forwarding Rules Detected | Microsoft Graph: Mail Assessment API | Exchange.ManageAsApp | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-012 | No Outbound Spam Policy Enabled | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-013 | Mail Flow Rules Bypass Security Filtering | Microsoft Graph: Mail Assessment API | Exchange.ManageAsApp | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-014 | Auto-Forward to External Addresses Detected | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-016 | Multiple Domains Without DMARC | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | High | Significant security gap exposing sensitive resources | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Endpoint-007 | BitLocker or Device Encryption Not Enabled | Microsoft Graph: Device Management API | DeviceManagementManagedDevices.Read.All | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-011 | Tamper Protection Not Enabled | Microsoft Graph: Device Management API | SecurityEvents.Read.All | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-013 | Unsupported Operating Systems in Managed Fleet | Microsoft Graph: Device Management API | DeviceManagementManagedDevices.Read.All | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Identity-018 | PIM Not Configured for Admin Roles | Microsoft Graph: Authentication Methods API | RoleManagement.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-020 | Risky Sign-Ins Not Investigated | Microsoft Graph: Authentication Methods API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-021 | Emergency Access Accounts Missing or Incomplete | Microsoft Graph: Authentication Methods API | RoleManagement.Read.All | High | Significant security gap exposing sensitive resources | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Infrastructure-010 | No Effective Network Segmentation Detected | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-011 | Storage Accounts Allow HTTP | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-015 | Anonymous Storage Access Enabled | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-016 | Key Vault Soft-Delete Not Enabled | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| CloudPosture-001 | Azure Secure Score Below Target | Microsoft Graph API | SecurityEvents.Read.All | High | Significant security gap exposing sensitive resources | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Resilience-001 | Incident Response Plan Not Documented | Microsoft Graph API | Check Permission Health | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
| Resilience-002 | SIEM Not Connected | Microsoft Graph API | AuditLog.Read.All | High | Significant security gap exposing sensitive resources | CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1 |
| Identity-006 | 3 Users Authenticating with Legacy Protocols | Microsoft Graph: Authentication Methods API | AuditLog.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-009 | Excessive Global Administrators (7 accounts) | Microsoft Graph: Authentication Methods API | RoleManagement.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Monitoring-001 | Microsoft Sentinel SIEM Not Configured | Microsoft Graph: Security Alerts API | AuditLog.Read.All | Medium | Configuration weakness that increases attack surface | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
| Application-001 | 2 Apps with High-Risk OAuth Permissions | Microsoft Graph: OAuth2 Permissions API | DelegatedPermissionGrant.ReadWrite.All | Medium | Configuration weakness that increases attack surface | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Identity-011 | 1 Service Principal with High-Risk Permissions | Microsoft Graph: Authentication Methods API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Identity-013 | 30 Guest Users Require Access Review (20.0% of user base) | Microsoft Graph: Authentication Methods API | User.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Identity-015 | Trusted Named Locations Coverage Is Too Narrow | Microsoft Graph: Authentication Methods API | Directory.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Identity-016 | Default Domain Password Expiration Policy Increases Credential Risk | Microsoft Graph: Authentication Methods API | Domain.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Application-005 | Teams Guest Access Requires Stronger Collaboration Governance | Microsoft Graph: OAuth2 Permissions API | Team.ReadBasic.All | Medium | Configuration weakness that increases attack surface | CIS-16.1, NIST-CM-7, SOC2-CC6.7, ISO-A.9.4.5 |
| Endpoint-004 | Device Configuration Baseline Policy Depth Is Limited | Microsoft Graph: Device Management API | DeviceManagementConfiguration.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-005 | Device Compliance Policy Coverage Is Incomplete | Microsoft Graph: Device Management API | DeviceManagementConfiguration.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| DataProtection-012 | Retention Policy Coverage Is Partial Across M365 Workloads | Microsoft Graph API | RecordsManagement.Read.All | Medium | Configuration weakness that increases attack surface | CIS-3.1, NIST-AU-11, SOC2-CC6.7, ISO-A.8.2.3 |
| Infrastructure-006 | Public IP Addresses With Exposure Risks | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-4.3, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Vulnerability-003 | Medium-Severity Vulnerabilities Require Planned Remediation | Microsoft Secure Score API | SecurityEvents.Read.All | Medium | Configuration weakness that increases attack surface | CIS-7.1, NIST-SI-2, SOC2-CC6.1, ISO-A.12.6.1 |
| Cost-002 | Unused License Spend Detected | Microsoft Graph API | Organization.Read.All | Medium | Configuration weakness that increases attack surface | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-003 | Azure Advisor Savings Not Yet Realized | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-004 | Oversized VM Fleet Increasing Compute Spend | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-005 | Budget Alerting Not Configured | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-006 | Unlicensed Users Consuming Paid Service Capacity | Microsoft Graph API | Organization.Read.All | Medium | Configuration weakness that increases attack surface | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| Cost-008 | Underutilized Premium License Portfolio | Microsoft Graph API | Organization.Read.All | Medium | Configuration weakness that increases attack surface | CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6 |
| ActiveDirectory-002 | AD: Legacy Authentication Active | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-5.2, NIST-IA-2, NIST-AC-6, SOC2-CC6.1, ISO-A.9.2.3 |
| ActiveDirectory-008 | AD: Domain Controller Patch Baseline Gap | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-5.2, NIST-IA-2, NIST-AC-6, SOC2-CC6.1, ISO-A.9.2.3 |
| Identity-023 | Excessive Guest Users in Directory | Microsoft Graph: Authentication Methods API | User.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5 |
| Identity-028 | Risky Sign-Ins from Unknown Locations | Microsoft Graph: Authentication Methods API | AuditLog.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.1, NIST-SI-4, SOC2-CC7.2, ISO-A.12.4.1 |
| Identity-029 | SMS-Based MFA Still in Significant Use | Microsoft Graph: Authentication Methods API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2 |
| Device-011 | Stale Device Sync Older Than 30 Days | Microsoft Graph API | DeviceManagementManagedDevices.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-012 | Outdated Endpoint Operating System Versions | Microsoft Graph API | DeviceManagementManagedDevices.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Device-014 | No Device Configuration Policies Applied | Microsoft Graph API | DeviceManagementConfiguration.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| DataProtection-019 | SharePoint Sites Permit External Sharing | Microsoft Graph API | Sites.Read.All | Medium | Configuration weakness that increases attack surface | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| Network-011 | Unassociated Public IP Addresses Detected | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-4.3, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Network-014 | No Attack Simulation Campaigns Executed | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-14.1, NIST-AT-2, SOC2-CC1.4, ISO-A.7.2.2 |
| Email-010 | DMARC Aggregate Reporting Not Configured | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | Medium | Configuration weakness that increases attack surface | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-011 | SPF Record Too Permissive | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | Medium | Configuration weakness that increases attack surface | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-015 | DMARC Policy Not Enforced at Reject | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | Medium | Configuration weakness that increases attack surface | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-017 | Mailbox Auditing Not Enabled for All Mailboxes | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | Medium | Configuration weakness that increases attack surface | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-019 | Email Quarantine Policy Not Configured | Microsoft Graph: Mail Assessment API | MailboxSettings.Read | Medium | Configuration weakness that increases attack surface | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Email-020 | Anti-Impersonation Coverage Below Target | Micros﻿oft Graph: Mail Assessment API | MailboxSettings.Read | Medium | Configuration weakness that increases attack surface | CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1 |
| Endpoint-006 | OS Versions Not Current | Microsoft Graph: Device Management API | DeviceManagementManagedDevices.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-008 | Stale Devices with No Sync > 90 Days | Microsoft Graph: Device Management API | DeviceManagementManagedDevices.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-012 | Attack Surface Reduction Rules Missing | Microsoft Graph: Device Management API | SecurityEvents.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-014 | Defender Onboarding Coverage Below 80% | Microsoft Graph: Device Management API | SecurityEvents.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| Endpoint-015 | EDR Block Mode Not Enabled | Microsoft Graph: Device Management API | SecurityEvents.Read.All | Medium | Configuration weakness that increases attack surface | CIS-10.1, NIST-CM-8, SOC2-CC6.6, ISO-A.8.1.1 |
| DataProtection-004 | eDiscovery Not Configured | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-006 | External Sharing Unrestricted on SharePoint Sites | Microsoft Graph API | Sites.Read.All | Medium | Configuration weakness that increases attack surface | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-007 | OneDrive External Sharing Open | Microsoft Graph API | Sites.Read.All | Medium | Configuration weakness that increases attack surface | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| DataProtection-009 | Retention Period Below Compliance Baseline | Microsoft Graph API | RecordsManagement.Read.All | Medium | Configuration weakness that increases attack surface | CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3 |
| Identity-019 | No Access Reviews Configured | Microsoft Graph: Authentication Methods API | RoleManagement.Read.All | Medium | Configuration weakness that increases attack surface | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Identity-022 | OAuth Consent Policy Allows User Consent | Microsoft Graph: Authentication Methods API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.3 |
| Infrastructure-012 | SQL Servers Without Azure AD Authentication | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-013 | Key Vault Secrets Not Rotated | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| Infrastructure-014 | No Private Endpoints for PaaS Resources | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-4.1, NIST-SC-7, SOC2-CC6.6, ISO-A.13.1.1 |
| CloudPosture-003 | Diagnostic Settings Missing on Critical Resources | Microsoft Graph API | Check Permission Health | Medium | Configuration weakness that increases attack surface | CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4 |
CloudPosture-004 No Azure Policy Assignments Detected Microsoft Graph API Check Permission Health Medium Configuration weakness that increases attack surface CIS-8.1, NIST-IR-4, SOC2-CC7.2, ISO-A.16.1.4
Resilience-003 Alert Rules Not Configured Microsoft Graph API AuditLog.Read.All Medium Configuration weakness that increases attack surface CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1
Resilience-004 Backup Restore Testing Stale Microsoft Graph API Check Permission Health Medium Configuration weakness that increases attack surface CIS-10.1, NIST-CP-9, SOC2-A1.2, ISO-A.12.3.1
Email-001 929 Email Threat Detections Observed in Last 30 Days Microsoft Graph: Mail Assessment API MailboxSettings.Read Low Best-practice deviation with limited immediate risk CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1
DataProtection-003 Sensitivity Labels Configured but Under-Adopted Microsoft Graph API InformationProtectionPolicy.Read.All Low Best-practice deviation with limited immediate risk CIS-3.1, NIST-SC-28, SOC2-CC6.7, ISO-A.8.2.3
Cost-007 Duplicate Security Tools Detected Microsoft Graph API Check Permission Health Low Best-practice deviation with limited immediate risk CIS-1.1, NIST-ID.AM, SOC2-CC3.2, ISO-A.8.6
Identity-024 Stale Disabled Accounts Not Removed Microsoft Graph: Authentication Methods API User.Read.All Low Best-practice deviation with limited immediate risk CIS-6.2, NIST-PS-4, SOC2-CC6.2, ISO-A.9.2.6
Identity-030 No Passwordless Authentication Adoption Microsoft Graph: Authentication Methods API Check Permission Health Low Best-practice deviation with limited immediate risk CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2
DataProtection-016 Records Management Features Disabled Microsoft Graph API RecordsManagement.Read.All Low Best-practice deviation with limited immediate risk CIS-3.1, NIST-AU-11, SOC2-CC6.7, ISO-A.8.2.3
DataProtection-020 Teams Without Assigned Owners Microsoft Graph API Team.ReadBasic.All Low Best-practice deviation with limited immediate risk CIS-6.1, NIST-AC-6, SOC2-CC6.2, ISO-A.9.2.5
Network-012 No Named Locations Configured Microsoft Graph API Directory.Read.All Low Best-practice deviation with limited immediate risk CIS-6.5, NIST-IA-2, SOC2-CC6.1, ISO-A.9.4.2
Email-018 External Sender Warning Banner Missing Microsoft Graph: Mail Assessment API MailboxSettings.Read Low Best-practice deviation with limited immediate risk CIS-9.1, NIST-SI-8, SOC2-CC6.1, ISO-A.12.2.1
Unknowns Register (1 item)
Unknown | Reason | How to Fix | Owner | Target Date
Network Security telemetry | No checks executed | Requires ARM API integration. Deploy Azure Network Watcher; use `az network nsg list` for manual audit. | SecOps | Next collection
CMMC Evidence Snapshot

Supplemental CMMC-specific scoring. Use the command center above for cross-framework execution and auditor workflow.

SPRS 87
Controls Assessed 24/110
Pass / Fail 16/4
Coverage 22%
Breakdown: 16 Pass, 4 Fail, 4 Partial. Evidence by source: 8 API, 8 PowerShell, 8 Manual. Maximum SPRS score: 110.
Technical Evidence Appendix

Use this appendix to validate methodology, coverage, and evidence confidence after the primary decisions are clear.

Start with the summary sections below. Expand detailed appendices only when you need implementation proof or troubleshooting depth.

§How to Use This Report

Severity Levels

Level | Priority | Action Window
Critical | P0 | Immediate — within 72 hours
High | P1 | This week (7 days)
Medium | P2 | This month (30 days)
Low | P3 | Track & plan (90 days)

Suggested Workflow

  1. Overview — check security posture, scorecard, quick wins
  2. Findings — review critical and high severity items with remediation steps
  3. Compliance — review framework coverage and gaps (CMMC, CIS, NIST)
  4. Technical Evidence — data sources, collection health, glossary, and traceability
  5. Track Progress — check off items as completed in the Findings tab

Where to Find Things

  • Overview tab — tenant identity, security posture, scorecard, quick wins
  • Findings tab — detailed security issues with remediation steps
  • Compliance tab — framework mappings (CMMC, CIS, NIST, ISO, SOC 2)
  • Technical Evidence tab — data sources, collection health, glossary, and traceability

Tenant Overview

Users
150
120 active, 15 disabled
120 members, 35 guests
Admins
7
7/7 with MFA
Devices
150
145 compliant (97%)
Secure Score
56.7%
12 CA policies
Licenses
Microsoft 365 Business Premium: 120/130, Exchange Online Plan 1: 5/5, Power BI (Free): 4/50
Domains
contoso.onmicrosoft.com, contoso.com, contoso.mail.onmicrosoft.com
Organization: Contoso Corporation Tenant ID: a1b2c3d4...7890
Data Sources

Security data was collected from the following sources for this assessment.

Microsoft Graph API
Compliance Evidence Platform
23-Dataset Actionability Matrix

Fixed coverage contract for high-value telemetry datasets. Missing or degraded states are explicitly disclosed with next actions.

Datasets Tracked
23
Assessed
23
Not Assessed
0
Not Consented
0
API Failure
0
Not Licensed
0
Dataset Key | Dataset | Domain | Status | Observed | Why | Next Action
oauth_grants_summary | OAuth Permission Grants | Identity / Apps | Assessed | total grants=42 | Payload collected. | Review admin-consent grants and remove unused high-risk permissions.
log_analytics_summary | Log Analytics / Sentinel | Monitoring | Assessed | keys: is_live, endpoint, retention_days (+10 more) | Payload collected. | Validate workspace ingestion and alert rule coverage for critical detections.
service_principal_summary | Service Principal Audit | Identity / Apps | Assessed | stale count=9 | Payload collected. | Reduce high-privilege app credentials and remove stale service principals.
sharepoint_sites | SharePoint Sites (Raw) | Collaboration / Data | Assessed | total count=15 | Payload collected. | Validate externally shared sites and restrict broad link exposure.
sharepoint_summary | SharePoint Summary | Collaboration / Data | Assessed | total sites=15 | Payload collected. | Use site-level evidence to prioritize external-sharing remediation.
teams_inventory_summary | Teams Inventory | Collaboration | Assessed | total teams=8 | Payload collected. | Review public teams and guest-access sprawl by owner.
teams_summary | Teams Summary | Collaboration | Assessed | total count=8 | Payload collected. | Align Teams governance controls with collaboration policy baseline.
named_locations_summary | Named Locations | Identity | Assessed | keys: total_locations, trusted_locations, locations (+1 more) | Payload collected. | Define trusted network boundaries for conditional access enforcement.
retention_policies | Retention Policies | Data Protection | Assessed | total policies=0 | Payload collected. | Confirm retention coverage for regulated workloads and high-risk data sets.
admin_operations_summary | High-Risk Admin Operations | Monitoring | Assessed | total operations=3 | Payload collected. | Investigate privileged admin operations and enforce approval controls.
arm_public_ips | ARM Public IP Inventory | Infrastructure | Assessed | 2 records | Payload collected. | Remove orphaned public IPs and attach exposure controls to internet-facing assets.
secure_score_recommendations | Secure Score Recommendations | Security | Assessed | keys: biggest_lift, stats, is_live | Payload collected. | Close high-impact recommendations with owner and due-date tracking.
vulnerability_data | Vulnerability Evidence (Detailed) | Endpoint | Assessed | critical count=12 | Payload collected. | Patch or mitigate critical CVEs with asset-level accountability.
vulnerability_summary | Vulnerability Summary | Endpoint | Assessed | total=85 | Payload collected. | Prioritize remediation backlog by severity and exploitability.
guest_users_list | Guest Users | Identity / Collaboration | Assessed | 5 records | Payload collected. | Review inactive/excessive guest access and enforce recertification cadence.
backup_jobs | Backup Jobs | Resilience | Assessed | 3 records | Payload collected. | Validate backup job success rates and remediate recurring failures.
backup_vaults | Backup Vaults | Resilience | Assessed | 2 records | Payload collected. | Confirm vault coverage for critical workloads and immutable backup posture.
recovery_readiness | Recovery Readiness | Resilience | Assessed | keys: is_live, overall_status, rto_target_hours (+5 more) | Payload collected. | Test restore/RTO/RPO assumptions against business recovery objectives.
exchange_transport_rules | Exchange Transport Rules | Email | Assessed | keys: total_rules, enabled_rules, rules (+1 more) | Payload collected. | Harden anti-phish and external-mail controls in transport policy.
intune_app_protection | Intune App Protection | Endpoint | Assessed | total count=0 | Payload collected. | Enforce app data-protection controls for unmanaged/mobile access paths.
managed_app_policies | Managed App Policies | Endpoint | Assessed | total count=0 | Payload collected. | Close managed-app policy gaps for data exfiltration controls.
pim_role_settings | PIM Role Settings | Identity | Assessed | keys: total_assignments, assignments, is_live | Payload collected. | Require just-in-time activation and approval workflows for privileged roles.
teams_policies | Teams Policies | Collaboration | Assessed | total policies=0 | Payload collected. | Restrict risky Teams app/guest defaults and enforce baseline policy controls.
Environment Snapshot & License Detail
Cloud API Microsoft Graph
PowerShell On-premises collection
Snapshot
Field | Value
Tenant Id | a1b2c3d4-e5f6-7890-abcd-ef1234567890
Tenant Name | Contoso Corporation
Primary Domains | contoso.onmicrosoft.com, contoso.com, contoso.mail.onmicrosoft.com
Run Id | 20260308T052650Z_ad-hoc
Collector Version | ead632e
Counts | users: 150; devices: 150; ca policies: 12; licenses: 157
Data collected via Microsoft Graph API
License Utilization (Detailed)
SKU | Assigned | Total | Utilization
Microsoft 365 Business Premium | 120 | 130 | 92%
Exchange Online Plan 1 | 5 | 5 | 100%
Power BI (Free) | 4 | 50 | 8%
Microsoft Teams Exploratory Dept | N/A | N/A | N/A
Collection Checklist
Item | Value | Status | Collection Step
Tenant ID | a1b2c3d4-e5f6-7890-abcd-ef1234567890 | OK | Grant Directory.Read.All and Organization.Read.All; re-run collection. (API)
Tenant Name | Contoso Corporation | OK | Grant Directory.Read.All and Organization.Read.All; re-run collection. (API)
Primary Domains | contoso.onmicrosoft.com, contoso.com, contoso.mail.onmicrosoft.com | OK | Grant Domain.Read.All; re-run collection. (API)
MFA Coverage | 94.0% | OK | Grant Reports.Read.All; re-run MFA coverage collector. (API)
Admin MFA Coverage | 100.0% | OK | Grant RoleManagement.Read.All + Reports.Read.All; re-run privileged account collector. (API)
Secure Score | 56.7% | OK | Grant SecurityEvents.Read.All; re-run secure score collector. (API)
Device Compliance | 96.7% | OK | Grant DeviceManagementManagedDevices.Read.All; re-run device compliance collector. (API)
Backup & DR Health Azure Backup

Azure Backup coverage and disaster recovery readiness across Recovery Services vaults.

100
% Protected
Healthy
0 protected items across configured vaults
0
Protected Items
8h
Since Last Backup
Healthy
RTO Status
Healthy
RPO Status
Data Collection Health

Per-endpoint collection status showing what data was successfully retrieved. 49 of 49 endpoints collected.

Endpoint | Status | Object Count | Source API
Secure Score (Security) | OK | - | SecurityEvents.Read.All
MFA Coverage (Identity) | OK | - | Reports.Read.All
Risky Users (Identity) | OK | - | IdentityRiskyUser.Read.All
Privileged Accounts (Identity) | OK | - | RoleManagement.Read.All
Conditional Access (Identity) | OK | - | Policy.Read.All
Device Compliance (Endpoint) | OK | - | DeviceManagementManagedDevices.Read.All
Security Alerts (Security) | OK | - | SecurityEvents.Read.All
User Summary (Identity) | OK | - | User.Read.All
Secure Score Controls (Security) | OK | - | SecurityEvents.Read.All
Network Security Groups (Network) | OK | - | Reader (ARM)
Storage Accounts (Infrastructure) | OK | - | Reader (ARM)
Key Vaults (Infrastructure) | OK | - | Reader (ARM)
SQL Servers (Infrastructure) | OK | - | Reader (ARM)
Backup Health (Infrastructure) | OK | - | Reader (ARM)
Backup Vaults (Infrastructure) | OK | - | Reader (ARM)
Backup Jobs (Infrastructure) | OK | - | Reader (ARM)
Recovery Readiness (Infrastructure) | OK | - | Reader (ARM)
Vulnerability Assessment (Vulnerability Management) | OK | - | SecurityEvents.Read.All
Defender TVM Vulnerabilities (Vulnerability Management) | OK | - | Vulnerability.Read.All (WindowsDefenderATP)
Defender TVM Recommendations (Vulnerability Management) | OK | - | SecurityRecommendation.Read.All (WindowsDefenderATP)
Defender Software Inventory (Vulnerability Management) | OK | - | Software.Read.All (WindowsDefenderATP)
Evidence: API Auto-Collection | OK | 8 | Rule Engine (Graph API Analysis)
Evidence: PowerShell Collector | OK | 8 | Invoke-SecurityCollection.ps1
Evidence: Manual Questionnaire | OK | 8 | Compliance Questionnaire
All Security Checks Completed

All security checks were successfully performed. No permissions issues detected.

Security Feature Scorecard

20 of 29 assessable features enabled (69%)
20 enabled, 9 not configured, 0 permission needed, 6 not assessed
Identity & Access: 5/8 enabled, 3 blockers
Endpoint Security: 2/6 enabled, 4 blockers
Data Protection: 3/5 enabled, 2 blockers
Application Security: 4/4 enabled, 0 blockers
Email Security: 1/3 enabled, 2 blockers
Collaboration: 0/3 enabled, 3 blockers
Security Monitoring: 4/4 enabled, 0 blockers
Compliance: 1/2 enabled, 1 blocker
Quick Wins (4)
  1. Retention Policies - Licensed but not configured
  2. SharePoint External Sharing - Licensed but not configured
  3. Teams Governance - Licensed but not configured
  4. Guest Access Controls - Licensed but not configured
Full feature inventory by domain

Identity & Access

MFA Registration | 94.0% of users registered
MFA Enforcement (CA) | CA policy enforcing MFA
Conditional Access Policies | 12 policies configured
Privileged Identity Management | Licensed but not configured
Risk-based sign-in protection | Licensed but not configured
Legacy Auth Blocking | Cannot assess via API
Password Policies | Password policies configured
Auth Methods Policy | Auth method policies configured

Endpoint Security

Intune Device Enrollment | Licensed but not configured
Device Compliance Policies | Licensed but not configured
BitLocker Encryption | Cannot assess via API
Defender for Endpoint | Defender for Endpoint active
Device Compliance Rate | 96.7% devices compliant
App Protection Policies | Licensed but not configured

Data Protection

DLP Policies | 1 DLP policy enabled
Sensitivity Labels | Cannot assess via API
Retention Policies | Licensed but not configured
Microsoft Purview | Purview governance active
Safe Links / Safe Attachments | Email protection active

Application Security

OAuth App Governance | 15 apps audited
Service Principal Audit | Service principals audited
App Registration Governance | App registrations inventoried
Third-Party App Review | Third-party apps reviewed

Email Security

Anti-Phishing Policies | 605 threats blocked
Transport Rules | Cannot assess via API
DKIM / DMARC / SPF | Cannot assess via API

Collaboration

SharePoint External Sharing | Licensed but not configured
Teams Governance | Licensed but not configured
Guest Access Controls | Licensed but not configured

Security Monitoring

Secure Score Tracking | Secure Score tracked
Security Alerts | Security alerts monitored
Sign-in analysis | Sign-in patterns analyzed
Admin Operations Monitoring | Admin ops monitored

Compliance

Compliance Framework Mapping | Cannot assess via API
Vulnerability Assessment | Vulnerability data assessed
Integrations

Optional security integrations that enhance assessment coverage.

  • Azure Resource Manager: ✓ Collected. Endpoint protection signals available. Device onboarding data not yet collected.
  • Azure Backup & DR: ○ Not Configured. Azure Backup & DR integration is not configured.
  • Defender Vulnerability Assessment: ✓ Collected. Endpoint protection signals available. Device onboarding data not yet collected.
  • Microsoft Purview: ✓ Connected. Purview data collected. Sensitivity labels and DLP policies assessed.
  • Log Analytics / Sentinel: ✓ Connected. Log Analytics workspace connected.

How to Enable (Microsoft Entra ID / Graph)

Grant least-privilege Graph permissions to the reporting app, then rerun collection.

Required Graph API permissions (Application):
  • User.Read.All
  • Directory.Read.All
  • Policy.Read.All
  • RoleManagement.Read.All
  • Reports.Read.All
  • SecurityEvents.Read.All
Verification:
  • Rerun the pipeline and confirm the Identity status becomes Connected
  • Confirm Conditional Access counts appear in the report
Identity + Endpoint Operations Detail
Active Directory Overview PowerShell

On-premises Active Directory assessment via PowerShell collector.

AD Security Score: 69
Collection Status: complete
Data Collection Coverage: 100%
Confidence: High
Risk Level: Medium
Controls Assessed: 8 of 8
Domain: N/A
Forest: N/A
Control results: 4 Compliant, 2 Non-Compliant, 2 Partial, 0 Unknown
Control Assessment (8 controls)
ID | Control | Status | Evidence
AD-001 | AD Connect Sync Healthy | ✓ Compliant | AD Connect delta sync healthy, last run 23m ago, 0 export errors
AD-002 | Legacy Authentication Active | ✗ Non-Compliant | Sign-in logs show 47 legacy auth events from 3 users in past 7 days
AD-003 | Privileged Admin Footprint Controlled | ◔ Partial | 3 Global Admins found; admin3@contoso.com lacks MFA registration
AD-004 | Brute-Force Activity Monitored | ✓ Compliant | No accounts exceeded failed sign-in threshold in past 7 days
AD-005 | Risky Sign-In Pressure Controlled | ✓ Compliant | 8 risky sign-ins detected; 1 high, 2 medium risk
AD-006 | LDAP Signing/Channel Binding Gap | ✗ Non-Compliant | GPO audit shows LDAPServerIntegrity = 0 (Not Required) on DC-01, DC-02
AD-007 | NTLMv1 Disabled | ✓ Compliant | NTLM audit logs show no NTLMv1 usage in past 30 days
AD-008 | Domain Controller Patch Baseline Gap | ◔ Partial | DC-01: up to date; DC-02: 1 critical update pending (KB5034441, 18 days old)
Action Plan
Priority | Action | Control / Severity / Effort / Due (Owner and Verification columns not populated in this run)
1 | Block Legacy Authentication | Control AD-002 | Severity: high | Effort: M | Due: 0-7 days
2 | Enforce LDAP Signing | Control AD-006 | Severity: high | Effort: M | Due: 0-7 days
3 | Patch DC-02 | Control AD-008 | Severity: high | Effort: S | Due: 0-7 days
4 | Enforce MFA for All Admins | Control AD-003 | Severity: medium | Effort: S | Due: 7-30 days
Domain Controller Inventory PowerShell
Domain Controllers (2)
Hostname | IPv4 | OS | Version | Site | GC | Type | FSMO Roles | Last Hotfix
DC-01 | Not collected | Windows Server 2022 | Not collected | Not collected | Unknown | Unknown | PDC Emulator, Schema Master | Not collected
DC-02 | Not collected | Windows Server 2019 | Not collected | Not collected | Unknown | Unknown | RID Master, Infrastructure Master | Not collected
ACL & Delegation Audit PowerShell

Active Directory ACL audit covering DCSync rights, dangerous permissions on admin objects, Kerberoastable service accounts, and constrained delegation configuration.

DCSync-Eligible Accounts (2) (1 non-builtin — requires immediate review)
Identity | Replication Rights | Built-in?
CONTOSO\Domain Controllers | DS-Replication-Get-Changes, DS-Replication-Get-Changes-All | Yes
CONTOSO\svc_backup | DS-Replication-Get-Changes, DS-Replication-Get-Changes-All | No
Dangerous Permissions on Admin Objects (1)
Target Object | Identity | Permission | Inheritance
AdminSDHolder | CONTOSO\HelpDesk-Team | GenericAll | Explicit
Kerberoastable Service Accounts (2)
Account | SPNs | Password Age | Privileged? | Enabled
svc_sql | 2 | 847d | No | Yes
svc_web | 1 | 45d | No | Yes
Constrained Delegation (1)
Identity | Delegated Services | Protocol Transition?
svc_proxy | HTTP/web01.contoso.com, HTTP/web02.contoso.com | Yes

Device Inventory

15 Total Devices 9 Compliant 6 Non-Compliant 0 Unknown
OS Count Compliant Non-Compliant Compliance %
Windows 9 4 5 44%
macOS 3 2 1 67%
iOS 3 3 0 100%
Total 15 9 6 60%

Showing 1 of 10 devices. Full inventory available via Microsoft Endpoint Manager.

Privileged Accounts

Accounts without MFA are highlighted in red and listed first.

Account Role(s) MFA Status Last sign-in
admin.breakglass@contoso.com Global Admin ✓ Registered Jun 20, 2025
david.mitchell@contoso.com Security Admin ✓ Registered Feb 07, 2026
emily.rodriguez@contoso.com SharePoint Admin ✓ Registered Feb 05, 2026
kevin.patel@contoso.com Helpdesk Admin ✓ Registered Feb 07, 2026
michael.torres@contoso.com Global Admin, User Admin ✓ Registered Feb 07, 2026
rachel.kim@contoso.com Exchange Admin ✓ Registered Feb 06, 2026
sarah.chen@contoso.com Global Admin ✓ Registered Feb 07, 2026

Identity Risk

2 High 3 Medium 1 Low
User Risk Level Risk State Last Updated
marcus.williams@contoso.com High At Risk Feb 12, 2026 04:50
jennifer.park@contoso.com High At Risk Feb 12, 2026 04:50
emily.rodriguez@contoso.com Medium At Risk Feb 12, 2026 04:50
james.okafor@contoso.com Medium At Risk Feb 12, 2026 04:50
rachel.kim@contoso.com Medium Remediated Feb 12, 2026 04:50
thomas.bergstrom@contoso.com Low Dismissed Feb 12, 2026 04:50

External Collaboration

30 Guest Users
5 Unique Domains

Guest Domains: clientcorp.com (1), partnerfirm.com (1), outsideaudit.com (1), vendorservices.io (1), defunct-company.com (1)

Collaboration Action Board

Action guidance is shown only when collaboration telemetry is live and active risk signals are non-zero.

Signal | Observed | Required Action | Owner | Execution Command
Teams with guest users | 2 | Run quarterly guest access review and remove inactive guest memberships. | Teams Service Owner | `Get-Team | Where-Object {$_.AllowGuestUser -eq $true}`

Access Policies (Conditional Access)

12 Enabled 0 Report-only 0 Disabled
Policy Name State Target Enforcement
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Unnamed Policy Enabled Not specified Not specified
Application + Collaboration Telemetry Detail
Application Inventory

All detected OAuth app registrations and enterprise applications (service principals) in the tenant. High-risk applications are highlighted.

App Registrations
15
Service Principals
0
High Risk
1
Admin Consent
0
Attention: 1 high-risk application detected. Review permissions and consent grants below.

15 app registrations detected (detail listing requires Application.Read.All permission).

Software Inventory

Applications detected by Intune across managed devices, with end-of-life software flagged.

15
Total Applications
2
End-of-Life Software
windows
Top Platform
End-of-Life Software Detected

The following software has reached end-of-life and no longer receives security updates:

  • Windows Server 2012 R2 — 3 device(s)
  • Office 2016 — 8 device(s)
Application | Version | Publisher | Devices | Platform
Microsoft 365 Apps | 16.0.17928 | Microsoft | 45 | windows
Microsoft Teams | 24004.1309 | Microsoft | 44 | windows
Google Chrome | 121.0.6167 | Google | 42 | windows
Adobe Acrobat Reader | 24.001.20604 | Adobe | 38 | windows
Slack | 4.38.125 | Slack Technologies | 35 | windows
Zoom Workplace | 6.0.11 | Zoom | 34 | windows
7-Zip | 24.05 | Igor Pavlov | 25 | windows
Notepad++ | 8.6.4 | Notepad++ Team | 20 | windows
Visual Studio Code | 1.87.2 | Microsoft | 18 | windows
Git | 2.44.0 | The Git Development Community | 15 | windows
Python 3.11 | 3.11.8 | Python Software Foundation | 12 | windows
VLC media player | 3.0.20 | VideoLAN | 10 | windows
FileZilla | 3.66.5 | FileZilla Project | 8 | windows
Office 2016 (EOL) | 16.0.4266 | Microsoft | 8 | windows
Windows Server 2012 R2 (EOL) | 6.3.9600 | Microsoft | 3 | windows
Lifecycle Governance

Identity governance workflows for employee onboarding, transfers, and offboarding, plus Terms of Use agreements enforced at sign-in.

Lifecycle Workflows

3 workflow(s), 2 enabled.

Workflow | Category | Status | Created
Onboard new hire | Joiner | Enabled | 2025-06-01
Transfer employee | Mover | Enabled | 2025-07-01
Offboard departing employee | Leaver | Disabled | 2025-08-01
Terms of Use Agreements
Agreement | Required Before Access | Reaccept Frequency
Acceptable Use Policy | Yes | P90D
Data Governance

Data Loss Prevention alerts, retention labels, and records management status.

Data Governance Status
Configured
DLP Alerts: 3 | Retention Labels: 2
DLP Alerts (3)

By severity: 1 high, 1 medium, 1 low

Alert | Severity | Status | Date
Social Security Number detected in outbound email | High | New | 2026-02-10
Credit card number shared via Teams | Medium | In progress | 2026-02-09
External file sharing of sensitive document | Low | Resolved | 2026-02-08
Retention Labels (2)
Label | Retention Duration | Record Behavior | Status
Financial Records 7yr | P2555D | startLocked | Active
HR Documents 5yr | P1825D | startLocked | Active
Conditional Access Scenario Testing

Simulated attack scenarios tested against your Conditional Access policies. PASS = blocked, FAIL = allowed through, WARN = requires MFA or report-only.

Scenario Test Results
Attack scenarios evaluated against Conditional Access policies
3/5
External Admin
✓ PASS
Admin login from unrecognized country on unknown device
Blocked by risk-based CA policy
  • Block high-risk sign-ins
Guest Sharepoint
✗ FAIL
Guest user accessing SharePoint from personal device
No policy blocks guest SharePoint access — gap identified
Legacy Auth
✓ PASS
Legacy authentication attempt (Exchange ActiveSync)
Legacy auth blocked by CA policy
  • Block legacy authentication
Mobile Exchange
✓ PASS
Unmanaged mobile device accessing Exchange Online
Non-compliant device blocked
  • Require compliant device
Unknown Ip Portal
⚠ WARN
Unknown IP accessing Azure Portal with medium sign-in risk
MFA triggered by medium sign-in risk
  • Require MFA for medium risk
Technical Appendix (Coverage Audit, Glossary, Raw Explorer)
Coverage Unlock Matrix

Exactly what is collected today, what is missing, and the specific action to unlock remaining visibility.

Permission Coverage
100%
Permissions Granted + Pulled
11/11
Permission Gaps
0
Endpoint Success
21/21 (100%)
Signal / Permission Current Status Business Impact Unlock Action
On-Prem Active Directory Signals Not Collected Tier-0, LDAP, NTLM, and AD attack-path controls are outside current telemetry scope. Run `Invoke-SecurityCollection.ps1` on a domain-joined host and upload results.
Azure Cost Optimization Signals Not Collected Potential savings opportunities and waste detection are not currently quantified. Enable Cost Management + Advisor collection to generate savings opportunities.
Measurement Map

KPI sources, permissions, and confidence so every metric is traceable. Showing 10 of 10 entries.

KPI Source API Permission Last Collected Confidence
MFA coverage % Microsoft Graph Reports Reports.Read.All Mar 08, 2026 05:26 OBSERVED
Admin MFA coverage % Microsoft Graph Reports Reports.Read.All Mar 08, 2026 05:26 OBSERVED
Legacy auth blocked Microsoft Graph Policies Policy.Read.All Mar 08, 2026 05:26 OBSERVED
Enabled CA policy count Microsoft Graph Conditional Access Policy.Read.All Mar 08, 2026 05:26 OBSERVED
Risky sign-ins (count) Identity Protection IdentityRiskEvent.Read.All Mar 08, 2026 05:26 OBSERVED
Secure Score % Microsoft Defender Secure Score SecurityEvents.Read.All Mar 08, 2026 05:26 OBSERVED
Device compliance % Microsoft Intune DeviceManagementManagedDevices.Read.All Mar 08, 2026 05:26 OBSERVED
CMMC Evidence: API Auto-Collection Rule Engine (Graph API Analysis) Application permissions (varies by rule) N/A HIGH
CMMC Evidence: PowerShell Collector Invoke-SecurityCollection.ps1 Domain Admin / local collector N/A HIGH
CMMC Evidence: Manual Questionnaire Compliance Questionnaire Portal Portal user attestation N/A HIGH
Permission Collection Status

Explicit permission traceability: what was both granted and produced data in this run, versus permissions that did not return data.

Granted + Pulled requires a successful endpoint status and a non-empty collected payload.
Consent completeness: Unknown (insufficient permission telemetry)
Assessment accuracy degraded: consent completeness is inferred/proxy-based. Some controls remain Not Assessed until full consent telemetry is available.
Permissions Checked
11
Granted + Pulled
11
Not Pulled / Not Granted
0
Endpoint Checks
21
Endpoint Granted + Pulled
21
Endpoint Not Pulled / Not Granted
0

Granted + Pulled

Permission Successful Endpoints Endpoint Samples
DeviceManagementManagedDevices.Read.All 1 Device Compliance
IdentityRiskyUser.Read.All 1 Risky Users
Policy.Read.All 1 Conditional Access
Reader (ARM) 8 Network Security Groups, Storage Accounts, Key Vaults +5 more
Reports.Read.All 1 MFA Coverage
RoleManagement.Read.All 1 Privileged Accounts
SecurityEvents.Read.All 4 Secure Score, Security Alerts, Secure Score Controls +1 more
SecurityRecommendation.Read.All (WindowsDefenderATP) 1 Defender TVM Recommendations
Software.Read.All (WindowsDefenderATP) 1 Defender Software Inventory
User.Read.All 1 User Summary
Vulnerability.Read.All (WindowsDefenderATP) 1 Defender TVM Vulnerabilities

Not Pulled / Not Granted

Permission Impacted Endpoints Endpoint Samples Why
None

Endpoint-Level Verification Matrix

Permission | Endpoint | Domain | Endpoint Status | Data Pulled | Result | Why
DeviceManagementManagedDevices.Read.All | Device Compliance | Endpoint | success | Yes | Granted + Pulled | Permission granted and payload returned.
IdentityRiskyUser.Read.All | Risky Users | Identity | success | Yes | Granted + Pulled | Permission granted and payload returned.
Policy.Read.All | Conditional Access | Identity | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Backup Health | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Backup Jobs | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Backup Vaults | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Key Vaults | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Network Security Groups | Network | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Recovery Readiness | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | SQL Servers | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reader (ARM) | Storage Accounts | Infrastructure | success | Yes | Granted + Pulled | Permission granted and payload returned.
Reports.Read.All | MFA Coverage | Identity | success | Yes | Granted + Pulled | Permission granted and payload returned.
RoleManagement.Read.All | Privileged Accounts | Identity | success | Yes | Granted + Pulled | Permission granted and payload returned.
SecurityEvents.Read.All | Secure Score | Security | success | Yes | Granted + Pulled | Permission granted and payload returned.
SecurityEvents.Read.All | Secure Score Controls | Security | success | Yes | Granted + Pulled | Permission granted and payload returned.
SecurityEvents.Read.All | Security Alerts | Security | success | Yes | Granted + Pulled | Permission granted and payload returned.
SecurityEvents.Read.All | Vulnerability Assessment | Vulnerability Management | success | Yes | Granted + Pulled | Permission granted and payload returned.
SecurityRecommendation.Read.All (WindowsDefenderATP) | Defender TVM Recommendations | Vulnerability Management | success | Yes | Granted + Pulled | Permission granted and payload returned.
Software.Read.All (WindowsDefenderATP) | Defender Software Inventory | Vulnerability Management | success | Yes | Granted + Pulled | Permission granted and payload returned.
User.Read.All | User Summary | Identity | success | Yes | Granted + Pulled | Permission granted and payload returned.
Vulnerability.Read.All (WindowsDefenderATP) | Defender TVM Vulnerabilities | Vulnerability Management | success | Yes | Granted + Pulled | Permission granted and payload returned.

Data Coverage and Limitations

This assessment collected security telemetry from your Microsoft 365 environment. The table below summarizes data coverage by domain. Controls in domains marked 'Not Collected' are shown as 'Not Assessed' in framework mappings.

Domain | Collected | Not Collected | Confidence | Notes
Apps | App registrations, OAuth grants | Service Principals | NONE | -
Collaboration | SharePoint sites, OneDrive usage | Teams Summary | LOW | -
Compliance | - | Sign-in Analysis, High Risk Operations | NONE | Not collected - controls marked 'Not Assessed'
Data Protection | DLP policies, Sensitivity labels | Information Protection Labels | LOW | -
Email | Email threat alerts | Email Security Config | LOW | -
Endpoint | Intune compliance, managed devices | Device Compliance Policies | LOW | -
Identity | Users, MFA, Conditional Access | Authentication Methods Policy, Password Policies | LOW | -

Glossary

Key terms used throughout this report.

Term | Definition
MFA | Multifactor authentication — requires two or more verification methods to sign in, reducing credential theft risk.
CA | Conditional Access — Azure AD policies that enforce access controls based on user, device, location, and risk signals.
SIEM | Security Information and Event Management — centralized log collection and threat detection platform (e.g., Microsoft Sentinel).
RBAC | Role-Based Access Control — permissions model that assigns access based on organizational roles rather than individual users.
PIM | Privileged Identity Management — Azure AD service for just-in-time admin role activation with approval workflows.
DLP | Data Loss Prevention — policies that detect and block sensitive data from leaving the organization via email, files, or chat.
DKIM | DomainKeys Identified Mail — email authentication that digitally signs outbound messages to prevent spoofing.
DMARC | Domain-based Message Authentication, Reporting & Conformance — email policy that combines SPF and DKIM to protect against domain impersonation.
SPF | Sender Policy Framework — DNS record that specifies which mail servers are authorized to send email for a domain.
SSPR | Self-Service Password Reset — allows users to reset their own passwords without helpdesk involvement.
CVSS | Common Vulnerability Scoring System — standardized 0-10 severity rating for software vulnerabilities.
SPRS | Supplier Performance Risk System — DoD scoring system (-203 to +110) measuring NIST 800-171 implementation maturity.
CMMC | Cybersecurity Maturity Model Certification — DoD framework requiring contractors to meet specific cybersecurity practices at graduated levels.
CUI | Controlled Unclassified Information — government information that requires safeguarding per federal regulations (32 CFR Part 2002).
POA&M | Plan of Action and Milestones — document identifying tasks needed to remediate security weaknesses, with scheduled completion dates.
CIS | Center for Internet Security — nonprofit that publishes security benchmarks and hardening guidelines for IT systems.
NIST | National Institute of Standards and Technology — U.S. agency that develops cybersecurity frameworks (800-53, 800-171, CSF).

Data Coverage Map

End-to-end traceability for this run: 67/159 top-level JSON keys are shown in narrative sections; all keys are available in the Full Data Explorer below.

Top-level Key | Data Shape | Visibility
ad_action_plan | array (4 items) | Explorer only
ad_assessment_available boolean Explorer only
ad_collection_status string Explorer only
ad_connect_health object (4 keys) Explorer only
ad_controls array (8 items) Explorer only
ad_coverage_items array (0 items) Explorer only
ad_domain_controllers array (3 items) Explorer only
ad_findings array (3 items) Explorer only
ad_kerberos object (3 keys) Explorer only
ad_ldap_signing object (2 keys) Explorer only
ad_metrics object (6 keys) Explorer only
ad_ntlm_telemetry object (3 keys) Explorer only
ad_security_score object (6 keys) Explorer only
ad_tier0_groups array (7 items) Explorer only
ad_trusts array (0 items) Explorer only
admin_operations_summary object (5 keys) Narrative + Explorer
app_registrations_summary object (11 keys) Explorer only
arm_diagnostic_settings object (1 key) Explorer only
arm_policy_assignments object (1 key) Explorer only
arm_private_endpoints object (0 keys) Explorer only
arm_public_ips array (2 items) Narrative + Explorer
arm_resource_tags object (1 key) Explorer only
artifacts array (0 items) Narrative + Explorer
assessment_period object (2 keys) Explorer only
assessment_ready boolean Explorer only
assessment_ref string Explorer only
auth_methods_summary object (4 keys) Explorer only
backup_dashboard object (8 keys) Explorer only
backup_jobs array (3 items) Narrative + Explorer
backup_status object (0 keys) Explorer only
backup_vaults array (2 items) Narrative + Explorer
baseline_metrics object (14 keys) Narrative + Explorer
bitlocker_recovery_keys object (3 keys) Explorer only
branding object (11 keys) Explorer only
ca_gap_analysis object (5 keys) Explorer only
ca_policy_summary object (5 keys) Narrative + Explorer
ca_whatif_results object (5 keys) Explorer only
collection_health_summary object (10 keys) Narrative + Explorer
compliance_context object (5 keys) Explorer only
compliance_data_quality object (5 keys) Explorer only
compliance_decision_queue array (10 items) Explorer only
compliance_evidence_inventory array (18 items) Explorer only
compliance_policies_summary object (3 keys) Narrative + Explorer
composite_rating object (8 keys) Explorer only
conditional_access object (6 keys) Explorer only
configuration_status object (0 keys) Explorer only
contradiction_dashboard object (3 keys) Explorer only
cost_summary object (6 keys) Explorer only
data_governance_summary object (8 keys) Explorer only
data_quality_by_domain array (11 items) Explorer only
data_quality_gate object (4 keys) Explorer only
decision_points array (1 item) Narrative + Explorer
defender_summary object (7 keys) Narrative + Explorer
device_compliance object (14 keys) Narrative + Explorer
device_configuration_policies object (5 keys) Explorer only
device_inventory array (4 items) Narrative + Explorer
device_inventory_footnote string Explorer only
directory_roles object (3 keys) Explorer only
dlp_summary object (4 keys) Explorer only
domain_stats object (11 keys) Narrative + Explorer
domain_validations object (7 keys) Narrative + Explorer
email_security object (20 keys) Narrative + Explorer
entra_recommendations object (6 keys) Explorer only
environment_snapshot object (6 keys) Narrative + Explorer
evidence_assessment_available boolean Explorer only
evidence_assessment_results object (6 keys) Explorer only
evidence_controls array (24 items) Explorer only
evidence_coverage object (7 keys) Explorer only
evidence_domain_rollup object (14 keys) Explorer only
evidence_findings array (8 items) Explorer only
evidence_manifest object (1 key) Narrative + Explorer
evidence_poam array (4 items) Explorer only
evidence_sprs_score object (4 keys) Explorer only
exchange_transport_rules object (4 keys) Narrative + Explorer
failed_endpoints array (0 items) Narrative + Explorer
findings array (129 items) Narrative + Explorer
findings_by_domain object (11 keys) Explorer only
findings_generation_status string Explorer only
generated_at string Narrative + Explorer
guest_summary object (11 keys) Narrative + Explorer
guest_users_list array (5 items) Narrative + Explorer
high_risk_operations object (5 keys) Explorer only
implicit_actions array (1 item) Narrative + Explorer
inferred_findings array (0 items) Explorer only
integrations object (3 keys) Narrative + Explorer
intune_app_protection object (3 keys) Narrative + Explorer
legacy_auth_summary object (5 keys) Narrative + Explorer
license_overview object (9 keys) Narrative + Explorer
license_utilization object (4 keys) Explorer only
lifecycle_summary object (6 keys) Explorer only
log_analytics_summary object (13 keys) Narrative + Explorer
managed_app_policies object (3 keys) Narrative + Explorer
managed_devices_summary object (3 keys) Narrative + Explorer
mde_summary object (18 keys) Explorer only
measurement_map array (7 items) Narrative + Explorer
mfa_coverage object (11 keys) Narrative + Explorer
named_locations_summary object (4 keys) Narrative + Explorer
next_7_days_actions array (10 items) Narrative + Explorer
oauth_audit object (1 key) Explorer only
oauth_grants_summary object (4 keys) Narrative + Explorer
oauth_risk object (5 keys) Narrative + Explorer
observed_findings array (129 items) Explorer only
onedrive_usage object (0 keys) Explorer only
onprem_ad_assessment object (10 keys) Narrative + Explorer
onprem_ad_environment object (17 keys) Narrative + Explorer
org_slug string Narrative + Explorer
password_policies object (3 keys) Explorer only
permission_collection_status object (11 keys) Explorer only
permission_status object (0 keys) Explorer only
pim_role_settings object (3 keys) Narrative + Explorer
pim_summary object (0 keys) Explorer only
positive_findings array (6 items) Explorer only
prior_snapshot object (4 keys) Explorer only
prior_snapshots array (5 items) Explorer only
privileged_accounts array (7 items) Narrative + Explorer
purview_summary object (9 keys) Explorer only
recovery_readiness object (8 keys) Narrative + Explorer
remediation object (3 keys) Explorer only
report_metadata object (8 keys) Narrative + Explorer
report_mode string Explorer only
report_schema_version string Explorer only
retention_policies object (3 keys) Narrative + Explorer
risk_detection_summary object (0 keys) Explorer only
risky_signins_summary object (6 keys) Narrative + Explorer
risky_users_summary object (5 keys) Narrative + Explorer
rule_catalog array (125 items) Narrative + Explorer
run_id string Narrative + Explorer
runbook object (6 keys) Narrative + Explorer
secure_score object (10 keys) Narrative + Explorer
secure_score_benchmarks object (5 keys) Explorer only
secure_score_controls object (4 keys) Explorer only
secure_score_recommendations object (3 keys) Narrative + Explorer
security_alerts_summary object (9 keys) Explorer only
security_feature_scorecard object (5 keys) Explorer only
sensitivity_labels_summary object (3 keys) Explorer only
service_principal_summary object (5 keys) Narrative + Explorer
sharepoint_sharing_settings object (2 keys) Explorer only
sharepoint_sites object (5 keys) Narrative + Explorer
sharepoint_summary object (4 keys) Narrative + Explorer
sign_in_summary object (7 keys) Explorer only
snapshot_metrics object (4 keys) Explorer only
software_inventory_summary object (6 keys) Explorer only
sprs_score number Explorer only
tactical_lists object (5 keys) Narrative + Explorer
teams_inventory_summary object (5 keys) Narrative + Explorer
teams_policies object (3 keys) Narrative + Explorer
teams_summary object (3 keys) Narrative + Explorer
tenant_identity_issues array (0 items) Explorer only
tenant_overview object (15 keys) Narrative + Explorer
tenant_overview_checklist array (7 items) Narrative + Explorer
terms_of_use_summary object (4 keys) Explorer only
third_party_summary object (4 keys) Explorer only
threat_hunting object (3 keys) Explorer only
threat_pulse_summary object (7 keys) Narrative + Explorer
trend_summary object (3 keys) Narrative + Explorer
unknowns_register array (1 item) Narrative + Explorer
value_model object (5 keys) Explorer only
vulnerability_data object (11 keys) Narrative + Explorer
vulnerability_summary object (12 keys) Narrative + Explorer

Full Data Explorer

Complete run payload for technical validation. Payload values are hidden in customer report mode. Enable private mode to view full JSON.

ad_action_plan array (4 items)
4 items; first item shape: object (6 keys)
ad_assessment_available boolean
Boolean value present.
ad_collection_status string
Text value present (0 chars).
ad_connect_health object (4 keys)
Keys: sync_enabled, last_sync, sync_errors, connector_health
ad_controls array (8 items)
8 items; first item shape: object (10 keys)
ad_coverage_items array (0 items)
No items.
ad_domain_controllers array (3 items)
3 items; first item shape: object (10 keys)
ad_findings array (3 items)
3 items; first item shape: object (10 keys)
ad_kerberos object (3 keys)
Keys: unconstrained_delegation, des_only, rc4_only
ad_ldap_signing object (2 keys)
Keys: enforcement_status, mode
ad_metrics object (6 keys)
Keys: legacy_auth_count, risky_signins_count, brute_force_candidates, global_admin_count, total_privileged_accounts (+1 more)
ad_ntlm_telemetry object (3 keys)
Keys: ntlm_v1_count, ntlm_v2_count, service_accounts
ad_security_score object (6 keys)
Keys: score_pct, quality_pct, confidence, risk_level, known_controls (+1 more)
ad_tier0_groups array (7 items)
7 items; first item shape: object (3 keys)
ad_trusts array (0 items)
No items.
admin_operations_summary object (5 keys)
Keys: total_operations, critical_operations, operations, by_category, is_live
app_registrations_summary object (11 keys)
Keys: total_apps, apps_with_secrets, apps_with_certs, expiring_soon, applications (+6 more)
arm_diagnostic_settings object (1 key)
Keys: missing_count
arm_policy_assignments object (1 key)
Keys: total_count
arm_private_endpoints object (0 keys)
Keys: none
arm_public_ips array (2 items)
2 items; first item shape: object (2 keys)
arm_resource_tags object (1 key)
Keys: missing_tags_count
artifacts array (0 items)
No items.
assessment_period object (2 keys)
Keys: start_date, end_date
assessment_ready boolean
Boolean value present.
assessment_ref string
Text value present (32 chars).
auth_methods_summary object (4 keys)
Keys: methods, enabled_count, disabled_count, is_live
backup_dashboard object (8 keys)
Keys: is_live, protected_percent, total_protected_items, total_critical_systems, hours_since_backup (+3 more)
backup_jobs array (3 items)
3 items; first item shape: object (6 keys)
backup_status object (0 keys)
Keys: none
backup_vaults array (2 items)
2 items; first item shape: object (4 keys)
baseline_metrics object (14 keys)
Keys: mfa_coverage_pct, ca_enabled_count, ca_total_count, ca_report_only_count, ca_disabled_count (+9 more)
bitlocker_recovery_keys object (3 keys)
Keys: total_keys, keys, is_live
branding object (11 keys)
Keys: brand_id, company_name, logo_url, support_email, support_url (+6 more)
ca_gap_analysis object (5 keys)
Keys: is_assessed, baseline_checklist, report_only_policies, coverage_summary, gaps
ca_policy_summary object (5 keys)
Keys: total_policies, enabled_count, report_only_count, disabled_count, policies
ca_whatif_results object (5 keys)
Keys: scenarios, total_scenarios, blocked_count, score, is_live
collection_health_summary object (10 keys)
Keys: total_endpoints, successful_endpoints, failed_endpoints, collected_at, collection_completed (+5 more)
compliance_context object (5 keys)
Keys: schema_version, status_enum, assessability_reason_enum, operator_focus, auditor_focus
compliance_data_quality object (5 keys)
Keys: status, overall_coverage_pct, taxonomy_counts, contradictions, domain_coverage
compliance_decision_queue array (10 items)
10 items; first item shape: object (5 keys)
compliance_evidence_inventory array (18 items)
18 items; first item shape: object (6 keys)
compliance_policies_summary object (3 keys)
Keys: total_policies, policies, is_live
composite_rating object (8 keys)
Keys: score, grade, label, why, components (+3 more)
conditional_access object (6 keys)
Keys: total_policies, enabled_count, report_only_count, disabled_count, policies (+1 more)
configuration_status object (0 keys)
Keys: none
contradiction_dashboard object (3 keys)
Keys: status, count, rows
cost_summary object (6 keys)
Keys: estimated_cost_usd, total_calls_est, successful_calls, failed_calls, provider_calls (+1 more)
data_governance_summary object (8 keys)
Keys: dlp_alerts_count, dlp_alerts_by_severity, recent_dlp_alerts, retention_labels_count, retention_labels (+3 more)
data_quality_by_domain array (11 items)
11 items; first item shape: object (8 keys)
data_quality_gate object (4 keys)
Keys: status, reasons, thresholds, overall_coverage_pct
decision_points array (1 item)
1 item; first item shape: object (5 keys)
defender_summary object (7 keys)
Keys: total_incidents, incidents_last_7d, total_alerts, alerts_last_7d, top_incident_titles (+2 more)
device_compliance object (14 keys)
Keys: total_devices, compliant_count, non_compliant_count, unknown_count, compliance_percent (+9 more)
device_configuration_policies object (5 keys)
Keys: configurations, total_count, is_live, autopilot_profile_count, autopilot_profiles
device_inventory array (4 items)
4 items; first item shape: object (4 keys)
device_inventory_footnote string
Text value present (34 chars).
directory_roles object (3 keys)
Keys: total_count, roles, is_live
dlp_summary object (4 keys)
Keys: total_policies, enabled_policies, policies, is_live
domain_stats object (11 keys)
Keys: identity, data, endpoint, email, security (+6 more)
domain_validations object (7 keys)
Keys: Identity, Apps, Endpoint, Email, Collaboration (+2 more)
email_security object (20 keys)
Keys: status, safe_links, safe_attachments, dkim, dmarc (+15 more)
entra_recommendations object (6 keys)
Keys: is_live, total, by_priority, by_status, active_high_priority (+1 more)
environment_snapshot object (6 keys)
Keys: tenant_id, tenant_name, primary_domains, run_id, collector_version (+1 more)
evidence_assessment_available boolean
Boolean value present.
evidence_assessment_results object (6 keys)
Keys: is_live, source, total_controls_assessed, domains_assessed, sprs_score (+1 more)
evidence_controls array (24 items)
24 items; first item shape: object (13 keys)
evidence_coverage object (7 keys)
Keys: total_controls, assessed, pass, fail, partial (+2 more)
evidence_domain_rollup object (14 keys)
Keys: AC, AT, AU, CM, IA (+9 more)
evidence_findings array (8 items)
8 items; first item shape: object (8 keys)
evidence_manifest object (1 key)
Keys: entries
evidence_poam array (4 items)
4 items; first item shape: object (8 keys)
evidence_sprs_score object (4 keys)
Keys: score, max_score, percentage, domain_scores
exchange_transport_rules object (4 keys)
Keys: total_rules, enabled_rules, rules, is_live
failed_endpoints array (0 items)
No items.
findings array (129 items)
129 items; first item shape: object (47 keys)
findings_by_domain object (11 keys)
Keys: identity, data, endpoint, email, security (+6 more)
findings_generation_status string
Text value present (2 chars).
generated_at string
Text value present (32 chars).
guest_summary object (11 keys)
Keys: total_guests, unique_domains, domains, guests_with_direct_access, guests_via_groups (+6 more)
guest_users_list array (5 items)
5 items; first item shape: object (7 keys)
high_risk_operations object (5 keys)
Keys: is_live, total_count, critical_count, operations, by_category
implicit_actions array (1 item)
1 item; first item shape: object (21 keys)
inferred_findings array (0 items)
No items.
integrations object (3 keys)
Keys: arm, backup, defender_vuln
intune_app_protection object (3 keys)
Keys: total_count, policies, is_live
legacy_auth_summary object (5 keys)
Keys: unique_users, total_signins, protocols, users, is_live
license_overview object (9 keys)
Keys: total_licenses, assigned_licenses, available_licenses, by_sku, excluded_sku_count (+4 more)
license_utilization object (4 keys)
Keys: is_assessed, licensed_features, summary, inactive_features_detail
lifecycle_summary object (6 keys)
Keys: total_workflows, by_category, enabled_count, has_leaver_workflow, workflows (+1 more)
log_analytics_summary object (13 keys)
Keys: is_live, endpoint, retention_days, log_sources, recent_audit_events (+8 more)
managed_app_policies object (3 keys)
Keys: total_count, policies, is_live
managed_devices_summary object (3 keys)
Keys: total_devices, devices, is_live
mde_summary object (18 keys)
Keys: is_live, endpoint, total_mde_alerts, alerts_by_severity, total_devices (+13 more)
measurement_map array (7 items)
7 items; first item shape: object (7 keys)
mfa_coverage object (11 keys)
Keys: total_users, users_with_mfa, user_coverage_percent, total_admins, admins_with_mfa (+6 more)
named_locations_summary object (4 keys)
Keys: total_locations, trusted_locations, locations, is_live
next_7_days_actions array (10 items)
10 items; first item shape: object (14 keys)
oauth_audit object (1 key)
Keys: user_consent_allowed
oauth_grants_summary object (4 keys)
Keys: total_grants, admin_consent_count, grants, is_live
oauth_risk object (5 keys)
Keys: total_apps, high_risk_count, high_risk_apps, permission_summary, is_live
observed_findings array (129 items)
129 items; first item shape: object (44 keys)
onedrive_usage object (0 keys)
Keys: none
onprem_ad_assessment object (10 keys)
Keys: is_live, source, controls, domain_controllers, metrics (+5 more)
onprem_ad_environment object (17 keys)
Keys: is_live, source, controls, domain_controllers, metrics (+12 more)
org_slug string
Text value present (4 chars).
password_policies object (3 keys)
Keys: domains, total_domains, is_live
permission_collection_status object (11 keys)
Keys: total_permissions, granted_and_pulled_permissions, not_pulled_or_not_granted_permissions, granted_and_pulled, not_pulled_or_not_granted (+6 more)
permission_status object (0 keys)
Keys: none
pim_role_settings object (3 keys)
Keys: total_assignments, assignments, is_live
pim_summary object (0 keys)
Keys: none
positive_findings array (6 items)
6 items; first item shape: object (36 keys)
prior_snapshot object (4 keys)
Keys: tenant_id, run_id, collected_at, metrics
prior_snapshots array (5 items)
5 items; first item shape: object (4 keys)
privileged_accounts array (7 items)
7 items; first item shape: object (6 keys)
purview_summary object (9 keys)
Keys: is_live, endpoint, sensitivity_labels_count, sensitivity_labels, has_labels_configured (+4 more)
recovery_readiness object (8 keys)
Keys: is_live, overall_status, rto_target_hours, rto_actual_hours, rpo_target_hours (+3 more)
remediation object (3 keys)
Keys: 72h, 2week, 30day
report_metadata object (8 keys)
Keys: report_version, environment, prepared_by, confidentiality, data_current_as_of (+3 more)
report_mode string
Text value present (10 chars).
report_schema_version string
Text value present (5 chars).
retention_policies object (3 keys)
Keys: total_policies, policies, is_live
risk_detection_summary object (0 keys)
Keys: none
risky_signins_summary object (6 keys)
Keys: total_7d, total_30d, high_risk_7d, medium_risk_7d, events (+1 more)
risky_users_summary object (5 keys)
Keys: total_risky, high_risk_count, medium_risk_count, low_risk_count, users
rule_catalog array (125 items)
125 items; first item shape: object (9 keys)
run_id string
Text value present (23 chars).
runbook object (6 keys)
Keys: identity, data, endpoint, network, apps (+1 more)
secure_score object (10 keys)
Keys: current_score, max_score, score_percent, percentile, controls (+5 more)
secure_score_benchmarks object (5 keys)
Keys: your_score_percent, all_tenants, similar_size, industry, organization_size
secure_score_controls object (4 keys)
Keys: controls, biggest_lift, stats, is_live
secure_score_recommendations object (3 keys)
Keys: biggest_lift, stats, is_live
security_alerts_summary object (9 keys)
Keys: total_alerts, active_alerts, critical_count, high_count, medium_count (+4 more)
security_feature_scorecard object (5 keys)
Keys: features, summary, domain_rollups, quick_wins, permission_gaps
sensitivity_labels_summary object (3 keys)
Keys: total_labels, labels, is_live
service_principal_summary object (5 keys)
Keys: total_service_principals, high_privilege_count, stale_count, service_principals, is_live
sharepoint_sharing_settings object (2 keys)
Keys: settings, is_live
sharepoint_sites object (5 keys)
Keys: sites, total_count, is_live, external_sharing_open_sites, onedrive_external_sharing_open
sharepoint_summary object (4 keys)
Keys: total_sites, external_sharing_enabled, sites, is_live
sign_in_summary object (7 keys)
Keys: total_sign_ins, failed_sign_ins, risky_sign_ins, unique_users, top_failures (+2 more)
snapshot_metrics object (4 keys)
Keys: tenant_id, run_id, collected_at, metrics
software_inventory_summary object (6 keys)
Keys: total_apps, top_apps, eol_software, platforms, apps (+1 more)
sprs_score number
Numeric value present.
tactical_lists object (5 keys)
Keys: top_apps, top_apps_note, top_risky_users, top_risky_signins, top_vulns
teams_inventory_summary object (5 keys)
Keys: total_teams, public_teams, teams_with_guests, teams, is_live
teams_policies object (3 keys)
Keys: total_policies, policies, is_live
teams_summary object (3 keys)
Keys: teams, total_count, is_live
tenant_identity_issues array (0 items)
No items.
tenant_overview object (15 keys)
Keys: total_users, enabled_users, disabled_users, guest_users, member_users (+10 more)
tenant_overview_checklist array (7 items)
7 items; first item shape: object (4 keys)
terms_of_use_summary object (4 keys)
Keys: total, agreements, has_active_tou, is_live
third_party_summary object (4 keys)
Keys: total_apps, high_risk_apps, apps, is_live
threat_hunting object (3 keys)
Keys: queries, summary, is_live
threat_pulse_summary object (7 keys)
Keys: critical, high, medium, total_active, threat_sources (+2 more)
trend_summary object (3 keys)
Keys: has_prior, kpi_deltas, notes
unknowns_register array (1 item)
1 item; first item shape: object (6 keys)
value_model object (5 keys)
Keys: generated_at, hourly_rate_usd, priority_queue, roi_summary, assumptions
vulnerability_data object (11 keys)
Keys: total_vulnerabilities, critical_count, high_count, medium_count, low_count (+6 more)
vulnerability_summary object (12 keys)
Keys: total, critical, high, medium, low (+7 more)