Security assessment

A security assessment of your M365 tenant. In minutes.

Not a six-week consulting engagement - a read-only scan that grades your tenant on the misconfigurations attackers actually use: MFA gaps, Conditional Access drift, legacy auth, over-privileged apps, and stale admins. Prioritized, explained, and mapped to CIS/NIST.

Read-only Graph access · graded findings in minutes · CIS / NIST mapping on Pro

What the assessment covers

The four places tenant security quietly erodes.

Conditional Access drift

Policies stuck in report-only, risky exclusions that outlived their reason, and coverage gaps between policies that each looked fine alone.

MFA & identity gaps

Users - and worse, admins - without MFA, plus guest accounts nobody remembers inviting and stale privileged role assignments.

Legacy authentication

Protocols that bypass MFA entirely, still enabled because something might break. The single most common gap in real-world tenant breaches.

Over-privileged applications

App registrations with tenant-wide write permissions that no one has reviewed since the integration shipped.

Already watching Microsoft Secure Score? See how Tenant Hawk compares - and what Secure Score doesn't tell you.

Frequently asked questions

What does the assessment check?

Conditional Access coverage and risky exclusions (including policies stuck in report-only), users and admins without MFA, legacy authentication still enabled, over-privileged app registrations, stale admin role assignments, and guest accounts that should be gone. Each finding is graded by severity with concrete remediation steps.

How is this different from hiring a consultant for an assessment?

A consulting engagement produces a similar findings list in two to six weeks for thousands of dollars - accurate for the day it was written. Tenant Hawk produces the graded findings list in minutes and re-runs it daily, so the assessment never goes stale. Many consultants use tooling like this to do the engagement anyway.

How is this different from Microsoft Secure Score?

Secure Score is a useful number but it mixes products you don't own, rewards enabling Microsoft upsells, and doesn't cover cost or expiry risk. Tenant Hawk focuses on the misconfigurations that actually get tenants breached, adds dollar impact, and explains each fix in plain language. See the full comparison on our compare page.

Is it safe to run against production?

Yes - the scan is read-only end to end. It uses app-only Microsoft Graph permissions granted through standard admin consent, with no agents, no writes, and no stored credentials. You can revoke access at any time from Entra.

Can I show the results to leadership or an auditor?

Pro includes an executive report with category grades and trends, shareable as a read-only link or exported to PDF - plus CIS Controls and NIST SP 800-53 mapping so findings translate directly into compliance language.

Know your gaps before someone else does.

Connect read-only and get a graded, prioritized security assessment of your tenant today - then watch it stay current with daily scans.
