AroraMSP · MICROSOFT 365 CONSULTING
Contoso Ltd
2026-05-09
// microsoft 365 security audit · v1.0 · sample

Tenant audit report.

Read-only baseline audit of identity, email security, endpoint, and licensing posture for the Contoso Ltd tenant. Findings below are grouped by category, with status, detail, and recommendation per check.

Summary: 23 total checks · 10 PASS · 10 WARNING · 3 FAIL
01  Identity & Access

PASS  Legacy authentication blocked via CA
2 enabled Conditional Access policies block legacy authentication.

WARNING  Global Administrator count
5 Global Administrators.
Recommendation: Reduce to 2-4. Use PIM and lower-privilege roles for daily admin work.

PASS  Break-glass accounts excluded from CA
2 excluded principals found across broad CA policies.

PASS  Tenant-wide MFA Conditional Access policy
1 policy requires MFA for all users on all cloud apps.

WARNING  Self-service password reset (SSPR) enabled
SSPR enablement scope is not directly exposed via Microsoft Graph; manual verification required.
Recommendation: Verify in the Entra admin center: Protection > Password reset > Properties (Self service password reset enabled = All).

02  Email Security

WARNING  DMARC: contoso.com
Policy: p=quarantine
Recommendation: Move to p=reject after monitoring rua aggregate reports for 30+ days.

FAIL  DMARC: contoso.co.uk
No DMARC TXT record found.
Recommendation: Publish: v=DMARC1; p=quarantine; rua=mailto:[email protected]

PASS  SPF: contoso.com
SPF -all (hard fail).

WARNING  SPF: contoso.co.uk
SPF ~all (soft fail).
Recommendation: Tighten to -all once all sending sources are confirmed in the SPF record.

PASS  DKIM: contoso.com
DKIM signing enabled on default selectors.

FAIL  DKIM: contoso.co.uk
DKIM signing disabled.
Recommendation: Publish the selector CNAMEs and enable signing: Set-DkimSigningConfig -Identity 'contoso.co.uk' -Enabled $true

PASS  External auto-forwarding blocked
The default remote domain blocks auto-forwarding, and the outbound spam policy has AutoForwardingMode set to Off.

PASS  Mailbox audit logging (tenant)
Tenant-level mailbox auditing enabled (default since 2019).

PASS  Shared mailboxes: sign-in disabled
All 2 shared mailboxes have sign-in disabled.

03  Licensing

WARNING  Shared mailboxes: no paid licences
1 shared mailbox carries a licence: [email protected]
Recommendation: Shared mailboxes under 50 GB do not require a licence. Reclaim it unless archive or litigation hold requires Exchange Online Plan 2.

WARNING  Unassigned licences
Microsoft 365 E5: 12 of 50 unassigned; Microsoft Entra ID P2: 8 of 50 unassigned; Microsoft Intune Plan 1: 3 of 25 unassigned.
Recommendation: Reclaim or downsize unused licences at the next renewal cycle.

WARNING  Inactive licensed users (90 days)
5 licensed users with no sign-in in the last 90 days.
Recommendation: Review and reclaim licences. Disable accounts where the user has left.

04  Endpoint

PASS  Intune compliance policies deployed
4 compliance policies deployed.

PASS  App protection policies deployed
3 MAM policies deployed (iOS: 2, Android: 1).

05  App Registrations

WARNING  App registration certificates expired or expiring
1 certificate expires within 30 days: Backup Service / Backup-cert-2024 / expires 2026-05-25
Recommendation: Rotate before expiry. Old and new certificates can coexist on the registration during the transition.

FAIL  App registration client secrets expired or expiring
2 expired secrets: Legacy Sync App / expired 2026-04-02; Old API Client / expired 2026-03-15
Recommendation: Rotate expired secrets immediately. Prefer migrating to certificate-based credentials where the host can hold a non-exportable private key.

WARNING  High-privilege Graph application permissions
2 apps hold high-privilege Graph application permissions: Lifecycle Workflows: User.ReadWrite.All; Audit Bot: Directory.ReadWrite.All
Recommendation: Review whether each high-privilege permission is still required. Replace with narrower scopes or migrate to delegated flows where possible.

WARNING  App registrations with owners
3 apps without owners: Backup Service, Legacy Sync App, Old API Client
Recommendation: Assign at least one owner per app registration so that a named person is accountable for credential rotation and lifecycle.