
Microsoft 365 Security Assessment: The Complete Guide for 2026

A Microsoft 365 security assessment measures your tenant against the CIS Benchmark's 129 controls — what it covers, how to run one, and how to automate it.

Published 17 June 2026

A Microsoft 365 security assessment is a structured evaluation of how your tenant is actually configured — measured against a recognised security baseline rather than gut feel or a vendor's default settings. Done properly, it tells you precisely which settings across identity, email, data, and collaboration are leaving you exposed, ranks them by severity, and gives you a concrete order in which to fix them.

This guide explains what a Microsoft 365 security assessment covers, how a manual assessment differs from an automated one, what a useful assessment should deliver, and how to run one against your own tenant — including the part you can do for free.

What Is a Microsoft 365 Security Assessment?

A Microsoft 365 security assessment is not a scan of one product or a glance at your Microsoft Secure Score. It is a tenant-wide review of every configuration surface that affects your security posture, scored against an external baseline so the result is objective and repeatable.

The most widely referenced baseline for this work is the CIS Microsoft 365 Foundations Benchmark v5.0.0, which defines 129 controls across 9 sections of a Microsoft 365 environment. Each control is a specific, testable configuration — "two emergency access accounts must be defined", "Safe Links must rewrite URLs at click time", "external calendar sharing must be disabled" — and the benchmark provides both Level 1 (safe, minimal-impact) and Level 2 (stricter, security-focused) profiles.

It helps to separate two terms that are often used interchangeably:

  • A security assessment evaluates the current state of your tenant against that baseline and produces prioritised findings — where you stand and what to fix first.
  • A security audit is the formal procedure of working through each control and recording the result. If you want the step-by-step procedure, see our Microsoft 365 security audit guide.

In practice the two overlap heavily. The assessment is the why and the what; the audit is the how. This guide focuses on the assessment.

What a Microsoft 365 Security Assessment Covers

A complete assessment checks all 129 controls, organised into the benchmark's 9 sections:

  1. Microsoft 365 admin center — 14 controls covering administrative accounts, Microsoft 365 Groups, and tenant-wide policies. See the deep dive on all 14 Section 1 controls.
  2. Microsoft Defender / Defender for Office 365 — 19 controls covering Safe Links, Safe Attachments, threat policies, and priority-account protection. See what Section 2 checks.
  3. Microsoft Purview — 4 controls covering audit log search, Data Loss Prevention, and Information Protection.
  4. Microsoft Intune — 2 controls covering device compliance policies and enrollment restrictions.
  5. Microsoft Entra (Identity) — 37 controls covering MFA, Conditional Access, password protection, authentication methods, and Privileged Identity Management. This is the largest section by far, because identity is the most exploited attack surface.
  6. Microsoft Exchange Online — 11 controls covering mailbox auditing, mail flow, anti-phishing, and modern authentication.
  7. Microsoft SharePoint Online & OneDrive — 15 controls covering external sharing defaults and site settings.
  8. Microsoft Teams — 16 controls covering external access, file sharing, meetings, and messaging policies.
  9. Microsoft Fabric / Power BI — 11 controls covering tenant settings.

Most teams find the highest-severity findings concentrated in Microsoft Entra (37 controls) and Microsoft Defender (19 controls) — identity gaps such as Conditional Access exclusions that quietly exempt admins from MFA, and email-security policies left at permissive defaults.
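To make concrete what "evaluating a control programmatically" looks like, here is an added example that is not ConfigCobra's code or the benchmark's own logic. It evaluates two identity controls of the kind the article describes (an enforced MFA policy that quietly exempts a privileged role, and the "two emergency access accounts" control) against tenant data constructed to mirror the JSON shape of the Microsoft Graph endpoints /identity/conditionalAccess/policies and /users. The control wording, severity labels, the "breakglass" naming convention and the sample object id are assumptions; the Global Administrator role template id is the well-known Entra value.

```python
"""Evaluate two identity controls against Graph-shaped tenant data.

Added example, not ConfigCobra's code. The tenant data is constructed to
mirror Microsoft Graph responses; control names, severities and the
break-glass naming convention are assumptions for illustration.
"""
from typing import Any

# Well-known Entra role template id for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Graph delegated scopes an assessment should need: read-only, nothing more.
ASSESSMENT_SCOPES = ["Policy.Read.All", "User.Read.All", "Directory.Read.All"]

# Constructed sample: two Conditional Access policies in Graph's JSON shape.
SAMPLE_CA_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"],
            "excludeUsers": ["11111111-1111-1111-1111-111111111111"],  # constructed object id
            "excludeRoles": [GLOBAL_ADMIN_TEMPLATE_ID],  # the quiet admin exemption
        }},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabledForReportingButNotEnforced",  # report-only, so not enforced
        "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                                 "includeRoles": [GLOBAL_ADMIN_TEMPLATE_ID],
                                 "excludeRoles": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Constructed sample: only one account follows the assumed "breakglass"
# UPN prefix used here to identify emergency-access accounts.
SAMPLE_USERS = [
    {"userPrincipalName": "breakglass1@contoso.example", "accountEnabled": True},
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True},
]


def finding(control, status, severity, value, scope):
    """One finding: status, severity, the evaluated value and the affected scope."""
    return {"control": control, "status": status, "severity": severity,
            "value": value, "scope": list(scope)}


def non_read_only_scopes(scopes):
    """Return requested Graph scopes whose operation segment is not a Read variant.

    Graph scopes follow Resource.Operation[.Constraint]; anything whose
    operation is not Read/ReadBasic (e.g. ReadWrite) is flagged."""
    flagged = []
    for s in scopes:
        parts = s.split(".")
        read_only = len(parts) >= 2 and parts[1].startswith("Read") and "Write" not in parts[1]
        if not read_only:
            flagged.append(s)
    return flagged


def check_mfa_admin_exclusions(policies):
    """Assumed control wording: an enforced MFA policy must not exempt privileged roles.

    Report-only policies are ignored. Any enforced MFA policy that excludes a
    role yields 'partial', the case the article says a human should confirm."""
    control = "MFA required for all users without privileged-role exclusions"
    enforced = [p for p in policies
                if p.get("state") == "enabled"
                and "mfa" in p.get("grantControls", {}).get("builtInControls", [])]
    if not enforced:
        return finding(control, "fail", "high", "no enforced MFA policy", [])
    excluded_roles = sorted({r for p in enforced
                             for r in p["conditions"]["users"].get("excludeRoles", [])})
    if excluded_roles:
        return finding(control, "partial", "high",
                       f"{len(enforced)} enforced MFA policy(ies), roles excluded", excluded_roles)
    return finding(control, "pass", "high", f"{len(enforced)} enforced MFA policy(ies)", [])


def check_emergency_access_accounts(users, minimum=2):
    """Control from the article: two emergency access accounts must be defined."""
    control = "Emergency access accounts defined"
    breakglass = [u["userPrincipalName"] for u in users
                  if u.get("accountEnabled")
                  and u["userPrincipalName"].lower().startswith("breakglass")]
    status = "pass" if len(breakglass) >= minimum else "fail"
    return finding(control, status, "high", f"{len(breakglass)} account(s) found", breakglass)


def run_assessment(policies, users):
    """Evaluate both controls and return the findings, failures first."""
    order = {"fail": 0, "partial": 1, "pass": 2}
    results = [check_mfa_admin_exclusions(policies), check_emergency_access_accounts(users)]
    return sorted(results, key=lambda f: order[f["status"]])


if __name__ == "__main__":
    for f in run_assessment(SAMPLE_CA_POLICIES, SAMPLE_USERS):
        print(f"[{f['status']:7}] {f['severity']:<5} {f['control']}: {f['value']} {f['scope']}")
```

Against the constructed data the MFA control comes back `partial` with the Global Administrator template id as its scope, and the emergency-access control fails because only one break-glass account exists; the report-only admin policy is deliberately ignored, since a policy that is not enforced protects nobody. The scope check is the same idea applied to step one of the procedure: an assessment app whose granted permissions include any write scope is asking for more than it needs.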

Manual vs. Automated Assessment

You can run an assessment either way. The difference is mostly cost, speed, and how long the result stays accurate.

Manual assessment. An experienced engineer works through each control by hand across nine separate admin portals — Microsoft 365 admin center, Entra, Defender, Purview, Intune, Exchange, SharePoint, Teams, and the Fabric admin portal. Each has its own interface, role requirements, and export format. For all 129 controls this typically takes two to three full working days, and the result is a point-in-time snapshot that begins drifting the moment someone adds a Conditional Access exception or loosens a sharing setting.

Automated assessment. A tool connects to your tenant through the Microsoft Graph API and evaluates the same controls programmatically. The advantages are speed (minutes, not days), repeatability (run it again next week and compare), and consistency (the same logic every time, with no controls skipped because the engineer ran out of hours). The trade-off is that a small number of controls still need a human to confirm intent — for example, whether a Public group is meant to be public.

For an occasional one-off review, manual works. For an ongoing posture you can actually trust between reviews, automation is the only practical option — because the real risk is not the gap you find on assessment day, it is the gap that appears two weeks later and goes unnoticed until the next manual review.

What a Good Assessment Delivers

A useful assessment produces more than a pass/fail percentage. For every control it should give you:

  • A clear status — pass, fail, or partial — for all 129 controls, with severity tagged from the benchmark itself so you know what to fix first.
  • The actual configuration value that was evaluated, and the affected scope — which users, policies, or settings triggered the finding.
  • A remediation path — the CIS remediation procedure, ideally as a copy-paste PowerShell script or admin-portal steps pre-filled for your tenant, so fixing a finding does not require a research project of its own.
  • Audit-ready evidence — a CIS-certified PDF report with a timestamped tenant snapshot you can hand to an auditor, a client, or your own board.

If a finding arrives without a clear severity, the affected scope, and a remediation step, it is noise. The point of an assessment is to turn "your tenant has problems" into "fix these five things, in this order, with these scripts."

How to Run a Microsoft 365 Security Assessment

At a high level, every assessment follows the same arc:

  1. Connect to the tenant with read-only access — you should never have to share an admin password or install an agent to assess configuration.
  2. Evaluate the 129 controls across all 9 sections, starting with identity (Section 5) and email security (Section 2), where the most consequential misconfigurations live.
  3. Triage the findings by severity and blast radius. An excluded Global Administrator outranks a permissive Fabric setting every time.
  4. Remediate using the per-finding scripts or portal steps, working top-down by severity.
  5. Re-assess to confirm the fixes landed and nothing regressed.

For the detailed, control-by-control procedure, follow the step-by-step Microsoft 365 security audit guide. If you would rather see real results against your own tenant before committing to anything, you can run a free assessment that covers 15 of the 129 controls immediately.

How Often Should You Run One?

Once is not enough. Identity settings get loosened for a migration, a vendor, or a "temporary" exception and quietly never tightened again — and threats like device-code phishing specifically target tenants running at permissive defaults.

A point-in-time assessment is a photograph; what you actually need is a live feed. That means continuous scanning on a daily, weekly, or monthly cadence, with drift detection that alerts you the moment a control regresses — so the gap is caught when it appears, not at the next quarterly review. The frequency that matters is not "how often do we audit" but "how quickly do we find out when something changes."

Run Your Microsoft 365 Security Assessment with ConfigCobra

ConfigCobra automates the entire assessment. It connects to your tenant using read-only Microsoft Graph permissions — no agents, no scripts running in your environment, no admin passwords shared — and runs the full CIS Microsoft 365 Foundations Benchmark v5.0.0 assessment, all 129 controls across all 9 sections, in 20–25 minutes.

For every finding you get a pass/fail/partial status, the actual configuration value that was evaluated, the CIS remediation procedure, and a generated PowerShell script where applicable — plus a CIS-certified PDF report with a timestamped tenant snapshot for your audit file. After the initial assessment, continuous monitoring runs on the cadence you set and alerts you the moment a control regresses.

It is built for teams running more than one tenant, too: assess subsidiaries or client tenants from a single workspace, and invite a read-only auditor seat for clients or external auditors. For teams using AI assistants, the ConfigCobra MCP server lets you query your live posture data in plain language — "which of my admin accounts are excluded from Conditional Access?" — answered from your actual scan data rather than a static report.

Book a demo to see ConfigCobra run the complete 129-control assessment against your own tenant, or explore exactly what the CIS Microsoft 365 Foundations Benchmark covers, section by section.

Frequently Asked Questions

What is the difference between a Microsoft 365 security audit and an assessment?

They overlap heavily. An assessment evaluates your tenant against a baseline and prioritises what to fix; an audit is the formal procedure of checking and recording each control. The Microsoft 365 security audit guide walks through that procedure control by control.

How long does a Microsoft 365 security assessment take?

By hand, a full 129-control assessment across nine admin portals takes two to three working days. Automated with ConfigCobra, it takes 20–25 minutes on read-only permissions.

Is a security assessment safe to run against a production tenant?

Yes, when it uses read-only access. ConfigCobra reads configuration through read-only Microsoft Graph permissions and never changes a setting, installs an agent, or requires an admin password — it evaluates, it does not modify.

Can I assess my tenant for free?

Yes. You can run a free assessment covering 15 of the 129 controls — including identity — to see real findings against your own tenant before deciding whether to assess the full benchmark.
