Sample assessmentRepresentative output, fully anonymized (fictional “Northwind Traders”). Your report covers your own tenant.Get your assessment →
Bastion AI

Microsoft 365 Security Assessment

Northwind Traders sample · March 14, 2025 · scan #27

74%
Secure Score

Executive summary

Privileged access
7 standing Global Admins
2 privileged without MFA
4 risky users
8
Total findings
1
Critical
9
High
12
Medium
14
Low
Top priorities
  1. 1.High7 standing Global Administrators (recommend 2–4 permanent; make the rest PIM-eligible)
  2. 2.Critical118 critical + 742 high software vulnerabilities across managed devices
  3. 3.HighSuccessful legacy-auth sign-ins seen: Authenticated SMTP
  4. 4.HighApp "Northwind Backup Connector" holds tenant-wide write permissions
  5. 5.MediumMFA registered for only 78% of users (243/312) — registration, not enforcement

Highest-exposure items: 73 of 184 devices without EDR, 31 unmanaged (Defender-only), 7 standing Global Admins, 1 Critical finding. The unmanaged / no-EDR gaps are surfaced only by correlating Entra, Intune, and Defender into one inventory — no single Microsoft console shows them.

Not assessed: Identity Protection risky sign-ins (P2 license not detected). The absence of findings for an unassessed area does not imply it is secure.

Posture by area

AreaHighMediumLowTotal
Privileged roles11
Defender for Endpoint11
Sign-in logs11
App registrations11
MFA11
Intune11
Defender for O36511
Identity11

Sample findings (8)

Remediation commands are display-only — nothing is applied automatically. EachTenant-exactcommand is pre-filled with your real object IDs; AI-suggested items must be verified first. (A full assessment lists every finding; this sample shows 8.)

HighPrivileged rolesexploitability 8/10

7 standing Global Administrators (recommend 2–4 permanent; make the rest PIM-eligible)

ROLE-GA-MANY · 4 entities · first detected 3mo ago

Every standing Global Administrator is a full-tenant compromise if its credentials are phished. Microsoft recommends 2–4 permanent break-glass admins and Privileged Identity Management (just-in-time elevation) for the rest, shrinking the always-on attack surface.

RemediationTenant-exact
# 7 standing Global Administrators. Nothing is auto-applied — review EACH line below.
# ⚠ Do NOT remove your emergency-access ("break-glass") accounts. Confirm every removal first.
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId 4f1a9c20-... # j.harper@northwind.example
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId 8b3d77e1-... # it.contractor@northwind.example
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId d92f1ab4-... # legacy-sync@northwind.example

Rollback: Add-MgDirectoryRoleMemberByRef -DirectoryRoleId 62e90394-69f5-4237-9190-012177145e10 -DirectoryObjectId <UserObjectId>

Maps to: CIS M365 1.1.3

Affected (4)
At riskj.harper@northwind.exampleidentity
At riska.okafor@northwind.exampleidentity
At riskit.contractor@northwind.exampleidentity
At risklegacy-sync@northwind.exampleidentity
CriticalDefender for Endpointexploitability 9/10

118 critical + 742 high software vulnerabilities across managed devices

MDE-CVE · 3 entities · first detected 12d ago

Defender Vulnerability Management surfaced exploitable CVEs on internet-facing and email-handling software. The top items are weaponized and used in real intrusions — patching them removes the highest-likelihood initial-access paths.

RemediationAI-suggested — verify before running
Deploy the missing security updates via Intune / WSUS, prioritizing the CVEs below by exposed-device count. Reboot to complete servicing-stack updates.
  • [Critical] CVE-2024-21413 · 41 devices
  • [Critical] CVE-2023-23397 · 38 devices
  • [High] CVE-2024-30103 · 33 devices
  • [High] CVE-2023-36884 · 27 devices
  • [High] CVE-2024-38021 · 22 devices

Maps to: Defender Vulnerability Management

Affected (3)
At riskFIN-WS-014device· Exposure: High · 11 CVEs
At riskENG-LT-203device· Exposure: High · 9 CVEs
At riskEXEC-LT-002device· Exposure: Medium · 7 CVEs
HighSign-in logsexploitability 7/10

Successful legacy-auth sign-ins seen: Authenticated SMTP

LEGACY-AUTH · 2 entities · first detected 2mo ago

Legacy authentication protocols bypass Conditional Access and MFA. Successful sign-ins over Authenticated SMTP mean an attacker with a stolen password can log in without ever facing MFA — the most common foothold in M365 account takeover.

RemediationTenant-exact
# Block legacy authentication tenant-wide via a Conditional Access policy (report-only first).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
  displayName = "Block legacy authentication"; state = "enabledForReportingButNotEnforced"
  conditions = @{ clientAppTypes = @("exchangeActiveSync","other") ; users = @{ includeUsers = @("All") } }
  grantControls = @{ operator = "OR"; builtInControls = @("block") } }

Rollback: Set the policy state to 'disabled' in Entra → Security → Conditional Access.

Block in report-only mode first to catch service accounts before enforcing.

Authenticated SMTP: 14 · IMAP4: 3

Maps to: CIS M365 1.1 / Entra

Affected (2)
At riskscanner-svc@northwind.exampleidentity· Authenticated SMTP
At riskk.devlin@northwind.exampleidentity· Authenticated SMTP, IMAP4
HighApp registrationsexploitability 8/10

App "Northwind Backup Connector" holds tenant-wide write permissions

APP-PRIV · 1 entity · first detected 4mo ago

This service principal was granted Directory.ReadWrite.All — it can modify any user, group, or role in the tenant. A compromised secret on this app is equivalent to Global Admin. Least-privilege the grant down to only what the integration needs.

RemediationTenant-exact
Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId 7c2e9f3a-… -AppRoleAssignmentId q1W2e3R4-…  # Directory.ReadWrite.All

Granted permissions: Directory.ReadWrite.All, Group.ReadWrite.All

Maps to: CIS M365 / least privilege

Affected (1)
At riskNorthwind Backup Connectorapplication
MediumMFA

MFA registered for only 78% of users (243/312) — registration, not enforcement

MFA-COVER · first detected 2mo ago

Roughly one in five accounts has no MFA method registered, so a stolen password is all an attacker needs. Note this measures registration — enforcement is governed by your Conditional Access policies, reviewed separately.

RemediationAI-suggested — verify before running
Target the 69 unregistered users with an Authentication Methods registration campaign (Entra → Authentication methods → Registration campaign), then enforce via Conditional Access.

registration ≠ enforcement; see Conditional Access findings

Maps to: CIS M365 1.1

HighIntuneexploitability 6/10

3 of 141 managed devices have no disk encryption

INTUNE-ENCRYPT · 3 entities · first detected 1mo ago

An unencrypted laptop is a full data breach the moment it's lost or stolen — disk contents are readable without the user's password. BitLocker/FileVault closes this for data-at-rest.

RemediationAI-suggested — verify before running
Assign a Disk encryption policy (Intune → Endpoint security → Disk encryption) targeting these devices; confirm a TPM is present and the recovery key escrows to Entra.

Maps to: CIS M365 / Intune

Affected (3)
At riskSALES-LT-118device· Not encrypted
At riskWS-OPS-040device· Not encrypted
At riskEXEC-LT-002device· Not encrypted
MediumDefender for O365

2 domains send email without DKIM signing

MDO-DKIM · 2 domains · first detected 6mo ago

Without DKIM, recipients can't cryptographically verify your mail wasn't forged — raising spoofing/phishing risk against your brand and weakening DMARC enforcement.

RemediationTenant-exact
Set-DkimSigningConfig -Identity northwind.example -Enabled $true
Set-DkimSigningConfig -Identity mail.northwind-traders.example -Enabled $true

Maps to: Defender for O365 / DMARC

Affected domains: northwind.example, mail.northwind-traders.example
LowIdentity

9 guest accounts present — review external access

GUEST-INV · first detected 7mo ago

Guest accounts are valid identities in your tenant. Stale or over-permissioned guests are a quiet lateral-movement path; review access quarterly and remove the unused.

RemediationAI-suggested — verify before running
Run an Entra access review (Identity Governance → Access reviews) over all guests; remove those with no sign-in in 90 days.

Maps to: CIS M365 / Identity

This is a sample. Your assessment covers your tenant.

Read-only across 12+ Microsoft 365 / Entra security domains, BYOK, delivered as this report plus an authenticated console — with the exact, human-approved fix for every finding.

Get your Discovery Assessment
Bastion AI · Sample assessment · All names, devices, domains, and IDs are fictional. CVE identifiers are real public references.