Your tenant's security at a glance. Each card below summarizes one area — identity, threats, licensing, governance — using a simple green / amber / red signal. Skim the page in 30 seconds: green means healthy, amber means worth a look, red means someone should be working on it this week.
Microsoft Secure Score rates your tenant against a checklist of recommended security controls; think of it as a credit score for your Microsoft 365 setup. Higher means fewer easy openings for attackers. The list below shows which recommendations are still open, grouped by area (Identity, Apps, Data…), with the biggest point gains first. A score climbing over time means the team is closing real risks. One caveat: Microsoft adds new recommendations regularly, which raises the maximum achievable points, so track the percentage rather than the raw number when comparing months.
Who can sign in to your company, how they prove it is really them, and who holds admin powers. Accounts without multi-factor authentication are the single biggest risk in any tenant: one phished or reused password and the attacker is in. The admin lists below matter too. Every standing administrator is an account whose compromise does tenant-wide damage, so the fewer there are, the better. Microsoft's own guidance is to keep Global Administrators to between two and four (including an emergency "break-glass" account), to put everyone else on the narrowest role that does their job, and to require MFA for all of them.
The Conditional Access rules that decide who can sign in, from where, and under what conditions, for example "require MFA when signing in from outside the office or from an unmanaged device" or "block sign-ins from countries we don't do business in." This section highlights gaps: common attack patterns that no policy yet blocks, such as legacy authentication protocols (which cannot do MFA at all) still being allowed, or admin sign-ins that are not forced through MFA. Each gap is a door we know how to close.
What Microsoft Defender and Entra ID Protection have actually flagged in your tenant: suspicious sign-ins (atypical travel, anonymous networks, unfamiliar locations), user passwords that have turned up in public credential leaks, malware on company devices. A clean list is the goal. Anything red or recent should be reviewed by whoever owns security incident response, and a leaked-credential alert calls for a password reset and a check of that account's recent activity, not just a look.
How your email is protected against phishing, spoofing, and malicious attachments, and what has been caught recently. Email is the #1 way attackers get into companies, so this section answers two questions: are the standard protections turned on, and are they working? "Turned on" means SPF, DKIM and DMARC records are published for every domain you send from, and Defender for Office 365 protections such as Safe Links and Safe Attachments (or Microsoft's preset security policies) apply to all mailboxes. "Working" means the recent detections below show mail actually being caught and quarantined rather than delivered.
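As an added example (not part of this report and not Microsoft's own logic), here is how the "turned on" half of that question can be reduced to the page's green / amber / red signal from a domain's SPF and DMARC TXT records. The three domains and their records are constructed for the example; in practice you would fetch the TXT records for `example.com` and `_dmarc.example.com` from DNS. The grading thresholds are this example's judgement, not a Microsoft definition.

```python
"""Grade a domain's published SPF and DMARC records into the green / amber /
red signal used on this page. Added example, not the report's own code."""

# Constructed TXT values; in production you would look up `example.com` (SPF) and
# `_dmarc.example.com` (DMARC) in DNS. Embedded here so the example runs offline.
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    },
    "partner.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partner.example",
    },
    "legacy.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 +all",
        "dmarc": None,
    },
}
SEVERITY = {"green": 0, "amber": 1, "red": 2}


def parse_dmarc(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return "red", "no SPF record: any server can claim to send as this domain"
    terminator = record.split()[-1].lower()
    if terminator == "-all":
        return "green", "hard fail (-all) for unlisted senders"
    if terminator == "~all":
        return "amber", "soft fail (~all): spoofed mail is flagged, not rejected"
    # '+all', '?all' or no 'all' mechanism: senders are listed but nothing is enforced
    return "red", f"permissive terminator '{terminator}': SPF is not enforced"


def grade_dmarc(record):
    if not record:
        return "red", "no DMARC record: receivers are never told to reject failures"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "red", "malformed DMARC record"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "green", "p=reject applied to all mail"
    if policy in ("quarantine", "reject"):
        return "amber", f"p={policy} at pct={pct}: enforcement is partial"
    # p=none is monitoring only; without a rua address nobody even sees the reports
    if "rua" in tags:
        return "amber", "p=none: failures are only reported, not acted on"
    return "red", "p=none and no rua: nothing enforced and no reports"


def grade_domain(records):
    """Domain signal is the worse of its SPF and DMARC grades."""
    spf, dmarc = grade_spf(records.get("spf")), grade_dmarc(records.get("dmarc"))
    worst = max(spf[0], dmarc[0], key=SEVERITY.__getitem__)
    return {"signal": worst, "spf": spf, "dmarc": dmarc}


def grade_all(domains=SAMPLE_RECORDS):
    return {name: grade_domain(recs) for name, recs in domains.items()}


if __name__ == "__main__":
    for name, result in grade_all().items():
        print(f"{result['signal'].upper():5} {name}: "
              f"SPF {result['spf'][1]}; DMARC {result['dmarc'][1]}")
```

Note what the grading does not check: SPF's ten-DNS-lookup limit, whether DKIM selectors are actually published, and the `sp=` subdomain policy. Those are the usual reasons a domain that looks green here still gets spoofed.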
Who you're paying Microsoft for, what they're actually using, and where you might be over- or under-licensed. Each user is a recurring cost; this section helps you spot licences that aren't being used (recoverable spend) and users whose role would justify a security upgrade (e.g. adding Entra ID P2, which brings risk-based Conditional Access and Privileged Identity Management, for a high-risk admin who only has E3).
Every app, both your internal tools and third-party services like DocuSign, Slack, or Salesforce, that has been granted permission to read or write data in your tenant. A forgotten app with broad permissions is a quiet backdoor: nobody uses it, nobody is watching it, but anyone who steals its client secret or certificate gets the same access, and application permissions work without any user signing in or passing MFA. This section helps you spot what to retire, and what to cut down to the permissions it actually needs.
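As an added example, not code from the report itself, the check behind that card can be written as a ranking of integrated apps by the permissions they hold and whether anyone has used them recently. The app records below are constructed to resemble Microsoft Graph servicePrincipal objects joined with their granted application permissions and last sign-in; the permission weights, the 90-day dormancy threshold and the reference date are assumptions made for the example.

```python
"""Rank integrated apps by the damage a compromise would do and flag the ones
nobody uses. Added example, not the report's own code."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # assumed reference date
DORMANT_AFTER = timedelta(days=90)                 # assumed "nobody uses it" threshold

# Application (app-only) Graph permissions that reach the whole tenant without a
# signed-in user. The weights are this example's judgement, not a Microsoft list.
PERMISSION_WEIGHT = {
    "Directory.ReadWrite.All": 10,
    "RoleManagement.ReadWrite.Directory": 10,
    "Application.ReadWrite.All": 10,
    "Mail.ReadWrite": 8,
    "Files.ReadWrite.All": 8,
    "Sites.ReadWrite.All": 8,
    "Mail.Send": 6,
    "User.Read.All": 3,
    "Directory.Read.All": 3,
}
BROAD = 8   # at or above this score the app can read or write tenant-wide data

# Constructed records, loosely shaped like Graph servicePrincipal objects joined
# with their granted appRoles and the last service-principal sign-in.
SAMPLE_APPS = [
    {"displayName": "DocuSign", "appRoles": ["User.Read.All"],
     "lastSignIn": "2024-05-30T08:00:00Z"},
    {"displayName": "Old HR sync (2019)",
     "appRoles": ["Directory.ReadWrite.All", "Mail.ReadWrite"],
     "lastSignIn": "2022-11-02T03:14:00Z"},
    {"displayName": "Marketing bulk mailer", "appRoles": ["Mail.Send"],
     "lastSignIn": None},
    {"displayName": "Helpdesk bot", "appRoles": ["Directory.Read.All", "Chat.Read.All"],
     "lastSignIn": "2024-05-28T12:00:00Z"},
]


def assess_app(app, now=NOW):
    """Score = sum of permission weights (permissions not in the table count 1)."""
    score = sum(PERMISSION_WEIGHT.get(p, 1) for p in app["appRoles"])
    last = app.get("lastSignIn")
    dormant = (last is None or
               now - datetime.fromisoformat(last.replace("Z", "+00:00")) > DORMANT_AFTER)
    if score >= BROAD and dormant:
        signal, action = "red", "retire now: broad permissions and no recent use"
    elif score >= BROAD:
        signal, action = "amber", "in use but powerful: confirm an owner, cut to least privilege"
    elif dormant:
        signal, action = "amber", "unused: confirm with owner, then remove"
    else:
        signal, action = "green", "low privilege and active"
    return {"app": app["displayName"], "risk": score, "dormant": dormant,
            "signal": signal, "action": action}


def review_apps(apps=SAMPLE_APPS, now=NOW):
    """Assessments sorted so the card reads biggest risk first, dormant before active."""
    return sorted((assess_app(a, now) for a in apps),
                  key=lambda r: (-r["risk"], not r["dormant"]))


if __name__ == "__main__":
    for r in review_apps():
        print(f"{r['signal'].upper():5} {r['app']} (risk {r['risk']}): {r['action']}")
```

The sort key puts the dormant, broadly permissioned app at the top: that is the one where retiring it costs nothing and removes the most exposure.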
The big-picture hygiene settings: who is allowed to create groups, invite external guests, register new apps, or run automation. Loose defaults here mean any employee can quietly expand the company's attack surface without anyone noticing. Tight defaults keep change deliberate and auditable.
Who's actually using Microsoft 365 day-to-day — last sign-in, mailbox activity, file usage. Two uses: licensing decisions (a paid account nobody logs into is waste), and risk (a long-dormant account, especially an admin one, is a door left unlocked).
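The Identity card above and this Activity card rely on the same user data, so here is one added example (not the report's own code) that computes both: administrators without MFA, dormant administrators, a Global Administrator count outside the recommended band, and licensed users who have gone quiet. The user records are constructed to resemble Graph user objects with signInActivity joined with MFA registration details and role membership; the 90-day threshold and the reference date are assumptions of the example, and the two-to-four band follows the Secure Score recommendation.

```python
"""Identity and activity signals for a tenant: admins without MFA, Global
Administrator count, and dormant accounts. Added example, not the report's code."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # assumed reference date
DORMANT_AFTER = timedelta(days=90)                 # assumed dormancy threshold
GLOBAL_ADMIN_BAND = (2, 4)                         # Secure Score recommendation

# Constructed records, loosely shaped like Graph /users (signInActivity) joined
# with /reports/authenticationMethods/userRegistrationDetails and role members.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "roles": ["Global Administrator"],
     "isMfaRegistered": True, "lastSignIn": "2024-05-31T09:00:00Z", "licensed": True},
    {"upn": "bob@example.com", "roles": ["Global Administrator"],
     "isMfaRegistered": False, "lastSignIn": "2024-05-30T16:00:00Z", "licensed": True},
    {"upn": "svc-backup@example.com", "roles": ["Exchange Administrator"],
     "isMfaRegistered": False, "lastSignIn": "2023-09-01T02:00:00Z", "licensed": True},
    {"upn": "carol@example.com", "roles": [],
     "isMfaRegistered": True, "lastSignIn": "2024-01-10T08:00:00Z", "licensed": True},
    {"upn": "dave@example.com", "roles": [],
     "isMfaRegistered": True, "lastSignIn": None, "licensed": False},
]
SEVERITY = {"green": 0, "amber": 1, "red": 2}


def is_dormant(user, now=NOW):
    """No sign-in ever, or none within the threshold, counts as dormant."""
    if not user["lastSignIn"]:
        return True
    last = datetime.fromisoformat(user["lastSignIn"].replace("Z", "+00:00"))
    return now - last > DORMANT_AFTER


def identity_findings(users=SAMPLE_USERS, now=NOW):
    """Return (signal, check, who) tuples, one per problem found."""
    findings = []
    for u in (u for u in users if u["roles"]):
        if not u["isMfaRegistered"]:
            findings.append(("red", "admin without MFA", u["upn"]))
        if is_dormant(u, now):
            findings.append(("red", "dormant admin account", u["upn"]))
    global_admins = [u["upn"] for u in users if "Global Administrator" in u["roles"]]
    lo, hi = GLOBAL_ADMIN_BAND
    if len(global_admins) > hi:
        findings.append(("amber", f"more than {hi} Global Administrators", ", ".join(global_admins)))
    elif len(global_admins) < lo:
        findings.append(("amber", f"fewer than {lo} Global Administrators (no break-glass)",
                         ", ".join(global_admins) or "none"))
    for u in (u for u in users if not u["roles"]):      # admins handled above
        if not u["isMfaRegistered"]:
            findings.append(("amber", "user without MFA", u["upn"]))
        if u["licensed"] and is_dormant(u, now):
            findings.append(("amber", "licensed but dormant (recoverable spend)", u["upn"]))
    return findings


def tenant_signal(users=SAMPLE_USERS, now=NOW):
    """Card colour is the worst finding; green when nothing was found."""
    findings = identity_findings(users, now)
    if not findings:
        return "green"
    return max((f[0] for f in findings), key=SEVERITY.__getitem__)


if __name__ == "__main__":
    print("Identity card:", tenant_signal().upper())
    for signal, check, who in identity_findings():
        print(f"  {signal.upper():5} {check}: {who}")
```

Dormancy of a non-admin account is an amber licensing finding; the same dormancy on an admin account is red, because the unused account keeps its privileges while nobody is around to notice it being used.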