Microsoft 365 Security Assessment
Microsoft 365 is the most targeted SaaS platform in the world. Our CREST-accredited testers assess Entra ID Conditional Access policies, Exchange Online mail flow rules, SharePoint sharing configurations, Teams guest access controls, and Intune compliance policies to identify the misconfigurations that allow business email compromise, data exfiltration, and lateral movement across your M365 tenant.
M365 Security Assessment Coverage
We review every layer of your Microsoft 365 tenant: identity, mail, collaboration, endpoint, and information protection, identifying the exploitable chains that Secure Score cannot surface.
Entra ID and Conditional Access
We test every Conditional Access policy gap an attacker can exploit. Coverage includes legacy authentication bypass via IMAP, POP3, and SMTP, MFA policy gaps across user populations, PIM just-in-time role activation controls, B2B and B2C guest trust boundaries, and risky sign-in policy effectiveness. We enumerate every bypass path that allows a credential-only attack to succeed against accounts that should be MFA-protected.
Exchange Online Security
Mail flow rule misconfigurations are the leading enabler of business email compromise. We review SendAs and Full Access delegated mailbox permissions, auto-forwarding rules exfiltrating email externally, OAuth app consent grants with mail read/write scopes, and EOP and Defender for Office 365 anti-spoofing configuration.
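One way to automate the auto-forwarding part of that review, as an added example that is not the page's or Precursor's own tooling: it assumes mailbox and inbox-rule records were exported beforehand from Exchange Online PowerShell (Get-Mailbox and Get-InboxRule) as JSON using those cmdlets' property names, and that the tenant's accepted domains are known from Get-AcceptedDomain. Every record and domain below is constructed for illustration.

```python
"""Flag mailbox settings and inbox rules that forward mail outside the tenant.

Input mirrors the property names Exchange Online exposes: ForwardingSmtpAddress
and DeliverToMailboxAndForward on mailboxes; ForwardTo, ForwardAsAttachmentTo,
RedirectTo, DeleteMessage and MoveToFolder on inbox rules.  All sample records
and domains are constructed, not taken from any real tenant.
"""
import re

ACCEPTED_DOMAINS = {"example.com", "example.co.uk"}  # constructed tenant domains

# Exchange renders recipients as "Display Name [SMTP:user@domain]" or "smtp:user@domain".
ADDRESS_RE = re.compile(r"(?i)(?:smtp:)?([A-Z0-9._%+-]+@([A-Z0-9.-]+\.[A-Z]{2,}))")


def external_addresses(values, accepted_domains=ACCEPTED_DOMAINS):
    """Return every address in `values` whose domain is not an accepted domain."""
    found = []
    for value in values or []:
        for address, domain in ADDRESS_RE.findall(value or ""):
            if domain.lower() not in accepted_domains:
                found.append(address.lower())
    return found


def find_external_forwarding(mailboxes, inbox_rules, accepted_domains=ACCEPTED_DOMAINS):
    """Return one finding per mailbox setting or enabled rule that forwards externally."""
    findings = []
    for mb in mailboxes:
        targets = external_addresses([mb.get("ForwardingSmtpAddress")], accepted_domains)
        if targets:
            findings.append({
                "mailbox": mb["PrimarySmtpAddress"],
                "source": "mailbox-setting",
                "targets": targets,
                # True means the owner still sees mail, so the forward is less likely to be noticed.
                "keepsCopy": bool(mb.get("DeliverToMailboxAndForward")),
            })
    for rule in inbox_rules:
        if not rule.get("Enabled", True):
            continue
        targets = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets += external_addresses(rule.get(key), accepted_domains)
        if targets:
            findings.append({
                "mailbox": rule["MailboxOwnerId"],
                "source": f"inbox-rule:{rule['Name']}",
                "targets": targets,
                # Rules that also delete or move the message hide the forward from the user.
                "hidden": bool(rule.get("DeleteMessage")) or bool(rule.get("MoveToFolder")),
            })
    return findings


# Constructed sample export.
SAMPLE_MAILBOXES = [
    {"PrimarySmtpAddress": "alice@example.com",
     "ForwardingSmtpAddress": "smtp:alice.backup@webmail-provider.invalid",
     "DeliverToMailboxAndForward": True},
    {"PrimarySmtpAddress": "bob@example.com",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
]
SAMPLE_RULES = [
    # A one-character rule name with delete is a classic low-visibility forward.
    {"MailboxOwnerId": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["Finance Archive [SMTP:archive@finance-archive.invalid]"],
     "DeleteMessage": True, "MoveToFolder": None},
    {"MailboxOwnerId": "carol@example.com", "Name": "To helpdesk", "Enabled": True,
     "RedirectTo": ["helpdesk@example.co.uk"], "DeleteMessage": False},
    {"MailboxOwnerId": "dave@example.com", "Name": "old", "Enabled": False,
     "ForwardTo": ["someone@external.invalid"]},
]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_MAILBOXES, SAMPLE_RULES):
        print(finding)
```

Internal redirects and disabled rules are deliberately not reported, so the output is the short list an assessor actually needs to walk through with the mailbox owners.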
SharePoint and OneDrive
Oversharing is the default posture for most M365 tenants. We assess organisation-wide sharing policies, the prevalence of anonymous sharing links, external domain access controls, site-level permission inheritance breaks, and sensitivity label application to understand how much data is accessible to guest users and unauthenticated external parties.
Teams Security
Teams is increasingly used as an initial access vector via phishing and external federation abuse. We review guest access policies, external federation allow-lists, channel permissions, third-party app permissions within Teams, meeting recording compliance policies, and whether external participants can exfiltrate meeting content or access internal channels beyond their intended scope.
Intune and Endpoint Management
Intune compliance policies gate device access to M365 resources, but only if configured correctly. We assess device compliance policy logic, enrollment restriction gaps, Conditional Access integration for device compliance, app protection policies for unmanaged devices, and conditional launch controls that determine whether a non-compliant device can access corporate data from a personal handset.
Microsoft Purview and AIP
DLP policies only protect data they can classify. We review DLP policy coverage and bypass paths, sensitivity label application consistency, Azure Information Protection encryption configuration, insider risk policy scope, and eDiscovery access controls that could expose all organisational data to an overprivileged compliance administrator.
Microsoft 365 Risk Profile
M365 is the primary attack surface for credential theft, business email compromise, and data exfiltration targeting UK organisations. The misconfigurations we find are systematic, not exceptional.
BEC Attack Vector
Of cyber attacks start with a phishing email targeting M365 credentials, making tenant configuration the primary business risk control.
OAuth App Exposure
Of M365 tenants we assess have at least one overpermissive OAuth app consent grant with mail read/write or file access to all users.
Framework Coverage
Every finding is mapped to industry standard security benchmarks, ISO 27001, SOC 2, and Cyber Essentials Plus controls, providing direct audit evidence.
Controls
What We Find in M365 Tenants
Representative findings from recent Microsoft 365 security assessments. These are not edge cases. They are the default misconfiguration posture for most tenants.
Overpermissive OAuth Application Consent Grant
A third-party OAuth application had been granted Mail.ReadWrite and Files.ReadWrite.All permissions via admin consent. The application publisher's domain had expired, allowing potential domain takeover and full mailbox and OneDrive access for all users in the tenant without any further authentication.
Business Impact: Full read/write access to every user's email and OneDrive files via a compromised third-party OAuth application. No user interaction required.
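The consent-grant review behind a finding like this can be scripted over a Graph export. The block below is an added example, not the page's or Precursor's own tooling. It assumes three collections were exported beforehand in the shape Microsoft Graph returns them (servicePrincipals, oauth2PermissionGrants and appRoleAssignments), and every tenant id, object id and app name in it is constructed. It goes slightly beyond the finding above by covering both delegated and application permissions.

```python
"""Review OAuth application consent grants exported from Microsoft Graph and
flag risky, tenant-wide permissions.

Inputs mirror Graph collections: servicePrincipals (apps and resources),
oauth2PermissionGrants (delegated consent; consentType "AllPrincipals" is
admin consent on behalf of every user) and appRoleAssignments (application
permissions, which act without any signed-in user).  All ids and records
below are constructed samples, not data from any real tenant.
"""

# Permissions that give broad mail, file or directory access.
# Starting list; extend it to the tenant's risk appetite.
RISKY_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}

TENANT_ID = "11111111-1111-1111-1111-111111111111"          # constructed
GRAPH_SP_ID = "22222222-2222-2222-2222-222222222222"        # constructed Microsoft Graph resource SP
MAIL_HELPER_SP_ID = "33333333-3333-3333-3333-333333333333"  # constructed third-party app
REPORTING_SP_ID = "55555555-5555-5555-5555-555555555555"    # constructed in-house app
FILES_RW_ALL_ROLE_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed appRole id


def _publisher_verified(sp):
    return bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))


def find_risky_consents(service_principals, grants, app_role_assignments, tenant_id):
    """Return one finding per risky permission, highest severity first."""
    sps = {sp["id"]: sp for sp in service_principals}
    # resource SP id -> {appRoleId: permission name}: application-permission
    # assignments carry only GUIDs, so translate them to readable names.
    role_names = {sp["id"]: {r["id"]: r["value"] for r in sp.get("appRoles") or []}
                  for sp in service_principals}
    findings = []

    def record(client_id, permission, kind, tenant_wide):
        if permission not in RISKY_PERMISSIONS:
            return
        sp = sps.get(client_id) or {}
        findings.append({
            "app": sp.get("displayName", client_id),
            "clientId": client_id,
            "permission": permission,
            "type": kind,
            "tenantWide": tenant_wide,
            # An app owned by another tenant is third-party code holding these rights.
            "thirdParty": sp.get("appOwnerOrganizationId") != tenant_id,
            "publisherVerified": _publisher_verified(sp),
            "severity": "high" if tenant_wide else "medium",
        })

    for grant in grants:  # delegated permissions
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        for scope in (grant.get("scope") or "").split():
            record(grant["clientId"], scope, "delegated", tenant_wide)

    for a in app_role_assignments:  # application permissions are always app-wide
        role = role_names.get(a["resourceId"], {}).get(a["appRoleId"], a["appRoleId"])
        record(a["principalId"], role, "application", True)

    findings.sort(key=lambda f: (f["severity"] != "high", f["app"], f["permission"]))
    return findings


# Constructed sample export.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": GRAPH_SP_ID, "displayName": "Microsoft Graph",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "appRoles": [{"id": FILES_RW_ALL_ROLE_ID, "value": "Files.ReadWrite.All"}]},
    {"id": MAIL_HELPER_SP_ID, "displayName": "Contoso Mail Helper",
     "appOwnerOrganizationId": "44444444-4444-4444-4444-444444444444",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": REPORTING_SP_ID, "displayName": "Internal Reporting",
     "appOwnerOrganizationId": TENANT_ID,
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
SAMPLE_GRANTS = [
    {"clientId": MAIL_HELPER_SP_ID, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP_ID, "scope": "openid profile offline_access Mail.ReadWrite"},
    {"clientId": REPORTING_SP_ID, "consentType": "Principal",
     "principalId": "66666666-6666-6666-6666-666666666666",
     "resourceId": GRAPH_SP_ID, "scope": "User.Read Files.Read.All"},
]
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"principalId": MAIL_HELPER_SP_ID, "resourceId": GRAPH_SP_ID, "appRoleId": FILES_RW_ALL_ROLE_ID},
]

if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS,
                                 SAMPLE_APP_ROLE_ASSIGNMENTS, TENANT_ID):
        print(f)
```

Publisher state is reported rather than used to suppress findings: an unverified publisher is a reason to look harder, and a verified one is not a reason to accept tenant-wide mail access.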
Conditional Access Bypass via Legacy Authentication
Legacy authentication protocols (IMAP, SMTP, POP3) were not blocked by Conditional Access policies. Attackers with valid credentials obtained via phishing could bypass MFA enforcement using legacy mail clients, enabling full mailbox access and data exfiltration without triggering an MFA challenge.
Business Impact: Complete MFA bypass for any compromised account, enabling business email compromise and data exfiltration without triggering MFA challenges or Entra ID sign-in risk policies.
Platform Coverage
Every M365 workload in scope, from identity to information protection.
Entra ID
- Conditional Access
- PIM / RBAC
- B2B and B2C Trust
- Risky Sign-ins
Exchange Online
- Mail Flow Rules
- Delegated Access
- EOP Configuration
- Defender for Office 365
SharePoint Online
- Sharing Policies
- External Access
- Site Permissions
- Sensitivity Labels
OneDrive
- Sharing Settings
- Sync Policies
- Conditional Access
- External Sharing Links
Microsoft Teams
- Guest Access
- External Federation
- App Permissions
- Meeting Policies
Intune
- Compliance Policies
- Enrollment Restrictions
- App Protection
- Conditional Launch
Microsoft Purview
- DLP Policies
- Sensitivity Labels
- Insider Risk
- eDiscovery Access
Azure Information Protection
- Classification Rules
- Label Inheritance
- Encryption Config
- Rights Management
You need an M365 assessment if...
You have experienced a business email compromise attempt or phishing campaign targeting your M365 tenant.
Your organisation has grown its M365 footprint with new workloads (Teams, Intune, Purview) that have never been independently reviewed for security configuration.
Your Board or CISO has requested evidence of M365 security posture validation beyond the Microsoft Secure Score dashboard.
A compliance requirement such as Cyber Essentials Plus or ISO 27001 has flagged cloud configuration as an audit control gap.
You have completed a post-phishing incident review and want to confirm whether tenant-level misconfigurations were exploited or remain exploitable.
You are migrating to M365 E5 and want to validate that newly activated security features (Defender, Purview, Entra ID P2) are configured correctly before they are relied upon.
Compliance Ready
Every finding is mapped to industry standard security benchmark controls for Microsoft 365. Our reports satisfy audit evidence requirements for ISO 27001, SOC 2, Cyber Essentials Plus, and GDPR technical security obligations.
Industry Benchmarks
Full benchmark coverage for M365. Every finding references the specific control and remediation recommendation.
ISO 27001
Mapped to Annex A.8.8 (technical vulnerability management) and A.8.25 (secure development lifecycle for SaaS).
SOC 2
Findings reference CC6.1 (logical access controls) and CC6.6 (external network transmission controls).
Cyber Essentials Plus
Covers cloud-hosted services in CE Plus scope. Our report provides the configuration evidence auditors require.
GDPR
Identifies oversharing configurations that create personal data exposure risk under UK GDPR Article 32 obligations.
Cyber Insurance
Increasingly required by major UK underwriters for M365-heavy organisations above a £1M coverage threshold.
M365 Assessment Workflow
Four phases from scoping to compliance-ready report, with no operational disruption to your M365 environment.
Scoping and Access Provisioning
We define the tenant scope, agree which M365 workloads are in scope, and provision Global Reader and Security Reader roles. A fixed-price quote is issued after a free 30-minute scoping call with no commitment required.
Tenant Configuration Review
Our testers systematically review Entra ID Conditional Access policies, Exchange Online mail flow and delegation settings, SharePoint and OneDrive sharing configurations, Teams external access, Intune compliance policies, and Purview information protection settings against industry standard security benchmarks.
Exploitation and Bypass Testing
We attempt to chain configuration findings into exploitable attack paths: Conditional Access bypass via legacy authentication, OAuth consent abuse, anonymous sharing link exploitation, and privilege escalation through overpermissive role assignments.
Report and Retest
You receive a prioritised findings report, a board-ready executive summary with business risk context, and a technical remediation guide with step-by-step fixes.
What You Receive
Every M365 assessment produces a complete report package designed for both technical remediation teams and board-level decision makers.
Board-Ready Executive Summary
A non-technical summary of M365 security posture, business risk context, and prioritised remediation recommendations suitable for CISO and board presentation.
Technical Remediation Guide
Step-by-step remediation instructions for every finding, with CVSS scores and PowerShell or portal configuration guidance.
Industry Benchmark Mapping
Every finding is mapped to industry standard security benchmarks, enabling direct evidence submission for compliance audits including ISO 27001 and Cyber Essentials Plus.
Retest of Remediated Findings
After you apply the recommended fixes, we retest every critical and high finding within the assessment window at no additional cost to provide closure evidence for your compliance or cyber insurance requirements.
M365 Security Assessment Pricing
Fixed-price engagements. No day-rate overruns. All tiers include CREST-accredited testers, industry standard benchmark mapping, and a full retest of remediated findings.
Close the Loop. After the Test.
Your M365 assessment identifies what is misconfigured today. We feed those exact findings into our 24/7 Cloud Security Monitoring service, building custom detection rules for the Conditional Access bypass paths and OAuth abuse techniques discovered during your assessment.
Explore Defensive Services
Cloud Security Monitoring
24/7 detection rules tuned to the M365 misconfigurations found in your assessment.
Azure Penetration Testing
Extend coverage to your Azure infrastructure and Azure AD tenant configuration.
AWS Penetration Testing
Full AWS IAM, S3, and workload security assessment from CREST-accredited testers.
Cloud Security Hub
Full cloud penetration testing services across M365, Azure, AWS, and GCP.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
A Microsoft 365 security assessment is a specialist manual review of your M365 tenant conducted by CREST-accredited consultants. Unlike Microsoft Secure Score, which provides an automated compliance score, a manual assessment identifies exploitable misconfigurations that automated tools cannot detect, such as Conditional Access bypass paths via legacy authentication protocols, overpermissive OAuth application consent grants, and mail forwarding rules silently exfiltrating email to external addresses. Our testers assess every layer of your M365 environment: Entra ID Conditional Access policies, Exchange Online mail flow and delegation settings, SharePoint and OneDrive sharing configurations, Teams external access controls, Intune device compliance policies, and Microsoft Purview information protection settings. The output is a prioritised findings report mapped to industry standard security benchmarks, with a board-ready executive summary and a technical remediation guide.
Our M365 security assessment covers the full suite of Microsoft 365 services: Entra ID (Conditional Access, PIM, B2B/B2C trust, risky sign-in policies), Exchange Online (mail flow rules, delegated access, OAuth app consent, auto-forwarding, EOP and Defender for Office 365 configuration), SharePoint Online and OneDrive (sharing policies, external access, anonymous links, site-level permissions, sensitivity labels), Microsoft Teams (guest access, external federation, app permissions, meeting policies, compliance recording), Intune and Microsoft Endpoint Manager (device compliance policies, enrollment restrictions, app protection policies, conditional launch controls), Microsoft Purview (DLP policies, sensitivity labels, insider risk policies, eDiscovery access controls), and Azure Information Protection (classification rules, label inheritance, encryption configuration, rights management). The specific workloads assessed are agreed during scoping and depend on which M365 services your organisation has licensed and deployed.
Our testers require read-only administrative access to your M365 tenant. The minimum roles required are Global Reader and Security Reader, which provide read access to all configuration settings without granting any write or administrative capability. We do not require Global Administrator access. For Intune assessments, the Intune Service Administrator (read-only) role may be added. All access is provisioned before the engagement, documented in a signed Scope of Work, and the accounts are disabled or removed at the end of the engagement. No changes are made to your tenant configuration during the assessment. We operate in a purely read-only posture unless you specifically request that we attempt active exploitation under controlled conditions (available as an optional add-on to the standard review).
A Microsoft 365 security assessment starts from £3,750 for a single tenant with up to 500 users, covering the core workloads: Entra ID, Exchange Online, SharePoint, OneDrive, and Teams. Larger tenants with 500 to 2,000 users and additional workloads such as Intune and Microsoft Purview typically cost between £6,250 and £10,000. Multi-tenant environments or engagements requiring active exploitation testing are quoted separately after scoping. All engagements are fixed-price: the quote you receive after a free scoping call is the amount you pay, with no day-rate overruns. A retest of remediated findings is included in all engagements.
Microsoft Secure Score is a dashboard metric that tracks your organisation's adherence to Microsoft's recommended configuration settings. It identifies low-hanging configuration weaknesses and provides actionable recommendations, but it has significant limitations as a security assurance tool. Secure Score cannot detect exploitable attack chains, such as a Conditional Access policy that appears correctly configured but has a legacy authentication exclusion that bypasses MFA for a subset of high-privilege accounts. It cannot identify overpermissive OAuth application consent grants that give third-party apps full mailbox and OneDrive access. It cannot assess whether mail forwarding rules are silently exfiltrating email to external addresses. And it cannot evaluate the business risk of a SharePoint sharing policy that exposes sensitive files to anonymous links with no expiry. A manual assessment by CREST-accredited testers identifies these exploitable chains and provides a prioritised remediation roadmap that Secure Score alone cannot produce.
Yes. Conditional Access testing and legacy authentication bypass are primary focus areas in every M365 assessment. We enumerate every Conditional Access policy in your tenant, map which users and applications are in scope or excluded, and identify gaps where an attacker with valid credentials could authenticate without completing an MFA challenge. The most common bypass path we identify is legacy authentication protocol support: when IMAP, POP3, SMTP, MAPI, and Exchange ActiveSync are not blocked by Conditional Access, an attacker who obtains valid credentials via phishing can authenticate directly to Exchange using a legacy mail client without triggering an MFA challenge. We also test for named location exclusions, device platform exclusions, and service principal exemptions that create unintended bypass paths. Every Conditional Access gap is documented with a proof-of-concept attack scenario, business impact description, and specific remediation steps aligned to industry standard security benchmarks.
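The policy-scoping check described in this answer can be reproduced over an export of the tenant's Conditional Access policies. The block below is an added example, not the page's or Precursor's own tooling. It assumes the policies were exported beforehand in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies (conditions.clientAppTypes, conditions.users, grantControls.builtInControls and so on); the two sample policies and every id in them are constructed.

```python
"""Audit exported Conditional Access policies for a tenant-wide block on
legacy authentication.

Input is a list of policy objects in the shape Microsoft Graph returns from
GET /identity/conditionalAccess/policies.  The sample policies below are
constructed, not taken from any real tenant.
"""
import json

# Client app types under which legacy (basic-auth) protocols sign in: Exchange
# ActiveSync, and "other clients" (IMAP, POP3, SMTP AUTH, MAPI, older Office
# clients).  A block policy has to cover both, or be set to "all".
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# Exclusion lists that reopen the bypass for whatever they name.
EXCLUSION_KEYS = {
    "users": ("excludeUsers", "excludeGroups", "excludeRoles"),
    "applications": ("excludeApplications",),
    "locations": ("excludeLocations",),
    "platforms": ("excludePlatforms",),
}


def _blocks(policy):
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def _legacy_coverage(policy):
    types = set((policy.get("conditions") or {}).get("clientAppTypes") or [])
    return set(LEGACY_CLIENT_APP_TYPES) if "all" in types else types & LEGACY_CLIENT_APP_TYPES


def _exclusions(policy):
    conditions = policy.get("conditions") or {}
    found = []
    for section, keys in EXCLUSION_KEYS.items():
        block = conditions.get(section) or {}
        for key in keys:
            for value in block.get(key) or []:
                found.append(f"{section}.{key}={value}")
    return found


def audit_legacy_auth(policies):
    """Return the enforcing policies, every gap found, and whether the
    tenant-wide block is complete (both client app types, no gaps)."""
    covered, enforcing, gaps = set(), [], []
    for policy in policies:
        name = policy.get("displayName") or policy.get("id") or "<unnamed>"
        coverage = _legacy_coverage(policy)
        if not coverage or not _blocks(policy):
            continue  # not a legacy-auth block policy (e.g. an MFA grant policy)
        state = policy.get("state")
        if state != "enabled":
            gaps.append(f"{name}: blocks {sorted(coverage)} but state is '{state}', so nothing is enforced")
            continue
        conditions = policy.get("conditions") or {}
        users = conditions.get("users") or {}
        apps = conditions.get("applications") or {}
        if "All" not in (users.get("includeUsers") or []):
            gaps.append(f"{name}: scoped to specific users or groups, not 'All'")
        if "All" not in (apps.get("includeApplications") or []):
            gaps.append(f"{name}: scoped to specific applications, not 'All'")
        for exclusion in _exclusions(policy):
            gaps.append(f"{name}: exclusion {exclusion} leaves legacy auth open for that scope")
        enforcing.append(name)
        covered |= coverage
    for app_type in sorted(LEGACY_CLIENT_APP_TYPES - covered):
        gaps.append(f"no enforced block policy covers clientAppType '{app_type}'")
    return {"fullyBlocked": not gaps, "policies": enforcing, "gaps": gaps}


# Constructed sample export: a block policy with a group exclusion, plus an MFA
# policy that only ever sees modern clients.
SAMPLE_POLICIES = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {
         "clientAppTypes": ["exchangeActiveSync", "other"],
         "users": {"includeUsers": ["All"], "excludeUsers": [], "includeGroups": [],
                   "excludeGroups": ["<scanner-exception-group-id>"],
                   "includeRoles": [], "excludeRoles": []},
         "applications": {"includeApplications": ["All"], "excludeApplications": []},
         "locations": None, "platforms": None},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "00000000-0000-0000-0000-000000000002",
     "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {
         "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
         "users": {"includeUsers": ["All"], "excludeUsers": [], "includeGroups": [],
                   "excludeGroups": [], "includeRoles": [], "excludeRoles": []},
         "applications": {"includeApplications": ["All"], "excludeApplications": []},
         "locations": None, "platforms": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_legacy_auth(SAMPLE_POLICIES), indent=2))
```

The point the sample makes is the one the answer above makes: an MFA policy that looks complete never evaluates a legacy sign-in, so only an enabled block policy counts, and any exclusion on that block policy is a bypass for the members it names. Report-only policies are listed as gaps for the same reason.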