SECURITY AUDIT

Microsoft 365
Security Audit for SMBs

Complete security analysis of your Microsoft 365 tenant. Over 400 checks on identity, email, SharePoint, Teams and compliance.

400+ checks · Prowler + ScubaGear · CIS + NIST + GDPR · Read-only, zero impact

The problem: insecure configurations

Most Microsoft 365 tenants have weak security configurations that were never changed from defaults. No sophisticated attacks needed: an account without MFA or an overly permissive sharing policy is enough.

70% of tenants don't have MFA enabled for all users, exposing accounts to compromise

65% still allow legacy authentication, bypassing modern security protections

55% have overly permissive sharing policies on SharePoint and OneDrive

50% don't have audit logging enabled, making incident tracking impossible

What we analyze

Six analysis areas to cover the entire attack surface of your Microsoft 365 tenant.

Identity and access
MFA · Conditional Access · Privileged roles · Password policy · Guest access
Email Security
Anti-phishing · DMARC · DKIM · SPF · Safe Attachments · Safe Links
SharePoint and OneDrive
Sharing policy · DLP · Sensitivity labels · External access · Anonymous links
Teams
External access · Guest policy · Meeting security · App permissions
Compliance and governance
Audit log · Microsoft Purview · Retention policy · eDiscovery · Data classification
Entra ID / Azure AD
Security defaults · PIM · App registrations · Consent policy · Sign-in risk

How it works

From authorization to final report, in four phases.

1. Authorization

Read-only access is configured to your tenant. No changes, no impact. Estimated time: 15 minutes.

2. Automated scan

Prowler for M365 and CISA's ScubaGear analyze the tenant in parallel. Duration: 2-4 hours, fully automated.

3. Analysis and correlation

Results are correlated, deduplicated and classified by severity and real impact on your environment.

4. Report and remediation

Complete report with executive summary, detailed findings and prioritized remediation plan.

Scanning engines

Two complementary engines for the broadest possible coverage of your Microsoft 365 tenant.

Prowler for M365

The leading open-source cloud security engine, extended to the Microsoft 365 ecosystem.

200+ M365-specific checks
CIS M365 Benchmark · MITRE ATT&CK · NIST · SOC2 · ISO 27001 · GDPR

ScubaGear CISA

Developed by the United States Cybersecurity and Infrastructure Security Agency (CISA).

Baselines for 6 M365 workloads
Entra ID · Exchange Online · SharePoint · Teams · Defender · Power Platform

What you get

Three concrete deliverables, ready for operational and strategic decisions.

Executive Summary

Concise overview for management: security posture, key risks, intervention priorities. Presentation-ready for the board and stakeholders.

Detailed findings

Each finding with description, severity, impacted resource, technical evidence and step-by-step remediation. Mapped to CIS, NIST and GDPR frameworks.

Compliance dashboard

Aggregated compliance view by framework. Adherence percentage to CIS M365 Benchmark, NIST, GDPR. Trends over time for recurring audits.

Most common findings

The issues we find most frequently in our clients' Microsoft 365 tenants.

Frequency | Finding | Severity
70% | MFA not enabled for all users | Critical
65% | Legacy authentication still enabled | Critical
60% | Global Admin without PIM (Privileged Identity Management) | High
55% | Overly permissive external sharing on SharePoint | High
50% | Audit logging not enabled or insufficient retention | Medium
45% | No Conditional Access policy configured | High
40% | DMARC not configured or policy set to none (p=none) | Medium
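The last finding in the table, "DMARC not configured or in none mode", is one that can be checked without any tenant access at all, because the policy is published in DNS. The following Python is an added example written for this page; it is not code from the audit service, from Prowler or from ScubaGear. It parses a DMARC TXT record into its tags and classifies the domain's posture as missing, invalid, none, quarantine or reject, flagging the first three with the Medium severity the table uses. The records it runs over are constructed sample strings, so no DNS lookup is made; in practice you would fetch the TXT record at `_dmarc.<domain>` and pass it in.

```python
# Added example, not part of the original page or of any scanner it names.
# Classifies a domain's DMARC posture from its _dmarc TXT record. Records are
# constructed sample strings so the code runs offline (no DNS lookup here).
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DmarcResult:
    status: str                      # "missing", "invalid", "none", "quarantine", "reject"
    severity: str                    # "Medium" when the finding applies, "OK" otherwise
    tags: dict[str, str] = field(default_factory=dict)
    notes: list[str] = field(default_factory=list)


def parse_dmarc(record: str | None) -> dict[str, str]:
    """Split a DMARC record ("v=DMARC1; p=reject; rua=...") into lower-cased tag -> value."""
    tags: dict[str, str] = {}
    if not record:
        return tags
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue                 # tolerate stray separators and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> DmarcResult:
    """Map a record to the 'DMARC not configured or p=none' finding (Medium) or OK."""
    tags = parse_dmarc(record)
    if not record:
        return DmarcResult("missing", "Medium", tags, ["no _dmarc TXT record published"])
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcResult("invalid", "Medium", tags, ["record does not declare v=DMARC1"])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcResult("invalid", "Medium", tags, [f"missing or unknown p= tag: {policy!r}"])

    notes: list[str] = []
    # pct below 100 means only that share of failing mail is subject to the policy
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        notes.append(f"policy applies to only {pct}% of failing messages")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports are not being collected")
    if policy == "none":
        notes.insert(0, "p=none only monitors; spoofed mail is still delivered")
        return DmarcResult("none", "Medium", tags, notes)
    return DmarcResult(policy, "OK", tags, notes)


# Constructed sample data: four hypothetical domains and the TXT record each publishes.
SAMPLE_RECORDS: dict[str, str | None] = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "shop.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "old.example.com": None,                                  # no record at all
    "test.example.com": "v=DMARC1; p=quarantine; pct=25",     # partial enforcement
}


def audit_domains(records: dict[str, str | None]) -> dict[str, DmarcResult]:
    """Assess every domain and return the per-domain result keyed by domain name."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, result in audit_domains(SAMPLE_RECORDS).items():
        print(f"{domain:20} {result.status:10} {result.severity:7} {'; '.join(result.notes)}")
```

Run as a script it prints one line per sample domain; the two domains that would appear in the audit as the Medium finding are `shop.example.com` (p=none) and `old.example.com` (no record), while `test.example.com` passes but carries notes about the 25% rollout and the missing aggregate-report address.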

Frequently asked questions

Does the audit impact tenant performance?

No. The audit uses exclusively read-only access via Microsoft Graph API. No changes are made to the tenant, no data is altered, no performance impact for users.

How long does the entire process take?

The automated scan takes 2-4 hours. The complete analysis with report and remediation plan is delivered within 3-5 business days from the scan.

Are recurring audits available?

Yes. We offer quarterly or semi-annual recurring audits to monitor security posture improvement over time and detect new risky configurations.

Does it work with all Microsoft 365 plans?

Yes. The audit works with all plans: Business Basic, Business Standard, Business Premium, E3, E5. Some advanced features (PIM, Defender) are only available with premium licenses.

Do you provide remediation support?

Yes. Every finding includes step-by-step remediation instructions. We also offer an assisted remediation service where our team implements the fixes directly on your tenant.

Protect your Microsoft 365.

First step: a security audit of your tenant. We'll show you the vulnerabilities in your configuration and how to fix them.