The category, defined

What is a tenant security assessment?

A tenant security assessment is an expert review of your Microsoft 365 tenant's configuration against a recognised benchmark. A consultant examines identities, access policies, email protection, sharing and logging, then hands you a prioritised plan to fix what genuinely matters.

Why "tenant"

Your tenant is your Microsoft 365 estate

When your business signed up to Microsoft 365, Microsoft created a tenant: the dedicated instance holding your users, mailboxes, files, Teams and every security setting that governs them. Microsoft secures the platform underneath; the configuration of your tenant, all several hundred settings of it, is yours to get right. That split is called the shared responsibility model, and it is why a well-run assessment looks at configuration rather than infrastructure.

Microsoft's own documentation, its AppSource marketplace and the CIS benchmark all use the same phrase for the exercise this site is named after: reviewing that configuration is a tenant security assessment.

What one covers

  • Entra ID: admin roles, privileged access, stale accounts, sign-in policies
  • Conditional Access and MFA coverage, including legacy authentication
  • Exchange Online: mail flow rules, forwarding, anti-phishing, spoofing controls
  • SharePoint, Teams and OneDrive sharing, guest access and data exposure
  • Microsoft Defender policies, alerting and audit log configuration
  • Secure Score, benchmarked against comparable UK tenants

The distinction that matters

Assessment versus scan

Free automated scanners exist, and good ones. The difference is what happens between the raw settings and your decision about what to do.

A scan lists settings

Free tools like Microsoft's Zero Trust assessment or CoreView's scanner compare your tenant against a fixed baseline and output everything that deviates. Useful, fast, and undifferentiated: a 40-page list with no sense of which items matter for your business.

An assessment finds risk

A consultant reads the same configuration in context: which admin accounts are genuinely dormant, which sharing settings expose real client data, which policy gaps line up with how attackers actually break into tenants like yours. Findings become decisions.

The output is a plan

The deliverable is not a score. It is a remediation roadmap in priority order, a board summary of what the risk means commercially, and a debrief where your team can challenge every finding before anyone spends a day fixing anything.

Quick answers

Tenant assessment questions, answered

Is a tenant security assessment the same as a Microsoft 365 security assessment?

Yes. The tenant is the technical name for your organisation's instance of Microsoft 365, so a tenant security assessment, a Microsoft 365 security assessment, an Office 365 security assessment and an M365 security review all describe the same expert review of your configuration. Microsoft itself uses the tenant phrasing.

How is it different from a penetration test?

A penetration test attacks systems to prove what an intruder could do; an assessment reviews configuration to find what would let them in. For Microsoft 365, configuration review finds the overwhelming majority of real-world weaknesses at a fraction of the cost. If you genuinely need offensive testing, CyPro's penetration testing team covers that separately.

What do you need from us to run one?

Read-only administrative access to the tenant, one scoping call, and about an hour of your IT lead's time for questions. Nothing is changed, nothing is installed and users are never interrupted.

How long does it take?

Most assessments run over three to four working days from access to debrief, depending on which workloads are in scope. The pricing page sets out exactly what each scope band covers.

See the scope bands and prices

3D illustration of a rocket launching, representing a Microsoft 365 security assessment getting started

Now you know what it is

Find out what yours would find

A free 45 minute scoping call tells you which workloads to include, what it costs and how quickly you get the roadmap.