201 read-only checks · 15 categories · 9 domains

201 read-only checks across Microsoft 365 and Entra ID

ScanPosture assesses identity, privileged access, Conditional Access, collaboration, audit, device posture, non-human identity, Exchange Online, Teams, SharePoint, and configuration drift.

28-day trial · No credit card · Read-only Microsoft access

Read-only checks: 201 (across Microsoft 365 and Entra ID)

Coverage categories: 15 (from identity to collaboration)

Security domains: 9 (weighted into one posture score)

Framework readiness views: 8 (CE, ISO, GDPR, NIST and more)

Checks are read-only. ScanPosture observes configuration and generates findings. It does not modify the tenant during scans.

15 coverage categories

Checks are organised into categories so remediation and reporting can be scoped to the areas most relevant to each stakeholder.

Privileged Access (28 checks): Admin role hygiene and PIM activation patterns.

Non-Human Identity (25 checks): App registrations, service principals, credential lifecycle.

Conditional Access (22 checks): Policy targeting, exclusions, and enforcement scope.

Tenant Configuration (21 checks): Tenant-wide security and collaboration defaults.

Account Hygiene (19 checks): Joiner/mover/leaver flows, dormant and guest accounts.

Authentication & MFA (14 checks): MFA coverage, methods used, authentication strength.

Exchange Online (14 checks): DMARC, anti-spoof, mailbox auditing, transport rules.

SharePoint Online (11 checks): External sharing posture, anonymous links, site permissions.

Microsoft Teams (11 checks): Federation, guest access, meeting policy hygiene.

Logging & Audit (11 checks): Unified audit log coverage and retention.

Monitoring & Risk (9 checks): Sign-in risk, identity protection signals, alerting.

AI Agent Identity (5 checks): Copilot, agent and AI-app identity controls.

Device Security (5 checks): Device compliance and Conditional Access enforcement where observable.

Segregation of Duties (5 checks): Conflicting role assignments and toxic pair combinations.

App Permissions Drift (1 check): Service-principal scope changes since the previous scan.

9 security domains, weighted into one posture score

Findings roll up into nine weighted domains. Domain weights reflect posture impact, so a gap in a high-weight area moves the overall score more than a gap in a low-weight area.

D1 Identity & Authentication: User identity, MFA methods, authentication strength, and sign-in protections.

D2 Privileged Access: Admin role assignments, PIM activation, and scoped privilege.

D3 Conditional Access & Policy Enforcement: Who can access what, from where, under which conditions.

D4 Account Lifecycle & Governance: Joiner, mover, leaver flows; dormant and guest accounts; access reviews.

D5 Application & Non-Human Identity Security: Service principals, application permissions, credential hygiene.

D6 Data Access & Collaboration Security: SharePoint, Teams, Exchange sharing posture and external access.

D7 Monitoring, Drift & Posture: Security monitoring configuration and configuration drift detection.

D8 Logging & Audit: Unified audit log coverage, retention, and diagnostic settings.

D9 Device Security: Device compliance, enrolment, and Conditional Access enforcement where observable.

A sample of what ScanPosture surfaces

Curated examples, not a raw export. Real scans typically surface dozens of findings, grouped by domain and sorted by priority.

CRITICAL: Users without MFA enabled
Identifies accounts lacking any MFA method. Each unprotected account is a credential-theft risk.

HIGH: Privileged users relying on weak MFA methods
Admins whose only MFA method is SMS or voice call. Neither method is phishing-resistant.

HIGH: Excessive Global Administrator accounts
Too many standing GA assignments increase the blast radius if any one of them is compromised.

HIGH: New Global Administrator added
Drift signal: GA assignments have changed since the last scan.

HIGH: Guest users with elevated privileges
External accounts holding admin or privileged roles bypass normal governance.

HIGH: Legacy authentication not blocked
Basic auth and legacy protocols bypass MFA and modern policy.

HIGH: SharePoint anonymous sharing enabled
"Anyone with the link" sharing exposes tenant data to the open internet.

MEDIUM: DMARC not configured
The domain is unprotected and vulnerable to spoofing and business email compromise (BEC).

MEDIUM: Admin accounts with active mailboxes
Admin identities used as daily drivers increase the credential-theft blast radius.

HIGH: PIM activation without MFA required
Just-in-time role activation should require step-up authentication.

MEDIUM: Service principals with expiring credentials
Non-human identities whose secrets are about to lapse; both an operational and a security signal.

CRITICAL: Audit logging not configured
Without the unified audit log, post-incident investigation is severely limited.

Licence-aware assessment

Some Microsoft controls require specific Entra ID or Microsoft 365 licensing. ScanPosture distinguishes between failed controls, skipped checks, insufficient evidence, and areas outside the current assessment scope.

Passed: The control is configured appropriately for the assessed scope.

Finding raised: ScanPosture observed a posture gap; the finding carries a severity and remediation guidance.

Skipped: The check could not run because a required permission or licence was not present.

Advisory: Informational signal. No score impact, but recorded for context.

Insufficient evidence: The available signals do not support a reliable pass/fail conclusion.

Out of current assessment scope: The area is not assessed by the currently connected scope.

Read-only permission model

ScanPosture uses read-only access to observe configuration. It does not make tenant changes as part of scanning.

Future coverage

ScanPosture is Microsoft-first today, with future expansion planned for AWS and selected SaaS platforms where customers need a broader assurance picture.

Want to see what your tenant surfaces?

Start your 28-day trial and see your own posture in a few minutes.

201 read-only checks · 9 security domains · No credit card