The whole Microsoft 365 control posture, on one page
ScanPosture connects read-only to Microsoft 365 and Entra ID, assesses security posture across key control areas, and turns technical findings into prioritised remediation, evidence, and trend visibility.
28-day trial · No credit card · Read-only Microsoft access
The live dashboard, at a glance
Posture score, open findings, scan coverage, priority actions, and what changed between scans, on one page, refreshed with every completed scan.
More than a dashboard
ScanPosture is designed to help teams understand what their Microsoft controls look like, where posture is weakening, what needs attention first, and what evidence can be shown to stakeholders.
Assess posture
Map Microsoft 365 and Entra ID signals into controls and domains so the picture holds together.
Prioritise remediation
Surface the actions with the greatest posture impact and make them easy to hand off.
Evidence improvement
Show recurring scans, trend history, and framework readiness to stakeholders who ask.
From connection to evidence, in four steps
Connect Microsoft 365
Read-only OAuth consent. No agents, no passwords, no tenant write actions.
OAuth · Read-only
Run a scan
ScanPosture assesses Microsoft 365 and Entra ID configuration against 201 read-only checks.
201 checks
Review posture
Findings are grouped into domains, controls, priority actions, and framework readiness views.
9 domains
Track improvement
Recurring scans show what changed, what improved, and what needs renewed attention.
Drift · Trend
Posture score, open findings, and what changed this scan
The dashboard refreshes with every completed scan. Score, open findings, priority actions, scan coverage, and what changed since the previous scan, in one place.
Posture score
A weighted score across 9 control domains, with movement against the previous scan.
Open findings
Grouped by severity, with affected counts and trend per domain.
Priority actions
Ranked by estimated score impact so teams fix the changes that move readiness most.
Scan coverage
Connected scope vs applicable checks. Areas not observable do not count as passes.
Drift since last scan
New, returned, resolved, and changed findings against the previous completed scan.
Access reviews
Risks assigned in-line, reviewer activity tracked across the tenant.
The ScanPosture score reflects connected and assessed scope. Areas not connected or not observable are not silently treated as passed or failed.
Control strength, across four dimensions
A control that exists but only covers a small number of users should not score the same as a control that is consistently enforced across the tenant. ScanPosture scoring is designed to reflect that difference.
Presence
Does the control exist in the tenant?
Coverage
What share of users, roles, apps, or data is in scope?
Quality
Are the settings configured with appropriate strength?
Strength
How resilient is the control against bypass or weak configuration?
Framework readiness scores are separate from the overall posture score.
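An added example (not ScanPosture's own scoring code) showing how a coverage-aware rollup over the four dimensions above behaves differently from a simple pass/fail count, and how controls the scanner could not observe are kept out of the score rather than treated as passed or failed. The multiplicative per-control model, the domain weights, the control names and the sample tenant data are all assumptions constructed for illustration.

```powershell
# Added example, not ScanPosture code. The scoring model and sample data are assumptions.

function Get-ControlScore {
    param([hashtable]$Control)
    # Not observable (missing licence, not connected): no score at all, so it is
    # excluded from the denominator instead of counting as a pass or a fail.
    if ($Control.Observable -eq $false) { return $null }
    if (-not $Control.Present) { return 0.0 }           # Presence: control does not exist
    # Coverage, Quality and Strength are fractions in [0,1]. A present control that
    # covers 40% of users scores well below the same control enforced tenant-wide.
    return [math]::Round($Control.Coverage * $Control.Quality * $Control.Strength, 3)
}

function Get-PostureScore {
    param([hashtable[]]$Controls, [hashtable]$DomainWeights)
    $byDomain = @{}
    $assessed = 0
    foreach ($c in $Controls) {
        $score = Get-ControlScore $c
        if ($null -eq $score) { continue }              # drop unassessed controls entirely
        $assessed++
        if (-not $byDomain.ContainsKey($c.Domain)) { $byDomain[$c.Domain] = @{ Sum = 0.0; N = 0 } }
        $byDomain[$c.Domain].Sum += $score
        $byDomain[$c.Domain].N++
    }
    $weighted = 0.0; $weightTotal = 0.0
    foreach ($d in $byDomain.Keys) {
        $w = $DomainWeights[$d]
        $weighted    += $w * ($byDomain[$d].Sum / $byDomain[$d].N)   # domain average, weighted
        $weightTotal += $w
    }
    # Domains with nothing assessed never enter $weightTotal, so the score
    # reflects connected and assessed scope only.
    [pscustomobject]@{
        Score           = [math]::Round(100 * $weighted / $weightTotal, 1)
        AssessedDomains = @($byDomain.Keys | Sort-Object)
        Coverage        = "$assessed of $($Controls.Count) controls assessed"
    }
}

# Constructed sample tenant (assumed values, not real scan output).
$controls = @(
    @{ Domain = 'Identity'; Name = 'MFA enforced';        Present = $true;  Coverage = 0.40; Quality = 1.0; Strength = 0.8; Observable = $true }
    @{ Domain = 'Identity'; Name = 'Legacy auth blocked'; Present = $true;  Coverage = 1.00; Quality = 1.0; Strength = 1.0; Observable = $true }
    @{ Domain = 'Email';    Name = 'DMARC reject';        Present = $false; Coverage = 0;    Quality = 0;   Strength = 0;   Observable = $true }
    @{ Domain = 'Data';     Name = 'Sensitivity labels';  Present = $null;  Coverage = $null; Quality = $null; Strength = $null; Observable = $false }  # no licence
)
$weights = @{ Identity = 3; Email = 2; Data = 2 }   # assumed domain weights

Get-PostureScore -Controls $controls -DomainWeights $weights | Format-List
```

In the constructed sample the `Data` domain is unlicensed and therefore unobservable, so it contributes neither a pass nor a fail and its weight drops out of the denominator; the `Coverage` field makes that visible alongside the score, which is the point of reporting connected scope separately from the number.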
Priority actions with real remediation detail
Findings become prioritised steps. Each one shows what to change, why it matters, and exactly where in the Microsoft admin experience to do it.
Ranked impact
Highest-impact actions for this scan, with estimated score gain per action.
Step-by-step guides
What to change, why it matters, and the exact portal path to do it.
Deep-links
Direct paths into Entra, Exchange, and SharePoint admin centres.
Prerequisites
Licensing, role, and dependency notes flagged where they apply.
Verification
Steps to confirm the fix actually applied after the change.
Hand-off ready
Each action exports cleanly so analysts or MSPs can pick it up.
What changed since the last completed scan
Every scan is compared against the previous completed scan. You see new findings, returned findings, resolved findings, and which areas have worsened.
New: first detected in the latest scan compared with the previous completed scan.
Returned: previously seen historically, absent in the previous completed scan, and present again now.
Resolved: present in the previous completed scan, not present in the latest scan.
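The three classifications above, as an added example that is not ScanPosture's own drift code. It assumes each finding has a stable key (check id plus affected object is assumed here) and that scans are ordered oldest to newest; "changed" is taken to mean the same finding at a different severity, which is an assumption since the page does not define it. The scan history is constructed for the example.

```powershell
# Added example, not ScanPosture code. Finding keys, severities and scan history are constructed.

function Get-FindingDrift {
    param([Parameter(Mandatory)][object[]]$Scans)   # each: @{ Id = ...; Findings = @{ key = severity } }
    if ($Scans.Count -lt 2) { throw 'Drift needs at least two completed scans' }
    $latest   = $Scans[-1].Findings
    $previous = $Scans[-2].Findings

    # "Returned" must look past the previous scan: collect every key seen earlier in history.
    $historic = [System.Collections.Generic.HashSet[string]]::new()
    for ($i = 0; $i -lt $Scans.Count - 2; $i++) {
        foreach ($k in $Scans[$i].Findings.Keys) { [void]$historic.Add($k) }
    }

    $new = @(); $returned = @(); $resolved = @(); $changed = @()
    foreach ($k in $latest.Keys) {
        if ($previous.ContainsKey($k)) {
            # Same finding in both scans; only a severity change is worth reporting (assumption).
            if ($previous[$k] -ne $latest[$k]) { $changed += $k }
        }
        elseif ($historic.Contains($k)) { $returned += $k }   # absent last scan, seen before that
        else                            { $new += $k }        # never seen in any completed scan
    }
    foreach ($k in $previous.Keys) {
        if (-not $latest.ContainsKey($k)) { $resolved += $k }
    }
    [pscustomobject]@{
        Compared = "$($Scans[-2].Id) -> $($Scans[-1].Id)"
        New      = $new
        Returned = $returned
        Resolved = $resolved
        Changed  = $changed
    }
}

# Constructed history: a finding fixed in scan-2 comes back in scan-3, one severity shifts,
# and a new site-level finding appears.
$scans = @(
    @{ Id = 'scan-1'; Findings = @{ 'CA-001|tenant' = 'High';   'MFA-003|user:alice' = 'Medium' } }
    @{ Id = 'scan-2'; Findings = @{ 'CA-001|tenant' = 'High' } }
    @{ Id = 'scan-3'; Findings = @{ 'CA-001|tenant' = 'Medium'; 'MFA-003|user:alice' = 'Medium'; 'SPO-010|site:hr' = 'Low' } }
)

Get-FindingDrift -Scans $scans | Format-List
```

The design point is that "returned" cannot be computed from two scans alone: a finding absent in the previous scan looks identical to a brand-new one unless older history is consulted, which is why the function walks every scan before the previous one. Comparing only against the last completed scan (and not a failed or partial one) keeps a scan that timed out from producing a wave of spurious "resolved" entries.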
Evidence that refreshes itself
Every output reflects the latest scan, so stakeholders see current evidence without manual compilation, screenshots, or stitched-together spreadsheets.
PDF posture reports
Board-ready summary of score, priority actions, and movement between scans.
Executive summaries
Single-page narrative for leadership, refreshed every completed scan.
Scheduled digests
Weekly, monthly, or per-scan email digests delivered automatically.
CSV exports
Findings and controls exported for ticketing systems or MSP hand-off.
Always current
Every output reflects the latest completed scan, never a stale snapshot.
Framework readiness
Per-framework readiness packs across the eight evidenced frameworks.
Read-only by design
Read-only access. No agents. No tenant changes.
ScanPosture observes configuration and generates findings. Policies, users, roles, and tenant settings are not changed during scans.
No passwords collected
OAuth-only. ScanPosture never stores or processes Microsoft account passwords.
No agent deployment
Cloud-side only. Nothing to install on endpoints, servers, or domain controllers.
Read-only OAuth
Every Microsoft Graph permission ScanPosture asks for is read-scoped. Verifiable in the consent screen.
Visible at consent
Your Global Administrator sees the full permission list before granting access.
No silent remediation
Findings are surfaced. Nothing is changed automatically. Future write actions need explicit authorisation.
Removable connection
Revoke ScanPosture’s tenant access at any time from the Microsoft admin centre.
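The consent screen lists permission display names, which are descriptive rather than authoritative; the check a Global Administrator would actually want is to enumerate what the service principal holds after consent and confirm every scope is read-only by name. The following is an added example, not ScanPosture's own tooling, written against the Microsoft Graph PowerShell SDK. It assumes the app's service principal display name is `ScanPosture` (substitute the name shown at consent) and uses a simple name-pattern heuristic for write-capable permissions; both are assumptions. It covers application and delegated permissions on every resource (Graph, Exchange Online, SharePoint Online), but an Azure RBAC Reader role granted for the optional Azure-resource checks is a separate assignment and is not shown here.

```powershell
# Added example, not ScanPosture code. Display name and write-pattern heuristic are assumptions.
# Requires: Install-Module Microsoft.Graph.Applications (Graph PowerShell SDK v2).

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$appName = 'ScanPosture'   # assumed; use the display name on the consent screen
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named '$appName', found $($sp.Count)" }
$sp = $sp[0]

# Permission names matching this are treated as write-capable and must be justified.
# Heuristic only: Exchange.ManageAsApp, Mail.Send, *.ReadWrite.*, Directory.AccessAsUser.All, etc.
$writePattern = 'Write|Manage|Send|FullControl|AccessAsUser|Create|Delete'

$resourceCache = @{}
function Get-ResourceSp([string]$Id) {
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $resourceCache[$Id]
}

$rows = @()

# Application permissions: app role assignments on each resource service principal.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $res  = Get-ResourceSp $a.ResourceId
    $role = $res.AppRoles | Where-Object Id -eq $a.AppRoleId
    $rows += [pscustomobject]@{
        Kind       = 'Application'
        Resource   = $res.DisplayName
        Permission = $role.Value
        Write      = [bool]($role.Value -match $writePattern)
    }
}

# Delegated permissions: OAuth2 grants where this app is the client (usually none for a
# tenant-wide scanner, but they would let the app act as a signed-in user).
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $res = Get-ResourceSp $g.ResourceId
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        $rows += [pscustomobject]@{
            Kind       = "Delegated ($($g.ConsentType))"
            Resource   = $res.DisplayName
            Permission = $scope
            Write      = [bool]($scope -match $writePattern)
        }
    }
}

$rows | Sort-Object Write -Descending, Resource, Permission | Format-Table -AutoSize

$flagged = @($rows | Where-Object Write)
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) permission(s) are not read-scoped by name; review before relying on a read-only claim."
} else {
    Write-Host "All $($rows.Count) granted permissions are read-scoped by name."
}
```

Run it immediately after consent and again on a schedule: a later consent prompt can add scopes, and the assignments listed here are what the app can actually call with, independent of what the product page says. Treat any hit on the pattern as a question to ask, not automatically a problem; for example `Exchange.ManageAsApp` on the Office 365 Exchange Online resource grants whatever the Exchange RBAC roles assigned to that app allow, so it has to be read together with those role assignments.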
Run posture across multiple Microsoft tenants under one account
Holding companies, M&A consolidation periods, in-house IT teams managing sister-company tenants: one ScanPosture account can hold and switch between every tenant a team is responsible for, with role-scoped access per tenant.
One sign-in, many tenants
A single Microsoft work account holds membership of every tenant you have access to. The dashboard sidebar carries a tenant picker; switching is one click.
Role-scoped per tenant
Owner / admin / analyst / billing / viewer is set per (user, tenant) pair. A user can be an owner on one tenant and an analyst on another. Row-level security keeps every read scoped to the active tenant.
Built for real situations
Holding companies with multiple operating subsidiaries. Acquired businesses inside their own Entra tenant during integration. Internal IT teams supporting sister companies. The same product, scoped cleanly.
MSP partners use the same multi-tenant model with extra fleet-level views, branded reporting and per-client billing. See the MSP page →
Platform questions
Everything an IT lead or Global Administrator typically asks before granting consent.
Is the access really read-only?
Yes. The scanning service principal is granted only read-only Microsoft Graph, Exchange Online and SharePoint Online permissions, all approved on the standard Microsoft admin consent screen. There are no write or modify scopes anywhere in the request set, and no agents are installed inside your tenant. ScanPosture cannot change a single setting in your environment.
What will the Global Administrator see at consent?
You will see the standard Microsoft admin consent screen listing the read-only Graph, Exchange Online and SharePoint Online permissions ScanPosture needs to assess posture. Two optional Azure-resource checks also benefit from a Reader role at your tenant root, which is granted separately if you want them included. The full request set is shown to your Global Administrator at the moment of consent; nothing is hidden behind it.
How often does it scan?
Once a day by default, at 02:00 in your tenant timezone. You can raise that to up to four scans a day in settings, and any tenant owner or admin can trigger an unscheduled scan from the dashboard at any time.
How long does a scan take?
Typically one to three minutes for a connected Entra ID tenant. Larger tenants with a high number of apps, guests and roles sit at the longer end of that range. Progress is shown live in the dashboard while the scan runs.
How does this relate to Microsoft Secure Score?
ScanPosture reads your Secure Score as a signal and links you to it inside the Microsoft Defender portal; it does not replace it. ScanPosture's own score is a control-model rollup across nine weighted security domains, drift-aware between scans, framework-mapped, and licence-aware: missing licence coverage is reported as "out of assessment scope" rather than silently treated as a failure.
Where is customer data stored?
All customer data is stored in the United Kingdom, in our Supabase region in London. Application hosting and email delivery are routed through UK / EU infrastructure end-to-end.
Which frameworks are covered?
Eight readiness views: Cyber Essentials, ISO 27001:2022, GDPR Article 32, NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8.1, SOC 2, and NCSC CAF 4.0. ScanPosture provides readiness evidence, not certification; it does not submit, approve or certify any framework assessment.
See your Microsoft posture clearly
Start your 28-day trial and see your own posture inside a few minutes.
Read-only · no agents · 201 checks · 9 domains · No credit card