Tenant Healthcheck
The Tenant Healthcheck product scans your Microsoft 365 tenant configuration against industry best practices and operational standards. It runs entirely through your Calibrant Relay using Managed Identity — no credentials leave your environment.
How it works
- Complete the Pre-Assessment questionnaire to cover checks that can't be auto-detected
- Click Start Scan and select which categories to check
- Calibrant sends PowerShell scripts to your relay as commands
- The relay executes each script using its Managed Identity (no user credentials)
- Results are returned to Calibrant, scored against health rules weighted by severity
- Claude AI generates an executive summary and prioritized recommendations
For details on running scans, understanding scores, and reading results, see the Scanning guide.
No M365 OAuth consent required. Unlike Agent Optimizer (which uses your M365 OAuth connection for persona authentication), Healthcheck uses only the relay's Managed Identity. Your Calibrant M365 connection is not needed for this product.
Prerequisites
- Relay deployed and online — follow the Relay Setup guide
- Managed Identity permissions granted — the relay's Managed Identity needs Graph app roles and M365 admin roles. Follow Step 4 of the Relay Setup guide to run the permission grant script.
- Professional or Enterprise plan — Healthcheck is a second product slot. Free and Starter plans include one product slot (Agent Optimizer by default). Upgrade your plan and select Tenant Healthcheck from your product selection.
Check categories
You can select any combination of categories when starting a scan:
| Category | Checks | Requires |
|---|---|---|
| Tenant | Org branding, technical contacts, directory sync health, service health incidents, delegated admin relationships | Graph app roles |
| Entra ID | Global admin count, guest settings, app registrations, password policy, privileged roles, stale guests, consent policies | Graph app roles |
| Exchange Online | Modern auth, audit logging, DKIM, IMAP/POP, transport rules, TLS connectors, distribution groups, SPF records | Exchange.ManageAsApp + Exchange Administrator role |
| Microsoft Teams | Upgrade mode, guest access, external federation, consumer access, team ownership, app policies, meeting settings | Graph app roles + Teams Administrator role |
| SharePoint Online | External sharing level, domain restrictions, resharing, legacy auth, anonymous link expiry, default link type, idle sign-out | SharePointTenantSettings.Read.All + SharePoint Administrator role |
| OneDrive for Business | Storage quota, sync restrictions, orphaned account retention, sharing alignment with SharePoint | SharePoint Administrator role |
| Power Platform | DLP policies, environment inventory, flow failures (last 7 days) | BAP REST API via Managed Identity |
| Intune / Endpoint | Device enrollment, compliance policies, Defender AV status, BitLocker encryption, Autopilot, update rings | Graph DeviceManagement roles |
Credit cost
Each scan costs 2 credits regardless of how many categories are selected. Credits are deducted when the scan starts.