Pre-Assessment
Not every M365 configuration can be read automatically through APIs. Some settings require admin portal access or organizational context that the relay's Managed Identity cannot retrieve. The Pre-Assessment questionnaire lets you attest to these items so they can be included in your healthcheck score.
Optional but recommended. You can run a scan without completing the pre-assessment. Unanswered questions will be excluded from your score — they won't penalize you, but your score will only reflect what was evaluated.
How it works
- Navigate to Healthcheck → Pre-Assessment in the dashboard
- Answer each question with the available options (Yes/No, specific choices, N/A, or Not Licensed)
- Optionally add a note for additional context on any answer
- Your answers are saved immediately and included in the next scan you run
How answers affect scoring
| Answer | Effect on score |
|---|---|
| Yes (or a recommended option) | Counts as a passing check |
| No | Counts as a failing check at the question's severity level |
| N/A | Excluded from scoring — does not count for or against you |
| Not Licensed | Excluded from scoring — the feature is not part of your M365 plan |
| Unanswered | Excluded from scoring — treated as not evaluated |
Security & Governance questions
These cover security configurations that require elevated portal access or features outside the relay's API reach:
| Question | Where to check |
|---|---|
| Are third-party Teams apps restricted? | Teams admin center → Teams apps → Manage apps → Org-wide app settings |
| Is the default SharePoint sharing link type set to “Specific people”? | SharePoint admin center → Policies → Sharing → Default link type |
| Is Privileged Identity Management (PIM) configured? | Entra admin center → Identity governance → Privileged Identity Management |
| Are Purview sensitivity labels configured and published? | Purview compliance portal → Information protection → Labels |
| Are Purview DLP policies configured? | Purview compliance portal → Data loss prevention |
Operational questions
These cover operational settings and service configuration choices:
| Question | Where to check |
|---|---|
| What M365 Apps update channel is the tenant on? | M365 admin center → Settings → Org settings → Office software download, or config.office.com |
| What release track is the tenant on? | M365 admin center → Settings → Org settings → Organization profile → Release preferences |
| Have Office Cloud Policy settings been reviewed? | config.office.com → Office cloud policy service |
| Is Viva Engage in Native Mode (or not in use)? | M365 admin center → Yammer network admin |
| Have Viva Insights privacy settings been reviewed? | M365 admin center → Viva → Viva Insights settings |
Data Protection questions
These assess your organization's readiness for data loss and incident response:
| Question | Where to check |
|---|---|
| Is a third-party backup solution configured for M365 data? | Check if Veeam, Datto, AvePoint, or Microsoft 365 Backup is deployed |
| Is there a documented incident response plan covering M365? | Should cover account compromise, phishing, data exfiltration, audit log review |
Governance questions
These cover administrative practices and policy management:
| Question | Where to check |
|---|---|
| Are Conditional Access policies reviewed quarterly? | Entra admin center → Protection → Conditional Access |
| Is there a guest access review process? | Entra ID access reviews (P2) or manual quarterly guest audit |
| Are admin accounts separate from daily-use accounts? | Best practice: dedicated admin accounts (admin-user@contoso.com) for privileged tasks |
| Is SharePoint site creation governed by a process? | SharePoint admin center → Settings → Site creation |
Tips
- Use N/A for services your organization does not use (e.g., Viva Engage)
- Use Not Licensed for features that require a license tier you don't have (e.g., PIM requires Entra ID P2)
- Add notes to explain partial configurations or planned changes — these are visible in scan exports
- Re-visit the pre-assessment periodically as your tenant configuration changes