Know your M365 tenant health — automatically
100+ configuration checks across 8 M365 categories. Severity-weighted scoring. AI recommendations. Override what you handle elsewhere. Runs in minutes via your own relay — no credentials required.
The problem
M365 audits are a spreadsheet and a prayer
Most tenants are audited once — usually after an incident. The checklist is long, the findings go into a report that nobody reads, and the configuration drifts the moment the auditor leaves. Six months later, DKIM is still off.
The solution
Automated. Scored. Actionable.
Calibrant runs the audit for you — in minutes, against a curated set of 56+ rules built from CIS benchmarks and M365 best practices. Every finding is severity-ranked. Every scan gets an AI summary and prioritized action list. Run it weekly.
Protocol
How it works
Three steps from zero to scored.
Deploy Relay
A small Windows service in your Azure subscription runs scans via Managed Identity. No credentials leave your environment.
Select & Scan
Pick the categories you want to audit. Calibrant dispatches PowerShell scripts to the relay and collects results.
Review & Act
Get a scored report with severity-ranked findings and an AI-generated executive summary with prioritized actions.
Everything an audit should be
Complete coverage. No manual effort. Results in minutes.
100+ Configuration Checks
Covers identity, email security, endpoint management, external sharing, license utilization, Defender policies, and more across 8 M365 categories.
Managed Identity — No Credentials
The relay uses its Azure Managed Identity for all M365 access. No service account passwords, no OAuth tokens stored on-prem.
AI Executive Summary
Claude analyzes your findings and produces a 2–3 paragraph executive summary plus top 5 prioritized remediation recommendations.
Severity-Weighted Scoring
Critical findings carry 20× more weight than low-severity issues. Your score reflects real risk, not a simple pass/fail count.
Category-Level Breakdown
Scores per M365 workload — Entra ID, Exchange, Teams, SharePoint, OneDrive, Power Platform, and Intune/Endpoint. Drill into exactly where the gaps are.
Override & Accept Risk
Mark findings as handled by another product or accepted risk. Overridden checks are excluded from scoring and tracked on a dedicated management page.
CSV + Raw Log Export
Export findings to CSV for stakeholder reporting, or download raw PowerShell output for deep-dive troubleshooting.
What gets checked
Every check runs via PowerShell against your live tenant configuration.
Global admin count, conditional access, guest settings, inactive accounts, license utilization, OAuth scope audit, app credential expiry
DKIM/DMARC/SPF, IMAP/POP, TLS connectors, mailbox auditing, transport rules, malware filter, anti-spam, auto-expanding archive
External sharing level, anonymous link expiry, unmanaged device sync, resharing restrictions, idle session sign-out
Consumer access, external federation, app policies, anonymous meeting join, lobby bypass, messaging policies
Orphaned account retention, sync restrictions, storage quota alignment
DLP policies, environment inventory, Power Automate flow failures
Device enrollment, compliance policies, Defender AV status, BitLocker encryption, Windows Autopilot, update rings
Safe Attachments, Safe Links, anti-phishing policies, malware filter, outbound spam, quarantine policies
Zero credentials stored
The relay uses its Azure Managed Identity for all M365 connections. No passwords, no OAuth tokens, no service accounts. The VM makes outbound-only HTTPS calls to Calibrant and Microsoft APIs — no inbound ports required.
Ready to audit your tenant?
Deploy the relay once, run scans whenever you want. Most tenants complete their first full scan in under 5 minutes.