Know your M365 tenant
health — automatically
56+ configuration checks across every M365 workload. Severity-weighted scoring. AI recommendations. Runs in minutes via your own relay — no credentials required.
The problem
M365 audits are a spreadsheet and a prayer
Most tenants are audited once — usually after an incident. The checklist is long, the findings go into a report that nobody reads, and the configuration drifts the moment the auditor leaves. Six months later, DKIM is still off.
The solution
Automated. Scored. Actionable.
Calibrant runs the audit for you — in minutes, against a curated set of 56+ rules built from CIS benchmarks and M365 best practices. Every finding is severity-ranked. Every scan gets an AI summary and prioritized action list. Run it weekly.
Protocol
How it works
Three steps from zero to scored.
Deploy Relay
A small Windows service in your Azure subscription runs scans via Managed Identity. No credentials leave your environment.
Select & Scan
Pick the categories you want to audit. Calibrant dispatches PowerShell scripts to the relay and collects results.
Review & Act
Get a scored report with severity-ranked findings and an AI-generated executive summary with prioritized actions.
Everything an audit should be
Complete coverage. No manual effort. Results in minutes.
56+ Configuration Checks
Covers authentication, email security, external sharing, audit logging, guest access, device sync, and more across all M365 workloads.
Managed Identity — No Credentials
The relay uses its Azure Managed Identity for all M365 access. No service account passwords, no OAuth tokens stored on-prem.
AI Executive Summary
Claude analyzes your findings and produces a 2–3 paragraph executive summary plus top 5 prioritized remediation recommendations.
Severity-Weighted Scoring
Critical findings carry 20× more weight than low-severity issues. Your score reflects real risk, not a simple pass/fail count.
Category-Level Breakdown
Scores per M365 workload — Entra ID, Exchange, Teams, SharePoint, OneDrive, Power Platform. Drill into exactly where the gaps are.
CSV + Raw Log Export
Export findings to CSV for stakeholder reporting, or download raw PowerShell output for deep-dive troubleshooting.
What gets checked
Every check runs via PowerShell against your live tenant configuration.
Global admin count, MFA enforcement, conditional access, guest settings, stale accounts, app consent policies
DKIM/DMARC/SPF, IMAP/POP disabled, TLS connectors, mailbox auditing, unified audit log, transport rules
External sharing level, anonymous link expiry, legacy auth, unmanaged device sync, resharing restrictions
Consumer access, external federation, third-party app policies, anonymous meeting join, guest access
Orphaned account retention, sync restrictions, storage quota alignment
DLP policies, environment inventory, Power Automate flow failures
Zero credentials stored
The relay uses its Azure Managed Identity for all M365 connections. No passwords, no OAuth tokens, no service accounts. The VM makes outbound-only HTTPS calls to Calibrant and Microsoft APIs — no inbound ports required.
Ready to audit your tenant?
Deploy the relay once, run scans whenever you want. Most tenants complete their first full scan in under 5 minutes.