Not $25K. Not a PowerShell script. Results.

Your M365 tenant has gaps.
We find them free.

400+ automated checks across Entra ID, Conditional Access, Defender, and email security. Read-only access. Branded PDF report with prioritized remediation — delivered in 24 hours. Traditional consultants charge $10K–$25K for less.

No software installs Read-only delegated access Remove app anytime Results in 24 hours
400+
Automated Checks
24hr
Report Delivery
$0
Assessment Cost
100%
Read-Only Access

See how it works

// Why TenantShield

Security teams shouldn't choose between expensive and effective.

DIY tools like Maester and ScubaGear are powerful — but they take hours to configure and require PowerShell expertise. Traditional consultants charge $10K–$25K and take weeks. TenantShield gives you the same depth, without the overhead.

What matters DIY (Maester / Scripts) TenantShield ✦ Big Consultant
Cost Free — but your time isn't Free / $3,500 $10K–$25K
Setup time Hours (expert required) 60 seconds Days (onboarding calls)
Time to results Same day — if it runs 24 hours 2–4 weeks
Report format Raw HTML / CLI output Branded PDF + scorecard PDF (generic template)
Human review None Every finding reviewed Yes — but billable hours
Compliance mapping CIS / CISA built-in CIS, NIST, CMMC, SOC 2 Varies by firm
Remediation roadmap Not included Included, prioritized Add-on / extra cost
Tenant access removed after Manual We walk you through it Varies
// How It Works

Three steps. No software.
No disruption to your team.

01

Connect your tenant

Click "Start Assessment" and approve read-only access on Microsoft's standard consent screen. Your admin clicks one button — done.

⏱ 60 seconds
02

We scan everything

400+ Maester checks run against your Entra ID, Conditional Access, authentication methods, Defender, and email security config. Completely automated.

⏱ 15 minutes
03

Get your report

Branded PDF with every finding prioritized by severity, mapped to CIS/NIST/CMMC, with specific remediation steps. We remove the app from your tenant, then email you the results.

⏱ 24 hours
TenantShield_Report_AcmeCorp.pdf
72 /100
B–
acmecorp.onmicrosoft.com
25 Critical Findings
400+ checks run
168 passed · 25 critical · 9 warn
CIS · NIST · CMMC mapped
7 Conditional Access gaps — Legacy authentication not blocked on 3 policies; admin accounts excluded from MFA enforcement.
Global Admin sprawl — 9 accounts with standing Global Admin; CIS benchmark recommends ≤5 with PIM.
DMARC policy: none — Domain open to spoofing; upgrade to p=quarantine → p=reject.
$4,200/mo in savings found — 14 E5 licenses assigned to users with E3-level usage.
// What We Find

The gaps your IT team
doesn't know about yet.

89+
Entra ID & Identity
Admin roles, PIM, stale accounts, app registrations
42+
Conditional Access
Policy gaps, legacy auth, device compliance, location
58+
Defender for Office
Anti-phishing, Safe Attachments, Safe Links, DMARC
45+
Exchange Online
Transport rules, mailbox auditing, mail flow security
38+
SharePoint & OneDrive
External sharing, guest access, DLP, retention
32+
Microsoft Teams
Guest federation, meeting policies, channel access
55+
Intune & Devices
Compliance policies, BitLocker, MDM enrollment gaps
41+
Email Auth (DNS)
SPF, DKIM, DMARC — per domain, including subdomains
🔓

Missing MFA enforcement

Conditional Access policies with gaps — admin accounts without MFA, legacy auth still enabled, no device compliance requirements.

🛡

Entra ID misconfigurations

Over-privileged admin roles, stale accounts with access, app registrations with dangerous permissions, missing PIM activation.

Email security failures

Missing or misconfigured SPF, DKIM, DMARC records. No DMARC reject policy. Domains vulnerable to spoofing attacks.

🔍

Defender policy gaps

Safe Attachments not enabled, Safe Links misconfigured, anti-phishing policies missing, outbound spam filtering gaps.

📋

Compliance drift

Findings mapped to CIS Microsoft 365 Benchmarks, NIST 800-53, CMMC, and SOC 2. Know exactly where you stand before an audit.

💰

Wasted license spend

E5 licenses assigned to users who only need E3. Most clients discover $2K–$8K/month in savings that fund security improvements.

// Who's behind this

Not a faceless SaaS.
A real person.

TenantShield is run by Jason Soto, a Microsoft Endpoint & Security Architect with 10+ years hands-on in the M365 security stack — Entra ID, Intune, Conditional Access, Defender for Endpoint.

Every assessment is personally reviewed. Built for organizations with 50–500 M365 users — large enough for real security complexity, lean enough to need outside expertise rather than a full-time CISO.

Maester CISA ScubaGear CIS Benchmarks NIST 800-53 BloodHound CE
// Pricing

Transparent. No surprises.

Traditional consultants charge $10K–$25K for a one-time M365 assessment. Our full assessment is $3,500 — with remediation execution included.

Free
Security Assessment
$0
  • 400+ Maester checks
  • Branded PDF report
  • Interactive scorecard
  • Prioritized findings
  • 30-min results briefing
Start Free Assessment
Monthly
vCISO Retainer
$5,000/mo
  • Everything in full assessment
  • Ongoing remediation execution
  • Monthly posture reviews
  • CA & Defender management
  • Incident response planning
  • Quarterly re-assessments
  • Direct Slack/Teams channel
Schedule Consultation →
// Common questions

Everything you need to know before you start.

Do you need admin access to our tenant?

We request read-only delegated access through Microsoft's standard OAuth consent flow. Your Global Admin reviews and approves the exact permissions on Microsoft's own login page — nothing runs without explicit approval. We request SecurityEvents.Read, Policy.Read.All, and similar read-only Graph API scopes.

Is the free assessment actually free?

Yes — 400+ checks, a branded PDF report, and a 30-minute results briefing are completely free. No credit card, no trial period. We offer the free assessment because it consistently surfaces findings that lead to paid remediation work — but that's entirely your choice.

How is this different from Microsoft Secure Score?

Microsoft Secure Score tracks your own progress over time — it doesn't show exploitable attack paths or benchmark you against real-world risk. TenantShield uses Maester + CISA SCuBA + BloodHound attack path analysis to find what attackers actually target: credential phishing paths, admin role sprawl, legacy auth bypasses, and CA policy loopholes.

Can we remove the app after the assessment?

Yes — one click in Entra ID under Enterprise Applications. We include step-by-step instructions in your report and walk you through removal during the results briefing. You're in full control of the timeline.

What compliance frameworks do you map to?

Every finding is cross-referenced against CIS Microsoft 365 Foundations Benchmark, NIST 800-53, CMMC 2.0, and SOC 2. For the full assessment, we also include CISA SCuBA guidance mappings. If you have a specific regulatory requirement (HIPAA, PCI, ISO 27001), mention it in the contact form.

How long does the full assessment take?

60 seconds to connect your tenant → 15 minutes of automated scanning → 24 hours for your report. Traditional consultants take 2–4 weeks for a comparable assessment. We move fast because we're not billing by the hour.

// Get in touch

Prefer email
over a call?

Fill out the form and I'll respond within one business day. Or start the free assessment directly — no call needed.

We'll respond within 1 business day. No spam, no drip. Just a real conversation.

Start Free Assessment