400+ automated checks across Entra ID, Conditional Access, Defender, and email security. Read-only access. Branded PDF report with prioritized remediation — delivered in 24 hours. Traditional consultants charge $10K–$25K for less.
See how it works
DIY tools like Maester and ScubaGear are powerful — but they take hours to configure and require PowerShell expertise. Traditional consultants charge $10K–$25K and take weeks. TenantShield gives you the same depth, without the overhead.
| What matters | DIY (Maester / Scripts) | TenantShield ✦ | Big Consultant |
|---|---|---|---|
| Cost | Free — but your time isn't | Free / $3,500 | $10K–$25K |
| Setup time | Hours (expert required) | 60 seconds | Days (onboarding calls) |
| Time to results | Same day — if it runs | 24 hours | 2–4 weeks |
| Report format | Raw HTML / CLI output | Branded PDF + scorecard | PDF (generic template) |
| Human review | None | Every finding reviewed | Yes — but billable hours |
| Compliance mapping | CIS / CISA built-in | CIS, NIST, CMMC, SOC 2 | Varies by firm |
| Remediation roadmap | Not included | Included, prioritized | Add-on / extra cost |
| Tenant access removed after | Manual | We walk you through it | Varies |
Click "Start Assessment" and approve read-only access on Microsoft's standard consent screen. Your admin clicks one button — done.
400+ Maester checks run against your Entra ID, Conditional Access, authentication methods, Defender, and email security config. Completely automated.
Branded PDF with every finding prioritized by severity, mapped to CIS/NIST/CMMC, with specific remediation steps. We remove the app from your tenant, then email you the results.
Conditional Access policies with gaps — admin accounts without MFA, legacy auth still enabled, no device compliance requirements.
Over-privileged admin roles, stale accounts with access, app registrations with dangerous permissions, missing PIM activation.
Missing or misconfigured SPF, DKIM, DMARC records. No DMARC reject policy. Domains vulnerable to spoofing attacks.
Safe Attachments not enabled, Safe Links misconfigured, anti-phishing policies missing, outbound spam filtering gaps.
Findings mapped to CIS Microsoft 365 Benchmarks, NIST 800-53, CMMC, and SOC 2. Know exactly where you stand before an audit.
E5 licenses assigned to users who only need E3. Most clients discover $2K–$8K/month in savings that fund security improvements.
TenantShield is run by Jason Soto, a Microsoft Endpoint & Security Architect with 10+ years hands-on in the M365 security stack — Entra ID, Intune, Conditional Access, Defender for Endpoint.
Every assessment is personally reviewed. Built for organizations with 50–500 M365 users — large enough for real security complexity, lean enough to need outside expertise rather than a full-time CISO.
Traditional consultants charge $10K–$25K for a one-time M365 assessment. Our full assessment is $3,500 — with remediation execution included.
We request read-only delegated access through Microsoft's standard OAuth consent flow. Your Global Admin reviews and approves the exact permissions on Microsoft's own login page — nothing runs without explicit approval. We request SecurityEvents.Read, Policy.Read.All, and similar read-only Graph API scopes.
Yes — 400+ checks, a branded PDF report, and a 30-minute results briefing are completely free. No credit card, no trial period. We offer the free assessment because it consistently surfaces findings that lead to paid remediation work — but that's entirely your choice.
Microsoft Secure Score tracks your own progress over time — it doesn't show exploitable attack paths or benchmark you against real-world risk. TenantShield uses Maester + CISA SCuBA + BloodHound attack path analysis to find what attackers actually target: credential phishing paths, admin role sprawl, legacy auth bypasses, and CA policy loopholes.
Yes — one click in Entra ID under Enterprise Applications. We include step-by-step instructions in your report and walk you through removal during the results briefing. You're in full control of the timeline.
Every finding is cross-referenced against CIS Microsoft 365 Foundations Benchmark, NIST 800-53, CMMC 2.0, and SOC 2. For the full assessment, we also include CISA SCuBA guidance mappings. If you have a specific regulatory requirement (HIPAA, PCI, ISO 27001), mention it in the contact form.
60 seconds to connect your tenant → 15 minutes of automated scanning → 24 hours for your report. Traditional consultants take 2–4 weeks for a comparable assessment. We move fast because we're not billing by the hour.
Fill out the form and I'll respond within one business day. Or start the free assessment directly — no call needed.