Alternative to Maester M365-Assess ScubaGear TenantShield ✦

M365 Security Assessment
Without the PowerShell

Those tools are great — if you want to spend a weekend installing modules and parsing JSON. TenantShield runs the same 400+ checks and hands you a branded PDF report in 24 hours.

No PowerShell required
Read-only OAuth — no agent installed
Remediation execution included
Step 1 — Free instant scan
DNS Perimeter Check
No account needed. DNS lookups only — we never touch your tenant. Skip to the full 400-check assessment →
Checking DNS records…
0 / 100
Scanning…
DNS & Perimeter Checks (7 of 400+)

That's your perimeter. Here's what's hiding inside.

DNS checks are the surface layer — Maester, M365-Assess, and ScubaGear all go deeper. So does TenantShield. The full assessment runs 400+ checks live inside your tenant: Conditional Access policy gaps, admin role sprawl, Defender misconfiguration, guest access exposure, device compliance failures, and more.

400+ Checks — What We Actually Run

Every M365 Attack Surface,
Covered

We built TenantShield on top of the same check categories used by Maester, M365-Assess, and CISA SCuBA — then added remediation, compliance mapping, and a human review layer.

89+
Identity & Entra ID
Users, groups, roles, admin accounts, app registrations, service principals
Global Admin sprawl
Stale guest accounts
MFA gaps on admins
42+
Conditional Access
Policy gaps, legacy auth, location bypass, sign-in risk controls
Legacy auth not blocked
No risk-based CA policy
Report-only policies
58+
Defender for Office
Anti-phishing, safe links, safe attachments, zero-hour auto purge
Safe Links disabled
Impersonation rules weak
DKIM not enforced
45+
Exchange Online
Mail flow rules, relay, journaling, mailbox permissions, transport rules
Open relay rules
Overpermissioned delegates
Journaling unconfigured
38+
SharePoint & OneDrive
External sharing, link expiry, guest access, DLP policies, sensitivity labels
Anyone links enabled
No link expiry
External sharing unrestricted
32+
Microsoft Teams
Guest access, anonymous meetings, third-party app permissions, channels
Anonymous join enabled
External apps uncontrolled
Guest messaging allowed
55+
Intune & Devices
Compliance policies, encryption, OS patch level, jailbreak detection, MAM
Non-compliant devices in use
Encryption not enforced
No MDM compliance CA
41+
Email Auth & DNS
SPF, DMARC, DKIM, MX, DNSSEC, Autodiscover, mail relay exposure
DMARC policy = none
SPF too permissive
DKIM key not rotated
400+
automated checks, read-only, no agent installed
CIS v8 NIST 800-53 CMMC 2.0 SOC 2 CISA SCuBA ISO 27001 HIPAA
Tool Comparison

TenantShield vs the DIY Tools

Maester, M365-Assess, and ScubaGear are excellent open-source projects. TenantShield is what you use when you want the results without doing the work.

DIY Open-Source Tools
Maester / M365-Assess / ScubaGear
Setup required: Install PowerShell 7, import modules, configure app registration
You run it: CLI commands, auth flows, wait for execution (1–4 hours)
Local output only: HTML file on your disk, no shared report
No remediation: You get findings — fixing them is on you
~ Free but costly: Engineer time, setup, interpretation = real cost
✦ TenantShield Managed
We run everything for you
Zero setup: Click OAuth → grant read-only scopes → done
We run it: 400+ checks executed by our team, results in 24 hours
Branded PDF report: Executive summary + prioritized findings + compliance matrix
Remediation included: We fix the critical findings, not just list them
$3,500 all-in: vs $10K–$25K traditional consultants for the same scope
Feature Maester M365-Assess ScubaGear (CISA) TenantShield ✦
Total checks 360+ 292+ ~200 400+
Setup required PS7 + modules PS7 + modules PS7 + OPA + Python None
Who runs it You You You We do
Time to results 1–4 hrs 1–4 hrs 2–8 hrs 24 hrs
Report format Local HTML HTML + XLSX REGO / HTML Branded PDF
Remediation included ✓ Included
Human expert review ✓ vCISO review
Compliance frameworks CIS, NIST 15 frameworks CISA SCuBA CIS, NIST, CMMC, SOC 2, SCuBA, ISO, HIPAA
Price Free (your time) Free (your time) Free (gov only) $3,500 all-in

"The open-source tools are great if you have a PowerShell expert on staff. Most companies don't. That's exactly the gap TenantShield fills — same rigor, none of the setup, with someone who fixes it afterward."

— TenantShield

Ready for the Full Assessment?

Grant read-only OAuth access. We run 400+ checks across your entire M365 tenant and deliver a prioritized, branded report in 24 hours — with remediation execution included.

Read-only access — removed after assessment
Results in 24 hours
$3,500 flat — no surprises