Microsoft 365 | Board of cyber

Continuously audit the security of your Microsoft 365 tenant

Microsoft records over 600 million cyberattacks targeting its services every day. Entra ID, SharePoint, Teams, OneDrive, Exchange, Microsoft Defender… every component of your Microsoft 365 environment is a potential attack surface. Between configuration errors introduced by teams, the rapid evolution of cloud environments, and emerging threats, one question remains central: What is the actual security level of your Microsoft 365 tenant?

365 Rating® enables you to:

Obtain a clear Microsoft 365 security score (0–1,000) to manage your posture and communicate with the C-suite
Continuously identify vulnerabilities and misconfigurations across your 3 critical axes: Entra ID, collaboration tools, and Microsoft Defender
Prioritize remediation actions through concrete recommendations and integrated guides
Manage multiple tenants simultaneously from a consolidated dashboard
Produce reports tailored to each audience: C-suite and technical teams

Discover 365 Rating

Why securing your Microsoft 365 environment has become critical

Microsoft 365 has become the backbone of identity and collaboration in most organisations. But this widespread adoption also makes it a prime target: compromised identities, uncontrolled file sharing and incomplete Defender configurations are all entry points exploited by cybercriminals on a daily basis.

The three most frequent attack vectors on Microsoft 365:

Entra ID identity compromise : phishing, credential theft, MFA bypass, and exploitation of poorly configured privileged accounts

Data exposure via collaboration tools : excessive sharing on SharePoint, Teams, or OneDrive exposing sensitive data to unauthorized third parties

Incomplete or misconfigured Defender protection : insufficient coverage of endpoints, email, and cloud applications leaving exploitable blind spots

The native Microsoft Secure Score is not enough: oriented toward Microsoft's commercial recommendations, it provides neither an independent synthetic score, nor a consolidated multi-tenant view, nor a report adapted for the C-suite. 365 Rating® fills precisely these gaps.

365 Rating®: evaluate, prioritize, and continuously strengthen your Microsoft 365 security

365 Rating® continuously analyzes the configuration of your Microsoft 365 tenant across 10 domains grouped into 3 axes, relying on 130+ automated controls updated daily. Its global score of 0–1,000 and per-domain ratings (A to E) offer an immediately actionable view, for both technical teams and management.

An Microsoft 365 security score to manage your posture

Global score 0–1,000 updated daily, synthesizing the maturity of your tenant
130+ automated controls covering 10 analysis domains
Per-domain rating from A to E to immediately identify your weak points
Score trend tracking over time
Simplified communication with the C-suite and operational teams

11 analysis axes for comprehensive coverage

365 Rating® provides in-depth analysis of the three critical components of your Microsoft 365 environment:

Axis 1 — Identities (Entra ID)

Identity and access management : conditional access policies, MFA, risky configurations
Guest management : control of external access and guest accounts
Privileged account management : exposure and practices on administrator accounts

Axis 2 — Collaboration Tools

General configuration : global tenant security settings
Collaboration tools : SharePoint, Teams, OneDrive: excessive sharing and risky usage
Email settings : Exchange configuration and mail flow security
Email security settings : anti-phishing, anti-spam, DKIM, DMARC, SPF

Axis 3 — Microsoft Defender

Microsoft Defender for Cloud Apps : control of third-party applications connected to the tenant
Microsoft Defender for Endpoints : workstation protection coverage
Microsoft Defender for Office : email and collaboration tool protection

Detailed observables to move from detection to remediation

Severity level for each observable
Technical risk description and exploitation context
Concrete remediation recommendations with integrated guides
Progress tracking and correction validation over time

Centralized dashboard — multi-tenant

Consolidated view to manage multiple tenants simultaneously
Security score comparison by entity to identify weak links
Risk trend tracking over time
Simplified governance and C-suite communication

Executive and technical reports

COMEX Report : executive summary, overall score, key risks, strategic priorities
Detailed technical report : findings, severity, recommendations and remediation plan
Exportable reports for NIS2, DORA and ISO 27001 compliance audits

Multilingual platform

Available in French, English, German, Italian, and Spanish — designed for international organizations.

Request a demo

Do you also manage an on-premises Active Directory?

365 Rating® covers the security of your Microsoft 365 and Entra ID environments. To assess and manage the security of your on-premises Active Directory, discover AD Rating®, our dedicated solution.

I'm securing my Active Directory

365 Rating® vs Microsoft Secure Score: what's the difference?

Microsoft Secure Score is a useful built-in tool, but it has inherent limitations for organisations that require independent, consolidated reporting that can be presented to senior management.

Comparison of 365 Rating® and Microsoft Secure Score:

Criteria	365 Rating®	Microsoft Secure Score
Analysis scope	✅ Entra ID + collaborative tools + Defender	⚠️ Commercial bias in Microsoft recommendations
Readable synthetic score	✅ Score 0–1,000	⚠️ Technical score, difficult to contextualize
Rating by axis (A to E)	✅ 10 rated domains	❌ No
Executive report	✅ Yes, automated	❌ Manual writing
Detailed technical report	✅ Yes, with findings and priorities	⚠️ Recommendations without clear prioritization
Multi-tenant	✅ Consolidated dashboard	❌ Tenant-by-tenant view
Independence from Microsoft	✅ Independent third-party analysis	❌ Vendor self-assessment
Multilingual	✅ 5 languages	⚠️ Limited

365 Rating® offers a fundamentally different approach:

Continuous, independent analysis, not a self-assessment by the vendor
A score ranging from 0 to 1,000 that is immediately understandable to non-cybersecurity experts
A consolidated, multi-tenant view, ideal for groups, MSPs and investment funds
A remediation-focused approach, each observable is linked to a concrete action with guidance
Reports tailored to each audience without the need for manual data entry

Implementing 365 Rating® in 5 steps

1

Download the installation script from the Board of Cyber platform

2

Install the 365 Rating® application on your tenant; you must be a tenant administrator to run the script locally on your machine. The script installs the Microsoft dependencies required for the application to function.

3

Enable permissions for the API: from the ‘API Permissions’ menu, click on ‘Grant admin consent for [Your company]’

4

Synchronise the application with the Board of Cyber platform and import your tenant’s configuration details

5

View risk findings, scores and recommendations directly from the Board of Cyber platform

365 Rating® Use Cases

Continuously improving your Microsoft 365 security posture Post-incident or pre-audit hardening Mergers and acquisitions Managing multiple tenants simultaneously Reporting to executives and technical teams Meeting regulatory requirements

Continuously improving your Microsoft 365 security posture

Maintain an optimal security level across your Microsoft 365 tenant, regardless of how fast your cloud environment evolves.

Daily detection of new vulnerabilities and configuration drifts
Tracking security score evolution over time
Prioritized recommendations to quickly address the most critical risks
Continuous alignment with Microsoft best practices and security standards

Post-incident or pre-audit hardening

Before an internal, client, or insurance audit, or following a security incident, 365 Rating® allows you to objectively measure your posture and document your corrective actions.

Rapid assessment of the current security level of your tenant
Identification of critical control points to address as a priority
Generation of exportable reports for internal auditors, clients, and insurers
Tracking and validation of corrections over time

Mergers and acquisitions — audit and remediate during and after the deal

During a merger or acquisition, the target entity's Microsoft 365 environment is often a blind spot from a security perspective. 365 Rating® enables a rapid and structured assessment from the very first stages.

Rapid audit of the acquired entity's M365 tenant without direct infrastructure access
Identification of critical vulnerabilities and gaps against the acquirer's standards
Tracking remediation and secure integration over time
Exportable assessment report for due diligence purposes

Managing multiple tenants simultaneously

For international groups, managed service providers (MSSPs), or investment funds, 365 Rating® provides a consolidated view of the security posture across all your Microsoft 365 tenants.

Unified dashboard to compare the security posture of multiple tenants
Rapid identification of the most exposed entities
Centralized tracking of continuous improvement
Simplified governance for group cyber teams

Reporting to executives and technical teams in a unified way

365 Rating® automatically generates two types of reports tailored to each audience, with no manual reformatting required.

Executive report : overall score, trends, key risks, and strategic priorities
Technical report : detailed findings, criticality, recommendations, and remediation plan
0–1,000 score readable by non-cybersecurity experts
Industry benchmarks to contextualize your security level

Meeting regulatory requirements

NIS2, DORA, and ISO 27001 place the security of identities, access, and collaborative tools at the heart of their requirements. 365 Rating® generates the evidence and reports needed for your compliance audits.

Identification of critical control points
Exportable reports for internal and external auditors
Documentation of continuous improvement of the security posture

Request a demo

Frequently asked questions about Microsoft 365 security

What is a Microsoft 365 security audit? ▼

A Microsoft 365 security audit is an in-depth analysis of your tenant's configuration: identity and access management (Entra ID), collaborative tools settings (SharePoint, Teams, OneDrive, Exchange), and Microsoft Defender configuration. Its goal is to identify vulnerabilities, misconfigurations, and data exposure risks before an attacker can exploit them. With 365 Rating®, this audit is fully automated and updated on a daily basis.

What is the difference between 365 Rating® and Microsoft Secure Score? ▼

Microsoft Secure Score is a useful native tool, but it is a self-assessment produced by Microsoft, oriented toward its own commercial recommendations. 365 Rating® is a trusted, independent third-party analysis: it covers the entire tenant (Entra ID, collaborative tools, Defender), generates a 0–1,000 score readable by non-experts, offers a consolidated multi-tenant view, and produces reports tailored for executive leadership, all features absent from the native Secure Score.

How can you effectively secure your Microsoft 365 tenant? ▼

Securing a Microsoft 365 tenant relies on several pillars: enforcing robust conditional access policies and enabling MFA on all accounts, controlling Entra ID privileged account permissions, managing sharing settings on SharePoint and Teams, properly configuring Exchange protections (DKIM, DMARC, SPF, anti-phishing), and enabling Microsoft Defender across the entire perimeter. But tenant security is not a fixed state, configurations constantly evolve. That is precisely why a continuous audit solution like 365 Rating® is more effective than a one-time assessment.

Does 365 Rating® help meet NIS2 and DORA requirements? ▼

Yes. NIS2 and DORA require organizations to demonstrate active management of risks related to identities, access, and digital tools. 365 Rating® incorporates the critical control points tied to these regulations, generates exportable reports usable during audits, and enables documentation of the continuous improvement of your Microsoft 365 security posture.

Is 365 Rating® suitable for MSSPs and multi-tenant organizations? ▼

Yes, and it is actually one of its flagship use cases. The consolidated dashboard of 365 Rating® allows you to simultaneously manage the security of multiple Microsoft 365 tenants — ideal for managed security service providers (MSSPs), international groups, and investment funds managing a portfolio of entities. Each tenant has its own score and its own recommendations, all visible from a centralized view.

Do you need administrator rights to deploy 365 Rating®? ▼

Only for the initial installation of the 365 Rating® application on your tenant: you need to be a tenant administrator to run the installation script and grant the required read-only API permissions (Graph API). Once the installation is complete, the analysis runs automatically.

Microsoft 365 - 365 Rating®