
M365-Assess 2.0 — A New Report Engine and 274 Automated Checks

Most Microsoft 365 tenants have security gaps nobody has mapped. Conditional Access policies get added over time and never reviewed. Licensing changes quietly invalidate assumptions. New features roll out with permissive defaults. Unless you run regular assessments, configuration drift accumulates without anyone noticing — until an auditor finds it, or an attacker does.

Running a thorough M365 audit used to mean hours of manual work: clicking through admin portals, cross-referencing framework documents, and assembling findings into something a client could read. We built M365-Assess to automate that. Version 2.0 is the best version of that tool yet.

What M365-Assess does

M365-Assess is a read-only PowerShell module that connects to your Microsoft 365 tenant, runs a complete security posture scan, and produces a self-contained interactive HTML report — all without leaving your machine.

🚫 No telemetry · 🚫 No accounts · 🔒 Data stays in your tenant · 👁 Read-only Graph API · 📄 MIT licensed · ⚡ Runs on your machine

The new interactive report

The headline feature in v2.0 is a completely rebuilt report engine. The HTML report is now a fully interactive React application — self-contained, no server required, opens directly in any browser.

Three color themes ship out of the box: Neon (purple/teal gradient), Console (navy operations), and SaaS (corporate blue). Each has a light and dark mode. A high-contrast mode (WCAG AAA) is also available for accessibility.

Beyond themes, the report includes:

  • Live compliance filter panel — toggle frameworks on and off to focus on CIS, NIST, SOC 2, or any mapped framework without re-running the assessment
  • Paginated navigation with hash routing and keyboard support — works like a proper app, not a scrolling document
  • PDF export via the browser print dialog — no headless browser, no external dependency
  • Mobile-responsive navigation — readable on a tablet when presenting to a client

How the engine was rebuilt

The old report was generated by a single 4,424-line PowerShell function that assembled the entire HTML document through string concatenation. The file weighed over 6MB. Making UI changes meant editing PowerShell string templates — slow, fragile, and untestable.

V2.0 replaces this with a clean three-stage pipeline:

# Assessment run → CSV exports → Build-ReportData.ps1 (JSON bridge) → React app (inlined)
Invoke-M365Assessment   # produces CSVs + calls Build-ReportData + inlines React → single HTML file

The assessment logic and the report UI are now completely separate. The React app is compiled and inlined — the output is still a single portable HTML file, but the architecture is maintainable. The report size dropped from over 6MB to 1.3MB.

That’s not a compression trick — it’s what happens when you replace 4,424 lines of duplicated HTML string building with a proper component model.

Coverage: 274 checks across 14 frameworks

V2.0 ships 274 automated security checks across 8 M365 service areas:

Identity (Entra ID) · Exchange Online · Intune · Security (Defender / Secure Score) · Collaboration (Teams / SharePoint / OneDrive) · PowerBI · Hybrid / Active Directory · Purview

Every finding is mapped to the compliance frameworks you actually work with:

CIS M365 v6 · CIS Controls v8 · NIST 800-53 Rev 5 · NIST CSF · CISA SCuBA · CMMC · Essential Eight · FedRAMP · HIPAA · ISO 27001 · MITRE ATT&CK · PCI DSS v4 · SOC 2 TSC · DISA STIG

The compliance filter panel in the report lets you scope findings to one or more frameworks live — useful when a client has a specific audit scope.

Also new in v2.0

Baseline drift detection. Compare-M365Baseline compares two scans and generates a change report showing exactly what improved, regressed, or shifted between assessments. Useful for tracking remediation progress or demonstrating improvement to auditors.

Flexible authentication. Certificate, device code, managed identity, app secret, and pre-existing connection modes are all supported with enforced parameter sets. Full CI/CD pipeline support — run automated assessments without interactive sign-in.

White-label reports. Custom company name, logo, and accent color for client-facing deliverables.

License-aware checks. The tool automatically skips checks that require service plans your tenant doesn’t have — no false positives from features you haven’t licensed.
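The comparison behind baseline drift detection, sketched as an added example; this is not M365-Assess code and does not call Compare-M365Baseline. The column names (CheckId, Status), the status values, the check IDs and the function name Get-ScanDrift are assumptions made for illustration, and "shifted" is taken here to mean a status change with no clear better/worse ordering. Checks present in only one scan, for instance because a license-dependent check was skipped in one run, are reported as Added or Removed so they are not miscounted as improvements or regressions.

```powershell
# Constructed sample scans. Column names and status values are assumptions,
# not the real M365-Assess CSV export schema.
$before = @'
CheckId,Status
EXAMPLE-001,Fail
EXAMPLE-002,Pass
EXAMPLE-003,Warning
EXAMPLE-004,Pass
EXAMPLE-005,Fail
'@ | ConvertFrom-Csv

$after = @'
CheckId,Status
EXAMPLE-001,Pass
EXAMPLE-002,Fail
EXAMPLE-003,Review
EXAMPLE-004,Pass
EXAMPLE-006,Fail
'@ | ConvertFrom-Csv

function Get-ScanDrift {
    param([object[]]$Baseline, [object[]]$Current)
    # Only statuses with an obvious ordering are ranked; others count as "Shifted".
    $rank = @{ Fail = 0; Warning = 1; Pass = 2 }
    $old = @{}; foreach ($r in $Baseline) { $old[$r.CheckId] = $r.Status }
    $new = @{}; foreach ($r in $Current)  { $new[$r.CheckId] = $r.Status }
    $ids = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $o = $old[$id]; $n = $new[$id]   # $null when the check is absent from a scan
        $change = if (-not $old.ContainsKey($id)) { 'Added' }
        elseif (-not $new.ContainsKey($id)) { 'Removed' }
        elseif ($o -eq $n) { 'Unchanged' }
        elseif ($rank.ContainsKey($o) -and $rank.ContainsKey($n)) {
            if ($rank[$n] -gt $rank[$o]) { 'Improved' } else { 'Regressed' }
        }
        else { 'Shifted' }
        [pscustomobject]@{ CheckId = $id; Before = $o; After = $n; Change = $change }
    }
}

# Show only the checks whose state differs between the two scans.
Get-ScanDrift -Baseline $before -Current $after |
    Where-Object Change -ne 'Unchanged' |
    Format-Table -AutoSize
```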

Trust

Running a security tool against your tenant requires trust. M365-Assess is fully open source under the MIT license. It makes read-only Microsoft Graph API calls. No data is sent anywhere — results are written to a timestamped folder on your machine. No accounts required, no telemetry, no tracking of any kind. Review the source on GitHub.

Get started

Install-Module M365-Assess
Invoke-M365Assessment