A 15-minute read on your Microsoft 365 setup.
This takes 10–15 minutes. We connect to your tenant with read-only Graph permissions, pull a snapshot, and email you a PDF report. The stuff that usually gets missed — MFA gaps, stale admins, half-configured CA policies, licenses you're paying for and not using.
We don't see your inbox. We don't see your files. We can't change a setting. When the report ships, you remove the consent in 60 seconds and we're gone.
I run an MSP in Calgary. I built this audit because every prospect asks me "how secure is our Microsoft 365, really?" and I got tired of quoting an audit project before they could see if there was even a problem worth fixing. So now I just show people. Free, read-only, and the report is yours either way.
Honest answer: we're an MSP and free audits are how we meet potential clients. Most people who run one never become clients — that's fine, we don't follow up unless you reply to the report email. The audit is a real deliverable on its own. The hope is that maybe one in twenty looks at the findings and decides hiring us is the easiest fix. That ratio works for both sides.
- MFA registration coverage across users
- Global admin exposure (count, MFA, last sign-in)
- Conditional access policies — what's enabled vs. what's actually enforcing
- Recent admin sign-in activity (last 30 days)
- License waste — assigned but unused E3 / E5 features, abandoned guest accounts
- Posture against CMMC L2 / CIS / NIST 800-171 — fast pass, not a full assessment
- An overall score and a one-paragraph summary
- Top findings in plain language — what's broken and why it matters
- An actionable fix list short enough to actually work through
- PDF you can keep, forward to your IT person, or hand to your insurance broker
The four Microsoft Graph permissions we ask for are .Read.All — Microsoft's strict read-only tier. Spelled out:
- can't send email from any mailbox
- can't change a single setting in your tenant
- can't read your inbox, calendar, or files
- can't grant itself more permissions later
- can read user/group counts, MFA stats, audit logs, identity policies, and licensing reports
You can verify this on Microsoft's docs or by reading the consent screen before you click Approve. If anything looks off, just close the tab.
1. Drop your work email in the form. We send you a one-time consent link.
2. Click the link, sign in to Microsoft, approve four read-only permissions.
3. The scan runs in the background — about 15 minutes.
4. The PDF lands in your inbox. That's the deliverable.
5. Revoke access whenever you want. Steps below.
- portal.azure.com → Microsoft Entra ID → Enterprise Applications
- Search "Stellar IT"
- Open the result → Properties → Delete
The service principal is removed from your tenant entirely. The report we already shipped is yours; nothing else lingers.
This is a free preliminary snapshot. It is not a formal CMMC L2 / NIST 800-171 audit, a penetration test, or ongoing monitoring. The PDF is watermarked accordingly so nobody mistakes it for one. If you need any of those, that's a paid engagement — talk to us.
No signup. No card. We email you the consent link directly.