๐Ÿ“‹ SAMPLE REPORT โ€” illustrative data for demonstration only. Run your own free scan to see your real numbers โ†’

This is what your real report will look like โ€” built from your own tenant's data.

Run your free scan
Organization
Contoso Retail Group (sample)
Domain
contoso-retail.com
Scanned by
Alex Tan ยท [email protected]
Scan date
June 18, 2026, 9:42 AM
62/ 100
M365 Health Score
Needs attention. There are real gaps below, several worth fixing this week.
Total monthly waste
$434.00
$5,208.00/year
47 users scanned ยท June 18, 2026, 9:42 AM
6
High
4
Medium
2
Low

Action roadmap

Every finding below, re-sorted into what to tackle first.

This week

MFA gap โ€” Require MFA for 4 users with no method registered
Email security โ€” Publish a DMARC record for contoso-retail.com
Risky app โ€” Review "QuickReports Connector" โ€” granted Mail.ReadWrite

This month

Admin sprawl โ€” Review 7 Global Admins, move most to scoped roles
Stale guest โ€” Remove guest access for 2 inactive external collaborators
License โ€” Remove Microsoft 365 E3 from 3 disabled accounts

This quarter

License โ€” Reduce Microsoft 365 E3 by 6 unassigned seats at renewal
Secure Score โ€” Enable self-service password reset

Findings by category

Every finding across all five pillars, listed in full โ€” nothing here is truncated or summarized.

๐Ÿ’ฐ License Efficiency

4 findings
Every unassigned seat, disabled account, or inactive user holding a license is money leaving your budget for no benefit.
High priority2 items
Microsoft 365 E3 โ€” 6 seats
6 purchased seats not assigned to any user
โ†’ Reduce your Microsoft 365 E3 subscription by 6 seats at next renewal
$216.00/mo
Microsoft 365 E3 โ€” Maria Santos ยท [email protected]
Disabled account still holding Microsoft 365 E3
โ†’ Remove Microsoft 365 E3 from disabled account: Maria Santos
$36.00/mo
Medium priority2 items
Power BI Pro โ€” David Kim ยท [email protected]
No M365 activity in 90+ days while holding Power BI Pro
โ†’ Confirm with David Kim whether they still need this license
$10.00/mo
Visio Plan 2 โ€” 3 seats
3 purchased seats not assigned to any user
โ†’ Reduce your Visio Plan 2 subscription by 3 seats at next renewal
$45.00/mo

๐Ÿ” Identity & Access

5 findings
Identity is the most common breach entry point. Admin sprawl, missing MFA, and stale guest access all widen your attack surface.
High priority3 items
No MFA method registered โ€” Priya Patel ยท [email protected]
โ†’ Require Priya Patel to register MFA, or enforce it tenant-wide via Conditional Access / Security Defaults
7 users hold Global Administrator โ€” Microsoft recommends 2โ€“4
โ†’ Review the 7 Global Admins and move anyone who doesn't need full tenant control to a scoped role
Global Administrator with no M365 activity in 90+ days โ€” Tom Reyes ยท [email protected]
โ†’ Confirm whether Tom Reyes still needs Global Admin โ€” if not, remove the role
Medium priority2 items
Guest account with no recorded M365 activity, added over 90 days ago โ€” Jordan Lee (Guest) ยท [email protected]
โ†’ Remove guest access for Jordan Lee if the collaboration has ended
Password set to never expire, and no MFA registered โ€” Sam Wong ยท [email protected]
โ†’ Register MFA for Sam Wong โ€” a non-expiring password with no MFA is a standing exposure

๐Ÿ›ก๏ธ Secure Score

3 findings
Microsoft's own composite security score for your tenant, with the highest-impact unresolved recommendations surfaced here.
Medium priority3 items
Enable self-service password reset
โ†’ See Microsoft Secure Score in the admin center for remediation steps
Designate more than one global admin
โ†’ See Microsoft Secure Score in the admin center for remediation steps
Use limited administrative roles
โ†’ See Microsoft Secure Score in the admin center for remediation steps

๐Ÿ“ Data Exposure

1 finding
Third-party apps with broad permissions and license-holding shared mailboxes are quiet sources of data exposure and cost.
High priority1 item
Third-party app "QuickReports Connector" has been granted: Mail.ReadWrite
โ†’ Review "QuickReports Connector" in Entra ID โ†’ Enterprise Applications and remove it if it's not actively in use

๐Ÿ“ง Email Authentication

1 finding
Missing SPF/DMARC is the single most common reason SMBs get spoofed โ€” anyone can send email pretending to be you.
High priority1 item
No DMARC record found for contoso-retail.com โ€” this is the single most common reason SMBs get spoofed
โ†’ Publish a DMARC TXT record at _dmarc.contoso-retail.com (start with p=none to monitor, then move to p=quarantine)

Methodology & glossary

What was scanned

This report was generated using Microsoft Graph API with read-only permissions (User.Read, Reports.Read.All, Directory.Read.All, Organization.Read.All, SecurityEvents.Read.All). M365 Health Score cannot and does not modify your tenant, change any licenses, or alter any settings.

"90+ days inactive"

Based on Microsoft's Office 365 Active User Detail report over a trailing 90-day window, covering Exchange, Teams, SharePoint, and OneDrive activity.

Health Score formula

Your overall Health Score blends four weighted inputs: Microsoft Secure Score (40%), Identity & Access findings (25%), License Efficiency โ€” waste as a share of total license spend (20%), and Email Authentication โ€” SPF/DMARC presence (15%).

Ready to see your tenant's actual Health Score?

Run your free scan