Overview

Acme Corporation

Acme Corporation (Demo) · acme.example.com · last scan: Full (maester), 02/06/2026, 11:42:44

SimpleEntra
Microsoft 365 Security Intelligence
Security Posture Report

Q2 2026

Acme Corporation
acme.example.com
Report date: 2 June 2026
Version: v2026.06
Security checks run: 135
Open findings: 45

Executive Summary

Acme Corporation's Microsoft 365 security posture is rated 67/100 — an improvement of 1 point since the last scan. 8 critical risks require action within 7 days. The score is based on 135 automatically verified security controls. NIS2 control coverage is estimated at 84%.

Posture score: 67/100
Critical findings: 8
Open findings total: 45
Checks run: 135

Security Posture — Score

[Chart: posture score 67/100; dashed line = industry average (58/100)]
▲ 1 point since last scan

The organisation has a moderate security posture. Critical and medium-severity findings should be prioritised.

Benchmark comparison
Acme Corporation: 67 vs. industry average: 58 (+9 above avg)

Risk distribution by security domain

Code  Domain    Findings     Critical  Medium  Low
ID    Identity  35 findings  8         18      9
DV    Devices   4 findings   -         4       -
NW    Network   1 finding    -         -       1
DA    Data      5 findings   -         3       2

Columns show severity distribution (critical / medium / low) within each security domain. Colour intensity reflects relative risk concentration.


Top 5 identified risks

1. Application secrets expiring within 30 days: 5 apps (CRITICAL · Identity)
Business exposure

Internal-CRM-Connector (12d), Power-BI-Sync (18d), HR-Onboarding-Webhook (22d), Slack-Bot (26d), Sentinel-Forwarder (28d) have secrets expiring within 30 days.

Recommended action

Rotate all expiring secrets immediately. Replace secrets with certificate authentication where possible.

Deadline: Within 7 days
2. External guest user assigned to permanent control-plane role (CRITICAL · Identity)
Business exposure

1 external guest user (guest3@external.example.com) has a permanent Exchange Administrator role assignment. Guest role assignments should be time-limited via PIM.

Recommended action

Remove permanent Exchange Administrator role from guest3@external.example.com. If needed, assign via PIM eligible role with justification required.

Deadline: Within 7 days
3. Global Admin count exceeds recommended maximum: 7 admins (CRITICAL · Identity)
Business exposure

7 Global Admins active. CIS Controls v8 recommends ≤2 permanent Global Admins. Excess accounts increase blast radius if any one is compromised.

Recommended action

Audit all Global Admin accounts. Remove admin role from accounts not requiring it. Move remaining to PIM eligible assignments.

Deadline: Within 7 days
4. Global Administrator accounts without dedicated admin account (CRITICAL · Identity)
Business exposure

5 of 7 Global Admins use the same account for daily work and admin tasks. No separation of duties.

Recommended action

Create cloud-only admin accounts for all privileged role holders. Disable admin access on daily-use accounts.

Deadline: Within 7 days
5. Legacy authentication not blocked tenant-wide (CRITICAL · Identity)
Business exposure

POP3, IMAP4, and Authenticated SMTP still permitted. 14 sign-ins from legacy clients in past 30 days.

Recommended action

Block legacy authentication via a tenant-wide Conditional Access policy targeting all users.

Deadline: Within 7 days

Posture score over time — 13 scans

Each data point represents one complete security scan (Maester + ZeroTrustAssessment). Rises indicate improvements through remediation actions.


Framework mapping

Methodology: SimpleEntra automatically maps identified findings to applicable frameworks. Numbers indicate the proportion of framework controls covered by executed tests — they are not a full compliance attestation. Accurate framework mapping requires a formal audit.
Framework                                  Coverage
CIS Controls v8 (138 / 171 sub-controls)   81%
CISA SCuBA (Microsoft 365 baseline)        79%
NIS2 Art. 21(2) (Art. 21(2)(a-i))          84%
ISO 27001 Annex A (87 / 114 controls)      76%
DORA RTS (54 / 79 RTS)                     68%
Tests powered by Maester — MIT-licensed open source security testing for Microsoft 365 · maester.dev

Prioritised actions

1. Rotate all expiring secrets immediately. Replace secrets with certificate authentication where possible.
   Responsible: IT Security / IAM Lead · Deadline: Within 7 days
2. Remove permanent Exchange Administrator role from guest3@external.example.com. If needed, assign via PIM eligible role with justification required.
   Responsible: IT Security / IAM Lead · Deadline: Within 7 days
3. Audit all Global Admin accounts. Remove admin role from accounts not requiring it. Move remaining to PIM eligible assignments.
   Responsible: IT Security / IAM Lead · Deadline: Within 7 days
4. Create cloud-only admin accounts for all privileged role holders. Disable admin access on daily-use accounts.
   Responsible: IT Security / IAM Lead · Deadline: Within 7 days
5. Block legacy authentication via a tenant-wide Conditional Access policy targeting all users.
   Responsible: IT Security / IAM Lead · Deadline: Within 7 days
Report generated automatically.
Generated: 02 Jun 2026, 12:50 · v2026.06
Powered by Maester · maester.dev
acme.example.com
Confidential — internal use only