Microsoft tenant security audit · read-only

Findings report

Tenant: acme-portco.onmicrosoft.com
Tool: databa v0.3.1 · code-signed · sha256-verified
Run id: 8c2e-4a3f-2c91
Started: 2026-05-15 19:42:03 UTC
Duration: 00:29:43
Operator: itadmin@acme-portco
Critical: 7
Findings that materially expand the tenant's attack surface or violate baseline policy. Recommend action within 7 days.

Non-critical: 23
Hygiene findings. No immediate exposure, but each represents accumulated drift from a clean baseline.
01

What we found

plain-language summary

This tenant has been operating without consistent identity-perimeter hygiene for several years. The audit identified seven critical findings and twenty-three non-critical findings across six Microsoft surfaces in 29 minutes 43 seconds.

Three of the seven critical items concentrate around legacy authentication and identity drift: basic-auth protocols remain enabled tenant-wide, a long-standing conditional access policy never moved out of report-only, and a service principal with system-administrator privileges has no second factor and was last used yesterday. Two more critical items involve Power BI and Power Automate flows reaching destinations outside the company's stated allowlist, including known transient-webhook providers.

None of the findings indicate an active breach. All can be remediated by an in-house IT team with admin-level access to the Microsoft 365 admin center, Azure portal, and Power Platform admin center. Estimated total remediation effort is twelve to twenty engineering hours.

Surface   Crit   Non-crit   Probed
GR        1      2          20.9s
BI        1      5          20.5s
FL        1      3          17.6s
AP        0      4          8.1s
AZ        2      6          19.4s
DV        2      3          15.4s
02

Findings by surface

30 entries · grouped, severity-sorted
GR · Microsoft Graph

1 crit · 2 non-crit
scope: graph.microsoft.com / v1.0 · probes: 18 · elapsed: 00:00:20.906
F-001 Critical

Guest users with directory-write privileges

scope: /v1.0/users?$filter=userType eq 'Guest' · policy: identity.guest.write
3 guest principals hold roles permitting directory writes:
  • alex.r@vendor.io · role=Directory Writers · invited=2023-08-14
  • k.lee@p3.co · role=Application Administrator · invited=2024-01-09
  • ops@old-tld.com · role=Directory Writers · invited=2022-11-30 (domain unreachable)

What this means

External accounts can modify directory objects, including creating users, resetting passwords, and assigning roles. One of the three accounts is at a domain that no longer resolves, suggesting the original recipient is no longer reachable but the account remains active.

Recommended action

Revoke the directory-write roles from all three guests. Contact the account owners through a secondary channel if access is still required. Block guest assignment to the Directory Writers role at the policy level.

F-002 Non-critical

Service principals without credential expiry

scope: /v1.0/applications · policy: identity.app.credential.rotation
12 of 47 SPNs have no rotation policy.
  • oldest secret: etl-prod-2019 · created 2019-04-11 (age: 2,592 days)
  • most-used: reporting-pipeline-prod · last used 14h ago

What this means

Long-lived application secrets are a standard exfiltration target. None are known to be exposed today, but a leaked secret would remain valid indefinitely.

Recommended action

Rotate the four oldest secrets this quarter. Adopt managed identities for the two SPNs that run inside Azure.

F-003 Non-critical

Applications consenting to non-standard scopes

scope: /v1.0/oauth2PermissionGrants · policy: identity.consent.scope.review
4 apps with tenant-wide Mail.ReadWrite consent · last consent grant 2025-11-03
  • app="Slido for Teams" · consented_by=admin · reviewed=never
  • app="PriorityMatrix" · consented_by=admin · reviewed=never

What this means

Mail.ReadWrite grants the app the ability to read and write every mailbox in the tenant. Even reputable apps should be reviewed against current need.

Recommended action

Re-confirm business need with the requesting users. Downgrade to Mail.Read where read-only is sufficient.

AZ · Azure AD

2 crit · 6 non-crit
scope: graph.microsoft.com / identity · probes: 14 · elapsed: 00:00:19.389
F-004 Critical

Legacy authentication protocols still enabled tenant-wide

scope: identity/authenticationMethodsPolicy · policy: identity.legacy.auth.disabled
protocols enabled: IMAP, POP3, SMTP-AUTH, MAPI (basic)
  • last sign-in via basic-auth observed: 2026-05-12 11:08:42 UTC
  • distinct users in past 30d: 4

What this means

Basic-auth protocols bypass conditional access and MFA. Microsoft retired basic-auth for new tenants in 2022; manual re-enablement is the only way it remains active.

Recommended action

Disable basic-auth in the authentication methods policy. Audit the four recent users to identify which app or device required it.

F-005 Critical

Conditional access policy in report-only since 2023

scope: identity/conditionalAccess/policies · policy: identity.ca.enforce.deadline
  • policy="block-legacy-auth" · state=reportOnly · age=864 days
  • policy="require-mfa-admins" · state=reportOnly · age=312 days
report-only matches in past 30d: 1,847 (would have blocked)

What this means

The blocking policy has been validated by 1,847 report-only matches but was never moved to enforcement. The intent is clear; only the enforcement toggle is missing.

Recommended action

Move both policies to enabled after a 7-day notice window. Both have substantial report-only signal.

F-006 Non-critical

Named locations include broad CIDR ranges

scope: identity/conditionalAccess/namedLocations
  • named_location="corp-vpn" · ranges=10.0.0.0/8 · trust=true
  • named_location="hq-office" · ranges=192.168.0.0/16 · trust=true

What this means

Marking RFC 1918 ranges as trusted locations effectively exempts anything that reaches the policy from inside any private network. The intended scope was almost certainly narrower.

Recommended action

Replace with the company's actual public egress CIDRs. Confirm with networking before saving.

DV · Dataverse

2 crit · 3 non-crit
scope: api.crm.dynamics.com · probes: 8 · elapsed: 00:00:15.408
F-007 Critical

Service principal with system-admin role and no MFA

scope: dataverse / systemusers · policy: dataverse.spn.admin.mfa
  • spn="dataverse-etl-prod" · role=System Administrator · mfa=false
  • client_secret_age=1,127 days · last_used=2026-05-14 03:11:09 UTC

What this means

An automation account holds the highest Dataverse role with a three-year-old secret and no second factor, and it is currently active in production.

Recommended action

Migrate to a managed identity. If that is blocked, rotate the secret and scope the role down to System Customizer or a narrower table-level role.

F-008 Non-critical

Tables with org-wide read on personal data

scope: dataverse / tables
  • table=Account · org-read=true · pii=likely · rows≈14,200
  • table=Contact · org-read=true · pii=likely · rows≈38,900

What this means

Every authenticated user in this Dataverse environment can read every Account and Contact row. This may be intentional; it is flagged so the owner can confirm.

Recommended action

Confirm with the Dataverse environment owner. If unintended, replace with business-unit or owner-level read.

BI · FL · AP · Power BI, Power Automate, Power Apps

2 crit · 12 non-crit
Findings F-009 through F-030 follow the same structure. Omitted from this preview for brevity.
03

Scope and methodology

what was and wasn't checked

In scope

  • Microsoft Graph identity and consent: users, guests, applications, oauth2 permission grants, role assignments
  • Azure AD authentication policy: conditional access, legacy auth, named locations, MFA enrolment
  • Power Platform export and connectors: flow ownership, connector destinations, DLP policy posture
  • Power BI sharing surface: workspaces, public links, dataset ownership, refresh state
  • Dataverse roles and table privileges: system roles, service principals, table-level org-wide reads

Out of scope

  • Endpoint posture: Intune, Defender for Endpoint, device compliance
  • Mailbox content: no message bodies or headers were read
  • SharePoint and OneDrive file-level access: aggregate counts only, no file contents inspected
  • Third-party SaaS connected via SSO: identified but not probed
  • Anything requiring write or elevated impersonation: this audit performs no writes against any surface

Generated by

Databa v0.3.1
build sha: a37e91c · signed
run on: SURFACE-IT-04 / Windows 11 23H2
runtime: Tauri 2 webview
code-signed binary · sha256 verified

Report integrity

run_id: 8c2e-4a3f-2c91
report sha256: b914 cf02 1a7d 8e6c · 4f29 3a91 0d77 e8b1 · 25cf 5e88 6b3a 1042 · af71 0c83 9d44 2e6f
written to: %LOCALAPPDATA%\databa-audit\reports\2026-05-15T19-42-03Z.html
operator clock: 2026-05-15 20:11:46 UTC

This report is a static HTML artifact. No data leaves this machine.