Microsoft 365 Compliance Monitoring

Continuously assess your Microsoft 365 security posture

Automatically evaluate identity, email, collaboration, data protection and device security controls across your Microsoft 365 tenant.

Microsoft 365
CIS Benchmark assessment
160
Security controls
9
Microsoft 365 security domains
143
Benchmark-automated controls
4
Supported profiles

What we assess

9 security domains. One unified assessment.

160 checks across 9 Microsoft cloud services

Identity & Access

Global administrators, MFA, Conditional Access, risky sign-ins

Email Security

Safe Links, Safe Attachments, SPF, DKIM, DMARC

Data Protection

DLP policies, sensitivity labels, audit logging

Collaboration

Teams meetings, guest access, external domains

File Sharing

SharePoint and OneDrive external sharing

Device Security

Intune enrollment and compliance policies

Privileged Access

PIM, role activation and access reviews

Application Security

OAuth consent, app credentials and certificates

Analytics

Microsoft Fabric tenant security

Automation coverage

What we can collect — and what we refuse to guess

CIS Automated/Manual labels describe the benchmark method. Trusteed reports what can actually be collected from your tenant — without marking incomplete evidence as Passed.

65
Controls with full native API collection
3
Controls with partial API collection
80
Controls supported through specialized collector workflows
12
Controls managed through evidence workflows

Coverage spans Microsoft Graph plus Exchange Online, Purview, SharePoint tenant policy, Teams policy, Defender, and Fabric collectors where Graph alone is incomplete.

What you receive

Every assessment produces

1 overall compliance score
4 result states: Compliant, Non-compliant, Not applicable, Unknown
Control-level evidence
Risk-based findings
Step-by-step remediation guidance
Framework mappings
Downloadable audit report
Historical configuration tracking

Four result states — not Pass/Fail guesses

Compliant

All required conditions were verified.

Non-compliant

At least one required condition was not met.

Not applicable

The control is outside the documented scope.

Unknown

Data or permission was insufficient — the result was not guessed.

Example findings

What assessments actually surface

Global Administrator Count Exceeds Recommended Limit

7 global administrator accounts detected. Recommended range: 2–4.

Legacy Authentication Is Not Blocked

One or more Conditional Access policies allow legacy authentication flows.

DMARC Is Not Enforced

2 of 4 mail-enabled domains do not have an enforced DMARC policy.

Anonymous Users Can Join Teams Meetings

The current meeting policy permits anonymous participants.

Example findings shown for demonstration purposes.

How it works

Connect, assess, remediate

01

Connect

Authorize read-only access using delegated OAuth or service credentials.

Guided read-only connection
02

Assess

Trusteed collects configuration, identity, policy and activity evidence from the connected environment.

Up to 160 checks per Microsoft 365 tenant
03

Remediate

Review prioritized findings, evidence and remediation steps from a single dashboard.

1 remediation workflow per failed control

Framework mapping

Map technical findings to the frameworks your customers and auditors care about.

One technical check. Multiple compliance frameworks.

CIS Controls v8SOC 2ISO/IEC 27001NIST CSFHIPAAPCI DSSFedRAMP

Secure by design

Least privilege. Read-only. No guessed Pass.

Read-only by default
0 customer passwords stored
4 result states — no false Pass on missing evidence
Least-privilege OAuth scopes
Tenant-isolated data processing
Complete evidence timestamps

Microsoft Graph, Exchange Online and service-specific collectors are separated by required scope.

Benchmark reference

Version and coverage details

Benchmark
CIS Microsoft 365 Foundations Benchmark
Version
v7.0.0
Published
May 20, 2026
Control count
160
Supported profiles
E3 L1, E3 L2, E5 L1, E5 L2
Integration version
Trusteed Integration v1.x
Last updated
July 2026

Start assessing Microsoft 365 continuously

Connect read-only access, run the full control set, and get evidence-backed results — Compliant, Non-compliant, Not applicable, or Unknown.