Protection Sets Assessment

A safe, read‑only checkup of your Microsoft 365 security and compliance settings. You’ll get clear findings and an easy report—no changes made to your tenant.


Why run this?

  • Spot gaps in identity, email, collaboration, and device protections

  • Validate best‑practice settings without manual digging

  • Get a prioritized, human‑readable report to act on

What we don’t do

  • No changes to your policies or data

  • No passwords or tokens stored

  • No data sent outside your environment

It ran, now what?

  • Contact us using the form below so we can securely receive the reports, see what matches in the Protection Sets, and provide you with a quote.

What we do (in short)

We connect to your tenant with read permissions, run a library of checks (Maester), and export findings to a friendly report.

🔍 Read‑only

🧪 ~Hundreds of checks

📄 CSV + HTML reports

Where to get it

GitHub: YoniMeeus/PSMaester

Here you can download the PowerShell scripts and review them before running them, so you can confirm for yourself that the code does nothing it should not.

How it works

  1. One‑time setup (your side): install Microsoft‑signed tools that can read your M365 settings.

  2. Sign‑in (your admin): An admin signs in interactively. The sign‑in requests read scopes only.

  3. Assessment run: The tool (Maester) checks areas like conditional access, risk policies, mailbox settings, Teams and SharePoint tenant options, and more.

  4. Report generation: Results are saved as spreadsheets and an HTML summary, organized by severity and category.

  5. Review & plan: a custom report is created. When you deliver the bundle, we map the findings to the Protection Sets and plan strategic improvements.

What is checked

  • Identity & access (sign‑in risks, conditional access, MFA posture)

  • Email & collaboration (Exchange, Teams, SharePoint tenant settings)

  • Device posture (where applicable) and security recommendations

The exact list may vary based on your licenses and enabled features.

Data handling & privacy

Local and controlled. Findings are stored in a customer‑specific folder on your approved workstation or server.

  • No customer content is accessed—only configuration metadata

  • No data leaves your environment unless you choose to share the report

  • You can delete the report set at any time

Permissions required

To read settings broadly, we recommend:

  • Global Reader, Security Reader, Reports Reader

  • View‑Only Organization Management (Exchange)

  • Teams Administrator (read‑focused) and SharePoint Administrator

  • Optional: Conditional Access Administrator (only if CA reads are restricted)

We can scope access down if you prefer—some checks may then be skipped.

What you get

Clear, actionable outputs

  • Summary HTML – a readable overview you can review in a browser

  • Detailed CSVs – spreadsheets with each finding, tags, links to docs, and a severity level

Where we store it

C:\M365Factory\Customers\ProtectionSets\ReportMapper\

  • maester_failed_detailed.csv – items that need attention

  • maester_skipped_detailed.csv – items not checked (e.g., not licensed or no permission)

  • MaesterResults.html and MaesterResults.json – quick view and full detail

How to read the results

  • Severity: Critical → High → Medium → Low → Informational

  • Tags & codes: Help you map each finding to a best practice or standard

  • Doc link: Each item links to background documentation for context

Security & Compliance notes

  • We use Microsoft’s Graph and service admin endpoints with read‑only scopes.

  • Admin approval is required at sign‑in; nothing runs “headless” without your consent.

  • You can revoke our session at any time (standard Microsoft sign‑out and token revocation).
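
One way to check the read‑only claim yourself after the interactive sign‑in. This is an added example, not code from the PSMaester scripts. It assumes the Microsoft.Graph.Authentication module is installed for `Get-MgContext`; the function name `Test-GraphScopesReadOnly` is hypothetical and the sample scope list is constructed.

```powershell
# Added example: classify the delegated Graph scopes held by the current session.
function Test-GraphScopesReadOnly {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$Scopes
    )
    # OpenID Connect sign-in scopes; they grant no Graph data permission.
    $oidc = 'openid', 'profile', 'email', 'offline_access'
    # Matches Policy.Read.All, User.Read, User.ReadBasic.All.
    # Does not match Policy.ReadWrite.ConditionalAccess or Mail.Send.
    $readPattern = '\.Read(Basic)?(\.|$)'

    foreach ($scope in $Scopes) {
        $kind = if ($oidc -contains $scope) { 'SignIn' }
                elseif ($scope -match $readPattern) { 'Read' }
                else { 'NotReadOnly' }
        [pscustomobject]@{ Scope = $scope; Kind = $kind }
    }
}

# Use the live session if one exists, otherwise a constructed sample list.
$context = Get-MgContext -ErrorAction SilentlyContinue
if ($context -and $context.Scopes) {
    $scopes = $context.Scopes
} else {
    Write-Host 'No Graph session found; using constructed sample scopes.'
    $scopes = 'openid', 'offline_access', 'Policy.Read.All',
              'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess'
}

$report = @(Test-GraphScopesReadOnly -Scopes $scopes)
$report | Sort-Object Kind, Scope | Format-Table -AutoSize

# Any scope that is neither a sign-in scope nor a read scope needs a closer look.
$flagged = @($report | Where-Object Kind -eq 'NotReadOnly')
if ($flagged.Count -gt 0) {
    Write-Warning ("Scopes that are not read-only: " + ($flagged.Scope -join ', '))
} else {
    Write-Host 'All granted Graph scopes are read or sign-in scopes.'
}
```

Graph scopes cover only the Graph session; Exchange, Teams, and SharePoint connections are bounded by the admin roles of the account that signs in.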

Frequently asked questions

Will this change anything in our tenant?

No. The assessment is read‑only. We only read configuration settings.

Do you access our emails or files?

No. The assessment only queries tenant and policy settings, not user content.

What if we can’t grant all the recommended roles?

That’s okay. We can run with fewer permissions; some checks will be skipped and clearly labeled.

How long does it take?

Most tenants complete within 20–60 minutes, depending on size and available services.

What happens after the run?

We review the results with you, agree on quick wins, and plan any follow‑up changes you’d like to make.