Glow Cloud M365 Security Assessment

Know who can reach what in your Microsoft 365 - and prove it.

A read-only security and governance assessment for Microsoft 365. We map every sharing link and permission path in your tenant, score your posture honestly, and hand you a report you own - no portal, no agent, and no changes to your environment.

Read-only, app-only Microsoft-verified publisher £1M professional indemnity

RBAC relationship map · read-only Sales · sample
Full Edit Read Band thickness = reach · dashed = direct grant
PRINCIPALS SITE UNIQUE SCOPES Sales Site SP Visitors Read · 11 scopes SP Members Edit · 8 scopes SP Owners Full · 11 scopes M365 Owners Full · 6 scopes k.reed (direct) Edit · 2 scopes Board pack.pptx File · changed FY26 forecast.xlsx File · changed Pricing model.xlsx File · changed Contract draft.docx File · changed Payroll export.csv File · changed Supplier list.xlsx File · changed

Pick any principal, site or scope to isolate its access. This is a static sample, the live report is fully interactive.

The permission map nobody else shows you

Not "this setting is wrong". Who can reach which file, and how.

Most audits stop at a misconfiguration. We show you the consequence: every external share, every broken-inheritance file, and a visual map of who can reach which document, through which site, and how they got that access.

It is the oversharing Microsoft 365 Copilot will surface to your staff on day one - found before it does. Nothing else in this space visualises access like this.

  • Per-user reverse lookup: pick a person, see everything they can reach and exactly how.
  • Every site ranked by external-sharing exposure, then drilled link by link.
  • Over-permissioned users, oversized groups and direct grants surfaced as the headline.
Sharing report · Tier 1 · per-site read-only

Melbrooke Ltd · SharePoint & OneDrive

Where the exposure is

1,284
Total links
37
Anyone (anon)
112
External / guest
9
Sites w/ anon
All sites Has anonymous Has external Tier 1 · per site
SiteAnyoneOrgGuest
Finance · Board papers 6 12 3
Projects · Project Halo 5 8 9
Sales · Pipeline 2 14 7
HR · Policies 0 21 1
IT · Onboarding 0 9 0
Prepared by Glow CloudTier 1 · per-site exposure

An honest score, not a flattering one

No false passes. No false fails. No padding.

If a control cannot be checked automatically, we say so and point you to exactly where to look. If your tenant is not licensed for a feature, you are not marked down for it. A regulated business needs the truth about its posture, so that is what we give you - worth more than a number that flatters.

Scored automatically

The checks that can be evidenced from your configuration, scored and shown with the evidence.

Flagged for manual review

The judgement calls, flagged with the exact portal page to check. Never a false auto-pass.

Not marked down unfairly

Licence-aware: features you do not own are marked not applicable, not failed.

Your report. Your data. No portal.

A report you own and keep - not a SaaS login.

We do not keep your configuration in a cloud you have to log into. The assessment runs read-only from our access and produces a single, self-contained report you own and keep. Nothing to subscribe to, nothing to leak.

A one-off assessment is purged after 30 days. Retainer clients keep prior reports only to compute quarter-over-quarter drift, held on our own secured storage and deletable on request.

Unlike portal-based governance platforms, your tenant data never becomes a standing dataset in someone else's cloud.

What lands in your inbox

  • A prioritised findings report, High to Low, in plain English
  • The sharing deep-dive: every site ranked, then every link drilled
  • The permission (RBAC) map: who can reach what, and how
  • A readout to walk you through it, not a PDF you decode alone

What you can request

One read-only engine, scoped to you.

From a free Copilot-readiness check to a recurring drift retainer. Every option is read-only and never writes to your tenant. Fixed-scope pricing and instant checkout are coming soon - for now, request an assessment and we will scope it to your tenant.

Free

Copilot-readiness health-check

Oversharing exposure and a Copilot-readiness verdict. The free way in.

Read-only · no crawl

Assessment

Full security assessment

Your whole tenant scored against the Glow Cloud M365 Security Framework: Entra, email, Teams, SharePoint, Purview, Intune and more.

Read-only · point-in-time

Add-on

Sharing deep-dive

Every site ranked by exposure, then every link: who can reach it, at what scope, and whether it ever expires.

Read-only · overnight crawl

Add-on

Permission (RBAC) map

Who can reach what in SharePoint, how they got that access, and who shouldn't. Least-privilege, proven.

Read-only · permission crawl

Full suite

Assessment + sharing

The full assessment plus the complete sharing crawl, in one run.

Read-only · overnight crawl

Retainer

Quarterly drift

The assessment re-run each quarter, with drift tracked against the prior run, before and after remediation.

Read-only · quarterly

Sample reports

Open the actual deliverables.

Melbrooke Ltd is a fictional company generated through the real engine - real, drillable reports in your browser, zero client data. No install, no email needed.

How it works

Four steps, nothing installed.

01

Connect (read-only)

You grant a read-only, least-privilege app. We never write to your tenant, ever.

02

Assess

We scan Entra, email, Teams, SharePoint, Purview, Intune and more. App-only, no agents, no disruption.

03

Receive your report

A self-contained, interactive report: prioritised findings, the sharing deep-dive and the permission map. Yours to keep.

04

Track drift (retainer)

Re-run each quarter and see exactly what improved, control by control.

Scored against the Glow Cloud M365 Security Framework - our own control set, refined across years of hands-on Microsoft 365 governance work.

Who it's for

Built for organisations that need the truth about their posture.

Security-conscious and regulated organisations - finance, legal, pharma, professional services - and any team rolling out Microsoft 365 Copilot who needs proof their data is not overshared.

Read-only, app-only

We never change your environment.

Microsoft-verified publisher

Verified on the consent screen.

£1M professional indemnity

Insured, boutique, accountable.

Your data stays yours

It never lives in a third-party portal.

Point-in-time assessment; not a certification or accredited audit; not legal advice. Assessments can be mapped to recognised industry security benchmarks on request.

Ready to see who can reach what?

Request a Microsoft 365 security assessment.

Tell us your tenant and we will arrange a read-only access window, or send you the sealed, read-only tool to run yourself. No sales call required, and no obligation.

  • Temporary, read-only access - you stay in control
  • We retain only the report we hand you
  • A report you own, walked through in a readout

Request your assessment

No cost to ask. No sales call required.

Prefer email? hello@glowcloud.uk