Glow Cloud M365 Security Assessment
A read-only security and governance assessment for Microsoft 365. We map every sharing link and permission path in your tenant, score your posture honestly, and hand you a report you own - no portal, no agent, and no changes to your environment.
Read-only, app-only Microsoft-verified publisher £1M professional indemnity
Pick any principal, site or scope to isolate its access. This is a static sample, the live report is fully interactive.
The permission map nobody else shows you
Most audits stop at a misconfiguration. We show you the consequence: every external share, every broken-inheritance file, and a visual map of who can reach which document, through which site, and how they got that access.
It is the oversharing Microsoft 365 Copilot will surface to your staff on day one - found before it does. Nothing else in this space visualises access like this.
Melbrooke Ltd · SharePoint & OneDrive
An honest score, not a flattering one
If a control cannot be checked automatically, we say so and point you to exactly where to look. If your tenant is not licensed for a feature, you are not marked down for it. A regulated business needs the truth about its posture, so that is what we give you - worth more than a number that flatters.
The checks that can be evidenced from your configuration, scored and shown with the evidence.
The judgement calls, flagged with the exact portal page to check. Never a false auto-pass.
Licence-aware: features you do not own are marked not applicable, not failed.
Your report. Your data. No portal.
We do not keep your configuration in a cloud you have to log into. The assessment runs read-only from our access and produces a single, self-contained report you own and keep. Nothing to subscribe to, nothing to leak.
A one-off assessment is purged after 30 days. Retainer clients keep prior reports only to compute quarter-over-quarter drift, held on our own secured storage and deletable on request.
Unlike portal-based governance platforms, your tenant data never becomes a standing dataset in someone else's cloud.
What lands in your inbox
What you can request
From a free Copilot-readiness check to a recurring drift retainer. Every option is read-only and never writes to your tenant. Fixed-scope pricing and instant checkout are coming soon - for now, request an assessment and we will scope it to your tenant.
Free
Oversharing exposure and a Copilot-readiness verdict. The free way in.
Read-only · no crawl
Assessment
Your whole tenant scored against the Glow Cloud M365 Security Framework: Entra, email, Teams, SharePoint, Purview, Intune and more.
Read-only · point-in-time
Add-on
Every site ranked by exposure, then every link: who can reach it, at what scope, and whether it ever expires.
Read-only · overnight crawl
Add-on
Who can reach what in SharePoint, how they got that access, and who shouldn't. Least-privilege, proven.
Read-only · permission crawl
Full suite
The full assessment plus the complete sharing crawl, in one run.
Read-only · overnight crawl
Retainer
The assessment re-run each quarter, with drift tracked against the prior run, before and after remediation.
Read-only · quarterly
Sample reports
Melbrooke Ltd is a fictional company generated through the real engine - real, drillable reports in your browser, zero client data. No install, no email needed.
Inside the reports
Clear, interactive reports from one read-only run. The visuals below mirror the Melbrooke Ltd demo: fictional company, real engine.
Melbrooke Ltd · Glow Cloud M365 Security Framework
Compliance by domain
Entra, Intune, SharePoint, email, data and auditing, each control marked Pass, Partial, Fail or Manual across the whole Glow Cloud M365 Security Framework, so you see precisely where the gaps are.
Melbrooke Ltd · July 2026
Significant gaps
Multiple high-severity controls are failing. Address the priorities below before enabling Copilot or broad collaboration.
Top priorities
Executive summary
A clear verdict and the High-severity priorities to act on first, so the readout takes minutes, not a wade through a spreadsheet.
Glow Cloud Framework · Identity › Conditional Access
What we found
No Conditional Access policies exist, so access is not conditionally controlled.
Why it matters
Weak identity controls are the primary path to account takeover and lateral movement.
Recommended action
Maintain a baseline CA set (all-users MFA, block legacy auth, risk-based, device compliance) and move report-only policies to enabled.
Evidence · GET /identity/conditionalAccess/policies (state per policy)
Every finding, in full
Each finding carries its framework control reference, what we found, why it matters, a recommended action and the evidence behind it. See a complete sample report, filterable by platform, domain, type, severity and status.
The sharing deep-dive
Every site ranked by exposure (per-site), then every individual link drilled down to who can reach it, what it exposes and whether it ever expires (per-link), delivered as two separate reports.
Melbrooke Ltd · SharePoint & OneDrive
Melbrooke Ltd · SharePoint & OneDrive
Highest risk: /Finance/FY26-forecast.xlsx, an anyone-link with no expiry, created 14 months ago. The exact file Copilot could surface.
How it works
You grant a read-only, least-privilege app. We never write to your tenant, ever.
We scan Entra, email, Teams, SharePoint, Purview, Intune and more. App-only, no agents, no disruption.
A self-contained, interactive report: prioritised findings, the sharing deep-dive and the permission map. Yours to keep.
Re-run each quarter and see exactly what improved, control by control.
Scored against the Glow Cloud M365 Security Framework - our own control set, refined across years of hands-on Microsoft 365 governance work.
Who it's for
Security-conscious and regulated organisations - finance, legal, pharma, professional services - and any team rolling out Microsoft 365 Copilot who needs proof their data is not overshared.
Read-only, app-only
We never change your environment.
Microsoft-verified publisher
Verified on the consent screen.
£1M professional indemnity
Insured, boutique, accountable.
Your data stays yours
It never lives in a third-party portal.
Point-in-time assessment; not a certification or accredited audit; not legal advice. Assessments can be mapped to recognised industry security benchmarks on request.
Questions, answered
You grant a read-only, least-privilege app - app-only, no standing admin - and we never write to your tenant. Access is revocable at any time, and every read shows in your own audit log. Prefer to run it yourself? We can supply a sealed, read-only script.
Nowhere you have to log into. The assessment produces a single, self-contained report you own and keep. A one-off run is purged after 30 days; retainer clients keep prior reports only to compute quarter-over-quarter drift, on our own secured storage and deletable on request.
Your posture across Entra, email, Teams, SharePoint, Purview, Intune and more, scored against the Glow Cloud M365 Security Framework, plus a link-by-link sharing deep-dive and an RBAC permission map. Scoring is honest: features you are not licensed for are not marked down.
Yes. We surface the oversharing and broad access Copilot would expose to staff on day one, so you can fix it before switching Copilot on.
No. It is a point-in-time assessment, not a certification or accredited audit, and not legal advice. Assessments can be mapped to recognised industry security benchmarks on request.
Ready to see who can reach what?
Tell us your tenant and we will arrange a read-only access window, or send you the sealed, read-only tool to run yourself. No sales call required, and no obligation.