Glow Cloud M365 Security Assessment

Know who can reach what in your Microsoft 365 - and prove it.

A read-only security and governance assessment for Microsoft 365. We map every sharing link and permission path in your tenant, score your posture honestly, and hand you a report you own - no portal, no agent, and no changes to your environment.

Read-only, app-only Microsoft-verified publisher £1M professional indemnity

RBAC relationship map · read-only Sales · sample
Full Edit Read Band thickness = reach · dashed = direct grant
PRINCIPALS SITE UNIQUE SCOPES Sales Site SP Visitors Read · 11 scopes SP Members Edit · 8 scopes SP Owners Full · 11 scopes M365 Owners Full · 6 scopes k.reed (direct) Edit · 2 scopes Board pack.pptx File · changed FY26 forecast.xlsx File · changed Pricing model.xlsx File · changed Contract draft.docx File · changed Payroll export.csv File · changed Supplier list.xlsx File · changed

Pick any principal, site or scope to isolate its access. This is a static sample, the live report is fully interactive.

The permission map nobody else shows you

Not "this setting is wrong". Who can reach which file, and how.

Most audits stop at a misconfiguration. We show you the consequence: every external share, every broken-inheritance file, and a visual map of who can reach which document, through which site, and how they got that access.

It is the oversharing Microsoft 365 Copilot will surface to your staff on day one - found before it does. Nothing else in this space visualises access like this.

  • Per-user reverse lookup: pick a person, see everything they can reach and exactly how.
  • Every site ranked by external-sharing exposure, then drilled link by link.
  • Over-permissioned users, oversized groups and direct grants surfaced as the headline.
Sharing report · Tier 1 · per-site read-only

Melbrooke Ltd · SharePoint & OneDrive

Where the exposure is

1,284
Total links
37
Anyone (anon)
112
External / guest
9
Sites w/ anon
All sites Has anonymous Has external Tier 1 · per site
SiteAnyoneOrgGuest
Finance · Board papers 6 12 3
Projects · Project Halo 5 8 9
Sales · Pipeline 2 14 7
HR · Policies 0 21 1
IT · Onboarding 0 9 0
Prepared by Glow CloudTier 1 · per-site exposure

An honest score, not a flattering one

No false passes. No false fails. No padding.

If a control cannot be checked automatically, we say so and point you to exactly where to look. If your tenant is not licensed for a feature, you are not marked down for it. A regulated business needs the truth about its posture, so that is what we give you - worth more than a number that flatters.

Scored automatically

The checks that can be evidenced from your configuration, scored and shown with the evidence.

Flagged for manual review

The judgement calls, flagged with the exact portal page to check. Never a false auto-pass.

Not marked down unfairly

Licence-aware: features you do not own are marked not applicable, not failed.

Your report. Your data. No portal.

A report you own and keep - not a SaaS login.

We do not keep your configuration in a cloud you have to log into. The assessment runs read-only from our access and produces a single, self-contained report you own and keep. Nothing to subscribe to, nothing to leak.

A one-off assessment is purged after 30 days. Retainer clients keep prior reports only to compute quarter-over-quarter drift, held on our own secured storage and deletable on request.

Unlike portal-based governance platforms, your tenant data never becomes a standing dataset in someone else's cloud.

What lands in your inbox

  • A prioritised findings report, High to Low, in plain English
  • The sharing deep-dive: every site ranked, then every link drilled
  • The permission (RBAC) map: who can reach what, and how
  • A readout to walk you through it, not a PDF you decode alone

What you can request

One read-only engine, scoped to you.

From a free Copilot-readiness check to a recurring drift retainer. Every option is read-only and never writes to your tenant. Fixed-scope pricing and instant checkout are coming soon - for now, request an assessment and we will scope it to your tenant.

Free

Copilot-readiness health-check

Oversharing exposure and a Copilot-readiness verdict. The free way in.

Read-only · no crawl

Assessment

Full security assessment

Your whole tenant scored against the Glow Cloud M365 Security Framework: Entra, email, Teams, SharePoint, Purview, Intune and more.

Read-only · point-in-time

Add-on

Sharing deep-dive

Every site ranked by exposure, then every link: who can reach it, at what scope, and whether it ever expires.

Read-only · overnight crawl

Add-on

Permission (RBAC) map

Who can reach what in SharePoint, how they got that access, and who shouldn't. Least-privilege, proven.

Read-only · permission crawl

Full suite

Assessment + sharing

The full assessment plus the complete sharing crawl, in one run.

Read-only · overnight crawl

Retainer

Quarterly drift

The assessment re-run each quarter, with drift tracked against the prior run, before and after remediation.

Read-only · quarterly

Sample reports

Open the actual deliverables.

Melbrooke Ltd is a fictional company generated through the real engine - real, drillable reports in your browser, zero client data. No install, no email needed.

Inside the reports

The receipts, control by control, link by link, and permission by permission.

Clear, interactive reports from one read-only run. The visuals below mirror the Melbrooke Ltd demo: fictional company, real engine.

Compliance by domain GC Framework

Melbrooke Ltd · Glow Cloud M365 Security Framework

Account & Authentication 77% · 10/13
Licensing 100% · 4/4
Email Security 50% · 5/10
Auditing 50% · 1/2
Copilot Readiness 0% · 0/4
Storage 0% · 0/4
Application Permissions 0% · 0/2
Lifecycle 0% · 0/2
Mobile Device Management n/a · 0/0
Data Management n/a · 0/0
PassPartialFailManualN/A

Compliance by domain

Every domain, scored. Not one blunt number.

Entra, Intune, SharePoint, email, data and auditing, each control marked Pass, Partial, Fail or Manual across the whole Glow Cloud M365 Security Framework, so you see precisely where the gaps are.

Glow Cloud M365 Security Assessment confidential

Melbrooke Ltd · July 2026

Executive summary

Significant gaps

Multiple high-severity controls are failing. Address the priorities below before enabling Copilot or broad collaboration.

87%
Controls scored
7
High priority
11
Medium
5
Low

Top priorities

  1. 01 Conditional Access policy inventory High
  2. 02 Guests can reshare items they do not own High
  3. 03 Content-exposure surface for Copilot High
  4. 04 No Safe Links policy High
  5. 05 No Safe Attachments policy High
Prepared by Glow CloudGlow Cloud M365 Security Framework · read-only

Executive summary

The verdict, the numbers, what to fix first.

A clear verdict and the High-severity priorities to act on first, so the readout takes minutes, not a wade through a spreadsheet.

✕ Fail High

Conditional Access policy inventory

Glow Cloud Framework · Identity › Conditional Access

What we found

No Conditional Access policies exist, so access is not conditionally controlled.

Why it matters

Weak identity controls are the primary path to account takeover and lateral movement.

Recommended action

Maintain a baseline CA set (all-users MFA, block legacy auth, risk-based, device compliance) and move report-only policies to enabled.

Evidence · GET /identity/conditionalAccess/policies (state per policy)

Every finding, in full

Actionable, not a vague flag.

Each finding carries its framework control reference, what we found, why it matters, a recommended action and the evidence behind it. See a complete sample report, filterable by platform, domain, type, severity and status.

The sharing deep-dive

Site by site, then link by link. Two reports.

Every site ranked by exposure (per-site), then every individual link drilled down to who can reach it, what it exposes and whether it ever expires (per-link), delivered as two separate reports.

Sharing report · Tier 1 · per-site read-only

Melbrooke Ltd · SharePoint & OneDrive

Where the exposure is

1,284
Total links
37
Anyone (anon)
112
External / guest
9
Sites w/ anon
All sites Has anonymous Has external Tier 1 · per site
SiteAnyoneOrgGuest
Finance · Board papers 6 12 3
Projects · Project Halo 5 8 9
Sales · Pipeline 2 14 7
HR · Policies 0 21 1
IT · Onboarding 0 9 0
Prepared by Glow CloudTier 1 · per-site exposure
Per-site, open sample →
Sharing report · Tier 2 · per-link read-only

Melbrooke Ltd · SharePoint & OneDrive

Every link, and who can reach it

1,284
Links reviewed
37
Anyone-links
58
No expiry
112
External / guest
LinkReachable byExpiry
/Finance/FY26-forecast.xlsx Anyone with link No expiry
/Projects/Halo/board-brief.docx Guest · law firm 30 days
/Sales/Pipeline-Q3.xlsx Whole org No expiry
/HR/Salary-bands.xlsx Guest · PR agency No expiry
/IT/Onboarding-kit.zip Anyone with link 90 days

Highest risk: /Finance/FY26-forecast.xlsx, an anyone-link with no expiry, created 14 months ago. The exact file Copilot could surface.

Prepared by Glow CloudTier 2 · link-by-link
Per-link, open sample →

How it works

Four steps, nothing installed.

01

Connect (read-only)

You grant a read-only, least-privilege app. We never write to your tenant, ever.

02

Assess

We scan Entra, email, Teams, SharePoint, Purview, Intune and more. App-only, no agents, no disruption.

03

Receive your report

A self-contained, interactive report: prioritised findings, the sharing deep-dive and the permission map. Yours to keep.

04

Track drift (retainer)

Re-run each quarter and see exactly what improved, control by control.

Scored against the Glow Cloud M365 Security Framework - our own control set, refined across years of hands-on Microsoft 365 governance work.

Who it's for

Built for organisations that need the truth about their posture.

Security-conscious and regulated organisations - finance, legal, pharma, professional services - and any team rolling out Microsoft 365 Copilot who needs proof their data is not overshared.

Read-only, app-only

We never change your environment.

Microsoft-verified publisher

Verified on the consent screen.

£1M professional indemnity

Insured, boutique, accountable.

Your data stays yours

It never lives in a third-party portal.

Point-in-time assessment; not a certification or accredited audit; not legal advice. Assessments can be mapped to recognised industry security benchmarks on request.

Questions, answered

The bits people ask first.

How do you access my Microsoft 365 tenant? +

You grant a read-only, least-privilege app - app-only, no standing admin - and we never write to your tenant. Access is revocable at any time, and every read shows in your own audit log. Prefer to run it yourself? We can supply a sealed, read-only script.

Where does my data go? +

Nowhere you have to log into. The assessment produces a single, self-contained report you own and keep. A one-off run is purged after 30 days; retainer clients keep prior reports only to compute quarter-over-quarter drift, on our own secured storage and deletable on request.

What does the assessment cover? +

Your posture across Entra, email, Teams, SharePoint, Purview, Intune and more, scored against the Glow Cloud M365 Security Framework, plus a link-by-link sharing deep-dive and an RBAC permission map. Scoring is honest: features you are not licensed for are not marked down.

Will it show whether we are ready for Microsoft 365 Copilot? +

Yes. We surface the oversharing and broad access Copilot would expose to staff on day one, so you can fix it before switching Copilot on.

Is this a certification or an accredited audit? +

No. It is a point-in-time assessment, not a certification or accredited audit, and not legal advice. Assessments can be mapped to recognised industry security benchmarks on request.

Ready to see who can reach what?

Request a Microsoft 365 security assessment.

Tell us your tenant and we will arrange a read-only access window, or send you the sealed, read-only tool to run yourself. No sales call required, and no obligation.

  • Temporary, read-only access - you stay in control
  • We retain only the report we hand you
  • A report you own, walked through in a readout

Request your assessment

No cost to ask. No sales call required.

Prefer email? hello@glowcloud.uk