Microsoft 365 assessment

Most M365 tenants are misconfigured. Is yours?

Microsoft 365 is the backbone of most NZ businesses — email, Teams, SharePoint, OneDrive. It's also the most common entry point for phishing, ransomware, and business email compromise. A KIS M365 assessment reviews your entire tenant configuration against Microsoft security best practices and NIST CSF 2.0 Protect controls, giving you a clear remediation plan. Most businesses are surprised by what we find.

What's included

Full Microsoft Secure Score review benchmarked against NIST CSF 2.0
Exchange Online and email security configuration (SPF, DKIM, DMARC)
MFA coverage review and gap identification
Conditional access policy review
SharePoint and OneDrive sharing settings audit
Teams security configuration and external access controls
Admin privilege and service account review
Plain-English report with prioritised remediation steps

Quick turnaround: Most M365 assessments are completed within 2–3 business days and require read-only access via Microsoft's native Secure Score API — no admin credentials required, no ability to make changes, no disruption to your team.

Book an M365 assessment →

Common findings in M365 tenants we assess

MFA not enforced for all users — especially admins and finance staff

No DMARC record — attackers can spoof your domain in phishing emails

SharePoint sharing set to "Anyone" — files accessible without login

Excessive global admins — more full-control accounts than necessary

Audit logging disabled — no record of who accessed what, when

Legacy authentication enabled — bypasses modern MFA policies

These appear in the majority of M365 tenants we assess — based on KIS M365 assessment data. Each is fixable, usually within hours.

How access works

You stay in control. Always.

A common concern about M365 assessments is what access we need. The honest answer is very little — and we explain exactly what we use before we start.

Read-only delegated permissions

We use Microsoft's native Secure Score API with read-only delegated permissions. We cannot send emails, access message content, or make any changes to your tenant.

No admin credentials required

You grant access through Microsoft's own permission system. You can revoke it at any time during or after the assessment.

No disruption to your team

The assessment runs in the background. Your staff won't notice anything different — no outages, no alerts, no interruptions.

Clear documentation before we start

We provide a written scope of access before beginning. You know exactly what we can see and what we cannot.

Related services

Security training

Hardening M365 catches technical gaps — training catches the human ones. Both are needed.

View service →

Managed monitoring

Once M365 is secured, we can monitor it around the clock for login anomalies and threats.

View service →

Cloud security

Running Azure alongside M365? Assess both together for complete Microsoft environment coverage.

View service →

Our Workflow…

Free conversation
We talk about your business, your concerns, and your goals. No sales pitch.
We scope and quote
A clear proposal arrives within two business days. Exact scope, fixed price — no surprises.
We get to work
We handle the heavy lifting. We’ll only contact you when we need something or have something to show you.
We debrief clearly
Every engagement ends with a plain-English walkthrough of findings, recommendations, and next steps.

What you need to provide…

About an hour of your time
For the initial conversation and the final debrief. We do the rest.
Access to the right people
Usually your IT contact (or you, if that’s the same person) and whoever owns the systems in scope.
Read-only access where needed
For most assessments, we only ever need read access — never admin credentials or the ability to make changes.
An honest picture of where you are
The more candid you are about your current setup, the more useful our findings will be. There’s no judgement here.

That’s genuinely it. You don’t need a dedicated IT team, a security background, or any preparation beyond booking the first call.

Not sure which service you need?

Start here.

A free 30-minute conversation. We’ll tell you honestly what your business needs — and what it doesn’t.

Book a free conversation

What others say about us…

We’d always had a family member looking after our IT, and while we trusted them completely, we hadn’t realised how much risk we were quietly carrying. KIS came in and overhauled our entire security setup, got us properly configured with multi-factor authentication, and went through our Microsoft 365 environment to make sure the right people had the right access and licensing. It wasn’t just a technical fix, it was genuine peace of mind. We now know our systems are actually secure, not just looked after by someone who means well.

Jeremy T.Owner, Auto Services

As a financial services firm, protecting client data isn’t optional. We had no formal security management framework in place and knew we needed to get serious. KIS assessed where we stood and mapped out a practical path toward NIST and ISO 27001 compliance, grounded in what was realistic for our size and structure. Their advice was prioritised and clear, and we came away with a credible roadmap and the confidence that we’re taking the right steps in the right order.

Pam K.CIO, Financial Services Firm

We were rolling out AI across the organisation and our internal IT team is great, but this was new territory. We needed someone to close the gaps fast and set us up to manage things ourselves going forward. KIS delivered on all of it. They implemented data loss prevention, a document classification scheme, and Microsoft Purview, and the uplift in our security and compliance posture has been significant. The best part? They didn’t just fix things and leave. We came out of it actually understanding the system and capable of running it ourselves.

Abby S.Compliance Officer, Telecommunications Company

We’re a small non-profit focused on young people, and like many organisations like ours, we were running largely on goodwill and volunteers. We had a website collecting significant personal information and, honestly, we hadn’t fully grasped the risk we were sitting on. KIS conducted a penetration test, walked us through every finding, and worked through remediation of all critical vulnerabilities with our budget in mind the whole time. They treated our mission as if it mattered to them too, and that made all the difference.

Elizabeth C.Senior Leader, Youth Organisation

Most M365 tenants are misconfigured. Is yours?

You stay in control. Always.

Read-only delegated permissions

No admin credentials required

No disruption to your team

Clear documentation before we start

Security training

Managed monitoring

Cloud security

Our Workflow…

What you need to provide…

Not sure which service you need?

What others say about us…

KIS

Services

Company

Useful links