Skip to content
  • There are no suggestions because the search field is empty.

How do I read the Microsoft 365 Security assessment results?

After a Microsoft 365 Security assessment ís completed, each check in the report ends with one of three outcomes:

Outcome: Meaning: Recommended action:
Pass The tenant's configuration matches the baseline. None
Fail The configuration does not match the baseline. The finding includes the observed value, the required value, and a direct link to the relevant page in the Microsoft admin center. Remediate using the  Solution tab on the finding.
Warn The configuration partially meets the baseline, or matches a weaker setting that is still permitted.

Review and decide whether to harden further. 
Unknown This check must be verified manually in the Microsoft admin center. Verify manually using the Solution steps; record the outcome. 

Every finding carries the baseline control ID so the upstream rationale can be looked up at any time.

Why do some checks require manual verification?

Currently, 13 of the 118 checks are marked Manual verification required. This is deliberate and occurs for one of two reasons.

1. The data is not exposed by any Microsoft API

A small set of settings is only visible in the admin portal itself, with no supported Graph or PowerShell endpoint to query. For those, the assessment reports the control as manual and provides the exact path through the admin center to verify it, rather than attempting to screen-scrape or produce an unverifiable result. Examples:

  • Confirming that high-risk-user notifications are sent to a named admin mailbox.
  • Confirming audit logs are forwarded to a SIEM or equivalent monitoring system.
  • Confirming audit log retention meets the organization's internal compliance requirements.

2. The control concerns a third-party product

Several baseline controls apply only if a non-Microsoft product is in use, for example, "if a third-party anti-phishing product is used instead of Microsoft Defender, verify it provides equivalent protection." The assessment cannot inspect external systems from inside Microsoft 365, so the check is marked as manual for environments where a third-party product applies. Examples:

  • A third-party anti-malware product for Exchange.
  • A third-party DLP solution.
  • A third-party SIEM receiving Microsoft 365 alerts.

Manual verification findings in the report include a plain description of what to verify and where to find the setting in the Microsoft admin center.