How do I read the Microsoft 365 Cloud Security scan results?
- PASS: The tenant's configuration matches the baseline.
- FAIL: The configuration does not match the baseline. The finding includes the observed value, the required value, and a direct link to the relevant page in the Microsoft admin centre.
- Manual verification required: The check cannot be automated.
Every finding carries the baseline control ID so the upstream rationale can be looked up at any time.
Why some checks require manual verification?
Currently, 13 of the 118 checks are marked Manual verification required. This is deliberate and occurs for one of two reasons.
The data is not exposed by any Microsoft API.
A small set of settings are only visible in the admin portal itself, with no supported Graph or PowerShell endpoint to query. For those, the scanner reports the control as manual and provides the exact path through the admin centre to verify it, rather than attempting to screen-scrape or produce an unverifiable result. Examples:
- Confirming that high-risk-user notifications are sent to a named admin mailbox.
- Confirming audit logs are forwarded to a SIEM or equivalent monitoring system.
- Confirming audit log retention meets the organisation's internal compliance requirements.
The control concerns a third-party product.
Several baseline controls apply only if a non-Microsoft product is in use, for example, "if a third-party anti-phishing product is used instead of Microsoft Defender, verify it provides equivalent protection." The scanner cannot inspect external systems from inside Microsoft 365, so the check is marked manual for environments where a third-party product applies. Examples:
- A third-party anti-malware product for Exchange.
- A third-party DLP solution.
- A third-party SIEM receiving Microsoft 365 alerts.
Manual-verification findings in the report include a plain description of what to verify and where to find the setting in the Microsoft admin centre..