POSTURE AUDIT · SAMPLE
You connect Microsoft 365 read-only and, within minutes, this is exactly the deliverable that lands in your inbox. No card, no commitment.
Your score is calculated relative to your industry and size.
01 · OVERVIEW
19 controls flagged of 197 evaluated. The bar shows each category's severity mix.
02 · TOP FINDINGS
The most common and most dangerous Microsoft 365 misconfigurations in companies your size. Each finding carries its rule, its impact, and how Operación fixes it.
Legacy protocols (basic SMTP, POP, IMAP, EWS) bypass MFA by design. An attacker with a leaked credential gets in without a second factor — the number-one account-takeover vector in Microsoft 365.
How Operación fixes it: Conditional Access policy blocking legacy-auth clients for all users, rolled out in rings with before/after traffic evidence.
Privileged-role accounts (Global Admin, Exchange Admin) operate without enforced MFA. Compromising one grants full control of the tenant.
How Operación fixes it: Conditional Access requiring phishing-resistant MFA for every admin role, with break-glass account coverage verified.
Your domain publishes DMARC but in monitor-only mode. Anyone can spoof your domain in fraud email (fake invoices, BEC) and receiving mail servers still deliver it to the inbox.
How Operación fixes it: Harden DMARC to p=quarantine then p=reject after validating SPF/DKIM alignment from aggregate reports, without breaking legitimate senders.
Anyone-with-the-link sharing is allowed. Sensitive documents become accessible with no authentication and no expiry — silent data leakage invisible to access logs.
How Operación fixes it: Restrict sharing to authenticated users, enforce link expiry, and apply sensitivity labels to critical containers.
Users can grant permissions to third-party apps without review. Over-permissioned apps (Mail.ReadWrite, Files.ReadWrite.All) are a persistent backdoor that survives password resets.
How Operación fixes it: Enable the admin-consent workflow, restrict user consent to low-risk permissions, and review existing over-privileged grants.
The unified audit log does not capture every workload or has insufficient retention. In an incident, there is no forensic trail to reconstruct what happened — a direct compliance gap (LFPDPPP, CNBV).
How Operación fixes it: Enable audit logging across every workload and extend retention to the window required by your regulatory framework.
+ 13 additional findings in the full report, each with its evidence and remediation plan.
03 · REMEDIATION
Every fix runs on your own tenant via Microsoft Graph, under your approval, with before-and-after evidence. You approve; the agent executes; the report proves it.
You review every proposed change. Nothing executes without your explicit consent.
Remediation applies to your tenant through Microsoft Graph, read-write only for the approved change.
We capture before-and-after state for each control. The re-scan confirms the risk dropped.
$39,900 MXN to start, then $24,900/mo · cancel anytime
Microsoft 365 connection in read-only mode. No credit card.