What is simiriki, exactly?
simiriki is an operational-infrastructure platform for Microsoft 365 focused on Mexican mid-market companies. It operates Microsoft 365 (Defender, Sentinel, Purview, Power Platform) that your business already licenses — configuring, automating, and maintaining those tools with 201 detection rules, 189 remediation playbooks, and regulatory mapping to LFPDPPP / CNBV / NOM-151. It does not replace Microsoft 365; it operates it consistently.
What does the free /scan do?
The free scan connects your Microsoft 365 tenant via read-only OAuth, runs the 155 Microsoft Graph rules of the 201-rule library and calculates an sIPO score (0–100) with grade A+ to F; the on-screen preview usually appears within a couple of minutes (larger tenants can take longer because Microsoft Graph is rate-limited) and the 3-page PDF Posture Brief is delivered in under an hour. No credit card required. The OAuth consent is strictly read-only — no rule writes to your tenant. The 46 Azure Resource Manager rules are added when you connect with admin consent and Reader role (Operación).
What data does the Auditoría actually read?
Only security configuration, never content. Via Microsoft Graph + Azure Resource Manager (read-only consent) we read: identity and conditional-access policies, MFA state and methods, privileged roles and assignments, application (OAuth) consents, Exchange/mail configuration (DKIM/DMARC/forwarding rules — not the mail itself), Purview DLP policies and labels, device/Intune configuration, SharePoint/OneDrive external sharing, and Azure resource configuration (NSGs, storage, encryption, Defender for Cloud). We never read the body of emails, files, chats, or calendars. You can revoke access anytime from your Microsoft 365 portal.
Where is my data stored?
Production data is stored in Azure region East US 2 with at-rest encryption (Microsoft-managed keys, optional customer-managed key on Business+). Scan results, findings, and monthly memos live in a dedicated Azure PostgreSQL instance. Access always through Entra ID identity, never via stored customer tokens. Retention and deletion follow your policy — all information is exportable in standard JSON format for portability.
Do I need Microsoft 365 E5 licenses?
Not for the Escaneo or the free Auditoría. Any Microsoft 365 Business Standard tenant or higher works; advanced remediations such as Conditional Access require Microsoft Entra ID P1 (Business Premium, E3 or E5). For Operación (agentic remediation) we do recommend E5 so the engagement uses the full Defender XDR + Microsoft Sentinel stack. If your current licensing is ambiguous, we'll confirm at no cost during the first scan.
Why are there 189 playbooks for 201 rules — and do they run on their own?
The 189 is FEWER than the 201 by design, not for lack of coverage: every one of the 201 detection rules has a remediation path. The playbook count is not 1:1 with rules — many rules share the same fix (an N:1 mapping): for example, a single Conditional Access policy remediates multiple MFA and legacy-authentication findings, and one alert investigation covers several Defender rules. That is why the 189-playbook library covers the full set of 201 rules, with fewer distinct fixes than rules because they are reused. And they do not run on their own — everything is under your approval, across three honest tiers: about 21 are auto-executable via Microsoft Graph (non-destructive, report-only writes that are safe once you grant remediation consent); the majority are "the agent prepares, you approve" (it reads your tenant state, derives the exact fix and stages it for one click); the rest are advisory recommendations an operator applies. Azure (ARM) fixes run only after you grant Azure consent and approve. We never claim to "automatically fix" beyond that small, non-destructive auto class.