TMTenant MOTStart

Frequently asked questions

If yours isn't here, email hello@tenantmot.co.uk and we'll add it.

Are you assessing against Cyber Essentials v3.3?+

Yes. v3.3 became the live standard on 26 April 2026. Every check in our scan quotes the relevant v3.3 paragraph directly so you can cross-reference our findings against the published requirements document at ncsc.gov.uk.

Is this an official Cyber Essentials assessment?+

No. Tenant MOT is an automated readiness scan that maps configuration evidence to the CE control set. Formal certification still has to be done through an IASME-accredited certification body. We aim to dramatically reduce the prep work, not replace certification.

What data do you actually pull?+

Configuration: Conditional Access policies, authorisation policies, group settings (banned password lists, smart lockout), directory roles and their members, role eligibility schedules, identity protection risk records, the most recent Microsoft Secure Score record, organisation profile, and licence details for admin accounts. We also resolve SPF, DKIM and DMARC records via public DNS as bonus best-practice checks.

Can I really exclude Microsoft 365 from my CE scope?+

Not under v3.3. The April 2026 version of the requirements document states explicitly: "Cloud services cannot be excluded from scope." If your data or services are hosted on M365, M365 is in scope. That's exactly the gap Tenant MOT exists to fill.

Do you read mail, files, or chats?+

No. We do not request, and could not use, scopes that would let us see mailbox content, OneDrive/SharePoint files, or Teams messages. The application permission set is strictly read-only directory and policy data.

How long does a scan take?+

Most tenants finish within five to ten minutes. Larger tenants (10,000+ users) can take a little longer because we paginate through user records to assess sign-in activity.

Can I re-scan?+

In the free tier, yes — sign up again with the same email and we will produce a fresh report. Scheduled re-scans (quarterly, with regression alerting) are part of the Pro tier.

What happens to the connection after the scan?+

The Tenant MOT enterprise application stays consented in your tenant so you can re-scan without re-consenting. To remove our access entirely, go to Entra → Enterprise applications → Tenant MOT → Delete.

Where is data stored?+

In a private PostgreSQL database hosted in the EU (UK / EEA region). Refresh tokens, where used, are encrypted at rest with AES-256.

Who is behind Tenant MOT?+

Tenant MOT is owned by Game On Solutions Ltd and operated by Mastercopy Limited under a trade mark licence. Both are UK-registered companies.