
How it works

Six steps. Most customers go from sign-up to a finished report in under fifteen minutes — and the only person who has to do anything inside Microsoft is your Global Administrator.

Cyber Essentials v3.3 (effective 26 April 2026) explicitly states that cloud services cannot be excluded from scope — Microsoft 365 is named as an example. Every CE applicant running M365 needs a defensible posture for it.

  1. Tell us how to reach you

    Enter your name, work email, company name, and the primary domain of your Microsoft 365 tenant (the one your users sign in with). Takes about 30 seconds.

  2. Sign in as a Global Admin

    You'll be redirected to Microsoft's consent page. You must be signed in as a Global Administrator of the tenant you want to scan — if you're not, forward the consent link to someone who is.

  3. Grant read-only access

    Microsoft will list every permission Tenant MOT is asking for. They are all read-only — Directory.Read.All, Policy.Read.All, User.Read.All, AuditLog.Read.All, Reports.Read.All, IdentityRiskyUser.Read.All, RoleManagement.Read.Directory, SecurityEvents.Read.All. No write scopes are requested.

  4. We run the scan

    Behind the scenes we pull configuration and signals from Microsoft Graph: Conditional Access policies, admin role memberships, sign-in activity, identity protection events, and the most recent Microsoft Secure Score. We also resolve your domain's SPF, DKIM and DMARC records over public DNS.

  5. Read your report

    Within ten minutes you receive an email with a private link to your readiness dashboard and a downloadable PDF. Each finding is colour-coded (Ready, Partial, Gap, Attestation Required) with a recommendation and the matching CE control reference.

  6. Disconnect when you're done

    You can revoke the Tenant MOT app at any time from Entra → Enterprise applications → Tenant MOT → Properties → Delete. We will no longer be able to read anything from your tenant after that.
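A Global Administrator can check the grant from step 3 against the eight permissions listed there. The script below is an added example, not Tenant MOT's own code: it assumes the granted permission names have been copied out of the app's Permissions view in Entra, and it classifies each one by the Microsoft Graph naming pattern Resource.Operation.Constraint. The function names are illustrative.

```python
# Added example; classify() and audit_grant() are illustrative names.
import re

# The eight permissions named in step 3 of this page.
ADVERTISED = {
    "Directory.Read.All", "Policy.Read.All", "User.Read.All",
    "AuditLog.Read.All", "Reports.Read.All", "IdentityRiskyUser.Read.All",
    "RoleManagement.Read.Directory", "SecurityEvents.Read.All",
}
# OpenID Connect sign-in scopes; they grant no Graph data access by themselves.
OIDC = {"openid", "profile", "email", "offline_access"}
# Graph permission names follow Resource.Operation[.Constraint].
NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*\.([A-Za-z]+)(\.[A-Za-z0-9]+)?$")
READ_ONLY_OPS = {"read", "readbasic"}


def classify(permission):
    """Return 'oidc', 'read', 'write' or 'unknown' for one permission name."""
    if permission.lower() in OIDC:
        return "oidc"
    match = NAME.match(permission)
    if not match:
        return "unknown"
    return "read" if match.group(1).lower() in READ_ONLY_OPS else "write"


def audit_grant(granted):
    """Compare granted permission names with the advertised list."""
    advertised = {p.lower(): p for p in ADVERTISED}
    seen, report = set(), {"write": [], "unexpected": [], "unknown": [], "missing": []}
    for name in dict.fromkeys(p.strip() for p in granted if p.strip()):
        kind = classify(name)
        seen.add(name.lower())
        if kind == "unknown":
            report["unknown"].append(name)   # unparseable: review by hand
        elif kind == "write":
            report["write"].append(name)     # any non-Read operation
        elif kind == "read" and name.lower() not in advertised:
            report["unexpected"].append(name)  # read-only but not on the list
    report["missing"] = sorted(p for k, p in advertised.items() if k not in seen)
    report["ok"] = not (report["write"] or report["unexpected"] or report["unknown"])
    return report


if __name__ == "__main__":
    # Constructed sample input, not taken from a real tenant.
    sample = "openid profile Directory.Read.All Policy.ReadWrite.ConditionalAccess Mail.Read"
    print(audit_grant(sample.split()))
```

Anything under `write`, `unexpected` or `unknown` is a reason to pause before consenting, or to revoke afterwards; `missing` only means an advertised permission was not in the pasted list.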

Frequently asked at this point

Will this change anything in our tenant?

No. Every permission we request is read-only. We literally cannot create, modify, or delete anything — Microsoft enforces that at the API layer.

Do you store our data?

We store the findings (e.g. “your CA policy excludes 12 users”) so we can build the report. We do not store user lists, mailbox contents, files, passwords, or anything from inside your tenant beyond the configuration signals needed for the assessment.

Who needs to do the consent step?

A Global Administrator of the tenant being scanned. If that’s not you, the start form will give you a link you can forward to whoever it is.

What if we don't have Entra ID P1 or P2?

Most checks still run. A handful that depend on premium features (sign-in activity, Identity Protection, PIM) will be reported as “attestation required” rather than passed or failed — meaning we couldn’t test them automatically and you’ll need to confirm manually.