Tenant MOT

What we check

Tenant MOT runs 17 checks per scan — 9 of them assess strict Cyber Essentials v3.3 requirements with direct quotes from the spec; the rest are best-practice add-ons that appear in the report but don't affect your headline readiness score.

Each finding is colour-coded — Ready, Partial, Gap, or Attestation Required — and links to the matching CE control reference where applicable.

User Access Control

The CE v3.3 theme that carries the most weight for Microsoft 365 — entirely the customer's responsibility per the v3.3 shared-responsibility table.

  • MFA enforced for all users
    "authentication to cloud services must always use MFA" — a Conditional Access policy targets all users and all cloud apps with an MFA grant control.
    CE v3.3 §4
  • Legacy authentication blocked
    Required to honour the MFA mandate — legacy protocols (IMAP/POP/SMTP AUTH) bypass MFA. A Conditional Access policy blocks them.
    CE v3.3 §4
  • MFA for admin roles
    "you should always use multi-factor authentication to give administrative accounts extra security" — admin roles must satisfy MFA on every sign-in.
    CE v3.3 §4
  • Separate admin accounts
    "use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities)" — admin accounts must not hold productivity licences.
    CE v3.3 §4
  • Stale member accounts
    "remove or disable user accounts when they're no longer required (… or after a defined period of account inactivity)" — we use 90 days as the industry-standard default.
    CE v3.3 §4
  • Stale guest accounts
    Secure Configuration: "remove and disable unnecessary user accounts (such as guest accounts…)".
    CE v3.3 §2
  • Common-password deny list
    One acceptable password-protection path is "minimum password length of at least 8 characters … and use automatic blocking of common passwords using a deny list".
    CE v3.3 §4
  • Brute-force protection (smart lockout)
    "no more than 10 guesses in 5 minutes" or "locking devices after no more than 10 unsuccessful attempts". Microsoft's smart lockout defaults satisfy this.
    CE v3.3 §4
  • Conditional Access coverage
    Conditional Access is the mechanism Entra exposes for enforcing the v3.3 MFA, brute-force, and admin-separation requirements.
    CE v3.3 §4
  • Global Administrator count (bonus)
    CE v3.3 doesn't cap admin numbers but the principle of least privilege does. We flag tenants with more than 5 Global Administrators.
    Best practice
  • Self-service password reset (bonus)
    Not a CE v3.3 requirement, but reduces helpdesk-impersonation risk substantially.
    Best practice
  • Risky users triaged (bonus)
    Identity Protection isn't a CE control, but unresolved compromise indicators directly contradict the spirit of §4.
    Best practice
  • Privileged Identity Management (bonus)
    JIT elevation isn't in CE v3.3 but supports "remove or disable special access privileges when no longer required".
    Best practice

Secure Configuration

Joint responsibility for SaaS — Microsoft handles the infrastructure layer, you configure tenant-level policy.

  • Microsoft Secure Score baseline (bonus)
    Microsoft's own Secure Score is pulled and the top remaining recommendations are surfaced with their CE-theme mapping.
    CE v3.3 §2 / §4

Email security (bonus — not a CE theme)

SPF, DKIM and DMARC are not part of CE v3.3, but they're cheap, high-value defences against spoofing. We check them anyway and report them as bonus findings (they don't affect your headline score).

  • SPF published with hard fail (bonus)
    A v=spf1 record is published with -all and lists all legitimate senders.
    Bonus
  • DKIM signing (bonus)
    Both the selector1._domainkey and selector2._domainkey CNAMEs resolve, meaning Microsoft can sign your outbound mail.
    Bonus
  • DMARC enforcement (bonus)
    A _dmarc TXT record is published with a policy of quarantine or reject.
    Bonus
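As an added example (not Tenant MOT's own code), a small Python evaluator that applies the three email checks above to DNS answers constructed inline; the domain, record values and function names are assumptions, and results use the report's Ready/Partial/Gap labels:

```python
"""Evaluate SPF, DKIM and DMARC records against the criteria listed above.

Added example, not Tenant MOT's own code. The DNS answers below are
constructed inline (no live lookups), so the script runs offline.
"""

# Constructed answers for a hypothetical domain; the values are not real records.
DNS = {
    ("example.invalid", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("selector1._domainkey.example.invalid", "CNAME"): ["selector1-example-invalid._domainkey.contoso.onmicrosoft.com"],
    ("selector2._domainkey.example.invalid", "CNAME"): [],  # second selector never published
    ("_dmarc.example.invalid", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"],
}

def lookup(name, rtype):
    """Stand-in resolver: returns the constructed answers for (name, type)."""
    return DNS.get((name.lower(), rtype), [])

def check_spf(domain):
    """Ready only with exactly one v=spf1 record whose final term is -all (hard fail).
    Whether it lists every legitimate sender cannot be judged from DNS alone."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:  # missing, or duplicates, which receivers treat as permerror
        return "Gap"
    return "Ready" if records[0].split()[-1].lower() == "-all" else "Partial"

def check_dkim(domain):
    """Ready when both Microsoft 365 selector CNAMEs resolve; Partial if only one does."""
    resolved = sum(1 for s in ("selector1", "selector2")
                   if lookup(f"{s}._domainkey.{domain}", "CNAME"))
    return {2: "Ready", 1: "Partial"}.get(resolved, "Gap")

def check_dmarc(domain):
    """Ready when the v=DMARC1 record has p=quarantine or p=reject; p=none is Partial."""
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.lower().startswith("v=dmarc1")]
    if not records:
        return "Gap"
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return "Ready" if tags.get("p") in ("quarantine", "reject") else "Partial"

def email_report(domain):
    """Bonus findings for one domain, keyed the way the report labels them."""
    return {"SPF": check_spf(domain), "DKIM": check_dkim(domain), "DMARC": check_dmarc(domain)}
```

For the constructed domain the missing second selector yields a Partial DKIM finding while SPF and DMARC come back Ready.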