Microsoft 365 | 7 min read

What a Microsoft 365 Assessment Reveals

Brian Clayton

A Microsoft 365 assessment is a structured review of a business's M365 tenant against current best practice. Done well, it surfaces three things in roughly equal measure: money you are wasting on licensing, security settings that should have been on from day one, and quiet exposure in how files and accounts are shared. We run these regularly at ClayGen and the findings are remarkably consistent across the businesses we onboard.

This piece walks through what an assessment typically reveals, why findings repeat across most Canadian SMBs, and why running an assessment once a year is not the same as having the picture in front of you continuously.

Why the Assessment Exists

Microsoft 365 is a deep platform with hundreds of settings, dozens of admin centers, and configuration choices that compound over years. Tenants accumulate technical debt the same way a kitchen junk drawer accumulates pens that no longer work. Things were configured for a reason at the time, then the reason left when the person who configured them did. No one revisits the choice because nothing visibly broke.

The assessment is the structured visit to the junk drawer. It looks at every setting that matters, compares against current best practice and your stated business needs, and produces a prioritized list of fixes. For most businesses it pays for itself in license savings alone before any other value lands.

License Findings

License waste is the easiest finding to quantify and the most surprising for owners looking at it for the first time. Common patterns:

  • Terminated employees still licensed. Microsoft 365 keeps charging for licenses assigned to disabled accounts until you actively remove them. We regularly find businesses paying for 5 to 20 percent more seats than they have active employees.
  • Business Premium for users who never touch the desktop apps. Frontline workers, shared kiosks, and warehouse staff often have Business Premium licenses at CAD $30.80 per user per month when a Frontline F1 or F3 license at a fraction of the cost would deliver everything they need.
  • Duplicate functionality elsewhere. Businesses paying for Defender for Endpoint as an add-on while already entitled to it through Business Premium. Or paying for a third-party MFA tool when Azure AD Premium P1 (included in Business Premium) provides it natively.
  • Unused premium features. A handful of users on E5 because someone needed advanced compliance features once, with the rest of the team on the significantly cheaper E3.

Across the businesses we have assessed, license optimization recoveries run in the low to mid four figures per year for a 25 to 50 person business, and into five figures once you cross 100 employees. None of it requires changing the user experience.
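One way to put numbers on the first finding, as an added example that is not ClayGen's own tooling: Microsoft Graph PowerShell lists every disabled account that still holds a license and then shows purchased versus consumed seats per SKU. It assumes the Microsoft.Graph SDK is installed and the signed-in account has User.Read.All and Organization.Read.All consent.

```powershell
# Added example, not ClayGen's tooling: find licenses still assigned to disabled accounts
# and show purchased vs. consumed seats per SKU. Assumes the Microsoft.Graph SDK and an
# account consented to User.Read.All and Organization.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"

# Map SKU GUIDs to their part numbers (e.g. SPB is Business Premium) so the report is readable.
$skuNames = @{}
$skus = Get-MgSubscribedSku
foreach ($sku in $skus) { $skuNames[$sku.SkuId] = $sku.SkuPartNumber }

# Every disabled account, with the licenses still attached to it.
$disabled = Get-MgUser -All -Filter "accountEnabled eq false" `
    -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

$waste = foreach ($u in $disabled) {
    foreach ($lic in $u.AssignedLicenses) {
        [pscustomobject]@{ User = $u.UserPrincipalName; Sku = $skuNames[$lic.SkuId] }
    }
}
"{0} licenses are assigned to disabled accounts:" -f @($waste).Count
$waste | Sort-Object Sku, User | Format-Table -AutoSize

# Seat view per SKU: purchased, consumed, and how many consumed seats sit on disabled accounts.
$seats = foreach ($sku in $skus) {
    if ($sku.PrepaidUnits.Enabled -eq 0) { continue }   # trial or expired SKU, nothing to recover
    [pscustomobject]@{
        Sku        = $sku.SkuPartNumber
        Purchased  = $sku.PrepaidUnits.Enabled
        Consumed   = $sku.ConsumedUnits
        OnDisabled = @($waste | Where-Object { $_.Sku -eq $sku.SkuPartNumber }).Count
    }
}
$seats | Format-Table -AutoSize
```

The OnDisabled column is the seat count you can release without touching any active user; licenses on disabled accounts keep billing until they are unassigned.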

Security Configuration Gaps

The security side of an assessment compares your tenant against the seven Microsoft 365 security settings every business should enable plus a deeper checklist that covers conditional access, mailbox audit, anti-phishing impersonation protection, DMARC enforcement, and Microsoft Secure Score baseline targets.

The findings here are also consistent across most tenants:

  • Security Defaults disabled (sometimes deliberately, often by accident) without conditional access in place to replace them
  • Legacy authentication protocols still enabled; these cannot enforce MFA, so they give an attacker with a valid password a way around it
  • Mailbox audit logging off on a subset of mailboxes (typical on tenants migrated from older configurations)
  • Anti-phishing policies running at default sensitivity with no impersonation protection on finance and executive staff
  • DMARC at monitor-only rather than quarantine or reject
  • External sharing of OneDrive and SharePoint set to "Anyone with the link" by default
  • Microsoft Secure Score sitting at 30 to 45 out of 100 when reachable targets are 65 to 80

Each of these is a one-time fix that takes minutes once identified. Together they shift your security posture meaningfully without changing what your users see.
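Three of the checks above read straight from the tenant, as an added example that is not ClayGen's own tooling: mailbox audit coverage, SMTP AUTH (basic authentication) exposure, and the DMARC policy mode of each accepted domain. It assumes the ExchangeOnlineManagement module, Exchange admin rights, and a Windows host for Resolve-DnsName.

```powershell
# Added example, not ClayGen's tooling: mailbox auditing, SMTP AUTH and DMARC mode checks.
# Assumes ExchangeOnlineManagement is installed and the caller holds Exchange admin rights.
Connect-ExchangeOnline -ShowBanner:$false

# Check 1: mailbox auditing. The org-level AuditDisabled switch overrides every per-mailbox value.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning "Mailbox auditing is disabled tenant-wide" }
$mailboxes = Get-Mailbox -ResultSize Unlimited
$noAudit   = $mailboxes | Where-Object { -not $_.AuditEnabled }
"{0} of {1} mailboxes have AuditEnabled = False" -f @($noAudit).Count, @($mailboxes).Count
$noAudit | Select-Object PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize

# Check 2: SMTP AUTH (basic auth). Tenant-wide setting first, then mailboxes that override it.
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) { Write-Warning "SMTP AUTH is enabled tenant-wide" }
# Per-mailbox value is tri-state: $null inherits the org setting, $false explicitly allows SMTP AUTH.
$smtpOn = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
"{0} mailboxes explicitly allow SMTP AUTH" -f @($smtpOn).Count
$smtpOn | Select-Object PrimarySmtpAddress | Format-Table -AutoSize

# Check 3: DMARC policy per authoritative domain. p=none is monitor-only and blocks nothing.
$domains = (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }).DomainName
foreach ($d in $domains) {
    $txt = (Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
    $policy = if ($txt -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{ Domain = $d; DmarcPolicy = $policy }
}
```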

Sharing and Access Exposure

The third finding category is harder to quantify but often the most concerning. An assessment audits what is currently shared externally from SharePoint and OneDrive, who has guest access into the tenant, what apps have been granted permissions to your data, and what mailbox forwarding rules exist.

Common findings:

  • Hundreds or thousands of OneDrive and SharePoint links shared with "Anyone with the link" that no longer need to be
  • External guests in Teams from contractors who finished engagements two years ago
  • Third-party app permissions granted to apps no one in the business currently uses
  • Mailbox forwarding rules quietly sending copies of mail to external addresses (a classic attacker persistence mechanism)
  • Shared mailboxes with sign-in enabled (they should be sign-in disabled and accessed via delegation)

This category is where one-time assessments fall furthest short. Sharing exposure accumulates daily. A clean tenant in January is a messy one by June if nobody is watching.
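The mailbox-side findings above can be pulled in one pass, as an added example that is not ClayGen's own tooling: it lists mailbox-level forwarding and inbox rules that send mail outside the tenant, and shared mailboxes whose directory account can still sign in. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, Exchange admin rights, and User.Read.All consent on Graph.

```powershell
# Added example, not ClayGen's tooling: external forwarding (mailbox setting and inbox rules)
# plus shared mailboxes with sign-in still enabled. Assumes ExchangeOnlineManagement and
# Microsoft.Graph are installed, with Exchange admin rights and User.Read.All on Graph.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.Read.All"

# Any domain the tenant accepts mail for counts as internal; everything else is external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
function Test-External([string]$smtp) {
    $domain = ($smtp -replace '^smtp:', '').Split('@')[-1].ToLower()
    return $domain -notin $internal
}

$findings = foreach ($m in Get-Mailbox -ResultSize Unlimited) {
    # Check 1: forwarding set on the mailbox object itself (an admin-side setting).
    if ($m.ForwardingSmtpAddress -and (Test-External $m.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $m.PrimarySmtpAddress; Kind = 'MailboxForwarding'; Target = $m.ForwardingSmtpAddress }
    }
    # Check 2: enabled inbox rules that forward or redirect outside the tenant.
    foreach ($rule in Get-InboxRule -Mailbox $m.Identity | Where-Object Enabled) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            # Recipient strings look like '"Name" [SMTP:user@domain]'; pull out the address.
            if ($t -match 'SMTP:([^\]]+)' -and (Test-External $Matches[1])) {
                [pscustomobject]@{ Mailbox = $m.PrimarySmtpAddress; Kind = "InboxRule: $($rule.Name)"; Target = $Matches[1] }
            }
        }
    }
    # Check 3: a shared mailbox's directory account should be sign-in disabled and used via delegation.
    if ($m.RecipientTypeDetails -eq 'SharedMailbox') {
        $acct = Get-MgUser -UserId $m.ExternalDirectoryObjectId -Property AccountEnabled
        if ($acct.AccountEnabled) {
            [pscustomobject]@{ Mailbox = $m.PrimarySmtpAddress; Kind = 'SharedMailboxSignInEnabled'; Target = '-' }
        }
    }
}
$findings | Sort-Object Kind, Mailbox | Format-Table -AutoSize
```

Get-InboxRule runs once per mailbox, so on a large tenant this is a scheduled job rather than an interactive command; a forwarding target in the report that nobody recognises is worth treating as a possible compromise, not just clutter.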

Identity and MFA Coverage

Identity is the highest-leverage area for cyber insurance and for actual security. The assessment maps MFA coverage across every user and every login pathway:

  • Are admins on hardware-based MFA, or still on SMS?
  • Are service accounts excluded from MFA via exemptions that should have expired?
  • Are guest accounts MFA-enforced or relying on the partner organization?
  • Are shared mailbox owners covered correctly?
  • Are legacy SMTP basic auth flows disabled?

We compare findings against what cyber insurance underwriters now require and against the broader cybersecurity baseline for Canadian SMBs. The output is a one-page identity heat map that owners can hand to their broker at renewal time.
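The first question on that list, which admins are on hardware-backed MFA and which are still on SMS, can be answered from Graph, as an added example that is not ClayGen's own tooling. It assumes the Microsoft.Graph SDK, consent to the scopes below, and the built-in Entra role names listed in $roles; group and service-principal role members are skipped because only user accounts register authentication methods.

```powershell
# Added example, not ClayGen's tooling: classify the MFA methods registered by members of
# privileged roles so SMS-only and MFA-less admins stand out. Assumes the Microsoft.Graph SDK
# and an account consented to the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

# Graph method types grouped by strength; the password method is always present and counts for nothing.
$phishResistant = '#microsoft.graph.fido2AuthenticationMethod',
                  '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
$appBased       = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                  '#microsoft.graph.softwareOathAuthenticationMethod'
$smsOrVoice     = '#microsoft.graph.phoneAuthenticationMethod'

$roles  = 'Global Administrator', 'Exchange Administrator', 'Security Administrator'
$admins = @{}
foreach ($name in $roles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { continue }   # role template never activated in this tenant
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Only user objects; groups and service principals have no registered methods.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $admins[$member.Id] = $member.AdditionalProperties['userPrincipalName']
    }
}

$report = foreach ($id in $admins.Keys) {
    $types = Get-MgUserAuthenticationMethod -UserId $id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    # Report the strongest tier present; an admin with FIDO2 plus SMS still lands in PhishingResistant.
    $tier = if ($types | Where-Object { $_ -in $phishResistant }) { 'PhishingResistant' }
            elseif ($types | Where-Object { $_ -in $appBased })   { 'AuthenticatorApp' }
            elseif ($types -contains $smsOrVoice)                 { 'SmsOrVoiceOnly' }
            else                                                  { 'NoMFA' }
    [pscustomobject]@{ Admin = $admins[$id]; BestMethod = $tier; Registered = ($types -join ', ') }
}
$report | Sort-Object BestMethod, Admin | Format-Table -AutoSize
```

An admin listed as SmsOrVoiceOnly or NoMFA is the row to fix first; weaker methods still registered alongside a strong one are worth removing so they cannot be chosen as a fallback.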

Why One-Time Assessments Fall Short

A point-in-time assessment finds yesterday's problems. The most damaging M365 misconfigurations creep back in over days and weeks as employees onboard, projects spin up, and admins respond to one-off requests by clicking the convenient option.

Three months after a perfect assessment, most tenants have new "Anyone with the link" shares, new guest accounts, new app permission grants, and new mailbox rules nobody approved. By twelve months it looks much like it did before the assessment.

This is the structural problem with the traditional one-time assessment. The value is real but it depreciates fast. Cyber insurers know this and increasingly ask not just "have you been assessed" but "what is your continuous monitoring."

Continuous Assessment Inside ClayGen Connect

ClayGen Connect includes an integrated Microsoft 365 view that runs the same assessment continuously rather than once a year. The dashboard surfaces:

  • Current Microsoft Secure Score, with the specific actions that would move it most
  • License utilization with flagged optimization opportunities
  • New external shares created in the last 7 days
  • Guest accounts that have been inactive for over 90 days
  • New app permission grants since the last review
  • Mailbox rules that auto-forward to external addresses
  • MFA coverage gaps across users, admins, and service accounts

The point is not the dashboard itself. Microsoft already publishes most of this data across half a dozen admin centers. The point is that one place rolls it up so the owner sees the picture without learning the M365 admin model, and so the MSP managing the tenant cannot quietly let things drift. Visibility is the control. For the broader view of how Connect handles M365 management end to end, see our complete Microsoft 365 management guide or explore the platform.

Getting Started

If you have never had a structured M365 assessment, a single one will pay for itself. If you are getting cyber insurance quotes or renewing existing coverage, doing the assessment first puts you in a much stronger position. Our Microsoft 365 management service includes the initial assessment in onboarding, with continuous assessment after that through ClayGen Connect.

Book a discovery call below if you want to walk through your tenant together.
