PowerShell audit tool

15 M365 misconfigurations. One script. Under 10 minutes.

Sentinel Scout runs a weighted audit across 15 security controls in your Microsoft 365 tenant. You get a score, your top failures, and a JSON record for your files.

Request free access Book a WGC-M365 Health Check

What it checks

15 controls covering identity, data protection, and admin hygiene. Each is weighted by security impact.

Check ID	Control	Severity
SC-001	Legacy authentication protocols enabled	Critical
SC-002	MFA not enforced for all users	Critical
SC-003	Security defaults or Conditional Access absent	Critical
SC-004	Global Administrator count exceeds 2	High
SC-005	Privileged Identity Management not in use	High
SC-006	Microsoft Secure Score below 50%	High
SC-007	External sharing unrestricted in SharePoint	High
SC-008	Audit logging disabled or retention under 90 days	High
SC-009	Defender for Office 365 anti-phishing not configured	Medium
SC-010	Safe Links and Safe Attachments not enabled	Medium
SC-011	Self-service password reset not configured	Medium
SC-012	Guest user access not reviewed in last 90 days	Medium
SC-013	App consent not restricted to admins	Medium
SC-014	Sign-in risk policy absent	Low
SC-015	Named locations not defined for Conditional Access	Low

Prerequisites

PowerShell 7 or later
Microsoft Graph app registration with admin consent
Required scopes: Policy.Read.All, Directory.Read.All, AuditLog.Read.All, SecurityEvents.Read.All, Reports.Read.All
Global Reader or Security Reader role on the target tenant

Install and run

Free access. Enter your details to reveal the installation script and instructions instantly.

Access granted

Your details have been logged. Copy the installation content below.

You can review the repository and full documentation on GitHub: Sentinel Scout Repository.

To run the tool immediately, open PowerShell 7+ and execute the following command:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Westgate-Sentinel-Consulting/sentinel-scout/main/Get-SentinelScout.ps1" -OutFile "Get-SentinelScout.ps1"
.\Get-SentinelScout.ps1

Example output

Sentinel Scout v1.0 — M365 Security Audit
Tenant: contoso.onmicrosoft.com
Run completed: 2026-04-07 09:14:22 UTC

Controls assessed : 15
Controls passed   : 9
Controls failed   : 6

Weighted score    : 61 / 100

Top 3 failures:
  [CRITICAL] SC-001 — Legacy authentication still enabled
  [CRITICAL] SC-003 — No Conditional Access policies found
  [HIGH]     SC-008 — Audit log retention set to 30 days

Full results written to: sentinel-scout-20260407-091422.json

Average weighted score for mid-market M365 tenants

The most common failure: legacy authentication still enabled. It appears in over 60% of tenants audited during WGC-M365 engagements.

Free tool vs WGC-M365 Health Check

Sentinel Scout (free)	WGC-M365 Health Check
Weighted score across 15 controls	Remediation roadmap with priorities
Top failing controls identified	Leadership-ready report
JSON output for your records	Implementation support included
Free after a short enquiry	Paid engagement. Book a call

What a WGC-M365 engagement delivers

A full health check goes beyond the score. You receive a prioritised remediation plan, a leadership-ready summary with business risk framing, and documentation to support internal change approval. Where implementation support is in scope, we work alongside your team to close the identified gaps.

Ready to close the gaps?

A WGC-M365 Health Check turns your Sentinel Scout results into a prioritised action plan.

Typical output: ranked findings, board-ready summary, and 30/60/90-day actions.

Request free access Book WGC-M365 View M365 service

Disclaimer

Sentinel Scout produces indicative output based on read-only Graph API queries at the time of the run. It is not a formal security assessment and should not be used as evidence of compliance or certification. Results reflect configuration state at run time and may not capture all relevant controls for your organisation.