270+ Security Checks · 7 M365 Workloads

Frequently Asked Questions

Everything you need to know about securing your Microsoft 365 tenant with O365Validator. Can't find what you're looking for? Contact us.

Security & Privacy

How we protect your data and respect your tenant

Absolutely not. O365Validator uses exclusively read-only permissions. We analyze your security configuration but never modify any settings, policies, or user data. You can verify this by reviewing the specific Graph API permissions we request — all end in '.Read' or '.Read.All', never '.ReadWrite'.

We store only the assessment results (pass/fail status, severity ratings, remediation recommendations). We do not store raw tenant data, user lists, or personal information. Access tokens are encrypted with AES-256-GCM and automatically expire.

You can revoke access anytime from the Microsoft Entra admin center. Go to Enterprise Applications, find O365Validator, and click 'Delete'. This immediately terminates all access to your tenant.

No. We do not request any permissions to access email content, calendar data, OneDrive files, SharePoint documents, or Teams messages. Our permissions are strictly limited to security configuration data.

Only users in your organization who authenticate via your tenant. If you're an MSP client, your designated MSP administrator can also view your results. We never share data between tenants or with third parties.

Your assessment data is encrypted at rest and in transit. We never store your credentials - we use OAuth tokens that you can revoke anytime. Assessment results are retained for 90 days unless you delete them sooner.

We request read-only permissions to assess your configuration. For IR mode, we may request additional permissions for threat containment. You can review all requested permissions before granting access.

How We Compare

O365Validator vs other M365 security tools

ScubaGear is a free, open-source PowerShell tool from CISA that requires local installation and technical expertise. O365Validator is a SaaS platform with 270+ checks (vs ~80), guided remediation capabilities, MSP multi-tenant management, and no installation required. ScubaGear is great for government compliance; O365Validator is built for MSPs and businesses who need actionable results fast.

Soteria offers 200+ checks with enterprise-focused pricing and sales-driven onboarding. O365Validator provides 270+ checks with transparent pricing starting at $0, immediate self-service access, and unique guided remediation that Soteria doesn't offer. We also include incident response services that Soteria doesn't provide.

Free tools like ScubaGear require PowerShell expertise, manual interpretation of results, and don't help you fix issues. O365Validator gives you a web-based dashboard, prioritized remediation guidance, estimated fix times, and optional step-by-step remediation guidance. You'll save hours per assessment.

Yes. We map to CISA SCuBA baselines (same as ScubaGear), CIS Microsoft 365 Foundations Benchmark v3.1.0, and NIST 800-53 controls. Our 270+ checks cover Entra ID, Exchange, SharePoint, Teams, Defender, Intune, and Power Platform.

While Microsoft Secure Score provides basic recommendations, O365Validator offers deeper analysis with 270+ checks, attack detection capabilities, malicious OAuth app identification, and actionable remediation guidance with direct portal links.

Yes! Our checks are mapped to CIS Microsoft 365 Benchmarks, CISA SCuBA guidelines, and NIST frameworks. You can export detailed reports showing compliance status for each control.

Pricing & Plans

Transparent pricing with no surprises

Yes! Your first assessment is completely free with no credit card required. You get the full assessment of 270+ checks, prioritized findings, and remediation guidance — not a watered-down trial.

Free includes full assessment with prioritized findings and step-by-step remediation guides. Pro ($149/30 days or $49/month) adds guided remediation with detailed instructions, a remediation wizard, before/after comparison, unlimited re-scans, and priority support.

Yes! We offer flexible per-tenant pricing at $49/tenant/month (billed annually) or $59/tenant/month (billed monthly). This scales with your business — no arbitrary tenant limits. All MSP plans include white-label reports, bulk assessments, guided remediation, and dedicated support.

We offer emergency incident response for $1,500 — a one-time fee to investigate and evict attackers from a compromised M365 tenant. This is unique in the market and priced far below typical IR retainers.

Absolutely. There are no long-term contracts. You can cancel your subscription at any time, and your access will continue until the end of the current billing period.

Technical Questions

APIs, permissions, and how it works under the hood

We request read-only Microsoft Graph API permissions including Directory.Read.All, Policy.Read.All, SecurityEvents.Read.All, and similar. You need Global Administrator or Security Administrator rights to grant consent.
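One way to check an app's granted permissions against the naming rule this FAQ states, as an added example (not O365Validator's code): it takes records shaped like Microsoft Graph `oauth2PermissionGrant` and `appRoleAssignment` objects plus the resource service principal's `appRoles`, and lists anything that is not provably read-only. The sample app, its placeholder IDs and the choice to accept OpenID Connect sign-in scopes without review are assumptions.

```python
# Rule quoted from the FAQ: read-only permission names end in '.Read' or '.Read.All'.
READ_ONLY_SUFFIXES = (".Read", ".Read.All")
# Assumption: OpenID Connect sign-in scopes are accepted without review.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def classify(permission):
    """Return 'sign-in', 'read-only' or 'review' for one permission name."""
    if permission in OIDC_SCOPES:
        return "sign-in"
    if permission.endswith(READ_ONLY_SUFFIXES):
        return "read-only"
    return "review"  # e.g. *.ReadWrite.*, or a name the suffix rule does not cover


def audit(delegated_grants, app_role_assignments, resource_app_roles):
    """Return sorted (kind, permission) pairs that need manual review."""
    role_names = {role["id"]: role["value"] for role in resource_app_roles}
    findings = set()
    for grant in delegated_grants:
        for scope in (grant.get("scope") or "").split():  # space-separated string
            if classify(scope) == "review":
                findings.add(("delegated", scope))
    for assignment in app_role_assignments:
        name = role_names.get(assignment["appRoleId"])
        if name is None:
            # An ID that cannot be resolved cannot be shown to be read-only.
            findings.add(("application", "unresolved:" + assignment["appRoleId"]))
        elif classify(name) == "review":
            findings.add(("application", name))
    return sorted(findings)


# Constructed sample for a hypothetical app; every ID below is a placeholder.
SAMPLE_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "SecurityEvents.Read.All"},
]
SAMPLE_DELEGATED = [
    {"scope": " openid profile User.Read Policy.Read.All Policy.ReadWrite.ConditionalAccess"},
]
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a2"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff"},  # not in SAMPLE_ROLES
]
REVIEW = audit(SAMPLE_DELEGATED, SAMPLE_ASSIGNMENTS, SAMPLE_ROLES)
```

Application permissions are stored as role GUIDs, so the names must be resolved before the suffix rule can be applied; an unresolved ID is reported rather than assumed safe.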

Most assessments complete in 2-3 minutes. The time depends on tenant size and the number of users, applications, and policies being analyzed.

This usually means we couldn't retrieve the necessary data due to licensing limitations (some features require E5 or Azure AD P2) or temporary API issues. The check will be re-evaluated on the next assessment.

API access is available for MSP Pro customers. Contact us for API documentation and integration support.

All OAuth tokens are encrypted using AES-256-GCM with unique salt and IV per token. Encryption keys are derived using scrypt, a memory-hard function that makes brute-force attacks computationally infeasible.

We recommend running assessments monthly for most organizations, or weekly for high-security environments. MSP partners typically run assessments after any major tenant changes.

Currently we support commercial Microsoft 365 tenants. GCC and GCC-High support is on our roadmap for Q2 2026.

Read-only access only
AES-256 encryption
Results in 2-3 minutes
Trusted by MSPs

Ready to Secure Your Tenant?

Start with a free assessment. No credit card required. See your security posture in under 5 minutes.