[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80127":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":14,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":17,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":34,"readmeContent":35,"aiSummary":36,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":37,"discoverSource":38},80127,"M365-Assessment-Toolkit","malcolmmcdonald1982\u002FM365-Assessment-Toolkit","malcolmmcdonald1982","Free, open-source Microsoft 365 security assessment tool. Evaluates 23 findings, auto-remediates with rollback, generates professional reports, and simulates attack chains. Windows, local, no data leaves your machine.","",null,"Python",58,14,1,0,2,3,46.83,"MIT License",false,"main",true,[24,25,26,27,28,29,30,31,32,33],"conditional-access","entra-id","intune","m365","microsoft-365","open-source","powershell","remediation","security-assessment","windows","2026-06-12 04:01:26","# M365 Assessment Toolkit\n\nA free, open-source Microsoft 365 security assessment tool for IT consultants and administrators. Runs locally on Windows — no data leaves your machine.\n\nThis tool is not intended to replace enterprise security platforms. 
It fills a gap for IT professionals who need practical assessments without enterprise licensing costs.\n\n## What it does\n\n- Runs a security assessment against any M365 tenant across 6 workloads\n- Evaluates 30 findings covering identity, conditional access, Exchange, Teams, SharePoint and Intune\n- Scores the tenant based on real attack paths — not just Microsoft Secure Score\n- Remediates findings with one click, with full rollback capability\n- Produces professional Word reports (Assessment Report, Remediation Report, Comparison Report)\n- Simulates attack chains to show which findings enable which attacks\n- Compares two assessments to track improvement over time\n\n## What it looks like\n\n### Assessment Dashboard\nThe dashboard shows a live risk score, colour-coded findings by severity, and module run status.\n\n![Dashboard](docs\u002Fscreenshots\u002Fdashboard.png)\n\n### Findings with Investigation Scripts\nEach finding card includes an inline PowerShell investigation script you can run directly to dig into the detail behind the finding.\n\n![Findings panel with investigation script](docs\u002Fscreenshots\u002Ffindings-investigate.png)\n\n### Generated Reports\nOne click produces a professionally formatted Word document ready to hand to a client.\n\n![Word report sample](docs\u002Fscreenshots\u002Freport-sample.png)\n\n### Attack Simulation\nMaps your open findings to real attack chains — showing exactly which combination of misconfigurations an attacker would exploit, in sequence.\n\n![Attack simulation](docs\u002Fscreenshots\u002Fattack-simulation.png)\n\n## Prerequisites\n\nThe installer handles all of these automatically:\n\n| Prerequisite | Version | Purpose |\n|---|---|---|\n| Python | 3.11+ | Backend server |\n| Flask | Latest | Web framework |\n| Node.js | 18+ | Report generator |\n| docx (npm) | Latest | Word document creation |\n| Microsoft.Graph | 2.0+ | Identity, Security, Intune |\n| ExchangeOnlineManagement | 3.0+ | Exchange Online |\n| 
MicrosoftTeams | 5.0+ | Microsoft Teams |\n| Microsoft.Online.SharePoint.PowerShell | 16.0+ | SharePoint Online |\n\n## Installation\n\n### Option 1 — One-line install (quickest)\n\nOpen PowerShell as Administrator and run:\n\n```powershell\nirm https:\u002F\u002Fraw.githubusercontent.com\u002Fmalcolmmcdonald1982\u002FM365-Assessment-Toolkit\u002Fmain\u002Finstall.ps1 | iex\n```\n\nThe installer downloads all files from GitHub, installs all prerequisites, and creates a desktop shortcut. Nothing else needed.\n\n### Option 2 — Download and run\n\n1. Click the green **Code** button on this page and select **Download ZIP**\n2. Extract the ZIP — you should have a folder containing `install.ps1`, `backend.py`, `index.html` etc.\n3. Open PowerShell as Administrator\n4. Run:\n\n```powershell\ncd \"C:\\path\\to\\extracted-folder\"\n.\\install.ps1\n```\n\n### Option 3 — Clone the repo\n\nIf you have Git installed:\n\n```powershell\ngit clone https:\u002F\u002Fgithub.com\u002Fmalcolmmcdonald1982\u002FM365-Assessment-Toolkit.git C:\\AssetTool\ncd C:\\AssetTool\n.\\install.ps1\n```\n\nAll three options install to `C:\\M365 Assessment Toolkit` and create a desktop shortcut.\n\n## After installation\n\nDouble-click the **M365 Assessment Toolkit** shortcut on your desktop. The tool opens automatically in your browser at `http:\u002F\u002Flocalhost:5000`. Keep the black PowerShell window open while using the tool — closing it stops the backend.\n\n## Authentication\n\n**Interactive Login** — No setup required. The tool prompts for credentials when each module runs. Suitable for one-off assessments.\n\n**App Registration** — Requires setup in Entra ID. Silent authentication for Graph-based modules. Recommended for repeat assessments.\n\n**Certificate** — Uses a certificate installed in the local Windows certificate store. No client secret stored in the UI. Recommended for recurring assessments where security policy prohibits stored secrets.\n\n### Setting up App Registration\n\n1. 
Go to [Entra ID > App registrations](https:\u002F\u002Fentra.microsoft.com\u002F#view\u002FMicrosoft_AAD_IAM\u002FActiveDirectoryMenuBlade\u002F~\u002FRegisteredApps)\n2. Click **New registration** — name it `M365 Assessment Toolkit`\n3. Copy the **Application (client) ID** and **Directory (tenant) ID**\n4. Go to **Certificates & secrets** > **New client secret** — copy the **Value**\n5. Go to **API permissions** > **Add a permission** > **Microsoft Graph** > **Application permissions**\n6. Add these permissions:\n\n```\nUser.Read.All\nDirectory.Read.All\nRoleManagement.Read.Directory\nUserAuthenticationMethod.Read.All\nReports.Read.All\nPolicy.Read.All\nSecurityEvents.Read.All\nOrganization.Read.All\nApplication.Read.All\nDeviceManagementManagedDevices.Read.All\nDeviceManagementConfiguration.Read.All\nAuditLog.Read.All\nIdentityRiskyUser.Read.All\n```\n\n7. Click **Grant admin consent**\n\n> Exchange, Teams and SharePoint always use interactive login — these PowerShell modules do not support app-only authentication.\n\n### Setting up Certificate Authentication\n\nCertificate authentication uses a certificate installed in your local Windows certificate store instead of a client secret. No secret is ever stored in the tool UI, making it suitable for environments where security policy prohibits stored credentials.\n\n> The same Graph API permissions apply as App Registration. Exchange, Teams and SharePoint always use interactive login regardless of auth method.\n\n#### Step 1 — Create an App Registration\n\n1. Go to [Entra ID > App registrations](https:\u002F\u002Fentra.microsoft.com\u002F#view\u002FMicrosoft_AAD_IAM\u002FActiveDirectoryMenuBlade\u002F~\u002FRegisteredApps)\n2. Click **New registration** — name it `M365 Assessment Toolkit`\n3. Supported account types → **Single tenant**\n4. Click **Register**\n5. Copy the **Application (client) ID** and **Directory (tenant) ID** — you will need both\n\n#### Step 2 — Grant API permissions\n\n1. 
Go to **API permissions** > **Add a permission** > **Microsoft Graph** > **Application permissions**\n2. Add the following permissions:\n\n```\nUser.Read.All\nDirectory.Read.All\nRoleManagement.Read.Directory\nAuditLog.Read.All\nOrganization.Read.All\nPolicy.Read.All\nSecurityEvents.Read.All\nApplication.Read.All\nIdentityRiskyUser.Read.All\nDeviceManagementManagedDevices.Read.All\nDeviceManagementConfiguration.Read.All\n```\n\n3. Click **Grant admin consent** — required, the tool will not work without this\n\n#### Step 3 — Generate a self-signed certificate\n\nRun the following in PowerShell on the machine that will run the tool:\n\n```powershell\n$cert = New-SelfSignedCertificate `\n    -Subject \"CN=M365AssessmentTool\" `\n    -CertStoreLocation \"Cert:\\CurrentUser\\My\" `\n    -KeyExportPolicy Exportable `\n    -KeySpec Signature `\n    -KeyLength 2048 `\n    -HashAlgorithm SHA256 `\n    -NotAfter (Get-Date).AddYears(2)\n\nWrite-Host \"Thumbprint: $($cert.Thumbprint)\"\n```\n\nCopy the thumbprint from the output — this goes in the tool later.\n\nThe certificate is automatically installed in **Current User > Personal** (the correct store for this tool).\n\n#### Step 4 — Export the public key\n\n```powershell\nExport-Certificate `\n    -Cert \"Cert:\\CurrentUser\\My\\$($cert.Thumbprint)\" `\n    -FilePath \"$env:USERPROFILE\\Desktop\\M365AssessmentTool.cer\"\n```\n\nThis saves a `.cer` file to your desktop. This is the public key only — safe to upload to Entra.\n\n#### Step 5 — Upload the certificate to Entra\n\n1. Go to your App Registration in Entra\n2. Click **Certificates & secrets** > **Certificates** tab\n3. Click **Upload certificate**\n4. Select the `.cer` file from your desktop\n5. Click **Add**\n\nYou should see the certificate listed with its thumbprint. 
Confirm it matches the one from Step 3.\n\n#### Step 6 — Run an assessment\n\nIn the tool:\n\n- Select **Certificate** as the authentication method\n- Enter your **Tenant ID** (Directory ID from Step 1)\n- Enter your **Client ID** (Application ID from Step 1)\n- Enter the **Certificate Thumbprint** from Step 3\n\nClick **Run Assessment**. Graph-based modules (Identity, Security, Intune) will authenticate silently. Exchange, Teams and SharePoint will prompt interactively as normal.\n\n#### Verifying the certificate is installed\n\nIf you need to check the certificate is present on the machine, open PowerShell and run:\n\n```powershell\nGet-ChildItem Cert:\\CurrentUser\\My | Where-Object { $_.Subject -like \"*M365AssessmentTool*\" } | Select-Object Subject, Thumbprint, NotAfter\n```\n\n#### Certificate expiry\n\nThe self-signed certificate created in Step 3 is valid for 2 years. When it expires, repeat Steps 3–5 to generate a new certificate and upload it to the App Registration. The Client ID and Tenant ID remain the same — only the thumbprint changes.\n\n## Understanding the Score\n\nThe tool's score is **not the same as Microsoft Secure Score**.\n\n| | This Tool | Microsoft Secure Score |\n|---|---|---|\n| Measures | Real attack path exposure | Configuration compliance |\n| A high score means | Low attack surface | Settings follow Microsoft recommendations |\n| A low score means | Specific attack paths are open | Some recommended settings are off |\n\nThe tool scores 0–100 based on severity-weighted findings:\n- **Critical** findings: -8 points each (capped at -32)\n- **High** findings: -5 points each (capped at -20)\n- **Medium** findings: -3 points each (capped at -12)\n- **Low** findings: -1 point each (capped at -4)\n- **Floor:** 10 (never shows zero)\n\nA tenant can have a high Microsoft Secure Score and still score poorly here — because Secure Score rewards enabling features, not blocking attack paths.\n\n## Auto Update Checker\n\nThe tool silently checks 
GitHub for a newer version each time it starts. If a newer version is available a banner appears at the top of the UI offering to update.\n\n**What is and is not transmitted during this check:**\n\n- The tool makes a single request to `https:\u002F\u002Fraw.githubusercontent.com\u002Fmalcolmmcdonald1982\u002FM365-Assessment-Toolkit\u002Fmain\u002FVERSION` to read the latest version number\n- No tenant data, credentials, scan results, assessment sessions or any user content is transmitted\n- No analytics, no telemetry, no tracking of any kind\n- The check is read-only and outbound only — nothing is written to GitHub\n- Updates require explicit user approval — the tool never auto-updates silently\n- Clicking **Update Now** runs the local `update.ps1` script which downloads replacement files from GitHub — the same script available to run manually at any time\n- If the check fails for any reason (no internet, firewall, timeout) the tool continues normally — no banner appears and nothing is affected\n\n## Updating\n\n```powershell\nInvoke-WebRequest -Uri \"https:\u002F\u002Fraw.githubusercontent.com\u002Fmalcolmmcdonald1982\u002FM365-Assessment-Toolkit\u002Fmain\u002Fupdate.ps1\" -OutFile \"$env:TEMP\\update.ps1\"; & \"$env:TEMP\\update.ps1\"\n```\n\nThe updater downloads the latest files from GitHub and applies them. 
Your saved sessions, reports and output files are never touched.\n\n## Uninstalling\n\n```powershell\nInvoke-WebRequest -Uri \"https:\u002F\u002Fraw.githubusercontent.com\u002Fmalcolmmcdonald1982\u002FM365-Assessment-Toolkit\u002Fmain\u002Funinstall.ps1\" -OutFile \"$env:TEMP\\uninstall.ps1\"; & \"$env:TEMP\\uninstall.ps1\"\n```\n\nThe uninstaller offers to back up your saved sessions and reports before removing.\n\n## Data and Privacy\n\n- All data stays on your local machine — nothing is sent to external servers\n- Assessment results are saved to `C:\\M365 Assessment Toolkit\\output\\`\n- The tool reads tenant data but never writes to it during assessment\n- Remediation scripts write to the tenant only when you explicitly click Apply Fix\n- Each remediation change is snapshotted before it is made\n- There is no backend server, no cloud component, no third party in the data flow — just you, your machine and Microsoft's APIs\n\n**Tenant authentication:** The tool authenticates against your Microsoft 365 tenant using whatever credentials or permissions you provide — Interactive login, App Registration, or Certificate. It connects directly to Microsoft's APIs in the same way any PowerShell module or Graph client does. No credentials are stored to disk. No data is transmitted to any third party.\n\nFor client engagements, ensure you have a Data Processing Agreement in place before running assessments against a client tenant.\n\n## Minimum Permissions Required\n\nThe tool follows the principle of least privilege. 
Use the minimum role that covers what you need.\n\n### Assessment (Read)\n\n| Module | Minimum Role |\n|---|---|\n| Identity & MFA | Global Reader |\n| Security & CA | Global Reader |\n| Exchange Online | Global Reader or Exchange Administrator |\n| Teams | Global Reader or Teams Administrator |\n| SharePoint | Global Reader or SharePoint Administrator |\n| Intune \u002F Devices | Global Reader or Intune Administrator |\n\n> Global Reader covers all assessment modules. No write permissions are required to run an assessment.\n\n### Remediation (Write)\n\n| Finding Type | Minimum Role |\n|---|---|\n| Conditional Access policies | Conditional Access Administrator |\n| Exchange settings | Exchange Administrator |\n| Teams settings | Teams Administrator |\n| SharePoint settings | SharePoint Administrator |\n| Intune \u002F device policies | Intune Administrator |\n\n> Remediation requires explicit write permissions. Always obtain written approval before applying changes to a live tenant.\n\n### App Registration permissions\n\nFor App Registration and Certificate auth, the following Graph API application permissions are required for assessment:\n\n```\nUser.Read.All\nDirectory.Read.All\nRoleManagement.Read.Directory\nUserAuthenticationMethod.Read.All\nReports.Read.All\nPolicy.Read.All\nSecurityEvents.Read.All\nOrganization.Read.All\nApplication.Read.All\nDeviceManagementManagedDevices.Read.All\nDeviceManagementConfiguration.Read.All\nAuditLog.Read.All\nIdentityRiskyUser.Read.All\n```\n\n> Exchange, Teams and SharePoint always use interactive login — these PowerShell modules do not support app-only authentication.\n\n## Read\u002FWrite Permission Separation\n\nThe tool separates assessment (read) and remediation (write) credentials. 
This follows the principle of least privilege — the account used to gather data during an assessment does not need write permissions.\n\n### How it works\n\nIn the sidebar under **Remediation Authentication**:\n\n- **Same as Assessment** (default) — remediation uses the same credentials as the assessment. The account must have sufficient write permissions for the findings you intend to remediate\n- **Separate** — a dedicated write account is configured independently. The assessment account remains read-only throughout\n\nThe write account supports the same three authentication methods as the assessment account — Interactive, App Registration, or Certificate.\n\n### What happens if the account lacks write permissions\n\nIf you attempt to remediate using an account without sufficient write permissions:\n\n- The remediation script runs and Microsoft's API returns an access denied error\n- The error is surfaced in the remediation card\n- Nothing changes in the tenant — no partial changes, no damage\n- A snapshot is saved before every attempt so rollback is available regardless\n\n**To resolve:** either elevate the assessment account to include the required write role, or switch to **Separate** and configure a dedicated write account with the minimum role for the finding type. See the Remediation (Write) permissions table above.\n\n### Recommended approach for client engagements\n\n| Scenario | Recommendation |\n|---|---|\n| Quick one-off assessment, no remediation | Interactive login, Global Reader |\n| Assessment with planned remediation | Separate accounts — Global Reader for read, minimum write role per finding |\n| Recurring assessments | App Registration or Certificate for read, Interactive for write |\n\n## Data Flow\n\nWhen you run an assessment:\n\n1. PowerShell scripts run locally on your machine\n2. They connect directly to Microsoft's APIs using your credentials or app registration — the same as any Microsoft PowerShell module\n3. 
Results are returned as JSON and saved locally to `C:\\M365 Assessment Toolkit\\output\\`\n4. The local Flask backend processes the results and displays them in your browser\n5. Nothing is transmitted to any external server at any point\n\n## AI Disclosure\n\nThis tool was developed with AI assistance. The security logic, findings, scoring model, attack path mapping and architecture were designed by the author based on real-world M365 assessment experience. AI was used as a development aid to help bring it to life. All code is fully open source and publicly auditable on GitHub.\n\n## Folder Structure\n\n```\nC:\\M365 Assessment Toolkit\\\n├── backend.py              # Flask backend\n├── index.html              # Frontend (served at localhost:5000)\n├── generate-report.js      # Word report generator\n├── package.json            # npm dependencies\n├── scripts\\                # Assessment PowerShell scripts\n├── remediation\\            # Remediation + rollback scripts\n├── output\\                 # Sessions, CSVs, remediation logs\n└── reports\\                # Generated Word documents\n```\n\n## Modules\n\n| Module | Tag | Auth | Findings |\n|---|---|---|---|\n| Identity & MFA | ENTRA | App Reg, Certificate or Interactive | 7 |\n| Security & CA | SEC | App Reg, Certificate or Interactive | 8 |\n| Exchange Online | EXO | Interactive only | 5 |\n| Teams | TEAMS | Interactive only | 2 |\n| SharePoint | SPO | Interactive only | 2 |\n| Intune \u002F Devices | MDM | App Reg, Certificate or Interactive | 6 |\n\n## Troubleshooting\n\n| Problem | Cause | Fix |\n|---|---|---|\n| Module fails silently, no results | Auth failed or insufficient permissions | Check the Run Log for the error. 
Verify the account has at least Global Reader |\n| Remediation returns access denied | Account lacks write permissions | Elevate the account or use Separate remediation auth with a dedicated write account |\n| SharePoint module fails with OAuth error | SharePoint Admin URL not set or incorrect | Enter the correct URL in the format `https:\u002F\u002Fyourtenant-admin.sharepoint.com` |\n| Certificate auth fails | Certificate not installed in the correct store | Verify the certificate is in `Cert:\\CurrentUser\\My` — see certificate setup guide above |\n| Banner shows wrong version | Backend still running old version | Restart the backend after updating |\n| Load Assessment button not clickable | Page needs a refresh after backend restart | Hard refresh with `Ctrl+Shift+R` |\n| Report fields blank | Consultant or assessment details not filled in | Fill in the Assessment Details and Consultant sections before downloading the report |\n\n## Author\n\nBuilt and maintained by **Malcolm McDonald** — IT Infrastructure Consultant with real-world M365 assessment and deployment experience.\n\nIf you are looking for M365 consultancy, security assessments or infrastructure support, feel free to connect on [LinkedIn](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fmalcolm-mcdonald-87228b48).\n\n## Licence\n\nMIT — free to use, modify and distribute. See [LICENSE](LICENSE).\n\n## Disclaimer\n\nThis tool is provided as-is for educational and professional use. Always obtain written approval before remediating any tenant. The authors accept no liability for changes made to live environments.\n","M365 Assessment Toolkit is a free, open-source Microsoft 365 security assessment tool designed for IT consultants and administrators. The tool runs security assessments against 6 workloads in an M365 tenant, covering 30 checks across identity, conditional access, Exchange, Teams, SharePoint and Intune, and scores the tenant based on real attack paths. It offers one-click remediation with rollback support, generates professional Word reports (including assessment, remediation and comparison reports), and can simulate attack chains to show which misconfigurations could enable attacks. All operations run locally on Windows, ensuring that no data leaves the user's machine. It is suited to scenarios that call for a practical security assessment without an enterprise security platform.","2026-06-11 03:59:21","CREATED_QUERY"]