The Microsoft 365 / Azure integration performs a read-only posture scan of your tenant and maps the results to your framework controls. It is the most complete of the cloud scanners and is available now. Connecting it does not store a per-tenant secret in Venvera: it uses Microsoft admin consent.

Connecting your tenant

Start the connection

From the Integrations hub, open the Microsoft 365 / Azure card and start setup. You are sent to the Microsoft admin-consent screen. A Global Administrator of your Microsoft 365 tenant must approve the request.

Grant admin consent

Microsoft returns you to Venvera. Venvera verifies that consent was granted for your tenant, tests connectivity, and records the integration as connected. No client secret from your tenant is kept.

Run the first scan

Start a scan from the setup page. Progress and results appear on the Scans, Findings, and Resources sub-pages.

What the scan checks

The Microsoft Graph security scan runs a set of checks across your identity and collaboration posture, grouped below.

GroupExamples of what is checked
Identity and MFAUsers without MFA, number of Global Admins above four, guest accounts, stale or inactive accounts, risky users, Secure Score
Conditional AccessWhether Conditional Access policies exist, legacy authentication blocking, Security Defaults
App securityApplication registration hygiene and credential practices
M365 configurationSharePoint external sharing, who can create Microsoft 365 groups
Email securityMailbox auto-forwarding, SPF and DKIM records
Cross-tenantCross-tenant access and trust settings

Defender for Cloud and resource discovery

Alongside the Graph checks, the scan pulls Microsoft Defender for Cloud recommendations and turns them into findings, and discovers your Azure resources through the Azure Resource Graph so they are inventoried against your controls.

Turning findings into evidence

Each finding is mapped by category to controls in your active frameworks. A finding that passed comes back as informational and can be attached to the mapped control as evidence, so a clean scan builds your evidence library for you.

ℹ️
Some checks depend on your Microsoft licensing. Conditional Access checks need Entra ID P1 and risky-user checks need P2. Where a licence is missing, the check is skipped cleanly rather than reported as a failure, and a fetch-failed marker prevents a skipped check from being mistaken for a resolved one.