Microsoft 365 Assessment Suite — 6 read-only audits

Six Microsoft 365 audits. One read-only scan engine.

Copilot Readiness, Power Platform, SharePoint & OneDrive, Teams, M365 Security, plus the cross-cutting Microsoft 365 Complete report. Read-only Microsoft Graph scans that produce a 1.0–4.0 score with prioritized findings. CA$399 per single assessment, CA$1,599 for the bundle of all six with white-label PDF rights. One-time payment, 90-day access, locked to one tenant.

Read-only. No credit card. 1 free snapshot per tenant per month per product.

app.migrationfox.com/governance

Composite Readiness Score · contoso.onmicrosoft.com
NOT READY · 1.2 / 4.0

Top Must-Do Before Copilot
  • PUR-001 · CRIT · DLP does not protect Microsoft365Copilot as a workload
  • SPO-004 · CRIT · 14 sites with active "Anyone with the link" sharing
  • IAM-002 · CRIT · 9 Global Admins, no PIM, no MFA enforcement on 2

Example output. Your score will vary by tenant.

The Verdict

One score. Four decisions.

Every scan ends with a number between 1.0 and 4.0 and one of four plain-English verdicts. No ambiguity. No "it depends".

1.0 – 1.9 · NOT READY
Critical gaps in DLP, oversharing, or identity will leak sensitive data through Copilot. Do not enable Copilot — even for a pilot — until the Must Do Before Copilot items are resolved.

2.0 – 2.9 · PARTIALLY READY
Run a tightly scoped pilot with 5–10 hand-picked users on non-sensitive workloads only.

3.0 – 3.4 · MOSTLY READY
Internal pilot approved for any team. Resolve the remaining Must Do Before Full Rollout items before expanding.

3.5 – 4.0 · READY
Full Copilot rollout approved. Maintain ongoing monitoring with quarterly assessments.

What We Scan

Seven modules. One composite score.

Each module reads a specific corner of your tenant through Microsoft Graph and contributes to the final 1.0–4.0 score.

01 · Licensing & Infrastructure
Confirms the subscribed SKUs, OneDrive enablement, and M365 service health before anything else runs.
/subscribedSkus · /admin/serviceAnnouncement

02 · Purview Current State
Inventories sensitivity labels, sensitive info types, and DLP policies — including whether Microsoft365Copilot is a protected workload.
/security/labels · /dataLossPreventionPolicies

03 · Identity & Conditional Access
Audits CA policies, MFA enforcement, guest ratio, OAuth grants, Global Admins, and PIM coverage.
/conditionalAccess/policies · /directoryRoles

04 · M365 Apps Readiness
Checks Office update channel adoption so users actually get Copilot features on the right build.
/deviceManagement · /reports/office365

05 · Teams Governance
Per-team lifecycle audit: ownerless teams, single-owner risk, inactive teams, shared channels, guest concentration. Teams is a primary Copilot surface.
/teams · /groups/{id}/owners · /teams/{id}/channels

06 · OneDrive Governance
Per-account drilldown: orphaned drives, stale 180d+ accounts, oversized drives, external-share exposure, Known Folder Move adoption.
/reports/getOneDriveUsageAccountDetail · /admin/sharepoint/settings

07 · SharePoint Advanced Management
Tenant oversharing posture: default sharing link, Site Access Reviews, Inactive Site policy, Restricted Access Control, Block Download, EEEU posture.
/admin/sharepoint/settings · /sites · SAM policies

THE CRITICAL CHECK — PUR-001

Does your DLP actually protect Copilot as a workload?

Every other Copilot readiness tool on the market treats DLP as a boolean: "you have DLP policies, you're fine". That is wrong. Microsoft365Copilot is a distinct DLP workload. If your existing DLP policies don't explicitly list it in the workload scope, Copilot can surface labelled and regulated content to any user who can see the underlying file — through a chat response.

PUR-001 inspects every DLP policy in the tenant, parses the workload array, and flags any policy where Microsoft365Copilot is missing. It's the single highest-impact finding in the report — and the one nobody else surfaces.

Regulated industries (PHIPA/HIPAA, OSFI, GMP) cannot enable Copilot until this check passes.

// What PUR-001 looks for: a DLP policy whose workload scope omits Microsoft365Copilot
{
  "name": "Confidential DLP",
  "workload": [
    "Exchange",
    "SharePoint",
    "OneDriveForBusiness"
    // "Microsoft365Copilot" is missing ⚠  -> PUR-001 fires for this policy
  ]
}

Verdict: MUST DO BEFORE COPILOT
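The check described above, written out as an added example (this is not MigrationFox's code, and the `name` / `workload` policy shape is taken from the illustration on this page rather than from any documented Purview schema). It parses each policy's workload array, flags every policy that does not list Microsoft365Copilot, treats a missing or malformed `workload` field as not covering Copilot rather than silently passing it, and records the "endpoint not available" case from the FAQ as a gap instead of a crash. The sample policies are constructed for the demo.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# The DLP workload name the page says must appear in a policy's scope.
COPILOT_WORKLOAD = "Microsoft365Copilot"

# Constructed sample: two policies in the page's illustrative shape.
SAMPLE_POLICIES_JSON = """
[
  {"name": "Confidential DLP",
   "workload": ["Exchange", "SharePoint", "OneDriveForBusiness"]},
  {"name": "PHI Protection",
   "workload": ["Exchange", "SharePoint", "OneDriveForBusiness", "Microsoft365Copilot"]}
]
"""


@dataclass
class Finding:
    check_id: str
    severity: str
    policy: Optional[str]   # None when the finding is tenant-wide
    message: str


def policy_covers_copilot(policy: dict) -> bool:
    """True when the policy's workload array lists Microsoft365Copilot.

    A missing or non-list `workload` is treated as NOT covering Copilot, so a
    malformed policy surfaces as a finding instead of being waved through.
    Comparison is case-insensitive to tolerate inconsistent casing in exports.
    """
    workloads = policy.get("workload")
    if not isinstance(workloads, list):
        return False
    return any(isinstance(w, str) and w.strip().lower() == COPILOT_WORKLOAD.lower()
               for w in workloads)


def evaluate_pur001(policies: Optional[list]) -> List[Finding]:
    """Return one PUR-001 finding per DLP policy that does not scope Copilot.

    `policies is None` models the case where the DLP policy endpoint is not
    available in the tenant (e.g. no Purview): coverage cannot be confirmed,
    so that is recorded as a gap rather than raising.
    """
    if policies is None:
        return [Finding("PUR-001", "CRIT", None,
                        "DLP policy endpoint not available in this tenant; "
                        f"{COPILOT_WORKLOAD} coverage cannot be confirmed")]
    findings: List[Finding] = []
    for p in policies:
        if not policy_covers_copilot(p):
            findings.append(Finding(
                "PUR-001", "CRIT", p.get("name", "<unnamed policy>"),
                f"DLP policy does not list {COPILOT_WORKLOAD} in its workload scope"))
    return findings


def demo() -> List[Finding]:
    """Run PUR-001 over the constructed sample policies."""
    return evaluate_pur001(json.loads(SAMPLE_POLICIES_JSON))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.check_id} {f.severity} [{f.policy}] {f.message}")
```

Only "Confidential DLP" is flagged in the sample; "PHI Protection" passes because Microsoft365Copilot is in its workload array. In a real scan the `policies` argument would be the parsed response of the DLP policy listing the module reads.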

Trust

Read-only by design.

Three independent guarantees that mean this scan cannot change anything in your tenant.

Write guard at the API client

Every Graph request goes through a client that rejects PATCH, POST, PUT, and DELETE before the wire. No write is physically possible — not even accidentally.
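A minimal version of such a write guard, as an added illustration (not the product's own client). It uses an allowlist rather than a denylist: only GET leaves the client, so PATCH, POST, PUT and DELETE are rejected before the transport is ever called, and so is any method the author did not anticipate. The transport is injected so the guard can be exercised offline; `fake_transport` and the URLs are constructed for the demo.

```python
from typing import Callable, List, Mapping, Optional, Tuple


class WriteAttemptError(RuntimeError):
    """Raised when a non-read request reaches the read-only client."""


# Assumption for this example: GET is the only method a read-only scan needs.
# An allowlist rejects the four methods the page names and anything else too.
READ_METHODS = frozenset({"GET"})


class ReadOnlyGraphClient:
    """Wraps a transport and refuses every write before it hits the wire."""

    def __init__(self, send: Callable[[str, str, Optional[Mapping]], dict]):
        self._send = send                      # e.g. a requests.Session wrapper
        self.rejected: List[Tuple[str, str]] = []   # audit trail of blocked calls

    def request(self, method: str, url: str, json_body: Optional[Mapping] = None) -> dict:
        m = method.strip().upper()
        # A body on a GET is also refused: a read never needs one, and it is
        # the shape an accidental write would take.
        if m not in READ_METHODS or json_body is not None:
            self.rejected.append((m, url))
            raise WriteAttemptError(f"{m} {url} blocked: client is read-only")
        return self._send(m, url, None)

    def get(self, url: str) -> dict:
        return self.request("GET", url)


def fake_transport(method: str, url: str, body: Optional[Mapping]) -> dict:
    """Stand-in for the HTTP layer; records what would have gone on the wire."""
    return {"method": method, "url": url, "status": 200}


def demo() -> dict:
    """One read that passes, four writes that are blocked before transport."""
    client = ReadOnlyGraphClient(fake_transport)
    ok = client.get("https://graph.microsoft.com/v1.0/subscribedSkus")
    blocked = 0
    for method in ("PATCH", "POST", "PUT", "DELETE"):
        try:
            client.request(method, "https://graph.microsoft.com/v1.0/groups/{id}")
        except WriteAttemptError:
            blocked += 1
    return {"ok": ok, "blocked": blocked, "rejected": client.rejected}


if __name__ == "__main__":
    print(demo())
```

One design consequence worth knowing: Microsoft Graph JSON batching is itself a `POST` to `/$batch`, so a guard at the method level either forgoes batching or has to unwrap the batch and apply the same allowlist to every inner request.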

AES-256-GCM encryption at rest

All findings and raw evidence are encrypted with AES-256-GCM before they touch the database. Keys are managed separately from the data store.

14 read-only Graph scopes

Only .Read.All and equivalent read scopes — admin-consented once. A scope-diff UI shows you exactly what's missing before you run.

How It Works

Four steps. Five minutes.

STEP 01

Connect

Paste service-account credentials or use delegated OAuth. About 5 minutes of Azure AD setup the first time.

STEP 02

Verify

A scope-diff UI shows exactly which of the 14 read-only Graph permissions are present and which are missing, before anything runs.

STEP 03

Run

All seven modules execute in 3–5 minutes. Read-only Graph calls only — your tenant never notices.

STEP 04

Read

Score banner and module scorecard for all tiers. Insight unlocks the full remediation checklist and JSON / HTML exports. Partner adds CSV export to Microsoft Planner for consulting engagements; the Word and Excel client deliverables are coming in the next release.

Pricing

Pay once. Run for 90 days. One tenant.

All prices in CAD. No subscription. Each purchase is locked to one Microsoft 365 tenant at first scan and gives you unlimited re-runs of that assessment for 90 days.

Best Value · Save 33%

Tenant Suite — M365 Governance Suite

All 9 tools. Audit, plan, deploy, monitor — one tenant, one year.

The complete M365 governance lifecycle for one tenant. Six read-only audits, three planning tools (Restructuring, OneDrive Cleanup, Migration Rehearsal — plus Dependency Graph and Modernization Engine), Bulk Provisioning to deploy nav/themes/content types/term sets back into SharePoint, and Continuous Monitoring with monthly auto re-runs. White-label PDFs, commercial redistribution license. Built for teams running readiness engagements at $5K–$50K per tenant.

  • All 9 governance tools — audit + plan + deploy + monitor
  • Bulk Provisioning — navigation, themes, content types, term sets across SharePoint at scale
  • Restructuring Wizard & OneDrive Cleanup — plan tools that produce signable client deliverables
  • White-label PDF — your logo, no MigrationFox branding
  • Commercial redistribution license — bill the report to your client
  • 1 year of access, locked to one Microsoft 365 tenant
CA$1,599

one-time · 1 year

Buy Tenant Suite →

Save CA$396 vs 5 singles

Consultant Pro — Unlimited M365 Tenants

One licence. Every client tenant you work on.

Annual licence for one named consultant to run the full Governance Suite across UNLIMITED client tenants. The tier MSPs, M&A advisors, and governance consultants actually need — instead of buying $1,599 per client, one $2,499/year licence covers every engagement for the year. White-label PDFs and commercial redistribution license on every report.

  • Unlimited M365 tenants per consultant per year — no per-tenant lock
  • All 9 tools (audit + plan + deploy + monitor) on every tenant
  • White-label PDFs + commercial redistribution on every report
  • Priority support + early access to new tools
  • Right for MSPs, governance consultants, M&A advisors
CA$2,499

annual · unlimited tenants

Buy Consultant Pro →

Pays for itself at 2 client engagements/yr

Or buy a single assessment

CA$399 each · 90-day access · locked to one Microsoft 365 tenant · MigrationFox-branded PDF · internal use license

License terms

Single Assessment is licensed for internal use on one Microsoft 365 tenant. The PDF is MigrationFox-branded and cannot be re-delivered to a third party as a paid work product. The Microsoft 365 Complete Bundle includes a commercial redistribution license and a white-label PDF, so the report can be delivered to a paying client as your own engagement deliverable. Each purchase is locked to one Microsoft 365 tenant at first scan and is not transferable.

FAQ

Frequently asked questions

Is this safe to run in a production tenant?
Yes. The assessment is 100% read-only. A write guard enforced at the Graph API client level makes PATCH, POST, PUT and DELETE physically impossible — not just policy, but code. It only consumes read-only Graph scopes and cannot alter tenant state even if we wanted it to.

What permissions does it need?
14 read-only Microsoft Graph scopes (all .Read.All or equivalent), admin-consented once. Before any scan runs, the scope-diff UI shows you exactly which are present and which are missing, so you never hit a mid-run permission failure.

How long does a scan take?
Three to five minutes for a typical tenant. The SharePoint permissions module is the slowest because it audits up to 30 sites for Anyone-link exposure — the exact surface area Copilot will index.

Can I run it on a customer's tenant and bill them for it?
Yes — the Microsoft 365 Complete Bundle at CA$1,599 is built exactly for this. The bundle is the only tier that includes white-label PDF rights (your logo, no MigrationFox branding) and a commercial redistribution license — the legal coverage you need to deliver the report to a paying client as your own engagement work product. One bundle = one client tenant. The per-tenant lock at first scan is the technical enforcement of the per-engagement billing model. Reference points: ProArch's similar engagement starts at $15K, Spyglass at $45K. Same artifact at 3.2–9.6% of the price.

What's the difference between a Single Assessment and the Bundle?
A Single Tool at CA$399 unlocks one specific audit tool (Copilot Readiness, Power Platform, SharePoint & OneDrive, Teams, or M365 Security) for one Microsoft 365 tenant for 90 days, with a MigrationFox-branded PDF licensed for internal use only. The Tenant Suite at CA$1,599 unlocks all 9 governance tools (audit + plan + deploy + monitor — including Bulk Provisioning, Restructuring Wizard, OneDrive Cleanup, and Continuous Monitoring) for one tenant for 1 year, with a white-label PDF and a commercial redistribution license. Consultant Pro at CA$2,499/year covers UNLIMITED tenants for one named consultant — designed for MSPs, M&A advisors, and governance consultants who'd otherwise pay $1,599 per client.

What does "per-tenant lock" mean?
Each purchase has a target Microsoft 365 tenant ID that is null until the first scan, then immutably stamped at run time. Subsequent scans must use the same target tenant. An MSP scanning ten client tenants needs ten purchases. This is the technical enforcement of the per-engagement pricing model and prevents the "buy once, scan many clients" arbitrage. Once locked, the purchase gives you 90 days of unlimited re-runs against that one tenant.

How is this different from Microsoft Secure Score?
Secure Score is a generic security posture tool — it will tell you to enable MFA and patch things. The Microsoft 365 Assessment Suite is six purpose-built audits, each focused on a specific governance question. The clearest example is PUR-001 in the Copilot Readiness Assessment: checking whether Microsoft365Copilot is a protected DLP workload. Secure Score doesn't look at that. Nobody else does.

Will this slow down my tenant?
No. The scan issues read-only Graph calls only, throttled by Microsoft's own published limits. For users of the tenant, it's indistinguishable from not running.

What if I don't have Microsoft Purview?
The assessment handles it gracefully. Missing Purview endpoints return a 404, which is surfaced as "endpoint not available in this tenant" rather than a crash or a scope error — and is itself recorded as a gap in the score.

How is this different from running the checks manually?
Depth, speed, and repeatability. A manual walkthrough of all seven modules typically takes half a day and produces seven disconnected reports; this runs in 3–5 minutes and produces one composite score plus a single prioritized backlog you can track quarter over quarter.

Audit, plan, deploy, monitor. One workspace.

Free Snapshot. No credit card required. Read-only by design. Nine governance tools, one tenant, one click to start.