TRANSPARENCY · UPDATED 2026-04-18

What we check. What we don't.

Every governance tool makes a choice about what to detect. Most vendors don't publish that list because it exposes gaps. We publish ours because governance tools are sold on trust, not feature-count. Below is a complete, honest inventory of the 74 specific signals our 6 assessments detect, and the 18 things we do not currently check.

Our principle

Under-promise coverage. Over-deliver on accuracy. If we're not confident a finding is real, we either raise the confidence threshold or we don't surface it at all.

Jump to

Licensing (10) Purview (9) Identity & CA (14) M365 Apps (7) Teams & OneDrive (7) SharePoint Permissions (14) Power Platform (14) What we don't check

What we check (74 signals across 6 modules)

Each module is a read-only Microsoft Graph + SharePoint REST + Power Platform BAP scan. No writes. No impersonation. No long-lived tokens stored outside encrypted credential store.

Licensing & Infrastructure

10 signals · LIC-000..LIC-009

· Tenant Copilot license coverage (full + per-SKU)
· Copilot assignment eligibility (active mailbox, M365 license)
· E3/E5 base license distribution
· Trial/preview license detection (expiry dates)
· Service plan activation (OneDrive, Purview, Teams, SharePoint Online)
· Tenant region (data residency for Copilot)
· MFA license coverage (free vs P1 vs P2)
· Defender for Office 365 coverage
· Exchange Online mailbox provisioning status
· License waste detection (unassigned paid licenses)

Purview · Compliance & DLP

9 signals · PUR-000..PUR-008

· Sensitivity label deployment + usage %
· Auto-labeling policy detection
· Retention policy coverage
· DLP policy count + status
· DLP rule effectiveness (blocked vs allowed)
· Communication compliance policy presence
· Insider risk management posture
· Audit log retention setting
· Data loss prevention manual-verification checklist (for tenants without Purview read access)

Identity & Conditional Access

14 signals · IDN-000..IDN-013

· MFA coverage across user base
· Conditional Access policy presence + scope
· Legacy auth status (blocked / allowed)
· Guest user inventory + external sharing risk
· Privileged identity management (PIM) adoption
· Global Admin count (too few/too many)
· Stale guest users (90+ days inactive)
· Service principal OAuth grants audit
· Risky sign-in detection enabled
· Password expiration policy
· Self-service password reset enablement
· Device compliance enforcement
· Break-glass account presence
· Named locations / trusted IPs config

M365 Apps Readiness

7 signals · APP-000..APP-006

· Microsoft 365 Apps channel + version distribution
· Copilot-supported Office version coverage
· Outlook new-client adoption
· Teams classic vs new client
· Edge for Business enforcement
· Office 365 service health baseline
· Office Apps update channel policy

Teams & OneDrive Governance

7 signals · TMS-000..TMS-006

· Teams lifecycle health (orphaned owners, guest sprawl)
· Team creation policy + expiration
· Channel count per team (mega-team detection)
· Teams external sharing capability
· OneDrive Known Folder Move adoption
· OneDrive storage concentration (top-user analysis)
· Inactive OneDrive accounts (90+ day stale)

SharePoint Permissions

14 signals · SPO-000..SPO-013

· "Anyone" link exposure (tenant-wide + per-site)
· External sharing posture per site
· Broken permission inheritance at folder level
· Everyone / Everyone Except External Users group usage
· Site ownership gaps (0 owners, 1 owner, too many)
· Classic vs modern site count
· Mega-site detection (>300K items, >5000 root items)
· Stale sites (90+ days no modification)
· Storage concentration (top-5 sites as % of tenant)
· Sharing link type distribution (view vs edit)
· Sensitive sites (HR/Finance/Legal keyword heuristic)
· Restricted Content Discovery (RCD) status
· Hub site structure inventory
· SharePoint root site default sharing link behavior

Power Platform Governance

14 signals · PP-001..PP-014

· Environment inventory (Default, Production, Sandbox, Trial, Developer)
· Stale trial environments (>30 days old)
· DLP policies on connectors (tenant + environment scope)
· Known-bad connector placements (Twitter in BusinessData, etc.)
· Premium connector usage + maker licensing gap
· Maker concentration ("bus factor" analysis)
· Flow count + status distribution per environment
· Power App count + type (canvas vs model-driven)
· On-premises data gateway audit (clustering, version, status)
· Dataverse linkage per environment
· Migration complexity scoring (Low / Medium / High per artifact)
· Service-principal role posture (Power Platform Admin vs Env Admin)
· BAP API accessibility check (tenant management app registration)
· Custom connector inventory

What we don't check (and why)

These gaps are intentional. Most are planned for future releases; some we've decided are better handled by specialized tools you already own.

Known gaps

Defender XDR telemetry. We don't pull signals from Defender for Endpoint, Defender for Cloud Apps, or Defender for Identity. You already have the Defender portal for this. Mixing our signal with Defender's would double-count.
Exchange Online mail flow rules. We detect DLP coverage and mailbox provisioning but do not audit transport rules, journaling, or anti-spam policies. A dedicated mail compliance review covers this better.
Intune device posture. We report whether Conditional Access enforces device compliance, but do not inspect per-device compliance state, app protection policies, or enrollment mode. Intune Admin Center is authoritative here.
Restricted Content Discovery (RCD) propagation. We detect whether RCD is enabled, but Microsoft's API does not expose propagation progress for sites >500K items. We report the flag; we cannot report whether it has actually taken effect on every site.
Power BI admin details. Dataset + workspace inventory requires Power BI admin API access separate from BAP. We flag this as "v2" in the Dependency Graph output. Current scan does not include Power BI.
Microsoft Forms. Forms API does not expose form-to-SP linkage centrally. Flagged as "v2" — we rely on SharePoint-side detection only.
Viva Connections dashboard cards. No public API coverage. Flagged as "v2".
SharePoint term store & site scripts. We detect classic pages and workflows, not managed metadata service consumption or site-script usage. Modernization Engine is getting this in a future release.
Email journaling / EV / Mimecast archives. Outside current scope. Planned as a dedicated assessment.
Content classification accuracy. We detect whether sensitivity labels are deployed. We do NOT attempt to audit whether any given document is correctly classified. That requires content inspection beyond governance-posture scope.
Specific compliance certifications. We do not audit HIPAA, FedRAMP, PCI-DSS, SOX, or other regulatory framework adherence. Microsoft's Compliance Manager is designed for this.
Application dependencies outside M365. We scan Power Automate flows and Power Apps. We do NOT scan third-party SaaS integrations, SCIM provisioning targets, or non-Microsoft OAuth consumers.
License cost optimization. We detect waste (unassigned paid licenses) but do not produce "you could save $X by downgrading Y" cost-optimization reports. Dedicated M365 cost tools do this better.
End-user Copilot usage analytics. We measure readiness, not usage. Microsoft's Copilot adoption dashboard in the admin center covers per-user usage once enabled.
Real-time tenant monitoring. Continuous Monitoring runs monthly, not in real time. Expect 24+ hours between when a change happens and when our next scheduled scan reflects it.
Remediation execution. Except for SharePoint restructuring and OneDrive cleanup wizards, we do not auto-apply fixes. Findings tell you what to do; your admin runs the PowerShell.
Multi-tenant federation / Entra External ID. We scan a single tenant at a time. Cross-tenant federation health (B2B trust direction, outbound sharing posture to federated partners) is not in scope.
Azure infrastructure beyond M365. We are M365-scoped. Azure subscription inventory, VNet peering, Key Vault policy — out of scope.

How we handle uncertainty

When a signal requires a permission the scanning service principal doesn't have (e.g., Power Platform Admin but missing Env Admin), we emit a manual-verification finding with a deep link to the admin portal. We don't fabricate a result. Same for Microsoft APIs that are unreliable or under-documented — we'd rather flag "we couldn't verify this" than guess.

Every finding will eventually carry a Confidence Score (High / Medium / Low) based on the underlying API reliability, scope of evidence, and known edge cases. Tracked issue; shipping in the next governance release.

What we don't sell

Your data. Scan results are stored encrypted per-tenant. We do not train models on them, share them with partners, or use them in aggregate analytics. Ever.
Contact-us pricing. CA$399 single assessment. CA$1,599 bundle. Published. One-time. No renewals you'll forget.
Upsell calls. There is no sales motion. You buy with a credit card. You email support@migrationfox.com if you have a question.
Multi-year commits. 90-day access window per purchase. Buy again if you need another scan.

Ready to run a free snapshot?

View-only, 1 scan/month per product. No credit card. See exactly what we detect on your own tenant.

Start free snapshot →

Last updated: April 18, 2026 · Spot something missing or inaccurate? Email support@migrationfox.com