Demo Mode

Every screen, flow, export, and remediation path is the real Veri-Guard product. The specific findings, scores, and runbooks shown are curated to illustrate a typical before/after story. Your tenant scan produces your own numbers.

Remediation Planning (Enterprise)

Plan which failed controls to remediate automatically. Export the plan for leadership review before deploying. All Conditional Access (CA) policies deploy as report-only.

AI Remediation Plan

Generate an AI-powered remediation plan that prioritises controls by risk and groups them into logical deployment phases.

174 failed controls | 100 to auto-deploy | 73 runbook only | 1 accepted
Break-glass:
100 auto-deploy | 74 runbook only
Control | Action

Block legacy authentication protocols

CIS-1.1.2

Configure sign-in risk Conditional Access policy

CIS-1.2.1

Block legacy auth endpoints at the authentication methods policy

EIDSCA-AP03

Require MFA for Global Administrator sign-ins

CIS-1.1.10

Enforce Conditional Access for unmanaged devices

CIS-1.1.16

Enforce guest user access review cadence

CIS-1.3.1

Block legacy POP3 authentication to mailboxes

CIS-1.3.7

Disable voice call as a primary authentication method

CIS-1.3.13

Enforce authenticator app lockout policy

CIS-1.4.5

Enforce persistent browser sessions off for unmanaged devices

CIS-1.4.11

Enforce maximum eligible assignment duration for privileged roles

EIDSCA-CR13

Require MFA for Exchange Administrator sign-ins

EIDSCA-CR19

Block authentication from anonymous IP ranges

EIDSCA-CR25

Restrict guest user invitation to specific admin roles

NIST-IA-3

Block legacy IMAP authentication to mailboxes

NIST-IA-9

Enforce firewall policy on Windows endpoints

VT-INTUNE-044

Require biometric authentication for mobile devices

VT-INTUNE-APP-MACOS-MAIL

Enable spoofing prevention for hybrid deployments

CIS-3.6.14

Configure mailbox audit actions to log admin and delegate activity

CISA-EXO.1.1

Configure SPF hard-fail for all accepted domains

CISA-EXO.3.1

Disable EWS (Exchange Web Services) legacy auth

NIST-AU-2

Configure Safe Attachments policy for all recipients

NIST-AU-8

Disable PowerShell remote connections for non-admin mailboxes

NIST-SI-4

Restrict external direct-send relay via receive connectors

NIST-SI-10

Disable anonymous calendar sharing

ISO-A.8.39

Disable Basic Auth for POP3 at mailbox level

SOC2-CC7.1

Enable communication compliance policy for Teams

ISO-A.5.31

Configure spam confidence level thresholds

CIS-2.4.11

Enable automated investigation for URL compromises

CIS-2.5.4

Enable standard preset security policy for all users

CIS-2.5.10

Enable external-sender tagging in Outlook

NIST-IR-11

Require expiration dates on anonymous share links

CIS-5.6.9

Configure user-risk Conditional Access policy

CIS-1.2.2

Block external mail auto-forwarding org-wide

CIS-3.3.1

Enable Conditional Access for SharePoint access by unmanaged devices

CIS-5.4.1

Require MFA for Exchange Administrator sign-ins

CIS-1.1.11

Require MFA for SharePoint Administrator sign-ins

CIS-1.1.12

Block authentication from anonymous IP ranges

CIS-1.1.17

Require compliant device for privileged role activation

CIS-1.1.18

Restrict guest user invitation to specific admin roles

CIS-1.3.2

Block legacy IMAP authentication to mailboxes

CIS-1.3.8

Block legacy SMTP AUTH authentication

CIS-1.3.9

Enforce Authenticator app for passwordless sign-in

CIS-1.3.14

Enforce FIDO2 security keys for privileged users

CIS-1.3.15

Configure privileged access workstations for tier-0 admins

CIS-1.4.6

Require compliant device for admin access to Microsoft 365 admin center

CIS-1.4.7

Configure Identity Protection weekly digest to Security Operations

CIS-1.4.12

Investigate every flagged-for-review sign-in within 24 hours

CIS-1.4.13

Require approval workflow for privileged role activation

EIDSCA-AF14

Notify role administrators on privileged role assignment changes

EIDSCA-PS15

Require MFA for SharePoint Administrator sign-ins

EIDSCA-AF20

Require MFA for Teams Administrator sign-ins

EIDSCA-PS21

Require compliant device for privileged role activation

EIDSCA-AF26

Enforce maximum sign-in frequency for privileged sessions

EIDSCA-PS27

Prohibit user consent to unverified publisher apps

NIST-IA-4

Require admin approval for app consent requests

NIST-IA-5

Block legacy SMTP AUTH authentication

NIST-IA-10

Disable self-service sign-up for guest users

CISA-AAD.12.3

Require device lock password policy on Android

CIS-6.8.1

Require BitLocker encryption on Windows endpoints

VT-INTUNE-APP-ANDROID-MAIL

Require FileVault encryption on macOS endpoints

VT-INTUNE-APP-MACOS-BROWSER

Block personal OneDrive sync on corporate Windows

VT-INTUNE-APP-WINDOWS-BROWSER

Require Windows Update for Business ring assignment

VT-INTUNE-APP-ANDROID-OFFICE

Block external USB storage on corporate devices

VT-INTUNE-COMP-010

Configure app configuration policy for Edge (managed)

VT-INTUNE-CFG-112

Require device lock password policy on Android

NIST-CM-11

Enforce Microsoft Defender for Endpoint on macOS devices

ISO-A.8.25

Deploy Microsoft Edge baseline security profile

HIPAA-164.310.1.A

Enable mailbox audit logging on all mailboxes

CIS-3.2.2

Configure mailbox audit actions to log admin and delegate activity

CIS-3.2.3

Configure SPF hard-fail for all accepted domains

CIS-3.4.3

Disable EWS (Exchange Web Services) legacy auth

CIS-3.6.4

Require quarantine on detected malware attachments

CIS-3.6.9

Configure Safe Attachments policy for all recipients

CIS-3.6.10

Configure mail flow rule to append external-sender banner

CIS-3.7.11

Restrict external direct-send relay via receive connectors

CIS-3.7.12

Require MFA for Exchange administrators

CISA-EXO.1.2

Configure DMARC with p=reject for all accepted domains

CISA-EXO.3.2

Disable Basic Auth for POP3 at mailbox level

CISA-EXO.3.3

Restrict mailbox delegation to approved roles

NIST-SI-5

Enable Unified Audit Log tenant-wide

ISO-A.8.35

Disable Basic Auth for SMTP AUTH at mailbox level

SOC2-CC7.3

Restrict anti-malware bypass list to approved senders

SOC2-CC7.9

Require lobby admission for external meeting participants

CIS-4.1.3

Enable Safe Links scanning in Teams messages

CIS-4.3.3

Disable Teams guest access tenant-wide when not needed

CIS-4.5.2

Block screen sharing from anonymous meeting participants

CIS-4.5.3

Disable recording for anonymous meeting participants

CIS-4.6.10

Restrict recording transcription to organizers and presenters

CISA-TEAMS.1.1

Enable DLP policy for Teams chats and channels

ISO-A.5.32

Enable automatic investigation and remediation (AIR)

CIS-2.3.3

Configure email authentication alert rule to SOC

CIS-2.5.2

Enable Attack Simulation Training user outcome tracking

CIS-2.4.6

Configure incident response playbook for mailbox takeover

CIS-2.5.5

Configure incident response playbook for BEC attempts

CIS-2.5.6

Enable anti-phishing impersonation protection for VIPs

CIS-2.5.11

Configure DKIM alignment enforcement

CIS-2.5.12

Enable Defender for Cloud Apps integration with Defender

CISA-DEFENDER.2.2

Enable Defender for Identity integration with Entra ID

CISA-DEFENDER.2.3

Disable SharePoint App Catalog self-service

CIS-5.5.3

Extend Unified Audit Log retention to 12 months

CIS-3.1.2

Block iCloud keychain sync on corporate iOS devices

VT-INTUNE-831

Review access privileges via Access Reviews

NIST-AC-2.5

Require MFA for Teams Administrator sign-ins

CIS-1.1.13

Require MFA for Compliance Administrator sign-ins

CIS-1.1.14

Enforce maximum sign-in frequency for privileged sessions

CIS-1.1.19

Require password change on high user risk

CIS-1.1.20

Require admin approval for app consent requests

CIS-1.3.4

Block unmanaged browser access to SharePoint and OneDrive

CIS-1.3.5

Block authentication attempts from countries not on allowlist

CIS-1.3.10

Require number matching for Microsoft Authenticator push

CIS-1.3.11

Require temporary access passes to expire within 24 hours

CIS-1.4.2

Configure password protection banned-password list

CIS-1.4.3

Configure named locations for trusted IP ranges

CIS-1.4.8

Require MFA for external partner tenant access (B2B)

CIS-1.4.9

Route Identity Protection alerts to the SIEM

EIDSCA-AG10

Enforce just-in-time access for Exchange Administrator role

EIDSCA-AP11

Require justification for privileged role activation

EIDSCA-AG16

Configure activation notification recipients for all privileged roles

EIDSCA-AP17

Require MFA for Compliance Administrator sign-ins

EIDSCA-AG22

Require MFA for Security Administrator sign-ins

EIDSCA-AP23

Disable self-service sign-up for guest users

EIDSCA-AP29

Block unmanaged browser access to SharePoint and OneDrive

NIST-IA-6

Restrict local administrator accounts on Windows

VT-INTUNE-048

Block personal OneDrive sync on corporate Windows

ISO-A.8.22

Deploy Office 365 app baseline security profile

HIPAA-164.310.2.B

Restrict local administrator accounts on Windows

HIPAA-164.310.3.C

Configure DMARC with p=reject for all accepted domains

CIS-3.5.1

Disable Basic Auth for POP3 at mailbox level

CIS-3.5.2

Block mail forwarding to external domains by transport rule

CIS-3.6.6

Configure Safe Links policy with click-time protection

CIS-3.6.11

Enable anti-phishing policy with impersonation protection

CIS-3.6.12

Enforce litigation hold retention for 365 days minimum

CIS-3.7.8

Disable Basic Auth for SMTP AUTH at mailbox level

CISA-EXO.4.2

Block automatic mail forwarding at mailbox level

NIST-AU-5

Enable anti-phishing mailbox intelligence

NIST-AU-11

Enable DLP policy for Teams chats and channels

CIS-4.5.10

Restrict Teams federation to allow-listed domains

CIS-4.6.7

Block consumer OneDrive access in Teams channels

CISA-TEAMS.1.3

Restrict guest access to specific team channels

CISA-TEAMS.3.3

Block Teams live events creation to approved producers only

ISO-A.5.28

Configure Teams data residency for in-region tenants

ISO-A.5.34

Enable anti-phishing impersonation protection for VIPs

CIS-2.2.2

Configure Explorer search persistent queries for IR

CIS-2.4.8

Enable Defender for Office 365 Plan 2 AIR investigations

CIS-2.4.9

Configure spam confidence level thresholds

NIST-IR-8

Enable bulk complaint level (BCL) filtering

NIST-IR-9

Require MFA for Security Administrator sign-ins

CIS-1.1.15

Disable self-service sign-up for guest users

CIS-1.1.21

Enforce sign-in session lifetime for browser-based access

CIS-1.3.6

Disable SMS as a primary authentication method

CIS-1.3.12

Require on-premises password protection agent

CIS-1.4.4

Disable cross-tenant inbound B2B invitations by default

CIS-1.4.10

Enforce just-in-time access for Global Reader role

EIDSCA-AM12

Require MFA for Global Administrator sign-ins

EIDSCA-AM18

Enforce Conditional Access for unmanaged devices

EIDSCA-AM24

Enforce guest user access review cadence

NIST-IA-2

Block legacy POP3 authentication to mailboxes

NIST-IA-8

Require MFA for SharePoint Administrator sign-ins

CSF-ID.AM-8

Restrict cut-copy-paste outside managed apps

VT-INTUNE-061

Deploy Microsoft Edge baseline security profile

VT-INTUNE-COMP-013

Block personal iCloud drive on corporate iOS

NIST-CM-3

Block external USB storage on corporate devices

ISO-A.8.29

Restrict calendar sharing to internal users only

CIS-3.3.3

Enforce retention policy on Exchange mailboxes

CIS-3.7.9

Configure DKIM signing for all accepted domains

CISA-EXO.2.3

Disable Exchange ActiveSync legacy authentication

CISA-EXO.4.3

Block authentication from high-risk IP ranges

NIST-SI-3

Disable OAB (Offline Address Book) legacy auth

SOC2-CC7.6

Block Teams live events creation to approved producers only

CIS-4.5.6

Configure Teams data residency for in-region tenants

CIS-4.6.2

Disable Teams guest access tenant-wide when not needed

CISA-TEAMS.4.1

Configure DKIM alignment enforcement

CIS-2.2.3

Enable intra-organization spoof protection

NIST-IR-10

Run this remediation planner against your own findings

After a read-only scan we can walk through your remediation plan together, answer questions about each control, and hand off a leadership-ready export.