Veri-Tech
Products/Veri-Guard

Veri-Guard

Professional

Veri-Guard is the compliance scanning, runbook generation, and remediation engine for Microsoft 365. It assesses your tenant against 548 security controls across twelve compliance frameworks, produces weighted compliance scores, and generates step-by-step runbooks (admin portal UI / PowerShell / Graph) for closing every failing gap. On Professional and Enterprise, 330+ of those controls can also one-click auto-remediate with full safety controls as an alternative to runbook execution.

548M365 controls
12Frameworks
330+Auto-remediable
6Workloads

Long-form walkthrough

Read the Veri-Guard Guide

Page-by-page walkthrough of every Veri-Guard surface in the portal — from your first scan through to the auditor-ready evidence.

How Veri-Guard Works

Step-by-step walkthrough from start to finish

1

Run Compliance Assessment

From the Compliance Hub, click "Run Assessment." Veri-Guard reads your tenant configuration via the Graph API and evaluates it against 548 controls across 12 frameworks including CISA, CIS, NIST 800-53, NIST CSF, ISO 27001, SOC 2, HIPAA, and GDPR. Scans typically complete in 1-3 minutes.

2

Review Your Compliance Score

Your dashboard shows an overall weighted compliance score and per-domain breakdowns across Identity, Intune, Exchange, Teams, SharePoint, and Defender. Each control shows pass/fail status, severity, framework mappings, and remediation guidance.

3

Analyze Risk & Prioritize

Use the What-If Simulator to project score improvements, Compliance Debt Calculator to quantify financial risk, Blast Radius Analysis for incident mapping, and Quick Win Bundles to find high-impact, low-effort fixes.

4

Close Compliance Gaps

Every failing control generates a step-by-step runbook in your choice of admin portal UI click-through, PowerShell, or Graph API — with expected output and rollback steps. Your team executes the runbook by hand at any plan tier. On Professional or Enterprise, 330+ of those controls can also auto-remediate: click "Remediate," Veri-Guard requests JIT write permissions, applies the fix (Conditional Access in report-only mode, break-glass exclusions enforced), and auto-revokes when done. Every action is logged in the audit trail either way.

5

Generate Evidence & Reports

Generate Board-Ready Executive Reports, Compliance Certificates with public verification URLs, and compliance evidence packages with SHA-256 signed manifests. All designed for auditors, board presentations, and partner verification.

6

Monitor Drift & Alert

Set up scheduled scans (daily/weekly/monthly) and compliance alerts. Get notified when your score drops below a threshold via email or HMAC-signed webhooks to Slack, Teams, PagerDuty, or custom tools.

Data Handling

What data is collected, processed, stored, and what is never accessed

Data collected during compliance scans

  • Microsoft 365 policy configurations across all six domains (read-only, via Graph API)
  • Entra ID Conditional Access policies, named locations, and authentication methods
  • Exchange transport rules, connectors, and anti-spam/anti-malware settings
  • Teams meeting policies, messaging policies, and external access settings
  • SharePoint sharing settings, site collection configurations, and external collaboration policies
  • Defender for Office 365 Safe Links, Safe Attachments, and anti-phishing policies
  • Intune device compliance policies and configuration profile settings

How data is processed

  • Tenant configuration is evaluated against 548 control definitions from the Veri-Guard registry
  • Each control is scored pass/fail with severity weighting (Critical > High > Medium > Low)
  • Cross-framework mappings are applied (NIST, ISO 27001, SOC 2, HIPAA, CIS, CISA)
  • AI Insights and Remediation Plans (Professional+) use anonymized compliance metadata only — see AI Features page for full details
  • Auto-remediation (Professional and Enterprise) applies changes via Graph API with JIT write permissions; runbook execution is performed by hand and not bound to a tier

What is stored after assessment

  • Compliance scores (overall, per-domain, per-framework) in Azure Table Storage
  • Per-control pass/fail results with metadata (control ID, severity, framework tags)
  • Generated reports (HTML, PDF) in Azure Blob Storage (encrypted at rest)
  • Remediation audit trail entries (timestamp, control, action, before/after values)
  • Retention: 90 days (Professional), 3 years (Enterprise/MSP)

Data Veri-Guard never accesses

  • Email message content, attachments, or mailbox data
  • File contents in SharePoint, OneDrive, or Teams channels
  • User passwords, MFA secrets, or security keys
  • Sign-in logs, audit logs, or individual user activity
  • Azure AD / Entra ID user profile photos or personal data beyond display names
  • Device hardware inventories or installed application lists

Permissions

Every Graph API permission used, when it's requested, and why

Permission Model

Read permissions are granted during initial admin consent and remain active. Write permissions use a Just-In-Time (JIT) model — they are requested immediately before a remediation job, used to apply changes, and automatically revoked when the job completes. Your tenant never has standing write access. You can also manually revoke at any time.

Policy.Read.All
Read
Always

Read Conditional Access policies, named locations, and authentication methods

Directory.Read.All
Read
Always

Read directory objects (users, groups, roles) for policy evaluation

SecurityEvents.Read.All
Read
Always

Read Defender for Office 365 threat data and security configurations

Organization.Read.All
Read
Always

Read tenant metadata and license information

Policy.ReadWrite.ConditionalAccess
Write
JIT only

Create/update Conditional Access policies (always in report-only mode)

RoleManagement.ReadWrite.Directory
Write
JIT only

Assign required roles for remediation actions

Application.ReadWrite.All
Write
JIT only

Update app registration settings for remediation

Safety Controls

  • Conditional Access policies are always deployed in report-only mode — enforcement requires manual action
  • Break-glass (emergency access) accounts are excluded from all deployed policies — required before any write operation
  • JIT write permissions — granted before remediation, auto-revoked after
  • Disruption risk ratings (None/Low/Medium/High/Critical) shown before every remediation
  • Prerequisite checks — controls requiring specific licenses are automatically skipped
  • Dependency-aware execution ordering — controls are remediated in the correct sequence
  • Remediation rollback — undo changes within 24 hours (Enterprise)
  • Full audit trail — every remediation action is logged with before/after values

Capabilities

548 M365 security controls across CISA, CIS, NIST 800-53, NIST CSF, ISO 27001, SOC 2, HIPAA, GDPR, and more
Six assessment domains: Identity, Intune, Exchange, Teams, SharePoint, Defender
Weighted scoring with severity-based impact on your overall score
Cross-framework mapping to NIST, ISO 27001, SOC 2, HIPAA, and more
Step-by-step runbooks for every failing control — admin portal UI / PowerShell / Graph paths, expected output, rollback steps (default workflow, available at any plan tier)
Optional one-click auto-remediation for 330+ controls (Professional and Enterprise) as an alternative to runbook execution
What-If Simulator, Compliance Debt Calculator, Blast Radius Analysis, Quick Win Bundles
Board-Ready Executive Reports and Compliance Certificates
Scheduled scans (daily/weekly/monthly) and compliance alerts (email + webhook)
AI Insights and Remediation Plans (Professional+), full Compliance Copilot (Enterprise)
Remediation rollback within 24 hours (Enterprise)

Frequently Asked Questions

How long does a compliance scan take?
A typical scan completes in 1-3 minutes. Exchange and Teams workloads may add additional time as they use PowerShell-based checks.
Can remediation break my tenant?
Veri-Guard has multiple safety controls to prevent disruption. Conditional Access policies are always deployed in report-only mode (they log but don't enforce). Break-glass accounts are always excluded. Every control has a disruption risk rating shown before deployment. And rollback is available within 24 hours on Enterprise plans.
What happens to write permissions after remediation?
Write permissions are automatically revoked by the worker after the remediation job completes. This typically happens within seconds of job completion. You can also manually revoke at any time from Settings → Permissions.
How does the What-If Simulator work?
The What-If Simulator lets you select any combination of failing controls and see how your compliance score would change if you remediated them — before making any changes. It runs entirely client-side for instant results.
What is the Compliance Debt Calculator?
The Compliance Debt Calculator translates compliance gaps into dollar risk exposure using data from 15 real-world breach incidents and regulatory actions. It helps quantify the financial risk of inaction for executive and board presentations.

All Products · Full Permission Reference · AI Features & Privacy · Control Frameworks

Questions? Submit a ticket · Email support