Veri-Guard
Professional
Veri-Guard is the compliance scanning and remediation engine for Microsoft 365. It assesses your tenant against 548 security controls across twelve compliance frameworks, produces weighted compliance scores, and can automatically remediate 330+ controls under the safety controls described below.
How Veri-Guard Works
Step-by-step walkthrough from start to finish
Run Compliance Assessment
From the Compliance Hub, click "Run Assessment." Veri-Guard reads your tenant configuration via the Graph API and evaluates it against 548 controls across 12 frameworks including CISA, CIS, NIST 800-53, NIST CSF, ISO 27001, SOC 2, HIPAA, and GDPR. Scans typically complete in 1-3 minutes.
Review Your Compliance Score
Your dashboard shows an overall weighted compliance score and per-domain breakdowns across Identity, Intune, Exchange, Teams, SharePoint, and Defender. Each control shows pass/fail status, severity, framework mappings, and remediation guidance.
Analyze Risk & Prioritize
Use the What-If Simulator to project score improvements, Compliance Debt Calculator to quantify financial risk, Blast Radius Analysis for incident mapping, and Quick Win Bundles to find high-impact, low-effort fixes.
Remediate Compliance Gaps (Enterprise)
Select failing controls and click "Remediate." Veri-Guard requests JIT write permissions, applies the fixes (Conditional Access policies are written in report-only mode, with break-glass exclusions enforced), and auto-revokes the write permissions when done. Every action is logged in the audit trail.
Generate Evidence & Reports
Generate Board-Ready Executive Reports, Compliance Certificates with public verification URLs, and compliance evidence packages with SHA-256 signed manifests. All designed for auditors, board presentations, and partner verification.
Monitor Drift & Alert
Set up scheduled scans (daily/weekly/monthly) and compliance alerts. Get notified when your score drops below a threshold via email or HMAC-signed webhooks to Slack, Teams, PagerDuty, or custom tools. A custom receiver should verify the HMAC before acting on an alert, since anyone who can reach the endpoint can otherwise post a fake score drop.
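The receiving side of a signed webhook, as an added example (not Veri-Guard's own code). The page does not document the exact signing format, so the header names `X-Veriguard-Signature` and `X-Veriguard-Timestamp` and the scheme hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")) are assumptions; adapt them to what the alert configuration shows. The sample delivery is constructed here, not a captured message.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed header names and signing scheme; the page does not document the
# exact format, so adapt these to what the alert configuration shows.
SIGNATURE_HEADER = "X-Veriguard-Signature"   # hex(HMAC-SHA256(secret, "<ts>.<raw body>"))
TIMESTAMP_HEADER = "X-Veriguard-Timestamp"   # Unix seconds, included to bound replays
MAX_SKEW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """HMAC over the timestamp and the raw bytes exactly as received (never re-serialised JSON)."""
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   now: Optional[float] = None) -> dict:
    """Return the parsed alert payload, or raise ValueError if it cannot be trusted.

    `headers` is assumed to be case-insensitive (most web frameworks hand you one);
    a plain dict must use the exact header names above.
    """
    now = time.time() if now is None else now
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if timestamp is None or signature is None:
        raise ValueError("missing signature or timestamp header")
    try:
        sent_at = int(timestamp)
    except ValueError:
        raise ValueError("timestamp is not an integer") from None
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside tolerance; treating as replay")
    expected = compute_signature(secret, timestamp, raw_body)
    # compare_digest runs in constant time, so an attacker cannot learn the
    # correct MAC byte by byte from response timing
    if not hmac.compare_digest(expected, signature.lower()):
        raise ValueError("HMAC mismatch: body or headers were altered")
    return json.loads(raw_body)


def is_valid_delivery(secret: bytes, headers: dict, raw_body: bytes,
                      now: Optional[float] = None) -> bool:
    """Boolean wrapper for handlers that only need accept/reject."""
    try:
        verify_webhook(secret, headers, raw_body, now)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


# Constructed sample delivery (not a real Veri-Guard message): a score-drop alert
# signed with a shared secret, as the sender side would produce it.
SAMPLE_SECRET = b"rotate-me-in-the-alert-settings"
SAMPLE_TIMESTAMP = "1700000000"
SAMPLE_BODY = b'{"event":"score_below_threshold","tenant":"contoso","score":71.5,"threshold":80}'
SAMPLE_HEADERS = {
    TIMESTAMP_HEADER: SAMPLE_TIMESTAMP,
    SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY),
}

if __name__ == "__main__":
    alert = verify_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=1700000010)
    print("accepted:", alert["event"], alert["score"])
    tampered = SAMPLE_BODY.replace(b"71.5", b"91.5")
    print("tampered accepted?",
          is_valid_delivery(SAMPLE_SECRET, SAMPLE_HEADERS, tampered, now=1700000010))
```

Two details matter in practice: sign and verify over the raw request bytes, because re-serialising the JSON changes whitespace and key order and the MAC will not match; and keep the timestamp window, because a valid signature alone does not stop an old alert being replayed to trigger a paging rotation.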
Data Handling
What data is collected, processed, stored, and what is never accessed
Data collected during compliance scans
- →Microsoft 365 policy configurations across all six domains (read-only, via Graph API)
- →Entra ID Conditional Access policies, named locations, and authentication methods
- →Exchange transport rules, connectors, and anti-spam/anti-malware settings
- →Teams meeting policies, messaging policies, and external access settings
- →SharePoint sharing settings, site collection configurations, and external collaboration policies
- →Defender for Office 365 Safe Links, Safe Attachments, and anti-phishing policies
- →Intune device compliance policies and configuration profile settings
How data is processed
- →Tenant configuration is evaluated against 548 control definitions from the Veri-Guard registry
- →Each control is scored pass/fail with severity weighting (Critical > High > Medium > Low)
- →Cross-framework mappings are applied (NIST, ISO 27001, SOC 2, HIPAA, CIS, CISA)
- →AI Insights and Remediation Plans (Professional+) use anonymized compliance metadata only — see AI Features page for full details
- →Remediation (Enterprise) applies changes via Graph API with JIT write permissions
What is stored after assessment
- →Compliance scores (overall, per-domain, per-framework) in Azure Table Storage
- →Per-control pass/fail results with metadata (control ID, severity, framework tags)
- →Generated reports (HTML, PDF) in Azure Blob Storage (encrypted at rest)
- →Remediation audit trail entries (timestamp, control, action, before/after values)
- →Retention: 90 days (Professional), 3 years (Enterprise/MSP)
Data Veri-Guard never accesses
- ✗Email message content, attachments, or mailbox data
- ✗File contents in SharePoint, OneDrive, or Teams channels
- ✗User passwords, MFA secrets, or security keys
- ✗Sign-in logs, audit logs, or individual user activity
- ✗Azure AD / Entra ID user profile photos or personal data beyond display names
- ✗Device hardware inventories or installed application lists
Permissions
Every Graph API permission used, when it's requested, and why
Permission Model
Read permissions are granted at initial admin consent and remain active for scanning. Write permissions use a Just-In-Time (JIT) model: they are requested immediately before a remediation job, used to apply the changes, and automatically revoked when the job completes, so Veri-Guard never holds standing write access to your tenant. You can also revoke any permission manually at any time.
Read permissions (standing, granted at admin consent)
- →Policy.Read.All: Read Conditional Access policies, named locations, and authentication methods
- →Directory.Read.All: Read directory objects (users, groups, roles) for policy evaluation
- →SecurityEvents.Read.All: Read Defender for Office 365 threat data and security configurations
- →Organization.Read.All: Read tenant metadata and license information
Write permissions (JIT, requested for a remediation job and revoked after it)
- →Policy.ReadWrite.ConditionalAccess: Create/update Conditional Access policies (always in report-only mode)
- →RoleManagement.ReadWrite.Directory: Assign required roles for remediation actions. This permission can assign any directory role, including privileged ones, so confirm it has been revoked once the job completes.
- →Application.ReadWrite.All: Update app registration settings for remediation. This permission covers every app registration and service principal in the tenant, including their credentials, so treat its JIT window the same way.
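A way to verify the JIT claim from your side, as an added example (not Veri-Guard's own tooling): resolve the app-role assignments granted to the Veri-Guard service principal against the Microsoft Graph service principal's appRoles and flag any write-capable permission still present outside a remediation job. In a real tenant the two inputs come from `GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'` (the Graph service principal) and `GET /servicePrincipals/{veriguard-sp-id}/appRoleAssignments`; the responses below are constructed and their GUIDs invented.

```python
from typing import Dict, List

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Write-capable permissions from the table above; the name heuristic below
# catches any others that might show up in a grant.
WRITE_PERMISSIONS = {
    "Policy.ReadWrite.ConditionalAccess",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
}


def is_write_permission(name: str) -> bool:
    """True for listed write permissions and for any Graph permission with a ReadWrite/Write segment."""
    return name in WRITE_PERMISSIONS or any(seg in ("ReadWrite", "Write") for seg in name.split("."))


def resolve_permission_names(graph_sp: dict, assignments: List[dict]) -> Dict[str, str]:
    """Map each appRoleAssignment id to the permission string it grants.

    graph_sp is the Microsoft Graph service principal object (its appRoles list
    carries id -> value); assignments is the Veri-Guard service principal's
    appRoleAssignments collection, whose appRoleId values are GUIDs, not names.
    """
    role_values = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    resolved = {}
    for assignment in assignments:
        if assignment["resourceId"] != graph_sp["id"]:
            continue  # grant on some other resource API; out of scope here
        resolved[assignment["id"]] = role_values.get(
            assignment["appRoleId"], "unknown:" + assignment["appRoleId"])
    return resolved


def standing_write_assignments(graph_sp: dict, assignments: List[dict]) -> Dict[str, str]:
    """Assignments that grant write access; outside a remediation job this should be empty."""
    return {aid: name
            for aid, name in resolve_permission_names(graph_sp, assignments).items()
            if is_write_permission(name)}


# Constructed sample responses (GUIDs invented; real Graph appRole ids differ).
SAMPLE_GRAPH_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "r-0001", "value": "Policy.Read.All"},
        {"id": "r-0002", "value": "Directory.Read.All"},
        {"id": "r-0003", "value": "Policy.ReadWrite.ConditionalAccess"},
        {"id": "r-0004", "value": "RoleManagement.ReadWrite.Directory"},
    ],
}
SAMPLE_ASSIGNMENTS = [
    {"id": "asg-1", "resourceId": "aaaaaaaa-0000-0000-0000-000000000001", "appRoleId": "r-0001"},
    {"id": "asg-2", "resourceId": "aaaaaaaa-0000-0000-0000-000000000001", "appRoleId": "r-0002"},
    # a write grant left behind after a job: this is what the check must surface
    {"id": "asg-3", "resourceId": "aaaaaaaa-0000-0000-0000-000000000001", "appRoleId": "r-0003"},
    # a grant against a different resource API, ignored by this check
    {"id": "asg-4", "resourceId": "bbbbbbbb-0000-0000-0000-000000000002", "appRoleId": "r-0004"},
]

if __name__ == "__main__":
    leftover = standing_write_assignments(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS)
    for assignment_id, permission in leftover.items():
        # to revoke: DELETE /servicePrincipals/{veriguard-sp-id}/appRoleAssignments/{assignment_id}
        print(f"standing write permission {permission} (assignment {assignment_id})")
    if not leftover:
        print("no standing write permissions")
```

Run it on a schedule that does not coincide with remediation windows; a hit means either a job is in progress or the auto-revoke did not happen, and the assignment id in the output is the one to delete.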
Safety Controls
- ✓Conditional Access policies are always deployed in report-only mode — enforcement requires manual action
- ✓Break-glass (emergency access) accounts are excluded from all deployed policies — required before any write operation
- ✓JIT write permissions — granted before remediation, auto-revoked after
- ✓Disruption risk ratings (None/Low/Medium/High/Critical) shown before every remediation
- ✓Prerequisite checks — controls requiring specific licenses are automatically skipped
- ✓Dependency-aware execution ordering — controls are remediated in the correct sequence
- ✓Remediation rollback — undo changes within 24 hours (Enterprise)
- ✓Full audit trail — every remediation action is logged with before/after values
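The two first safety controls above, and the same guarantees described in the Remediate step of the walkthrough, expressed as a pre-write check you can run against a Conditional Access policy object in the shape the Graph API returns. This is an added example, not Veri-Guard's own remediation code: the `state` value `enabledForReportingButNotEnforced` and the `conditions.users.excludeUsers` / `excludeGroups` fields are the real Graph schema, while the sample policy and the break-glass object ids are constructed.

```python
import copy
from typing import Iterable, List

# Microsoft Graph conditionalAccessPolicy.state value for report-only mode;
# the other values are "enabled" and "disabled".
REPORT_ONLY = "enabledForReportingButNotEnforced"


def preflight_ca_policy(policy: dict, break_glass_user_ids: Iterable[str],
                        break_glass_group_ids: Iterable[str] = ()) -> List[str]:
    """Return the reasons the policy must not be written; an empty list means safe to apply."""
    problems = []
    state = policy.get("state")
    if state != REPORT_ONLY:
        problems.append(f"state is {state!r}, expected {REPORT_ONLY!r}")
    users = policy.get("conditions", {}).get("users", {})
    excluded_users = set(users.get("excludeUsers") or [])
    excluded_groups = set(users.get("excludeGroups") or [])
    # a break-glass account counts as excluded if listed directly or if one of
    # its known groups is excluded
    group_covered = bool(excluded_groups & set(break_glass_group_ids))
    missing = [uid for uid in break_glass_user_ids if uid not in excluded_users]
    if missing and not group_covered:
        problems.append("break-glass accounts not excluded: " + ", ".join(missing))
    return problems


def harden_policy(policy: dict, break_glass_user_ids: Iterable[str]) -> dict:
    """Return a copy that passes preflight: report-only state plus explicit break-glass exclusions."""
    fixed = copy.deepcopy(policy)  # never mutate the draft the caller still holds
    fixed["state"] = REPORT_ONLY
    users = fixed.setdefault("conditions", {}).setdefault("users", {})
    excluded = list(users.get("excludeUsers") or [])
    for uid in break_glass_user_ids:
        if uid not in excluded:
            excluded.append(uid)
    users["excludeUsers"] = excluded
    return fixed


# Constructed sample: an MFA policy as a remediation job might draft it, in the
# shape the Graph API returns, but enforced immediately and with nobody excluded.
BREAK_GLASS_IDS = ["11111111-2222-3333-4444-555555555555",
                   "66666666-7777-8888-9999-aaaaaaaaaaaa"]
SAMPLE_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for problem in preflight_ca_policy(SAMPLE_POLICY, BREAK_GLASS_IDS):
        print("BLOCKED:", problem)
    safe = harden_policy(SAMPLE_POLICY, BREAK_GLASS_IDS)
    print("after hardening:", preflight_ca_policy(safe, BREAK_GLASS_IDS) or "ok to write")
```

The point of doing this as a gate rather than a warning is lockout prevention: an enforced all-users policy with no excluded emergency account is exactly the change that cannot be undone once every administrator is caught by it, so the check should fail closed and the write should not be attempted until the hardened copy passes.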
