Policy Management
Scans tell you which checks passed or failed across a full security baseline. Policy Management zooms in on a handful of the highest-impact tenant policies and gives you a live, always-current view of them: what each one is set to right now, what the secure value is, and a one-click way to fix the writable ones.
Policy Management reads the live state of your tenant, so it always reflects the current configuration rather than the result of an older scan.
Requires an AI Pilot connection
Policy Management uses your AI Pilot connection. Reading the policies and applying the one-click fix both go through it. If you only have a read-only scanning connection, set up AI Pilot first - see AI Pilot.
The live policy view
The Policy Management page lists each covered policy as a row. For every policy you see:
- The policy name and a short description of what it controls.
- The current value in your tenant right now.
- The secure value Aether365 recommends.
- Whether it is already secure, so you can tell at a glance what still needs attention.
Because the view is live, a policy you fix here updates immediately the next time you load the page, and a change someone makes elsewhere in Microsoft 365 shows up here too.
Current value versus secure value
Each policy is shown as a side-by-side comparison: what your tenant uses today next to what a hardened tenant should use. When the two match, the policy is already secure and there is nothing to do. When they differ, the row makes the gap obvious and, for writable policies, offers the fix.
This makes Policy Management a quick health check: open the page, scan down the rows, and anything not yet at its secure value stands out.
One-click toggle to secure
For policies that Aether365 can change, each row that is not yet at its secure value shows a control to switch it to the recommended setting.
- Open Policy Management from the sidebar.
- Find a policy whose current value differs from the secure value.
- Click the control to set it to the secure value and confirm.
- Aether365 applies the change through your AI Pilot connection, then refreshes the row so you can see it is now secure.
Not every policy can be toggled this way. Some are read-only here because they are informational or are better managed with a dedicated policy in your tenant. Those rows still show you the current versus secure comparison so you know where you stand, even when the one-click fix is not offered.
Confirm with a fresh scan
A one-click fix changes the live setting straight away. To confirm the change in the context of your full baseline, run a scan afterwards. The scan reads your tenant's actual state independently, so it is the authoritative confirmation that the policy is now where you want it.
Which policies are covered
Policy Management focuses on a small set of high-impact tenant security policies, including:
- Security Defaults - the baseline protection toggle for the tenant.
- Authorization policy - tenant-wide settings that govern what users are allowed to do, such as default user permissions.
- Authentication methods - which sign-in and multi-factor methods are enabled, including stronger options like FIDO2.
- Conditional Access summary - an overview of your Conditional Access posture, so you can see at a glance whether key protections are in place.
This is intentionally a curated, high-signal list rather than your entire policy surface. For a complete baseline across CIS, EIDSCA, and CISA frameworks, run a scan and work through the findings - see Remediating Findings.
Related
- AI Pilot - the write connection that powers Policy Management
- Threat Alerts - live identity risk and one-click breach response
- Remediating Findings - work through your full scan baseline
- Security Model - read-only default and optional write access
- Microsoft Permissions - permissions Aether365 requests