Compliance Scans
Maintained by: Aether365 Team
Audience: Security administrators and compliance officers
Scope: Compliance scan execution, frameworks covered, and result structure
Compliance scans evaluate your Microsoft 365 tenant against established security benchmarks. Each benchmark is maintained by a security authority and defines controls that organizations should implement to reduce risk.
Supported Frameworks
Benchmark versions
Aether365 always tracks the latest published version of each benchmark. The compliance engine is updated automatically as security authorities release new revisions, so your scans reflect the current standard without any action on your part. The version numbers below indicate the baseline in effect at the time of writing.
CIS Microsoft 365 Foundations Benchmark (v5.0)
Maintained by the Center for Internet Security, this benchmark is the most widely used M365 security standard. It covers:
- Account and Authentication - MFA requirements, password policies, legacy authentication
- Azure Active Directory / Entra ID - Conditional access, role assignments, privileged access
- Email Security - Anti-phishing, anti-spam, DKIM, DMARC, SPF
- Microsoft Teams - External access, guest settings, meeting policies
- Microsoft 365 Apps - Macro settings, add-in policies
- Audit Logging - Mailbox auditing, unified audit log
CIS controls are labeled Level 1 (L1) or Level 2 (L2):
| Level | Meaning |
|---|---|
| L1 | Recommended for all organizations. Minimal impact on operations. |
| L2 | Higher security, may impact usability. Recommended for security-sensitive environments. |
Check IDs follow the format CIS.M365.{section}.{subsection}.{item} - for example, CIS.M365.1.1.1.
EIDSCA (Entra ID Security Config Analyzer)
EIDSCA focuses specifically on Entra ID (formerly Azure Active Directory) configuration. It covers areas not fully addressed by CIS, including:
- Authentication methods (SSPR, MFA registration policies)
- Conditional access policy gaps
- Privileged Identity Management (PIM) settings
- Token lifetime and session controls
- Guest and external identity settings
CISA SCuBA M365 Security Baseline
Published by the U.S. Cybersecurity and Infrastructure Security Agency, SCuBA (Secure Cloud Business Applications) defines the federal government's security baseline for M365. It is structured by product:
- Microsoft Entra ID (AAD)
- Microsoft Defender for Office 365
- Exchange Online
- Microsoft Teams
- SharePoint Online and OneDrive
- Microsoft 365 Apps
SCuBA is particularly relevant for organizations in regulated industries or those working with US federal agencies.
NIS2
NIS2 is the EU Network and Information Systems Directive (2022/2502). Aether365 maps M365 configuration controls to relevant NIS2 technical requirements, helping organizations in the European Union demonstrate compliance with:
- Access control and authentication (Article 21)
- Incident handling and security event logging
- Business continuity controls
- Supply chain security settings
Result Categories
Each check returns one of three results:
| Result | Meaning |
|---|---|
| Passed | The control is correctly configured |
| Failed | The control is not met - remediation recommended |
| Skipped | The check is not applicable to your tenant's configuration or license |
Severity Labels
In addition to L1/L2 (CIS), each check has a severity assigned by Aether365:
| Severity | Description |
|---|---|
| Critical | Direct exploitation risk or common attack vector |
| High | Significant risk, should be remediated promptly |
| Medium | Risk exists but mitigated by other controls |
| Low | Best practice, lower immediate risk |
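As an added example (not Aether365's own code or an export format it documents), the script below takes a scan export and turns the result categories, severity labels and CIS levels described above into a remediation queue: it validates CIS check IDs against the documented `CIS.M365.{section}.{subsection}.{item}` format, counts Passed/Failed/Skipped, computes a pass rate over applicable checks only, and orders failed checks so Critical L1 findings come first. The result schema (`id`, `framework`, `result`, `severity`, `level`), the sample rows and the `EIDSCA.PLACEHOLDER-1` identifier are all constructed for this example.

```python
import re
from collections import Counter

# Severity ranking as described in the severity table: Critical is most urgent.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# CIS level ranking: L1 (recommended for all organisations) before L2.
# Non-CIS checks carry no level and sort after both.
LEVEL_RANK = {"L1": 0, "L2": 1, None: 2}

# Documented check ID format: CIS.M365.{section}.{subsection}.{item}
CIS_ID_RE = re.compile(r"^CIS\.M365\.(\d+)\.(\d+)\.(\d+)$")


def parse_cis_id(check_id):
    """Return (section, subsection, item) for a well-formed CIS check ID, else None."""
    match = CIS_ID_RE.match(check_id)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


# Constructed sample export. The schema (id, framework, result, severity, level)
# is an assumption for this example, not Aether365's actual result structure;
# "EIDSCA.PLACEHOLDER-1" is a placeholder, not a real EIDSCA identifier.
SAMPLE_RESULTS = [
    {"id": "CIS.M365.1.1.1", "framework": "CIS", "result": "Failed", "severity": "Critical", "level": "L1"},
    {"id": "CIS.M365.1.2.3", "framework": "CIS", "result": "Passed", "severity": "High", "level": "L1"},
    {"id": "CIS.M365.2.1.4", "framework": "CIS", "result": "Failed", "severity": "Medium", "level": "L2"},
    {"id": "CIS.M365.6.1.2", "framework": "CIS", "result": "Skipped", "severity": "Low", "level": "L1"},
    {"id": "CIS.M365.5.2.2", "framework": "CIS", "result": "Failed", "severity": "Critical", "level": "L2"},
    {"id": "CIS.M365.1.1", "framework": "CIS", "result": "Passed", "severity": "High", "level": "L1"},  # malformed ID
    {"id": "EIDSCA.PLACEHOLDER-1", "framework": "EIDSCA", "result": "Failed", "severity": "High", "level": None},
]


def malformed_cis_ids(results):
    """IDs of CIS-framework checks that do not follow the documented format."""
    return [r["id"] for r in results
            if r["framework"] == "CIS" and parse_cis_id(r["id"]) is None]


def result_counts(results):
    """Count Passed / Failed / Skipped across the export."""
    return Counter(r["result"] for r in results)


def pass_rate(results):
    """Share of applicable checks that passed. Skipped checks are not applicable
    to the tenant, so they are excluded from the denominator."""
    counts = result_counts(results)
    applicable = counts["Passed"] + counts["Failed"]
    return counts["Passed"] / applicable if applicable else 0.0


def remediation_queue(results):
    """Failed checks ordered by severity, then CIS level, then ID, so the
    Critical L1 findings surface first."""
    failed = [r for r in results if r["result"] == "Failed"]
    return sorted(failed, key=lambda r: (SEVERITY_RANK[r["severity"]],
                                          LEVEL_RANK[r.get("level")],
                                          r["id"]))


def failed_by_severity(results):
    """Number of failed checks per severity label, for a quick dashboard line."""
    return Counter(r["severity"] for r in results if r["result"] == "Failed")


if __name__ == "__main__":
    print("Malformed CIS IDs:", malformed_cis_ids(SAMPLE_RESULTS))
    print("Result counts:", dict(result_counts(SAMPLE_RESULTS)))
    print(f"Pass rate (applicable checks): {pass_rate(SAMPLE_RESULTS):.0%}")
    print("Failed by severity:", dict(failed_by_severity(SAMPLE_RESULTS)))
    for r in remediation_queue(SAMPLE_RESULTS):
        print(f"  {r['severity']:<8} {r.get('level') or '-':<3} {r['id']}")
```

Skipped checks are left out of the pass-rate denominator deliberately: the page defines Skipped as "not applicable to your tenant's configuration or license", so counting them as failures would penalise tenants for controls they cannot configure, and counting them as passes would inflate the score. The malformed-ID check is a useful guard when results are fed into a ticketing or GRC system keyed on check IDs.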
Remediation Guidance
Each failed check includes:
- A plain-language explanation of why the check failed
- Step-by-step instructions to fix it in the Microsoft 365 admin center or Azure portal
- A link to the official Microsoft documentation
Disclaimer
Aether365 compliance scan results are provided for informational and security improvement purposes. They are automated recommendations based on your Microsoft 365 configuration - they are not a certification, attestation, or legal guarantee of compliance with any framework, standard, or regulation (including CIS, EIDSCA, CISA SCuBA, NIS2, or GDPR).
- Aether365 reads only configuration metadata. It does not process, store, or analyse your business content, email, files, or end-user personal data to produce these results, and no customer data is ever sent to AI or machine-learning services.
- A passing result means a control was configured as expected at scan time. It does not certify that your organisation is compliant with any law or regulation.
- You remain solely responsible for your organisation's regulatory compliance, for interpreting and acting on scan results, and for any fines, penalties, or sanctions arising from your regulatory obligations.
For formal certification or a legal assessment of your compliance posture, consult a qualified auditor or legal advisor.