Skip to main content

FAQ

Microsoft 365 security questions every MSP asks, answered.

Straight answers on M365 security, compliance, Copilot readiness, and multi-tenant management, plus how CloudCapsule helps you assess and fix it all.

Frequently asked questions

The 50 questions MSPs and IT teams ask most about securing Microsoft 365, grouped by topic. Jump to a category or browse them all.

Microsoft 365 Security Essentials

What are the most important Microsoft 365 security settings to enable first?

Start with identity, because compromised accounts cause most Microsoft 365 breaches. Enforce multi-factor authentication for every user, block legacy authentication protocols that bypass MFA, remove standing Global Admin privileges, and turn on unified audit logging. After identity, harden email with anti-phishing, Safe Links, and Safe Attachments, then lock down SharePoint and OneDrive external sharing.

The hard part for an MSP is verifying these are actually in place across every client tenant and keeping them that way. CloudCapsule assesses any Microsoft 365 tenant against 250+ controls in about 60 seconds and flags exactly which of these foundational settings are missing, so you know where to focus before anything goes wrong.

What is the difference between Security Defaults and Conditional Access in Microsoft 365?

Security Defaults is a free, all-or-nothing baseline that forces MFA for every user and blocks legacy authentication, with no ability to customize. Conditional Access requires at least an Entra ID P1 license and lets you build granular policies based on user, application, location, device state, and sign-in risk. You cannot run both at once; turning Conditional Access on automatically disables Security Defaults.

Security Defaults is fine for very small tenants, but most clients on Microsoft 365 Business Premium or above should move to Conditional Access for real control. CloudCapsule detects whether a tenant is relying on Security Defaults, has properly scoped Conditional Access policies, or has dangerous gaps like excluded users or disabled policies.

Why is multi-factor authentication so important for Microsoft 365?

Multi-factor authentication (MFA) blocks the overwhelming majority of account-takeover attacks because a stolen password alone is no longer enough to sign in. Microsoft has reported that MFA stops more than 99% of automated account-compromise attempts, which is why it is now the single highest-impact control you can deploy. The key is that MFA must be enforced, not merely available, so users cannot opt out.

MFA gaps, such as excluded admin accounts or VIP exceptions, are among the most common findings in tenant assessments. CloudCapsule surfaces every account and policy where MFA is not fully enforced, so you can close the exact holes attackers look for.

What license do I need for Conditional Access and advanced Microsoft 365 security?

Conditional Access requires at least an Entra ID P1 license, which is available as a standalone add-on or included in Microsoft 365 Business Premium and above. Intune and Defender for Business, however, require Microsoft 365 Business Premium specifically — Entra ID P1 standalone does not include them. Risk-based Conditional Access, Privileged Identity Management, and Identity Protection require Entra ID P2, available in E5 or the E5 Security add-on for Business Premium. Business Basic and Business Standard lack these capabilities entirely.

Recommending a control a client cannot actually use erodes trust fast. CloudCapsule includes licensing-gap detection that maps each tenant's licenses to the security features it can and cannot enable, so your recommendations are always actionable.

How do I protect Microsoft 365 against phishing and email-based attacks?

Email is the most common attack vector, so layer Exchange Online Protection with Defender for Office 365 policies: enable Safe Links and Safe Attachments, configure anti-phishing with impersonation protection, and apply Microsoft's Standard or Strict preset security policies as a starting point. Then complete email authentication with SPF, DKIM, and DMARC so spoofed mail from your clients' domains is rejected.

Many tenants have these features licensed but left at defaults or never turned on. CloudCapsule checks the actual Defender for Office 365 and email-authentication configuration in each tenant and flags policies that are missing, disabled, or weaker than recommended baselines.

What is token theft and how do I prevent it in Microsoft 365?

Token theft is when an attacker steals a valid session token (often through an adversary-in-the-middle phishing page) and replays it to access Microsoft 365 without ever needing the password or MFA prompt. It is a rising threat precisely because it sidesteps traditional MFA. Mitigations include phishing-resistant MFA such as FIDO2 keys, Conditional Access token protection, continuous access evaluation, and shorter session lifetimes for unmanaged devices.

These controls are scattered across Entra ID and easy to overlook. CloudCapsule's assessment highlights whether token-protection and session controls are configured, so you can move clients beyond basic MFA toward phishing-resistant defenses.

How many Global Administrators should a Microsoft 365 tenant have?

Microsoft recommends keeping Global Administrators to a small number, generally between two and four, with all of them MFA-protected and ideally using just-in-time elevation through Privileged Identity Management rather than standing access. Excess standing Global Admin accounts are one of the most common and dangerous misconfigurations, because each one is a high-value target. Day-to-day work should use least-privilege roles like User Administrator or Exchange Administrator instead.

CloudCapsule enumerates every privileged role assignment in a tenant and flags excessive Global Admins, unprotected admin accounts, and standing privilege that should be moved to PIM.

Does Microsoft 365 Business Standard support advanced security?

No. Microsoft 365 Business Standard includes the desktop Office apps but offers the same minimal security as Business Basic, with no Conditional Access, no Intune, and no Defender for Business or Defender for Office 365. To deploy meaningful security controls you need Business Premium or higher, which adds Entra ID P1, Intune, and the Defender stack.

Because Business Standard lacks the Defender service principal, CloudCapsule cannot fully assess those tenants and works best with Business Premium or above (E3 and E5 are also supported). The fastest security win for a Business Standard client is usually the upgrade to Business Premium itself.

How do I secure SharePoint and OneDrive external sharing in Microsoft 365?

By default, Microsoft 365 often allows users to share files with anyone via anonymous links, which is a frequent source of data exposure. Tighten this in the SharePoint admin center by setting sharing to authenticated or specific people, applying link expiration, restricting who can share, and using sensitivity labels to protect confidential content. Pair this with access reviews so stale external access gets removed.

Overly permissive sharing also becomes a serious problem the moment you deploy Copilot, since it surfaces everything a user can reach. CloudCapsule flags permissive external-sharing settings as part of its tenant assessment so you can lock them down proactively.

Security Assessments & Client Reporting

How do I run a Microsoft 365 security assessment for a client?

A Microsoft 365 security assessment reviews a tenant's identity, email, device, data, and posture settings against a recognized baseline such as the CIS Microsoft 365 Foundations Benchmark, Microsoft's security defaults, or a framework like NIST CSF. You can do it manually with PowerShell and the admin portals, use Microsoft Secure Score as a starting point, or run a dedicated assessment platform that automates the checks and produces a report. The goal is a prioritized list of gaps with clear remediation steps.

CloudCapsule's Analyze product was built for exactly this: connect via a read-only Microsoft Graph app registration and get a full assessment of any tenant under 1,000 users in about 60 seconds, mapped to CIS Controls, NIST CSF 2.0, Essential 8, and Microsoft baselines, for a flat $250/month across unlimited tenants.

What is the best Microsoft 365 security assessment tool for MSPs?

The right tool depends on your workflow, but MSPs should look for fast multi-tenant assessment, mapping to recognized frameworks (CIS, NIST, Essential 8), client-ready reporting, licensing-aware recommendations, and a least-privilege connection model. Options range from free PowerShell tools like CISA's ScubaGear to commercial platforms that add reporting and remediation. Free tools require more manual effort and rarely produce client-facing deliverables.

CloudCapsule is purpose-built for MSPs: assess unlimited tenants for a flat $250/month, generate branded reports mapped to multiple frameworks, and connect through a least-privilege, read-only app registration. It complements rather than replaces native Microsoft tooling by adding speed, reporting, and multi-tenant context.

How long does a Microsoft 365 security assessment take?

A manual assessment across identity, email, devices, and data can take anywhere from several hours to a few days per tenant, depending on depth and the tools used. Automated platforms collect the same data through the Microsoft Graph API and reduce this to minutes. For an MSP managing dozens of tenants, automation is the only way to assess at scale without burning billable hours.

CloudCapsule assesses a tenant in roughly 60 seconds once connected, so you can run an assessment live on a discovery call or refresh an entire portfolio quickly instead of scheduling days of manual review.

How can MSPs create client-ready security reports from Microsoft 365 data?

Client-ready reporting means translating raw technical findings into a clear narrative a non-technical stakeholder can act on: current posture, top risks, what each gap means in business terms, and a prioritized remediation roadmap. Mapping findings to recognized frameworks (CIS, NIST CSF, Essential 8) adds credibility, and tracking progress over time demonstrates the value of your service. Raw Secure Score screenshots are not enough.

CloudCapsule generates client-ready reports mapped to CIS Controls, NIST CSF 2.0, Essential 8, and Microsoft baselines, so you can hand a polished, framework-aligned deliverable to clients and prospects without building reports by hand.

How do I assess Microsoft 365 security across multiple client tenants at once?

Multi-tenant assessment requires a way to connect to each customer tenant securely (typically through GDAP and a delegated or app-based connection) and a tool that can run consistent checks and aggregate results. Native options like Microsoft 365 Lighthouse give some cross-tenant visibility, but they are limited in framework mapping and reporting. Doing it manually per tenant does not scale past a handful of clients.

CloudCapsule is designed for portfolios: Analyze covers unlimited tenants under 1,000 users each for a flat $250/month, letting you assess and compare every client's posture from one place instead of logging into each tenant individually.

Can I use a Microsoft 365 security assessment to win new clients?

Yes, a fast security assessment is one of the most effective sales tools an MSP has, because it turns an abstract pitch into a concrete, personalized risk report. Running an assessment during a discovery meeting shows prospects exactly where their current provider has left gaps and gives you a credible, data-backed reason to recommend changes. It reframes the conversation from price to risk.

Because CloudCapsule assesses a tenant in about 60 seconds and produces a client-ready report, MSPs routinely use it live in sales conversations to demonstrate value and create urgency without a lengthy engagement.

What permissions does a Microsoft 365 security assessment tool need?

A trustworthy assessment tool should request read-only access scoped to exactly what it needs to read configuration and posture data, rather than broad write or Global Admin rights. The most secure model is a least-privilege Microsoft Graph app registration (or delegated GDAP roles) that can read settings but cannot change them. Always review the permissions an assessment tool requests before consenting.

CloudCapsule's Analyze connects through a least-privilege, read-only Microsoft Graph app registration, so it can assess a tenant without the ability to modify anything, which is an easy point to reassure security-conscious clients about.

How often should MSPs reassess Microsoft 365 security posture?

Security posture drifts continuously as admins make changes, users get added, and Microsoft ships new features, so a one-time assessment goes stale quickly. Most MSPs benefit from a recurring cadence: a quick check monthly, a deeper review quarterly, and an assessment any time a tenant is onboarded or significantly changed. Continuous monitoring is better still, because it catches regressions in near real time.

CloudCapsule makes frequent reassessment practical, since each scan takes about 60 seconds, and its Manage product adds continuous drift detection so posture changes are caught automatically between formal reviews.

Compliance, Frameworks & Cyber Insurance

What Microsoft 365 security controls do cyber insurance providers require?

Cyber insurers now treat enforced MFA as non-negotiable, and most require it across email, remote access, all admin accounts, and cloud platforms like Microsoft 365. Beyond MFA, common requirements include EDR on endpoints, regular backups with tested recovery, email filtering, security awareness training, removal of legacy authentication, and least-privilege admin access. Insurers increasingly ask whether MFA is enforced, not merely available, and answering inaccurately can void a claim.

CloudCapsule provides cyber-insurance readiness visibility, mapping a tenant's actual configuration against the controls underwriters look for, so you can answer insurance questionnaires accurately and close gaps before renewal.

What is the CIS Microsoft 365 Foundations Benchmark?

The CIS Microsoft 365 Foundations Benchmark is a community-consensus set of prescriptive security configuration recommendations for Microsoft 365, maintained by the Center for Internet Security. It is organized by service (Entra ID, Exchange, SharePoint, Teams, Defender, Intune) and split into Level 1 (essential, low-friction) and Level 2 (enhanced, higher-security) profiles. It is one of the most widely used baselines for hardening and auditing M365 tenants.

Implementing and tracking the benchmark by hand across many tenants is tedious. CloudCapsule maps each tenant's posture to CIS Controls automatically, so you can see benchmark alignment and remediate gaps without manually checking every recommendation.

What is a good Microsoft Secure Score, and is a higher score always better?

There is no universal target Secure Score, because the score is license-dependent and weighted by Microsoft's own model, so a tenant on Business Premium literally cannot reach the same score as one on E5. More importantly, a Secure Score percentage is not a compliance percentage; a 75% score does not mean you are 75% compliant with CIS or any framework. Treat Secure Score as one signal among many and focus on the specific high-impact recommendations behind it.

CloudCapsule presents Secure Score in context alongside 250+ controls and framework mappings, so you can see which recommendations actually matter for a given tenant rather than chasing a number you can never max out.

How does Microsoft 365 map to the Essential Eight?

The Essential Eight is the Australian Cyber Security Centre's set of eight mitigation strategies, and several map directly to Microsoft 365 controls: multi-factor authentication, restricting administrative privileges, patching applications and operating systems (via Intune and Autopatch), application control and macro hardening (via Defender and Intune policies), and regular backups. Maturity levels then dictate how rigorously each is implemented.

CloudCapsule maps tenant findings to Essential 8 alongside CIS Controls and NIST CSF 2.0, which is especially useful for MSPs serving Australian clients or any organization that has adopted the framework.

How do I map Microsoft 365 security to the NIST Cybersecurity Framework?

NIST CSF 2.0 organizes cybersecurity into six functions (Govern, Identify, Protect, Detect, Respond, Recover), and Microsoft 365 controls map across all of them: identity and access controls support Protect, audit logging and Defender alerting support Detect, and backup and retention support Recover. The framework is outcome-based, so the mapping is about demonstrating that each function is addressed rather than checking specific settings. It is widely used by vCISOs and compliance-focused clients.

CloudCapsule maps tenant posture to NIST CSF 2.0 out of the box, giving MSPs a credible, framework-aligned way to report security to clients who speak in NIST terms.

Does enabling MFA on Microsoft 365 satisfy cyber insurance requirements?

Enabling MFA is necessary but usually not sufficient. Insurers want MFA enforced for all users including admins and across all access paths (email, VPN, RDP, and cloud apps), and they also typically require EDR, tested backups, email filtering, and least-privilege admin access. MFA that is available but optional, or that excludes certain accounts, often fails to satisfy underwriters and can jeopardize a claim.

CloudCapsule shows whether MFA is genuinely enforced everywhere it should be, plus the other controls insurers ask about, so you can validate insurance readiness rather than assuming a single setting covers it.

What is CISA SCuBA and how does it relate to Microsoft 365?

CISA SCuBA (Secure Cloud Business Applications) is a set of security configuration baselines for Microsoft 365 published by the U.S. Cybersecurity and Infrastructure Security Agency, originally aimed at federal agencies but useful for any organization. CISA also provides ScubaGear, a free PowerShell tool that assesses a tenant against the SCuBA baselines. It overlaps significantly with the CIS Benchmark but is maintained by a government body.

ScubaGear is powerful but produces technical output and runs one tenant at a time. CloudCapsule offers a faster, multi-tenant alternative with client-ready reporting and broader framework mapping, while still aligning to the same underlying Microsoft security baselines.

How do MSPs prove Microsoft 365 security compliance to clients and auditors?

Proving compliance means showing evidence: a documented baseline, an assessment of current configuration against it, a remediation history, and ongoing monitoring. Mapping findings to a recognized framework (CIS, NIST CSF, Essential 8, or SCuBA) gives auditors and clients a common language, and trend reporting demonstrates continuous improvement rather than a point-in-time snapshot. Screenshots and ad-hoc notes do not hold up well in an audit.

CloudCapsule produces framework-mapped, client-ready reports and tracks posture over time, giving MSPs repeatable evidence of compliance work without assembling documentation manually for each client.

AI & Microsoft Copilot Readiness

How do I prepare a Microsoft 365 tenant for Copilot?

Copilot readiness is primarily a data-governance exercise, because Copilot can surface anything a user already has permission to access. Before deploying, audit and tighten SharePoint and OneDrive permissions, remove anonymous and overly broad sharing links, apply sensitivity labels and DLP to protect confidential content, run access reviews, and confirm audit logging is on. Only after the data foundation is clean should you enable Copilot broadly, ideally starting with a pilot group on low-risk content.

CloudCapsule helps establish that foundation by flagging permissive sharing, missing data-protection controls, and identity gaps as part of its assessment, so you can fix the conditions that lead to Copilot oversharing before you turn it on.

What are the security risks of Microsoft 365 Copilot?

The primary risk is oversharing: Copilot does not break permissions, it exposes the permissions that already exist, so years of accumulated over-permissioned sites, inherited access, and broad sharing links suddenly become easy for any user to discover. Other risks include sensitive data being summarized into responses without sensitivity labels, and prompts or outputs that need auditing and DLP coverage. The underlying issue is usually weak data governance, not Copilot itself.

CloudCapsule's assessment highlights the exact governance gaps that amplify Copilot risk (permissive external sharing, missing labels and DLP, excessive access), so MSPs can remediate them before clients are exposed.

Does Microsoft 365 Copilot create data security or oversharing problems?

Copilot itself respects existing permissions, but it makes pre-existing oversharing dramatically more visible. Where users previously would have had to know a file existed to find it, Copilot can surface and summarize it on demand, so a single overshared HR or finance folder becomes a tenant-wide exposure. This is why Microsoft recommends remediating oversharing with tools like Purview and SharePoint Advanced Management before broad deployment.

Identifying which sites and files are overshared is the first step, and CloudCapsule's posture assessment flags the permission and sharing misconfigurations that drive this risk so you can prioritize cleanup.

What license is required for Microsoft 365 Copilot?

Microsoft 365 Copilot is a per-user add-on that requires an eligible base license such as Microsoft 365 Business Standard, Business Premium, E3, or E5. Beyond the license, the practical prerequisite is a well-governed tenant: clean permissions, sensitivity labels, and DLP, because the base license does not address the oversharing risk. Some advanced data-protection controls (like certain Purview capabilities) themselves require higher tiers.

CloudCapsule's licensing-gap detection and posture assessment help you confirm both that a tenant is appropriately licensed and that its data-governance controls are ready before adding Copilot.

What is a Copilot readiness assessment?

A Copilot readiness assessment is a systematic review of a Microsoft 365 environment that checks licensing eligibility, identity and access hygiene, and especially data governance before Copilot is enabled. It looks for over-permissioned sites, anonymous sharing links, missing sensitivity labels, weak DLP, and stale access, then produces a remediation plan. The aim is to ensure Copilot will not surface data users should not see.

CloudCapsule supports this work by assessing identity, sharing, and data-protection posture in about 60 seconds and flagging the governance gaps that matter most for a safe Copilot rollout.

How do MSPs help clients deploy Microsoft 365 Copilot securely?

MSPs add the most value by treating Copilot as a governance project, not just a license activation. The pattern is: assess the tenant's permissions and data-protection posture, remediate oversharing and apply sensitivity labels and DLP, pilot Copilot with a small group on low-risk content, monitor with audit logs, then expand. Packaging this as a Copilot readiness service is a strong revenue opportunity.

CloudCapsule gives MSPs the assessment and remediation visibility to run that service repeatably across clients, identifying the governance gaps to fix before each rollout.

How do I detect and control shadow AI usage in Microsoft 365?

Shadow AI is employees using unsanctioned AI tools (such as consumer chatbots) that can leak sensitive data outside the organization. In a Microsoft environment, Defender for Cloud Apps can discover which AI applications are in use, assess their risk, and block or restrict unsanctioned ones, while DLP and sensitivity labels help prevent sensitive data from being pasted into them. Establishing an acceptable-use policy and approved-tool list is the governance complement.

Controlling AI usage starts with knowing your overall posture and where data is exposed. CloudCapsule's assessment of identity, app, and data-protection settings gives MSPs the baseline visibility needed to advise clients on safe AI adoption.

Is client data used to train AI models in security tools like CloudCapsule?

Reputable security platforms should never use customer data to train models, and you should confirm this in any vendor's data-handling commitments before connecting a tenant. Data residency, encryption, retention limits, and clear deletion rights are equally important when evaluating an AI-era security tool. Always read the security and privacy documentation rather than assuming.

CloudCapsule does not use customer data to train models. It is SOC 2 Type II compliant, encrypts data at rest and in transit, offers US, EU, and Australia data residency, retains data for one year with on-demand deletion, and enforces role-based access with MFA.

Remediation, Drift & Multi-Tenant Management

What is Microsoft 365 configuration drift and how do I detect it?

Configuration drift is the gradual divergence of a tenant's settings from its intended secure baseline, caused by admins making one-off changes, users being added, exceptions piling up, or Microsoft introducing new defaults. Examples include a disabled audit log, an MFA exclusion added for convenience, or an over-permissive app consent. You can detect it manually by re-auditing against a baseline, or continuously with tooling that compares current state to the desired state and alerts on changes.

CloudCapsule's Manage product provides continuous drift detection and auto-correction, so when a tenant deviates from its secure baseline you are alerted (and in many cases it is fixed automatically) instead of discovering the gap at the next manual review.

How can MSPs remediate Microsoft 365 security issues efficiently across many tenants?

Efficient remediation at scale requires repeatable, templated fixes rather than clicking through each tenant's admin center by hand. Approaches include PowerShell scripting, Microsoft 365 Lighthouse deployment plans, and dedicated multi-tenant platforms that apply standardized configurations and track results. The challenge is doing this safely, with the right scoped permissions and the ability to roll back.

CloudCapsule's Manage product adds 100+ one-click Quick Fixes, guided remediation workflows, and Capsules (deployable security configuration bundles you can apply across tenants), so you can fix common issues consistently. It requests only the narrow write scopes needed for fixes you approve.

What is the best way to manage security across multiple Microsoft 365 tenants?

Effective multi-tenant security management combines secure delegated access (GDAP with least-privilege roles), centralized visibility into every tenant's posture, standardized configuration baselines, and continuous monitoring for drift. Native tools like Microsoft 365 Lighthouse provide cross-tenant management but are limited in framework mapping, reporting, and remediation depth. Most growing MSPs add a dedicated platform once they pass a handful of tenants.

CloudCapsule is built for this: Analyze gives unlimited-tenant assessment for a flat $250/month, and Manage adds per-tenant remediation, deployable Capsules, drift detection, and co-managed client access so you can run security as a service across an entire portfolio.

What is GDAP and why does it matter for MSP security?

GDAP (Granular Delegated Admin Privileges) is the Microsoft model that lets MSPs request only the specific, time-bound admin roles they need in each customer tenant, replacing the old all-or-nothing Delegated Admin Privileges (DAP). It matters because standing Global Admin access into every client is a massive attack surface; if the MSP is breached, every client is exposed. GDAP enforces least privilege and is now a prerequisite for tools like Microsoft 365 Lighthouse.

Operating on least-privilege principles is core to how CloudCapsule connects, too: Analyze uses a read-only Graph app registration, and Manage requests only the narrow write scopes required for the specific fixes you approve.

Can I automatically fix Microsoft 365 security misconfigurations?

Yes, many common Microsoft 365 misconfigurations can be remediated automatically through scripting or platforms that apply known-good settings, such as enforcing MFA, disabling legacy authentication, enabling audit logging, or tightening sharing. The important safeguards are change approval, scoped write permissions, and the ability to roll back, so automation never makes an unexpected change to a production tenant. Auto-correction of drift keeps tenants aligned to baseline over time.

CloudCapsule's Manage product offers 100+ one-click Quick Fixes plus drift auto-correction, applying remediations only with the narrow write scopes you approve, so you get automation without surrendering control.

What are deployable security configuration bundles for Microsoft 365?

Deployable security configuration bundles are pre-built collections of hardening settings (for identity, email, sharing, and more) that you can apply consistently across multiple tenants, rather than configuring each setting individually per client. They let an MSP standardize a security baseline, deploy it quickly during onboarding, and keep tenants uniform. This turns ad-hoc hardening into a repeatable product.

In CloudCapsule's Manage product these are called Capsules: deployable security configuration bundles you can push across tenants, so your secure baseline becomes a one-click standard instead of manual work in each environment.

How does Microsoft 365 Lighthouse compare to third-party multi-tenant security tools?

Microsoft 365 Lighthouse is a free, native portal for MSPs to onboard tenants, view alerts, and deploy baseline configurations across customers, and it integrates tightly with GDAP. Its limitations are shallower framework mapping, limited client-ready reporting, and less depth in assessment and remediation than purpose-built platforms. Many MSPs use Lighthouse for basic management and add a third-party tool for assessment, framework alignment, and richer remediation.

CloudCapsule complements Lighthouse by adding fast multi-framework assessment, client-ready reporting, and deeper remediation through Quick Fixes, Capsules, and drift detection, all priced flat for unlimited tenants on Analyze.

How do MSPs give clients visibility into their own Microsoft 365 security posture?

Co-managed visibility lets clients (especially those with internal IT or a vCISO) see their own security posture and progress without giving them full administrative control. The usual approach is scoped, role-based access to dashboards and reports, so clients understand the value being delivered and can participate in decisions. Transparency strengthens the relationship and supports compliance reporting.

CloudCapsule's Manage product includes co-managed client access alongside client-ready reporting, so you can share posture and remediation progress with stakeholders in a controlled, role-appropriate way.

CloudCapsule: Pricing, Security & Getting Started

What is CloudCapsule and what does it do?

CloudCapsule is a Microsoft 365 security posture platform built for MSPs and IT teams. It has two products: Analyze, which assesses any Microsoft 365 tenant in about 60 seconds and produces client-ready reports mapped to CIS Controls, NIST CSF 2.0, Essential 8, and Microsoft baselines; and Manage, which adds one-click remediation, deployable configuration bundles, drift detection, and guided security investigations.

It connects through a least-privilege Microsoft Graph app registration (read-only for Analyze, with narrow write scopes only for approved fixes in Manage) and was built by MSP and Microsoft veterans, including 3x Microsoft MVP and CEO Nick Ross of T-Minus365.

How much does CloudCapsule cost?

CloudCapsule Analyze is a flat $250 per month and covers unlimited tenants, as long as each tenant is under 1,000 users. CloudCapsule Manage adds $250 per month per enabled tenant, which includes 250 users and then $1 per user per month beyond that, and you can enable or disable Manage per tenant. Billing is monthly with no contracts, so you can cancel anytime.

For tenants over 1,000 users, large portfolios, or academic and nonprofit organizations, CloudCapsule offers custom pricing.

What is the difference between CloudCapsule Analyze and Manage?

Analyze is the assessment and reporting product: it evaluates any tenant in about 60 seconds, puts Microsoft Secure Score in context with 250+ controls, maps findings to CIS, NIST CSF 2.0, Essential 8, and Microsoft baselines, surfaces cyber-insurance readiness and licensing gaps, and connects read-only. Manage builds on Analyze by adding action: 100+ one-click Quick Fixes, guided remediation workflows, deployable Capsules, drift detection and auto-correction, deep guided investigations, and co-managed client access.

Analyze is $250/month flat for unlimited tenants; Manage is +$250/month per enabled tenant and can be turned on only for the clients where you actively remediate, so you can assess broadly and manage selectively.

How does CloudCapsule connect to a Microsoft 365 tenant, and is it secure?

CloudCapsule connects through a Microsoft Graph app registration using least-privilege scopes. Analyze is read-only, meaning it can assess a tenant's configuration but cannot change anything, and Manage requests only the narrow write permissions needed for the specific fixes you approve. There is no need to grant broad or standing Global Admin access.

On the platform side, CloudCapsule is SOC 2 Type II compliant, encrypts data at rest and in transit, enforces role-based access with row-level controls behind MFA, and does not use customer data to train models.

What Microsoft 365 licenses does CloudCapsule require to work?

CloudCapsule works best with Microsoft 365 Business Premium or above, because it needs the capabilities those tiers provide, specifically Entra ID P1, Intune, and Defender. E3 and E5 are also fully supported. Business Standard does not work, because it lacks the Defender service principal CloudCapsule relies on to assess endpoint and threat-protection posture.

If a client is on Business Standard, the most impactful security recommendation is usually upgrading to Business Premium, which also unlocks Conditional Access, Intune, and the Defender stack that CloudCapsule assesses.

Where does CloudCapsule store data, and what about data residency?

CloudCapsule offers three data-residency regions: United States (Google Cloud, East US), European Union (Google Cloud, Belgium), and Australia (Google Cloud, Sydney). Data is encrypted both at rest and in transit, retained for one year, and deletable on demand. Access is controlled with role-based, row-level permissions gated behind MFA.

CloudCapsule is SOC 2 Type II compliant and does not use customer data to train models, which helps MSPs satisfy data-handling and sovereignty requirements for clients in those regions.

How do I get started with CloudCapsule?

Getting started begins with Analyze: connect a tenant through the least-privilege, read-only Microsoft Graph app registration and run an assessment, which takes about 60 seconds and returns a client-ready report mapped to CIS, NIST CSF 2.0, Essential 8, and Microsoft baselines. Because Analyze is a flat $250/month for unlimited tenants under 1,000 users each, you can connect and assess your whole portfolio right away.

When you are ready to remediate, enable Manage on the specific tenants where you want one-click fixes, deployable Capsules, and drift detection. Billing is monthly with no contracts, so you can cancel anytime.

Is CloudCapsule a backup or an antivirus product?

No. CloudCapsule is a security posture and configuration platform; it assesses and remediates how a Microsoft 365 tenant is configured, rather than backing up data or providing endpoint antivirus. It complements those tools by making sure the security controls around them (identity, access, email protection, sharing, and Defender configuration) are correctly set and stay that way. Backup and antivirus remain separate, necessary layers.

In practice CloudCapsule helps you verify that the Defender protections a client is already paying for are actually turned on and configured well, and that the broader tenant configuration matches a secure baseline.

Who built CloudCapsule, and is it designed for MSPs?

CloudCapsule was built specifically for MSPs and IT teams by people who have lived the problem: MSP and Microsoft veterans, including CEO Nick Ross, a 3x Microsoft MVP known for the T-Minus365 channel. Every part of the product, from flat unlimited-tenant assessment pricing to multi-tenant remediation, deployable Capsules, and co-managed client access, reflects how MSPs actually deliver security at scale.

That MSP-first design is why CloudCapsule emphasizes client-ready reporting, least-privilege connections, and per-tenant control rather than enterprise tooling retrofitted for the channel.