61 controls · 381 settings · 6 frameworks

Know your M365 compliance posture.

Audit your Microsoft 365 tenant against CIS benchmarks and see how your configuration maps to ISO 27001, DORA, NIS2, and NIST CSF 2.0. Honest coverage, trade-off scoring, and actionable remediation.

[Screenshot: PostureIQ compliance dashboard with overall posture gauge, multi-framework score trend chart, and data coverage transparency snapshot]

  • 61 posture controls
  • 381 device hardening settings
  • 6 frameworks evaluated
  • 15 min to first scores

Why SMEs struggle with M365 compliance.

Enterprise tools are overkill. Free scanners are too narrow. PostureIQ fills the gap — real regulatory mapping, not just a checklist.

Enterprise GRC

€50k+ per year. Designed for 10,000-seat deployments with dedicated compliance teams. Overkill and unaffordable for SMEs.

Free scanners

Check CIS benchmarks only. No regulatory mapping to DORA or NIS2. No remediation guidance. No trade-off analysis.

PostureIQ

CIS benchmarks mapped to four regulatory frameworks. Honest coverage, trade-off scoring, remediation guidance. Free to use.

From export to compliance scores in 15 minutes.

No agents. No connectors. No Azure AD app registrations required.

Step 1

Run the PowerShell script

Our script collects M365 configuration from Graph, Exchange, SharePoint, Teams, and Purview — exports to JSON on your machine.

Step 2

Upload your JSON export

PostureIQ evaluates 61 posture controls and 381 device hardening settings against all 6 frameworks instantly.

Step 3

See your compliance scores

Framework gauges, quick wins ranking, clause-by-clause breakdowns, and auditor-ready evidence packs.

Findings triage

Every fail, every partial — with the evidence behind it.

Filter by status, click a control to see the exact configuration that tripped it, and open remediation from the same pane.

  • Consequence-first evidence on every row
  • Trade-off scoring: gain, impact, effort, risk
  • Missing data shown honestly — never padded
  • One-click jump to remediation wizard

[Screenshot: PostureIQ Quick Wins panel ranking failing controls alongside the Control Category Breakdown — pass, partial, fail, and N/A counts per category]

[Screenshot: PostureIQ remediation queue ranked by net benefit, with projected posture gain and Quick Wins effort-vs-gain scatter matrix]

Remediation guidance

Know what to fix. Know what it costs.

Every failing control comes with a step-by-step runbook and a trade-off score on four dimensions — so you can fix what matters most without triggering a helpdesk storm.

  • Queue ranked by net benefit, not alphabetical
  • Focus mode walks you through one at a time
  • Projected score after each fix shown upfront
  • Progress persists across sessions

Quick wins & trending

Prioritise by impact. Track over time.

The Quick Wins panel ranks your failing controls by estimated score improvement. The trend chart shows framework scores across audits so you can prove progress to stakeholders.

[Screenshot: PostureIQ Framework Posture Summary with per-framework progress bars showing clauses passing, alongside the Quick Wins panel]

[Screenshot: PostureIQ control crosswalk — each posture control mapped to its specific clauses in CIS M365 v6.0.1, ISO 27001:2022, DORA, NIS2, and NIST CSF 2.0]

Auditor-ready evidence

Clause-by-clause. Evidence-backed.

Drill into any framework to see which clauses are covered, which controls map to each clause, and what the actual tenant configuration looks like. Export evidence packs as CSV for your auditor.

Platform Pillars

Built for compliance officers and MSPs.

Not just a scanner. PostureIQ gives you the context to make decisions.

Trade-off scoring

Security gain, user impact, effort, and disruption risk on every remediation. Fix what matters first — no surprise tickets.

Honest coverage

Every score has a visible denominator. Unscored settings shown transparently. Missing data shows N/A — never padded.

EU-first design

Built for organisations subject to DORA and NIS2. Data processed and stored in Frankfurt. EUR pricing. No US replication.

Multi-tenant ready

MSPs: manage multiple tenants, compare scores side-by-side, share read-only client portals. Included in the €3 coffee tier.

Auditor evidence packs

Clause-by-clause CSV exports, framework crosswalk maps, and risk registers. Ready for your ISO 27001 or DORA auditor.

Results in 15 minutes

PowerShell script collects data. Upload JSON. See scores. No agents, connectors, or app registrations anywhere.

Framework Coverage

One scan. Six frameworks.

PostureIQ runs your M365 configuration against CIS benchmarks, then maps every finding to the regulatory framework that matters to you.

Technical baselines

CIS M365 v6.0.1

36 recommendations mapped

Microsoft 365 Foundations Benchmark — the industry-standard configuration hardening checklist. Identity, device compliance, SharePoint and Teams substantially covered; see per-section coverage.

CIS Intune Win11

381 settings

Windows 11 Enterprise device hardening benchmarks for Intune-managed endpoints.

Regulatory mappings

ISO 27001:2022

Information Security Management System

Annex A.8 technological controls

DORA

EU Digital Operational Resilience Act

Arts 8–12 (Chapter II)

NIS2

EU Network & Information Security Directive

Art. 21(2)(a–j)

NIST CSF 2.0

US Cybersecurity Framework

Protect & Detect functions

CIS benchmarks provide the technical assessment. Regulatory frameworks show how each finding maps to the compliance obligations that apply to your organisation.

Pricing

No paywalls. Just compliance.

Full compliance scoring for free. No credit card. No trial countdown. If you find PostureIQ useful, buy us a coffee.

Free

€0

No strings attached

  • Upload and scan your M365 tenant
  • All 6 compliance frameworks
  • Up to 3 audits per month
  • Dashboard, findings & remediation
  • Framework deep-dives & crosswalk
  • Device hardening analysis
  • 1 tenant

Support us

Buy me a coffee

€3 / 30 days

One-time payment. No subscription. No auto-renewal.

  • Everything in Free, plus:
  • Unlimited audits
  • PDF compliance reports
  • Multi-tenant management (up to 10)
  • Side-by-side tenant comparison
  • Read-only client portal
  • Audit history & trending

Built for trust.

Your compliance data is sensitive. Here's how we handle it.

EU data residency

All data processed and stored in Frankfurt (eu-central-1). Zero replication outside the EU.

No direct tenant access

You control the export. PostureIQ never connects to your M365 tenant or stores your credentials.

GDPR compliant

Article 17 right to erasure. Full data export and account deletion available in Settings at any time.

Transparent policies

Privacy policy and sub-processor list published before account creation. Read-only, no surprises.

Ready to assess your M365 compliance posture?

Free to use. See your scores in 15 minutes.