CloudVenix builds two specialised tools that work as one platform. Analyzer shows you the truth about your tenants. Implement lets you act on it — automatically.
Each tool is purpose-built for its job — and together they cover every stage of M365 governance.
A 360° posture review of every Microsoft 365 tenant you manage — measured against Microsoft baselines, NIST, CIS, ISO 27001, MITRE, and ZeroTrust. Plug it in, get an honest score in under 60 seconds.
Run the day-to-day across every workload from one console. Offboarding workflows, travel-window access, oversharing remediation, alert rules with AI-generated playbooks — without bouncing between five admin portals.
Analyzer connects via Microsoft Graph in read-only mode and maps every signal that matters — MFA coverage, conditional access, sign-in risk, device compliance, mailbox forwarding, external sharing, suspicious enterprise apps — against the framework you care about.
Admins, MFA, risky sign-ins, dormant users.
Intune compliance, malware, encryption.
Forwarding rules, shared mailboxes, sharing posture.
NIST CSF / 800-171, CIS, ISO 27001, MITRE, ZeroTrust.
Every user, every admin, every MFA method, every dormant account. Analyzer turns identity into twelve live signals so you can prove who can sign in, with what, from where — and what they're allowed to touch.
Active, guest, disabled, dormant — auto-classified.
Roles, PIM eligibility, MFA method, last sign-in.
Strong / weak (SMS, voice, OTP) / none — per user.
Entra ID Protection flags + break-glass inventory.
From the first laptop a new hire enrols to the last device a contractor returns. Analyzer maps your fleet across Entra, Intune, and Defender — surfacing the devices nobody's watching.
Registered vs managed — 11 device-state signals.
Per-policy pass/fail with affected-device drilldown.
Live Defender for Endpoint detections feed.
BitLocker / FileVault, personal-device classification.
Inbox forwarding rules are the number-one quiet exfil vector — and they almost never appear in an admin's daily dashboard. Analyzer scans every mailbox for forwarding, shared use, quota pressure, and runs a Defender ThreatHunting KQL for the live mail-flow Sankey.
Storage, archive, quota — 9 live signals.
Inbox-rule AND mailbox-level forwarding.
Hidden risk surface from dormant accounts.
30-day inbound traffic via Defender hunting.
"Anyone with the link" — three words that own most data-leak incidents. Analyzer enumerates every workspace and tells you exactly where the doors are open: orphaned SharePoint sites, dormant Teams, externally-shared OneDrive folders.
Active, orphaned, inactive — 8 live signals.
Anyone-link audit + per-site sharing probe.
Per-user drive state + storage usage.
90-day usage trend per site.
14 policy + application checks, then GPT-4o reads them all and tells you the top three fixes that will move the needle most. Stop guessing what to do next — get a prioritised punch list, ready to ship.
Every policy + exclusion mapping.
Enterprise apps + suspicious permission detection.
"Where to start" — top-3 highest-impact fixes.
Board-ready report, generated in one click.
Implement is where intent becomes action. Schedule lifecycle workflows, fire alert rules with AI-generated remediation, and orchestrate every M365 admin portal from one place — no PowerShell tabs open, no half-finished checklists in Notion.
Offboarding, license reclaim, group cleanup.
Real-time audit triggers + AI remediation.
Auto-apply CA exclusions while abroad.
Oversharing, dormant sites, retention.
When someone resigns at 4pm, you don't want to remember 23 PowerShell commands at 4:01. Implement runs your offboarding checklist for you — license reclaim, group cleanup, mailbox conversion, OneDrive transfer — every step audited.
Re-usable per role — leaver, contractor, M&A.
Auto-reassign or hold for re-hires.
Shared mailbox + forwarding rule in one step.
Hand-off ownership to the manager automatically.
The CEO's in Tokyo. The CFO's in Singapore. Implement adds them to your geo-blocked Conditional Access exclusion list for the trip — and removes them automatically the moment they're back. No 3am paging when an exec can't sign in abroad.
Start, end, destination — per traveller.
Background worker fires every 5 minutes.
Never forgotten — exclusions revert on the dot.
CSV upload for board offsites and exec trips.
Build rules against any Microsoft Graph audit signal — admin-role grant, app consent, CA bypass, mass forwarding. Every triggered alert ships with a GPT-4o-generated remediation summary so junior analysts can act without escalating to tier-3.
Any Graph audit signal — visual, no scripting.
Common attack patterns — drop-in and tune.
GPT-4o writes the playbook per triggered alert.
Email + Microsoft Teams — severity-routed.
Drop specific users on the watchlist — VIPs, contractors, leavers — and Implement captures every sign-in and directory change for 7 rolling days, with raw forensic payloads archived in blob storage for the rare day you need to reconstruct what happened.
VIPs, contractors, leavers, high-risk roles.
Sign-ins + directory audits, 60-min refresh.
Raw Graph payloads stored 7 days in blob.
Bonus — Anyone-link audit + orphan-site cleanup.
Checklist templates that run across all your tenants. The Score-Boost playbook that applies baseline best-practices in bulk. A staged deploy queue so a typo doesn't break 50 customers at once. Engineer once, ship everywhere — the MSP superpower.
Per role, per scenario, per customer tier.
Apply baseline best-practices in bulk.
Staged multi-tenant rollout with rollback.
Customise without forking the template.
Pick the framework your auditor cares about — Analyzer evaluates every applicable control against live tenant data.
Govern · Identify · Protect · Detect · Respond · Recover. Mapped to every M365 control.
All 14 CUI control families — Access Control, Audit, Config Mgmt, IA, IR, MP, PS, RA, SC, SI.
L1 (Account & Auth, App Permissions, Data Mgmt, Email, Auditing, Storage, Mobile, Teams) + L2 hardening.
Organisational, People, Physical, Technological — 93 Annex A controls assessed.
FAR 52.204-21 (17 practices) and NIST SP 800-171 (110 practices) for DoD contractors.
Initial Access, Execution, Persistence, Priv-Esc, Defense Evasion, Credential Access, Discovery, Exfil, Impact.
Identity, Endpoint, Application, Data, Infrastructure, Network, Visibility, Automation pillars.
The "official" score, live from Microsoft — plus the actions Microsoft recommends to raise it.
One sign-in, every customer tenant. White-labelled reports under your brand. GDAP-aware. Per-customer scheduled assessments — never miss a QBR.
Single tenant, deep instrumentation. Continuous posture monitoring. Trend your score over time and prove security maturity to leadership.
Live framework-mapped evidence on demand. Export auditor-ready PDFs. Track baseline drift over time and prove control effectiveness.
Self-serve workflows for the common 80%: travel windows, license reassignments, group cleanups, password resets — without escalating to tier-3.
Forged in the field, not on a slide. Every feature solves a problem we've personally watched cost MSPs sleep.
Multi-tenant from day one. Switch between customers in a click, white-label reports with your brand, scope every action to a single tenant.
Analyzer takes zero write permissions. You can run an assessment on a brand-new customer in 60 seconds without signing a single risk acceptance.
GPT-4o powers the "where to start" recommendations in Analyzer and the alert-remediation summaries in Implement — not chat for chat's sake.
Analyzer surfaces a risk. Implement fixes it. The same tenant inventory, the same identity, the same theme — no context switching tax.
NIST CSF, NIST 800-171, CIS Microsoft 365, ISO 27001 Annex A, CMMC L1 & L2, MITRE ATT&CK, ZeroTrust — all mapped, all live.
You'll talk to a CloudVenix engineer — not a tier-one script. Most enquiries close in under an hour during business hours.
Grant the Microsoft Graph read-only consent. No agent, no PowerShell, no firewall changes.
Analyzer runs in 30–60 seconds. You see your Secure Score, your gaps, your "where to start" list.
Schedule offboardings, configure alert rules, fix oversharing — every action audited, every change reversible.
Re-run Analyzer next week. Watch the score climb. Export the PDF for your customer or the board.
Tenant data lives in your Microsoft 365. We never copy users, mailboxes, or files into our database.
Analyzer requests the minimum Graph scopes and uses none with write permission.
Implement actions are audited and run under your admin's token — no service-principal back-doors.
Every check maps to NIST CSF, NIST 800-171, CIS, ISO 27001, CMMC L1/L2, MITRE ATT&CK, and Zero Trust — ready for your auditor.
Disconnect at any time and we delete every reference within 30 days. Export anything before you go.
Every release runs through dependency scanning, secret detection, and a manual security review.
No. Many customers start with Analyzer to scope the gaps and add Implement once they're ready to remediate at scale. They share the same login and tenant inventory.
No. It requests only read-only Microsoft Graph scopes. You can verify the granted permissions in your Entra admin centre.
Yes — upload your logo, set your brand colour, and every PDF / Excel export carries your wordmark instead of ours.
30 to 60 seconds for small tenants, up to ~3 minutes for tenants with 10K+ users. Subsequent syncs reuse the cache and are near-instant.
Per-tenant monthly, with volume discounts for MSPs. Get in touch and we'll send a quote within a day.
Most Analyzer checks work with any plan that grants Microsoft Graph access. Specific advanced checks (risky-user signal, Conditional Access, MFA Registration report, Intune) require Entra ID P1/P2 or M365 Business Premium. Analyzer surfaces which checks are gated by licence so you can see exactly what's missing.
One sign-in to CloudVenix gives you an inventory of every Microsoft 365 tenant you've consented to. Click any tenant → see its full assessment / management surface. GDAP relationships are auto-discovered for Cloud Solution Providers.
Tenant data lives in your Microsoft 365 — we read it live via Graph API. Our only persistence is small metadata (your saved-tenants list, theme preference, scheduled-sync timestamps) in Azure Table Storage hosted in your chosen region. Zero customer-user / customer-mail / customer-file data is ever copied.
Yes — both Analyzer and Implement come with a 14-day free trial on a single tenant. No credit card needed. Email hello@cloudvenix.in to start.