Owners cannot get a straight answer about their tenant.
If you are a managing partner, a founder, or an ops lead at a small firm, here is the conversation I have with you over and over again.
You ask your IT provider whether your Microsoft 365 environment is secure. You get back a confident yes, sometimes with a Secure Score number you cannot interpret, sometimes with a list of acronyms. You ask whether all your people have two step login turned on. You get a partial answer. You ask whether anyone outside your firm could be reading your email through some app you forgot you approved. You get a long pause.
The frustrating part is that none of this should be hard. The information is sitting inside your Microsoft tenant. Microsoft already knows the answers. The problem is that getting at those answers requires a Global Administrator who knows where to click, a security consultant who charges a few thousand dollars, or a self-assessment that just asks you to say what you think is happening.
None of those actually answers the question for the owner. The owner needs a report they can read in plain English, written for someone who runs a business, not someone who runs a server.
That is what TenantScan does.
A free Microsoft 365 security check, built for the owner.
TenantScan is a read only scan of your Microsoft 365 tenant. You sign in with your admin account on Microsoft's own login page, give it permission to read your settings (it cannot change anything, ever), and a PDF report shows up in your inbox in about five minutes.
The whole report is written for the business owner, not the IT staff. Every finding has two parts: a plain English explanation of what it means for your firm, and a clear "what to do." A separate "for your IT team" appendix at the back carries the technical evidence so your provider can verify and act.
Here is what the report tells you, in the order it shows up.
Who can sign in without two step login
By name. Not "your MFA coverage is 87 percent." A list of the specific people in your firm who can still sign in to Microsoft 365 with just a password, and a recommendation on which of those accounts to fix first.
Whether someone outside can impersonate your email domain
Three records (DMARC, DKIM, and SPF) determine whether a stranger on the internet can send email that looks like it came from your firm. The report tells you which ones are in place, which ones are not, and what your exposure looks like if they are missing.
Which outside apps can already read your staff mail and files
Every time someone on your team clicked "Allow" on a third party app, they granted that app access to something inside your tenant. Most owners have no idea what is on this list. The report shows you, ranked by how much access each app has.
Your Microsoft Secure Score and the top three fixes
Microsoft's own scoring of your tenant security, benchmarked against the average tenant your size, with the three highest impact actions you (or your IT provider) can take this month to move it.
License seats you are paying for but nobody uses
Disabled accounts that still have a license assigned. Shared mailboxes paying for Premium when they do not need a license at all. Service accounts on Business Premium when Business Basic would do the job. Each one shown with a dollar estimate, so you can see what the waste actually costs.
How many Global Administrators you have
Microsoft recommends a small number of accounts have full administrative control over your tenant, with two of them set aside as emergency "break glass" accounts. Most small business tenants have too many Global Admins, used for daily work, with no break glass account configured. The report shows you exactly where you stand.
Whether your tenant is ready for Microsoft 365 Copilot
If you are thinking about turning on Copilot, or you already have, the report scores your tenant's readiness and flags the data hygiene issues that would expose confidential information to AI prompts before you switch it on.
Roughly twenty other findings cover the rest of the obvious gaps: legacy authentication paths still active, stale guest accounts in Teams, login policy rules running in report-only mode, external sharing scope on SharePoint and OneDrive, and so on. If you want a deeper read on which of these show up most often, I wrote up the pattern in five M365 security gaps I find in almost every small business tenant.
Five minutes. No install. Nothing stored.
There is no software to install. There is no portal to manage. The flow is built around how busy an owner actually is.
Step one: fill out a short intake form so the report knows your firm name, your industry, and where to send the PDF.
Step two: click "Sign in with Microsoft." You land on Microsoft's own login page (not mine), enter your admin credentials there, and approve the read only permissions.
Step three: wait about five minutes. The PDF lands in your inbox.
The OAuth access token that lets TenantScan read your tenant is held in memory only during your scan, and discarded the moment your report is built. Your tenant data is never written to disk. The report is the only artifact, and it goes to your inbox, not mine.
You can remove TenantScan from your approved apps any time at myapps.microsoft.com. One click. Done.
There is no catch. The report stands alone.
The honest answer about why TenantScan is free is that I run a managed IT and security consultancy, and most of the small firms who run TenantScan eventually want help closing the findings. Some of them call me. That is the business model.
What that does not mean: there is no follow up sales call. There is no email sequence trying to upsell you. The report is the deliverable. If you want help, the contact information is in the report. If you do not, the report is still useful, and you can hand it to your existing IT provider and ask them to verify and act on the findings.
I would rather have you read an honest report and decide for yourself than dress it up as a free trial of something else. The tool earns its keep by being useful on its own.
What the Marketplace listing means.
TenantScan is now listed on the Microsoft Marketplace. The badge matters less than the process for getting there.
To list a Microsoft 365 application on the Marketplace, the publisher has to go through Microsoft's Partner Center vetting. Microsoft reviews what permissions the app asks for, what the app does with the tenant data it reads, and the publisher's privacy and security practices. It is not a rubber stamp. For owners who have never heard of Lowery Solutions, the listing is independent confirmation that another set of eyes vetted what TenantScan does and what happens to your data after the report is built.
You can find the listing at marketplace.microsoft.com. The same product, free, vetted by Microsoft.
Built for owners. Useful for everyone.
The audience I had in mind when I built TenantScan was the managing partner at a five person law firm, the founder of a fifteen person CPA practice, the operations lead at a thirty person title company. The kind of person who has to answer a cyber insurance questionnaire honestly, who is thinking about turning on Copilot but has not, who knows there are gaps in their Microsoft 365 environment and cannot get a straight answer about what they are.
But TenantScan turns out to be useful for a few other audiences too. IT providers run it on their own clients to get a fast second opinion. Internal IT staff at slightly larger firms run it as a free baseline before a formal audit. Cyber insurance brokers point clients at it before a renewal so the questionnaire answers actually match the tenant, which connects directly to what cyber insurance carriers are asking for in 2026.
If you have the admin password and five minutes, you can run it. Whether you act on the report yourself, hand it to your IT provider, or call me, the report is yours. That is the whole point.
See exactly where your tenant stands.
Five minutes. No install. Nothing stored. The PDF goes to your inbox, written in plain English with a "for your IT team" appendix at the back.
Run TenantScan · View on the Microsoft Marketplace · Built by Lowery Solutions, Cedar Park, TX