Free Microsoft 365 Audit for Nonprofits
Nonprofits face the same cyber threats as large enterprises — often with smaller IT teams and tighter budgets. Run a free, read-only audit of your Microsoft 365 tenant and get a plain-language HTML report with prioritized fixes for your mission-critical data.
Your nonprofit's Global or Security Administrator signs in once to grant read-only access. We never change anything in your tenant.
How it works
No cost, no sales call required. Designed for Microsoft 365 administrators who need answers fast — without risking accidental changes to email, files, or accounts.
Sign in with your nonprofit admin account
Use your organization's Microsoft 365 Global or Security Administrator credentials.
Grant read-only access
We review settings and security data only. Your tenant configuration stays untouched.
Get your report by email
Share results with your team, then sign in anytime to run an updated audit.
What we check for nonprofits
Practical coverage aligned with how nonprofits actually use Microsoft 365 — email, shared accounts, shadow IT, login behaviors, application access, and more.
Identity & MFA
User MFA coverage, inactive accounts, admin roles, and Conditional Access.
Email & Defender
Shared mailboxes, forwarding rules, phishing protection, and Safe Links where licensed.
Apps & shadow IT
Consented apps, risky permissions, and AI tools connected to your nonprofit tenant.
Sample report
A fictional nonprofit example showing how findings are prioritized. Your report includes action items, baseline checks, and detailed sections you can share with your team.
Hope Community Foundation
- 47 active users
- 12 groups
- 3 verified domains
- 62% Microsoft Secure Score
Protect your organization's data with Conditional Access.
Review OAuth consents — common shadow IT risk for nonprofits.
Shared mailboxes should stay sign-in disabled and unlicensed.
Review forwarding rules that send mail outside your organization.
Reclaim licenses and reduce risk from stale accounts.
Consider Business Premium for stronger nonprofit security when budget allows.
Frequently asked questions
Common questions about the audit, permissions, and what to expect. Still stuck? Contact Good Heart Tech.
Is this audit really free?
Yes. M365 Audit is a free service from Good Heart Tech for nonprofit Microsoft 365 tenants. There is no subscription, sales call, or upsell tied to running an audit.
Who can start an audit for our organization?
A Microsoft 365 Global Administrator or Security Administrator must sign in and approve access. These roles can grant the read-only permissions the audit needs and complete admin consent for your tenant.
Will this change anything in our Microsoft 365 tenant?
No. The audit is read-only. We collect configuration and security data to generate a report. We do not modify users, policies, mailboxes, files, licenses, or any other settings in your tenant.
Why are there two permission steps?
Microsoft requires two separate consent flows:
- Step 1 — Sign-in (delegated): Lets an administrator authenticate and confirms basic read access for your signed-in account.
- Step 2 — Admin consent (application): Grants tenant-wide read-only application permissions so the audit can run in the background and collect data across your organization.
They cannot be combined into a single Microsoft prompt — that is a platform requirement, not a choice made by this service.
What does the audit check?
The report covers practical security areas for nonprofit Microsoft 365 tenants, including user MFA coverage, inactive accounts, admin roles, Conditional Access, shared mailboxes, mail forwarding, Microsoft Defender settings, third-party app consents, and other common risk patterns.
How long does an audit take?
Signing in and granting permissions usually takes a few minutes. After that, data collection runs in the background. Most organizations receive an HTML report by email within a short time; larger tenants may take longer depending on how much data is in scope.
What format is the report?
You receive an HTML report by email with prioritized findings grouped by severity (Critical, High, Medium, and Pass). You can open it in any browser, share it with your team, or print to PDF from your browser.
Can we run the audit again later?
Yes. Sign in to the dashboard to run an updated audit when your environment changes. There is a rate limit of one audit per tenant every 24 hours to keep the service available for everyone.
What Microsoft 365 plans are supported?
Any nonprofit tenant on Microsoft 365 or Office 365 cloud plans can use the service. Some checks (such as certain Defender or Intune features) only apply if those capabilities are licensed and enabled in your tenant.
What data do you access and store?
We read Microsoft 365 configuration and security metadata needed for the audit — not email content or file contents. We store tenant connection details, audit job status, and report delivery information so you can sign in and receive results. See our Privacy Policy for details.
We use an IT provider or MSP — can they run this for us?
Yes, as long as the person signing in is a Global or Security Administrator in your nonprofit tenant and completes both permission steps on your behalf. The report can be sent to any email addresses you specify during setup.
Is M365 Audit affiliated with Microsoft?
No. M365 Audit is an independent free service from Good Heart Tech. It uses official Microsoft sign-in and Graph APIs, but it is not affiliated with, endorsed by, or supported by Microsoft.
Protect your mission's data
Thousands of nonprofits rely on Microsoft 365 for email, documents, and collaboration. This free audit helps you see gaps before they become incidents — at no cost to your organization.
A free service from Good Heart Tech, a nonprofit helping nonprofits with technology.