Free Microsoft 365 Audit for Nonprofits
Nonprofits deal with the same security threats as larger organizations, usually with a smaller IT team and a tighter budget. This free, read-only audit reviews your Microsoft 365 tenant and sends you a plain HTML report with the issues to fix first.
Your nonprofit's Global or Security Administrator signs in once to grant read-only access. We never change anything in your tenant.
How it works
Free to use. No sales call. Built for Microsoft 365 admins who want answers quickly without changing anything in the tenant.
Accept the terms and sign in
Review the short consent form, then sign in with your organization's Global or Security Administrator account.
Grant read-only access
We review settings and security data only. Your tenant configuration stays untouched.
Get your report by email
Share results with your team, then sign in anytime to run an updated audit.
What we check for nonprofits
We look at the settings nonprofits most often need help with: email, shared accounts, sign-in protection, app access, and other common gaps.
Identity & MFA
User MFA coverage, inactive accounts, admin roles, and Conditional Access.
Email & Defender
Shared mailboxes, forwarding rules, phishing protection, and Safe Links where licensed.
Apps & shadow IT
Third-party apps, OAuth permissions, and tools connected to your tenant.
Sample report
A fictional example showing how findings are grouped. Your report includes action items, baseline checks, and sections you can share with staff or your IT provider.
Hope Community Foundation
- 47 active users
- 12 groups
- 3 verified domains
- 62% Microsoft Secure Score
Protect your organization's data with Conditional Access.
Review OAuth permissions. Unused app access is a common shadow IT problem.
Shared mailboxes should stay sign-in disabled and unlicensed.
Review forwarding rules that send mail outside your organization.
Reclaim licenses and reduce risk from stale accounts.
Consider Business Premium for stronger nonprofit security when budget allows.
Frequently asked questions
Common questions about the audit, permissions, and what to expect. Still stuck? Contact Good Heart Tech.
Is this audit really free?
Yes. M365 Audit is a free service from Good Heart Tech for nonprofit Microsoft 365 tenants. There is no subscription, sales call, or upsell tied to running an audit.
Who can start an audit for our organization?
A Microsoft 365 Global Administrator or Security Administrator must sign in and approve access. These roles can grant the read-only permissions the audit needs and complete admin consent for your tenant.
Will this change anything in our Microsoft 365 tenant?
No. The audit is read-only. We collect configuration and security data to generate a report. We do not modify users, policies, mailboxes, files, licenses, or any other settings in your tenant.
Why are there two permission steps?
Microsoft requires two separate consent flows:
- Step 1: Sign-in (delegated): Lets an administrator sign in and grants basic read access for that account.
- Step 2: Admin consent (application): Grants tenant-wide read-only application permissions so the audit can run in the background.
The two prompts are a platform rule, not something we chose.
What does the audit check?
The report covers practical security areas for nonprofit Microsoft 365 tenants, including user MFA coverage, inactive accounts, admin roles, Conditional Access, shared mailboxes, mail forwarding, Microsoft Defender settings, third-party app consents, and other common risk patterns.
How long does an audit take?
Signing in and granting permissions usually takes a few minutes. After that, data collection runs in the background. Most organizations receive an HTML report by email within a short time; larger tenants may take longer depending on how much data is in scope.
What format is the report?
You receive an HTML report by email with prioritized findings grouped by severity (Critical, High, Medium, and Pass). You can open it in any browser, share it with your team, or print to PDF from your browser.
Can we run the audit again later?
Yes. Sign in to the dashboard to run an updated audit when your environment changes. There is a rate limit of one audit per tenant every 24 hours to keep the service available for everyone.
What Microsoft 365 plans are supported?
Any nonprofit tenant on Microsoft 365 or Office 365 cloud plans can use the service. Some checks (such as certain Defender or Intune features) only apply if those capabilities are licensed and enabled in your tenant.
What data do you access and store?
We read Microsoft 365 configuration and security metadata needed for the audit, not email bodies or file contents. We store tenant connection details, audit job status, and report delivery information so you can sign in and receive results. See our Privacy Policy for details.
We use an IT provider or MSP. Can they run this for us?
Yes, as long as the person signing in is a Global or Security Administrator in your nonprofit tenant and completes both permission steps on your behalf. The report can be sent to any email addresses you specify during setup.
Is M365 Audit affiliated with Microsoft?
No. M365 Audit is an independent free service from Good Heart Tech. It uses official Microsoft sign-in and Graph APIs, but it is not affiliated with, endorsed by, or supported by Microsoft.
Check your Microsoft 365 security
Many nonprofits run email, files, and collaboration in Microsoft 365. This free audit helps you spot gaps early. There is no cost to your organization.
A free service from Good Heart Tech, a nonprofit helping nonprofits with technology.