Free Microsoft 365 Audit for Nonprofits
Nonprofits deal with the same security threats as larger organizations, usually with a smaller IT team and a tighter budget. This free, read-only audit reviews your Microsoft 365 tenant and sends you a plain HTML report with the issues to fix first.
How it works
Free to use. No sales call. Built for Microsoft 365 admins who want answers quickly without changing anything in the tenant.
Accept the terms and sign in
Review the short consent form, then sign in with your organization's Global or Security Administrator account.
Grant read-only access
We review settings and security data only. Your tenant configuration stays untouched.
Get your report by email
Share results with your team, then sign in anytime to run an updated audit.
What we check for nonprofits
We look at the settings nonprofits most often need help with: email, shared accounts, sign-in protection, app access, and other common gaps.
Identity & MFA
User MFA coverage, inactive accounts, admin roles, and Conditional Access.
Email & Defender
Shared mailboxes, forwarding rules, phishing protection, and Safe Links where licensed.
Apps & shadow IT
Third-party apps, OAuth permissions, and tools connected to your tenant.
Sample report
A fictional example showing how findings are grouped. Your report includes action items, baseline checks, and sections you can share with staff or your IT provider.
Hope Community Foundation
- 47 active users
- 12 groups
- 3 verified domains
- 62% Microsoft Secure Score
Protect your organization's data with Conditional Access.
Review OAuth permissions. Unused app access is a common shadow IT problem.
Shared mailboxes should stay sign-in disabled and unlicensed.
Review forwarding rules that send mail outside your organization.
Reclaim licenses and reduce risk from stale accounts.
Consider Business Premium for stronger nonprofit security when budget allows.
Frequently asked questions
Common questions about the audit, permissions, and what to expect.
Is this audit really free?
Yes. M365 Audit is a free service from Good Heart Tech, a registered 501(c)(3) nonprofit. It is built and maintained by volunteers. There is no subscription, sales call, or upsell tied to running an audit.
Who can start an audit for our organization?
A Microsoft 365 Global Administrator or Security Administrator must sign in and approve access. These roles can grant the read-only permissions the audit needs and complete admin consent for your tenant.
Will this change anything in our Microsoft 365 tenant?
No. The audit is read-only. We collect configuration and security data to generate a report. We do not modify users, policies, mailboxes, files, licenses, or any other settings in your tenant.
Why are there two permission steps?
Microsoft requires two separate consent flows:
- Step 1: Sign-in (delegated): Lets an administrator sign in and grants basic read access for that account.
- Step 2: Admin consent (application): Grants tenant-wide read-only application permissions so the audit can run in the background.
Both prompts are a Microsoft platform requirement, not something we chose.
What does the audit check?
The report covers practical security areas for nonprofit Microsoft 365 tenants, including user MFA coverage, inactive accounts, admin roles, Conditional Access, shared mailboxes, mail forwarding, Microsoft Defender settings, third-party app consents, and other common risk patterns.
How long does an audit take?
Signing in and granting permissions usually takes a few minutes. After that, data collection runs in the background. Most organizations receive an HTML report by email within a short time; larger tenants may take longer depending on how much data is in scope.
What format is the report?
You receive an HTML report by email with prioritized findings grouped by severity (Critical, High, Medium, and Pass). You can open it in any browser, share it with your team, or print to PDF from your browser.
Can we run the audit again later?
Yes. Sign in to the dashboard to run an updated audit when your environment changes. There is a rate limit of one audit per tenant every 24 hours to keep the service available for everyone.
What Microsoft 365 plans are supported?
Any nonprofit tenant on Microsoft 365 or Office 365 cloud plans can use the service. Some checks (such as certain Defender or Intune features) only apply if those capabilities are licensed and enabled in your tenant.
What data do you access and store?
We read Microsoft 365 configuration and security metadata needed for the audit, not email bodies or file contents. We store tenant connection details, audit job status, and report delivery information so you can sign in and receive results. See our Privacy Policy for details.
We use an IT provider or MSP. Can they run this for us?
Yes, as long as the person signing in is a Global or Security Administrator in your nonprofit tenant and completes both permission steps on your behalf. The report can be sent to any email addresses you specify during setup.
Who runs M365 Audit?
M365 Audit is operated by volunteers at Good Heart Tech, a registered 501(c)(3) nonprofit that helps other nonprofits with technology. The service is 100% volunteer-run and is not a commercial product.
Do you provide support for M365 Audit?
No. We do not provide any support for this application. There is no help desk, contact email, chat, or other way to reach us about M365 Audit. Use the FAQs, sample report, and dashboard on your own. For hands-on help with your Microsoft 365 environment, work with your internal IT staff or MSP.
Is M365 Audit affiliated with Microsoft?
No. M365 Audit is an independent free service from Good Heart Tech. It uses official Microsoft sign-in and Graph APIs, but it is not affiliated with, endorsed by, or supported by Microsoft.
Check your Microsoft 365 security
Many nonprofits run email, files, and collaboration in Microsoft 365. This free audit helps you spot gaps early. There is no cost to your organization.
Start free audit
A free, volunteer-run service from Good Heart Tech, a 501(c)(3) nonprofit helping nonprofits with technology.