Microsoft’s Zero Trust Assessment Tool: Valuable, but Only Covers About 25% of CIS M365 v6
- Kyle Cira
- Dec 17, 2025
- 3 min read

Microsoft offers a free Zero Trust Assessment tool that organizations can use as a starting point to evaluate their Microsoft 365 security posture. It’s accessible, easy to run, and provides meaningful insight—but it’s important to understand what it does and what it doesn’t do.
When measured against the CIS Microsoft 365 Benchmark v6, Microsoft’s Zero Trust Assessment covers roughly 25% of the controls. That doesn’t make it useless—but it does mean it should be viewed as a first step, not a complete security assessment.
What the Zero Trust Assessment Tool Is Built On
Microsoft’s Zero Trust Assessment is grounded in a solid foundation. It was developed using:
- Industry standards from organizations like NIST, CISA, and CIS
- Microsoft’s internal security baselines, which are used to protect Microsoft’s own infrastructure
- Real-world customer insights gathered from thousands of Microsoft security implementations
This makes the tool credible and relevant, especially for organizations that are early in their Microsoft 365 security journey.
What the Tool Actually Checks
The Zero Trust Assessment evaluates 134 individual security controls across identity and devices. The controls are aligned with the Secure Future Initiative (SFI) and Zero Trust pillars.
Out of those:
- 40 controls map directly to CIS Microsoft 365 Benchmark v6
- CIS M365 v6 includes 140 total controls
That means the Zero Trust Assessment covers approximately 25% of the CIS benchmark.
This is not a flaw—it’s simply a scope difference. Microsoft designed the tool to validate baseline Zero Trust alignment, not full benchmark compliance.
Where the Tool Provides Value
Used correctly, the Zero Trust Assessment offers several benefits:
✅ A good baseline check for fundamental security hygiene
✅ Risk scoring to highlight higher-risk findings
✅ A clean, consumable HTML report that’s easy to review and share
✅ No cost and minimal setup
For organizations that have never assessed their Microsoft 365 environment before, this can be a helpful starting point.
Where the Tool Falls Short
There are important limitations to understand:
❌ It does not cover the majority of CIS M365 v6 controls
❌ It does not prioritize controls into a remediation roadmap
❌ It cannot evaluate manual, contextual, or operational controls
The result is that organizations may receive a report showing “good” results—while still having significant unaddressed security gaps.
Why This Matters
CIS benchmarks are designed to be defense-in-depth frameworks, not simple configuration checklists. Many of the most important controls require:
- Human validation
- Contextual judgment
- Understanding of business workflows
- Experience with real-world attack patterns
No free scanning tool—Microsoft’s included—can fully replace that expertise.
Using the Tool the Right Way
At Redeemer Cyber, we encourage organizations to use Microsoft’s Zero Trust Assessment as a starting point, not a replacement for expert-led professional services.
We even link to the tool directly on our website, along with guidance explaining its limitations and where professional services add value.
The page provides:
- Direct access to Microsoft’s free assessment tools
- Clear explanation of what they do well
- Honest guidance on why they are not a replacement for expert-led security assessments
Final Thoughts
Microsoft’s Zero Trust Assessment is useful, credible, and free—but it only covers about one quarter of the CIS Microsoft 365 Benchmark v6.
If your goal is:
- Full CIS alignment
- A prioritized remediation roadmap
- Validation of both automated and manual controls
- Confidence that nothing critical was missed
Then an expert-driven Microsoft 365 Security Assessment is still essential.
At Redeemer Cyber, we combine automation, manual validation, and deep benchmark expertise to assess 161 security controls from CIS and in-house Redeemer Cyber controls—not just the ones a scanner can see.
If you’ve run Microsoft’s Zero Trust Assessment and want to understand what’s still missing, we’re happy to help.
