๐Ÿ›๏ธ Recipe ยท Microsoft 365 Governance

Generate a Comprehensive Microsoft 365 Tenant Health Summary

Aggregate license utilization, inactive users, privileged exposure, device compliance, risky sign-ins, credential expirations, and storage trends into a single audit-ready report

Complexity

Advanced

Impact

governance + security + cost-optimization + compliance + read-only + audit

Context

Why This Matters

A tenant health summary is a cross-domain snapshot of the signals that most commonly drive security incidents, license waste, and compliance findings in Microsoft 365. Rather than opening seven separate admin centers, this recipe aggregates the key indicators into a single report you can deliver to security, finance, and leadership stakeholders.

Run this recipe:

  • Monthly as part of a standing governance review.
  • Quarterly before license renewals to surface downgrade and reclamation opportunities.
  • Ad hoc during M&A, audits (SOC 2 / ISO 27001), or after a security incident.
  • On onboarding when you inherit a tenant and need a baseline.

The summary covers seven domains: license utilization efficiency, inactive users (90+ days), privileged account exposure, unmanaged/non-compliant devices, risky sign-ins (last 30 days), app registration certificate and secret expirations, and SharePoint storage growth trends.

Expected Outcomes

After completing this recipe you will have:

  • A structured JSON/CSV report file containing all seven health domains with timestamps and tenant identifier.
  • Quantified license utilization per SKU and a list of downgrade/reclamation candidates.
  • A list of enabled accounts with no sign-in in 90+ days (license waste and attack-surface candidates).
  • A full inventory of Global Administrators and other privileged role holders, with counts benchmarked against Microsoft's recommendation (≤4 Global Admins).
  • A reconciliation of Entra-registered vs. Intune-managed devices, with unmanaged devices called out.
  • Every risky sign-in in the last 30 days with user, IP, location, risk level, and remediation state.
  • App registrations whose certificates or client secrets expire in the next 30–90 days.
  • SharePoint storage growth over the last 30 days, including any anomalous spikes.
  • A prioritized list of remediation actions (High / Medium / Low).

Risks & Considerations

โš ๏ธ Warnings and Gotchas

  • Read-only report: safe to run, but the data it exposes (admin lists, user sign-in data, IP addresses) is highly sensitive. Store the output in a controlled location and share only with authorized reviewers.
  • signInActivity is only populated for Entra ID P1/P2 tenants. Free-tier tenants will not have lastSignInDateTime data and the inactive-users section will be empty.
  • Identity Protection (riskyUsers / riskySignIns) requires Entra ID P2. Without P2, fall back to querying auditLogs/signIns with riskLevelDuringSignIn ne 'none'.
  • Report anonymization: If displayConcealedNames is enabled in /admin/reportSettings, user and site names in usage reports will be hashed. Set it to false (temporarily) if you need readable names.
  • Do NOT act on inactive-user data without verification. Service accounts, shared mailboxes, and break-glass admins may legitimately have no interactive sign-ins. Cross-reference with group membership and license assignment before disabling.
  • Do NOT reduce Global Admin count below 2. Always retain at least two break-glass accounts that are cloud-only, excluded from Conditional Access, and have complex stored credentials.
  • Compliance: Sign-in log data is subject to data residency and retention policies. Do not export it to uncontrolled storage (personal OneDrive, email).
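The Expected Outcomes and the Warnings above describe one aggregation procedure: pull the Graph objects, apply the 90-day, ≤4-admin and expiry thresholds, and emit a timestamped report with High / Medium / Low actions. The block below is an added example (not the recipe's or Dex's code) that does this for five of the seven domains (license utilization, inactive users, privileged exposure, credential expirations, risky sign-ins; device reconciliation and storage trends are left out). Every input is a constructed sample shaped like the real Graph responses (subscribedSkus, users with signInActivity, Global Administrator role members, applications with keyCredentials/passwordCredentials, auditLogs/signIns); the 80% reclamation threshold, the contoso.example accounts, the tenant-id placeholder and the KNOWN_NON_INTERACTIVE cross-reference list are assumptions. It also handles two gotchas from the list: a tenant with no signInActivity at all (no P1/P2) yields an empty inactive-users section rather than flagging everyone, and known service/break-glass accounts are reported but kept out of the action list.

```python
"""Tenant health summary from Graph-shaped data (added example, not the recipe's own code).

All inputs are CONSTRUCTED samples shaped like Microsoft Graph responses; a real run would
fetch them with the permissions listed under Required Permissions. No network calls here.
"""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)    # fixed "as of" instant (constructed)
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real tenant id
INACTIVE_DAYS = 90
MAX_GLOBAL_ADMINS = 4                                # recommendation quoted in the recipe
CRED_HORIZON_DAYS = 90                               # flag secrets/certs expiring within this window
RECLAIM_BELOW_PCT = 80.0                             # assumed threshold for reclamation candidates
# Assumed cross-reference list: accounts that legitimately show no interactive sign-ins.
KNOWN_NON_INTERACTIVE = {"svc-backup@contoso.example": "service account",
                         "breakglass01@contoso.example": "break-glass admin"}

SUBSCRIBED_SKUS = [  # constructed /subscribedSkus rows
    {"skuPartNumber": "ENTERPRISEPREMIUM", "prepaidUnits": {"enabled": 500}, "consumedUnits": 310},
    {"skuPartNumber": "POWER_BI_PRO", "prepaidUnits": {"enabled": 50}, "consumedUnits": 49},
]
USERS = [  # constructed /users?$select=...,signInActivity rows
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-05-28T08:12:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-01-15T09:00:00Z"}},
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-11-02T03:00:00Z"}},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2024-10-01T09:00:00Z"}},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True},  # never signed in
]
GLOBAL_ADMINS = ["alice@contoso.example", "breakglass01@contoso.example", "breakglass02@contoso.example",
                 "erin@contoso.example", "frank@contoso.example"]  # constructed role members
APPLICATIONS = [  # constructed /applications rows
    {"displayName": "hr-sync", "keyCredentials": [],
     "passwordCredentials": [{"displayName": "prod-secret", "endDateTime": "2025-07-10T00:00:00Z"}]},
    {"displayName": "ops-portal", "passwordCredentials": [],
     "keyCredentials": [{"displayName": "signing-cert", "endDateTime": "2025-06-15T00:00:00Z"}]},
    {"displayName": "legacy-connector", "passwordCredentials": [],
     "keyCredentials": [{"displayName": "cert", "endDateTime": "2026-01-01T00:00:00Z"}]},
]
SIGN_INS = [  # constructed /auditLogs/signIns rows (last 30 days)
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7", "riskLevelDuringSignIn": "high",
     "riskState": "atRisk", "location": {"city": "Unknown", "countryOrRegion": "XX"}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.4", "riskLevelDuringSignIn": "none",
     "riskState": "none", "location": {"city": "Seattle", "countryOrRegion": "US"}},
]


def parse_graph_time(ts):
    """Parse Graph's UTC ISO-8601 timestamps, tolerating the 7-digit fractional seconds it emits."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def license_utilization(skus):
    rows = []
    for s in skus:
        enabled, consumed = s["prepaidUnits"]["enabled"], s["consumedUnits"]
        pct = round(100.0 * consumed / enabled, 1) if enabled else 0.0
        rows.append({"sku": s["skuPartNumber"], "enabled": enabled, "consumed": consumed,
                     "utilization_pct": pct, "reclamation_candidate": pct < RECLAIM_BELOW_PCT})
    return rows


def inactive_users(users, now=NOW, days=INACTIVE_DAYS):
    """Enabled accounts with no sign-in in `days`; empty when no user carries signInActivity (no P1/P2)."""
    if not any("signInActivity" in u for u in users):
        return []
    cutoff = now - timedelta(days=days)
    hits = []
    for u in users:
        if not u.get("accountEnabled"):
            continue  # disabled accounts are neither license waste nor live attack surface here
        last = u.get("signInActivity", {}).get("lastSignInDateTime")
        if last is None or parse_graph_time(last) < cutoff:
            upn = u["userPrincipalName"]
            hits.append({"upn": upn, "lastSignIn": last,
                         "exempt_reason": KNOWN_NON_INTERACTIVE.get(upn)})  # verify before disabling
    return hits


def privileged_exposure(global_admins, limit=MAX_GLOBAL_ADMINS):
    return {"global_admin_count": len(global_admins), "members": sorted(global_admins),
            "exceeds_recommendation": len(global_admins) > limit}


def expiring_credentials(apps, now=NOW, horizon=CRED_HORIZON_DAYS):
    out = []
    for app in apps:
        for kind in ("keyCredentials", "passwordCredentials"):
            for cred in app.get(kind, []):
                days_left = (parse_graph_time(cred["endDateTime"]) - now).days
                if days_left <= horizon:  # negative days_left means already expired
                    out.append({"app": app["displayName"], "type": kind,
                                "name": cred.get("displayName"), "days_left": days_left})
    return sorted(out, key=lambda c: c["days_left"])


def risky_sign_ins(sign_ins):
    """Non-P2 fallback the recipe describes: keep rows where riskLevelDuringSignIn ne 'none'."""
    return [{"upn": s["userPrincipalName"], "ip": s["ipAddress"], "risk": s["riskLevelDuringSignIn"],
             "state": s["riskState"], "location": f'{s["location"]["city"]}, {s["location"]["countryOrRegion"]}'}
            for s in sign_ins if s.get("riskLevelDuringSignIn", "none") != "none"]


def build_summary(now=NOW):
    lic, inactive, priv = license_utilization(SUBSCRIBED_SKUS), inactive_users(USERS, now), privileged_exposure(GLOBAL_ADMINS)
    creds, risky = expiring_credentials(APPLICATIONS, now), risky_sign_ins(SIGN_INS)
    recs = []
    if priv["exceeds_recommendation"]:
        recs.append(("High", f"Reduce Global Administrators from {priv['global_admin_count']} to at most "
                             f"{MAX_GLOBAL_ADMINS}, retaining at least two break-glass accounts"))
    recs += [("High", f"Investigate {r['risk']}-risk sign-in for {r['upn']} from {r['ip']} ({r['state']})") for r in risky]
    recs += [("High" if c["days_left"] <= 30 else "Medium",
              f"Rotate {c['type']} '{c['name']}' on app {c['app']} ({c['days_left']} days left)") for c in creds]
    recs += [("Medium", f"Verify, then reclaim license or disable {u['upn']} (last sign-in {u['lastSignIn']})")
             for u in inactive if u["exempt_reason"] is None]
    recs += [("Low", f"{l['sku']} at {l['utilization_pct']}% utilization: review for downgrade")
             for l in lic if l["reclamation_candidate"]]
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return {"generatedAt": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "tenantId": TENANT_ID, "licenses": lic,
            "inactiveUsers": inactive, "privileged": priv, "expiringCredentials": creds, "riskySignIns": risky,
            "recommendations": [{"priority": p, "action": a} for p, a in sorted(recs, key=lambda r: rank[r[0]])]}


if __name__ == "__main__":
    print(json.dumps(build_summary(), indent=2))
```

With the constructed data the report lists three High actions first (five Global Admins against the ≤4 benchmark, one at-risk sign-in, a certificate with 14 days left), then the Medium and Low items; svc-backup is still reported under inactive users with its exempt reason so a reviewer can see it, but it never becomes a disable recommendation. Swapping the sample dicts for real Graph page results (after following @odata.nextLink) is the only change needed for a live run.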

Required Permissions

Permission: Why It's Needed

  • Organization.Read.All: Read subscribedSkus for license utilization
  • User.Read.All: Enumerate users and read signInActivity for inactive-user detection
  • AuditLog.Read.All: Read sign-in logs for risky sign-in analysis
  • Directory.Read.All: Read directory roles and privileged role members
  • DeviceManagementManagedDevices.Read.All: Read Intune managed device inventory and compliance state
  • Device.Read.All: Read Entra ID registered devices for unmanaged-device reconciliation
  • Application.Read.All: Read app registrations including keyCredentials and passwordCredentials expirations
  • Reports.Read.All: Read SharePoint, OneDrive, and mailbox usage reports
  • IdentityRiskyUser.Read.All: Read riskyUsers and riskyDetections from Identity Protection (Entra ID P2)

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Generate a comprehensive health summary for our Microsoft 365 tenant covering: license utilization efficiency per SKU, users inactive for 90+ days, privileged account exposure (especially Global Admins), unmanaged or non-compliant devices, risky sign-ins in the last 30 days, app registration certificate/secret expirations in the next 30 days, and SharePoint storage growth trends. Produce a structured report with prioritized recommendations.