Extract Microsoft 365 Secure Score information
directorcia edited this page Jan 22, 2026 · 1 revision
o365-secure-score-extract.ps1 is a PowerShell script designed to extract Microsoft 365 Secure Score data, control profiles, Conditional Access policies, Security Defaults status, and MFA registration summary for a specified tenant. The script outputs this data to a JSON file for analysis, reporting, or integration with other tools. It also supports generating a compact summary file for AI or data-limited scenarios.
- PowerShell 5.1+ (Windows) or PowerShell Core (cross-platform)
- Microsoft.Graph PowerShell Module
  - Install with: `Install-Module Microsoft.Graph -Scope CurrentUser`
- Permissions
  - The script requires the following Microsoft Graph API permissions: `SecurityEvents.Read.All`, `Policy.Read.All`, `Reports.Read.All`, `Directory.Read.All`
- Microsoft 365 Tenant
  - You must have access to the target tenant and appropriate admin rights.
| Parameter | Type | Required | Description |
|---|---|---|---|
| TenantDomain | string | Yes | The primary domain of the target Microsoft 365 tenant. |
| DataFile | string | No | Optional output file path for the JSON data. Auto-generated if not specified. |
| Compact | switch | No | If set, also outputs a compact summary file for AI/analysis. |
- Initialization
  - Validates parameters and checks for required modules.
  - Connects to Microsoft Graph with the necessary scopes.
  - Verifies connection to the correct tenant.
- Data Collection Steps
  - Secure Score: Retrieves the latest Secure Score and history.
  - Secure Score Controls: Fetches all Secure Score control profiles, highlighting open/important controls.
  - Conditional Access Policies: Collects all Conditional Access policies, removing verbose fields for clarity.
  - Security Defaults: Checks if Security Defaults are enabled for the tenant.
  - MFA Registration Summary: Retrieves MFA registration summary for the last 30 days.
- Output Generation
  - Builds a comprehensive security data object.
  - Saves the full data to a JSON file (auto-named if not specified).
  - If `-Compact` is specified, creates a summarized version for AI/data-limited use cases.
- Completion
  - Displays summary information, including file paths and sizes.
  - Provides guidance on which file to use for different scenarios.
- Full Data File: JSON file containing all collected security data.
  - Filename: `[Tenant]_ss_[timestamp].json` (auto-generated if not specified)
- Compact Data File (optional): Summarized JSON file for AI/analysis.
  - Filename: `[Tenant]_ss_[timestamp]_compact.json`
- The script uses `Write-Host` and custom functions for info, warning, and error messages.
- Debug output is available for troubleshooting (enable with `$DebugPreference = 'Continue'`).
- Handles Graph API errors gracefully, providing actionable messages for permission issues.
```powershell
# Basic usage (auto-generates output file)
./o365-secure-score-extract.ps1 -TenantDomain "contoso.com"

# Specify output file
./o365-secure-score-extract.ps1 -TenantDomain "contoso.com" -DataFile "C:\Reports\contoso_secure_score.json"

# Generate compact summary as well
./o365-secure-score-extract.ps1 -TenantDomain "contoso.com" -Compact
```

- Security: Do not share output files containing sensitive tenant information without proper review.
- Performance: Data collection time depends on tenant size and network speed.
- Extensibility: The script is modular and can be extended to collect additional data as needed.
- Support: For issues with Microsoft Graph permissions, ensure your account has the required roles and consented scopes.
For further customization or troubleshooting, review the script's inline comments and debug output.
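
A pre-flight check for the permission and tenant issues noted above, mirroring the initialization steps (module present, required scopes consented, session bound to the intended tenant). This is an added example, not code from o365-secure-score-extract.ps1; the `$TenantDomain` parameter copies the script's parameter name, and saving it as its own script file is an assumption.

```powershell
# Added example: run before the extract script to catch a wrong tenant or partial consent.
param(
    [Parameter(Mandatory)] [string] $TenantDomain   # e.g. "contoso.com"
)

# Scopes this page lists as required by the script
$requiredScopes = @(
    'SecurityEvents.Read.All',
    'Policy.Read.All',
    'Reports.Read.All',
    'Directory.Read.All'
)

# The Microsoft.Graph meta-module installs Microsoft.Graph.Authentication
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    throw "Microsoft.Graph is not installed. Run: Install-Module Microsoft.Graph -Scope CurrentUser"
}

Connect-MgGraph -Scopes $requiredScopes | Out-Null
$context = Get-MgContext
if (-not $context) { throw "Not connected to Microsoft Graph." }

# Consent can be partial, so compare against the scopes the session actually holds
$missing = @($requiredScopes | Where-Object { $context.Scopes -notcontains $_ })
if ($missing.Count -gt 0) {
    Disconnect-MgGraph | Out-Null
    throw "Missing consented scopes: $($missing -join ', ')"
}

# A cached sign-in may belong to another tenant: confirm this one owns $TenantDomain
$org     = Get-MgOrganization          # returns the signed-in tenant's organization object
$domains = @($org.VerifiedDomains | ForEach-Object { $_.Name })
if ($domains -notcontains $TenantDomain) {
    Disconnect-MgGraph | Out-Null
    throw "Connected to tenant $($context.TenantId), which does not list '$TenantDomain' as a verified domain."
}

Write-Host "OK: $($context.Account) is connected to $TenantDomain ($($context.TenantId)) with all required scopes."
```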