Compliance Monitoring

Track compliance scores, detect policy violations, and generate audit reports for your SharePoint environment.

1. What Is Compliance Scoring?

SPScan assigns each connected tenant a compliance score on a scale of 0 to 100. This score reflects the overall permission health of the tenant based on a weighted analysis of several security factors. A score of 100 means no permission issues were detected, while lower scores indicate areas where the tenant's SharePoint configuration deviates from security best practices.

The compliance score is designed to be a single, easy-to-understand metric that you can track over time. Rather than requiring you to manually review hundreds of individual permission entries, the score gives you an immediate sense of whether a tenant's security posture is improving or declining. This is particularly valuable for MSPs who need to report on security status to non-technical stakeholders.

It is important to understand that the compliance score is not a certification or guarantee of security. It is a practical indicator based on common SharePoint security best practices. A tenant with a score of 85 is not necessarily "compliant" with any specific regulatory framework, but it does have fewer permission issues than a tenant with a score of 60. The score helps you prioritise remediation efforts and track progress.

2. How Scores Are Calculated

The compliance score is calculated from several weighted factors that SPScan evaluates during each scan. The heaviest-weighted factors are external sharing and anonymous access links, as these represent the highest risk for data exposure. A tenant with no external sharing links and no anonymous access will score significantly higher than one with many active sharing links.

Other factors include the number of permission inheritance breaks, the ratio of sites with unique permissions versus inherited permissions, the presence of overly broad permission grants such as "Everyone" or "Everyone except external users", and whether guest accounts have access to sensitive sites. Each factor contributes to the overall score based on its relative risk weight.

The score is recalculated after every scan, so it reflects the current state of the tenant rather than a historical average. If you remediate a batch of external sharing links, your compliance score will improve on the next scan. Conversely, if users create new anonymous access links, the score will decrease. This real-time responsiveness makes the score a useful tool for tracking the impact of your security interventions.
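An added example, not SPScan's own scoring code, showing how a weighted score built from the factors listed above responds to a scan and to a remediation; the weights, the deduction formula and the sample tenant are assumptions constructed for illustration:

```python
from dataclasses import dataclass, field, replace

# Assumed weights (not SPScan's): external/anonymous sharing penalised heaviest.
WEIGHTS = {"anonymous_link": 12, "external_link": 5, "guest_on_sensitive_site": 4,
           "broad_grant": 5, "inheritance_break": 1}
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users"}
UNIQUE_RATIO_WEIGHT = 10  # assumed max penalty when every site has unique permissions

@dataclass
class Site:
    name: str
    sensitive: bool = False
    unique_permissions: bool = False  # site does not inherit from its parent
    grants: list = field(default_factory=list)  # principals granted access
    guests: int = 0
    inheritance_breaks: int = 0  # lists/folders below the site with unique permissions
    external_links: int = 0
    anonymous_links: int = 0

def score_breakdown(sites):
    """Penalty points per factor: the breakdown a compliance report would list."""
    counts = dict.fromkeys(WEIGHTS, 0)
    for s in sites:
        counts["anonymous_link"] += s.anonymous_links
        counts["external_link"] += s.external_links
        counts["guest_on_sensitive_site"] += s.guests if s.sensitive else 0
        counts["broad_grant"] += sum(g in BROAD_PRINCIPALS for g in s.grants)
        counts["inheritance_break"] += s.inheritance_breaks
    breakdown = {k: WEIGHTS[k] * n for k, n in counts.items()}
    unique = sum(s.unique_permissions for s in sites)
    breakdown["unique_ratio"] = UNIQUE_RATIO_WEIGHT * unique / len(sites) if sites else 0
    return breakdown

def compliance_score(sites):
    """0-100: start at 100, subtract every penalty, floor at 0."""
    return max(0, round(100 - sum(score_breakdown(sites).values())))

def sample_tenant():  # constructed data, not a real tenant
    return [
        Site("HR", sensitive=True, unique_permissions=True, guests=2, inheritance_breaks=3,
             grants=["HR Members", "Everyone"], anonymous_links=1),
        Site("Marketing", external_links=4),
        Site("Intranet", grants=["Everyone except external users"]),
        Site("Finance", sensitive=True, unique_permissions=True),
    ]

def revoke_sharing_links(sites):
    """Model a remediation: the next scan re-scores the tenant from its new state."""
    return [replace(s, external_links=0, anonymous_links=0) for s in sites]
```

Revoking the four external links and the one anonymous link lifts the constructed tenant from 42 to 74, while the guest access, broad grants and inheritance breaks keep it well short of 100.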

3. Tracking Improvement

SPScan stores historical compliance snapshots for each tenant, allowing you to track how the score changes over time. The tenant detail page includes a compliance history chart that shows the score at each scan over the past 30, 60, or 90 days. This historical view makes trends visible and helps you identify whether your security management efforts are having the desired effect.

When you make changes to a tenant's SharePoint configuration, such as removing external sharing links or tightening sharing policies, the compliance score should improve on the next scan. By comparing the score before and after your intervention, you can quantify the impact of specific remediation actions. This is valuable both for internal tracking and for demonstrating value to clients.

For organisations with compliance obligations, the historical data also serves as evidence that you are actively monitoring and managing SharePoint permissions. The ability to show a consistent upward trend in compliance scores, or to demonstrate rapid response when scores drop, is a powerful asset during audits and security reviews.

4. Generating Compliance Reports

SPScan provides PDF compliance reports that summarise a tenant's permission health in a professional, shareable format. These reports include the current compliance score, a breakdown of the factors contributing to the score, a list of the most significant permission issues, and a historical score chart. They are designed to be shared with stakeholders who need a high-level understanding of SharePoint security without diving into the raw data.

To generate a compliance report, navigate to the Reports section of any tenant and click "Download Compliance Report". The report is generated as a PDF that you can save, email, or present during review meetings. For MSPs, these reports are an excellent way to communicate the value of your monitoring service and to document security posture for client governance purposes.

In addition to the PDF compliance report, SPScan offers CSV exports for permissions and storage data. These detailed exports are useful for deeper analysis in spreadsheet applications or for importing into other tools. The CSV exports include every permission entry and storage record that SPScan has discovered, giving you the raw data behind the compliance score.

5. Alerting on Compliance Issues

SPScan can alert you when compliance-related events occur, such as when a tenant's compliance score drops below a threshold, when new external sharing links are created, or when anonymous access is granted to a site. By configuring alert rules for these event types, you can respond to compliance issues as they arise rather than discovering them during periodic reviews.

The most important compliance-related alert types are external sharing link creation and anonymous access grants. These events represent immediate risk because they create new access paths to SharePoint content that may not have been authorised through your normal governance process. Receiving real-time notifications for these events allows you to review and revoke inappropriate access quickly.

For a comprehensive compliance monitoring setup, we recommend creating alert rules for all high-risk event types and routing them to a channel that your security team monitors actively. Combine this with weekly or monthly compliance reports to give stakeholders visibility into the overall trend. This proactive approach to compliance monitoring helps prevent incidents before they occur and demonstrates due diligence to auditors.
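An added example, not SPScan's alerting engine, that evaluates the three alert rules described in this section by diffing two scan snapshots and routes the results to monitored channels; the snapshot layout, rule names, channel names and sample scans are assumptions constructed for illustration:

```python
# Assumed snapshot shape: {"score": int, "links": {link_id: {"site": str, "type": str}}}
# where type is "external" or "anonymous". Constructed data, not real scans.
PREVIOUS_SCAN = {"score": 78, "links": {"lnk-001": {"site": "Marketing", "type": "external"}}}
CURRENT_SCAN = {"score": 64, "links": {
    "lnk-001": {"site": "Marketing", "type": "external"},
    "lnk-002": {"site": "HR", "type": "anonymous"},
    "lnk-003": {"site": "Marketing", "type": "external"},
}}

# Assumed routing: immediate-risk events go to the actively monitored channel,
# score drops to the channel reviewed alongside the periodic report.
ROUTES = {
    "anonymous_access_granted": "#sec-oncall",
    "external_sharing_link_created": "#sec-oncall",
    "score_below_threshold": "#compliance-review",
}

def evaluate_alerts(previous, current, score_threshold=70):
    """Return (rule, detail) events raised by the transition previous -> current."""
    alerts = []
    # Fire only when the score crosses the threshold, so a tenant that is
    # already below it does not re-alert on every scan.
    if previous["score"] >= score_threshold > current["score"]:
        alerts.append(("score_below_threshold",
                       f"score {previous['score']} -> {current['score']}"))
    new_links = set(current["links"]) - set(previous["links"])
    for link_id in sorted(new_links):
        link = current["links"][link_id]
        if link["type"] == "anonymous":
            alerts.append(("anonymous_access_granted", f"{link['site']} via {link_id}"))
        elif link["type"] == "external":
            alerts.append(("external_sharing_link_created", f"{link['site']} via {link_id}"))
    return alerts

def route_alerts(alerts):
    """Group alerts by destination channel; unknown rules go to a catch-all."""
    routed = {}
    for rule, detail in alerts:
        routed.setdefault(ROUTES.get(rule, "#alerts-unrouted"), []).append((rule, detail))
    return routed
```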