Here are my brainstorm ideas, in case anyone more hands on daily than I, can feed off a starting point.

Pull

public DNS server location

DNS name registrar location

Email domains configured

SPF check

DKIM check

DMARC check

If AD Connect is configured and in place (sync settings)

MFA configured (can it check for non-MS MFA)

MFA users enabled/disabled

Any conditional access settings (user risk conditional access policy?

Sign-in risk policy enabled

Legacy protocol authentication blocked?

GlobalAdmin user list (other privileged accounts?)

GlobalAdmin last password change

Users with Do not expire passwords set

Default Azure AD Password Policy (non integrated)

User ability to create app passwords

Check if GlobalAdmin is a daily email user

Safe attachment settings

Safe Link settings

Anti-phishing settings

External email tagging configured?

Any mail forwarding rules (or all mail flow rules)

Email encryption settings configured?

Preset security policies (standard, strict or custom)

Unified audit log enabled?

Alert Policy enabled?

Continuous access evaluation?

MS Teams policy settings

Shared mailbox sign-in blocked

Self-Service Password Reset configured

Idle session timeout enabled

List of OAuth applications

App discovery policy

Lockbox feature enabled

Enabled DLP policies/ retention labels

eDiscovery cases

InTune Compliance policy names and settings

Here are my brainstorm ideas, in case anyone more hands on daily than I, can feed off a starting point.

Pull

public DNS server location

DNS name registrar location

Email domains configured

SPF check

DKIM check

DMARC check

If AD Connect is configured and in place (sync settings)

MFA configured (can it check for non-MS MFA)

MFA users enabled/disabled

Any conditional access settings (user risk conditional access policy?

Sign-in risk policy enabled

Legacy protocol authentication blocked?

GlobalAdmin user list (other privileged accounts?)

GlobalAdmin last password change

Users with Do not expire passwords set

Default Azure AD Password Policy (non integrated)

User ability to create app passwords

Check if GlobalAdmin is a daily email user

Safe attachment settings

Safe Link settings

Anti-phishing settings

External email tagging configured?

Any mail forwarding rules (or all mail flow rules)

Email encryption settings configured?

Preset security policies (standard, strict or custom)

Unified audit log enabled?

Alert Policy enabled?

Continuous access evaluation?

MS Teams policy settings

Shared mailbox sign-in blocked

Self-Service Password Reset configured

Idle session timeout enabled

List of OAuth applications

App discovery policy

Lockbox feature enabled

Enabled DLP policies/ retention labels

eDiscovery cases

InTune Compliance policy names and settings

Here are my brainstorm ideas, in case anyone more hands on daily than I, can feed off a starting point.

Pull

public DNS server location

DNS name registrar location

Email domains configured

SPF check

DKIM check

DMARC check

If AD Connect is configured and in place (sync settings)

MFA configured (can it check for non-MS MFA)

MFA users enabled/disabled

Any conditional access settings (user risk conditional access policy?

Sign-in risk policy enabled

Legacy protocol authentication blocked?

GlobalAdmin user list (other privileged accounts?)

GlobalAdmin last password change

Users with Do not expire passwords set

Default Azure AD Password Policy (non integrated)

User ability to create app passwords

Check if GlobalAdmin is a daily email user

Safe attachment settings

Safe Link settings

Anti-phishing settings

External email tagging configured?

Any mail forwarding rules (or all mail flow rules)

Email encryption settings configured?

Preset security policies (standard, strict or custom)

Unified audit log enabled?

Alert Policy enabled?

Continuous access evaluation?

MS Teams policy settings

Shared mailbox sign-in blocked

Self-Service Password Reset configured

Idle session timeout enabled

List of OAuth applications

App discovery policy

Lockbox feature enabled

Enabled DLP policies/ retention labels

eDiscovery cases

InTune Compliance policy names and settings

Hi everyone, thank you for voting on this idea submission. We are currently in the process of reviewing this request, however we would like more information regarding functionality before moving forward. To help paint the picture, please feel free to comment expected data values and potential use cases below! This well help us determine any potential limitations, and create a feature that achieves your goals.