TenantBaseline is a free, open-source PowerShell module for Microsoft 365 security baseline monitoring and configuration drift detection. Created by Ugur Koc, TenantBaseline uses the Microsoft Graph API to monitor 249 resource types across 5 Microsoft 365 workloads: Entra ID, Exchange Online, Intune, Teams, and Security & Compliance.
The module provides 32 purpose-built PowerShell cmdlets for baseline management, drift detection, configuration snapshots, and compliance reporting. TenantBaseline includes 10 pre-built security templates such as CIS Microsoft 365 Foundations Benchmark Level 1 and Zero Trust Foundation configurations.
TenantBaseline is available on the PowerShell Gallery and can be installed using: Install-Module TenantBaseline -Scope CurrentUser. It runs on Windows, macOS, and Linux with PowerShell 7 or later. The source code is hosted on GitHub under the MIT License.
Key capabilities
Baseline management: define and enforce desired tenant configuration states
Drift detection: compare live configurations against baselines to catch unauthorized changes
Configuration snapshots: capture and export tenant state for audit trails
Compliance reporting: generate HTML dashboards and drift reports
Security templates: start with pre-built baselines for common security frameworks
Stop Microsoft 365 configuration drift before it becomes a breach
Someone changes a Conditional Access policy. An Intune compliance rule gets weakened. A mailbox forwarding rule slips through. By the time you notice, the damage is done.
TenantBaseline is a free, open-source PowerShell module that monitors your Microsoft 365 tenant configuration against security baselines across 5 workloads and 249 resource types, covering Entra ID, Exchange Online, Intune, Teams, and Security & Compliance. It provides drift detection, configuration snapshots, and compliance reporting through 32 purpose-built cmdlets.
Microsoft 365 tenants accumulate configuration changes daily. Without a baseline to compare against, drift goes undetected until something breaks.
Security gaps go unnoticed
A weakened Conditional Access policy or disabled compliance rule creates an opening. Without continuous monitoring, these changes stay invisible until an incident occurs.
Audits become fire drills
When auditors ask for evidence that your tenant matches your security baseline, you scramble to generate reports manually because configuration drift means documented policies no longer match reality.
Manual reviews do not scale
Microsoft 365 spans hundreds of settings across five workloads. Checking them one by one is slow, error-prone, and impossible to do consistently.
Supported Microsoft 365 Workloads
Entra ID
Exchange Online
Intune
Teams
Security & Compliance
32
PowerShell Cmdlets
249+
Resource Types Monitored
100%
Workload Coverage
Comprehensive Configuration Monitoring
Everything you need to maintain security baselines and detect drift across your Microsoft 365 tenant.
Baseline Management
Define your desired tenant state with pre-built templates or custom configurations. Import and export baselines as JSON for version control and share them across tenants.
Drift Detection
Compare live tenant configuration against baselines to catch unauthorized changes. Get per-resource drift reports showing exactly what changed and which monitor flagged it.
249 Resource Types
Monitor 249 Microsoft Graph resource types across all five workloads. Fewer blind spots, more complete coverage of your tenant security posture.
Get Started in Minutes
Three simple steps to monitor your Microsoft 365 tenant configuration.
Step 1
Install
Install TenantBaseline from the PowerShell Gallery.
TenantBaseline is a free, open-source PowerShell module that monitors Microsoft 365 tenant configurations against security baselines. It uses the Microsoft Graph API to cover 249 resource types across 5 workloads: Entra ID, Exchange Online, Intune, Teams, and Security & Compliance. It provides drift detection, configuration snapshots, compliance reporting, and pre-built security templates.
Install TenantBaseline from the PowerShell Gallery by running: Install-Module TenantBaseline -Scope CurrentUser. Then connect to your Microsoft 365 tenant with Connect-TBTenant. The module requires PowerShell 7 or later and works on Windows, macOS, and Linux.
TenantBaseline supports 5 Microsoft 365 workloads: Entra ID (identity and Conditional Access), Exchange Online (mail flow and anti-phishing), Intune (device compliance and configuration), Teams (messaging policies), and Security & Compliance (data loss prevention). Together, these cover 249 Microsoft Graph resource types.
Yes. TenantBaseline is completely free and open-source under the MIT License. The source code is available on GitHub and the module can be installed from the PowerShell Gallery at no cost.
TenantBaseline drift detection works by creating a monitor with a security baseline, then comparing your live tenant configuration against that baseline. When settings change, the module flags the drift. Use Get-TBDrift to list detected changes, Get-TBDriftSummary for an aggregated overview, and New-TBDriftReport to generate an HTML or JSON report.
TenantBaseline ships with 10 pre-built security templates, including CIS Microsoft 365 Foundations Benchmark Level 1, Zero Trust Foundation, Conditional Access MFA enforcement, legacy authentication blocking, anti-phishing policies, DKIM signing, Intune compliance baselines, and Entra ID hardening templates. Templates can be applied using Import-TBBaseline.
TenantBaseline provides 32 purpose-built PowerShell cmdlets organized into 8 categories: Connection (3 cmdlets), Setup (4), Monitors (8), Baselines (3), Drift (3), Snapshots (7), Reports (3), and Interactive (1). Each cmdlet follows PowerShell naming conventions with the TB prefix.