You can lock down Microsoft 365 and still leave another door open to the internet.
That is the distinction many dashboards miss. Tightening MFA, Conditional Access and admin roles does not close anything reachable over the public internet. Attackers, insurers, customers and auditors may each have a reason to care about what your organisation presents externally, and that concern is separate from how your identity controls look inside Microsoft.
Microsoft posture covers a specific scope
Microsoft 365 and Entra posture work covers identity, access policy, audit configuration, collaboration settings and cloud controls within the Microsoft environment.
Microsoft Secure Score can be useful, but it is not a complete view of your organisation's security posture. It scores recommended actions against Microsoft's own configuration model. That is a valid signal, but it says nothing about what sits outside the tenant.
ScanPosture assesses that same Microsoft space: authentication and MFA, privileged access, Conditional Access, account hygiene, non-human identity, tenant configuration, monitoring and risk, logging and audit, device security, SharePoint, Teams and Exchange.
It is a read-only posture assessment of your Microsoft 365 and Entra environment. External Exposure is a separate view, and ScanPosture treats it as one.
What external exposure actually means
External exposure is what your public domains, hosts and IP addresses present to anyone on the internet.
That includes websites and web services, remote access gateways, VPN or network device management interfaces, mail services, admin panels, development or test systems left running, database services, monitoring interfaces, and hosts stood up for a project and never decommissioned.
Not every reachable service is a problem. A web server on port 443 may be entirely expected.
The concern starts with services that should not be public: remote desktop exposed to the internet, old FTP servers, admin tools with no authentication in front of them, database services bound to external interfaces, or forgotten systems nobody has reviewed.
The real risk is rarely that a port is open. It is that nobody in the business knows it is there, cannot confirm whether it is expected, has no record of when it appeared, and has no evidence to show anyone who asks.
Why this matters
The National Cyber Security Centre advises organisations to protect administration interfaces and to use strong multi-factor authentication for corporate online services. CISA maintains Internet Exposure Reduction guidance because internet-accessible assets and remote access technologies can increase operational and security risk when left exposed or unsecured. The CIS Controls open with asset inventory because you cannot manage what you do not know you have.
An organisation that has done solid Microsoft 365 hardening but still has an exposed admin interface, forgotten service or unreviewed remote access endpoint has a gap.
The two problems live in different places and take different tools to find.
What ScanPosture External Exposure does
External Exposure is a feature within ScanPosture. It requires a verified ScanPosture account. There is no anonymous path into it, and that is deliberate.
When you run a check, you confirm that you own, administer or are otherwise authorised to assess the target. ScanPosture then runs an authorised external check against your specified public domains, hosts or IP addresses. It records what is reachable and the service evidence observed, and stores that as structured evidence tied to your account.
Results show observed internet-facing services with plain-English risk context. Services that warrant attention are flagged for review or as high concern.
The External Exposure view sits separately from your Microsoft 365 posture scoring. Both contribute to your overall picture. They are not combined into a single score at this stage.
Why account verification is a strength
Requiring a verified account before any external check can run is a security decision, not an obstacle.
ScanPosture is not an anonymous scanning tool. Every check is tied to an accountable user, the authorisation is recorded, and the result history is attached to a real account.
That matters for several reasons. It prevents misuse. It creates a record of who authorised each check and when. And it builds the foundation for scheduled rescans and historical evidence, both of which need checks tied to an account with persistent access.
Free checks versus the full platform
A free verified ScanPosture account gives you manual External Exposure checks. You can run a check, see the observed services and their plain-English risk context, and access the results available to your account.
It is a clear free tier for manual use, limited to those basic features.
A free account does not schedule External Exposure scans, does not schedule reports, does not set alerts for changes, does not access Microsoft 365 and Entra posture monitoring, and does not use full exports or governance features.
A 28-day ScanPosture trial or a paid subscription adds scheduled External Exposure scans, scheduled reports, alerting, Microsoft 365 and Entra posture monitoring, posture drift detection, remediation prioritisation, framework readiness views, and reporting and export.
With a ScanPosture subscription, External Exposure checks can run on a regular schedule, such as daily, so newly exposed services are surfaced rather than missed.
When a ScanPosture trial ends, the account returns to the free account and its basic features. ScanPosture is one platform across both Microsoft posture and external exposure.
What External Exposure does not claim
External Exposure is not a penetration test. It does not confirm exploitability, test for specific vulnerabilities, or produce findings that stand in for formal assessment.
It shows what is externally reachable from the public internet and records the service evidence. That is a distinct and useful thing. It is not everything.
ScanPosture shows alignment and readiness against selected technical controls related to recognised frameworks. It does not itself certify compliance or replace formal assessment, certification, or legal advice.
The complete picture needs both views
A strong Microsoft 365 posture is worth the investment and the ongoing attention. But it is one part of the picture.
External Exposure gives you the other part: what the internet can see.
Together they form a more complete view of where your organisation's posture actually stands.
Run an External Exposure check on your public domains, hosts or IP addresses at scanner.scanposture.com.
Start a free 28-day ScanPosture trial when you are ready to bring Microsoft posture monitoring and external exposure into a single assurance picture.



