Most Microsoft 365 problems I have seen were not caused by a bad command. They were caused by a reasonable command run against a tenant that nobody fully understood at the time. The setting looked isolated on one admin screen, but it was part of a bigger story: an old forwarding rule that a workflow depended on, a role assignment nobody remembered granting, a Conditional Access exclusion that existed for a reason nobody wrote down.
The habit this site is built on
Before a change window, run the read-only checks first. Export the current state. Read the output. Write down what looks expected and what needs an owner to explain it. Only then plan the change.
That habit sounds obvious, but under ticket pressure it is the first thing that gets skipped — usually because the checks are scattered across admin portals, half-remembered PowerShell, and browser bookmarks. Making the first review repeatable is the whole point of turning these checks into playbooks.
What a good first check looks like
- It reads and exports. It does not change anything, so it is safe to run early and often.
- It names the permissions it needs, so consent can be reviewed instead of rubber-stamped.
- It produces output you can attach to a ticket, a change record, or a handoff document.
- It says what it proves and, just as important, what it does not prove.
Why “what it does not prove” matters
An MFA registration export does not prove MFA is enforced. A forwarding export does not prove the forwarding is malicious. A role export does not show every eligible PIM assignment. Treating an export as the end of the review, instead of the start, is how false confidence gets built. Every playbook on this site carries a limitations section for that reason.
Where this goes next
The starter playbooks cover MFA registration, external mailbox forwarding, and privileged role assignments — three checks I would want in front of me before almost any tenant change. More read-only checks are planned, and the same review-first workflow shaped Script Library LITE, a free desktop app with 15 read-only reporting scripts.
If this way of working matches how you want to run a tenant, start with the playbook library or the M365 Admin Quick-Check Pack.