Production AI Institute · PSF v1.1 open standard

AI Right-To-Know AI Data Use Index Check My AI Tools Policy Change Watch Agent Readiness Public Benchmark ContactGlobal standard · Worldwide

MSP ToolkitCertified IntegratorsClient readiness

M365 Tenant Discovery.
Scripts. Not guesswork.

Use structured tenant discovery to identify Copilot readiness gaps, governance blockers, security risks, and the first AI engagement your MSP can scope with confidence.

Why this matters: Baseline data collection should be structured and repeatable. These scripts reduce the time spent gathering tenant facts so the assessment can focus on interpretation, stakeholder interviews, and remediation planning.

View starter scripts ↓Assessment facilitation guide →Get the launch pack →PSF standard →MSP AI certification guide →

Before you start

Install these PowerShell modules on the engineer machine running the discovery. You need a work account with Global Reader + Security Reader + Exchange View-Only in the client tenant — temporary assignment, remove after engagement.

Microsoft.Graph

Install-Module Microsoft.Graph -Scope CurrentUser

Core Graph API access — users, groups, apps, policies

ExchangeOnlineManagement

Install-Module ExchangeOnlineManagement -Scope CurrentUser

Mailbox config, transport rules, mail flow settings

MicrosoftTeams

Install-Module MicrosoftTeams -Scope CurrentUser

Teams policies, app permissions, meeting settings

Az.Accounts

Install-Module Az.Accounts -Scope CurrentUser

Azure subscription and resource discovery

SharePointPnPPowerShellOnline

Install-Module PnP.PowerShell -Scope CurrentUser

SharePoint site inventory and sensitivity label status

Required tenant permissions

Role	Required?	Notes
Global Reader	Required	Minimum for read-only discovery. Can be temporary — remove after engagement.
Exchange View-Only Organization Management	Required	Required for Exchange Online discovery.
Teams Administrator	Optional	Needed if scoping Teams governance. Can use Global Reader for basic Teams config.
SharePoint Administrator	Optional	Needed for full SharePoint site-level data. PnP requires explicit site access.
Security Reader	Required	Needed for Defender, Secure Score, and Conditional Access policy reads.

Discovery scripts

Start with tenant setup and profile discovery to frame the client conversation. The Integrator toolkit extends this into Copilot footprint, security posture, data governance, usage, automation readiness, report compilation, workbook, and client report templates.

01

Prerequisites setup

Install all required PowerShell modules and connect to the tenant. Run this first — everything else depends on it.

⏱ 5–10 min📄 Output: Session tokens for Graph, Exchange, Teams. Confirm all modules loaded.

# PAI MSP Toolkit — Prerequisite Setup Script
# Run as: .\01-prereq.ps1 -TenantDomain "contoso.onmicrosoft.com"
# Purpose: Install modules and authenticate to Microsoft 365 tenant

param(
  [Parameter(Mandatory=$true)]
  [string]$TenantDomain,
  [string]$OutputPath = ".\discovery-output"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

Write-Host "PAI MSP Toolkit — Tenant Discovery Prereq Setup" -ForegroundColor Cyan
Write-Host "Tenant: $TenantDomain" -ForegroundColor Yellow
Write-Host ""

# Create output directory
if (-not (Test-Path $OutputPath)) {
  New-Item -ItemType Directory -Path $OutputPath | Out-Null
  Write-Host "Created output directory: $OutputPath" -ForegroundColor Green
}

# Module installation
$modules = @(
  "Microsoft.Graph",
  "ExchangeOnlineManagement",
  "MicrosoftTeams",
  "Az.Accounts",
  "PnP.PowerShell"
)

foreach ($mod in $modules) {
  if (-not (Get-Module -ListAvailable -Name $mod)) {
    Write-Host "Installing $mod..." -ForegroundColor Yellow
    Install-Module -Name $mod -Scope CurrentUser -Force -AllowClobber
    Write-Host "  $mod installed." -ForegroundColor Green
  } else {
    Write-Host "  $mod already installed." -ForegroundColor Gray
  }
}

# Connect to Microsoft Graph
Write-Host ""
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
$scopes = @(
  "Directory.Read.All",
  "Policy.Read.All",
  "AuditLog.Read.All",
  "SecurityEvents.Read.All",
  "Reports.Read.All",
  "RoleManagement.Read.Directory",
  "Organization.Read.All",
  "User.Read.All",
  "Group.Read.All",
  "Application.Read.All",
  "DeviceManagementConfiguration.Read.All"
)
Connect-MgGraph -Scopes $scopes -TenantId $TenantDomain

# Connect to Exchange Online
Write-Host "Connecting to Exchange Online..." -ForegroundColor Cyan
Connect-ExchangeOnline -Organization $TenantDomain -ShowBanner:$false

# Connect to Teams
Write-Host "Connecting to Microsoft Teams..." -ForegroundColor Cyan
Connect-MicrosoftTeams -TenantId $TenantDomain | Out-Null

Write-Host ""
Write-Host "All connections established. Ready to run discovery scripts." -ForegroundColor Green
Write-Host "Output will be written to: $OutputPath" -ForegroundColor Yellow

02

Tenant profile and licensing

Collect the tenant's licence inventory, SKUs, assigned vs available seats, and identify which Microsoft AI products are licensed.

⏱ 2–5 min📄 Output: CSV: licence inventory with AI-relevant SKUs highlighted. JSON: tenant org profile.

# PAI MSP Toolkit — Tenant Profile and Licensing
# Run as: .\02-tenant-profile.ps1 -OutputPath ".\discovery-output"
# Requires: Microsoft.Graph connected (run 01-prereq.ps1 first)

param(
  [string]$OutputPath = ".\discovery-output"
)

Set-StrictMode -Version Latest
Write-Host "Script 02: Tenant Profile and Licensing" -ForegroundColor Cyan

# AI-relevant SKU patterns to flag
$aiSkuPatterns = @(
  "COPILOT",
  "M365_COPILOT",
  "MICROSOFT_365_COPILOT",
  "VIVA",
  "POWER_AUTOMATE",
  "POWER_BI",
  "AZURE_AI",
  "COGNITIVE_SERVICES",
  "OPENAI",
  "SYNTEX"
)

# Org profile
$org = Get-MgOrganization
$orgProfile = [PSCustomObject]@{
  TenantId         = $org.Id
  DisplayName      = $org.DisplayName
  Domain           = ($org.VerifiedDomains | Where-Object { $_.IsDefault }).Name
  Country          = $org.CountryLetterCode
  CreatedDateTime  = $org.CreatedDateTime
  TenantType       = $org.TenantType
}
$orgProfile | ConvertTo-Json | Out-File "$OutputPath	enant-profile.json" -Encoding UTF8
Write-Host "  Tenant: $($org.DisplayName) | $($orgProfile.Domain)" -ForegroundColor Green

# Total user count
$userCount = (Get-MgUser -Count -ConsistencyLevel eventual -Filter "accountEnabled eq true").Length
Write-Host "  Active users: $userCount" -ForegroundColor Green

# Licence inventory
Write-Host "  Collecting licence data..." -ForegroundColor Yellow
$subscriptions = Get-MgSubscribedSku
$licenceRows = @()

foreach ($sub in $subscriptions) {
  $skuName = $sub.SkuPartNumber
  $isAiRelevant = $false
  foreach ($pattern in $aiSkuPatterns) {
    if ($skuName -like "*$pattern*") { $isAiRelevant = $true; break }
  }

  $licenceRows += [PSCustomObject]@{
    SKU              = $skuName
    FriendlyName     = $sub.SkuId  # Graph doesn't return friendly name; map manually
    TotalLicences    = $sub.PrepaidUnits.Enabled
    AssignedLicences = $sub.ConsumedUnits
    AvailableLicences = ($sub.PrepaidUnits.Enabled - $sub.ConsumedUnits)
    CapabilityStatus  = $sub.CapabilityStatus
    AIRelevant        = $isAiRelevant
  }
}

$licenceRows | Export-Csv "$OutputPathlicence-inventory.csv" -NoTypeInformation
Write-Host "  Licence inventory saved. AI-relevant SKUs found:" -ForegroundColor Green
$licenceRows | Where-Object { $_.AIRelevant } | ForEach-Object {
  Write-Host "    * $($_.SKU): $($_.AssignedLicences) / $($_.TotalLicences) assigned" -ForegroundColor Magenta
}

Write-Host "Script 02 complete." -ForegroundColor Green

Partner bundle

Client-ready discovery system

The complete system turns raw tenant findings into a client-ready readiness report, roadmap, and scoped follow-on engagement.

Access with Integrator →

03. Copilot configuration and AI tool footprint

TOOLKIT

CSV: Copilot-licensed users. CSV: third-party AI apps. JSON: Copilot Studio agents.

04. Security posture and Conditional Access

TOOLKIT

JSON: Secure Score breakdown. CSV: privileged role members. CSV: Conditional Access policy summary.

05. Data governance and sensitivity labels

TOOLKIT

CSV: sensitivity label list. CSV: DLP policies. JSON: SharePoint external sharing summary.

06. User activity and productivity signals

TOOLKIT

CSV: M365 app usage by user. CSV: Teams activity summary. CSV: email volume by department.

07. Automation readiness — Power Platform and connectors

TOOLKIT

JSON: Power Platform environment summary. CSV: connector policy list. TXT: automation opportunity signals.

08. Compile discovery report

TOOLKIT

JSON: discovery-report.json. HTML: discovery-summary.html (client-ready).

After the scripts run

You now have structured data. Here is what to do with it before the client presentation.

Review discovery-summary.html

Open the HTML report first. RED findings need to be resolved before any AI deployment. AMBER findings go into the roadmap. Share this internally with your delivery lead before the readout.

Map to PSF domains

Use the risk register output to map each finding to the eight PSF domains. This gives your readout structure and connects every finding to a recognised governance framework.

Prepare the stakeholder interview guide

The scripts get the technical picture. The interviews get the human one. Use the Assessment Facilitation Guide to run structured conversations with business owners before presenting.

Build the roadmap

Sort findings by RAG status and business impact. Red findings = immediate blockers. Amber = 30-day targets. Green = baseline to maintain. Each finding becomes a scoped deliverable.

Package the deliverable

The discovery report, risk register, roadmap, and ROI model together form the readout deck. Use the assessment report template from the toolkit and the ROI calculator to complete the package.

Transition to delivery

Every finding should resolve to a concrete next step. The next scope may cover remediation, policy work, or deployment depending on what the client prioritises.

Accompanying templates

These engagement artefacts help delivery teams turn discovery output into a board-ready readout, roadmap, and proposal.

PS1

run-all-discovery.ps1

Wrapper script that runs scripts 01–08 in sequence with a single command.

XLSX

discovery-output-template.xlsx

Pre-formatted Excel workbook to paste CSV outputs into for client-ready presentation.

DOCX

discovery-report-template.docx

Word template for the written discovery summary report. Maps to the HTML output.

PDF

discovery-checklist.pdf

Print-ready checklist for the on-site discovery day. Sign off each item as you go.

Ready to run your first assessment?

Use this discovery path to identify blockers, shape the roadmap, and package a credible first AI engagement for the client.

Assessment facilitation guide →ROI calculator →Get the launch pack →

Start here — production AI

Foundational reference pages for practitioners and teams evaluating production AI safety, agent readiness, and certification paths.

What is production AI? →AI agent production ready checklist →AI certification compared →AI-proof your career →WorkflowOS open-source PSF studio →PSF standard →

M365 Tenant Discovery.Scripts. Not guesswork.

Before you start

Required tenant permissions

Discovery scripts

Prerequisites setup

Tenant profile and licensing

Client-ready discovery system

After the scripts run

Accompanying templates

Ready to run your first assessment?

M365 Tenant Discovery.
Scripts. Not guesswork.