Predict the Unknown

Reduce the opaque grey area of Manual Review controls by predicting whether each one is likely passing or failing based on Microsoft 365 default settings — giving you a more realistic view of your actual compliance posture.

Why Manual Review Controls Matter

TATER scans your Microsoft 365 environment and evaluates hundreds of compliance controls automatically. Most controls return a definitive result: Pass, Fail, or Skip. But some controls cannot be automatically evaluated. They require a human to review a setting, read a policy document, interview a team member, or inspect a configuration that is not exposed through an API.

These controls are marked Manual Review. In a typical M365 scan, anywhere from 20 to 40 percent of controls may fall into this category depending on the frameworks you use.

The problem is that Manual Review controls contribute nothing to your compliance score. From the dashboard's perspective, they are a blank — no signal in either direction. An organization with 200 Manual Review controls genuinely does not know whether those controls represent 200 potential pass items or 200 potential fail items. The compliance score shown on the dashboard is therefore an incomplete picture: it reflects only what has been automatically verified, not the full truth of your posture.

How Predict the Unknown Works

Microsoft 365 ships with default settings. For many compliance controls, the answer to "does a default M365 tenant meet this control?" is knowable. Some defaults are not secure (MFA enforcement is off by default — Fail). Others are reasonable starting points (audit log retention enabled by default — Pass).

TATER's catalog allows each control to carry a defaultCompliance value that records this known default behavior:

  • pass — A freshly provisioned M365 tenant meets this control by default, without any additional configuration.
  • fail — A freshly provisioned M365 tenant does NOT meet this control by default. Explicit configuration is required.
  • (none) — The default behavior is unknown, ambiguous, environment-dependent, or not applicable. No prediction is made.

When you enable Predict the Unknown for your organization, TATER applies the following logic at display time: if a control resolves to Manual Review, and that control has a defaultCompliance value set, the display overrides the status to show either Predicted Pass (teal) or Predicted Fail (pink).

These Are Predictions, Not Facts

A Predicted Pass does not mean you are passing this control. It means that if your tenant has not been modified from its defaults, you are likely passing. Your organization may have changed the relevant setting — in either direction. Manual Review status means you still need to verify. Predictions are a prioritization tool, not a compliance certification.

Enabling Predict the Unknown

The feature is controlled per organization and is off by default. There are two ways to enable it:

Via Settings (OrgAdmin and above)

  1. Navigate to Settings in the left sidebar (the gear icon at the bottom)
  2. Click Features from the Settings submenu
  3. Find the Predict the Unknown card at the top of the Features page
  4. Check the checkbox to enable the feature
  5. The setting saves automatically — no Save button needed

The status text next to the checkbox updates immediately to show either "Predictions active" or "Predictions off". Predictions take effect on the next page load — navigate away and back to any compliance page to see the updated display.

Via Organization Detail (SuperAdmin and Admin)

  1. Navigate to Admin > Organizations
  2. Click on the organization name to open the detail panel
  3. Scroll to the Predict the Unknown section
  4. Read the description and use the toggle to enable or disable
  5. Click Save

The organization detail method is useful for SuperAdmins who are managing multiple organizations and want to enable the feature on behalf of a client without navigating to that organization's context.

Reading Predictions on the Dashboard

When predictions are active for your organization, the dashboard gains several new elements:

Prediction Stat Cards

Two new KPI cards appear on the dashboard, but only when at least one prediction exists for the current scan:

  • Predicted Pass (teal) — The number of Manual Review controls predicted to be passing based on M365 defaults
  • Predicted Fail (pink) — The number of Manual Review controls predicted to be failing based on M365 defaults

These cards are shown separately from the main Pass and Fail counts. Your official compliance score — the percentage shown prominently at the top of the dashboard — is never affected by predictions. It continues to reflect only definitively evaluated controls.

The Compliance Bar

The horizontal compliance bar that visualizes pass, fail, manual, and skip proportions gains two additional segments when predictions are active:

  • A teal segment following the green pass segment, representing predicted passes
  • A pink segment following the red fail segment, representing predicted fails

The legend below the bar shows a "◌ N predicted" entry for each prediction type to distinguish predictions from definitive results. The hollow circle icon (◌) visually signals that these are estimates.

Application Compliance Bars

Each compliance zone (Exchange, SharePoint, Teams, etc.) shown on the dashboard also reflects predictions. The per-app bars show teal and pink segments proportional to the number of predicted controls in that application scope, with count indicators using the same "◌N" notation.

Reading Predictions in Control Tables

On the Controls pages and in scan result views, predicted controls display a distinctive status badge. Instead of a single grey "Manual Review" badge, you will see either:

  • A teal "Predicted Pass" badge — styled distinctly from the green "Pass" badge to signal that this is a prediction, not a verified result
  • A pink "Predicted Fail" badge — styled distinctly from the red "Fail" badge for the same reason

Both badges include a tooltip or label that reads "Predicted" to further distinguish them. A control that is definitively passing shows a solid green Pass badge; a control that is predicted to be passing shows a teal Predicted Pass badge. The visual distinction is deliberate: you should never mistake a prediction for a verified finding.

Manual Review Controls Without a Prediction

Controls where defaultCompliance is null (not set) continue to show the standard grey Manual Review badge regardless of whether Predict the Unknown is enabled. Predictions only apply to controls with an explicit defaultCompliance value. Controls that have ambiguous defaults, or where the default varies based on licensing or tenant type, are intentionally left without a prediction.
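
The display-time rule described on this page, including the null case above and the score staying untouched, as a sketch. This is an added example, not TATER's own code; the status strings, control IDs, function names and the score formula (pass divided by pass plus fail) are assumptions.

```javascript
// Added illustration, not TATER source code. Status strings, control IDs and
// the score formula (pass / (pass + fail)) are assumptions for this sketch.
const PREDICTED = new Map([["pass", "Predicted Pass"], ["fail", "Predicted Fail"]]);

// Display-time override: relabel a result only if the org opted in, the scan
// result is Manual Review, and the control has an explicit defaultCompliance.
function displayStatus(result, control, predictionsEnabled) {
  if (!predictionsEnabled || result !== "Manual Review") return result;
  return PREDICTED.get(control.defaultCompliance) ?? result;
}

function summarize(scan, catalog, predictionsEnabled) {
  const counts = { "Pass": 0, "Fail": 0, "Skip": 0, "Manual Review": 0,
                   "Predicted Pass": 0, "Predicted Fail": 0 };
  for (const { controlId, result } of scan) {
    // A control missing from the catalog is treated as having no prediction.
    const control = catalog.get(controlId) ?? { defaultCompliance: null };
    counts[displayStatus(result, control, predictionsEnabled)] += 1;
  }
  // The score uses verified results only, so it is identical whether
  // predictions are on or off.
  const verified = counts["Pass"] + counts["Fail"];
  const score = verified === 0 ? null : Math.round((100 * counts["Pass"]) / verified);
  return { counts, score };
}

// Constructed sample data (hypothetical control IDs).
const sampleCatalog = new Map([
  ["CTL-1", { defaultCompliance: null }],
  ["CTL-2", { defaultCompliance: null }],
  ["CTL-3", { defaultCompliance: "pass" }],
  ["CTL-4", { defaultCompliance: "fail" }],
  ["CTL-5", { defaultCompliance: null }],   // ambiguous default: no prediction
  ["CTL-6", { defaultCompliance: "fail" }], // verified Pass is never overridden
]);
const sampleScan = [
  { controlId: "CTL-1", result: "Pass" },
  { controlId: "CTL-2", result: "Fail" },
  { controlId: "CTL-3", result: "Manual Review" },
  { controlId: "CTL-4", result: "Manual Review" },
  { controlId: "CTL-5", result: "Manual Review" },
  { controlId: "CTL-6", result: "Pass" },
  { controlId: "CTL-7", result: "Skip" },   // not in catalog
];

console.log(summarize(sampleScan, sampleCatalog, true));
console.log(summarize(sampleScan, sampleCatalog, false));
```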

Setting defaultCompliance Values

The quality of predictions is determined by the accuracy of the defaultCompliance values on each catalog control. These values are set by platform administrators — not computed automatically from scans.

Who Can Set defaultCompliance

| Control Type | Who Can Set defaultCompliance |
|---|---|
| Default controls (isDefault: true) | SuperAdmin only. Changes affect all organizations that use this control. |
| Org-specific controls | OrgAdmin and above for their own organization. Changes affect only that organization's controls. |

How to Set defaultCompliance

  1. Navigate to Catalog in the left sidebar
  2. Find the control you want to update. Use the search bar or filter by framework to narrow the list.
  3. Click the control to open its detail panel, then click Edit
  4. Locate the Default Compliance dropdown in the edit form
  5. Select Pass, Fail, or leave it blank (no prediction)
  6. Click Save

The change takes effect the next time scan results are evaluated for any organization. For organizations with Predict the Unknown enabled, the updated prediction will appear immediately on the next page load.

Researching M365 Defaults

When deciding whether to set a control's defaultCompliance to pass or fail, consult:

  • Microsoft's official documentation for the specific setting, which typically documents the default value
  • The Microsoft 365 admin center on a freshly provisioned developer tenant (Microsoft provides free developer tenants through the Microsoft 365 Developer Program)
  • The control's audit procedure in TATER, which often describes how to check the current value and what the compliant value should be
  • The CIS Benchmark or CISA SCuBA baseline document, which frequently includes a "Default Value" field in each control's description

Tip

When in doubt, leave defaultCompliance blank rather than guessing. An incorrect prediction (e.g., marking a control as Predicted Pass when it actually fails by default) trains users to deprioritize those controls during manual review — the opposite of the intended effect. Accurate predictions are more valuable than comprehensive ones.

When to Use This Feature

Predict the Unknown is most useful in these scenarios:

New Organizations or Tenants

When onboarding a new client or setting up a fresh M365 tenant, the very first scan will have a high number of Manual Review controls. Before any manual verification has been done, predictions give the security team a realistic starting hypothesis about where problems are likely to exist. This helps prioritize the initial review effort.

Prioritizing Manual Review Work

If a compliance team has limited time to conduct manual verification, predictions help allocate that time effectively. Start with the Predicted Fail controls — these are the ones most likely to need remediation. Predicted Pass controls can be verified later or deferred to the next audit cycle.

Executive-Level Reporting

Predictions provide a more complete narrative for leadership reporting. Instead of saying "We are 74% compliant, but 30% of controls are in an unknown Manual Review state," you can say "We are 74% verified compliant. Our predictions suggest an additional 12% are likely passing and 18% are likely failing based on known M365 defaults — we are working to verify those now."

Limitations and Caveats

Understanding what predictions cannot tell you is as important as understanding what they can:

  • Predictions reflect defaults, not your configuration. If your organization has been using M365 for years and has customized many settings, the default values may be meaningless for most controls. A Predicted Pass could easily be a real Fail if your organization disabled that setting years ago.
  • Predictions do not update automatically when you make changes. Changing a setting in M365 does not update the prediction in TATER. Only running a new scan — or completing a manual review — can change a control's status from predicted to verified.
  • Predictions do not count toward your compliance score. This is by design and is not a limitation. Official compliance percentages must reflect only verified results to be meaningful for audit purposes.
  • The feature has no effect if defaultCompliance values are not set. Enabling Predict the Unknown on an organization that has no defaultCompliance values on its catalog controls will show no predictions. The feature depends entirely on the quality and coverage of the catalog data.
  • Licensing and configuration variations affect defaults. Some M365 settings behave differently depending on the tenant's license tier (E3 vs. E5) or whether certain features have been activated. Controls with license-dependent defaults may not have a reliable single "default" value and should be left without a prediction.

Audit Integrity

Predictions are clearly distinguished in both the UI and any exported reports. Auditors reviewing TATER output will see the hollow-circle notation and "Predicted" labels that distinguish estimates from verified findings. You should never present predictions as verified compliance evidence in a formal audit without completing the underlying manual review.
