Before you sign in

What happens when you connect your tenant

A quick overview of how your browser reads your tenant, and every Microsoft Graph permission it will ask for. All read-only.

How the architecture works

The short version: we have no backend that sees your data.

  • Runs entirely in your browser

    All Microsoft Graph calls are made from your browser directly to Microsoft. No backend, no proxy.

  • No servers, no storage

    We do not host any backend that receives your tenant data. Nothing is logged, cached, or persisted on our side.

  • PDF generated client-side

    The report is rendered in your browser with jsPDF and streamed straight to your downloads folder.

  • Standard OAuth 2.0 + MSAL

    We use the official Microsoft Authentication Library (MSAL). Tokens live in your browser's session storage and are scoped to read-only operations.

The 22 permissions we request

All read-only. An admin must consent once per tenant.

Read-only · Zero storage

Identity & Directory

4 scopes
  • User.Read: Basic profile of the signed-in user
  • Directory.Read.All: Users, tenant properties, org structure
  • Group.Read.All: Security and Microsoft 365 groups
  • Domain.Read.All: Verified custom domains

Security & Access Control

5 scopes
  • Policy.Read.All: Conditional Access and security policies
  • IdentityRiskyUser.Read.All: Identity Protection monitoring
  • IdentityRiskEvent.Read.All: Risk detection events
  • AuditLog.Read.All: PIM activation history
  • RoleManagement.Read.Directory: Directory role assignments

Privileged Identity Management

6 scopes
  • RoleEligibilitySchedule.Read.Directory: PIM role eligibility
  • RoleAssignmentSchedule.Read.Directory: Active PIM role assignments
  • RoleManagementPolicy.Read.Directory: PIM policies
  • PrivilegedEligibilitySchedule.Read.AzureADGroup: PIM for Groups eligibility
  • PrivilegedAssignmentSchedule.Read.AzureADGroup: PIM for Groups assignments
  • PrivilegedAccess.Read.AzureResources: PIM for Azure resources

Identity Governance

4 scopes
  • EntitlementManagement.Read.All: Access packages and catalogs
  • AccessReview.Read.All: Access certification tracking
  • Agreement.Read.All: Terms of use agreements
  • AgreementAcceptance.Read.All: Terms of use acceptance records

Applications

2 scopes
  • Application.Read.All: App registrations and service principals
  • Policy.Read.PermissionGrant: OAuth2 grants and consent policies

External Identities

1 scope
  • IdentityProvider.Read.All: SAML/WS-Fed identity providers

Your data never leaves your Microsoft tenant. Reports are generated entirely in your browser; nothing is uploaded to or stored on our servers. See Microsoft's official permissions reference.
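One way for a tenant admin to check the "all read-only" claim before consenting, as an added example that is not the product's own code: it compares the `scope` parameter of the sign-in request (visible in the browser's address bar or network tab) against the 22 scopes listed above and flags anything undocumented or not a Read permission. The function names, sample URL and `client_id` are constructed for illustration.

```javascript
// The 22 delegated Microsoft Graph scopes listed on this page.
const DOCUMENTED = new Set([
  'User.Read', 'Directory.Read.All', 'Group.Read.All', 'Domain.Read.All',
  'Policy.Read.All', 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All',
  'AuditLog.Read.All', 'RoleManagement.Read.Directory',
  'RoleEligibilitySchedule.Read.Directory', 'RoleAssignmentSchedule.Read.Directory',
  'RoleManagementPolicy.Read.Directory',
  'PrivilegedEligibilitySchedule.Read.AzureADGroup',
  'PrivilegedAssignmentSchedule.Read.AzureADGroup',
  'PrivilegedAccess.Read.AzureResources',
  'EntitlementManagement.Read.All', 'AccessReview.Read.All', 'Agreement.Read.All',
  'AgreementAcceptance.Read.All', 'Application.Read.All',
  'Policy.Read.PermissionGrant', 'IdentityProvider.Read.All',
]);
// Standard OpenID Connect scopes seen in sign-in requests; they are not Graph permissions.
const OIDC = new Set(['openid', 'profile', 'offline_access', 'email']);
const GRAPH_PREFIX = 'https://graph.microsoft.com/';

// Pull the space-delimited scope list out of an OAuth 2.0 authorize URL.
function scopesFromAuthorizeUrl(authorizeUrl) {
  return new URL(authorizeUrl).searchParams.get('scope') || '';
}

// Audit a space-delimited scope string (authorize request or a token's scp claim).
function auditScopes(scopeString) {
  const report = { undocumented: [], notReadOnly: [], missing: [] };
  const seen = new Set();
  for (const token of scopeString.split(/\s+/).filter(Boolean)) {
    if (OIDC.has(token.toLowerCase())) continue;
    const name = token.startsWith(GRAPH_PREFIX) ? token.slice(GRAPH_PREFIX.length) : token;
    seen.add(name);
    // Exact-case match; anything not on the page's list (including .default) is flagged.
    if (!DOCUMENTED.has(name)) report.undocumented.push(name);
    // Graph names follow Resource.Operation[.Constraint]; only Read operations pass.
    if (!/^Read(Basic)?$/.test(name.split('.')[1] || '')) report.notReadOnly.push(name);
  }
  report.missing = [...DOCUMENTED].filter((s) => !seen.has(s));
  report.ok = report.undocumented.length === 0 && report.notReadOnly.length === 0;
  return report;
}

// Constructed sample request: placeholder client_id, one scope outside the documented set.
const SAMPLE_URL = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
  + '?client_id=00000000-0000-0000-0000-000000000000&response_type=code&scope='
  + encodeURIComponent('openid profile User.Read https://graph.microsoft.com/Directory.Read.All Group.ReadWrite.All');
console.log(auditScopes(scopesFromAuthorizeUrl(SAMPLE_URL)));
```

An interactive sign-in may request only a subset of the scopes, so a non-empty `missing` list is informational; `undocumented` and `notReadOnly` are the fields that contradict the page.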