CIS · SCuBA · NIS2 · ISO 27001 · EIDSCA · DORA

Know your Microsoft 365 risk —
before the board asks.

Zero to full visibility in one day. SimpleEntra delivers board reports, NIS2 and ISO mapping, and a continuous posture trend — without changing anything in your Microsoft 365 environment.

Read-only access · EU data · NIS2 mapping · GDPR DPA · SOC 2 Type II (under audit)
Demo tenant · last synced 2s ago

Posture: 67/100
Critical risk: 2 findings
Pending: 14 of 127
NIS2 mapping: 84% of art. 21 covered
Trend: ↑ 4 since Q1
Board flags: 3 require action

Latest findings (408 controls · CIS · SCuBA · EIDSCA)
  • Account takeover — 2 admins without MFA (High)
  • Compliance drift — NIS2 coverage dropped 3% since Q1 (Medium)
  • Board flag — 3 Global Admins (recommended max 2) (Medium)
  • Access hygiene — 5 apps losing access in 30 days (Medium)
  • Conditional Access — 94% of users covered (Pass)

The problem

Leadership and auditors ask the same questions.
You have technical answers — not business answers.

Microsoft 365 is the backbone of most mid-sized organisations. And it is one of the most frequently attacked surfaces in modern cybersecurity. The problem is rarely a lack of technical knowledge — it is a lack of visibility in the language that boards, CISOs and auditors understand.

The board asks about your risk. You have a Secure Score number, not an answer.

Microsoft Secure Score is an internal IT metric. It has not been translated into business risk, compliance status, or what it would cost if things go wrong. Board and management reporting requires a different language.

The auditor asks for NIS2/ISO 27001 documentation. You kick off a €5,000 consulting engagement.

An external security review costs €5,000–10,000 and takes weeks to schedule. You get a PDF. Three months later the configuration changes — and you start over at the next audit.

Configuration changes every day. You find out after a breach — or when the auditor asks.

Microsoft 365 has 200+ security settings. Updates, new policies and administrator changes can shift your posture without anyone noticing — until it is too late.

2.8×
more expensive to handle a breach than to prevent it with ongoing posture checks

Source: IBM Cost of a Data Breach Report 2024.

How it works

From admin consent to board report
in under 10 minutes.

Step 01

Your IT admin approves the connection in 10 minutes — read-only access only.

A standard Microsoft admin-consent link. No passwords, no software to install. SimpleEntra gets one read-only connection to your Entra ID — nothing more.

Step 02

The six most important risk indicators in 60 seconds. Full board report ready in 5 minutes.

Within a minute the six key KPIs are ready, among them MFA coverage, legacy protocol blocking, number of Global Admins and expiring application secrets. The full analysis with all 408+ controls and the board report is complete in 3–5 minutes.

Step 03

Quarterly posture trend with risk ranking.

Findings are ranked by business risk (High / Medium / Low) and tagged with the compliance framework they map to. Each finding has an explanation of the business consequences and a concrete action description. The trend is shown over time — you can see whether you are improving.

Step 04

Audit-ready documentation for NIS2, ISO 27001 and the board.

Export a structured report that maps your findings to compliance frameworks. Use it for auditors, board meetings, or as the basis for your ROPA and risk assessment.

Built on open standards

Language your auditor and board understand.

Every finding is mapped to recognised compliance frameworks. You can cite specifically — not just "we use best practice".

170+ · CIS Controls v8
Center for Internet Security — foundational security controls
Mappings: NIS2, ISO 27001

120+ · CISA SCuBA
US Cybersecurity and Infrastructure Security Agency — baseline for Microsoft 365
Mappings: NIS2, DORA

80+ · EIDSCA
Entra ID Security Config Analyzer — identity controls
Mappings: ISO 27001

38+ · Maester
Open-source Entra ID test suite — maintained by the community
Mappings: NIS2, ISO 27001

Included deliverables
  • NIS2 coverage report (PDF)
  • ISO 27001 Annex A mapping (XLSX)
  • Board executive summary (PDF)
  • Quarterly posture trend

Why you can trust the results

No black box. No marketing.

Every finding we show comes from a named control in a named framework. We do not invent severity levels. We do not pad the list to look impressive. If a check passes, we write that it passes.

  • All 408+ controls cross-checked against public CVE databases
  • Every finding links to official Microsoft documentation
  • Framework tags so you know which compliance baseline each check addresses
  • Maester is open source — you can inspect every single test we run

Implementation basis

The frameworks above are the technical foundation behind the deliverables. Auditors and board see outputs — NIS2 coverage, ISO Annex A status, posture score over time. The IT team sees the underlying control IDs and can drill into each finding.

Powered by Maester (open source)

The full scan runs Maester — a publicly auditable PowerShell test suite maintained by the Microsoft identity community. You can read every single test we run.

Security and privacy

We built it in from the start.
Not bolted on afterwards.

A security tool that is careless with your data would be embarrassing. Here is exactly how we handle yours.

Read-only. Always.

All Graph permissions we request are read-only (.Read) scopes. We have no write access to your tenant. We cannot create users, change policies, send emails or touch any configuration. If in doubt, review the full permission list before you approve.
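One way to verify that claim yourself after consent, as an added example that is not SimpleEntra's own code: pull the app's delegated grants from Graph (GET /servicePrincipals/{id}/oauth2PermissionGrants) and flag every scope whose action segment is not Read or ReadBasic. The JSON below is a constructed sample in the shape of that response; the client ID is a placeholder.

```python
"""Flag any non-read-only delegated Graph scope granted to an enterprise app."""
import json

# Constructed sample in the shape of a Graph oauth2PermissionGrants response.
# The second grant deliberately contains write scopes so the check has something to catch.
SAMPLE_GRANTS = json.dumps({
    "value": [
        {"clientId": "00000000-0000-0000-0000-000000000001",
         "consentType": "AllPrincipals",
         "scope": "Directory.Read.All Policy.Read.All AuditLog.Read.All"},
        {"clientId": "00000000-0000-0000-0000-000000000001",
         "consentType": "AllPrincipals",
         "scope": "User.ReadBasic.All Directory.ReadWrite.All Mail.Send"},
    ]
})

# Graph scopes are "Resource.Action[.Qualifier]"; only these action words grant no write access.
READ_ONLY_ACTIONS = {"Read", "ReadBasic"}


def is_read_only(scope: str) -> bool:
    """True for Directory.Read.All or User.ReadBasic.All; False for ReadWrite, Send, Manage.

    Scopes without a dot (openid, offline_access, ...) do not follow the pattern and are
    deliberately returned as False so they show up for manual review.
    """
    parts = scope.split(".")
    if len(parts) < 2:
        return False
    return parts[1] in READ_ONLY_ACTIONS


def audit_grants(grants_json: str) -> dict:
    """Return {'read_only': [...], 'review': [...]} over every scope in every grant, de-duplicated."""
    result = {"read_only": [], "review": []}
    for grant in json.loads(grants_json).get("value", []):
        for scope in grant.get("scope", "").split():
            bucket = "read_only" if is_read_only(scope) else "review"
            if scope not in result[bucket]:
                result[bucket].append(scope)
    return result


if __name__ == "__main__":
    verdict = audit_grants(SAMPLE_GRANTS)
    print("Read-only scopes:", ", ".join(verdict["read_only"]))
    # For a genuinely read-only app this line should print "none".
    print("Scopes needing review:", ", ".join(verdict["review"]) or "none")
```

Application permissions (appRoleAssignments) are granted by role ID rather than by name, so they need a separate lookup against the Graph service principal's appRoles before the same rule can be applied.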

EU data. Nothing else.

All tenant data lives in Supabase eu-central-1 (AWS Frankfurt). It never leaves the EU. Supabase is certified under SOC 2 Type II and HIPAA. We chose EU hosting from day one — not because anyone asked.

12 months retention, then deleted.

We retain your scan data for 12 months from last activity. Then an automated job deletes everything — logins, findings, devices, all of it. No soft-delete, no shadow copies.

DPA ready to sign within 24 hours.

Legal friction is a real blocker. Our Data Processing Agreement (following the Danish Data Protection Authority's standard template) is ready and can be signed within 24 hours of enquiry — it is mandatory before production use.

Revoke access in two clicks.

Go to Entra → Enterprise Applications → SimpleEntra → Delete. Done. Access is gone instantly. Our next Graph call returns a 401. We cannot re-establish access without you re-running admin consent.

Full audit trail in your Entra portal.

Microsoft logs every single Graph call SimpleEntra makes in your Sign-in log under Service Principal sign-ins, and in your Audit log. That is the primary verification source — a log we cannot edit.

Under audit

SOC 2 Type II — under audit, expected Q3 2026.

We are in the SOC 2 Type II certification process. The report is not complete yet — we are open about that. Delivery: Q3 2026. Supabase (our data provider) is already SOC 2 Type II certified.

Sub-processors

The complete list of third parties that may process your data.

Provider              Purpose
Supabase              Postgres database + auth
Anthropic (optional)  Explanations per finding
Microsoft Graph       Read-only data collection

Ready to see your posture?

Know your Entra ID risk
before the board asks.

Book a 30-minute demo. We connect to a test tenant, run a live scan and show you what SimpleEntra finds — no slides, no sales pitch.

No commitment. No credit card. We show you findings on a real tenant.