How SimpleEntra scans
your tenant.

SimpleEntra is registered as a multi-tenant application in its own Entra ID tenant. When your administrator clicks the admin-consent link, Microsoft creates a service principal in your tenant — one object, read-only permissions.

The service principal is the only thing we have 'inside' your tenant. You can inspect it at any time under Entra → Enterprise applications → SimpleEntra. You can disable or delete it at any time. Deletion is immediate and permanent — our next Graph call returns 401 Unauthorized.

We use application permissions (app-only), not delegated permissions. This means SimpleEntra signs in as itself — it cannot impersonate a user, act on a user's behalf, or access anything that requires a user token (mail, files, Teams messages).

Immediately after consent the fast scan runs synchronously in the browser request. It makes 6 targeted Microsoft Graph calls and returns:

• MFA coverage

  What % of your users have completed MFA registration. Separate: admins vs. regular users.
• Legacy authentication

  Is legacy auth (Basic, SMTP AUTH) blocked at tenant level? Are there Conditional Access policies closing the gap?
• Global Admin count

  How many accounts have the Global Administrator role. Benchmark: max 2.
• Expiring application secrets

  App registrations with secrets expiring within 30 or 90 days.
• Device status

  % of Intune-managed devices in a compliant state.
• Risky users

  Accounts flagged as high or medium risk by Entra ID Protection.

The full scan is triggered on-demand by the MSP operator. It runs in a separate worker process and uses Maester — an open-source PowerShell test suite maintained by the Microsoft identity community.

Maester runs against your tenant with the same app-only credentials and returns structured pass/fail results for each test. We parse the output into structured findings and store them in our database tagged with framework:

• CIS Controls v8 — 170+ controls covering basic security hygiene
• CISA SCuBA — 120+ controls from the US cybersecurity baseline for M365
• EIDSCA — 80+ Entra ID Security Config Analyzer controls
• Maester community tests — 38+ additional open-source checks

Total: 408+ controls. Every check is mapped to a published control in a named framework. We do not invent severity levels — they come from the sources.

All data lands in a Supabase Postgres database in eu-central-1 (AWS Frankfurt). The Next.js frontend reads it via Row Level Security policies — each MSP's data is strictly isolated from others.

The dashboard shows:

• Overall posture score + maturity per pillar (Identity, Devices, Apps, Access)
• Sign-in trends and anomalies (heatmap, geo, peak hours)
• Conditional Access coverage and policy-by-policy overview
• App registrations with expiring secrets or broad OAuth permissions
• Full findings list, filterable by framework, risk level and pillar
• Remediation queue with status, priority, deadline and audit trail
• Explanations per finding via Claude (optional, requires API key)

This list is worth stating explicitly. SimpleEntra will never:

• Write to your tenant (no ReadWrite permissions exist in our manifest)
• Read email, calendar, OneDrive files, Teams messages or SharePoint content
• Create or modify users, groups or roles
• Change or enable/disable Conditional Access policies
• Send emails on your behalf (Mail.Send is not in our permission set)
• Store your Graph tokens permanently (they are fetched fresh on each call via client credentials flow)
• Store the actual values of application secrets — we only read metadata (name, expiry, key ID)

If you want to be sure, open the admin-consent URL before you approve it — Microsoft shows all permissions we request. If you see anything other than .Read permissions, do not approve and contact us.