Know your Microsoft 365 risk in plain English—before it becomes a costly incident.
TenantSentinel gives business leaders a single health score backed by a 10-tab executive report covering MFA coverage, Conditional Access policy validation, privileged role risk, enterprise app permissions, licensing cost optimization, security gaps, risk scenarios, baseline compliance, and historical trending.
No canned reports with static filler language. If your environment is secure, we'll say so. If it isn't, we'll show you exactly where the gaps are, what they cost, and how to close them. Every assessment is tailored to your actual tenant configuration.
Your Tenant Sentinel Analysis Score
Every scan produces a single number that tells you where you stand. Sub-scores across four dimensions give your team a clear starting point for improvement.
How It Works
Three steps from start to executive report. No agents to deploy, no firewall changes, no tenant modifications.
Activate Your License
Install the TenantSentinel desktop app and enter your license key. The app automatically generates a security certificate, registers it with Microsoft Entra ID, and sets up your scan credentials—all in one step, no manual configuration required.
Grant Read-Only Access
Your Global Admin clicks a consent link and approves read-only Microsoft Graph permissions. Takes under 2 minutes. No secrets or credentials are stored on your machine.
Run Your Scan
Click “Run Scan” in the app. TenantSentinel collects your tenant’s security posture via the Graph API and generates a self-contained HTML executive report with your health score, 10 assessment tabs, remediation runbooks, and licensing savings.
Why Organizations Trust TenantSentinel
Consent Governance
- Admin consent is managed during license activation.
- Certificate-based authentication—no client secrets stored on your machine.
Clear Evidence
- See compliance mapping for all findings (CIS, NIST, HIPAA, SOC 2).
- Findings are aligned to business impact and actionability.
Operational Readiness
- Executive report output is generated per scan run.
- Recurring scans support measurable trend tracking.
How We Compare
TenantSentinel replaces spreadsheet audits and generic dashboards with a purpose-built executive assessment.
| Capability | TenantSentinel | Manual Audit | Microsoft Secure Score | SaaS Management Platforms |
|---|---|---|---|---|
| Executive-ready HTML report | ✓ | — | — | — |
| Single health score with sub-scores | ✓ | — | Score only | — |
| Self-contained offline report | ✓ | — | — | — |
| No SaaS portal or cloud dependency | ✓ | ✓ | — | — |
| License cost optimization | ✓ | — | — | Some |
| Per-user MFA analysis | ✓ | Partial | — | Partial |
| CA policy validation & baselines | ✓ | Partial | — | — |
| Remediation runbooks with Fix It steps | ✓ | — | Generic tips | — |
| Historical trending & drift detection | ✓ | — | Limited | Some |
| Risk scenario mapping | ✓ | — | — | — |
| Tenant data never leaves your machine | ✓ | ✓ | — | — |
| No agents or firewall changes | ✓ | ✓ | ✓ | Varies |
Explore the Report
Every assessment produces a single self-contained HTML file with 10 interactive tabs.
Your Tenant Sentinel Analysis Score with sub-scores across Identity, Access Control, Data Protection, and Operations. KPI cards show MFA coverage percentage, Conditional Access policy count, admin risk level, and license utilization at a glance. Prioritized contributing factors tell you exactly what moved the score up or down.
Per-user authentication method breakdown showing which methods each user has registered. Coverage percentages by method type, a method-distribution chart, and click-through drill-down to individual user details.
Full policy inventory, including AI-generated definitions, enforcement state (enabled, report-only, or disabled), user and application coverage, baseline evaluation against seven recommended policies, and automated validation findings for every policy in the tenant.
Admin account inventory with MFA registration status, daily-use account detection, role assignments across all directory roles, and blast-radius analysis showing the potential impact of each privileged user being compromised.
Third-party application catalog with automated risk classification, last-activity timestamps, and click-through permission drill-down showing both delegated and application-level Microsoft Graph grants for every registered app.
Per-SKU cost breakdown using Microsoft retail pricing, inactive user detection (30+ days without sign-in), license utilization rates per SKU, and annualized savings calculations showing exactly how much can be recovered.
Unprotected user populations not covered by any Conditional Access policy, plus exclusion analysis identifying privileged users who have been explicitly exempted from security controls.
Categorized risk findings (Critical, High, Medium) with business-impact descriptions, affected user counts, and inline remediation runbooks providing step-by-step portal instructions and PowerShell commands.
Seven recommended Conditional Access baseline policies with pass, fail, or partial status, plus automated validation of every CA policy against best-practice criteria with detailed descriptions of each gap found.
Health score, MFA coverage, and risk scenario count plotted over time with embedded SVG line charts. Automatic drift markers flag regressions between scans so nothing slips through the cracks.
What We Typically Find
Real findings from real assessments. These are the kinds of issues TenantSentinel surfaces in the first scan.
25% of users have no MFA
Password-only accounts are the #1 entry point for credential-based breaches. Microsoft data shows MFA blocks 99.9% of automated attacks.
$900/year in unused licenses
Users who haven't signed in for 30+ days still have active paid licenses assigned. Reclaiming them funds other security priorities.
2 admin accounts without MFA
One compromised Global Admin account gives an attacker full tenant access. Every privileged role holder should have phishing-resistant MFA.
2 high-risk enterprise apps
Third-party apps with broad permissions and no recent activity. Dormant apps expand the blast radius of a breach and should be reviewed or removed.
No baseline CA policies in place
Microsoft recommends 7 foundational Conditional Access policies. Most tenants we scan are missing at least 3 of them on the first assessment.
Global Admins using daily accounts
Admins signing in to check email with their privileged accounts expose your most powerful credentials to everyday phishing risk.
Sample Reports
Explore interactive sample outputs using demo data. No signup required.
Ready to see your score?
Free for organizations with up to 50 licensed users. No credit card, no expiry, no review.