For IT Admins & Security Teams

Technical Setup Guide

This page covers everything you need to know before and during TenantSentinel setup: what it accesses, how it authenticates, and how to get your first scan running. The whole process takes about 10 minutes.

Before You Start

Make sure you have these four things ready. If you’re the Global Admin, you can do the entire setup yourself. If not, you’ll need your GA for one step (granting consent).

A TenantSentinel license key

You’ll receive this in the format TS-XXXX-XXXX-XXXX-XXXX when your license is issued. Get a free license key instantly — no review required.

Your Microsoft 365 Tenant ID

A GUID that identifies your organization’s Microsoft 365 environment. This is usually included in your license key and populated automatically. If prompted, find it in Azure Portal → Microsoft Entra ID → Overview → Tenant ID.

A Global Administrator

Someone with the Global Administrator role in your Microsoft 365 tenant needs to click a consent link once to authorize TenantSentinel’s read-only access. If that’s you, great. If not, you’ll send them a link from the setup wizard.

A Windows 10 or 11 machine

64-bit, with administrator rights to install the app. Windows PowerShell 5.1 is built into every supported version of Windows—nothing extra to install. PowerShell 7 works too if you have it.

How TenantSentinel Connects to Your Tenant

TenantSentinel uses the Microsoft Graph API with application permissions and certificate-based authentication. Here’s what that means in practice.

Authentication: certificate-based, no secrets on your machine

During setup, the desktop app generates a self-signed X.509 certificate in your Windows certificate store. The public key is registered automatically on the TenantSentinel app registration in Microsoft Entra ID. When a scan runs, it uses this certificate to authenticate—the private key never leaves your machine, and there are no client secrets, PFX files, or passwords involved.

App registration: multi-tenant, managed by TenantSentinel

TenantSentinel maintains a single multi-tenant app registration. When your Global Admin grants consent, your tenant is added to that registration. You don’t create or manage any app registrations yourself. If you ever want to revoke access, remove the enterprise application from your Entra ID → Enterprise Applications list.

Verified Microsoft publisher

TenantSentinel is a verified Microsoft ISV. When your Global Administrator opens the consent prompt, they’ll see a Verified badge next to the publisher name—Microsoft’s confirmation that the app registration has been validated against our business identity. If anyone on your team has questions about the consent prompt, that badge is the fastest way to confirm they’re looking at the real TenantSentinel application.

Permissions: read-only, listed below

TenantSentinel requests only read-only Microsoft Graph permissions. It does not modify any settings, policies, users, or configurations in your tenant. Every permission is an application-level .Read scope.

Directory.Read.All

Read tenant organization info, domains, and directory structure

User.Read.All

Read user profiles to assess MFA coverage and license assignments

AuditLog.Read.All

Read sign-in activity to detect daily-use admin accounts

Reports.Read.All

Read Secure Score and usage reports for trending analysis

UserAuthenticationMethod.Read.All

Read MFA registration methods per user for coverage analysis

RoleManagement.Read.Directory

Read directory role assignments to identify privileged accounts

Policy.Read.All

Read Conditional Access policies for baseline and gap analysis

SecurityEvents.Read.All

Read security alerts for risk scenario identification

Application.Read.All

Read enterprise app registrations for permission risk analysis
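One way to confirm that the enterprise application in your tenant holds exactly the nine documented read-only application permissions, as an added example that is not TenantSentinel's own code. It assumes the Microsoft Graph PowerShell SDK is installed, that you hold Application.Read.All yourself, and that the enterprise application is named "TenantSentinel" as the revocation steps on this page describe.

```powershell
# Added example (not part of TenantSentinel): audit the Graph app roles granted to the
# TenantSentinel enterprise application against the list documented on this page.
Connect-MgGraph -Scopes 'Application.Read.All'

$expected = @(
    'Directory.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'Reports.Read.All',
    'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory',
    'Policy.Read.All', 'SecurityEvents.Read.All', 'Application.Read.All'
)

# Enterprise application created in your tenant when the Global Admin consented
# (assumes the display name 'TenantSentinel'; adjust if it differs in your tenant)
$sp = Get-MgServicePrincipal -Filter "displayName eq 'TenantSentinel'" | Select-Object -First 1
if (-not $sp) { throw 'TenantSentinel enterprise application not found: consent not granted or already revoked.' }

# Microsoft Graph's own service principal (well-known appId) defines the app role ids and names
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleById = @{}
foreach ($r in $graphSp.AppRoles) { $roleById[$r.Id] = $r.Value }

# Application permissions actually granted to TenantSentinel, resolved to scope names
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleById[$_.AppRoleId] }

$unexpected  = $granted  | Where-Object { $_ -notin $expected }
$missing     = $expected | Where-Object { $_ -notin $granted }
# Any scope whose name is not of the form X.Read or X.Read.Y is not read-only
$notReadOnly = $granted  | Where-Object { $_ -notmatch '\.Read(\.|$)' }

"Granted ($($granted.Count)): $($granted -join ', ')"
if ($unexpected)  { Write-Warning "Granted but not documented: $($unexpected -join ', ')" }
if ($missing)     { Write-Warning "Documented but not granted: $($missing -join ', ')" }
if ($notReadOnly) { Write-Warning "Non-read scopes granted: $($notReadOnly -join ', ')" }
```

Re-run this after any consent change; a non-empty "Granted but not documented" or "Non-read scopes granted" warning is the signal to investigate before the next scan.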

Data stays on your machine

Scan data is never uploaded to TenantSentinel servers. Reports are generated locally and saved as self-contained HTML files in C:\ProgramData\TenantSentinel\Reports\. The only network calls are to the Microsoft Graph API (to read your tenant data) and to the TenantSentinel licensing server (to validate your license key).

Setup Walkthrough

The desktop app has a 3-step wizard that handles everything. Here’s what happens at each step so there are no surprises.

1. Download & install

Download the installer and run it as administrator. The app installs to Program Files and creates a desktop shortcut. When you launch it for the first time, the setup wizard starts automatically.

2. Activate your license

Paste your TS-XXXX-XXXX-XXXX-XXXX license key and click Activate License. The app validates your key, automatically generates a self-signed X.509 certificate in your Windows certificate store, registers the public key with the TenantSentinel app registration in Entra ID, and sets up your scan credentials—all in one step. The private key never leaves your machine.

3. Grant permissions

The wizard shows a consent link with a Copy button. This is a standard Microsoft admin consent URL. Send it to your Global Administrator (or open it yourself if you are the GA). Microsoft shows the list of read-only permissions above and asks for approval—you’ll see a Verified publisher badge confirming the app is from TenantSentinel. Click Accept, and you’re done—you’ll be redirected to the TenantSentinel home page to confirm it worked.

This is a one-time step. You won’t need to do it again unless you revoke consent.

4. Run your first scan

Click Open TenantSentinel in the wizard. From the dashboard, click Run Scan. The app authenticates with your certificate, reads your tenant’s security configuration through the Graph API, and generates a complete executive report. It usually takes 2–5 minutes depending on tenant size.

What’s in the Report

Each scan produces a single self-contained HTML file—no external dependencies, works offline, safe to email. Open it in any browser. Here’s what the 10 tabs cover.

Overview

Your TenantSentinel Analysis Score (0–100) with sub-scores across four dimensions, letter grades, and the specific factors pulling your score up or down.

MFA Analysis

Per-user MFA method breakdown, registration coverage percentages, and method distribution across your organization.

Conditional Access

Every CA policy inventoried, evaluated against 7 baseline policies, with automated validation and detailed gap analysis.

Privileged Roles

All admin accounts with their role assignments, MFA status, and whether they’re being used for daily work (a common risk signal).

Enterprise Applications

Third-party app permission drill-down with risk classification, consent type, and last-activity detection for stale apps.

Licensing Analysis

Per-SKU cost breakdown using Microsoft retail pricing, inactive user detection, and annualized savings calculations.

Security Gaps

Users and groups excluded from Conditional Access policies—the people your security rules aren’t protecting.

Risk Scenarios

Categorized risks (Critical/High/Medium) each with a Fix It panel containing portal steps, PowerShell commands, and rollback notes.

Baselines

7 Conditional Access baseline policies with pass/fail/partial results and specific guidance on what’s missing.

Trending

Historical health score over time with drift detection markers when MFA coverage, risk counts, or overall posture change.

Renewing Your Certificate

The certificate TenantSentinel generates during setup is valid for two years. When it gets close to expiring, the app shows a warning on the dashboard. Here’s what to do when that happens.

1. Open Settings and renew

Go to Settings → Certificate & Authentication. You’ll see your current certificate’s thumbprint and expiry date. Click Renew Certificate. The app generates a new certificate in your Windows certificate store, registers the new public key with the TenantSentinel service, and updates your scan credentials. The whole process takes less than a minute.

2. No other steps required

Your admin consent grant stays in place. You don’t need to involve your Global Administrator or re-approve any permissions—only the certificate key is changing, not the application registration or its permission scope. Scans will continue normally as soon as renewal completes.

If the certificate has already expired

Scans will fail until you renew. Go to Settings → Certificate & Authentication and click Renew Certificate. The process is the same as a standard renewal. You may see an error on the Dashboard in the meantime—it will clear after the first successful scan post-renewal.

Moving to a new machine?

There’s nothing to transfer. Install TenantSentinel on the new machine, activate your existing license key, and a fresh certificate is generated automatically during setup. The old machine’s certificate can be left to expire or removed manually from its Windows certificate store (Cert:\CurrentUser\My).
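A quick local health check for the scan certificate described in this section, as an added example rather than TenantSentinel's own code: it lists matching certificates in Cert:\CurrentUser\My, reports thumbprint and days to expiry, and confirms the private key is present on this machine. It assumes the certificate's Subject contains "TenantSentinel", which the page does not state; adjust the filter if the subject differs.

```powershell
# Added example (not part of TenantSentinel): inspect the scan certificate in the
# current user's personal store and flag expiry before scans start failing.
$warnDays = 30   # assumed threshold; the app shows its own dashboard warning

# Assumption: the generated certificate's Subject contains 'TenantSentinel'
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*TenantSentinel*' } |
    Sort-Object NotAfter -Descending

if (-not $certs) {
    Write-Warning 'No TenantSentinel certificate found. Use Settings -> Certificate & Authentication -> Renew Certificate.'
    return
}

foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $warnDays) { 'EXPIRING SOON' }
              else { 'OK' }
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        NotAfter      = $c.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $c.HasPrivateKey   # must be True on the machine that runs scans
        Status        = $status
    }
}

# After a renewal or a move to a new machine, a leftover certificate can be removed
# by thumbprint (replace <THUMBPRINT> with the value shown above):
# Remove-Item -Path "Cert:\CurrentUser\My\<THUMBPRINT>"
```

Only the newest certificate is used after a renewal; more than one row here means an older certificate is still lingering and can be removed once scans succeed with the new one.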

Common Questions from IT Teams

Does TenantSentinel modify anything in my tenant?

No. Every Graph API permission is read-only. TenantSentinel does not create, update, or delete any users, policies, settings, or configurations. The only write operation is registering its authentication certificate on the TenantSentinel-managed app registration—not on anything in your tenant.

Where does my scan data go?

Nowhere. Reports are generated locally on your machine and saved as HTML files in C:\ProgramData\TenantSentinel\Reports\. Scan history is stored as JSON in C:\ProgramData\TenantSentinel\History\. No tenant data is ever sent to TenantSentinel servers.

Do I need to open any firewall ports or allow any URLs?

The app makes outbound HTTPS calls to graph.microsoft.com (to read your tenant data) and www.tenantsentinel.com (for license activation and certificate registration). Both use the standard HTTPS port 443. No inbound ports are required.

Can I revoke access later?

Yes. Go to Azure Portal → Microsoft Entra ID → Enterprise Applications, find “TenantSentinel”, and delete it. This immediately revokes all access. You can also remove the certificate from your local certificate store (Cert:\CurrentUser\My) to prevent scans from the machine.

Do I need PowerShell 7?

No. TenantSentinel works with Windows PowerShell 5.1, which is included with every supported version of Windows 10 and 11. If you have PowerShell 7 installed, the app will use it automatically, but it’s not required.

What if I’m not the Global Admin?

You can do every step of setup except granting consent. At the Grant permissions step, the wizard gives you a consent link to copy and send. Your GA opens the link, reviews the permissions, and clicks Accept. That’s their only involvement—they don’t need to install anything or create an account.

A Note on Tenant Size

TenantSentinel is built and tested for the vast majority of Microsoft 365 organizations. There are a couple of things worth knowing if you run a very large tenant.

Long-running scans

Graph API access tokens are valid for 60 minutes. Most scans complete in under 5 minutes, but very large tenants (tens of thousands of users) may take longer. If a scan fails partway through, simply run it again—report generation picks up cleanly.

Ready to go? Download TenantSentinel and run your first scan in about 10 minutes.

Something not working? Check the Troubleshooting page.