Something Not Working?

This is expected for any new application that hasn’t yet built up reputation with Microsoft. It does not mean the file is unsafe. Click More info, then Run anyway. The warning goes away on its own as more people install the app. If your organization blocks unsigned executables by policy, your IT team can whitelist the installer hash.

Make sure you’re running the installer as Administrator on a 64-bit Windows 10 or 11 machine. If your antivirus quarantined the file, add an exception for the TenantSentinel installer. The app installs to C:\Program Files\TenantSentinel and needs write access to C:\ProgramData\TenantSentinel.

License keys look like TS-ABCD-EFGH-IJKL-MNOP — four groups of four characters after the TS- prefix. They use letters A–Z and digits 2–9 (no zeroes, no ones, no lowercase). If you’re pasting from an email, make sure no extra spaces or line breaks snuck in.

This means the key you entered doesn’t exist in our system. Double-check the spelling — a single wrong character will cause this. If you applied for the beta and haven’t received your key yet, please allow a few business days for your application to be reviewed. You’ll receive your key by email once approved.

Licenses have an expiration date set when they’re issued (typically one year). If yours has expired, contact the partner who issued it to renew. A revoked license means it was manually deactivated — reach out to your account contact for a replacement.

The app needs to reach ts-licensing.tenantsentinel.com over HTTPS (port 443) to activate. If you’re behind a corporate firewall or proxy, make sure that domain is whitelisted. See the network requirements section below for the full list of domains TenantSentinel needs to reach.

During setup, the app uses PowerShell’s New-SelfSignedCertificate to create a certificate in your Windows certificate store. If this fails, try running TenantSentinel as Administrator. The certificate store lives in your user profile (Cert:\CurrentUser\My), and some locked-down environments restrict access to it. If you’re on a domain-managed machine, your IT team may need to allow certificate creation for your user account.

This usually means the certificate was deleted from your certificate store after setup, or it was imported without its private key. The easiest fix is to re-run the setup wizard — it will generate a fresh certificate and register it automatically. You can verify what’s in your store by opening certmgr.msc and looking under Personal → Certificates for one with the subject “TenantSentinel”.

After the certificate is registered on the Azure app registration, Azure AD can take 30 seconds to 2 minutes to propagate the change. The setup wizard retries automatically, but if it times out, wait a couple of minutes and try running a scan. If it still doesn’t work, the most likely cause is that admin consent hasn’t been granted yet — see the next item.

The consent link is a standard Microsoft URL that opens an Azure AD prompt. For it to work, the person clicking it must have the Global Administrator role in your Microsoft 365 tenant. If you see “Need admin approval” or “You don’t have permission”, have your GA try it instead. If the GA sees an error, verify that the Tenant ID in your setup matches your actual Azure tenant (Azure Portal → Microsoft Entra ID → Overview).

Each premium module (Device, SharePoint, Exchange, Copilot) requires its own set of additional Graph permissions. If a module scan is skipped or shows errors, open the desktop app’s Settings page and click Upgrade Permissions for that module. This generates a new admin consent link with the extra permissions included. Your Global Administrator needs to click Accept on that link — it’s the same one-click flow as initial setup, just with additional scopes.

The scan engine reads a key file from C:\ProgramData\TenantSentinel\Keys\ that contains your Tenant ID, Application ID, certificate thumbprint, and license file path. If this file is missing or corrupted, the scan can’t start. Re-running the setup wizard will regenerate it. If you moved or renamed the file, point the dashboard back to the correct path in Settings.

This means the license.json file on your machine doesn’t match the cryptographic signature we generated when your license was issued. The most common cause is that the file was accidentally edited or replaced. Re-activate your license from the setup screen to download a fresh copy. Also make sure your system clock is set correctly — a wildly wrong date can cause validation to fail.

A 403 from the Microsoft Graph API means your Azure AD app registration doesn’t have the required permissions — or that admin consent was granted but hasn’t fully propagated. Go back to the consent link in your setup wizard and have your Global Admin click through it again. Azure sometimes requires a second consent after permissions are updated. If the 403 only affects a premium module, use Upgrade Permissions for that specific module.

Scans typically take 2–5 minutes for most tenants. Larger organizations (5,000+ users) with all premium modules enabled can take 15–30 minutes. If you see progress in the log window, the scan is working — Graph API calls on large datasets just take time. If nothing has moved in 10+ minutes, the most likely cause is a network timeout. Check that graph.microsoft.com is reachable and try again.

Graph API access tokens are valid for 60 minutes. If your scan takes longer than that — which can happen on very large tenants with all modules enabled — the token expires and the remaining API calls fail. The fix is simply to run the scan again; the engine handles partial failures gracefully and the second run usually completes within the window. Automatic token refresh is coming in a future release.

TenantSentinel uses Windows Task Scheduler for recurring scans. Open Task Scheduler and look for the “TenantSentinel Scheduled Scan” task. Common issues: the task is disabled, the user account it runs under doesn’t have the right permissions, or the certificate has expired (certificates are valid for 2 years). Try running the task manually from Task Scheduler to see the error output.

Reports are self-contained HTML files with all data embedded. If a section is empty, it usually means the corresponding Graph API call returned no data — either because the permission wasn’t granted or the feature isn’t in use in your tenant (for example, if no one has Conditional Access policies, that tab will be empty). Open the report in your browser and check the browser console (F12) for any JavaScript errors. If you see errors, please share them when contacting support.

Reports are saved to C:\ProgramData\TenantSentinel\Reports\ with a filename that includes the tenant name and date. You can also access them from the desktop app’s Executive Summary page. Each scan generates one HTML file for the Executive Dashboard, plus one per premium module that’s licensed and scanned.

License activation, certificate registration, license validation during scans, and permission upgrades.

Admin consent redirect target. Also used for version checks and downloads.

Azure AD authentication. The app exchanges a certificate-signed JWT for an access token here.

Microsoft Graph API. All tenant data (users, policies, devices, mailboxes, etc.) is read from here.