Trust Center

Security, Privacy, and Terms

Security

Quantified Risk Posture

Every scan produces a TenantSentinel Analysis Score with weighted sub-scores across identity, access control, and privileged security — so leadership sees exactly where exposure is highest. Scoring weights, penalty logic, and compliance framework mappings are fully documented on the Assessment Methodology page.

10-Tab Executive Report

MFA coverage, Conditional Access validation, privileged role risk, enterprise app permissions, licensing cost analysis, security gaps, risk scenarios, baseline compliance, and historical trending — all in one self-contained HTML file.

Actionable Remediation

Every risk scenario includes remediation runbooks with portal steps, PowerShell commands, verification steps, effort estimates, and/or rollback notes. No guessing what to do next.

Drift Detection & Trending

Recurring scans track your health score over time with automatic drift markers. Regressions in MFA coverage, new risk scenarios, and score drops are flagged immediately so nothing slips through.

Desktop App Security

The TenantSentinel desktop app runs with context isolation and sandboxed rendering; the UI layer has no Node.js access. Authentication uses auto-generated X.509 certificates; no client secrets are stored on your machine. All system operations go through a locked-down IPC bridge.

Privacy & Data Handling

Your Tenant Data Stays on Your Machine

TenantSentinel never uploads your Microsoft 365 tenant data. All scan results, reports, and history files are written to C:\ProgramData\TenantSentinel\ on your local machine and never transmitted to TenantSentinel servers.

What the Licensing Server Stores

The TenantSentinel licensing server retains only what is necessary to operate your license: your license key, Microsoft Entra tenant ID, certificate thumbprint, activation date, and the company name you provided during onboarding. No scan data, report content, or user information from your tenant is ever sent to or stored by TenantSentinel.

Onboarding Information

Beta and partner intake forms collect your name, company name, email address, and optional notes. This information is used solely for license issuance, onboarding communication, and service fulfillment. It is kept confidential and is never sold or shared with third parties.

Subprocessors

TenantSentinel uses a small number of trusted subprocessors to operate the service. Contact email addresses and license details are transmitted to Resend solely for the purpose of delivering license keys and transactional service communications. No customer tenant data, scan results, or report content is ever shared with any third party.

Incident Response

In the event of a security incident affecting TenantSentinel systems, affected customers will be notified within 72 hours of discovery. Notifications will describe the nature of the incident, what information may have been affected, and steps taken to address it.

Retention & Deletion

Licensing and onboarding records are retained for the duration of the service relationship plus 12 months. You may request deletion of your onboarding information at any time by contacting TenantSentinel support. Scan data and reports exist only on your machine and are deleted when you uninstall the application.

Contact

For privacy requests or data inquiries, contact TenantSentinel support through the established onboarding channel or the email address on your license confirmation.

Terms & Compliance

Service Model

TenantSentinel is available as a self-serve desktop application for Enterprise and MSP customers, or as an operator-managed assessment service. Enterprise customers install the app and run scans independently; Managed Assessment customers receive reports delivered by our team.

Acceptable Use

TenantSentinel is licensed for legitimate security assessment and operational planning of your own Microsoft 365 tenant or tenants you manage on behalf of clients. Use against tenants you are not authorized to assess is prohibited.

SOC 2 & Compliance Posture

TenantSentinel aligns its internal controls with SOC 2 Type II principles as we mature toward formal certification. Our architecture is designed around the principle that customer tenant data never leaves the customer's environment, which substantially reduces the compliance scope of our licensing infrastructure. Enterprise customers requiring a Data Processing Agreement (DPA) or Business Associate Agreement (BAA) should contact us directly.

Least-Privilege Access

TenantSentinel products operate on the minimum Microsoft Graph API permissions required to function. Our assessment tools are strictly read-only and cannot modify your tenant configuration. The one exception is the one-time registration of a self-signed certificate on your Entra app registration, which is required for authentication. Future remediation features will explicitly request additional scopes and obtain administrator consent before any write operation is performed.

Availability

Service endpoints (licensing, certificate registration) may be updated as the platform matures. Changes that affect existing customers will be communicated in advance with adequate transition time.

Updates

These terms may be revised as the service evolves. Material changes will be communicated to active customers before taking effect.

No Warranty

The Service is provided on an AS IS and AS AVAILABLE basis without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, accuracy, or non-infringement. TenantSentinel does not warrant that the Service will be uninterrupted, error-free, or produce results suitable for any specific decision or action.

Limitation of Liability

To the maximum extent permitted by law, in no event shall TenantSentinel, its affiliates, or contributors be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits, revenue, data, or business opportunity, arising out of or related to use of the Service. TenantSentinel's total aggregate liability for any claim shall not exceed the fees actually paid by Customer to TenantSentinel in the twelve (12) months immediately preceding the event giving rise to the claim. For users of the free tier, this amount is zero.

Not Legal or Compliance Advice

TenantSentinel maps tenant configuration to frameworks such as CIS Microsoft 365, NIST SP 800-171, SOC 2, and HIPAA for informational purposes only. Framework mappings, health scores, and remediation guidance are provided as tools to support your internal security program and do not constitute legal, regulatory, audit, or compliance advice. Customer is solely responsible for determining whether its use of Microsoft 365 satisfies applicable laws, regulations, and contractual obligations.

Governing Law

These terms are governed by the laws of the State of New Jersey, United States, without regard to its conflict of laws principles. Any dispute arising out of or related to these terms or the Service shall be resolved in the state or federal courts located in New Jersey, and the parties consent to the exclusive jurisdiction of those courts.