01 Overview
Entra GUARD is a client-side security audit platform for Microsoft Entra ID and Microsoft 365. It runs entirely in your browser, signs you in with Microsoft OAuth 2.0 (read-only), runs up to 253 CIS controls against your tenant, and produces actionable reports.
Three things to know up front:
- Nothing leaves your browser. No backend processes your data. No server-side logs of your audit.
- Read-only permissions only. Entra GUARD cannot create, modify, or delete anything in your tenant.
- One-shot model. No subscription. You audit when you need to. See the pricing page for details.
02 Requirements
Browser
Any modern browser with ES2020 support:
- Microsoft Edge 90+ (recommended on Windows)
- Google Chrome 90+
- Firefox 88+
- Safari 14+
Microsoft 365 tenant
You need an active Microsoft Entra ID tenant. To run a full audit:
- A user account with at least the Global Reader role (recommended) or Security Reader role
- The ability to grant consent to the required read-only Graph permissions (see section 04)
- Working network access to
graph.microsoft.comfrom your browser
Conditional Access note: if your tenant blocks third-party apps via CA policies, an administrator may need to allow the Entra GUARD app or grant tenant-wide consent.
03 Your first audit
From sign-in to your first report, in 5 steps:
-
Sign in
Click "Sign in with Microsoft" on the main screen. The standard Microsoft consent dialog will appear — review the requested read-only permissions and approve.
-
Pick a baseline
Go to "Start audit", then select one of the 5 baselines (Quick, CIS L1, CIS L2, Zero Trust, Full). For your first audit, we recommend CIS L1.
-
Run the audit
Click "Run audit". Controls execute in parallel. You'll see findings appear in real time as each control completes.
-
Review findings
Open "Recommendations" to see findings ranked by severity. Each item has a remediation summary and a link to Microsoft Learn.
-
Export
From any module, click "Export" and choose your format: PDF for management, XLSX for your team, JSON for SIEM integration.
04 Permissions
Entra GUARD requests the following Microsoft Graph permissions, all read-only:
User.Read.All Application.Read.All Directory.Read.All AuditLog.Read.All Policy.Read.All RoleManagement.Read.Directory UserAuthenticationMethod.Read.All SecurityEvents.Read.All Group.Read.All Reports.Read.All Organization.Read.All AccessReview.Read.All
No write permissions are ever requested. You can verify this from the consent dialog before approving, and from the Microsoft Entra portal in "Enterprise applications" after first sign-in.
Revoking access
To revoke Entra GUARD's access at any time:
- Open Microsoft Entra admin center
- Go to Enterprise applications
- Find "Entra GUARD" in the list
- Click Delete or remove user consent
05 Choosing a baseline
The 5 baselines cover different audit scenarios. Pick based on your goal:
Quick (15 controls)
The 15 most essential CIS L1 controls. Use it for a first diagnostic, a periodic check, or to verify recent changes. ~5 minutes.
CIS L1 (197 controls)
The full CIS Microsoft 365 Benchmark Level 1. The recommended baseline for production M365 tenants. ~12 minutes.
CIS L2 (56 controls)
The CIS L2 hardening controls. Use it on top of L1 for regulated industries or sensitive environments. ~6 minutes.
Zero Trust (128 controls)
Identity-focused controls aligned with Microsoft's Zero Trust framework. Good for organizations driving a ZT initiative. ~9 minutes.
Full (253 controls)
The complete catalog. Run it when you need an exhaustive audit, e.g. for compliance evidence. ~15 minutes.
Baselines are additive. Selecting CIS L1 + CIS L2 enables both control sets in one audit (253 controls total).
06 Reports & exports
Each module can be exported in 6 formats. Choose based on your audience:
- PDF — Executive report with score, top findings, remediation summary. Best for management presentations and auditor handovers.
- XLSX — Full audit data in spreadsheet form. Pivot-table-ready. Best for IT teams tracking remediation.
- HTML — Standalone interactive report with searchable findings and severity filters. Best for internal wikis or sharing with stakeholders.
- JSON — Raw machine-readable output. Best for SIEM integration, ticketing automation, or compliance tracking platforms.
- CSV — Flat tabular data. Universal compatibility. Best for custom analytics.
- TXT — Plain text summary. Best for ticket descriptions or email attachments.
All exports are generated in your browser and downloaded directly to your computer. No data is ever uploaded to a server.
07 Supported standards
Entra GUARD aligns with recognized industry standards:
08 Troubleshooting
"Need admin approval" on sign-in
Your tenant requires admin consent for third-party apps. Ask a Global Administrator to grant tenant-wide consent, or request a one-time consent for your user account.
"Forbidden" or "Insufficient privileges" errors during audit
Your user account doesn't have permission to read certain resources (typically audit logs or directory data). Ensure you have at least the Global Reader role assigned.
Audit hangs or controls fail to complete
Most often a network issue or Graph API throttling. Try again after a few minutes. If the problem persists, try a smaller baseline (Quick or CIS L1 instead of Full) or reach out to support.
Browser shows a blank page
Likely a JavaScript error caused by an outdated browser. Update to the latest version and clear cache. If using a corporate browser policy, ensure JavaScript and modern ES2020 features are not blocked.
09 FAQ
Does Entra GUARD store my audit data?
No. The audit runs in your browser, results are stored only in your browser's local storage, and exports are downloaded directly to your computer. We never see, transmit, or store your tenant data.
Can I audit a tenant I don't own?
You can audit any tenant for which your account has the necessary read permissions. For MSPs auditing customer tenants, multi-tenant support is on the roadmap.
How often is the CIS catalog updated?
We sync with each new CIS Microsoft 365 Benchmark release. The current version is v6.0.1.
What's the difference vs Microsoft Secure Score?
See the detailed comparison on the features page. Short version: Secure Score is for continuous baseline tracking; Entra GUARD is for in-depth audits with actionable remediation plans.
Where can I get help?
For paid audit customers, email support is included. For general questions or demo issues, use the contact page.