ENTRAGUARD

Observation and audit platform for your Microsoft Entra ID tenant.

01 Overview

Entra GUARD is a client-side security audit platform for Microsoft Entra ID and Microsoft 365. It runs entirely in your browser, signs you in with Microsoft OAuth 2.0 (read-only), runs up to 253 CIS controls against your tenant, and produces actionable reports.

Three things to know up front:

  • Nothing leaves your browser. No backend processes your data. No server-side logs of your audit.
  • Read-only permissions only. Entra GUARD cannot create, modify, or delete anything in your tenant.
  • One-shot model. No subscription. You audit when you need to. See the pricing page for details.

02 Requirements

Browser

Any modern browser with ES2020 support:

  • Microsoft Edge 90+ (recommended on Windows)
  • Google Chrome 90+
  • Firefox 88+
  • Safari 14+

Microsoft 365 tenant

You need an active Microsoft Entra ID tenant. To run a full audit:

  • A user account with at least the Global Reader role (recommended) or Security Reader role
  • The ability to grant consent to the required read-only Graph permissions (see section 04)
  • Working network access to graph.microsoft.com from your browser

Conditional Access note: if your tenant blocks third-party apps via CA policies, an administrator may need to allow the Entra GUARD app or grant tenant-wide consent.

03 Your first audit

From sign-in to your first report, in 5 steps:

  1. Sign in

    Click "Sign in with Microsoft" on the main screen. The standard Microsoft consent dialog will appear — review the requested read-only permissions and approve.

  2. Pick a baseline

    Go to "Start audit", then select one of the 5 baselines (Quick, CIS L1, CIS L2, Zero Trust, Full). For your first audit, we recommend CIS L1.

  3. Run the audit

    Click "Run audit". Controls execute in parallel. You'll see findings appear in real time as each control completes.

  4. Review findings

    Open "Recommendations" to see findings ranked by severity. Each item has a remediation summary and a link to Microsoft Learn.

  5. Export

    From any module, click "Export" and choose your format: PDF for management, XLSX for your team, JSON for SIEM integration.

04 Permissions

Entra GUARD requests the following Microsoft Graph permissions, all read-only:

User.Read.All
Application.Read.All
Directory.Read.All
AuditLog.Read.All
Policy.Read.All
RoleManagement.Read.Directory
UserAuthenticationMethod.Read.All
SecurityEvents.Read.All
Group.Read.All
Reports.Read.All
Organization.Read.All
AccessReview.Read.All

No write permissions are ever requested. You can verify this from the consent dialog before approving, and from the Microsoft Entra portal in "Enterprise applications" after first sign-in.

Revoking access

To revoke Entra GUARD's access at any time:

  1. Open Microsoft Entra admin center
  2. Go to Enterprise applications
  3. Find "Entra GUARD" in the list
  4. Click Delete or remove user consent

05 Choosing a baseline

The 5 baselines cover different audit scenarios. Pick based on your goal:

Quick (15 controls)

The 15 most essential CIS L1 controls. Use it for a first diagnostic, a periodic check, or to verify recent changes. ~5 minutes.

CIS L1 (197 controls)

The full CIS Microsoft 365 Benchmark Level 1. The recommended baseline for production M365 tenants. ~12 minutes.

CIS L2 (56 controls)

The CIS L2 hardening controls. Use it on top of L1 for regulated industries or sensitive environments. ~6 minutes.

Zero Trust (128 controls)

Identity-focused controls aligned with Microsoft's Zero Trust framework. Good for organizations driving a ZT initiative. ~9 minutes.

Full (253 controls)

The complete catalog. Run it when you need an exhaustive audit, e.g. for compliance evidence. ~15 minutes.

Baselines are additive. Selecting CIS L1 + CIS L2 enables both control sets in one audit (253 controls total).

06 Reports & exports

Each module can be exported in 6 formats. Choose based on your audience:

  • PDF — Executive report with score, top findings, remediation summary. Best for management presentations and auditor handovers.
  • XLSX — Full audit data in spreadsheet form. Pivot-table-ready. Best for IT teams tracking remediation.
  • HTML — Standalone interactive report with searchable findings and severity filters. Best for internal wikis or sharing with stakeholders.
  • JSON — Raw machine-readable output. Best for SIEM integration, ticketing automation, or compliance tracking platforms.
  • CSV — Flat tabular data. Universal compatibility. Best for custom analytics.
  • TXT — Plain text summary. Best for ticket descriptions or email attachments.

All exports are generated in your browser and downloaded directly to your computer. No data is ever uploaded to a server.

07 Supported standards

Entra GUARD aligns with recognized industry standards:

CIS M365 v6.0.1
CIS Microsoft 365 Benchmark
The reference standard for Microsoft 365 security configuration. 253 controls covering 12 services, Levels 1 and 2.
Implemented
MS ZERO TRUST
Microsoft Zero Trust
Identity-focused baseline aligned with Microsoft's Zero Trust framework. Subset of 128 controls.
Implemented (MVP)
CISA SCuBA
Secure Cloud Business Apps
U.S. CISA's secure configuration baselines for cloud business apps. Mapping in progress.
Roadmap
NIS 2
EU NIS 2 Directive
European Network and Information Security Directive. Control mapping planned.
Roadmap

08 Troubleshooting

"Need admin approval" on sign-in

Your tenant requires admin consent for third-party apps. Ask a Global Administrator to grant tenant-wide consent, or request a one-time consent for your user account.

"Forbidden" or "Insufficient privileges" errors during audit

Your user account doesn't have permission to read certain resources (typically audit logs or directory data). Ensure you have at least the Global Reader role assigned.

Audit hangs or controls fail to complete

Most often a network issue or Graph API throttling. Try again after a few minutes. If the problem persists, try a smaller baseline (Quick or CIS L1 instead of Full) or reach out to support.

Browser shows a blank page

Likely a JavaScript error caused by an outdated browser. Update to the latest version and clear cache. If using a corporate browser policy, ensure JavaScript and modern ES2020 features are not blocked.

09 FAQ

Does Entra GUARD store my audit data?

No. The audit runs in your browser, results are stored only in your browser's local storage, and exports are downloaded directly to your computer. We never see, transmit, or store your tenant data.

Can I audit a tenant I don't own?

You can audit any tenant for which your account has the necessary read permissions. For MSPs auditing customer tenants, multi-tenant support is on the roadmap.

How often is the CIS catalog updated?

We sync with each new CIS Microsoft 365 Benchmark release. The current version is v6.0.1.

What's the difference vs Microsoft Secure Score?

See the detailed comparison on the features page. Short version: Secure Score is for continuous baseline tracking; Entra GUARD is for in-depth audits with actionable remediation plans.

Where can I get help?

For paid audit customers, email support is included. For general questions or demo issues, use the contact page.