Security & Trust
Entra Analyzer is built for security-conscious organizations. Here is how we protect your data and respect your tenant.
Read-only access
We only request read-only Microsoft Graph permissions. Entra Analyzer will never modify settings, create users, roles, or policies, or write any data back to your tenant.
EU data residency
All data is stored and processed in the European Union. Our infrastructure runs on Azure in the EU West region.
No agents to install
Entra Analyzer connects via the Microsoft Graph API. There is nothing to deploy on-premises and no software to install on your devices.
Data deletion on disconnect
If you revoke consent or cancel your subscription, all stored scan data for your tenant is permanently deleted.
Encryption in transit and at rest
All connections use TLS 1.2+. Data at rest is encrypted using Azure-managed keys in our EU-hosted database.
Required permissions
All permissions below are read-only Microsoft Graph application permissions. Nothing is ever written back to your tenant.
| Permission | Purpose |
| --- | --- |
| Directory.Read.All | Read directory data (users, groups, roles) |
| User.Read.All | Read all user profiles and properties |
| AuditLog.Read.All | Read sign-in activity and audit logs |
| Group.Read.All | Read all groups and memberships |
| Application.Read.All | Read all application registrations |
| RoleManagement.Read.Directory | Read directory role assignments |
| Policy.Read.All | Read Conditional Access and security policies |
| UserAuthenticationMethod.Read.All | Read users' authentication methods (MFA) |
| Device.Read.All | Read device objects and compliance state |
| DeviceManagementManagedDevices.Read.All | Read Intune managed devices |
| IdentityRiskEvent.Read.All | Read Identity Protection risk events |
| AccessReview.Read.All | Read access reviews configuration |
| EntitlementManagement.Read.All | Read entitlement management configuration |