Frequently Asked Questions

TenantSight is an automated Microsoft 365 security audit platform built specifically for Managed Service Providers (MSPs). It connects to your clients' M365 tenancies via read-only access, scans their entire environment, and produces a professional white-labelled HTML security report that you deliver to your client under your own branding.

1. Log in to your TenantSight dashboard and click Add Tenant
2. Enter your client's company name
3. Click Generate Consent Link to get a unique URL
4. Send that link to your client's Global Admin
5. Once they click it and approve, the tenant appears as Active in your dashboard

The client doesn't need to install any software or agents. It's a single-click consent process.

No. TenantSight is entirely cloud-based. Your client's Global Admin simply clicks a consent link and approves read-only access. There are no agents, scripts, or software to deploy on the client's side.

It depends on the tenant size:

• Small tenants (under 20 users) — typically 1-3 minutes
• Medium tenants (20-100 users) — typically 3-8 minutes
• Large tenants (100+ users, many SharePoint sites) — can take 10-20 minutes

SharePoint permission scanning is the longest phase as it recursively checks every folder. You can watch progress in real time.

Yes. TenantSight uses read-only permissions only. It cannot modify, delete, or access any emails, files, or user data beyond what's needed for the security audit. The permissions allow reading directory information, sign-in activity, and SharePoint structure — not file contents. Consent can be revoked at any time by the client's Global Admin in Azure Portal under Enterprise Applications.

TenantSight uses these Application permissions (not Delegated):

• User.Read.All — Read user profiles and sign-in activity
• Directory.Read.All — Read directory roles and group memberships
• Reports.Read.All — Read MFA registration status
• AuditLog.Read.All — Read sign-in logs for stale account detection
• Sites.Read.All — Read SharePoint site and permission structure

Important: We deliberately use Sites.Read.All (not Sites.FullControl.All) — TenantSight cannot access, open, or modify any files.

No. TenantSight does not request Mail.Read or any mail-related permissions. It also does not request Files.Read — it uses Sites.Read.All which allows it to see who has access to what in SharePoint, but it cannot open, download, or read the contents of any files or emails.

Yes, at any time. The client's Global Admin can go to Azure Portal > Enterprise Applications, find TenantSight, and remove it. This immediately revokes all access. You can also unlink the tenant from your TenantSight dashboard.

Audit data and reports are stored securely on our servers. All communication uses HTTPS/TLS encryption. Passwords are hashed with bcrypt and sessions use httpOnly JWT cookies. No client credentials are stored — we use Microsoft's standard OAuth admin consent flow with client credentials authentication.

TenantSight performs a comprehensive security scan covering:

• MFA status — Which users have MFA registered and which don't
• Admin roles — Global Admin count, admin MFA status, stale admin accounts
• Conditional Access — Active policies, MFA enforcement, legacy auth blocking
• Account hygiene — Inactive accounts (30/90 day), never-signed-in accounts, disabled accounts
• SharePoint permissions — External sharing, anonymous links, disabled accounts with access, full folder-level permission breakdown with group member resolution
• Licence utilisation — Assigned vs unassigned licence seats

The overall score is a weighted average of five categories:

• Identity & Access (30%) — MFA adoption, Conditional Access policies
• Privileged Access (25%) — Global Admin count, admin MFA status
• Collaboration (20%) — External sharing, anonymous links
• Account Hygiene (15%) — Inactive/stale accounts
• Licence Efficiency (10%) — Unused licence seats

Scores of 80+ are rated Good, 60-79 Needs Attention, and below 60 Action Required.

Yes. Reports are self-contained HTML files that open in a new browser tab. You can save them as PDF using your browser's print function, or save the HTML file directly. They're designed to be presentation-ready — you can email them to clients, attach them to proposals, or include them in quarterly business reviews.

Yes. All completed audit reports remain available in your dashboard. Go to the tenant's detail page or find it in Recent Audits on the dashboard — the Report button is always available for completed audits.

Yes, on Starter and Pro plans. Go to Settings > Branding to upload your logo, set your company name, and choose your brand colour. All reports will be generated with your branding — your client sees your company name, not TenantSight. Free-tier reports carry TenantSight branding.

PNG, JPG, SVG, and WebP files up to 2 MB. We recommend a logo with a height of around 60px for best results in the report header. SVG files will give the sharpest results at any size.

On paid plans, the report is fully white-labelled with your branding. The consent link does reference TenantSight (as it's our Azure app registration), but the audit report itself shows only your company name, logo, and colours. Your client sees the report as coming entirely from you.

• Free — 1 audit/month, 1 tenant, TenantSight branding
• Starter ($49/mo AUD) — 10 audits/month, 5 tenants, white-label reports
• Pro ($149/mo AUD) — 50 audits/month, unlimited tenants, full white-label, priority support

All plans include the full security audit — no features are locked behind tiers except branding and volume.

Yes. There are no contracts or lock-in periods. You can cancel your subscription at any time from Settings > Manage Billing. Your account will revert to the Free tier at the end of your current billing period. Your tenants and past reports remain accessible.

You won't be able to run new audits until your limit resets at the start of the next billing month. You can upgrade your plan at any time to get more audits immediately. Past reports remain available regardless of your current limit.

The Free tier is effectively a permanent trial — you get 1 full audit per month at no cost, forever. This lets you experience the complete audit and report before committing to a paid plan. When you're ready, upgrade from Settings.

Common causes of audit failures:

• Consent expired or was revoked — Check the tenant status in your dashboard. If it shows "Pending Consent", the client's admin needs to re-approve the consent link.
• Insufficient permissions — Ensure all five Application permissions are granted with admin consent (User.Read.All, Directory.Read.All, Reports.Read.All, AuditLog.Read.All, Sites.Read.All).
• Temporary Microsoft Graph outage — Microsoft's API occasionally experiences issues. Wait a few minutes and try again.

The licence data comes from Microsoft's subscribedSkus API endpoint, which may require the Organization.Read.All permission in some tenants. If licences aren't showing, add this permission to the Azure app registration and have the client's admin re-consent. The audit will still complete successfully — the licence section will just be empty until the permission is granted.

This can happen if the consent callback didn't complete properly (e.g. the admin closed the browser before the redirect finished). Try generating a new consent link from the Tenants page and have the admin approve again. If the issue persists, remove the tenant and re-add it.

This was a known issue that has been resolved. If you're seeing this on an older report, simply re-run the audit to generate a new report with the fix applied. All folder trees should now expand and collapse correctly.