EntraGuard

Self-hosted security auditor for Microsoft Entra ID. Map your tenant, detect attack paths, prioritise remediation — without sending data to the cloud.

What EntraGuard does

EntraGuard collects configuration from your Entra ID tenant via Microsoft Graph, builds an attack graph (Neo4j), computes a security score (0–100, grade A–F) and delivers an actionable report with prioritised findings, attack paths and remediation tutorials.

Who is it for?

  • CISOs / Security leads — continuous visibility into Entra ID posture, drift detection
  • MSPs / Managed IT — regular client audits, ready-to-deliver PDF/HTML reports
  • Pentest consultants — quick tenant mapping before engagement, privilege escalation path detection
  • IAM teams — post-change verification (new role, new app, new CA policy)
  • SMBs on Microsoft 365 — affordable alternative to premium tools, self-hosted

How it works

EntraGuard authenticates with the OAuth 2.0 client credentials flow (an App Registration granted only read-only Microsoft Graph application permissions, admin-consented; no user sign-in is involved) and collects data through 13 dedicated async collectors, including:

  • Users & accounts — hygiene, stale accounts, MFA registration status
  • Groups & memberships — nested groups, dynamic rules, ownership
  • Roles & PIM — active/eligible assignments, permanent role detection
  • Applications — App Registrations, Service Principals, dangerous API permissions
  • Conditional Access — policies, gaps, bypassed users, legacy auth
  • Devices — join type, compliance state, trust type
  • Administrative Units — scoped members and role assignments
  • Sign-in activity — last login, risky sign-ins
  • Subscribed SKUs — licence assignments, unused capabilities (LIC rules)
  • Authentication methods — MFA methods, passwordless readiness
  • Access reviews — review status, stale approvals

Data is pushed into a local Neo4j graph database where the rule engine evaluates 50+ detection rules. Findings are mapped to MITRE ATT&CK techniques and scored to produce an overall security grade.
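To make the pipeline in the two paragraphs above concrete, here is a small rule engine in the same shape: collector output in, findings tagged with MITRE ATT&CK techniques out, rolled up into a 0-100 score and A-F grade. This is an added example written for this page, not EntraGuard's own code. The tenant data is constructed (a handful of Graph-shaped objects), and the rule IDs, severity weights and grade thresholds are assumptions; the dangerous Graph application permissions named in it are real ones that a practitioner would flag.

```python
"""Toy Entra ID rule engine: evaluate detection rules over collector output,
tag findings with MITRE ATT&CK techniques, roll up to a score and grade.
Added example, not EntraGuard's code. Rule IDs, weights and thresholds are assumed."""
from dataclasses import dataclass

# Constructed sample "collector output" shaped like Graph objects, not a real tenant.
TENANT = {
    "roleAssignments": [
        {"principalId": "u1", "roleName": "Global Administrator", "assignmentType": "permanent"},
        {"principalId": "u2", "roleName": "Global Administrator", "assignmentType": "eligible"},
        {"principalId": "u3", "roleName": "Reports Reader", "assignmentType": "permanent"},
    ],
    "servicePrincipals": [
        {"id": "sp1", "displayName": "legacy-sync", "appRoles": ["RoleManagement.ReadWrite.Directory"]},
        {"id": "sp2", "displayName": "reporting", "appRoles": ["User.Read.All"]},
    ],
    "conditionalAccessPolicies": [
        {"displayName": "Require MFA for all users", "state": "enabled",
         "includeUsers": ["All"], "excludeUsers": ["u1"], "grantControls": ["mfa"]},
    ],
}

@dataclass(frozen=True)
class Finding:
    rule_id: str     # assumed naming scheme
    severity: str    # "critical" | "high" | "medium"
    technique: str   # MITRE ATT&CK technique ID
    subject: str     # the object the finding is about
    detail: str      # what to remediate

# Assumed points deducted per finding; the page does not publish EntraGuard's real weights.
WEIGHTS = {"critical": 25, "high": 15, "medium": 5}

# Graph application permissions that let an app escalate to Global Administrator.
DANGEROUS_APP_PERMISSIONS = {
    "RoleManagement.ReadWrite.Directory",  # can assign any directory role
    "AppRoleAssignment.ReadWrite.All",     # can grant itself further permissions
    "Directory.ReadWrite.All",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

def rule_permanent_privileged_role(tenant):
    """Roles & PIM: permanent (non-PIM) assignment of a privileged role."""
    for a in tenant["roleAssignments"]:
        if a["roleName"] in PRIVILEGED_ROLES and a["assignmentType"] == "permanent":
            yield Finding("ROLE-001", "critical", "T1078.004", a["principalId"],
                          f"permanent {a['roleName']}; convert to a PIM-eligible assignment")

def rule_dangerous_app_permission(tenant):
    """Applications: service principal holding a takeover-grade permission."""
    for sp in tenant["servicePrincipals"]:
        bad = DANGEROUS_APP_PERMISSIONS & set(sp["appRoles"])
        if bad:
            yield Finding("APP-001", "critical", "T1098.003", sp["displayName"],
                          f"holds {sorted(bad)}; remove unless the app provably needs it")

def rule_mfa_policy_exclusion(tenant):
    """Conditional Access: privileged user not covered by any enabled MFA policy."""
    privileged = {a["principalId"] for a in tenant["roleAssignments"]
                  if a["roleName"] in PRIVILEGED_ROLES}
    mfa_policies = [p for p in tenant["conditionalAccessPolicies"]
                    if p["state"] == "enabled" and "mfa" in p["grantControls"]]
    for user in sorted(privileged):
        covered = any(("All" in p["includeUsers"] or user in p["includeUsers"])
                      and user not in p["excludeUsers"] for p in mfa_policies)
        if not covered:
            yield Finding("CA-001", "high", "T1556.006", user,
                          "privileged user excluded from every MFA-requiring CA policy")

RULES = [rule_permanent_privileged_role, rule_dangerous_app_permission, rule_mfa_policy_exclusion]

def evaluate(tenant):
    """Run every rule and return the flat list of findings."""
    return [f for rule in RULES for f in rule(tenant)]

def score(findings):
    """0-100 score and A-F grade; thresholds are an assumption for this example."""
    s = max(0, 100 - sum(WEIGHTS[f.severity] for f in findings))
    grade = "A" if s >= 90 else "B" if s >= 80 else "C" if s >= 70 else "D" if s >= 60 else "F"
    return s, grade

if __name__ == "__main__":
    found = evaluate(TENANT)
    for f in found:
        print(f"[{f.severity:8}] {f.rule_id} {f.technique} {f.subject}: {f.detail}")
    print("score/grade:", score(found))
```

On the constructed tenant the engine raises three findings: the permanent Global Administrator, the service principal holding RoleManagement.ReadWrite.Directory, and the privileged user excluded from the only MFA policy; note that the Conditional Access rule deliberately treats "included in the policy but listed in its exclusions" as not covered, which is the exclusion gap attackers look for.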

Architecture

Frontend (React/TypeScript)
    |  REST /api/v1 + /export/v1
Server (FastAPI + Celery)
    |-- Postgres  (state, findings, reports)
    |-- Neo4j     (attack graph)
    |-- Redis     (Celery broker)
    |
    v
Microsoft Graph API

  • Backend: Python (FastAPI + Celery)
  • Frontend: React/TypeScript (Vite)
  • Licence: RSA-2048 signed (offline + online fallback)

Quick start

  1. Install the CodeRaft Dashboard
     Linux / macOS:
     $ curl -fsSL https://install.coderaft.io | bash
     Windows (PowerShell):
     PS> irm https://install.coderaft.io/win | iex
     Both commands execute a script fetched over the network; if your change control requires it, download the script to a file and review it before running it.
  2. Start
     $ cd coderaft && ./start.sh
  3. Setup Wizard — Open http://localhost:3000, activate your licence and enter your Entra ID credentials (see the App Registration guide for the read-only Graph permissions to grant)
  4. Scan — Click "Start Scan" and review the score, findings and attack paths

Comparison

Feature                EntraGuard   MS Secure Score   BloodHound CE   PingCastle
Self-hosted            Yes          No                Yes             Yes
Attack graph           Yes          No                Yes             No
Aggregated scoring     Yes          Yes               No              Yes
Remediation tutorials  Yes          Partial           No              Partial
SIEM export            Yes          No                No              Partial