EntraGuard FAQ

Common questions about EntraGuard, Entra ID configuration, audits and troubleshooting.

What is EntraGuard?
A self-hosted security auditor for Microsoft Entra ID. It collects via Microsoft Graph, builds an attack graph, detects findings (dangerous permissions, PIM misconfigurations, Conditional Access gaps, stale accounts, attack paths) and produces actionable reports (PDF, HTML, JSON).
Which permissions are required?
Read-only Microsoft Graph Application permissions: Directory.Read.All, User.Read.All, Group.Read.All, Application.Read.All, RoleManagement.Read.Directory, Policy.Read.All, AuditLog.Read.All, Device.Read.All, UserAuthenticationMethod.Read.All, AdministrativeUnit.Read.All. EntraGuard never writes to your tenant.
Does EntraGuard make changes to my tenant?
No. Every permission in the list is a .Read.All application permission, so EntraGuard is strictly read-only: no configuration, user, group or policy is ever modified. Application permissions need tenant-wide admin consent, so the grant is visible (and verifiable) on the app's Permissions page in the Entra admin center; if anything other than a read permission has been consented, remove it.
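A practitioner who wants to confirm the "read-only" claim rather than trust it can compare the app role assignments actually granted to the auditor's service principal against the Graph permission names. The following is an added example, not EntraGuard code; the two lists are constructed to mirror the shape of GET /servicePrincipals/{graph-sp-id} (appRoles) and GET /servicePrincipals/{auditor-sp-id}/appRoleAssignments, with placeholder ids instead of the real GUIDs.

```python
"""Check that a service principal holds only read-only Graph application
permissions. Added example (not EntraGuard code); data below is constructed."""
import re

# Constructed excerpt of the Microsoft Graph service principal's appRoles.
# Real responses carry well-known GUIDs in "id"; placeholders are used here.
GRAPH_APP_ROLES = [
    {"id": "role-1", "value": "Directory.Read.All"},
    {"id": "role-2", "value": "User.Read.All"},
    {"id": "role-3", "value": "Directory.ReadWrite.All"},
    {"id": "role-4", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "role-5", "value": "Policy.Read.All"},
]

# Constructed excerpt of the auditor's appRoleAssignments (admin-consented grants).
ASSIGNMENTS = [
    {"appRoleId": "role-1"},
    {"appRoleId": "role-2"},
    {"appRoleId": "role-4"},   # a write permission that should not be present
]

# Read-only Graph permission names end in ".Read" or ".Read.<scope>";
# "ReadWrite" does not match because "Write" follows "Read" directly.
READ_ONLY = re.compile(r"\.Read(\.[A-Za-z]+)?$")


def resolve_assignments(app_roles, assignments):
    """Map each granted appRoleId back to its permission name."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return [by_id.get(a["appRoleId"], "<unknown:%s>" % a["appRoleId"])
            for a in assignments]


def non_read_only(app_roles, assignments):
    """Permission names that are not read-only (unknown ids are reported too)."""
    return sorted(name for name in resolve_assignments(app_roles, assignments)
                  if not READ_ONLY.search(name))


if __name__ == "__main__":
    print("granted:", resolve_assignments(GRAPH_APP_ROLES, ASSIGNMENTS))
    print("needs review:", non_read_only(GRAPH_APP_ROLES, ASSIGNMENTS))
```

Run against live data by replacing the two constructed lists with the corresponding Graph responses; an empty result from non_read_only means the grant matches the read-only claim. Unknown ids are reported rather than silently accepted, since an assignment that cannot be resolved should be investigated, not ignored.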
How long does an audit take?
Under 500 users: 1-2 minutes. 500-5,000 users: 3-7 minutes. 5,000-50,000 users: 10-25 minutes. 50,000+ users: 30-60 minutes. Enterprise incremental mode is 3-5x faster after the first audit.
Can I audit multiple tenants?
Yes, with the Enterprise plan (up to 10 tenants with row-level isolation). The Standard plan is limited to 1 tenant.
Where does my data go?
Tenant data stays inside your infrastructure. EntraGuard makes outbound connections only to graph.microsoft.com (collection), login.microsoftonline.com (authentication) and license.coderaft.io (licence validation every 48h). No telemetry is sent and no reports are uploaded, so an egress allow-list limited to those three hosts is sufficient.
Are my Entra ID credentials stored securely?
Yes. The client secret is stored in PostgreSQL encrypted with AES-GCM under a derived key. Logs never contain secrets (automatic redaction).
Is Docker required?
Yes. EntraGuard runs as part of the CodeRaft Docker Compose stack (API server, Celery worker, PostgreSQL, Neo4j, Redis, frontend). Install using curl -fsSL https://install.coderaft.io | bash (or irm https://install.coderaft.io/win | iex on Windows), then activate your licence in the Setup Wizard. If your change-control policy does not allow piping a remote script into a shell, download the script first, review it, then run it. Docker Desktop with WSL2 is supported on Windows.
What are the minimum hardware requirements?
4 GB RAM (8 GB recommended for large tenants), 2 vCPU, 10 GB disk space.
Do audits consume my Microsoft Graph quota?
Yes, like any app calling Graph. EntraGuard respects Graph throttling: when a request returns HTTP 429 it backs off exponentially and retries rather than failing the audit. A 50k-user tenant uses approximately 30,000 Graph API calls per full audit.
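The shape of a throttling-aware collector is worth seeing once, because a naive loop that follows @odata.nextLink and ignores 429 is exactly what gets an app's calls rejected. The following is an added example, not EntraGuard's collector: it honours the Retry-After header Graph sends with a 429, falls back to exponential backoff when the header is absent, and follows paging links. The FakeGraph transport is constructed so the code runs offline; replace it with a real HTTP client that returns (status, headers, json).

```python
"""Page through a Microsoft Graph collection while honouring HTTP 429.
Added example, not EntraGuard's collector. FakeGraph is a constructed stand-in."""
import time


class FakeGraph:
    """Constructed stand-in for Graph: throttles the first call, then serves two pages."""

    def __init__(self):
        self.calls = []
        self.throttled_once = False

    def get(self, url):
        self.calls.append(url)
        if not self.throttled_once:
            self.throttled_once = True
            return 429, {"Retry-After": "2"}, {}
        if "$skiptoken" not in url:
            return 200, {}, {"value": [{"id": "u1"}, {"id": "u2"}],
                             "@odata.nextLink": url + "?$skiptoken=page2"}
        return 200, {}, {"value": [{"id": "u3"}]}


def collect(transport, url, sleep=time.sleep, max_retries=5):
    """Return (items, waits): all objects across pages and the delays slept on 429."""
    items, waits, retries = [], [], 0
    while url:
        status, headers, body = transport.get(url)
        if status == 429:
            if retries >= max_retries:
                raise RuntimeError("throttled %d times on %s" % (max_retries, url))
            # Graph's Retry-After is authoritative; otherwise back off 1, 2, 4, ... seconds
            delay = float(headers.get("Retry-After", 2 ** retries))
            waits.append(delay)
            sleep(delay)
            retries += 1
            continue
        if status != 200:
            raise RuntimeError("HTTP %d from %s" % (status, url))
        retries = 0                      # reset once a page succeeds
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # None on the last page ends the loop
    return items, waits


if __name__ == "__main__":
    fake = FakeGraph()
    users, waits = collect(fake, "https://graph.microsoft.com/v1.0/users", sleep=lambda s: None)
    print(len(users), "users in", len(fake.calls), "calls; waited", waits)
```

Counting transport.get calls this way is also how you estimate a tenant's Graph budget: every page and every retried request is one call.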
Which report formats are supported?
PDF, HTML, JSON, Markdown. CSV in Enterprise. All can be generated via the UI or the REST API.
Can I schedule recurring scans?
Yes. Via the REST API, external cron, or the built-in scheduler (Enterprise plan) with webhook notifications on completion or regression.
What if the licence server is unreachable?
The licence is cached locally (AES-256-GCM encrypted, 48h TTL). Audits continue during the cache window. After 48h without validation, audits are blocked until the server is reachable again.
How does EntraGuard know which Microsoft features I'm paying for?
EntraGuard reads /subscribedSkus via Microsoft Graph to list every licence SKU your tenant owns (P2, M365 E5, EMS E5, etc.). It then cross-references these SKUs with an auto-updated Feature Catalog (Settings → Feature Catalog) that maps each SKU to the Zero Trust capabilities it unlocks. The 5 LIC-* rules flag paid-for features that are not activated (PIM, Cloud PKI, Access Reviews, Defender, risk-based CA).
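To make the mechanism concrete: a subscribedSku carries the SKU part number, its unit counts and a servicePlans array, and it is the service plans (not the SKU name) that say which capabilities the tenant has actually paid for. The following is an added example, not EntraGuard's Feature Catalog or LIC-* rules; the SKU payload is a constructed excerpt in the shape of GET /subscribedSkus, and CATALOG is a deliberately tiny hand-written mapping standing in for the real catalog.

```python
"""Derive paid-for Entra capabilities from GET /subscribedSkus and flag the ones
not enabled. Added example, not EntraGuard code; payload and CATALOG are constructed."""

# Constructed excerpt of GET https://graph.microsoft.com/v1.0/subscribedSkus
SUBSCRIBED_SKUS = {"value": [
    {"skuPartNumber": "SPE_E5", "capabilityStatus": "Enabled",
     "prepaidUnits": {"enabled": 500, "suspended": 0, "warning": 0},
     "servicePlans": [
         {"servicePlanName": "AAD_PREMIUM_P2", "provisioningStatus": "Success"},
         {"servicePlanName": "EXCHANGE_S_ENTERPRISE", "provisioningStatus": "Success"},
     ]},
    {"skuPartNumber": "AAD_PREMIUM", "capabilityStatus": "Suspended",   # lapsed, must not count
     "prepaidUnits": {"enabled": 0, "suspended": 50, "warning": 0},
     "servicePlans": [
         {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
     ]},
]}

# Hypothetical, illustrative catalog: service plan -> capabilities it unlocks.
CATALOG = {
    "AAD_PREMIUM":    {"conditional_access"},
    "AAD_PREMIUM_P2": {"conditional_access", "pim", "access_reviews", "risk_based_ca"},
}


def licensed_plans(skus):
    """Service plans backed by an Enabled SKU with at least one purchased unit."""
    plans = set()
    for sku in skus["value"]:
        if sku["capabilityStatus"] != "Enabled" or sku["prepaidUnits"]["enabled"] < 1:
            continue
        for plan in sku["servicePlans"]:
            if plan["provisioningStatus"] == "Success":
                plans.add(plan["servicePlanName"])
    return plans


def paid_for_features(skus, catalog=CATALOG):
    """Union of the capabilities unlocked by every licensed plan."""
    features = set()
    for plan in licensed_plans(skus):
        features |= catalog.get(plan, set())
    return features


def unused_paid_features(skus, enabled_features, catalog=CATALOG):
    """Capabilities the tenant pays for but has not turned on (a LIC-style finding)."""
    return sorted(paid_for_features(skus, catalog) - set(enabled_features))


if __name__ == "__main__":
    print("licensed plans:", sorted(licensed_plans(SUBSCRIBED_SKUS)))
    print("paid for, not enabled:", unused_paid_features(SUBSCRIBED_SKUS, {"conditional_access"}))
```

The suspended SKU is the edge case that matters: its service plans still report provisioningStatus Success, so a check keyed on service plans alone would report a feature as paid-for when the subscription has in fact lapsed.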
Which compliance frameworks are supported?
EntraGuard generates compliance reports against CIS Microsoft 365 v3.1 (15 controls), NIST 800-53 Rev5 (13 controls), ISO 27001:2022 (14 controls) and SOC 2 Type II (9 controls). Each report shows a coverage score and per-control pass/fail detail, exportable as a branded PDF.
Does EntraGuard support hybrid Active Directory?
Yes. EntraGuard includes an LDAP collector that connects to your on-premises Active Directory, collects users, groups and computers, and correlates them with Entra ID objects. 4 hybrid rules (HYB-001..004) detect blind spots: privileged AD accounts not synced, cross-boundary escalation, stale synced computers, and passwords that never expire. Configure LDAP in the Setup Wizard (collapsible section with test connection).
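Two of the hybrid blind spots above (privileged accounts that are not synced, and never-expiring passwords) come down to a userAccountControl bit and an adminCount attribute on the AD side joined against the synced accounts on the Entra side. The following is an added example, not EntraGuard's HYB rules or LDAP collector: the AD entries are constructed in the attribute-dict shape an LDAP library returns, and the synced set stands in for the onPremisesSamAccountName values of Entra users with onPremisesSyncEnabled set.

```python
"""Flag privileged AD accounts whose password never expires, and privileged AD
accounts absent from Entra ID sync. Added example, not EntraGuard code; data is constructed."""

# userAccountControl flag bits as documented by Microsoft
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000

# Server-side equivalent: the LDAP_MATCHING_RULE_BIT_AND OID selects
# users whose userAccountControl has the DONT_EXPIRE_PASSWD bit set.
NEVER_EXPIRES_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
)

# Constructed AD entries (NORMAL_ACCOUNT = 0x200)
ENTRIES = [
    {"sAMAccountName": "svc_backup", "adminCount": 1, "userAccountControl": 0x10200},  # never expires
    {"sAMAccountName": "alice",      "adminCount": 1, "userAccountControl": 0x00200},
    {"sAMAccountName": "old_admin",  "adminCount": 1, "userAccountControl": 0x10202},  # disabled
    {"sAMAccountName": "bob",        "adminCount": 0, "userAccountControl": 0x10200},  # not privileged
]

# Constructed: sAMAccountNames that Entra ID reports as synced from on-premises
SYNCED_SAMS = {"alice", "bob"}


def decode_uac(value):
    """Pull out the two userAccountControl bits these checks care about."""
    return {"disabled": bool(value & ACCOUNTDISABLE),
            "password_never_expires": bool(value & DONT_EXPIRE_PASSWD)}


def privileged_never_expiring(entries):
    """Enabled accounts with adminCount=1 whose password never expires."""
    hits = []
    for entry in entries:
        flags = decode_uac(entry["userAccountControl"])
        if (entry.get("adminCount") == 1 and flags["password_never_expires"]
                and not flags["disabled"]):
            hits.append(entry["sAMAccountName"])
    return hits


def privileged_not_synced(entries, synced_sams):
    """adminCount=1 accounts that have no synced counterpart in Entra ID."""
    return sorted(entry["sAMAccountName"] for entry in entries
                  if entry.get("adminCount") == 1
                  and entry["sAMAccountName"] not in synced_sams)


if __name__ == "__main__":
    print("never-expiring privileged:", privileged_never_expiring(ENTRIES))
    print("privileged, not synced:", privileged_not_synced(ENTRIES, SYNCED_SAMS))
```

Caveat when reusing this: adminCount=1 is set by SDProp when an account joins a protected group and is not cleared when it leaves, so it over-approximates "currently privileged"; treat it as a candidate list and confirm membership.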
What is Realtime Monitoring?
An Enterprise feature that uses Microsoft Graph change notifications to detect directory changes in near real-time. When a user, group, role or app is modified, EntraGuard automatically triggers an incremental collection, with no need to wait for a scheduled full scan. Requires an HTTPS webhook endpoint reachable by Microsoft Graph from the internet; expose only that endpoint, not the dashboard, and keep the subscription's clientState secret so forged notifications can be rejected.
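Two details of the change-notification protocol decide whether such an endpoint is safe: on subscription creation Graph posts to the URL with a validationToken query parameter and expects the decoded token echoed back as text/plain, and every later notification carries the clientState you supplied when subscribing, which the receiver must check before acting. The following is an added example, not EntraGuard's endpoint; it is framework-free (a pure function of method, URL and body) so it runs offline, and CLIENT_STATE is a constructed placeholder for the per-subscription secret.

```python
"""Handle Microsoft Graph change-notification traffic: the validationToken
handshake and clientState verification. Added example, not EntraGuard code."""
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder; in practice a random value generated per subscription
CLIENT_STATE = "constructed-secret-set-when-subscribing"


def handle(method, url, body, client_state=CLIENT_STATE):
    """Return (status, content_type, response_body, accepted_changes)."""
    query = parse_qs(urlsplit(url).query)

    # Subscription validation: echo the (URL-decoded) token as text/plain, fast.
    if "validationToken" in query:
        return 200, "text/plain", query["validationToken"][0], []

    if method != "POST":
        return 405, "text/plain", "", []

    payload = json.loads(body)
    accepted = []
    for note in payload.get("value", []):
        # Constant-time compare; drop anything not carrying our clientState.
        if not hmac.compare_digest(note.get("clientState", ""), client_state):
            continue
        # Only the identity of the changed resource is trusted; re-query Graph
        # for its current state instead of acting on resourceData.
        accepted.append((note["changeType"], note["resource"]))

    # Respond 202 immediately; queue the incremental collection asynchronously.
    return 202, "text/plain", "", accepted


if __name__ == "__main__":
    print(handle("POST", "https://hook.example/graph?validationToken=abc%20123", ""))
    sample = json.dumps({"value": [
        {"subscriptionId": "s1", "clientState": CLIENT_STATE,
         "changeType": "updated", "resource": "users/123"},
        {"subscriptionId": "s2", "clientState": "wrong",
         "changeType": "deleted", "resource": "groups/9"},
    ]})
    print(handle("POST", "https://hook.example/graph", sample))
```

Graph retries notifications that are not acknowledged with a 2xx within its timeout, so the handler does nothing slow inline; the accepted list is what a worker would turn into targeted Graph re-queries.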
"license_required" error at startup
Run the installer (curl -fsSL https://install.coderaft.io | bash), start the dashboard (cd coderaft && ./start.sh), then activate your licence key in the Setup Wizard at http://localhost:3000.
"Tenant ID is empty" when starting an audit
Entra ID credentials were not persisted correctly. Re-run the Setup Wizard or check the AZURE_* variables in .env.
Neo4j "connection refused"
Neo4j takes ~20 seconds to start, and the Docker Compose healthchecks make the other services wait for it. If the error persists once the stack is up, restart the service: docker compose restart neo4j.
Audit stuck in "queued"
The Celery worker is not running. Check docker compose ps: the celery service must show as Up. Inspect its logs with docker compose logs celery.