EntraGuard Features

Complete list of modules and capabilities.

Collection (Microsoft Graph)

EntraGuard collects via 13 dedicated async collectors with pagination, retry and rate limiting.

UserCollector

UPN, account status, user type, creation date, last sign-in, MFA status via userRegistrationDetails, registered authentication methods.

GroupCollector

Security groups, M365 groups, dynamic groups, role-assignable groups, transitive memberships, nested group loop detection.

ApplicationCollector

App registrations, required resource access, secrets/certificates, redirect URIs, non-expiring secrets, public client flags.

ServicePrincipalCollector

Active service principals, OAuth2 permission grants, app role assignments, cross-ownership with apps.

DeviceCollector

Registered devices (Intune-managed, Entra joined, hybrid joined), compliance state, OS, trust type.

RoleCollector

Directory roles, members (users, groups, SPs), PIM assignments (eligible/active, expiration), custom role definitions.

AdminUnitCollector

Administrative Units, scoped members, scoped role assignments (delegation).

ConditionalAccessCollector

All CA policies (on/off/report-only), conditions (users, apps, platforms, locations, risks), grant controls (MFA, compliance), session controls.

SubscribedSkusCollector (added in 1.6.0)

Microsoft licence SKUs owned by the tenant: plan ID, prepaid units, consumed units, capability status. Powers license-aware rules (LIC-001..005).

AuthenticationMethodsCollector (added in 1.6.0)

Tenant-level authentication methods policy: X509, FIDO2, Microsoft Authenticator, SMS, temporary access pass — enabled/disabled state per method.

AccessReviewsCollector (added in 1.6.0)

Active Access Review definitions: scope, reviewers, recurrence, auto-apply settings. Used by LIC-003 to detect unused entitlements.
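The collection layer described at the top of this section relies on two behaviours that every Graph collector has to get right: following @odata.nextLink until the last page, and honouring Retry-After when Graph throttles. The following is an added example, not EntraGuard's collector code, that isolates exactly those two behaviours behind an injectable transport so it runs offline. The ScriptedTransport, the response script and the Response dataclass are constructed here; the throttle status set and the Retry-After header are Graph's documented behaviour.

```python
"""Paged Microsoft Graph collection with throttle handling (added example)."""
import asyncio
from dataclasses import dataclass, field

GRAPH = "https://graph.microsoft.com/v1.0"
THROTTLE_STATUSES = {429, 503, 504}   # Graph signals throttling with these codes


@dataclass
class Response:
    """Minimal HTTP response shape; a real client would map its own type onto this."""
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


async def collect_all(transport, url, *, max_retries=5, sleep=asyncio.sleep):
    """Return every object from a paged Graph collection.

    `transport(url)` is an awaitable returning Response. `sleep` is injectable so
    tests do not wait for real back-off. Raises after max_retries consecutive
    throttles on the same page so a hot tenant cannot stall a scan forever.
    """
    items, retries = [], 0
    while url:
        resp = await transport(url)
        if resp.status in THROTTLE_STATUSES:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"gave up after {max_retries} retries on {url}")
            # Graph says how long to wait; fall back to exponential back-off
            delay = float(resp.headers.get("Retry-After", 2 ** retries))
            await sleep(delay)
            continue                      # retry the same page URL, not the next one
        if resp.status != 200:
            raise RuntimeError(f"HTTP {resp.status} from {url}")
        retries = 0
        items.extend(resp.body.get("value", []))
        url = resp.body.get("@odata.nextLink")   # absent on the last page
    return items


class ScriptedTransport:
    """Offline stand-in for an HTTP client: replays canned responses per URL."""

    def __init__(self, script):
        self.script = {u: list(rs) for u, rs in script.items()}
        self.calls, self.sleeps = [], []

    async def __call__(self, url):
        self.calls.append(url)
        queue = self.script[url]
        return queue.pop(0) if len(queue) > 1 else queue[0]

    async def sleep(self, seconds):
        self.sleeps.append(seconds)


# Constructed script: page 1, then a 429 on page 2, then page 2 succeeds.
PAGE2 = f"{GRAPH}/users?$top=2&$skiptoken=p2"
SCRIPT = {
    f"{GRAPH}/users?$top=2": [
        Response(200, {"value": [{"userPrincipalName": "alice@contoso.example"},
                                 {"userPrincipalName": "bob@contoso.example"}],
                       "@odata.nextLink": PAGE2})],
    PAGE2: [Response(429, headers={"Retry-After": "1"}),
            Response(200, {"value": [{"userPrincipalName": "carol@contoso.example"}]})],
}


def run_demo():
    """Collect the scripted user list; returns (UPNs, URLs requested, sleeps taken)."""
    t = ScriptedTransport(SCRIPT)
    users = asyncio.run(collect_all(t, f"{GRAPH}/users?$top=2", sleep=t.sleep))
    return [u["userPrincipalName"] for u in users], t.calls, t.sleeps


def run_exhaustion_demo(max_retries=2):
    """A page that never stops throttling: returns how many back-offs ran before giving up."""
    t = ScriptedTransport({"u": [Response(429, headers={"Retry-After": "0"})]})
    try:
        asyncio.run(collect_all(t, "u", max_retries=max_retries, sleep=t.sleep))
    except RuntimeError:
        return len(t.sleeps)
    return -1
```

The point worth checking in any collector is that a throttled request is retried at the same URL (page 2 is requested twice above) and that the retry budget is bounded; a collector that retries forever turns a tenant-wide throttle into a hung audit.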

License Optimization

5 license-aware rules cross-check your tenant's purchased Microsoft SKUs against the Zero Trust capabilities they unlock. Flags paid-for features that were never activated.

LIC-001 — PIM not configured (HIGH)

Tenant owns Entra ID P2, Microsoft 365 E5 or EMS E5 but PIM has no eligible role assignments. Privileged Identity Management is paid for but unused.

LIC-002 — Cloud PKI unused (MEDIUM)

Tenant owns Microsoft 365 E5 (ships Microsoft Cloud PKI) but X509Certificate authentication method is disabled.

LIC-003 — Access Reviews unused (MEDIUM)

Tenant owns P2/E5/EMS E5 but has no active Access Review definition. Periodic attestation is unconfigured.

LIC-004 — Premium seats under-utilised (INFO)

More than 50% of prepaid seats on a premium SKU (P2, M365 E5, EMS E5) are unassigned.

LIC-005 — Privileged user without PIM licence (HIGH)

A user holds a privileged directory role but lacks any licence granting PIM access (P2, M365 E5, EMS E5).
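How the five licence rules cross-check SKU data against the features they unlock, as an added example rather than EntraGuard's rule engine. The input shapes follow the Graph objects the collectors above return (subscribedSkus, PIM eligibility schedules, accessReviewScheduleDefinitions, the authenticationMethodsPolicy, role membership and per-user licence assignments), but all data here is constructed. The skuPartNumber mapping (AAD_PREMIUM_P2, SPE_E5 for Microsoft 365 E5, EMSPREMIUM for EMS E5), the set of roles treated as privileged and the access-review status values counted as active are this example's assumptions to verify against your own tenant.

```python
"""Licence-aware rule evaluation in the spirit of LIC-001..005 (added example)."""
from dataclasses import dataclass

# Assumption: skuPartNumber values for Entra ID P2, Microsoft 365 E5 and EMS E5.
PIM_SKUS = {"AAD_PREMIUM_P2", "SPE_E5", "EMSPREMIUM"}
CLOUD_PKI_SKUS = {"SPE_E5"}                              # as the feature page states
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}            # illustrative subset
ACTIVE_REVIEW_STATUSES = {"NotStarted", "InProgress"}    # assumption about status values
UNDERUSE_THRESHOLD = 0.5                                 # LIC-004: >50% seats unassigned


@dataclass
class Finding:
    rule: str
    severity: str
    subject: str
    detail: str


def license_findings(skus, pim_eligible, access_reviews, auth_methods,
                     role_members, user_licenses):
    """Evaluate the five licence rules over collected tenant data."""
    owned = {s["skuPartNumber"] for s in skus if s.get("capabilityStatus") == "Enabled"}
    pim_licensed = owned & PIM_SKUS
    findings = []

    # LIC-001: PIM paid for, nobody eligible for anything
    if pim_licensed and not pim_eligible:
        findings.append(Finding("LIC-001", "HIGH", "tenant",
                                f"PIM licensed via {sorted(pim_licensed)} but no eligible assignments"))

    # LIC-002: Cloud PKI paid for, certificate-based auth switched off
    x509 = auth_methods.get("x509Certificate", {}).get("state")
    if owned & CLOUD_PKI_SKUS and x509 != "enabled":
        findings.append(Finding("LIC-002", "MEDIUM", "tenant",
                                f"Cloud PKI licensed but X509Certificate method state is {x509!r}"))

    # LIC-003: no review definition that is still running
    if pim_licensed and not any(r.get("status") in ACTIVE_REVIEW_STATUSES for r in access_reviews):
        findings.append(Finding("LIC-003", "MEDIUM", "tenant", "no active Access Review definition"))

    # LIC-004: premium seats bought but mostly unassigned
    for s in skus:
        if s["skuPartNumber"] not in pim_licensed:
            continue
        enabled = s["prepaidUnits"]["enabled"]
        if enabled and (enabled - s["consumedUnits"]) / enabled > UNDERUSE_THRESHOLD:
            findings.append(Finding("LIC-004", "INFO", s["skuPartNumber"],
                                    f"{s['consumedUnits']}/{enabled} seats assigned"))

    # LIC-005: privileged role holder with no licence that includes PIM
    for role, members in role_members.items():
        if role not in PRIVILEGED_ROLES:
            continue
        for upn in members:
            if not user_licenses.get(upn, set()) & PIM_SKUS:
                findings.append(Finding("LIC-005", "HIGH", upn,
                                        f"holds {role} without a PIM-capable licence"))
    return findings


# Constructed tenant: P2 bought for 100 seats with 30 used, E5 nearly fully used,
# no PIM eligibility, only a completed review, X509 off, one unlicensed GA.
SAMPLE_SKUS = [
    {"skuPartNumber": "AAD_PREMIUM_P2", "capabilityStatus": "Enabled",
     "prepaidUnits": {"enabled": 100}, "consumedUnits": 30},
    {"skuPartNumber": "SPE_E5", "capabilityStatus": "Enabled",
     "prepaidUnits": {"enabled": 20}, "consumedUnits": 18},
]
SAMPLE_PIM_ELIGIBLE = []
SAMPLE_REVIEWS = [{"displayName": "Quarterly GA review", "status": "Completed"}]
SAMPLE_AUTH_METHODS = {"x509Certificate": {"state": "disabled"}}
SAMPLE_ROLE_MEMBERS = {"Global Administrator": ["ga@contoso.example", "breakglass@contoso.example"],
                       "User Administrator": ["help@contoso.example"]}
SAMPLE_USER_LICENSES = {"ga@contoso.example": {"SPE_E5"},
                        "breakglass@contoso.example": set(),
                        "help@contoso.example": set()}


def demo():
    return license_findings(SAMPLE_SKUS, SAMPLE_PIM_ELIGIBLE, SAMPLE_REVIEWS,
                            SAMPLE_AUTH_METHODS, SAMPLE_ROLE_MEMBERS, SAMPLE_USER_LICENSES)
```

Two caveats a practitioner would add before trusting such output: capabilityStatus must be checked, since a suspended or expired SKU still appears in subscribedSkus, and LIC-005 should be evaluated against the user's effective licences (direct plus group-based), not just direct assignments.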

Feature Catalog

Built-in Zero Trust reference mapping Microsoft SKUs to capabilities per pillar (Verify Explicitly, Least Privilege, Assume Breach). Auto-updated weekly, manual refresh, semver-aware versioning. Available under Settings → Feature Catalog.

Compliance Reports

Generate compliance reports against 4 industry frameworks. Each report maps EntraGuard findings to framework controls with a coverage score and per-control pass/fail detail. Export as branded PDF.

CIS Microsoft 365 v3.1

15 controls covering identity, access management, authentication policies and conditional access.

NIST 800-53 Rev5

13 controls across access control (AC), identification & authentication (IA) and audit (AU) families.

ISO 27001:2022

14 controls from Annex A: access control, cryptography, operations security, identity management.

SOC 2 Type II

9 controls covering security, availability and confidentiality trust service criteria.

Per-finding PDF export

Export any individual finding as a branded PDF. Includes severity, evidence, affected resources, MITRE ATT&CK mapping, compliance framework references and step-by-step remediation (Entra admin center, PowerShell, Graph API). Useful for sharing specific findings with remediation owners without exposing the full audit report.

LDAP Hybrid AD Analysis

On-premises Active Directory collector via LDAP. Collects AD users, groups and computers, then correlates them with Entra ID objects via SYNCED_TO_ENTRA bridge relationships in Neo4j.

HYB-001 — Privileged AD account not synced (HIGH)

On-prem AD account with Domain Admin or Enterprise Admin membership is not synced to Entra ID, creating a blind spot in cloud audit.

HYB-002 — Cross-boundary privilege escalation (HIGH)

A synced user holds privileged roles in both on-prem AD and Entra ID, creating cross-boundary escalation risk.

HYB-003 — Stale synced computers (MEDIUM)

AD computer accounts synced to Entra ID that have not logged in for 90+ days.

HYB-004 — Password never expires (MEDIUM)

AD user accounts synced to Entra ID with “password never expires” flag set.
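HYB-003 and HYB-004 both come down to decoding raw AD attributes correctly: lastLogonTimestamp is a Windows FILETIME (100-nanosecond ticks since 1601-01-01) and "password never expires" is the DONT_EXPIRE_PASSWORD bit of userAccountControl. The following added example, not EntraGuard's LDAP collector, evaluates both rules over constructed records shaped like the string-valued attributes an LDAP library returns. The `synced` flag stands in for the SYNCED_TO_ENTRA relationship the page describes; excluding disabled accounts from HYB-004 is this example's choice.

```python
"""HYB-003 / HYB-004 style checks over raw AD attributes (added example)."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit values as documented by Microsoft
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
STALE_DAYS = 90
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Decode a FILETIME string; 0 means the attribute was never set (never logged on)."""
    ticks = int(value)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, used here only to build realistic sample records."""
    return str(((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)


def hybrid_findings(users, computers, now):
    """Return (rule, severity, sAMAccountName, detail) tuples for synced objects."""
    findings = []
    for c in computers:
        if not c["synced"]:
            continue
        # lastLogonTimestamp replicates lazily (up to 14 days behind), which is
        # fine for a 90-day staleness test but too coarse for anything tighter.
        last = filetime_to_datetime(c.get("lastLogonTimestamp", "0"))
        if last is None or (now - last) >= timedelta(days=STALE_DAYS):
            findings.append(("HYB-003", "MEDIUM", c["sAMAccountName"],
                             "never logged on" if last is None else f"last logon {last.date()}"))
    for u in users:
        if not u["synced"]:
            continue
        uac = int(u["userAccountControl"])
        if uac & DONT_EXPIRE_PASSWORD and not uac & ACCOUNTDISABLE:
            findings.append(("HYB-004", "MEDIUM", u["sAMAccountName"],
                             f"userAccountControl=0x{uac:x}"))
    return findings


# Constructed directory snapshot evaluated at a fixed "now"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_utc = lambda *ymd: datetime(*ymd, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "WS-OLD$", "synced": True,
     "lastLogonTimestamp": datetime_to_filetime(_utc(2024, 1, 15))},   # 138 days: stale
    {"sAMAccountName": "WS-NEW$", "synced": True,
     "lastLogonTimestamp": datetime_to_filetime(_utc(2024, 5, 20))},   # 12 days: fine
    {"sAMAccountName": "SRV-ONPREM$", "synced": False,
     "lastLogonTimestamp": datetime_to_filetime(_utc(2023, 1, 1))},    # not synced: out of scope
    {"sAMAccountName": "WS-NEVER$", "synced": True, "lastLogonTimestamp": "0"},
]
SAMPLE_USERS = [
    {"sAMAccountName": "svc-backup", "synced": True, "userAccountControl": "66048"},   # 0x10200
    {"sAMAccountName": "alice", "synced": True, "userAccountControl": "512"},          # 0x200
    {"sAMAccountName": "bob", "synced": True, "userAccountControl": "66050"},          # 0x10202 disabled
    {"sAMAccountName": "contractor", "synced": False, "userAccountControl": "66048"},
]


def demo():
    return hybrid_findings(SAMPLE_USERS, SAMPLE_COMPUTERS, NOW)
```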

Realtime Monitoring (Enterprise)

Microsoft Graph change notifications detect directory changes (user, group, role, app modifications) in near real-time. A webhook receiver with Redis debouncing triggers automatic incremental collection via Celery tasks. Subscription renewal is managed by Celery Beat, since Graph subscriptions on directory resources have a bounded lifetime (under 30 days for user and group resources) and stop delivering silently if not renewed. Enables continuous security posture monitoring without scheduled full scans.
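The security-relevant part of a change-notification receiver is not the transport but two checks: echoing validationToken during subscription creation (otherwise Graph refuses to create the subscription) and rejecting any notification whose clientState does not match the secret set on the subscription, so a forged POST cannot drive collection. The following is an added example, not EntraGuard's webhook code. The framework-neutral `handle(method, query, body, now)` signature, the 30-second window and the dictionary-backed Debouncer (standing in for a Redis key with a TTL) are this example's choices; the handshake and the notification JSON shape are Graph's.

```python
"""Graph change-notification receiver with clientState check and debouncing (added example)."""
import hmac
import json
import time


class Debouncer:
    """Collapses repeated notifications for one resource inside `window` seconds.
    Equivalent Redis idiom: SET debounce:<resource> 1 NX EX <window>."""

    def __init__(self, window_seconds=30):
        self.window = window_seconds
        self._expiry = {}

    def should_trigger(self, resource, now):
        if self._expiry.get(resource, 0) > now:
            return False
        self._expiry[resource] = now + self.window
        return True


class Receiver:
    def __init__(self, client_state, debouncer, enqueue):
        self.client_state = client_state.encode()   # secret chosen at subscription time
        self.debouncer = debouncer
        self.enqueue = enqueue                      # stand-in for a Celery task's .delay()

    def handle(self, method, query, body, now=None):
        """Return (status, content_type, body) for one inbound request."""
        now = time.time() if now is None else now
        if method != "POST":
            return 405, "text/plain", "method not allowed"
        # 1. Subscription validation: Graph POSTs ?validationToken=... and expects the
        #    token echoed back as text/plain with HTTP 200 within 10 seconds.
        if "validationToken" in query:
            return 200, "text/plain", query["validationToken"]
        # 2. Notifications arrive as {"value": [...]}; Graph expects a fast 202.
        try:
            payload = json.loads(body) if isinstance(body, (str, bytes)) else body
            notifications = payload["value"]
        except (ValueError, KeyError, TypeError):
            return 400, "text/plain", "bad payload"
        accepted = 0
        for n in notifications:
            # 3. Authenticate the sender: only Graph knows the clientState we registered.
            presented = str(n.get("clientState", "")).encode()
            if not hmac.compare_digest(presented, self.client_state):
                continue        # drop silently; never let an unauthenticated POST trigger work
            accepted += 1
            resource = n.get("resource", "")
            if self.debouncer.should_trigger(resource, now):
                self.enqueue(resource, n.get("changeType"))
        return 202, "text/plain", f"accepted {accepted}"


def _notification(client_state, resource):
    """Constructed notification body in Graph's shape."""
    return json.dumps({"value": [{"subscriptionId": "sub-1", "clientState": client_state,
                                  "changeType": "updated", "resource": resource,
                                  "resourceData": {"@odata.type": "#Microsoft.Graph.User"}}]})


def run_demo():
    """Handshake, a burst on one user, a forged notification, then a fresh window."""
    queued = []
    r = Receiver("s3cret-from-subscription", Debouncer(30),
                 lambda res, change: queued.append((res, change)))
    t0 = 1_700_000_000
    results = [
        r.handle("POST", {"validationToken": "abc123"}, "", t0),
        r.handle("POST", {}, _notification("s3cret-from-subscription", "users/u1"), t0 + 1),
        r.handle("POST", {}, _notification("s3cret-from-subscription", "users/u1"), t0 + 5),
        r.handle("POST", {}, _notification("wrong-secret", "users/u2"), t0 + 6),
        r.handle("POST", {}, _notification("s3cret-from-subscription", "users/u1"), t0 + 40),
    ]
    return results, queued
```

Two of the four notifications for users/u1 reach the queue (the one inside the 30-second window is absorbed), and the forged one is counted as accepted 0 but still answered with 202, so the sender learns nothing from the response.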

Analysis — rule engines

DangerousPermissionsRule

Apps with Directory.ReadWrite.All or RoleManagement.ReadWrite.Directory, service principals with dangerous scopes, non-admin users with elevated roles, non-expiring secrets.

PIMMisconfigRule

Permanent assignments on privileged roles, roles without PIM, too many active holders, role-assignable groups with non-PIM membership.

CAGapsRule

Admin accounts without mandatory MFA, CA policies stuck in report-only, excessive user exemptions, missing "block legacy auth" and "require MFA for risky sign-ins" policies.

StaleAccountsRule

Active users not signed in for 90/180/365 days, inactive guest accounts, unused service principals, apps with expired secrets.

AttackPathsRule

Privilege escalation chains via Neo4j graph traversal: User → OwnedApp → PrivilegedGroup → GlobalAdmin, Guest → Group → Role, SP → Directory.ReadWrite.All → GA, device compliance abuse → CA bypass.

MITRE ATT&CK mapping

Every finding is mapped to MITRE ATT&CK Cloud Matrix tactics and techniques:

  • TA0001 Initial Access (T1078.004 Cloud Accounts)
  • TA0003 Persistence (T1098.001, T1098.003)
  • TA0004 Privilege Escalation (T1484.002, T1098.005)
  • TA0005 Defense Evasion (T1548.005)
  • TA0008 Lateral Movement (T1550.001 Application Access Token)

Attack graph (Neo4j)

Node types

User, Group, Application, ServicePrincipal, Role, Device, AdminUnit, Tenant

Edge types

MEMBER_OF, OWNS, ASSIGNED_ROLE, HAS_PERMISSION, IN_AU, SCOPED_ADMIN, RESETS_PASSWORD_OF, CAN_IMPERSONATE

Built-in queries: all paths to Global Admin, transitive access to sensitive apps, role-assignable groups with guests, shortest path between nodes. Interactive viewer with Cypher query builder and PNG/SVG export.
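What the AttackPathsRule and the "all paths to Global Admin" query do is a bounded shortest-path search over the node and edge types listed above. The following added example, not EntraGuard's Neo4j code, builds a small constructed graph with those edge names and runs the search in plain Python so the logic can be read without a database; the Cypher in the docstring is an illustrative equivalent written for this example. The node names, the choice of GA as the target and the six-hop limit are assumptions.

```python
"""Attack-path search over an Entra-style graph (added example).

Illustrative Cypher equivalent, assuming a Role node for Global Administrator:
    MATCH p = shortestPath(
        (s)-[:MEMBER_OF|OWNS|ASSIGNED_ROLE|HAS_PERMISSION|SCOPED_ADMIN|RESETS_PASSWORD_OF|CAN_IMPERSONATE*1..6]
        ->(r:Role {name: 'Global Administrator'}))
    WHERE s:User OR s:ServicePrincipal
    RETURN p
"""
from collections import deque

TRAVERSABLE = {"MEMBER_OF", "OWNS", "ASSIGNED_ROLE", "HAS_PERMISSION", "SCOPED_ADMIN",
               "RESETS_PASSWORD_OF", "CAN_IMPERSONATE"}

# Constructed graph: node id -> type, and (src, relationship, dst) edges.
NODES = {"alice": "User", "guest-bob": "User", "app-ops": "ServicePrincipal",
         "sp-sync": "ServicePrincipal", "PrivAdmins": "Group", "Helpdesk": "Group",
         "GA": "Role", "SecReader": "Role", "tenant": "Tenant"}
EDGES = [
    ("alice", "OWNS", "app-ops"),              # owner can add a credential and act as the SP
    ("app-ops", "MEMBER_OF", "PrivAdmins"),    # role-assignable group
    ("PrivAdmins", "ASSIGNED_ROLE", "GA"),
    ("guest-bob", "MEMBER_OF", "Helpdesk"),
    ("Helpdesk", "ASSIGNED_ROLE", "SecReader"),
    ("sp-sync", "HAS_PERMISSION", "GA"),       # RoleManagement.ReadWrite.Directory: can grant itself GA
]


def adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(adj, start, target, max_depth=6):
    """Breadth-first search; returns the hops as (src, rel, dst) or None if unreachable."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if len(path) >= max_depth:
            continue
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def paths_to_global_admin(nodes=NODES, edges=EDGES, target="GA",
                          start_types=("User", "ServicePrincipal")):
    """Map every principal that can reach `target` to its shortest path."""
    adj = adjacency(edges)
    result = {}
    for node, ntype in nodes.items():
        if ntype in start_types and node != target:
            path = shortest_path(adj, node, target)
            if path:
                result[node] = path
    return result


def render(path):
    """Human-readable form: alice -[OWNS]-> app-ops -[MEMBER_OF]-> ..."""
    return path[0][0] + "".join(f" -[{rel}]-> {dst}" for _, rel, dst in path)
```

Run against the constructed graph this reports three principals: alice via the owned app and the role-assignable group (the User → OwnedApp → PrivilegedGroup → GlobalAdmin chain from the rule description), app-ops directly through the group, and sp-sync through its directory-role permission; guest-bob only reaches a reader role and is not listed.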

Scoring & grading

  • Score 0–100 weighted on: finding criticality (Critical x10, High x5, Medium x2, Low x1), viable attack paths, admin surface, MFA posture, CA posture
  • Grade: A (≥90), B (≥75), C (≥60), D (≥40), F (<40)
  • Breakdown by category: Identity, Privileged Access, Conditional Access, Applications, Devices, Governance
  • Score delta: difference between two audits — new findings, resolved findings, score drift, attack path evolution

Reports

Formats

  • PDF — executive summary + detailed findings
  • HTML — portable, inline CSS
  • JSON — SIEM / ticketing integration
  • Markdown — internal documentation
  • CSV (Enterprise) — Excel / Power BI

Content

  • Cover page (date, tenant, grade)
  • Executive summary
  • Top risks prioritised
  • Findings by severity / category
  • Attack paths with MITRE mapping
  • Remediation steps per finding

Remediation tutorials

Each finding includes step-by-step remediation via the Entra admin center, PowerShell / Microsoft Graph SDK equivalent, Graph API (HTTP method + payload) and references to Microsoft docs, CIS benchmarks and MITRE.

API & automation

  • REST API: /api/v1 (internal) and /export/v1 (Enterprise exports)
  • Scheduler (Enterprise) — cron-based recurring audits with notifications
  • Webhooks (Enterprise) — Slack, Microsoft Teams, generic HTTP JSON
  • Multi-tenant (Enterprise) — up to 10 Entra ID tenants, row-level isolation, aggregated MSP scores
  • SIEM integrations (Enterprise) — Splunk, Sentinel, Elastic, QRadar

Product security

  • Non-root users in containers
  • API keys stored as SHA-256 hashes, timing-safe comparison
  • Entra ID credentials encrypted AES-GCM in database
  • Licence files signed with RSA-2048 (PKCS#1 v1.5 padding, SHA-256)
  • No telemetry — structured logs with secret redaction
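The API-key item above describes a pattern worth seeing end to end: the server never stores the key, only its SHA-256 digest, and compares digests with a constant-time function so a wrong key cannot be distinguished from a nearly-right one by response timing. This is an added example, not EntraGuard's code; the key format (prefix, public key id, random secret) and the in-memory store are this example's assumptions.

```python
"""API-key issuance and verification: hash at rest, timing-safe compare (added example)."""
import hashlib
import hmac
import secrets

NULL_DIGEST = "0" * 64   # compared against when the key id is unknown, so timing is uniform


def generate_api_key(prefix="eg"):
    """Return (key to show the user exactly once, record to persist).

    The key id is public and lets the server find the record without needing
    the secret; the secret is 256 bits from the OS CSPRNG and is never stored.
    """
    key_id = secrets.token_hex(4)
    key = f"{prefix}_{key_id}_{secrets.token_urlsafe(32)}"
    return key, {"key_id": key_id, "sha256": hashlib.sha256(key.encode()).hexdigest()}


def verify_api_key(presented, store):
    """True only if the presented key's digest matches the stored one for its key id."""
    try:
        _prefix, key_id, _secret = presented.split("_", 2)
    except ValueError:
        return False
    record = store.get(key_id)
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Always run the comparison, even for an unknown id, so a missing record
    # costs the same as a wrong secret.
    expected = record["sha256"] if record else NULL_DIGEST
    return hmac.compare_digest(digest, expected) and record is not None


def demo():
    """Issue a key, store only its hash, then check a valid, a tampered and a malformed key."""
    store = {}
    key, record = generate_api_key()
    store[record["key_id"]] = record
    tampered = key[:-1] + ("A" if key[-1] != "A" else "B")
    return {"valid": verify_api_key(key, store),
            "tampered": verify_api_key(tampered, store),
            "malformed": verify_api_key("nounderscores", store),
            "stored_plaintext": key in str(store)}
```

SHA-256 without a salt is appropriate here precisely because the secret part of the key is 256 random bits: the hash only has to prevent disclosure of the key if the table leaks, and brute force against that entropy is infeasible, which is not true of user-chosen passwords.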