← Back to home

New Client Setup

Grant permissions for your Microsoft 365 tenant

M365 Security Advisor is a multi-tenant application. A Microsoft 365 administrator must grant organization-wide consent before your team can run security scans against your tenant.

1

Confirm you are a Global Administrator

Only a Global Administrator (or a role with permission to grant admin consent) can approve access for the entire organization. If you are not an admin, forward this page to your IT team.

2

Grant admin consent

Sign in, then start admin consent from this server-protected flow. Microsoft will return to this page with callback parameters that are validated against your signed-in session before any success message is shown.

Sign in with Microsoft before starting admin consent.

3

Sign in and run your first scan

After validated consent succeeds, sign in with a work account from the same tenant. Open the dashboard and start a new security scan. Scan history is stored separately for each Microsoft 365 tenant.

Go to dashboard →

Permissions requested

The app reads Microsoft 365 configuration and security posture data via Microsoft Graph — including identity, Exchange, SharePoint, Teams, Intune, Defender, audit logs, and Microsoft Purview data protection (DLP policies and sensitivity labels). No data is modified during a scan.

  • InformationProtectionPolicy.Read.All (Application) — required for DLP policy and sensitivity label checks
  • SecurityComplianceCenter.Read.All (Application, if available) — optional for extended Purview compliance APIs

Application (client) ID: 544b9598-79f9-4e91-ba2b-c4c97f8c7533

Admin consent redirect URI

Consent is initiated server-side at /api/admin-consent/initiate. The redirect URI registered in Entra remains:

https://audit-app-kappa-ten.vercel.app/onboarding