New Client Setup
Grant permissions for your Microsoft 365 tenant
M365 Security Advisor is a multi-tenant application. A Microsoft 365 administrator must grant organization-wide consent before your team can run security scans against your tenant.
Confirm you are a Global Administrator
Only a Global Administrator (or a role with permission to grant admin consent) can approve access for the entire organization. If you are not an admin, forward this page to your IT team.
Grant admin consent
Sign in, then start admin consent from this server-protected flow. Microsoft will return to this page with callback parameters that are validated against your signed-in session before any success message is shown.
Sign in with Microsoft before starting admin consent.
Sign in and run your first scan
After validated consent succeeds, sign in with a work account from the same tenant. Open the dashboard and start a new security scan. Scan history is stored separately for each Microsoft 365 tenant.
Go to dashboard →Permissions requested
The app reads Microsoft 365 configuration and security posture data via Microsoft Graph — including identity, Exchange, SharePoint, Teams, Intune, Defender, audit logs, and Microsoft Purview data protection (DLP policies and sensitivity labels). No data is modified during a scan.
- InformationProtectionPolicy.Read.All (Application) — required for DLP policy and sensitivity label checks
- SecurityComplianceCenter.Read.All (Application, if available) — optional for extended Purview compliance APIs
Application (client) ID: 544b9598-79f9-4e91-ba2b-c4c97f8c7533
Admin consent redirect URI
Consent is initiated server-side at /api/admin-consent/initiate. The redirect URI registered in Entra remains:
https://audit-app-kappa-ten.vercel.app/onboarding