Everything you need to know about how EntraSight accesses your Microsoft environment — and what we never do.
EntraSight connects to your Microsoft Entra tenant using read-only Microsoft Graph API permissions. Here's exactly what we request and why:
| Permission | What it does | Why we need it |
|---|---|---|
| Application.Read.All | Read app registrations and their credentials | To detect expiring secrets and certificates |
| Directory.Read.All | Read basic tenant directory info | To resolve app display names and owner UPNs |
| AuditLog.Read.All | Read sign-in audit logs | To detect inactive/orphaned credentials (optional, can be skipped) |
| Mail.Send (our tenant only) | Send email from alerts@entrasight.com | To deliver expiry alert emails to your team |
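As an added illustration of what the read-only Application.Read.All data is used for (example code, not EntraSight's own), the following walks the passwordCredentials and keyCredentials arrays that Microsoft Graph returns for each application and flags anything already expired or expiring within a window. The application objects below are constructed samples; the field names follow the Graph application resource, and "now" is passed in explicitly so the check is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Graph GET /applications response
# (only the fields used here). Not data from any real tenant.
SAMPLE_APPLICATIONS = [
    {
        "displayName": "Payroll Sync",
        "appId": "00000000-0000-0000-0000-000000000001",
        "passwordCredentials": [
            {"keyId": "k1", "displayName": "prod-secret", "endDateTime": "2030-06-01T00:00:00Z"},
            {"keyId": "k2", "displayName": "legacy", "endDateTime": "2030-05-10T00:00:00Z"},
        ],
        "keyCredentials": [
            {"keyId": "c1", "displayName": "CN=payroll", "endDateTime": "2029-12-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "Reporting Bot",
        "appId": "00000000-0000-0000-0000-000000000002",
        "passwordCredentials": [],
        # Graph may emit 7-digit fractional seconds; the parser below tolerates that.
        "keyCredentials": [
            {"keyId": "c2", "displayName": None, "endDateTime": "2030-05-20T12:00:00.1234567Z"},
        ],
    },
]
SAMPLE_NOW = datetime(2030, 5, 1, tzinfo=timezone.utc)  # fixed "now" for the sample run


def parse_graph_datetime(value: str) -> datetime:
    """Parse Graph's ISO 8601 UTC timestamps; fractional seconds are dropped."""
    value = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def find_expiring_credentials(applications, now, within_days=30):
    """Return secrets/certificates that have expired or expire within within_days, soonest first."""
    cutoff = now + timedelta(days=within_days)
    findings = []
    for app in applications:
        for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(field, []):
                end = parse_graph_datetime(cred["endDateTime"])
                if end <= cutoff:
                    findings.append({
                        "app": app["displayName"], "appId": app["appId"], "kind": kind,
                        "keyId": cred["keyId"], "name": cred.get("displayName") or "(unnamed)",
                        "daysLeft": (end - now).days, "expired": end <= now,
                    })
    return sorted(findings, key=lambda f: f["daysLeft"])


def run_sample():
    return find_expiring_credentials(SAMPLE_APPLICATIONS, SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        state = "EXPIRED" if f["expired"] else f"{f['daysLeft']}d left"
        print(f"{f['app']}: {f['kind']} {f['name']} ({f['keyId']}) {state}")
```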
- We never create, modify, or delete any resource in your Entra environment.
- We never see or store your users' passwords or your tenant admin credentials.
- We only read app registrations, not user accounts, emails, or personal data.
- Your tenant data is never shared with or sold to third parties.
- All tenant data is deleted within 30 days of account closure.
- We only use official Microsoft Graph API endpoints.
Scan results are stored in Azure Database for PostgreSQL, encrypted at rest with AES-256. Data is logically isolated per customer.
All infrastructure runs in Azure West US 3 — the same cloud platform as your Microsoft 365 environment.
Credential scan data is retained for 30 days for trend analysis. Sign-in activity data mirrors Microsoft's 90-day audit log window.