Microsoft 365 Identity Security

Your Microsoft 365 tenant has identity gaps.
Find them in minutes.

Cloud Locksmith scans for MFA gaps, dormant accounts, admin overexposure, and policy failures — then shows you exactly what to fix. Read-only scan. No credentials stored. No changes made.

Run Free Security Scan
Under 2 minutes  ·  Read-only  ·  No setup required
Read-only scan  ·  No changes made  ·  No credentials stored  ·  Full audit log
  • Uses Microsoft OAuth: Standard enterprise authentication — no password ever shared with us
  • Read-only preview mode: The scan cannot modify anything in your tenant
  • No emails or files: We only read identity and policy data — never content
  • No changes without approval: Write access requires an explicit admin upgrade after review

Identity is how most attacks get into Microsoft 365

Attackers target credentials, not infrastructure

Most Microsoft 365 breaches start with a compromised account — not malware or zero-days. Weak MFA, dormant accounts, and excess privileges are the real attack surface.

The controls exist — they're just not configured

Microsoft 365 includes Conditional Access, MFA enforcement, and audit logs. Most SMBs have them partially set up at best. The gaps are invisible until they're exploited.

Nobody monitors this continuously at SMB scale

Identity risks drift — new admins, dormant users, changed policies. A one-time setup is never enough. Most teams don't notice drift until an auditor or incident surfaces it.

Cloud Locksmith is not a replacement for Microsoft's own tools — it helps you get full value from the security controls already built into your subscription.

Identity risks are invisible until they're not.

The biggest threats to your Microsoft 365 tenant aren't sophisticated zero-days. They're the identity gaps already sitting inside it — MFA not enforced, former employees still active, admins with unchecked privileges.

These gaps rarely trigger alerts. They stay invisible until someone exploits them, an auditor finds them, or a policy mistake leaves you locked out with no fast path back.
  • AUTH
    Users without MFA: A single unprotected account is all it takes for a full tenant compromise.
  • ACCESS
    Former employees with active access: Offboarded users still holding live credentials — often for months after leaving.
  • PRIV
    Too many Global Admins: Privilege creep grows faster than any team can manually audit it.
  • OPS
    No rollback for config mistakes: One wrong policy change can lock out your team with no fast path back.

From sign-in to findings in under 2 minutes

No agents to install. No configuration required. Connect your tenant and see your real identity risks instantly.

01

Connect with Microsoft

Sign in using Microsoft's secure OAuth flow. We never see or store your password.

02

Scan your tenant

Cloud Locksmith reads your tenant in read-only mode — users, auth methods, policies, sign-in logs.

03

See your risks

MFA gaps, dormant accounts, admin overexposure, and policy gaps ranked by severity.

04

Fix if needed (optional)

Remediation requires an explicit admin upgrade. Nothing changes without your direct approval.

Six risk categories. All of them exploited in the wild.

These are the gaps attackers look for first. Most SMBs have at least three of them — and don't know it.

  • Users without MFA protection: One unprotected account is enough for a full tenant breach. We surface every account missing MFA registration.
  • Former employees still holding access: Offboarded users often remain active for months. We flag every account with no recent sign-in activity.
  • Too many accounts with Global Admin: Each Global Admin is a full-tenant takeover risk if compromised. Excess privileged roles are flagged immediately.
  • Users bypassing Conditional Access: Any user or app not covered by a policy authenticates without your org's access controls applying.
  • Third-party apps with excessive permissions: OAuth grants accumulate silently. We identify apps holding access far beyond what they need.
  • Guests and consent misconfigurations: Guest users and open consent settings quietly expand your attack surface over time.

This is what your scan returns

Findings are ranked by severity and include context — not just flags. Here's what a typical SMB tenant scan surfaces.

scan-results · contoso.onmicrosoft.com

HIGH · 3 issues
  • 7 accounts have no MFA registered: Each can be compromised with only a password — no second factor required.
  • 4 Global Admin accounts (expected: 1–2 for this tenant size): Every Global Admin is a full-tenant takeover risk if their account is breached.
  • Legacy authentication enabled tenant-wide: Bypasses Conditional Access entirely. Actively used in credential spray campaigns.

MEDIUM · 2 issues
  • 12 inactive accounts (no sign-in in over 90 days): Likely former employees or unused service accounts still holding active access.
  • 3 users not covered by any Conditional Access policy: These accounts bypass your org's login controls entirely.

LOW · 1 issue
  • 8 guest users with no access review or expiry set: Guests accumulate over time. Each represents potential exposure without active review.

Example output — representative of what we typically surface in a real scan.

Preview Mode

Safe to Try

The free scan is strictly read-only. See your real risks without any commitment or risk to your tenant.

  • Admin consent required: Microsoft's OAuth prompts your admin to review the exact permissions before the scan starts — you see exactly what's being requested.
  • Technically read-only: All scopes requested are read-only. The scan cannot modify your tenant — this is enforced at the API level, not just policy.
  • Findings only, no actions taken: The scan surfaces what's wrong. Acting on it requires a separate admin upgrade. Nothing happens automatically.
  • No credentials stored: We use Microsoft OAuth. Your password never touches our systems. Access is scoped to the session only.

Exactly what we access — and what we don't

The exact Microsoft Graph API scopes requested in Preview Mode — nothing more. If a scope isn't listed here, we don't have it.

Preview Mode reads

  • User.Read.All (Enumerate user accounts): Detects MFA gaps and identifies inactive or unmanaged users.
  • Directory.Read.All (Read tenant structure): Reads groups, organizational units, and directory objects.
  • UserAuthenticationMethod.Read.All (Check MFA status per user): Reads which authentication methods each account has registered.
  • Policy.Read.All (Read access policies): Checks Conditional Access policy coverage and configuration gaps.
  • RoleManagement.Read.Directory (Audit role assignments): Identifies accounts holding privileged admin roles.
  • AuditLog.Read.All (Read sign-in logs): Detects dormant accounts and suspicious sign-in activity.

We never access

  • Your Microsoft password: OAuth tokens only — password never passes through our system
  • Emails or messages: No Mail.Read or similar content scopes are requested
  • Files or documents: No Files.Read, Sites.Read, or SharePoint permissions
  • Chat or Teams content: No access to Teams conversations or channels
  • Third-party data sharing: Your tenant data is never sold or shared
  • Data beyond the session: No tenant data is retained after you sign out

Remediation and write access require a separate admin upgrade after reviewing your scan results. Preview Mode cannot make changes — by design.
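
A tenant admin can check a scope list like the one above against what was actually consented. The following is an added example, not Cloud Locksmith's code: it compares the `scope` string of Microsoft Graph `oauth2PermissionGrant` objects with the six published scopes. It assumes delegated grants exported as JSON; the sample grants and client IDs are constructed placeholders.

```python
import json

# The six Preview Mode scopes exactly as listed on this page.
LISTED_SCOPES = {
    "User.Read.All", "Directory.Read.All", "UserAuthenticationMethod.Read.All",
    "Policy.Read.All", "RoleManagement.Read.Directory", "AuditLog.Read.All",
}
# Content families the page says are never requested (mail, files, SharePoint, Teams).
CONTENT_PREFIXES = ("Mail.", "Files.", "Sites.", "Chat.", "ChannelMessage.")

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects
# (delegated grants carry a space-separated "scope" string). IDs are placeholders.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-scanner-placeholder", "consentType": "AllPrincipals",
   "scope": "User.Read.All Directory.Read.All UserAuthenticationMethod.Read.All Policy.Read.All RoleManagement.Read.Directory AuditLog.Read.All"},
  {"clientId": "sp-other-placeholder", "consentType": "AllPrincipals",
   "scope": "User.Read.All Mail.Read Directory.ReadWrite.All offline_access"}
]
""")

def audit_grant(grant):
    """Compare one grant's scopes with the published list and classify the extras."""
    granted = set(grant.get("scope", "").split())
    unlisted = sorted(granted - LISTED_SCOPES)
    return {
        "clientId": grant["clientId"],
        "unlisted": unlisted,
        # Most Graph write permissions contain "Write"; others (e.g. Mail.Send)
        # are still reported under "unlisted" for manual review.
        "write": [s for s in unlisted if "Write" in s],
        "content": [s for s in unlisted if s.startswith(CONTENT_PREFIXES)],
        "missing": sorted(LISTED_SCOPES - granted),
        "matches_published_list": granted == LISTED_SCOPES,
    }

def audit_all(grants):
    """Audit every grant in an exported list."""
    return [audit_grant(g) for g in grants]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_GRANTS):
        print(json.dumps(result, indent=2))
```

Anything reported under `unlisted`, including `offline_access`, is a scope the published list does not account for and is worth questioning before consent is left in place.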

Detect, fix, and roll back — without the complexity

Other tools surface problems and leave the fix to you. Cloud Locksmith applies safe remediations with one click and gives you a path back if anything goes wrong — built specifically for SMBs and MSPs who can't afford to get this wrong.

Every Remediation Creates a Snapshot

Before any change is applied, Cloud Locksmith captures the previous state of your configuration — automatically, with no extra steps required.

One-Click Rollback Restores Previous State

If a fix causes unintended side effects, you can reverse it instantly. No tickets. No scripts. No waiting. Your tenant is back in under 60 seconds.

Safe Automation Without Risk of Lockouts

Built-in guardrails detect and block changes that could lock out admins or break critical access. Automation that protects your environment.

Without Cloud Locksmith

Manual audits. Spreadsheets. No fast way to undo a mistake.

Security checks happen occasionally. Risks build between reviews. When something breaks, remediation turns into ad hoc scripts and tickets — with no fast path back to a known good state.

With Cloud Locksmith

Continuous. Automated. Auditable.

Risks are surfaced in real time, ranked by severity, and fixed with a single action. Every change is logged, reversible, and protected by built-in guardrails that prevent lockouts.

What Are Your Identity Risks Costing You?

Enter your numbers to see the real cost of manual incident recovery — before the next mistake happens.

$100/hr  ·  4  ·  5 hrs
How this is calculated

Each misconfiguration — a wrong permission, a missed offboarding, an accidental policy change — takes your admin hours to diagnose and manually reverse. Multiply that across a year and the cost adds up fast.

Annual admin cost of identity incidents

$2,000

Does not include downtime, breaches, or audit failures.

Recovery Time: Manual vs. Cloud Locksmith
  • Manual remediation: 5 hrs
  • Cloud Locksmith with rollback: <60s
300× faster than manual remediation (5 hrs vs 60 sec)

See your real Microsoft 365 security gaps in 60 seconds

Built for teams that need to move fast on security

01

SMBs on Microsoft 365

50–300 employee teams that need stronger identity hygiene without a dedicated security function.

02

Managed Service Providers

MSPs managing multiple client tenants who need a scalable way to enforce security standards.

03

Audit-Prep Teams

Organizations preparing for compliance reviews, cyber insurance renewals, or customer scrutiny.

04

Teams Without a Security Hire

Companies that need immediate coverage for identity risk without building a full security team first.

Have questions? Let's talk.

Have questions or want to learn more about how Cloud Locksmith works for your team?

  • Talk through your Microsoft 365 identity risks
  • Learn how remediation and rollback work
  • See how Cloud Locksmith fits SMB and MSP workflows
  • Get started with the right next step for your team

Contact Us

We only use this information to respond to your inquiry.

Find out what's exposed in your Microsoft 365 tenant

Connect your tenant and get a full identity risk report in under 2 minutes. Read-only scan — no changes made, no credentials stored.

Want full remediation access? Sign in with admin access instead