
Run the same security tests Microsoft MVPs trust —
against your own tenant.

SimpleEntra runs Maester (MIT-licensed, open source) against your Microsoft 365 environment via a read-only connection. 150+ verified configuration checks across CIS Microsoft 365 Benchmark, CISA SCuBA, EIDSCA and Maester's own community tests. Results in a board-ready report — in under 10 minutes.

Read-only access·EU-hosted (Frankfurt)·No agent to install·Maester v2.1.0 pinned·GDPR DPA available
demo-tenant · last synced 2s ago
Posture: 67/100
Critical risk: 2 findings
Pending: 14 of 127
MFA coverage: 94% of active users
Maester tests: 150+ (v2.1.0 pinned)
Board flags: 3 require action
Latest findings (150+ checks · CIS M365 · SCuBA · EIDSCA)
  • Account takeover: 2 admins without MFA [High]
  • Access hygiene: 5 application secrets expire within 30 days [Medium]
  • Board flag: 3 Global Admins (recommended max 2) [Medium]
  • Legacy auth: 8 sign-ins via basic authentication in the last 7 days [Medium]
  • Conditional Access: 94% of users covered [Pass]

The problem

Leadership and auditors ask the same questions.
You have technical answers — not business answers.

Microsoft 365 is the backbone of most mid-sized organisations. And it is one of the most frequently attacked surfaces in modern cybersecurity. The problem is rarely a lack of technical knowledge — it is a lack of visibility in the language that boards, CISOs and auditors understand.

The board asks about your risk. You have a Secure Score number, not an answer.

Microsoft Secure Score is an internal IT metric. It has not been translated into business risk, compliance status, or what it would cost if things go wrong. Board and management reporting requires a different language.

The auditor asks for NIS2/ISO 27001 documentation. You kick off a €5,000 consulting engagement.

An external security review costs €5,000–10,000 and takes weeks to schedule. You get a PDF. Three months later the configuration changes — and you start over at the next audit.

Configuration changes every day. You find out after a breach — or when the auditor asks.

Microsoft 365 has 200+ security settings. Updates, new policies and administrator changes can shift your posture without anyone noticing — until it is too late.

2.8×
more expensive to handle a breach than to prevent it with ongoing posture checks.
Source: IBM Cost of a Data Breach Report 2024

194 days
average time to identify a breach. SimpleEntra surfaces the configuration weaknesses that make this possible, before they are used.
Source: IBM Cost of a Data Breach Report 2024

80%+
of cloud breaches involve identity-based attacks. Your Entra ID posture isn't part of the problem, it IS the problem.
Source: Verizon Data Breach Investigations Report 2024

99.9%
account compromise risk reduction when MFA is enforced. SimpleEntra tells you exactly which users and apps lack it.
Source: Microsoft Digital Defense Report 2024

€10M / 2%
maximum NIS2 non-compliance fine for essential entities: €10M or 2% of global annual turnover, whichever is higher (important entities face €7M or 1.4%). Documentation is no longer optional.
Source: NIS2 Directive (EU) 2022/2555, Article 34

$4.88M
average cost of a data breach globally in 2024, up from $4.45M in 2023.
Source: IBM Cost of a Data Breach Report 2024

Top 2
initial attack vectors across all reported breaches: phishing and stolen or compromised credentials.
Source: IBM Cost of a Data Breach Report 2024

$2.2M saved
per breach for organisations making extensive use of security AI and automation.
Source: IBM Cost of a Data Breach Report 2024

How it works

From admin consent to board report
in under 10 minutes.

Step 01

Your IT admin approves the connection in 10 minutes — read-only access only.

A standard Microsoft admin-consent link. No passwords, no software to install. SimpleEntra gets one read-only connection to your Entra ID — nothing more.

Step 02

The six most important risk indicators in 60 seconds. Full board report ready in 5 minutes.

Within a minute the six key KPIs are ready, including MFA coverage, legacy protocol blocking, number of Global Admins and expiring application secrets. The full analysis with all 150+ security checks and the board report is complete in 3–5 minutes.

Step 03

On-demand posture trend with risk ranking.

Findings are ranked by business risk (High / Medium / Low) and tagged with compliance framework. Each finding has an explanation of business consequences and a concrete action description. Every scan is saved with a timestamp, so the trend builds up as you run scans (scheduled scans are on the roadmap — Q3 2026).

Step 04

Auditor-friendly documentation as input for NIS2, ISO 27001 and board.

Export a structured report that draft-maps your findings to compliance frameworks. Use it as auditor input, in board meetings, or as the basis for your ROPA and risk assessment. (The mapping is curated by us — final audit responsibility remains with you and your auditor.)

Built on open standards

Language your auditor and board understand.

Every finding is mapped to recognised compliance frameworks. You can cite specifically — not just "we use best practice".

CIS Microsoft 365 Benchmark (55+ checks)
Center for Internet Security: foundational security controls
Mappings: NIS2, ISO 27001

CISA SCuBA (35+ checks)
US Cybersecurity and Infrastructure Security Agency: secure configuration baseline for Microsoft 365
Mappings: NIS2, DORA

EIDSCA (30+ checks)
Entra ID Security Config Analyzer: identity controls
Mapping: ISO 27001

Maester (34+ checks)
Open-source Entra ID test suite, maintained by the community
Mappings: NIS2, ISO 27001
Included deliverables
  • NIS2 draft-coverage report (PDF)
  • ISO 27001 Annex A draft-mapping (XLSX)
  • Board executive summary (PDF)
  • On-demand posture trend with history

Why you can trust the results

No black box. No marketing.

Every finding we show comes from a named control in a named framework. We do not invent severity levels. We do not pad the list to look impressive. If a check passes, we write that it passes.

  • Every one of the 150+ checks maps to a named control in a public framework (CIS, SCuBA, EIDSCA or a Maester test ID), so you can verify each result against its source
  • Every finding links to official Microsoft documentation
  • Framework tags so you know which compliance baseline each check addresses
  • Maester is open source — you can inspect every single test we run
Implementation basis

The frameworks above are the technical foundation behind the deliverables. Auditors and board see outputs — NIS2 coverage, ISO Annex A status, posture score over time. The IT team sees the underlying control IDs and can drill into each finding.

Powered by Maester (open source)

The full scan runs Maester — a publicly auditable PowerShell test suite maintained by the Microsoft identity community. You can read every single test we run.

Security and privacy

We built it in from the start.
Not bolted on afterwards.

A security tool that is careless with your data would be embarrassing. Here is exactly how we handle yours.

Read-only. Always.

Every Microsoft Graph permission we request is a read permission: names of the form Something.Read.All (for example Directory.Read.All or Policy.Read.All), never ReadWrite, Send, Invite or Manage. We have no write access to your tenant. We cannot create users, change policies, send emails or touch any configuration. If in doubt, review the full permission list on the consent screen before you approve, and afterwards under Entra → Enterprise applications → SimpleEntra → Permissions.
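The permission claim above is something you can check for yourself rather than take on trust. The script below is an added example written for this page, not SimpleEntra's own code: it classifies Microsoft Graph permission names by their naming pattern (read-only versus write-capable) and, given a bearer token with permission to read service principals, pulls the application and delegated grants an enterprise app actually holds in your tenant through the Microsoft Graph REST API. The Graph endpoints and the Microsoft Graph resource appId are real; the sample permission list is constructed for the demo and is not SimpleEntra's actual list. Run with no arguments for the offline sample, or as `python audit.py <bearer token> "SimpleEntra"` against a tenant.

```python
"""Audit what an enterprise app (here, a SimpleEntra-style read-only app) is granted.

Added example, not SimpleEntra's own code. Two parts: a classifier for Graph
permission names (read-only vs. write-capable), and an optional live fetch of
the grants in your tenant via the Microsoft Graph REST API.
"""
import json
import re
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's own appId
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}  # sign-in scopes, no directory data

# Read-only Graph permissions look like Directory.Read.All, User.ReadBasic.All or
# RoleManagement.Read.Directory. ReadWrite, Send, Invite, Manage etc. do not match.
READ_ONLY = re.compile(r"^[A-Za-z]+\.Read(Basic)?(\.[A-Za-z]+)?$")


def is_read_only(permission: str) -> bool:
    return permission in OIDC_SCOPES or READ_ONLY.match(permission) is not None


def classify(permissions):
    """Split permission names into sorted (read_only, write_capable) lists."""
    read = sorted(p for p in permissions if is_read_only(p))
    write = sorted(p for p in permissions if not is_read_only(p))
    return read, write


def _get(token, path, **params):
    url = GRAPH + path
    if params:  # keep $ , ' readable in $filter/$select; spaces become %20
        url += "?" + urllib.parse.urlencode(params, safe="$',", quote_via=urllib.parse.quote)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_granted_permissions(token, app_display_name):
    """Return (application_perms, delegated_scopes) the enterprise app holds on Microsoft Graph."""
    sp = _get(token, "/servicePrincipals", **{"$filter": f"displayName eq '{app_display_name}'"})["value"][0]
    graph_sp = _get(token, "/servicePrincipals",
                    **{"$filter": f"appId eq '{GRAPH_APP_ID}'", "$select": "id,appRoles"})["value"][0]
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    # Application permissions: appRoleAssignments whose resource is the Graph service principal
    assignments = _get(token, f"/servicePrincipals/{sp['id']}/appRoleAssignments")["value"]
    app_perms = [role_names.get(a["appRoleId"], a["appRoleId"])
                 for a in assignments if a["resourceId"] == graph_sp["id"]]
    # Delegated permissions: oauth2PermissionGrants; 'scope' is a space-separated string
    grants = _get(token, "/oauth2PermissionGrants", **{"$filter": f"clientId eq '{sp['id']}'"})["value"]
    delegated = [s for g in grants if g["resourceId"] == graph_sp["id"] for s in g["scope"].split()]
    return app_perms, delegated


# Constructed sample standing in for a real tenant's grants (not SimpleEntra's actual list).
SAMPLE_READ_ONLY = ["Directory.Read.All", "Policy.Read.All", "AuditLog.Read.All",
                    "UserAuthenticationMethod.Read.All", "Application.Read.All",
                    "RoleManagement.Read.Directory", "Reports.Read.All"]
SAMPLE_WITH_WRITE = SAMPLE_READ_ONLY + ["Directory.ReadWrite.All", "Mail.Send"]


def report(permissions):
    read, write = classify(permissions)
    lines = [f"read-only ({len(read)}): " + ", ".join(read)]
    if write:
        lines.append(f"WRITE-CAPABLE ({len(write)}): " + ", ".join(write) + "  <- not read-only, investigate")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        app_perms, delegated = fetch_granted_permissions(sys.argv[1], sys.argv[2])
        print(report(app_perms + delegated))
    else:
        print(report(SAMPLE_WITH_WRITE))
```

The classifier is deliberately strict: anything that does not fit the `X.Read[Basic][.Y]` pattern lands in the write-capable bucket, so an unfamiliar permission gets looked at rather than waved through. The live path needs a token holding at least Application.Read.All; the admin-consent screen shows the same list before you approve, and the Permissions blade of the enterprise app shows it afterwards.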

EU data. Nothing else.

All tenant data lives in Supabase eu-central-1 (AWS Frankfurt). It never leaves the EU. Supabase is certified under SOC 2 Type II and HIPAA. We chose EU hosting from day one — not because anyone asked.

12 months retention, then deleted.

We retain your scan data for 12 months from last activity. Then an automated job deletes everything — logins, findings, devices, all of it. No soft-delete, no shadow copies.

DPA ready to sign within 24 hours.

Legal friction is a real blocker. Our Data Processing Agreement (following the Danish Data Protection Authority's standard template) is ready and can be signed within 24 hours of enquiry — it is mandatory before production use.

Revoke access in two clicks.

Go to Entra → Enterprise applications → SimpleEntra → Delete. Done. From that moment no new tokens can be issued to us: our next token request fails, and we cannot re-establish access without you re-running admin consent. One caveat worth knowing: an access token that was already issued stays valid until it expires (typically within an hour), so treat revocation as fully effective after that window.

Full audit trail in your Entra portal.

Microsoft records every token the SimpleEntra service principal obtains in your Sign-in logs (Entra admin center → Sign-in logs → Service principal sign-ins), and the admin consent itself in your Audit log. That is the primary verification source: a log we cannot edit. Note that the sign-in log records token requests, not individual Graph calls, so expect a handful of entries per scan rather than one per check.
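Reading that sign-in log by eye works for one scan; reviewing a quarter of them does not. The script below is an added example written for this page, not SimpleEntra's own code. It takes the JSON export of the service principal sign-in log (or the response of the Graph sign-ins endpoint, which uses the same field names: createdDateTime, appId, resourceDisplayName, ipAddress, status.errorCode) and reports sign-ins per day and source IP, plus anything a tenant admin should question: a token requested by an app other than the one you consented to, a token for a resource other than Microsoft Graph, a failed token request, or a successful sign-in after the time you revoked access. The sample events and the app id in them are constructed placeholders, as is the assumption that the export is a plain JSON list.

```python
"""Review the service-principal sign-ins a tenant-connected app has generated.

Added example, not SimpleEntra's own code. Run as
`python signins.py export.json <appId> [revokedAtISO8601]`, or with no
arguments to run against the constructed sample below.
"""
import json
import sys
from collections import Counter
from datetime import datetime

DEMO_APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder, not a real appId

SAMPLE_EVENTS = [  # constructed: two normal scans, one odd resource, one failed request
    {"createdDateTime": "2026-03-02T09:00:12Z", "servicePrincipalName": "SimpleEntra",
     "appId": DEMO_APP_ID, "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "18.192.0.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:00:40Z", "servicePrincipalName": "SimpleEntra",
     "appId": DEMO_APP_ID, "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "18.192.0.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T08:59:59Z", "servicePrincipalName": "SimpleEntra",
     "appId": DEMO_APP_ID, "resourceDisplayName": "Office 365 Exchange Online",
     "ipAddress": "18.192.0.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T10:15:00Z", "servicePrincipalName": "SimpleEntra",
     "appId": DEMO_APP_ID, "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "18.192.0.11", "status": {"errorCode": 7000229}},
]


def parse_ts(s):
    """Entra timestamps are UTC with a trailing Z; make them timezone-aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def review(events, expected_app_id, expected_resources=("Microsoft Graph",), revoked_at=None):
    """Summarise sign-ins and list anything a tenant admin should question."""
    findings, by_day, ips = [], Counter(), Counter()
    revoke_ts = parse_ts(revoked_at) if revoked_at else None
    for e in events:
        ts = parse_ts(e["createdDateTime"])
        by_day[ts.date().isoformat()] += 1
        ips[e.get("ipAddress", "?")] += 1
        failed = e.get("status", {}).get("errorCode", 0) != 0
        if e.get("appId") != expected_app_id:
            findings.append(f"{e['createdDateTime']}: appId {e.get('appId')} is not the app you consented to")
        if e.get("resourceDisplayName") not in expected_resources:
            findings.append(f"{e['createdDateTime']}: token requested for '{e.get('resourceDisplayName')}', "
                            "which is not an expected resource")
        if failed:
            findings.append(f"{e['createdDateTime']}: token request failed (errorCode {e['status']['errorCode']})")
        elif revoke_ts and ts > revoke_ts:
            findings.append(f"{e['createdDateTime']}: successful sign-in after revocation at {revoked_at}")
    return {"total": len(events), "by_day": dict(by_day), "ips": dict(ips), "findings": findings}


def load_events(path):
    """Accept both a plain JSON list and the Graph API shape ({"value": [...]})."""
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    return data["value"] if isinstance(data, dict) else data


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        revoked = sys.argv[3] if len(sys.argv) > 3 else None
        result = review(load_events(sys.argv[1]), sys.argv[2], revoked_at=revoked)
    else:
        result = review(SAMPLE_EVENTS, DEMO_APP_ID, revoked_at="2026-03-03T12:00:00Z")
    print(json.dumps(result, indent=2))
```

On the sample, the two Graph sign-ins on 2 March pass silently, the Exchange Online token request is flagged because a read-only Graph app has no business asking for it, and the failed request on 4 March is reported as a failure rather than as post-revocation access. Pair the IP counter with the hosting region the vendor states (Frankfurt here): a source address from anywhere else is a question for them.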

Under audit

SOC 2 Type II — under audit, expected Q3 2026.

We are in the SOC 2 Type II certification process. The report is not complete yet, and we are open about that. Delivery: Q3 2026. Supabase (our data provider) is already SOC 2 Type II certified. Until our own SOC 2 report is available, we offer extended technical references and an on-request architecture review under NDA.

Sub-processors

The complete list of third parties that may process your data.

Provider · Purpose
Supabase · Postgres database + auth
Anthropic (optional) · Explanations per finding
Microsoft Graph · Read-only data collection

Ready to see your posture?

Know your Entra ID risk
before the board asks.

Book a 30-minute demo. We connect to a test tenant, run a live scan and show you what SimpleEntra finds — no slides, no sales pitch.

No commitment. No credit card. We show you findings on a real tenant.