EntraGuard

Continuous auditing for Microsoft 365 & Entra ID.

EntraGuard analyses your Microsoft 365 and Microsoft Entra ID environment to detect attack paths, dangerous permissions and configuration weaknesses. Security scoring, Neo4j graph explorer, contextual remediation tutorials — deployable via Docker, 100% on-premise.

Platforms: Linux, macOS, Windows (WSL2), Docker | Stack: Python, FastAPI, Celery, React 18, Neo4j, PostgreSQL, Redis

14 collectors | 4 compliance frameworks | Neo4j graph attack paths | 100% on-premise
Features

Everything you need

Comprehensive security auditing with built-in best practices.

14 collectors (Graph API + LDAP)

Users, Groups, Directory Roles, Applications, Service Principals, Conditional Access Policies, Devices, Administrative Units, PIM Policies, Scoped Role Members, Subscribed SKUs, Authentication Methods, Access Reviews, plus on-premise Active Directory via LDAP. Full or incremental (delta) mode.

Scoring & A-F grading

Global score out of 100 and per-category scores with A-F grading. Covers stale accounts, dangerous permissions, Conditional Access gaps, PIM misconfiguration and attack paths.

Attack Path Analysis

Attack path detection via Neo4j graph queries: paths to Global Admin and privilege escalation, enriched with MFA and risk context.

Graph Explorer

Interactive Entra ID graph visualisation: nodes, edges, search, neighbours, shortest paths between two entities.

MITRE ATT&CK mapping

Each finding is mapped to the relevant MITRE ATT&CK techniques, with severity, evidence and an actionable recommendation.

Remediation Tutorials

Step-by-step contextual tutorials per finding, sorted by impact. Ready-to-run PowerShell scripts where applicable.

Built-in scheduling

Scheduled scans (daily, weekly or monthly) via Celery Beat. Rate limiting with exponential backoff retry on HTTP 429/503 responses.

Score Diff & trends

Comparison between audit runs: global and per-category score delta, new/resolved/changed findings, and a trend chart in the frontend.

Multi-format reports

Export to JSON, PDF, HTML and Markdown. Jinja2 template with executive summary, findings by severity, category scores, attack paths and recommendations.

Notifications

Email (SMTP with TLS), Slack and HTTP webhook with HMAC-SHA256 signature. Events: scan complete, score drop, critical finding.

Export API (Enterprise)

Authenticated API keys (ega_ prefix). /findings, /scores and /audit-runs endpoints for SIEM (Splunk, Sentinel, Elastic) and ticketing (Jira, ServiceNow) integrations.

Multi-tenant (Enterprise)

Up to 10 Entra ID tenants from a single instance. AES-256-GCM encrypted credentials; Azure Key Vault or environment variables supported.

License-aware recommendations

Cross-checks your Microsoft licences (34 SKUs mapped) against the Zero Trust features they unlock. Flags capabilities you are paying for but have never activated: PIM, Cloud PKI, Access Reviews, Defender, risk-based Conditional Access.

Feature Catalog

Built-in Zero Trust reference that maps 34 Microsoft SKUs to capabilities per pillar (Business, E3/E5, EMS, Education, Government, Defender, Intune, Governance, Copilot). Auto-updated weekly, with manual refresh and version tracking.

Compliance Reports

Generate compliance reports against CIS M365 v3.1, NIST 800-53 Rev5, ISO 27001:2022 and SOC 2 Type II. PDF export with a coverage score per framework and per-control pass/fail detail.

Per-finding PDF export

Export any individual finding as a branded PDF with severity, evidence, MITRE mapping, framework references and step-by-step remediation.

LDAP Hybrid AD analysis

On-premise Active Directory collector via LDAP. 4 hybrid rules (HYB-001..004): privileged AD accounts not synced, cross-boundary escalation, stale computers, password never expires.

Realtime Monitoring (Enterprise)

Microsoft Graph change notifications with automatic incremental collection. Detects directory changes in near real time via a webhook receiver, Redis debouncing and Celery tasks.

Cloud IAM (Enterprise)

Multi-cloud identity audit across Azure RBAC, AWS IAM and GCP IAM. Detects over-privileged service principals, dangerous role assignments and cross-cloud privilege escalation paths.

AD Attack Surface

Detection of advanced Active Directory threats: DCSync rights, GPO anomalies, forest trust misconfiguration, Kerberoastable accounts and unconstrained delegation.

Varonis integration (Enterprise)

Native correlation with the Varonis Data Security Platform: enrich findings with data classification context and trigger investigation workflows from EntraGuard alerts.

SOC-grade investigation reports

Tier-1/Tier-2 SOC analyst reports with timeline, IOCs, MITRE mapping and a pre-formatted incident response playbook. Exportable to PDF for case management systems.

Graph permissions audit (Setup Wizard)

Interactive Graph API permissions audit during the Setup Wizard. Verifies the application has the minimal required scopes and flags excessive permissions before the first scan.

Installation

Install EntraGuard

A single command. Docker support included.

$ curl -fsSL https://install.coderaft.io | bash

Docker only | One-command install | 100% on-premise

Ready to secure your environment?

Free trial of EntraGuard for 14 days. No credit card required.