Frequently Asked Questions

Everything you need to know before running a scan.

About the Scan
No. The Microsoft consent screen handles everything in one step. When you authenticate and click Accept, you are simultaneously logging in and granting the necessary permissions. ButWhy.Cloud will then appear automatically under Entra ID → Enterprise Applications — but you do not need to go there or do anything manually before or during the scan.

The only reason you would visit Enterprise Applications is to revoke access after your scan is complete.

We run a number of automated security checks across four modules:
  • Entra ID — MFA, Conditional Access, admin roles, guest users, app registrations, legacy authentication.
  • CSPM — Azure resources including VMs, storage accounts, Key Vaults, SQL servers, NSGs, and Defender for Cloud.
  • Email Security — SPF, DKIM, DMARC, Safe Links, Safe Attachments, external forwarding rules.
  • Endpoint & Devices — Intune compliance policies, BitLocker, app protection, device enrolment, LAPS.
Each check is mapped to CIS, Maester, SCUBA, ISO 27001, and NIST CSF frameworks.

Typically 20–30 minutes end to end. The scan runs in the background after you consent — you can close the browser tab. Your report will arrive by email when complete.

Most of the permissions we request require admin consent, which means a Global Administrator must grant consent on behalf of the tenant — either by running the scan themselves, or by pre-consenting the app for a delegated user. A Security Reader or Security Administrator role is not sufficient for the initial consent step.

Your report includes:
  • An overall security score out of 100.
  • An executive summary showing which areas passed and which have issues.
  • A finding for each of the checks — PASS, FAIL, or SKIP.
  • For paid tiers: evidence (what was found), step-by-step remediation, and ISO 27001 / NIST CSF mappings per finding.
  • For free tier: top-level results with limited evidence and remediation.

A check is skipped when it requires a feature or licence your tenant does not have. For example, Intune checks are skipped if you have no Intune licence, and some Entra ID checks require an Entra ID P2 licence. Skipped checks do not count for or against your score.
Security & Access
This is Microsoft’s standard description for the offline_access scope — it is automatically included by Microsoft whenever any app requests delegated permissions. The wording is generic and misleading for our use case.

In practice it means our scanner can keep your token valid long enough to complete a 20–30 minute background scan without you needing to stay on the page. It does not grant access to any additional data beyond what the other listed permissions cover.

We still discard your token immediately when the scan completes — it is never stored, never reused, and expires automatically after one hour regardless. See our Data Integrity commitments for the full details.

No. Every permission we request is read-only. We cannot create, modify, or delete users, policies, resources, or any other object in your tenant or Azure subscription. This is enforced at the Microsoft API level — read-only permissions simply do not allow write operations.

We request 16 Microsoft Graph permissions and 1 Azure Service Management permission, all read-only. Each permission is documented with a plain-English explanation of exactly what it is used for. The full permissions list is at butwhy.cloud/permissions.

Go to Entra ID → Enterprise Applications in the Azure portal, search for ButWhy.Cloud, and click Delete. This immediately and permanently removes our access from your tenant. The access token used during your scan has already expired by this point regardless.

No. The OAuth access token is held in memory during the scan only and is never written to disk or any storage. Once the scan completes the token is discarded. Microsoft access tokens expire after 1 hour regardless.

Microsoft Publisher Verification is in progress. Until verification is complete you may see an "unverified publisher" warning on the consent screen. This is a Microsoft process requirement and does not affect the security of the scan itself. You can review our exact permissions before consenting at butwhy.cloud/permissions.
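As an added example (not ButWhy.Cloud's own code), the following Microsoft Graph PowerShell script does the check a tenant admin would want around the consent and revocation steps described in this section: it lists the delegated scopes consented to the enterprise application, flags any that are not obviously read-only, confirms there are no app-only role assignments, and shows the removal call equivalent to Delete in the portal. The display name 'ButWhy.Cloud' and the Graph scopes requested for the admin session are assumptions.

```powershell
# Added example, not ButWhy.Cloud's code. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph module) is installed and the signed-in admin can read service
# principals and delegated permission grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$appName = 'ButWhy.Cloud'   # assumed display name of the enterprise application
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $sp) { Write-Host "No enterprise application named '$appName' found."; return }
Write-Host "Service principal $($sp.Id) for '$($sp.DisplayName)'"

# Delegated consent is recorded as oAuth2PermissionGrant objects whose clientId is the
# app's service principal object id. Scope is a space-separated list of scope names.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($grant in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    Write-Host "Resource: $($resource.DisplayName)  ConsentType: $($grant.ConsentType)"
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        # Flag anything that is not obviously read-only. 'user_impersonation' on the
        # Azure Service Management API is delegated: it acts as the signed-in user and
        # is bounded by that user's own Azure RBAC roles, so review it rather than assume.
        $flag = if ($scope -match 'Write|Manage|AccessAsUser|user_impersonation') { 'REVIEW' } else { 'read-only' }
        Write-Host ("  {0,-55} {1}" -f $scope, $flag)
    }
}

# Application (app-only) permissions would appear as app role assignments on the
# service principal; an app that only requests delegated permissions should have none.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
Write-Host "App-only role assignments: $($appRoles.Count) (expected 0)"

# Revocation, equivalent to Enterprise Applications -> Delete in the portal. Deleting the
# service principal removes its consent grants with it. Needs Application.ReadWrite.All.
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
```

Run the audit first with the last line commented out; uncomment the Remove call only once the scan has completed and the report has been delivered.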
Data & Privacy
Your scan report (check results and evidence) is stored in Azure Blob Storage for 5 days then permanently and automatically deleted. Your email address is used only to deliver the report and is not stored in any database. We do not store your OAuth token, passwords, or any other credentials.

Scan results are stored in Microsoft Azure Blob Storage in the East US region. Report delivery uses Mailgun, which may process your email address in the United States under Standard Contractual Clauses.

Yes. We process only the minimum personal data necessary to deliver the service, retain it for no longer than required (5 days), and have sub-processor agreements in place. Our full Privacy Policy and Data Processing Agreement are available for review. If you require a signed DPA for your organisation, contact hello@butwhy.cloud.

Yes. We operate under South African law and comply with the Protection of Personal Information Act (POPIA). Data is stored in Microsoft Azure (East US region). See our Privacy Policy for full details.

Not as a standalone document. The scan reflects what was accessible at the time based on the permissions and licences in your tenant — some checks may have been skipped due to missing licences or restricted permissions. We recommend using the report as a starting point for remediation and internal review, not as evidence for formal compliance submissions or regulatory filings without independent verification.
Pricing & Plans
The free scan runs all automated security checks and gives you your security score, executive summary, and top-level pass/fail results. Evidence details and remediation steps are limited and locked to paid tiers. You can run one free scan every 30 days.

ButWhy.Cloud is designed for organisations with fewer than 200 active users. Smaller environments get the most accurate and complete results. Larger tenants can still scan but some checks may take longer or return incomplete results. Contact us if you need options for larger environments.

Yes — you can scan any tenant you are authorised to assess. Each scan is tied to the tenant of the account used to sign in to Microsoft, not your own.

To scan a client tenant:
  • Sign in with an admin account that belongs to that client's tenant, or
  • Use a guest account in the client tenant that has been granted Global Administrator or equivalent delegated rights.

If you sign in with your own MSP account, Microsoft will default to your home tenant, not your client's. Always sign in using an account from the client tenant directly.

Each client tenant requires a separate scan. If you manage multiple tenants, run the flow once per tenant using the appropriate account each time.

Contact hello@butwhy.cloud if you need a multi-tenant or white-label arrangement.

Email us at hello@butwhy.cloud and we'll get back to you within one business day.