Last updated: March 2026
By using ButWhy.Cloud you agree to these terms. Please read them. They are written to be clear, not to hide anything.
ButWhy.Cloud provides automated security scanning of Microsoft 365 and Azure tenants ("the Service"). The Service uses read-only Microsoft Graph API and Azure Resource Manager permissions to assess your tenant's security configuration and produce a report.
You must be authorised to grant OAuth consent on behalf of your Microsoft tenant. By initiating a scan you confirm that you have the authority to do so — either as a Global Administrator or through explicit delegated consent from one.
You may use the Service only to scan tenants you own or are authorised to assess. You may not:
Our app registration requests read-only permissions only. We cannot make changes to your tenant, create users, modify policies, or take any write action. The permissions requested are documented at butwhy.cloud/permissions.
The Service is provided "as is". Security scanning is inherently limited — we can only assess configurations visible through the APIs we query. A passing score does not guarantee your tenant is secure. We make no warranty that our checks are exhaustive, error-free, or that following our remediation guidance will prevent a security incident.
ButWhy.Cloud performs automated security assessments based on the permissions granted and licences available in your Microsoft 365 and Azure tenant at the time of scan. Results may be incomplete where permissions are restricted, features are not licenced, or checks are skipped due to missing prerequisites. This Service is provided for informational purposes only. Results should not be used as the sole basis for compliance reporting, audit submissions, or regulatory filings without independent verification.
To the maximum extent permitted by law, ButWhy.Cloud shall not be liable for any indirect, incidental, consequential, or punitive damages arising from your use of the Service, including but not limited to security incidents that occur despite a scan showing passing results.
Our total liability for any claim arising from use of the Service shall not exceed the amount paid by you for the Service in the 3 months preceding the claim.
Scan results are stored for 5 days and then permanently deleted. Your email address is used only to deliver your report. Full details are in our Privacy Policy.
Paid subscriptions are billed monthly in USD. You may cancel at any time — cancellation takes effect at the end of your current billing period. No refunds are issued for partial periods. We reserve the right to change pricing with 30 days notice.
We may suspend or terminate your access to the Service if you violate these terms, abuse the service, or fail to pay for a paid plan. You may stop using the Service at any time.
These terms are governed by the laws of the Republic of South Africa. Any disputes shall be subject to the jurisdiction of the South African courts. If you are an EU consumer, mandatory consumer protection laws of your country of residence also apply.
We may update these terms. We will notify paid subscribers by email. Continued use after changes constitutes acceptance.