u/NathanSecurity


Building a Microsoft 365 security tool — got some tough feedback, would appreciate input from admins

I’ve been working on a Microsoft 365 security tool focused on identity misconfigurations (things like MFA gaps, excessive admin roles, dormant accounts, etc.).

The core idea is:

  • connect via OAuth (Entra ID)
  • read tenant configuration
  • highlight risky settings
  • optionally help remediate them
  • provide a rollback option in case mistaken operations are carried out

Recently I shared it and got some strong (and fair) feedback from admins, mainly around trust and risk, not functionality.

Some of the concerns raised:

  • “What stops any user in the tenant from authenticating to the app?”
  • “How is admin consent handled and documented?”
  • “How are enterprise app restrictions (users/groups/CA policies) expected to be configured?”
  • “Where is tenant data stored, and how is isolation enforced?”
  • “What guarantees are there that automated fixes won’t break things?”

None of these are unreasonable — and it made me realize that even if the implementation is secure, if the trust model isn’t clear and explicit, admins will (rightfully) reject it.

So I wanted to ask this community directly:

From your perspective as admins/security folks:

  • What would you need to see before trusting a tool like this?
  • What are non-negotiables when it comes to:
    • OAuth apps / enterprise app access
    • Graph permissions
    • data storage & isolation
  • How should remediation be handled? (fully manual vs staged vs automated with guardrails)
  • What kind of documentation or transparency would make you comfortable enough to even test something like this?

I’m not trying to sell anything here — just trying to understand how to build this in a way that aligns with how admins actually think about risk.

Appreciate any honest feedback, even if it’s blunt.

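The three trust questions in this post (who can sign in to the app, how admin consent is recorded, and whether the granted permissions really are read-only) are all answerable from the app's service principal in the tenant. The script below is an added example written from the admin's side, not code from the tool or its author. It runs over constructed records shaped like what Microsoft Graph returns for a servicePrincipal, its appRoleAssignedTo list, its oauth2PermissionGrants and its appRoleAssignments; nothing is fetched. The "read-only" classification of permission names is a heuristic I assume here, not a Graph property, and the appRole GUID and the vendor's documented scope list are placeholders.

```python
"""Posture check for a third-party app's service principal in an Entra tenant.

Added example, not the tool's code. Records are constructed to match the shapes Graph
returns for servicePrincipal, appRoleAssignedTo, oauth2PermissionGrant and
appRoleAssignment; no network calls. The read-only classification of permission
names is a heuristic (assumption), not a Graph property.
"""

# Name segments that indicate write or act-as capability (assumption).
WRITE_MARKERS = {"ReadWrite", "Write", "AccessAsUser", "Manage", "Send", "Create", "Delete"}
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def is_read_only(permission):
    """OIDC scopes and names with no write/act-as segment are treated as read-only."""
    return permission in OIDC_SCOPES or not any(p in WRITE_MARKERS for p in permission.split("."))


def audit_app(sp, assigned_to, grants, app_role_assignments, resource_app_roles, documented):
    """Return (severity, check, detail) findings an admin wants answered before consenting."""
    findings = []
    # 1. User assignment: without it, any user in the tenant can sign in to the app.
    if not sp.get("appRoleAssignmentRequired", False):
        findings.append(("high", "user_assignment",
                         "appRoleAssignmentRequired is false: any tenant user can sign in"))
    elif not assigned_to:
        findings.append(("info", "user_assignment", "assignment required but nobody assigned"))
    # 2. Delegated grants: AllPrincipals = tenant-wide admin consent, Principal = one user's consent.
    for g in grants:
        if g["consentType"] == "Principal":
            findings.append(("medium", "user_consent",
                             f"per-user consent by {g['principalId']}: {g['scope']}"))
        for s in g["scope"].split():
            if not is_read_only(s):
                findings.append(("high", "write_scope", s))
            if s not in documented:
                findings.append(("medium", "undocumented_scope", s))
    # 3. Application permissions, resolved through the resource's appRoles (id -> value).
    for a in app_role_assignments:
        name = resource_app_roles.get(a["appRoleId"], a["appRoleId"])
        if not is_read_only(name):
            findings.append(("high", "write_app_permission", name))
    return findings


def worst_severity(findings):
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed sample: the vendor's documented scope list and one resource appRole (placeholder GUID).
DOCUMENTED = {"openid", "profile", "User.Read", "Directory.Read.All", "AuditLog.Read.All"}
RESOURCE_APP_ROLES = {"00000000-0000-0000-0000-0000000000aa": "Directory.ReadWrite.All"}

WEAK = dict(  # constructed: open sign-in, a write scope, a per-user grant, a write app permission
    sp={"id": "sp-1", "displayName": "scanner", "appRoleAssignmentRequired": False},
    assigned_to=[],
    grants=[{"consentType": "AllPrincipals", "principalId": None,
             "scope": "openid profile User.Read Directory.Read.All Policy.ReadWrite.ConditionalAccess"},
            {"consentType": "Principal", "principalId": "u-42", "scope": "User.Read"}],
    app_role_assignments=[{"appRoleId": "00000000-0000-0000-0000-0000000000aa"}],
    resource_app_roles=RESOURCE_APP_ROLES, documented=DOCUMENTED)

HARDENED = dict(  # constructed: assignment required to a group, one admin-consented read-only grant
    sp={"id": "sp-1", "displayName": "scanner", "appRoleAssignmentRequired": True},
    assigned_to=[{"principalType": "Group", "principalDisplayName": "sec-admins"}],
    grants=[{"consentType": "AllPrincipals", "principalId": None,
             "scope": "openid profile User.Read Directory.Read.All AuditLog.Read.All"}],
    app_role_assignments=[], resource_app_roles=RESOURCE_APP_ROLES, documented=DOCUMENTED)

if __name__ == "__main__":
    for label, case in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_app(**case)
        print(label, worst_severity(result), result)
```

The `documented` parameter is where a vendor's published permission list earns its keep: a scope that is consented but absent from the documentation is a finding on its own, independent of whether it is read-only. The same checks apply to any multi-tenant app, not only this one.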
u/NathanSecurity — 7 hours ago

Built a free tool to scan Microsoft 365 identity risks (read-only) — looking for feedback

Been looking at a bunch of SMB Microsoft 365 tenants recently and keep seeing the same issues:

  • admin accounts without MFA
  • dormant users still active
  • legacy access still enabled

Most of this doesn’t show up clearly unless you dig through logs or run scripts.

So I built a small tool that:

  • connects via Microsoft OAuth
  • runs a quick identity security scan
  • highlights risks (MFA gaps, inactive users, etc.)

🔐 About access (since this came up last time)

Yes — it does require an admin account to access tenant-wide data.

But:

  • Preview mode is read-only
  • No changes are made to your tenant
  • No credentials are stored (standard Microsoft OAuth flow)

Permissions used (read-only):

👉 These are used only to:

  • check MFA coverage
  • identify inactive users
  • review basic identity configuration

👉 The app does NOT:

  • access emails or files
  • modify any settings in preview mode
  • run any actions without explicit approval

🚀 What it does

  • scans your tenant in ~2 minutes
  • shows exactly where identity risks exist
  • gives you a clear view of what’s misconfigured

If anyone wants to try it or give feedback:

👉 https://cloudlocksmith.co

Would especially love input from people currently doing this manually or via scripts.

u/NathanSecurity — 3 days ago

Built a free tool to quickly check Microsoft 365 identity security — looking for feedback

Been seeing the same issues across a bunch of SMB tenants:

  • admins without MFA
  • inactive users still active
  • permissions that don’t make sense anymore

Most of this doesn’t show up unless you go digging or run scripts.

So I built a small tool that:

  • scans your tenant in a couple minutes
  • surfaces identity/security gaps
  • lets you fix them quickly

Right now it’s completely free to use (no catch) — just sign in with a Microsoft admin account and run the scan. If you see a message to upgrade, just click it since there are no subscriptions yet. You can also change your plan freely from the settings.

👉 https://cloudlocksmith.co

Would really appreciate any feedback — especially from people managing multiple tenants or doing this manually today.

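Both of these posts describe the same read-only scan (admins without MFA, dormant users, legacy access), and the first post asks how remediation should be staged with rollback. Below is an added example of how that scan and a proposals-only remediation stage look as code; it is mine, not the tool's. The records are constructed to match the fields Graph returns for /users with signInActivity, /reports/authenticationMethods/userRegistrationDetails, /directoryRoles?$expand=members and /auditLogs/signIns; nothing is fetched or written, the clock is fixed so results are deterministic, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Read-only identity scan over Graph-shaped data, plus a staged remediation plan.

Added example, not the tool's code. Records are constructed to match Microsoft Graph
field names; no network calls, no writes, fixed clock for deterministic results.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed "now" for the constructed sample
DORMANT_AFTER = timedelta(days=90)                  # policy threshold (assumption)
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # well-known Entra roleTemplateId
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}    # clientAppUsed values that are not legacy

USERS = [  # constructed; shape of GET /users?$select=id,userPrincipalName,accountEnabled,signInActivity
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-01-14T08:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-08-01T08:00:00Z"}},
    {"id": "u3", "userPrincipalName": "legacy@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-01-10T08:00:00Z"}},
    {"id": "u4", "userPrincipalName": "never@contoso.example", "accountEnabled": True,
     "signInActivity": {}},
    {"id": "u5", "userPrincipalName": "old@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},
]
MFA_REGISTRATION = [  # constructed; shape of /reports/authenticationMethods/userRegistrationDetails
    {"id": "u1", "isMfaRegistered": True}, {"id": "u2", "isMfaRegistered": False},
    {"id": "u3", "isMfaRegistered": True}, {"id": "u4", "isMfaRegistered": False},
]
DIRECTORY_ROLES = [  # constructed; shape of GET /directoryRoles?$expand=members
    {"displayName": "Global Administrator", "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
     "members": [{"id": "u1"}, {"id": "u2"}]},
]
SIGN_INS = [  # constructed; the two fields used from GET /auditLogs/signIns
    {"userId": "u1", "clientAppUsed": "Browser"},
    {"userId": "u3", "clientAppUsed": "Exchange ActiveSync"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_dormant(users, now=NOW, threshold=DORMANT_AFTER):
    """Enabled accounts with no interactive sign-in inside the threshold; never signed in counts."""
    dormant = []
    for u in users:
        if not u["accountEnabled"]:
            continue  # already disabled: not a finding
        last = u.get("signInActivity", {}).get("lastSignInDateTime")
        if last is None or now - _parse(last) > threshold:
            dormant.append(u["userPrincipalName"])
    return dormant


def find_admins_without_mfa(roles, registration, users):
    """Members of any directory role who have not registered an MFA method."""
    mfa = {r["id"]: r["isMfaRegistered"] for r in registration}
    upn = {u["id"]: u["userPrincipalName"] for u in users}
    return sorted({upn.get(m["id"], m["id"]) for role in roles for m in role["members"]
                   if not mfa.get(m["id"], False)})


def find_legacy_auth(sign_ins, users):
    """Users whose recent sign-ins came from a legacy (non-modern) client protocol."""
    upn = {u["id"]: u["userPrincipalName"] for u in users}
    return sorted({upn.get(s["userId"], s["userId"]) for s in sign_ins
                   if s["clientAppUsed"] not in MODERN_CLIENTS})


def scan(users=USERS, registration=MFA_REGISTRATION, roles=DIRECTORY_ROLES, sign_ins=SIGN_INS):
    return {"dormant_accounts": find_dormant(users),
            "admins_without_mfa": find_admins_without_mfa(roles, registration, users),
            "legacy_auth_users": find_legacy_auth(sign_ins, users)}


def propose_remediation(findings, users=USERS):
    """Staged remediation: proposals only, each carrying the prior state needed to roll it back.
    Nothing here calls Graph; an operator approves every item before any change is issued."""
    state = {u["userPrincipalName"]: {"accountEnabled": u["accountEnabled"]} for u in users}
    proposals = []
    for upn in findings["dormant_accounts"]:
        proposals.append({"action": "disable_account", "target": upn,
                          "rollback": state[upn], "requires_approval": True})
    for upn in findings["admins_without_mfa"]:
        proposals.append({"action": "require_mfa_registration", "target": upn,
                          "rollback": None, "requires_approval": True})
    for upn in findings["legacy_auth_users"]:
        proposals.append({"action": "review_legacy_client", "target": upn,
                          "rollback": None, "requires_approval": True})
    return proposals


if __name__ == "__main__":
    results = scan()
    for key, value in results.items():
        print(f"{key}: {value}")
    for proposal in propose_remediation(results):
        print(proposal)
```

The split between `scan()` and `propose_remediation()` is the point: the scan needs only read permissions, and the remediation stage produces a reviewable plan that records the pre-change state (here `accountEnabled`) before anything is touched, which is what makes the rollback option in the first post meaningful.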
u/NathanSecurity — 3 days ago