CopilotScan
by E2E Agentic Bridge
Read-only — we cannot change anything

What we access — and what we don't

Before you connect, here's exactly what read-only permissions we request and why. No surprises, no hidden access.

| Permission | What it lets us do | What we cannot do |
| --- | --- | --- |
| Directory.Read.All | See user accounts, group memberships, and guest users across your tenant. | Modify users, reset passwords, or create accounts. |
| Sites.Read.All | Read SharePoint site names and sharing settings. | Read file contents, or modify files or permissions. |
| Reports.Read.All | Read Copilot usage statistics and adoption metrics. | Read email content, Teams messages, or any file content. |
| ReportSettings.Read.All | Read report configuration settings. | Change any settings. |
| InformationProtectionPolicy.Read | Read sensitivity label configuration for your tenant. | Apply, modify, or remove sensitivity labels. |

Your data

We store only scan metadata — your readiness scores and anonymised findings. Your Microsoft access token is encrypted in transit and permanently deleted the moment the scan finishes — typically within 5 minutes, and never longer than 1 hour under any circumstances.

Admin consent required

All permissions require Global Admin approval. If you're not an admin, don't worry — you'll be able to send a one-click approval request to your admin from the next screen. Most admins approve in under 30 seconds.


By clicking "Start Scan" you agree to our Terms of Service and Privacy Policy.