Security
Security and trust, kept practical
Directory Guard follows a straightforward, tenant-first approach so you can meet your assurance needs without adding new risk.
Read-only by design
Minimal Microsoft Graph scopes agreed by you, no impersonation, and no background agents.
You hold the keys
The app registration lives in your tenant so secrets and permissions stay under your control.
Server-side token handling
Tokens and secrets never touch the browser. Everything is stored and used server-side only.
Scoped to one tenant
Every call is isolated to the connected tenant with no cross-tenant caching.
How we run it
Operational safeguards
We keep the platform small and clear so you can see how access is handled.
Lightweight footprint
A single Next.js runtime with minimal dependencies keeps the attack surface small.
Secret hygiene
Client secret metadata is surfaced so you can rotate credentials on your schedule. Automated renewal is not performed.
Transparent permissions
We keep the required Graph scopes documented and visible in the product experience.
No global admin passwords
Directory Guard never asks for shared admin accounts.
Customer-consented
You approve every permission inside your own tenant.
Data stays scoped
Findings stay tied to the tenant you connect.
Want the security detail?
We will walk through permissions, data handling, and how you keep ownership of credentials.