A comprehensive IT admin toolkit for Microsoft 365 tenant management, security monitoring, and operational visibility.
TenantScope is a PowerShell-based solution that collects data from your Microsoft 365 tenant via Microsoft Graph API and presents it in a local HTML dashboard. It provides IT administrators and security specialists with a single-pane-of-glass view across:
- Identity - Users, guests, admin roles, MFA status, risky sign-ins
- Security - Conditional access, PIM, OAuth consents, vulnerabilities, ASR rules
- Endpoints - Devices, compliance, BitLocker, Windows Update, Defender alerts
- Licensing - SKU allocation, waste analysis, overlap detection
- Collaboration - Teams, SharePoint sites, external sharing
All collected data stays local. Apart from Microsoft Graph itself and the Graph PowerShell SDK modules used to query it, there are no cloud services or external dependencies.
| Problem | How TenantScope Helps |
|---|---|
| "I need to check 5 different admin portals to get the full picture" | Single dashboard aggregates data from Entra, Intune, Defender, and M365 admin centers |
| "Which users still don't have MFA enabled?" | MFA status page shows all users without strong authentication, sorted by risk |
| "Our license costs are out of control" | License analysis detects unused licenses, duplicate assignments, and overlap waste |
| "I can't tell which devices are actually compliant" | Device compliance view shows status as of the last collection, with drill-down to specific policy failures |
| "Stale guest accounts are a security risk" | Guest management identifies inactive external users who should be removed |
| "Configuration profiles keep failing but I don't know why" | Configuration Profiles page shows deployment errors, conflicts, and affected devices |
| "I need to report on our security posture" | Export any view to CSV/Excel for management reporting |
| Problem | How TenantScope Helps |
|---|---|
| "I need to find users without MFA before attackers do" | Prioritized list of unprotected accounts with admin role highlighting |
| "Which Conditional Access policies have gaps?" | CA policy analysis shows coverage gaps, excluded users, and legacy auth exposure |
| "Are there overprivileged apps in our tenant?" | OAuth consent grants page reveals high-risk application permissions |
| "Which devices have known vulnerabilities?" | Vulnerability dashboard shows CVEs by severity with affected device counts |
| "I need to investigate a risky sign-in" | Sign-in logs with risk levels, locations, and device details for forensic analysis |
| "Who activated privileged roles recently?" | PIM activity tracking shows all role elevations with justifications |
| "Are attack surface reduction rules actually working?" | ASR rules page shows audit/block events and rule effectiveness |
| "BitLocker encryption status across the fleet" | BitLocker coverage report identifies unencrypted devices |
- Offline Analysis - Data collected once, analyze without internet dependency
- No Agent Required - Uses existing Graph API, no software deployment needed
- Privacy First - All data stays on your local machine, never transmitted externally
- Fast Answers - Search across all entities instantly, no waiting for portal loads
- Cross-Reference Everything - Click a user to see their devices, sign-ins, groups, and roles
- Direct Action Links - Jump straight to Entra/Intune/Defender portals to fix issues
- 42 Data Collectors - Comprehensive Graph API coverage across M365 workloads
- Cross-Entity Navigation - Click users to see devices, sign-ins, roles; click devices to see users, vulnerabilities
- Deep Links - Direct links to Entra, Intune, and Defender admin portals for immediate action
- Problem Detection - Aggregated critical issues with severity-based prioritization
- Signal Cards - Executive summary with risk scores and actionable insights
- Selective Collection - Run specific collectors when you need fresh data on just users or devices
- Flexible Auth - Interactive sign-in or app-only with certificate/secret
```powershell
# Clone the repository
git clone https://github.com/Thugney/TenantScope.git
cd TenantScope/m365-toolkit

# Install prerequisites (Graph SDK modules)
.\Install-Prerequisites.ps1

# Run data collection (interactive auth)
.\Invoke-DataCollection.ps1

# Or run specific collectors only
.\Invoke-DataCollection.ps1 -CollectorsToRun @("DeviceData", "UserData", "SignInLogs")
```

TenantScope collection is designed to finish predictably. Use the Fast profile for everyday quick posture checks, Full for a bounded full collection, and Deep only when an operator explicitly wants expensive detail collection. deepCollection is never enabled implicitly.
Recommended schedule:
- Daily: Fast profile
- Weekly: Full profile
- Manual only: Deep profile
Expensive collectors include AppDeployments, EndpointAnalytics, DefenderDeviceHealth, DeviceHardening, ASRAuditEvents, SharePointData, TeamsData, SignInLogs, AuditLogData, and VulnerabilityData.
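The recommended Fast-daily / Full-weekly schedule, as an added example of how an operator might register it with Windows Task Scheduler. This is not TenantScope's own code. It assumes the repository is checked out at $RepoRoot, that app-only authentication is already configured for unattended runs as described in the Authentication Guide (interactive sign-in cannot satisfy a scheduled task, and no auth parameters are shown here), and that a dedicated service account $RunAsUser exists. Deep is deliberately not scheduled because the page reserves it for manual runs.

```powershell
# Added example, not part of TenantScope. Assumptions: $RepoRoot is the clone
# location, $RunAsUser is a dedicated low-privilege service account, and the
# collector is already set up for app-only auth (see Authentication Guide).

param(
    [string]$RepoRoot  = 'C:\TenantScope',
    [string]$RunAsUser = "$env:USERDOMAIN\svc-tenantscope"
)

$script = Join-Path $RepoRoot 'm365-toolkit\Invoke-DataCollection.ps1'
if (-not (Test-Path $script)) { throw "Collector script not found: $script" }

# The toolkit needs PowerShell 7+, so run pwsh rather than Windows PowerShell.
$pwsh = (Get-Command pwsh).Source

# Daily Fast profile: posture only, no dashboard build.
$fastAction = New-ScheduledTaskAction -Execute $pwsh `
    -Argument "-NoProfile -NonInteractive -File `"$script`" -CollectionProfile Fast -SkipDashboard" `
    -WorkingDirectory $RepoRoot

# Weekly Full profile: bounded full collection and the dashboard.
$fullAction = New-ScheduledTaskAction -Execute $pwsh `
    -Argument "-NoProfile -NonInteractive -File `"$script`" -CollectionProfile Full" `
    -WorkingDirectory $RepoRoot

$dailyTrigger  = New-ScheduledTaskTrigger -Daily -At '06:00'
$weeklyTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'

# Hard stop so a runaway collector cannot pile up on top of the next run.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

$cred = Get-Credential -UserName $RunAsUser -Message 'Service account for TenantScope tasks'

Register-ScheduledTask -TaskName 'TenantScope-Daily-Fast' -Action $fastAction `
    -Trigger $dailyTrigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited -Force | Out-Null

Register-ScheduledTask -TaskName 'TenantScope-Weekly-Full' -Action $fullAction `
    -Trigger $weeklyTrigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited -Force | Out-Null

Get-ScheduledTask -TaskName 'TenantScope-*' | Format-Table TaskName, State
```

Storing a password with the task is the simple form. Where a group managed service account is available, drop -User/-Password and pass -Principal (New-ScheduledTaskPrincipal -UserId 'DOMAIN\gmsa$' -LogonType Password) instead, so no credential is stored on the host; the account still needs read access to the clone and write access to wherever the toolkit writes its output.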
Operator commands:

```powershell
# Daily quick posture
pwsh -File .\m365-toolkit\Invoke-DataCollection.ps1 -CollectionProfile Fast -SkipDashboard

# Diagnostic runtime mode: identify bottleneck collectors without building the dashboard
pwsh -File .\m365-toolkit\Invoke-DataCollection.ps1 -DiagnosticRuntime -SkipDashboard

# Isolate specific collectors
pwsh -File .\m365-toolkit\Invoke-DataCollection.ps1 -CollectorsToRun @("DeviceData","UserData") -SkipDashboard

# Skip expensive collectors during a bounded run
pwsh -File .\m365-toolkit\Invoke-DataCollection.ps1 -SkipExpensiveCollectors -SkipDashboard

# Isolate suspected AppDeployments runtime
pwsh -File .\m365-toolkit\Invoke-DataCollection.ps1 -CollectorsToRun @("AppDeployments") -CollectorTimeoutMinutes 15 -SkipDashboard
```

To isolate a slow collector, run diagnostic mode first, then rerun the slow collector alone with -CollectorsToRun and an explicit -CollectorTimeoutMinutes. Timed-out collectors are marked as failed, write a JSON marker or partial output, and appear in _run-status.json and collection-metadata.json.
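The triage loop just described (diagnostic run, then rerun the slow collectors alone with an explicit timeout), as an added example that is not TenantScope's own code. The layout of _run-status.json is not documented on this page, so the example assumes a "collectors" array whose entries carry "name", "status" and "durationSeconds" properties, and assumes the output directory; adjust both to the real file. The list of expensive collectors is the one given above.

```powershell
# Added example, not part of TenantScope. ASSUMED: _run-status.json has a
# "collectors" array with name/status/durationSeconds; $OutputDir is where
# the toolkit writes it. Requires PowerShell 7 (uses the ?? operator).

param(
    [string]$OutputDir = '.\m365-toolkit\output',   # assumed location
    [int]$RetryTimeoutMinutes = 15
)

$statusFile = Join-Path $OutputDir '_run-status.json'
if (-not (Test-Path $statusFile)) { throw "Run status not found: $statusFile" }

$run = Get-Content $statusFile -Raw | ConvertFrom-Json

# Collectors the README flags as expensive; these are the usual suspects.
$expensive = @('AppDeployments','EndpointAnalytics','DefenderDeviceHealth','DeviceHardening',
               'ASRAuditEvents','SharePointData','TeamsData','SignInLogs','AuditLogData',
               'VulnerabilityData')

# Timed-out collectors are reported as failed, so anything not completed is a
# rerun candidate.
$problem = @($run.collectors | Where-Object { $_.status -ne 'completed' })

if ($problem.Count -eq 0) {
    Write-Host 'All collectors completed; nothing to isolate.'
    return
}

$problem | ForEach-Object {
    [pscustomobject]@{
        Collector = $_.name
        Status    = $_.status
        Seconds   = [double]($_.durationSeconds ?? 0)
        Expensive = $expensive -contains $_.name
    }
} | Sort-Object Seconds -Descending | Format-Table -AutoSize | Out-Host

# One rerun command per collector so each gets its own timing and timeout.
# Commands are printed, not executed: every rerun spends more Graph calls and
# the operator should decide which ones are worth it.
foreach ($p in $problem) {
    'pwsh -File .\m365-toolkit\Invoke-DataCollection.ps1 -CollectorsToRun @("{0}") -CollectorTimeoutMinutes {1} -SkipDashboard' -f $p.name, $RetryTimeoutMinutes
}

# If only expensive collectors failed, the daily run can simply leave them out.
if (($problem | Where-Object { $expensive -notcontains $_.name }).Count -eq 0) {
    Write-Host 'Only expensive collectors failed; consider -SkipExpensiveCollectors for the daily Fast run.'
}
```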
DeviceData can be slow in large tenants because it combines Intune managed devices, Entra registered devices, Autopilot identities, optional Autopilot profile enrichment, and compliance policy state detail.

DeviceData stages, in order:
- Intune managed device retrieval: gets the base Intune managed-device inventory. If this blocks, the Graph managed devices call is the bottleneck.
- Entra registered device retrieval: gets Entra devices that are not already Intune-managed. This is page-limited by maxEntraDevicePages.
- Autopilot identity retrieval: gets Windows Autopilot device identities. This is page-limited by maxAutopilotDevicePages.
- Autopilot deployment profile enrichment: resolves profile metadata. Per-device lookup is limited by maxAutopilotProfileLookups; set it to 0 to disable.
- Compliance policy state batch: fetches policy-state detail for non-compliant devices. This is limited by maxDeviceComplianceStateFetches.
- Managed device processing loop and Entra-only device processing loop: local processing and shaping of already collected data.
- Save output: writes a partial or complete devices.json.
Recommended large-tenant limits in m365-toolkit\config.json:

```json
{
  "thresholds": {
    "maxDeviceComplianceStateFetches": 25,
    "maxAutopilotProfileLookups": 0,
    "maxEntraDevicePages": 25,
    "maxAutopilotDevicePages": 25
  }
}
```

Set maxAutopilotProfileLookups to 25 only when profile names are needed. Partial DeviceData output is explicit: partial, stopReason, stoppedAtStage, sourceTracking, and runtime metadata are written alongside the data.
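Because a partial devices.json is clearly marked, a reporting step can refuse to publish fleet-wide numbers from it. The following is an added example, not TenantScope's own code: it reads the partial/stopReason/stoppedAtStage markers named above and maps the stopping stage back to the config.json threshold that bounds it, using the stage list above. Assumed, because the page does not say: the markers sit at the top level of the file next to a "devices" array, stoppedAtStage holds the stage name as worded in that list, and the output path.

```powershell
# Added example, not part of TenantScope. ASSUMED layout of devices.json:
# top-level partial / stopReason / stoppedAtStage keys beside a "devices"
# array; stage names as listed in the README's DeviceData stage list.

# Stage prefix -> config.json threshold that bounds that stage.
$stageThreshold = @{
    'Entra registered device'      = 'maxEntraDevicePages'
    'Autopilot identity'           = 'maxAutopilotDevicePages'
    'Autopilot deployment profile' = 'maxAutopilotProfileLookups'
    'Compliance policy state'      = 'maxDeviceComplianceStateFetches'
}

function Test-DeviceDataComplete {
    param([Parameter(Mandatory)][string]$Path)

    $data    = Get-Content $Path -Raw | ConvertFrom-Json
    $devices = @($data.devices)
    $stage   = [string]$data.stoppedAtStage

    # Which threshold (if any) is the one to raise for this stop.
    $knob = $stageThreshold.GetEnumerator() |
        Where-Object { $stage -like "$($_.Key)*" } |
        Select-Object -ExpandProperty Value -First 1

    $summary = [pscustomobject]@{
        Partial        = [bool]$data.partial
        StopReason     = $data.stopReason
        StoppedAtStage = $stage
        LimitingKnob   = $knob
        DeviceCount    = $devices.Count   # a lower bound when Partial is true
    }

    if ($summary.Partial) {
        # Counts from a partial run undercount the tenant: an "unencrypted
        # devices" or "non-compliant devices" figure built on them is wrong.
        $fix = if ($knob) { " or raise '$knob' in m365-toolkit\config.json" } else { '' }
        $msg = "devices.json is PARTIAL (stopped at '{0}', reason '{1}'). " +
               "Fleet-wide figures derived from it undercount the tenant; " +
               "rerun DeviceData$fix before reporting."
        Write-Warning ($msg -f $summary.StoppedAtStage, $summary.StopReason)
    }
    return $summary
}

# Usage (output path assumed):
Test-DeviceDataComplete -Path '.\m365-toolkit\output\devices.json' | Format-List
```

Gate any CSV/Excel export on Partial being false; when it is true, the DeviceCount and everything computed from the device list should be labelled as a lower bound or withheld.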
This repository uses a two-machine flow:
- Develop and commit changes on the primary development machine.
- Push to GitHub (origin/main) from the dev machine.
- Pull latest on the work/test machine.
- Run collection + dashboard validation on the work/test machine.

This keeps implementation and tenant validation separated while preserving a single source of truth in GitHub.
| Document | Description |
|---|---|
| Full README | Complete usage guide with all options |
| Authentication Guide | How to set up app registration in Entra ID |
| Architecture | Technical architecture and data flow |
| Security Considerations | Data sensitivity and countermeasures |
| Changelog | Version history and release notes |
| Method | Use Case | LAPS Support |
|---|---|---|
| Interactive (default) | Testing, ad-hoc runs | No* |
| Client Secret | Scheduled automation | Yes |
| Certificate | Production, high security | Yes |
*LAPS data requires DeviceLocalCredential.Read.All, which is an application-only permission, so it is not available to interactive (delegated) sign-in.
See the Authentication Guide for setup instructions.
- PowerShell 7.0+
- Microsoft Graph PowerShell SDK modules
- Microsoft 365 tenant with appropriate Graph API permissions
- See full requirements for detailed permissions
This project is licensed under the MIT License - see the LICENSE file for details.
