Features

One read-only scan. Everything it unlocks.

Tenant Hawk connects to your tenant once - read-only, two minutes - and turns that access into a health score, a change journal, recovered license spend, and reports you can put in front of anyone.

The Journal · Pro

Every change in your tenant, recorded.

Someone disabled an MFA policy on Tuesday. Would you know? Tenant Hawk journals every Conditional Access, authentication, and Intune policy change - who, what, and when - with a diff you can actually read.

  • Before / after diffs

    Not just “something changed” - the exact field, the old value, and the new one.

  • Who made the change

    Every entry is attributed from the Entra audit log, so “who touched this policy?” has an answer.

  • History that doesn't expire

    Entra audit logs age out in 30–90 days. Your Journal keeps the timeline for as long as you're a customer.

How the Journal works

Journal

contoso.com · this week

Require MFA for adminsModifiedHigh impact
Conditional Access policyalex.rivera@contoso.comTue 2:14 PM
stateenableddisabled
HQ OfficeModified
Named locationsam.chen@contoso.comWed 9:41 AM
ipRanges["198.51.100.0/24"]["198.51.100.0/24", "203.0.113.0/24"]
Require MFA for guestsCreated
Conditional Access policy · report-onlysam.chen@contoso.comWed 4:03 PM
Windows baseline complianceModified
Intune compliance policypriya.patel@contoso.comThu 11:26 AM
passwordMinimumLength86

And the parts you'd expect

Health score & trends

One A–F score across security, cost, reliability, and hygiene - tracked over time.

Drift & instant alerts

Email, Slack, Teams, or Discord when new high findings appear or scores move.

CIS / NIST mapping

Every finding mapped to CIS Controls and NIST SP 800-53 for audit conversations.

Executive reports & exports

Shareable read-only report links, plus CSV, XLSX, and PDF exports.

Guided remediation

Fix-it steps with Microsoft doc links and exportable scripts (PS 7, PS 5.1, Azure Runbook).

Daily scans, read-only

App-only Graph consent, no agents, no stored credentials, revocable any time.

See it against your own tenant.

Two minutes of read-only setup gets you a graded scan - and starts your Journal's history from day one.

Start free scan