Features
One read-only scan. Everything it unlocks.
Tenant Hawk connects to your tenant once - read-only, two minutes - and turns that access into a health score, a change journal, recovered license spend, and reports you can put in front of anyone.
The Journal · Pro
Every change in your tenant, recorded.
Someone disabled an MFA policy on Tuesday. Would you know? Tenant Hawk journals every Conditional Access, authentication, and Intune policy change - who, what, and when - with a diff you can actually read.
Before / after diffs
Not just “something changed” - the exact field, the old value, and the new one.
Who made the change
Every entry is attributed from the Entra audit log, so “who touched this policy?” has an answer.
History that doesn't expire
Entra audit logs age out in 30–90 days. Your Journal keeps the timeline for as long as you're a customer.
Journal
contoso.com · this week
Go deeper on each one
And the parts you'd expect
Health score & trends
One A–F score across security, cost, reliability, and hygiene - tracked over time.
Drift & instant alerts
Email, Slack, Teams, or Discord when new high findings appear or scores move.
CIS / NIST mapping
Every finding mapped to CIS Controls and NIST SP 800-53 for audit conversations.
Executive reports & exports
Shareable read-only report links, plus CSV, XLSX, and PDF exports.
Guided remediation
Fix-it steps with Microsoft doc links and exportable scripts (PS 7, PS 5.1, Azure Runbook).
Daily scans, read-only
App-only Graph consent, no agents, no stored credentials, revocable any time.
See it against your own tenant.
Two minutes of read-only setup gets you a graded scan - and starts your Journal's history from day one.
Start free scan