A Microsoft work account to sign in. The tool only reads
your Conditional Access setup — it never changes anything.
Read access is enough. A read-only admin role such as
Global Reader or Security Reader can see everything the
report covers.
Sign-in-log insights (MFA recency, token-protection readiness) come automatically from
your tenant's sign-in logs. Optional: for the most complete and fastest results
— especially on large tenants — point it at Log Analytics (needs
read-only Log Analytics Reader) by ticking the box below.
No install, nothing to set up. No sign-in? Download the kit, run it yourself, and upload
the result instead.
Sign in with your Microsoft work account to run a
live, read-only assessment of this tenant's Conditional Access posture.
or
No sign-in? Download the data-gathering kit, run it against your tenant
(read-only), then come back and upload the JSON it produces.
Sign-in: read-only delegated Graph (admin-consented).
Upload: no permissions needed — the kit collects the same data locally.
Choose a Log Analytics workspace
Reads sign-in history from the workspace your tenant exports
Entra sign-in logs to (feeds MFA recency, token-protection readiness…). You need at least
Log Analytics Reader on the workspace you pick.