M365 identity security · built for MSPs

You're already doing M365 security reviews by hand. Start billing for them.

SentraliQ turns a manual identity-posture review into a client-ready assessment and report in about an hour. Deterministic findings — no AI guessing at verdicts, nothing fabricated. Built for MSPs serving all-Microsoft shops under 300 seats.

~1 hour: tenant connect to finished report
Read-only: Graph access, nothing changed
Deterministic: no LLM in the verdict path

ASSESSMENT · example tenant · 84 identities · READ-ONLY

CRITICAL 4 · HIGH 2 · MEDIUM 3 · LOW 0

COVERAGE MATRIX

  • Privileged role assignments: 3 users with admin roles · 1 stale [FINDINGS]
  • OAuth app consents: 4 apps with high permissions [FINDINGS]
  • Mailbox forwarding rules: Checked across all mailboxes · none found [CONFIRMED CLEAN]
  • Conditional Access policies: Permission not granted — flagged in report [COULDN'T CHECK]

"Couldn't check" never renders as "nothing found." Every report says exactly what it saw — and what it didn't.

The margin leak

The security review your MSA already promised is quietly eating your margin.

Every managed-services agreement with an M365 client implies identity security work. Today that work is either done by hand, unbilled — or not done, undocumented. Both cost you.

Unbillable hours

Senior techs walking Entra by hand

Admin roles, stale accounts, OAuth grants, forwarding rules — half a day per tenant, spread across a dozen portal blades. That labor is bundled into the MSA. You're paying for it.

tech hours × tenants × every quarter

Silent liability

Undocumented posture is your problem

The day a client gets phished, the first question is what was reviewed, when, and what wasn't visible. Without a record, the answer defaults to you.

no record = your word vs. the incident

Missed project revenue

Findings nobody surfaced, projects nobody scoped

Every real finding is a remediation project with a client-ready justification attached. If nothing surfaces it, that revenue never exists.

the assessment is the sales document

How it works

Connect. Assess. Hand over the report.

Connect a tenant

Read-only Microsoft Graph consent on the client tenant. Minutes to set up. Nothing in the environment is changed — ever.

Run the assessment

Deterministic checks across identities, privileged access, authentication posture, OAuth consents, guests and devices. Every verdict is rule-based and explainable — no LLM decides what's a finding.

Hand over the report

A tenant-wide identity posture report your client can actually read: prioritized review items, severity that never gets quietly downgraded, and a coverage matrix showing what was checked.

Then keep watching

The assessment shows the problem. Monitoring watches it: continuous detection on the same checks, delta alerting when posture changes, and retained forensics when something needs investigating. Same views, same depth — monitoring wins on time, not on locked features.

The honesty model

Every check ends in one of four states. You see all four.

Most tools collapse "we found nothing" and "we couldn't look" into the same blank screen. For a security deliverable, that's not a UX shortcut — it's a false clean.

RESOLVED

Checked — findings returned

The check ran with full access and surfaced results, each with a deterministic, immutable severity.

EMPTY_CONFIRMED

Checked — confirmed clean

The check ran with full access and found nothing. Clean because it was verified, not because it was skipped.

PERMISSION_MISSING

Couldn't check — access gap

The tenant hasn't granted the permission this check needs. The report says so, plainly, instead of showing a blank.

NOT_AVAILABLE

Couldn't check — not offered

Licensing or platform limits make this data unreachable in this tenant. Named, not hidden.

A tool that can't tell you what it didn't see will eventually tell your client "clean" when it means "blind." Severity is deterministic and immutable — marking an app "known good" never downgrades a finding. If that vendor is compromised later, the risk was never hidden.

SENTRALIQ · IDENTITY POSTURE ASSESSMENT

Tenant-wide report — sections

01 Identity census — users, apps, guests
02 Privileged access
03 Authentication posture
04 Applications & OAuth surface
05 Guests & devices
06 Prioritized review items
07 Coverage matrix — all four states

The deliverable

The report is the product.

Not a dashboard your client will never log into — a document you hand them, with your engagement attached to it.

  • Client-readable. Written for the business owner who signs your invoices, not for a SOC analyst.
  • Shadow-AI visible. OAuth consents surface every app — including AI tools — that employees have quietly wired into the tenant.
  • Project-ready. Prioritized review items map directly to remediation work you can scope and bill.
  • Honest by structure. The coverage matrix ships in every report. What was checked, what was clean, what couldn't be seen.

Why this doesn't exist already

"Can't I just—"

…use the Entra portal?

Microsoft gives you the raw data — spread across a dozen blades, with no verdicts and nothing you can hand a client. The data was never the problem. The deliverable is.

…use CIPP?

Great at multi-tenant management and automation. It's an operations console for you — not an assessment report for your client, and not a detection layer with an honesty model.

…buy a big security platform?

Built and priced for enterprises with a SOC to feed. A 60-seat law firm doesn't have one — and neither should its MSP need one to answer "who can do damage in this tenant?"

Nobody cheaply serves the all-Microsoft, sub-300-seat business through the MSP channel with an identity report you can hand to the client. That's the lane SentraliQ was built for.

Founding MSP program

Run it on one client tenant. Free.

SentraliQ is working with a small group of founding MSPs right now. You get a full assessment and client-ready report on a real tenant, direct access to the founder, and early pricing that stays with you. We get the feedback that shapes the product. Read-only access, minutes to connect, nothing changed in the environment.

No fabricated findings. No false clean claims. If we couldn't check it, the report says so.