Granting Audit Access — Microsoft 365

Time required: 5 minutes Who should do this: A Global Admin in your Microsoft 365 / Entra ID tenant What we get: Read-only access to check MFA adoption, license usage, and security posture What we can't do: Change passwords, modify users, alter policies, or access email content

---

Option A: Assign us a Global Reader role (simplest)

1. Go to Entra Admin Center → Users → All Users
2. Click + New User → Invite external user
3. Enter the email address your Studio B contact provides
4. Click Assignments → add the role: Global Reader
5. Send the invitation

That's it. Global Reader gives us read-only visibility into:

• User accounts and MFA status
• License assignments and usage
• Security defaults and conditional access policies
• Sign-in logs and risk events
• Directory information

Global Reader cannot: reset passwords, create/delete users, change policies, access mailboxes, or modify anything.

---

Option B: Consent to a read-only app (more control)

If you prefer not to create a guest user, you can consent to our Entra app registration instead. This gives read-only API access without a user account.

1. We'll send you a consent URL (an admin consent link for our app)
2. Click the link and sign in with your Global Admin account
3. Review the permissions — you'll see only Read scopes:
   • User.Read.All — read user profiles and MFA status
   • Organization.Read.All — read tenant info and license counts
   • Directory.Read.All — read directory data
   • SecurityEvents.Read.All — read sign-in risk events
4. Click Accept

After consenting, our app can read your tenant data via API. No user account is created.

To revoke: Go to Entra Admin Center → Enterprise Applications → find "Studio B Audit" → Properties → Delete.

---

What we check

Check	What it tells you
MFA adoption rate	What % of users have MFA enabled?
License utilization	Are you paying for licenses nobody uses?
Security defaults	Are basic security policies turned on?
Conditional access gaps	Are there risky gaps in your access policies?
Failed sign-in patterns	Are there signs of credential attacks?

After the audit

• Option A: Disable or delete the guest user in Entra
• Option B: Delete the enterprise app registration

Either way, access is fully revoked in seconds. The audit takes about 15 minutes to run.