Operator surface for Microsoft Graph permission-scope governance — consented apps, over-permissioned scopes, unused-90d revoke, Conditional Access coverage, scope-creep detection.
Single-page operator surface served as static HTML — no backend, no login, no telemetry. Synthetic data only. Part of the Kinetic Gain operator-surface lane.
https://scopes.kineticgain.com/
For a Microsoft 365 / Entra tenant, which apps are over-permissioned, dormant, scope-creeping, or running outside Conditional Access policy coverage — visualized as a single operator board with 30 synthetic apps drawn from the four populations every real tenant has:
- Microsoft 1P (8 apps) — SharePoint Online, Teams, OneDrive, Exchange, Power BI, Power Automate, Azure DevOps, Defender for Cloud Apps
- ISV Tier 1 (10 apps) — Salesforce, Slack, Atlassian, ServiceNow, Datadog, Splunk, Workday, Zoom, Box, DocuSign
- Mid-market SaaS (8 apps) — Calendly, Loom, Notion, Lattice, Lucidchart, PagerDuty, Greenhouse, Gong
- In-house custom (4 apps) — ContinentalDataPortal, CB-Trust-Audit-Worker, ContractsAI-Pilot, SalesIntelExtractor
- Over-permissioned — in-house custom (`Sites.FullControl.All` on a read-only data browser app)
- Over-permissioned — ISV without DLP (`Files.Read.All` on Slack without Purview DLP coverage)
- Unused — should revoke (apps with 90+ days no usage retaining scopes — Loom + Lucidchart)
- Scope creep — silent over-time growth (Microsoft Teams quietly added `User.Read.All` since baseline)
- Secret expiring — rotation overdue (Datadog audit-ingest client secret with 12-day expiry, silent-failure mode)
- Conditional Access coverage gap (3 apps not covered by any CA policy — PagerDuty, ContractsAI-Pilot, SalesIntelExtractor)
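The six anomaly cards above reduce to a handful of checks over the app registry. The following is an added example, not code from the project: it runs those checks (over-permissioned write scope on a read-only app, 90-day unused, scope creep against a consent-time baseline, client-secret expiry window, Conditional Access gap) over a constructed registry. Field names, thresholds and the sample apps are assumptions.

```javascript
// Added example, not the project's own code: the drift checks from the anomaly
// list above, run over a constructed registry. Field names and thresholds are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;
const WRITE_SCOPE = /\.(ReadWrite|FullControl)(\.|$)/;

// Constructed synthetic registry shaped after the page's populations (not real tenant data).
const APPS = [
  { name: "ContinentalDataPortal", readOnly: true, scopes: ["Sites.FullControl.All"],
    baseline: ["Sites.FullControl.All"], lastUsed: "2026-06-01", secretExpires: "2027-01-01", caPolicies: ["CA-01"] },
  { name: "Loom", readOnly: false, scopes: ["User.Read"], baseline: ["User.Read"],
    lastUsed: "2026-01-15", secretExpires: "2027-01-01", caPolicies: ["CA-01"] },
  { name: "Microsoft Teams", readOnly: false, scopes: ["User.Read", "User.Read.All"], baseline: ["User.Read"],
    lastUsed: "2026-06-01", secretExpires: "2027-01-01", caPolicies: ["CA-01"] },
  { name: "Datadog", readOnly: false, scopes: ["AuditLog.Read.All"], baseline: ["AuditLog.Read.All"],
    lastUsed: "2026-06-01", secretExpires: "2026-06-14", caPolicies: ["CA-02"] },
  { name: "PagerDuty", readOnly: false, scopes: ["User.Read"], baseline: ["User.Read"],
    lastUsed: "2026-05-30", secretExpires: "2027-01-01", caPolicies: [] },
];

// Whole days from ISO date a to ISO date b (UTC parse, so no DST drift).
function daysBetween(a, b) {
  return Math.floor((Date.parse(b) - Date.parse(a)) / DAY_MS);
}

// Drift findings for one app as of `today`; each rule maps to one anomaly card above.
function detectDrift(app, today, { unusedDays = 90, secretWarnDays = 30 } = {}) {
  const out = [];
  const flag = (kind, detail) => out.push({ app: app.name, kind, detail });
  if (app.readOnly && app.scopes.some((s) => WRITE_SCOPE.test(s)))
    flag("over-permissioned", app.scopes.filter((s) => WRITE_SCOPE.test(s)).join(","));
  const idle = daysBetween(app.lastUsed, today);
  if (idle >= unusedDays) flag("unused-revoke", `${idle}d idle, ${app.scopes.length} scopes retained`);
  const added = app.scopes.filter((s) => !app.baseline.includes(s));
  if (added.length) flag("scope-creep", `added since baseline: ${added.join(",")}`);
  const left = daysBetween(today, app.secretExpires);
  if (left <= secretWarnDays) flag("secret-expiring", `${left}d to expiry`);
  if (app.caPolicies.length === 0) flag("ca-gap", "not covered by any Conditional Access policy");
  return out;
}

// Run every app through the checks; returns the flat anomaly list the board would render.
function auditRegistry(apps, today) {
  return apps.flatMap((app) => detectDrift(app, today));
}

console.log(auditRegistry(APPS, "2026-06-02"));
```

The baseline is the scope set recorded at consent time; comparing the live set against it is what turns a quiet in-place upgrade into a visible scope-creep finding.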
| Tab | What's there |
|---|---|
| Overview | 30-app registry with class, auth-type, highest-risk scope, total scopes, consent date, status |
| Anomalies | 6 detected anomaly cards with regulatory anchors |
| CA coverage | Conditional Access policy × app matrix (8 policies × 30 apps) |
| Audit chain | 8-event hash-chained audit-stream (ed25519-signable) |
Microsoft 365 security teams · Entra admins · IAM teams running OAuth scope reviews.
CIS Microsoft 365 Foundations Benchmark v3 · CIS Controls v8 5.6 + 6.7 + 8.5 · SOX ITGC · NIST 800-53 AC-2 + AC-6 + IA-5 · ISO 27001 A.9.2 + A.9.4 · Microsoft Zero Trust security baseline · Microsoft Purview DLP.
Microsoft Graph permission scopes are the runtime trust boundary between every SaaS app and the M365 tenant. The runtime ops problem is not granting the scope at consent time — it's the silent drift after consent: unused-but-still-authorized apps, scope creep from in-place upgrades, client secrets expiring without alarm, Conditional Access policies that don't actually cover the apps they are assumed to cover. This surface makes that drift visible.
v1.0-prod — hardened 2026-06-02 (same day as v0.1 shipped). CI green on Node 20 and 22, 15 structure and data-integrity tests passing, HTML5-validated, security headers verified in .htaccess. See .release-notes.md.
No backend. No login. No telemetry. All synthetic data is baked into index.html as JavaScript constants. Nothing leaves the tab.
github.com/mizcausevic-dev/microsoft-graph-permission-scope-auditor
AGPL-3.0 — see LICENSE.
Part of the buyer-facing operator-surface lane (5 surfaces and growing): see also cert.kineticgain.com (CyberArk Access Certification Mesh), jml.kineticgain.com (Workforce-to-Privilege Identity Flow), mt.kineticgain.com (Tenant Boundary Risk Command Center), and pv.kineticgain.com (Pharmacovigilance Review and Reporting Hub). Indexed at kineticgain.com/constellation/.