tools/mfa-coverage-check
Who in your tenant still has no MFA?
Sign in read-only and get the answer in seconds: MFA registration coverage across the tenant, every admin without MFA named, and how much of your coverage is phishing-resistant. The report renders in this browser tab and nowhere else — no data is sent to Sentavo or stored anywhere.
// exactly what you're consenting to
- AuditLog.Read.All (delegated, read-only) — reads the authentication methods registration report. Requires an admin to consent, because the report is org-wide.
- User.Read — your own basic sign-in profile. Standard for any sign-in.
- No write permissions of any kind. Nothing in your tenant is changed. Revoke anytime: Entra admin centre → Enterprise applications → Sentavo Tools → delete.
- Role required: your signed-in account needs a reader-level Entra role — Global Reader is enough (Reports Reader, Security Reader, or any admin also works). First run in a tenant needs a Global Administrator to consent; after that, any reader-role account can run it. If your role is assigned via PIM, activate it before running.
coverage.txt
findings.log
Fixing the gaps is Conditional Access work — enforcement policy, phishing-resistant strengths, break-glass exclusions. That's exactly what the fixed-price assessment scopes → ./view pricing
Reads Microsoft Graph reports/authenticationMethods/userRegistrationDetails. Registration data can lag reality by up to 24–48 hours per Microsoft. Guest accounts are counted separately. Your access token lives only in this tab's memory and dies when you close it.