tools/secure-score-gap

Where is your Secure Score leaking points?

Sign in read-only and this page pulls your tenant's Secure Score live from Microsoft Graph — gaps ranked by points available, every control mapped to the ASD Essential Eight, CIS Controls v8 and NIST CSF 2.0. There is no backend: your browser talks to Graph directly, and the report is rendered right here. Nothing is sent or stored.

secure-score-gap --sign-in
Delegated read-only permission: SecurityEvents.Read.All Only hosts contacted: login.microsoftonline.com · graph.microsoft.com Verify it: DevTools → Network while this runs

Sign in with a Microsoft work account holding Security Reader or higher. Reading Secure Score needs one-time admin consent in your tenant. A popup opens — allow it if your browser asks.

by category

top gaps ranked by points available

controlgapeffortframeworks

quick wins low effort · real points

controlgapframeworks

This snapshot counts the gaps — a full assessment closes them, with an Essential Eight maturity target and a quoted fix list. Fixed price, one week → ./view pricing

questions before you sign in

What exactly am I consenting to?
One delegated, read-only Microsoft Graph permission: SecurityEvents.Read.All. Delegated means the tool can only read what your signed-in account can already read, only while this page is open. It cannot change anything in your tenant — there is no write permission to misuse.
Why does it need admin consent?
Microsoft classifies security data as high-privilege, so reading Secure Score always requires a one-time approval by a Global Administrator — that's a Microsoft rule, not ours. In most small businesses and MSPs the person running this tool is that admin, so it's one extra click on the consent screen.
Why does the consent screen say "unverified"?
Sentavo is a new independent practice and hasn't completed Microsoft's publisher verification yet. The warning describes the publisher, not the permission — which remains read-only, listed in full on that same screen, and revocable by you at any time (see below). If that's not enough assurance today, fair — verify the traffic yourself first (next question).
How do I verify nothing leaves my browser?
Open DevTools (F12) → Network tab, then run the tool. Every request is visible: you'll see login.microsoftonline.com (sign-in) and graph.microsoft.com (your data) — and nothing else. No calls to us, no analytics, no third parties. The page source is unminified if you'd rather read the code.
What role do I need, and how do I revoke access afterwards?
Your account needs Security Reader or higher. To remove the app afterwards: Entra admin centre → Enterprise applications → Sentavo Tools → Delete. The session token expires on its own when you close the tab — nothing persists.

Reads /security/secureScores and /security/secureScoreControlProfiles via Microsoft Graph with delegated permissions. Framework mappings are indicative, derived from control titles. Sign out of the popup session by closing this tab; the app can be revoked any time in Entra → Enterprise applications.