Security First

Security & Privacy Practices

We understand that connecting a third-party application to your Microsoft 365 tenant requires absolute trust. Here's exactly how we protect your data.

Read-Only Access

We only request permissions that end in .Read or .Read.All. We cannot modify any settings in your tenant.

Military-Grade Encryption

All tokens are encrypted with AES-256-GCM, using a unique salt and IV for every encryption. Keys are derived via scrypt.

Disconnect Anytime

Revoke access instantly from Microsoft Entra admin center. No lock-in, no data hostage.

Complete Permission Transparency

Here is every Microsoft Graph API permission we request, why we need it, and explicitly what we do and don't access.

Directory.Read.All

To analyze user accounts, groups, and role assignments for security misconfigurations

What we access:
  • User profiles
  • Group memberships
  • Role assignments
  • Organization structure
What we don't access:
  • Passwords
  • Personal files
  • Private messages
  • Password hashes

Policy.Read.All

To evaluate security policies like Conditional Access and authentication methods

What we access:
  • Conditional Access policies
  • Authentication policies
  • Security defaults configuration
What we don't access:
  • Policy modification capabilities
  • User credentials
  • Secret keys

SecurityEvents.Read.All

To identify active security threats and risky sign-in patterns

What we access:
  • Security alerts
  • Risk detections
  • Sign-in logs for risk analysis
What we don't access:
  • Incident remediation
  • Alert dismissal
  • Security investigation tools

AuditLog.Read.All

To review administrative actions and detect suspicious activity

What we access:
  • Directory audit logs
  • Sign-in activity logs
  • Administrative action history
What we don't access:
  • Log modification
  • Log deletion
  • Data beyond retention period

User.Read.All

To check user configurations like MFA status and account settings

What we access:
  • User properties
  • License assignments
  • Authentication method registration
What we don't access:
  • Email content
  • Calendar data
  • Personal files
  • OneDrive content

Group.Read.All

To analyze group-based access and identify overly permissive groups

What we access:
  • Group memberships
  • Group settings
  • Dynamic group rules
What we don't access:
  • Group conversations
  • SharePoint content
  • Team messages

Application.Read.All

To identify risky third-party apps and OAuth permissions granted

What we access:
  • Registered applications
  • Service principals
  • Granted OAuth permissions
What we don't access:
  • Application secrets
  • Client credentials
  • Certificate private keys

RoleManagement.Read.All

To audit privileged role assignments and identify over-privileged accounts

What we access:
  • Role definitions
  • Role assignments
  • PIM eligible assignments
What we don't access:
  • Role assignment changes
  • PIM activation
  • Role creation

Organization.Read.All

To understand tenant configuration and organizational settings

What we access:
  • Organization profile
  • Verified domains
  • Subscription info
What we don't access:
  • Billing information
  • Payment methods
  • Support tickets

All Permissions Are Read-Only

Notice that every permission ends in .Read.All or .Read. We intentionally never request write permissions. O365Validator cannot modify your tenant configuration, user accounts, policies, or any settings.

How We Protect Your Data

Security isn't just a feature - it's the foundation of everything we build.

AES-256-GCM Encryption

All OAuth tokens are encrypted using AES-256-GCM, the same encryption standard used by governments and financial institutions. Each token uses a unique salt and initialization vector.

Secure Key Derivation

Encryption keys are derived using scrypt, a memory-hard key derivation function that makes brute-force attacks computationally infeasible.

Secure Infrastructure

Our infrastructure runs on Vercel's edge network with automatic TLS 1.3 encryption for all data in transit. The database is hosted on Neon's secure PostgreSQL platform.

Token Lifecycle Management

Access tokens are short-lived and automatically refreshed. Refresh tokens are encrypted and can be revoked at any time through Microsoft's admin center.

Minimal Data Retention

We store only assessment results (pass/fail status, recommendations). We do not retain raw tenant data, user lists, or personal information.

No Persistent Access

Each assessment runs on-demand. We don't maintain persistent connections to your tenant. You can disconnect access at any time.

Data Handling

Complete transparency about what data we store and what we never touch.

What We Store

  • Assessment results (pass/fail for each security check)
  • Severity ratings and remediation recommendations
  • Aggregate statistics (total users, apps, etc.)
  • Encrypted OAuth tokens (access + refresh)
  • Your email address (for authentication)

What We Never Store

  • User passwords or password hashes
  • Email content or attachments
  • Personal files or OneDrive content
  • Chat messages or Teams conversations
  • Calendar data or meeting details
  • Raw API response data

How to Disconnect

You can revoke O365Validator's access to your tenant at any time.

  1. Sign in to the Microsoft Entra admin center (entra.microsoft.com)
  2. Navigate to Enterprise Applications
  3. Search for 'O365Validator'
  4. Click on the application
  5. Click 'Delete' to remove all access

Note: Deleting the enterprise application immediately terminates all access. Previously stored assessment results remain in your account but no new data can be retrieved without re-connecting.

Questions About Our Security?

We're happy to discuss our security practices in detail. Contact our team for more information.