Automated SOC 2 / ISO 27001 / CIS / HIPAA readiness for Microsoft 365 — assess, then remediate in a click.
Sign in with Microsoft 365 and get an auditor-ready assessment of your Entra ID, Conditional Access, privileged access, logging, devices, and data-sharing controls. Then apply guided, safe fixes — Conditional Access changes start in report-only mode, so nothing breaks. The scan runs entirely in your browser; your tenant data never reaches our servers.
Enterprise-grade security assessment tools designed for compliance teams and auditors
Your Microsoft 365 access tokens never leave your browser. We use delegated authentication—you sign in, we scan, you get results. No persistent access, no security risk.
Download comprehensive reports in PDF, CSV, and JSONL formats. Each scan includes raw evidence from Microsoft Graph API, perfect for auditor verification and compliance documentation.
No ongoing monitoring, no data retention. Run assessments on-demand when you need them. Perfect for pre-audit preparation, compliance reviews, and security assessments.
Every finding maps to SOC 2, ISO 27001, CIS Microsoft 365, and the HIPAA Security Rule — so you see exactly which controls you meet and where the gaps are, in your auditor's language.
Over 20 checks across identity, Conditional Access, privileged access, audit logging, devices (Intune), and data sharing — evaluated against Microsoft and CIS baselines.
The scan is read-only. When you're ready, apply guided remediations with one click — and Conditional Access fixes start in report-only mode, so you review the impact before anything is enforced.
The full source code is public on GitHub. You can read every line of code that touches your data before you run it. No black boxes — exactly what you need for a security tool.
LockList Security runs as a local desktop app. The backend server runs on your machine, scans happen on your machine, and results stay on your machine — we never see your org data.
The FastAPI server runs on localhost:8000 on your own machine. Every API call, every result, every report — processed locally. There is no LockList cloud server involved.
Your Microsoft 365 access token is used for the scan and then discarded. It is never written to a database, never sent to a third-party server, and expires on its own after ~1 hour.
The only outbound connections made during a scan are to graph.microsoft.com and login.microsoftonline.com — Microsoft's own infrastructure. No data is sent anywhere else.
Scan results are saved to a SQLite database file (dev.db) on your hard drive. Only you can access it. You can delete it at any time to remove all records.
Every Microsoft Graph permission requested is read-only. The app cannot modify your tenant, create users, change policies, or take any action — it can only read and report on what already exists.
There is no analytics SDK, no crash reporter, no usage tracking. We don't know when you run scans, what your results are, or anything about your organisation. The app has no way to phone home.
Our security scan evaluates your Microsoft 365 tenant against SOC 2 Trust Service Criteria
Verifies that Conditional Access policies exist and are enabled for privileged roles. Checks that MFA is required in grant controls and that policies target admin role assignments. Critical for preventing unauthorized administrative access.
Evaluates organization-wide MFA enforcement through Conditional Access. Confirms policies include all users and require MFA before granting access to cloud applications. Ensures comprehensive protection across your entire tenant.
Detects policies that block legacy authentication protocols (basic auth, IMAP, POP). Legacy protocols bypass MFA and modern security controls, making them a significant attack vector. We verify blocking policies are in place.
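How the three Conditional Access checks above can be evaluated over the policy objects Graph returns, as an added example that is not LockList's own code. It assumes the schema of `GET /identity/conditionalAccess/policies` (`state`, `conditions.users`, `conditions.clientAppTypes`, `grantControls.builtInControls`); the sample policies are constructed, and only an `enabled` policy counts, so a report-only policy does not satisfy a check.

```python
# Added example (not LockList's code): evaluate Conditional Access policies
# shaped like the Graph /identity/conditionalAccess/policies response.
from typing import Dict, List

GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"  # well-known template id
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # Graph clientAppTypes used by legacy auth

SAMPLE_POLICIES: List[Dict] = [  # constructed sample, not a real tenant
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _enforced(p: Dict) -> bool:
    return p.get("state") == "enabled"  # report-only policies evaluate but do not protect

def _controls(p: Dict) -> set:
    return set((p.get("grantControls") or {}).get("builtInControls", []))  # grantControls may be null

def _users(p: Dict) -> Dict:
    return p.get("conditions", {}).get("users", {})

def _covers_all_apps(p: Dict) -> bool:
    return "All" in p.get("conditions", {}).get("applications", {}).get("includeApplications", [])

def admin_mfa_enforced(policies: List[Dict]) -> bool:
    """An enabled policy that targets the Global Administrator role and requires MFA."""
    return any(_enforced(p) and "mfa" in _controls(p)
               and GLOBAL_ADMIN_ROLE_TEMPLATE in _users(p).get("includeRoles", []) for p in policies)

def all_user_mfa_enforced(policies: List[Dict]) -> bool:
    """An enabled policy covering all users and all cloud apps that requires MFA."""
    return any(_enforced(p) and "mfa" in _controls(p) and _covers_all_apps(p)
               and "All" in _users(p).get("includeUsers", []) for p in policies)

def legacy_auth_blocked(policies: List[Dict]) -> bool:
    """An enabled block policy for all users whose client app types cover both legacy categories."""
    return any(_enforced(p) and "block" in _controls(p) and "All" in _users(p).get("includeUsers", [])
               and LEGACY_CLIENT_TYPES <= set(p.get("conditions", {}).get("clientAppTypes", []))
               for p in policies)

def evaluate(policies: List[Dict]) -> Dict[str, bool]:
    return {"admin_mfa": admin_mfa_enforced(policies),
            "all_user_mfa": all_user_mfa_enforced(policies),
            "legacy_auth_blocked": legacy_auth_blocked(policies)}
```

On the sample, the all-user MFA check fails because that policy is still in report-only mode.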
Inventories all directory role assignments in your tenant. Flags excessive assignments (>10) as potential over-provisioning. Recommends Privileged Identity Management (PIM) and least privilege principles for better access control.
Audits Entra ID directory roles and member counts. Provides visibility into who holds sensitive roles like Global Admin, Privileged Role Admin, and Security Admin. Essential for access governance and compliance.
Calculates the percentage of users with MFA methods registered. Target is ≥95% coverage. Pulls data from Microsoft's authentication methods user registration report to provide accurate metrics.
Samples authentication methods registered per user. Validates that admins and high-risk accounts use strong methods like Microsoft Authenticator or FIDO2 security keys, not weaker SMS or phone-based MFA.
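The coverage and method-strength checks above, as an added example that is not LockList's own code. It assumes records shaped like `GET /reports/authenticationMethods/userRegistrationDetails` (`isAdmin`, `isMfaRegistered`, `methodsRegistered`); the method names and strength ranking are assumptions modelled on that report, and the user records are constructed.

```python
# Added example (not LockList's code): MFA registration coverage against the 95% target,
# plus admins whose strongest registered method is phone or SMS based.
from typing import Dict, List, Tuple

COVERAGE_TARGET = 95.0

# Assumed method names and ranking (higher is stronger); verify against the Graph reference.
METHOD_STRENGTH = {
    "fido2": 4, "windowsHelloForBusiness": 4,          # phishing-resistant
    "microsoftAuthenticatorPasswordless": 3,
    "microsoftAuthenticatorPush": 2, "softwareOneTimePasscode": 2,
    "mobilePhone": 1, "alternateMobilePhone": 1, "officePhone": 1,  # SMS / voice
    "email": 0, "securityQuestion": 0,                 # not MFA-grade at all
}
ADMIN_MINIMUM_STRENGTH = 2  # authenticator app or better for privileged accounts

SAMPLE_USERS: List[Dict] = [  # constructed sample records
    {"userPrincipalName": "alice@example.com", "isAdmin": True,  "isMfaRegistered": True,
     "methodsRegistered": ["fido2", "mobilePhone"]},
    {"userPrincipalName": "bob@example.com",   "isAdmin": True,  "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "carol@example.com", "isAdmin": False, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dave@example.com",  "isAdmin": False, "isMfaRegistered": False,
     "methodsRegistered": []},
]

def mfa_coverage_percent(users: List[Dict]) -> float:
    """Share of users with at least one MFA method registered, one decimal place."""
    if not users:
        return 0.0
    registered = sum(1 for u in users if u.get("isMfaRegistered"))
    return round(100.0 * registered / len(users), 1)

def coverage_meets_target(users: List[Dict], target: float = COVERAGE_TARGET) -> bool:
    return mfa_coverage_percent(users) >= target

def strongest_method(methods: List[str]) -> Tuple[str, int]:
    """Best-ranked method a user has; unknown names are treated as unranked (0)."""
    if not methods:
        return ("none", 0)
    return max(((m, METHOD_STRENGTH.get(m, 0)) for m in methods), key=lambda t: t[1])

def admins_below_minimum(users: List[Dict]) -> List[Tuple[str, str]]:
    """Admins whose strongest method is weaker than ADMIN_MINIMUM_STRENGTH."""
    findings = []
    for u in users:
        if not u.get("isAdmin"):
            continue
        name, rank = strongest_method(u.get("methodsRegistered", []))
        if rank < ADMIN_MINIMUM_STRENGTH:
            findings.append((u["userPrincipalName"], name))
    return findings
```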
Verifies access to sign-in logs via Microsoft Graph API. These logs are essential for detecting failed login attempts, legacy client usage, anomalous access patterns, and potential security incidents.
Confirms access to directory audit logs that capture administrative actions. Logs include role changes, app consent grants, user modifications, and other critical changes. Required for change management evidence.
Validates that sign-in logs include appliedConditionalAccessPolicies field. This confirms policy evaluation visibility in your audit trail, essential for understanding why access was granted or denied.
Retrieves subscribed SKUs to explain feature availability. Conditional Access requires Entra ID P1 or P2 licenses, while Security Defaults are available on the free tier. Helps understand control limitations.
Built on Microsoft Graph API with delegated authentication—secure, transparent, and evidence-ready
LockList Security uses delegated authentication—your browser obtains an access token directly from Microsoft, and we use it for a single scan request. Tokens are never stored on our servers.
All permissions are delegated (user context) and read-only. Admin consent is required. We never request write permissions or application-level access.
Each scan produces downloadable artifacts suitable for SOC 2 audit documentation and compliance reviews.
Sign in with Microsoft 365, get auditor-ready results in minutes — then fix what's wrong.
Nothing to install. Sign in with Microsoft 365 and the assessment runs entirely in your browser — your tenant data is read directly from Microsoft and never sent to our servers.
The assessment is free. Unlock the full multi-format report (PDF, CSV, JSONL, SOC 2 JSON) and guided auto-fix with a one-time payment.