Automated SOC 2 / ISO 27001 / CIS / HIPAA readiness — assess your tenant, then remediate in a click.
Sign in with Microsoft 365 or Google Workspace and get an auditor-ready assessment of your identity, admin access, MFA, logging, and data-sharing controls. Then apply guided, safe fixes — on Microsoft, Conditional Access changes start in report-only mode so nothing breaks. The scan runs entirely in your browser; your tenant data never reaches our servers.
Enterprise-grade security assessment tools designed for compliance teams and auditors
Your Microsoft 365 access tokens never leave your browser. We use delegated authentication — you sign in, we scan, you get results. No persistent access, no security risk.
Download comprehensive reports in PDF, CSV, and JSONL formats. Each scan includes raw evidence from Microsoft Graph API, perfect for auditor verification and compliance documentation.
No ongoing monitoring, no data retention. Run assessments on-demand when you need them. Perfect for pre-audit preparation, compliance reviews, and security assessments.
Every finding maps to SOC 2, ISO 27001, CIS Microsoft 365, and the HIPAA Security Rule — so you see exactly which controls you meet and where the gaps are, in your auditor's language.
Microsoft 365: 20+ checks across identity, Conditional Access, privileged access, audit logging, devices (Intune), and data sharing. Google Workspace: 2-Step Verification, admin access, audit logs, domains and more — evaluated against Microsoft, Google, and CIS baselines.
The scan is read-only. When you're ready, apply guided remediations with one click — and Conditional Access fixes start in report-only mode, so you review the impact before anything is enforced.
The full source code is public on GitHub. You can read every line of code that touches your data before you run it. No black boxes — exactly what you need for a security tool.
The assessment runs entirely in your browser. Your tenant data is read directly from Microsoft or Google and is never sent to or stored by LockList.
The scan executes as client-side code in your browser and calls your provider's API directly. There is no LockList server in the path reading your tenant.
Your Microsoft / Google access token stays in your browser, is used only to read your settings, and is never transmitted to or stored by us. It expires on its own.
During a scan the only outbound calls are to graph.microsoft.com / admin.googleapis.com and the provider's own login — nowhere else.
We keep no database of scans and no user accounts. Results live only in your browser tab for the session; closing it clears them.
The assessment requests read-only permissions. Any fixes are opt-in, require your explicit approval, and Conditional Access changes start in report-only mode.
No analytics SDK, no tracking, no usage collection. See our Privacy Policy for the full detail.
Every finding maps to SOC 2, ISO 27001, the CIS Microsoft 365 / Google Workspace Benchmarks, and the HIPAA Security Rule.
Verifies that Conditional Access policies exist and are enabled for privileged roles. Checks that MFA is required in grant controls and that policies target admin role assignments. Critical for preventing unauthorized administrative access.
Evaluates organization-wide MFA enforcement through Conditional Access. Confirms policies include all users and require MFA before granting access to cloud applications. Ensures comprehensive protection across your entire tenant.
Detects policies that block legacy authentication protocols (basic auth, IMAP, POP). Legacy protocols bypass MFA and modern security controls, making them a significant attack vector. We verify blocking policies are in place.
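The three Conditional Access checks above (admin MFA, tenant-wide MFA, legacy authentication blocked) can be evaluated offline from the policy objects that Microsoft Graph returns for `GET /identity/conditionalAccess/policies`. The following is an added example, not LockList's own code: the policy objects are constructed samples in the Graph `conditionalAccessPolicy` schema, the Global Administrator role template id is the well-known fixed value, and the pass/fail rules (enforced state, `All` users and apps, MFA not weakened by an `OR` with other grant controls, legacy block covering both `exchangeActiveSync` and `other`) are one reasonable reading of the checks, not the tool's exact logic.

```javascript
// Added example (not LockList's code): assess Conditional Access policies
// as returned by Microsoft Graph for the admin-MFA, all-user-MFA and
// legacy-authentication checks. Sample policies are constructed, not real.

// Global Administrator role template id; this value is the same in every tenant.
const GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10";

// Constructed sample policies in the Graph conditionalAccessPolicy shape.
const samplePolicies = [
  {
    displayName: "Require MFA for admins",
    state: "enabled",
    conditions: {
      users: { includeUsers: [], includeRoles: [GLOBAL_ADMIN_ROLE_TEMPLATE_ID] },
      applications: { includeApplications: ["All"] },
      clientAppTypes: ["all"],
    },
    grantControls: { operator: "OR", builtInControls: ["mfa"] },
  },
  {
    displayName: "Require MFA for all users",
    state: "enabledForReportingButNotEnforced", // report-only: evaluated, not enforced
    conditions: {
      users: { includeUsers: ["All"], includeRoles: [] },
      applications: { includeApplications: ["All"] },
      clientAppTypes: ["all"],
    },
    grantControls: { operator: "OR", builtInControls: ["mfa"] },
  },
  {
    displayName: "Block legacy authentication",
    state: "enabled",
    conditions: {
      users: { includeUsers: ["All"], includeRoles: [] },
      applications: { includeApplications: ["All"] },
      clientAppTypes: ["exchangeActiveSync", "other"], // the legacy client types
    },
    grantControls: { operator: "OR", builtInControls: ["block"] },
  },
];

const isEnforced = (p) => p.state === "enabled";
const coversAllUsers = (p) => (p.conditions?.users?.includeUsers ?? []).includes("All");
const coversAllApps = (p) => (p.conditions?.applications?.includeApplications ?? []).includes("All");
const targetsGlobalAdmins = (p) =>
  (p.conditions?.users?.includeRoles ?? []).includes(GLOBAL_ADMIN_ROLE_TEMPLATE_ID);

// MFA is only guaranteed when it is the sole control, or combined with AND.
// "mfa OR compliantDevice" lets a compliant device satisfy the policy without MFA.
function requiresMfa(p) {
  const controls = p.grantControls?.builtInControls ?? [];
  if (!controls.includes("mfa")) return false;
  return controls.length === 1 || p.grantControls.operator === "AND";
}

function blocksLegacyAuth(p) {
  const types = p.conditions?.clientAppTypes ?? [];
  const blocks = (p.grantControls?.builtInControls ?? []).includes("block");
  return blocks && types.includes("exchangeActiveSync") && types.includes("other");
}

// Returns one result per check plus the names of report-only policies, which
// are visible in logs but do not count as enforcement.
function assessConditionalAccess(policies) {
  const names = (list) => list.map((p) => p.displayName);
  const adminMfa = policies.filter(
    (p) => isEnforced(p) && requiresMfa(p) && coversAllApps(p) && (coversAllUsers(p) || targetsGlobalAdmins(p)),
  );
  const allUserMfa = policies.filter((p) => isEnforced(p) && requiresMfa(p) && coversAllUsers(p) && coversAllApps(p));
  const legacyBlocked = policies.filter((p) => isEnforced(p) && blocksLegacyAuth(p) && coversAllUsers(p));
  const reportOnly = policies.filter((p) => p.state === "enabledForReportingButNotEnforced");
  return {
    adminMfa: { pass: adminMfa.length > 0, policies: names(adminMfa) },
    allUserMfa: { pass: allUserMfa.length > 0, policies: names(allUserMfa) },
    legacyAuthBlocked: { pass: legacyBlocked.length > 0, policies: names(legacyBlocked) },
    reportOnly: names(reportOnly),
  };
}

console.log(JSON.stringify(assessConditionalAccess(samplePolicies), null, 2));
```

On the sample data the admin-MFA and legacy-auth checks pass while the all-user MFA check fails, because the only tenant-wide MFA policy is still in report-only mode; that is exactly the state a remediation started in report-only mode leaves behind until an administrator reviews the impact and enables it. The example deliberately ignores `excludeUsers`/`excludeGroups`: a small break-glass exclusion is normal practice, but a reviewer should still read the exclusion lists by hand.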
Inventories all directory role assignments in your tenant. Flags excessive assignments (>10) as potential over-provisioning. Recommends Privileged Identity Management (PIM) and least privilege principles for better access control.
Audits Entra ID directory roles and member counts. Provides visibility into who holds sensitive roles like Global Admin, Privileged Role Admin, and Security Admin. Essential for access governance and compliance.
Calculates the percentage of users with MFA methods registered. Target is ≥95% coverage. Pulls data from Microsoft's authentication methods user registration report to provide accurate metrics.
Samples authentication methods registered per user. Validates that admins and high-risk accounts use strong methods like Microsoft Authenticator or FIDO2 security keys, not weaker SMS or phone-based MFA.
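The MFA coverage and method-strength checks above both read the Graph user registration report (`GET /reports/authenticationMethods/userRegistrationDetails`). The following added example, not LockList's code, computes the coverage percentage against the 95% target and lists admins whose only registered methods are phone- or email-based. The report rows are constructed samples, and the split of method names into strong and weak sets is an assumption made here for illustration.

```javascript
// Added example (not LockList's code): MFA registration coverage and admin
// method strength from Graph userRegistrationDetails rows. Sample rows are
// constructed; example.com principals are placeholders.

// Assumed classification: phishing-resistant or app-based methods count as strong.
const STRONG_METHODS = new Set([
  "microsoftAuthenticatorPush",
  "fido2SecurityKey",
  "windowsHelloForBusiness",
  "passKeyDeviceBound",
]);

// Constructed sample rows in the shape of Graph userRegistrationDetails.
const sampleReport = [
  { userPrincipalName: "admin1@example.com", isAdmin: true, isMfaRegistered: true,
    methodsRegistered: ["fido2SecurityKey", "microsoftAuthenticatorPush"] },
  { userPrincipalName: "admin2@example.com", isAdmin: true, isMfaRegistered: true,
    methodsRegistered: ["mobilePhone"] }, // SMS/voice only: registered, but weak
  { userPrincipalName: "alice@example.com", isAdmin: false, isMfaRegistered: true,
    methodsRegistered: ["microsoftAuthenticatorPush"] },
  { userPrincipalName: "bob@example.com", isAdmin: false, isMfaRegistered: true,
    methodsRegistered: ["email", "mobilePhone"] },
  { userPrincipalName: "carol@example.com", isAdmin: false, isMfaRegistered: false,
    methodsRegistered: [] },
];

const hasStrongMethod = (row) => (row.methodsRegistered ?? []).some((m) => STRONG_METHODS.has(m));

// Returns coverage as a fraction of all users, pass/fail against the target,
// and the admins who lack any strong method (a separate, stricter finding).
function assessMfaRegistration(rows, target = 0.95) {
  const total = rows.length;
  const registered = rows.filter((r) => r.isMfaRegistered === true).length;
  const coverage = total === 0 ? 0 : registered / total;
  const adminsWithoutStrongMethod = rows
    .filter((r) => r.isAdmin && !hasStrongMethod(r))
    .map((r) => r.userPrincipalName);
  return {
    total,
    registered,
    coveragePercent: Math.round(coverage * 1000) / 10,
    coveragePass: coverage >= target,
    adminsWithoutStrongMethod,
    adminMethodsPass: adminsWithoutStrongMethod.length === 0,
  };
}

console.log(JSON.stringify(assessMfaRegistration(sampleReport), null, 2));
```

Note that `isMfaRegistered` is true for admin2 even though only SMS is registered, which is why coverage alone is not enough evidence for privileged accounts and the method check is reported separately.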
Verifies access to sign-in logs via Microsoft Graph API. These logs are essential for detecting failed login attempts, legacy client usage, anomalous access patterns, and potential security incidents.
Confirms access to directory audit logs that capture administrative actions. Logs include role changes, app consent grants, user modifications, and other critical changes. Required for change management evidence.
Validates that sign-in logs include appliedConditionalAccessPolicies field. This confirms policy evaluation visibility in your audit trail, essential for understanding why access was granted or denied.
Retrieves subscribed SKUs to explain feature availability. Conditional Access requires Entra ID P1 or P2 licenses, while Security Defaults are available on the free tier. Helps understand control limitations.
Built on Microsoft Graph and the Google Workspace Admin SDK with delegated authentication — secure, transparent, and evidence-ready
LockList uses delegated authentication. Your browser obtains an access token directly from your provider and calls the provider's API from the browser — the token and your tenant data never pass through our servers.
The assessment uses delegated (user-context), read-only permissions; admin consent is required. Write permissions are requested only if you choose to apply a fix — incrementally, one fix at a time, never as application-level access. (Google Workspace uses the equivalent read-only Admin SDK scopes.)
Each scan produces downloadable artifacts suitable for SOC 2 audit documentation and compliance reviews.
Sign in with Microsoft 365 or Google Workspace, get auditor-ready results in minutes — then fix what's wrong.
Nothing to install. Sign in with Microsoft 365 or Google Workspace and the assessment runs entirely in your browser — your tenant data is read directly from Microsoft/Google and never sent to our servers.
The assessment is free. Unlock the full multi-format report (PDF, CSV, JSONL, SOC 2 JSON) and guided auto-fix with a one-time payment.