- A work email: Free-mail providers (gmail.com, outlook.com, etc.) are blocked at signup. Use your company domain.
- A Microsoft work account: Used to sign in via Microsoft OAuth. Multi-factor authentication is enforced by your tenant’s Entra ID conditional access — ScanPosture doesn’t add a second MFA layer on top.
- Tenant admin (later): The admin-consent step needs someone who can grant tenant-wide consent on Microsoft’s side — typically a Global Administrator. They don’t need to be the same person who signs up.
- About five minutes: The signup form is one screen, and the first scan typically completes in around five minutes after admin consent is granted.
Fill in the signup form
Visit app.scanposture.com/signup. The form asks for your work email, your name, your company name and size, your role, and whether you’re registering as a Managed Service Provider. There’s a Cloudflare Turnstile check at the bottom — no captcha clicks, just a quick browser challenge.
You’re registered → check your inbox
Submitting takes a couple of seconds. You’ll see a “You’re registered” confirmation page; in parallel, ScanPosture sends a welcome email from noreply@scanposture.com. The email contains a single “Sign in with Microsoft” button — that’s how you complete setup. There is no separate password to set; ScanPosture authenticates you against your Microsoft tenant.
Sign in with Microsoft
Click the button. You’re redirected to Microsoft’s standard OAuth sign-in. Use a Microsoft work account that has at least Global Reader on the tenant you want to assess. Your Entra ID conditional access enforces MFA at this point; ScanPosture relies on Microsoft’s own MFA and doesn’t add its own.
Set up your workspace
On first sign-in, ScanPosture asks for your company name and a subdomain (e.g. acme.scanposture.com). Availability is checked live as you type. The subdomain is your tenant’s permanent URL — pick something you’ll be happy to share with auditors and customers.
Connect Microsoft (admin consent)
Once the workspace is set up, head to Settings → Connect Microsoft. You’re redirected to the Microsoft admin-consent screen, where you’ll see ScanPosture listed as a Microsoft-verified publisher and the full read-only permission set. A user who can grant tenant-wide consent (typically a Global Administrator) approves the scopes — see Permissions for what each scope does and does NOT grant.
Not a Global Administrator? Send a link to a colleague.
If you’re onboarding ScanPosture but don’t hold the Global Administrator role yourself, you don’t need to wait for one to log in alongside you. From the same Settings → Connect Microsoft screen there’s a “Send consent link to your Global Admin” form. Enter their email (and optionally their name); they receive a one-time, 72-hour link that takes them to a ScanPosture-hosted explainer page and onwards to the standard Microsoft admin-consent flow. They don’t need a ScanPosture account — they sign in with Microsoft, approve, and the connection is bound to your workspace automatically. You’ll see the invitation status (pending → approved) on the same screen and can revoke it at any time.
First scan and dashboard
With consent granted, ScanPosture starts your first posture scan. The welcome email quotes around five minutes — typical for an SMB tenant. When it finishes, head into the dashboard: start at Posture score at the top, drill into Priority actions for the highest-impact remediations, then check Compliance readiness to see how the same findings map onto Cyber Essentials, ISO 27001, GDPR, NIST and CIS.
That’s the whole loop
Signup form → welcome email → Microsoft sign-in → workspace → admin consent → first scan. Subsequent scans run automatically — see How scanning works for cadence and triggers.
Three things almost every new tenant does in the first week:
1. Set up Slack or Microsoft Teams alerts so the team sees scan results without having to log in. See Integrations.
2. Schedule the executive PDF report to land in stakeholders’ inboxes. See Reports.
3. Invite the rest of the security team. Invited users sign in with their own Microsoft account and inherit MFA from your Entra tenant.
Email + password is also supported
If your organisation needs an account that doesn’t use Microsoft OAuth — for an MSP analyst, a platform admin, or a federation edge case — ScanPosture supports email-and-password sign-in with TOTP-based MFA (and recovery codes) as a fallback. The OAuth path above is the default for trial signups; the credentials path is opt-in and configured per user.