Read-only · no agents · no inbox content
Scan trigger paths
A scan starts in one of two ways.
- Scheduled (default): a background scheduler checks for due tenants every 15 minutes and starts any scan that’s ready to run. The default schedule is one scan per day at 02:00 in the tenant’s configured timezone.
- Manual: any user with admin or owner role can hit Run scan now on the dashboard. Manual scans queue immediately and start within seconds.
Cadence and limits
- Default cadence: 1 scan per day at 02:00 tenant timezone.
- Scheduler check: every 15 minutes (a background scheduler looks for tenants whose next scan is due and starts them).
- Maximum cadence: 4 scans per day (configurable in settings — useful during a remediation push, or for high-change MSP customers).
- Concurrency: one scan per tenant runs at a time. Manual triggers during an in-flight scan queue and run immediately after.
- Typical duration: 1–3 minutes for an SMB tenant. Larger tenants (5,000+ Entra users) typically take 3–8 minutes.
- Throttling: Microsoft Graph throttling is honoured automatically. ScanPosture’s Graph client respects Retry-After headers and surfaces persistent 429s as skipped with a truthful reason — never as failed checks.
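The cadence, timezone and concurrency rules above are easy to get subtly wrong (a fixed UTC offset drifts away from "02:00 local" at a DST change; a manual trigger must not start a second scan on a tenant that is already mid-scan). The following is an added Python model of those rules written for this page; it is not ScanPosture's scheduler, and `Tenant`, `scheduled_times`, `is_due`, `tick` and the even spreading of higher cadences from the 02:00 anchor are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional
from zoneinfo import ZoneInfo

# Constructed model of the cadence rules above; not ScanPosture's scheduler.
# Tenant, scheduled_times, is_due and tick are names chosen for this example.

MAX_SCANS_PER_DAY = 4                       # ceiling stated on the page
SCHEDULER_INTERVAL = timedelta(minutes=15)  # how often tick() would be invoked
DEFAULT_LOCAL_START = time(2, 0)            # 02:00 in the tenant's own timezone


@dataclass
class Tenant:
    name: str
    tz: str                                    # IANA name, e.g. "Europe/London"
    scans_per_day: int = 1                     # default cadence
    last_completed: Optional[datetime] = None  # aware UTC; None before first scan
    in_flight: bool = False                    # at most one scan per tenant
    manual_queued: bool = False                # "Run scan now" was pressed

    def __post_init__(self) -> None:
        if not 1 <= self.scans_per_day <= MAX_SCANS_PER_DAY:
            raise ValueError(f"cadence must be 1..{MAX_SCANS_PER_DAY} scans/day")


def scheduled_times(t: Tenant, local_day: date) -> list[datetime]:
    """Aware UTC instants at which `t` is due on `local_day` (a tenant-local date).
    One scan/day fires at 02:00 local. Higher cadences are spread evenly over the
    day from that anchor (an assumption; the page only fixes the 02:00 default)."""
    tz = ZoneInfo(t.tz)
    anchor = datetime.combine(local_day, DEFAULT_LOCAL_START, tzinfo=tz)
    step = timedelta(hours=24 / t.scans_per_day)
    # Add on the tenant's wall clock and convert afterwards, so a DST change
    # keeps "02:00 local" rather than a fixed UTC offset.
    return [(anchor + i * step).astimezone(timezone.utc)
            for i in range(t.scans_per_day)]


def is_due(t: Tenant, now_utc: datetime) -> bool:
    """True when a scheduled instant has passed since the last completed scan.
    Yesterday's slots are included so a slot just before local midnight is not
    lost when the 15-minute tick lands after it."""
    if t.last_completed is None:
        return True                            # never scanned: run at next tick
    local_today = now_utc.astimezone(ZoneInfo(t.tz)).date()
    slots = (scheduled_times(t, local_today - timedelta(days=1))
             + scheduled_times(t, local_today))
    return any(t.last_completed < s <= now_utc for s in slots)


def tick(tenants: list[Tenant], now_utc: datetime) -> list[str]:
    """One scheduler pass; returns the names of tenants whose scan was started.
    A manual trigger jumps the schedule but still waits for an in-flight scan on
    the same tenant, which is the one-scan-per-tenant concurrency rule."""
    started = []
    for t in tenants:
        if t.in_flight:
            continue
        if t.manual_queued or is_due(t, now_utc):
            t.manual_queued = False
            t.in_flight = True
            started.append(t.name)
    return started


def demo() -> dict:
    """Constructed scenario exercising the rules; all values are made up."""
    utc = timezone.utc
    acme = Tenant("acme", "Europe/London",
                  last_completed=datetime(2024, 6, 9, 1, 3, tzinfo=utc))
    # June is British Summer Time, so 02:00 local is 01:00 UTC.
    before = tick([acme], datetime(2024, 6, 10, 0, 50, tzinfo=utc))   # not yet
    after = tick([acme], datetime(2024, 6, 10, 1, 5, tzinfo=utc))     # due
    # Manual trigger while that scan is still running: queued, not started.
    acme.manual_queued = True
    blocked = tick([acme], datetime(2024, 6, 10, 1, 20, tzinfo=utc))
    acme.in_flight = False                                             # finished
    acme.last_completed = datetime(2024, 6, 10, 1, 7, tzinfo=utc)
    resumed = tick([acme], datetime(2024, 6, 10, 1, 35, tzinfo=utc))  # manual runs
    # A 4/day tenant (the maximum) gets 02:00, 08:00, 14:00 and 20:00 local.
    busy = Tenant("msp-client", "Europe/London", scans_per_day=4)
    hours = [s.astimezone(ZoneInfo(busy.tz)).hour
             for s in scheduled_times(busy, date(2024, 6, 10))]
    return {"before": before, "after": after, "blocked": blocked,
            "resumed": resumed, "hours": hours}


if __name__ == "__main__":
    print(demo())
```

The point of doing the arithmetic on the tenant's wall clock and converting to UTC afterwards is that the 02:00 slot stays at 02:00 local across a DST transition; storing "01:00 UTC" for a London tenant would silently become 01:00 GMT in winter.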
What a scan fetches
ScanPosture currently runs 201 read-only checks across 9 security domains. Each check issues one or more Microsoft Graph (or Exchange / SharePoint admin) calls, then evaluates the response against a deterministic rule. The full per-check spec, including the Graph endpoint, control mapping, and remediation guide, is generated from the production check registry — see the Coverage page for the canonical list.
Examples of what a single scan fetches:
- Identity: users (subset of attributes), groups, directory roles, role assignments, PIM-eligible roles, identity-provider configuration.
- Authentication: conditional-access policy set, authentication-methods policy, MFA enforcement state, sign-in risk events.
- Applications: app registrations, service principals, OAuth permission grants, app credentials and expiry.
- Collaboration: SharePoint sharing settings (tenant-wide), Teams team settings, Teams app installations.
- Email: mailbox audit state, transport rules, distribution-list moderation, outbound spam policy, inbox forwarding-rule presence.
- Logging: Entra diagnostic-settings (if batch F is granted), Microsoft Graph activity log destination.
What a scan never fetches
The four lines we will never cross
Drift detection
Every completed scan is compared to the previous completed scan for the same tenant. Differences are surfaced as scan changes on the dashboard — for example, “a new conditional-access policy was added,” or “an app registration’s client secret was rotated.” Drift events are independent of severity and don’t affect the posture score on their own; they exist so an operator can spot a change quickly and decide whether it’s an intended improvement or an unexpected regression.
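As an added illustration of the comparison described above (this is example code written for this page, not ScanPosture's drift engine), the block below diffs two constructed scan snapshots and emits one event per added, removed or changed object, regardless of severity. The snapshot layout, the resource names, the `modifiedDateTime` noise filter and the event wording are all assumptions. Note how the "client secret was rotated" case is detected purely from credential key ids: a read-only scan never has, and never needs, the secret value itself.

```python
from dataclasses import dataclass
from typing import Any

# Constructed example, not ScanPosture's drift engine. The snapshot layout,
# resource names and event wording are assumptions made for illustration.

# Attributes that move on every scan and would otherwise produce noise.
IGNORED_FIELDS = {"modifiedDateTime"}

# resource type -> object id -> attribute dict, as recorded by one completed scan
Snapshot = dict[str, dict[str, dict[str, Any]]]


@dataclass(frozen=True)
class DriftEvent:
    kind: str              # "added" | "removed" | "changed"
    resource: str          # e.g. "conditionalAccessPolicy"
    key: str               # stable object id
    field: str = ""        # for "changed": the attribute that moved
    before: Any = None
    after: Any = None

    def describe(self) -> str:
        if self.kind == "changed":
            return (f"{self.resource} {self.key}: {self.field} changed "
                    f"from {self.before!r} to {self.after!r}")
        return f"{self.resource} {self.key} was {self.kind}"


def diff_snapshots(prev: Snapshot, curr: Snapshot) -> list[DriftEvent]:
    """Compare two completed scans of the same tenant. Severity plays no part:
    every change is reported and the operator decides whether it was intended."""
    events: list[DriftEvent] = []
    for resource in sorted(set(prev) | set(curr)):
        old, new = prev.get(resource, {}), curr.get(resource, {})
        for key in sorted(set(old) | set(new)):
            if key not in old:
                events.append(DriftEvent("added", resource, key))
            elif key not in new:
                events.append(DriftEvent("removed", resource, key))
            else:
                for fld in sorted((set(old[key]) | set(new[key])) - IGNORED_FIELDS):
                    a, b = old[key].get(fld), new[key].get(fld)
                    if a != b:
                        events.append(DriftEvent("changed", resource, key, fld, a, b))
    return events


def demo() -> dict:
    """Constructed pair of snapshots. Credential drift is detected from key ids
    only; the secret values themselves are never fetched or stored."""
    prev: Snapshot = {
        "conditionalAccessPolicy": {
            "ca-001": {"displayName": "Require MFA for admins", "state": "enabled",
                       "modifiedDateTime": "2024-06-01T10:00:00Z"},
        },
        "application": {
            "app-42": {"displayName": "Payroll sync",
                       "passwordCredentialKeyIds": ("k-old",)},
            "app-7": {"displayName": "Legacy reporting",
                      "passwordCredentialKeyIds": ()},
        },
    }
    curr: Snapshot = {
        "conditionalAccessPolicy": {
            "ca-001": {"displayName": "Require MFA for admins", "state": "enabled",
                       "modifiedDateTime": "2024-06-10T02:01:00Z"},   # noise only
            "ca-002": {"displayName": "Block legacy authentication",
                       "state": "enabledForReportingButNotEnforced"},
        },
        "application": {
            "app-42": {"displayName": "Payroll sync",
                       "passwordCredentialKeyIds": ("k-new",)},       # rotated
        },
    }
    events = diff_snapshots(prev, curr)
    return {"events": [(e.kind, e.resource, e.key, e.field) for e in events],
            "descriptions": [e.describe() for e in events]}


if __name__ == "__main__":
    for line in demo()["descriptions"]:
        print(line)
```

Running it reports the rotated credential on `app-42`, the removed `app-7` registration and the new `ca-002` policy, while the timestamp change on `ca-001` is filtered out; the operator, not the scanner, decides which of the three was intended.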
What the dashboard shows after a scan
- Posture score — weighted score across the 9 security domains, with the trend vs. the previous scan.
- Priority actions — open findings sorted by severity × estimated score impact. This is what to fix first.
- Compliance readiness — the same findings re-projected against Cyber Essentials, ISO 27001, GDPR, NIST and CIS.
- Scan changes — drift since the previous completed scan.
- Skipped checks — every check that couldn’t answer its own question, with the truthful reason (missing licence, missing role assignment, throttled, etc.). These are listed separately from failed checks so you don’t chase phantom problems.
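The throttling rule in the cadence list (honour Retry-After, surface persistent 429s as skipped rather than failed) and the skipped-versus-failed split in the last bullet are two sides of the same design decision: a check that could not get an answer must say so instead of reporting a failure. The block below is an added Python sketch of that behaviour for this page; it is not ScanPosture's Graph client. The `Outcome` model, the `FakeGraph` transport, the check ids, the retry limit and the sample endpoints are all assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed example, not ScanPosture's Graph client. Outcome states, the fake
# transport, the check ids and the retry limit are assumptions for illustration.

MAX_429_RETRIES = 3


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    json: Optional[dict] = None


@dataclass
class Outcome:
    check_id: str
    state: str          # "pass" | "fail" | "skipped"
    reason: str = ""    # for "skipped": the truthful reason shown to the operator


def graph_get(transport: Callable[[str], Response], url: str,
              sleeper: Callable[[float], None] = time.sleep) -> Optional[Response]:
    """GET with Graph-style throttling handling: wait the number of seconds the
    Retry-After header asks for on each 429, give up after MAX_429_RETRIES and
    return None so the caller marks the check skipped instead of failed."""
    for attempt in range(MAX_429_RETRIES + 1):
        resp = transport(url)
        if resp.status != 429:
            return resp
        if attempt == MAX_429_RETRIES:
            break
        # Retry-After is in seconds; fall back to a small backoff if absent.
        sleeper(float(resp.headers.get("Retry-After", 2 ** attempt)))
    return None


def run_check(check_id: str, url: str, rule: Callable[[dict], bool],
              transport: Callable[[str], Response],
              sleeper: Callable[[float], None] = time.sleep) -> Outcome:
    """Evaluate one deterministic rule against one Graph response. Anything that
    prevents an answer becomes a skip with a reason, never a failure."""
    resp = graph_get(transport, url, sleeper)
    if resp is None:
        return Outcome(check_id, "skipped", "throttled by Microsoft Graph (persistent 429)")
    if resp.status == 403:
        return Outcome(check_id, "skipped", f"insufficient permission for {url} (HTTP 403)")
    if resp.status != 200 or resp.json is None:
        return Outcome(check_id, "skipped", f"unexpected HTTP {resp.status} from {url}")
    return Outcome(check_id, "pass" if rule(resp.json) else "fail")


def summarize(outcomes: list[Outcome]) -> dict[str, list[str]]:
    """Bucket check ids by state so skipped checks never appear among failures."""
    buckets: dict[str, list[str]] = {"pass": [], "fail": [], "skipped": []}
    for o in outcomes:
        buckets[o.state].append(o.check_id)
    return buckets


class FakeGraph:
    """Scripted offline transport: hands out the queued responses for a URL in
    order, repeating the last one, and records every sleep it was asked for."""
    def __init__(self, script: dict[str, list[Response]]):
        self.script = {u: list(r) for u, r in script.items()}
        self.waits: list[float] = []

    def __call__(self, url: str) -> Response:
        queue = self.script[url]
        return queue.pop(0) if len(queue) > 1 else queue[0]

    def sleep(self, seconds: float) -> None:
        self.waits.append(seconds)


def demo() -> dict:
    """Constructed scenario: one endpoint recovers after a single 429, one is
    throttled persistently, one answers but fails its rule. Paths are illustrative."""
    ok = Response(200, json={"state": "enabled"})
    fake = FakeGraph({
        "/policies/authenticationMethodsPolicy": [Response(429, {"Retry-After": "5"}), ok],
        "/identity/conditionalAccess/policies": [Response(429, {"Retry-After": "30"})],
        "/admin/sharepoint/settings": [Response(200, json={"sharingCapability": "externalUserAndGuestSharing"})],
    })
    outcomes = [
        run_check("AUTH-01", "/policies/authenticationMethodsPolicy",
                  lambda j: j.get("state") == "enabled", fake, fake.sleep),
        run_check("AUTH-02", "/identity/conditionalAccess/policies",
                  lambda j: len(j.get("value", [])) > 0, fake, fake.sleep),
        run_check("COLLAB-01", "/admin/sharepoint/settings",
                  lambda j: j.get("sharingCapability") != "externalUserAndGuestSharing", fake, fake.sleep),
    ]
    return {"summary": summarize(outcomes),
            "reasons": {o.check_id: o.reason for o in outcomes if o.state == "skipped"},
            "waits": fake.waits}


if __name__ == "__main__":
    print(demo())
```

Injecting the sleeper makes the retry path testable offline, and keeping `skipped` as a distinct state (with the reason carried alongside) is what lets the dashboard list it apart from genuine failures.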
If a scan fails to start
Three things can stop a scan: (1) the consent has been revoked or one of the required directory roles has been removed; (2) Microsoft Graph is throttling persistently; (3) Microsoft Graph itself is having an incident. ScanPosture surfaces all three on the dashboard with the reason and a recommended action, and the public status page is updated when (3) is the cause.
Still got questions? Email hello@scanposture.com — UK working days, real human, same-day reply.