Permission Drift Detection
Monitor Microsoft 365 permissions across all customers
Scan SharePoint sites for deviations from root permissions, and Exchange Online mailboxes for delegated access (Full Access, Send As, Send on Behalf, folder delegations).
Tenants
New Tenant
Azure App Setup (automated)
Connect to the customer's Microsoft tenant, then create a dedicated scan app automatically.
- Click Connect Microsoft and approve admin consent.
- The created scan app receives SharePoint Sites.FullControl.All with admin consent.
- For mailbox scanning, the Exchange.ManageAsApp permission and the Exchange Administrator Entra role must be added manually after creation; see the Enable mailbox scanning section below.
Azure App Setup (manual)
Create a dedicated Azure app registration in the customer's tenant.
- Open Azure Portal → Entra ID → App registrations → New registration.
- Pick a name (e.g. Clearview Scan App), select Single tenant, click Register.
- Copy Directory (tenant) ID and Application (client) ID.
- For SharePoint: API permissions → Add a permission → SharePoint → Application permissions, select Sites.FullControl.All, then click Grant admin consent. Note that Sites.FullControl.All is a tenant-wide, write-capable application permission: whoever holds the app's credential can modify every site, so treat the scan app's certificate like a SharePoint admin credential.
- For group resolution (recommended): also add Microsoft Graph → Application permissions → Group.Read.All and grant admin consent. This lets Clearview expand Microsoft 365 / Azure AD security groups to their members and owners during the Resolve groups action. Without it, M365 group entries are kept as a single line.
- The primary domain is the tenant's default Microsoft 365 domain, typically <tenantname>.onmicrosoft.com. Find it in Microsoft 365 admin center → Settings → Domains (the Default entry).
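The manual registration above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not Clearview's own onboarding code: it creates the single-tenant app, its service principal, and the two application permissions with admin consent (an admin consent for an application permission is an appRoleAssignment from the scan app's service principal to the resource's service principal). The app name is arbitrary; the two resource app IDs are Microsoft's well-known, tenant-independent IDs for SharePoint Online and Microsoft Graph. Run it signed in as an administrator of the customer tenant who can create apps and grant consent.

```powershell
# Added example: register the scan app and grant admin consent via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in user is an admin.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

$appName = 'Clearview Scan App'   # any name; matches the manual step

# Well-known resource app IDs (same in every tenant).
$resources = @{
    SharePoint = '00000003-0000-0ff1-ce00-000000000000'   # SharePoint Online
    Graph      = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
}
# Application permissions (app roles) wanted on each resource.
$wanted = @{
    SharePoint = @('Sites.FullControl.All')
    Graph      = @('Group.Read.All')
}

# Resolve app-role GUIDs by name from the resource service principals,
# so no permission IDs are hard-coded.
$resolved = @{}
$requiredResourceAccess = @()
foreach ($key in $resources.Keys) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($resources[$key])'"
    $roles = foreach ($name in $wanted[$key]) {
        $role = $resourceSp.AppRoles | Where-Object {
            $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application'
        }
        if (-not $role) { throw "Application permission '$name' not found on $key" }
        $role
    }
    $resolved[$key] = @{ Sp = $resourceSp; Roles = @($roles) }
    $requiredResourceAccess += @{
        resourceAppId  = $resources[$key]
        resourceAccess = @($roles | ForEach-Object { @{ id = $_.Id; type = 'Role' } })
    }
}

# Single-tenant registration (AzureADMyOrg) plus its service principal.
$app = New-MgApplication -BodyParameter @{
    displayName            = $appName
    signInAudience         = 'AzureADMyOrg'
    requiredResourceAccess = $requiredResourceAccess
}
$scanSp = New-MgServicePrincipal -AppId $app.AppId

# "Grant admin consent": one appRoleAssignment per permission, from the scan
# app's service principal to the resource's service principal.
foreach ($key in $resolved.Keys) {
    foreach ($role in $resolved[$key].Roles) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $scanSp.Id `
            -PrincipalId $scanSp.Id -ResourceId $resolved[$key].Sp.Id -AppRoleId $role.Id | Out-Null
    }
}

# The values the Clearview tenant form asks for.
[pscustomobject]@{
    DirectoryTenantId = (Get-MgContext).TenantId
    ApplicationClientId = $app.AppId
    ServicePrincipalObjectId = $scanSp.Id   # needed later for the Exchange Administrator role
}
```

Verify the result in the portal: API permissions should list the two permissions with Status "Granted for <tenant>". Exchange.ManageAsApp is deliberately not granted here; it belongs to the mailbox-scanning section and only makes sense together with the role assignment and the certificate.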
Enable mailbox scanning (Exchange Online)
Mailbox scanning needs additional permissions on the scan app, on top of the SharePoint setup. Skip this section if the tenant only needs SharePoint scans.
- Add the API permission. Azure Portal → Entra ID → App registrations → [your scan app] → API permissions → Add a permission → APIs my organization uses. Search for Office 365 Exchange Online, choose Application permissions and tick Exchange.ManageAsApp. Click Add permissions.
- Grant admin consent. Still on the API permissions page, click Grant admin consent for <tenant>. Verify the Status column shows Granted for <tenant>.
- Assign the Exchange Administrator role. Entra ID → Roles and administrators → search Exchange Administrator → click the role → Add assignments → search the scan app by name (you'll need to switch the picker to include Service principals / Apps) → select it and confirm. Exchange.ManageAsApp only lets the app authenticate to Exchange Online; the directory role is what authorizes it to read mailbox permissions. Clearview's automated app setup does not assign directory roles, so this step is always manual: in the portal as described, or with the Microsoft Graph role-management API.
- Generate a certificate. Save the tenant first (this section's form), then use the Certificate button in the Tenants table to generate a self-signed RSA-2048 key. The public PEM appears in a panel; click Download .cer.
- Upload the certificate to Azure. Back in the scan app, go to Certificates & secrets → Certificates → Upload certificate, pick the downloaded .cer file, and confirm. Azure shows the SHA-1 thumbprint; it must match the one shown in the Tenants table.
- Fill in the Primary Domain field on the tenant form (e.g. contoso.onmicrosoft.com). Clearview uses this for Connect-ExchangeOnline -Organization and to auto-fill the Mailbox scan form.
- Test the connection. Run a Scan all mailboxes job for this tenant; preflight on the first target validates that authentication works end-to-end.
Exchange Online does not support client-secret app-only authentication. Mailbox scans require a certificate. The same certificate is reused for SharePoint scans, so generating it once is enough. The private key of that certificate is the tenant's only credential: anyone who obtains it gets Sites.FullControl.All on every site and Exchange Administrator rights, so protect the Clearview host and its key material accordingly and revoke the certificate in the app registration if it is ever exposed.
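The last three steps of the mailbox-scanning setup (role assignment, certificate-based connection, and a first look at the delegations the scanner reports), done from PowerShell. This is an added example, not Clearview's preflight code. It assumes the Exchange.ManageAsApp permission has already been added and consented in the portal, that the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and that the certificate from the Tenants table is in the current user's certificate store (on Linux or macOS use -CertificateFilePath and -CertificatePassword instead of -CertificateThumbprint). The client ID, domain, thumbprint and mailbox below are placeholders.

```powershell
# Added example: finish the Exchange Online prerequisites and prove the app can read delegations.
$clientId   = '00000000-0000-0000-0000-000000000000'   # scan app (client) ID, placeholder
$orgDomain  = 'contoso.onmicrosoft.com'                # tenant primary domain, placeholder
$thumbprint = 'PASTE-THUMBPRINT-FROM-TENANTS-TABLE'    # SHA-1 thumbprint, placeholder
$mailbox    = 'alice@contoso.onmicrosoft.com'          # one mailbox to inspect, placeholder

# 1. Exchange Administrator for the app's service principal (idempotent).
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'
$sp       = Get-MgServicePrincipal -Filter "appId eq '$clientId'"
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned Exchange Administrator to $($sp.DisplayName)"
}

# 2. Certificate-based app-only connection. A client secret is not accepted here:
#    Exchange Online PowerShell requires certificate auth for unattended use.
Connect-ExchangeOnline -AppId $clientId -CertificateThumbprint $thumbprint `
    -Organization $orgDomain -ShowBanner:$false

# 3. The four delegation kinds the mailbox scan reports, for one mailbox.
#    Inherited entries and the mailbox's own SELF entries are noise and dropped.
$fullAccess = Get-EXOMailboxPermission -Identity $mailbox | Where-Object {
    $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*'
}
$sendAs = Get-EXORecipientPermission -Identity $mailbox | Where-Object {
    $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*'
}
$sendOnBehalf = (Get-EXOMailbox -Identity $mailbox -Properties GrantSendOnBehalfTo).GrantSendOnBehalfTo
$calendar = Get-EXOMailboxFolderPermission -Identity "${mailbox}:\Calendar" | Where-Object {
    "$($_.User)" -notin 'Default', 'Anonymous'     # built-in entries, not delegations
}

[pscustomobject]@{
    Mailbox       = $mailbox
    FullAccess    = @($fullAccess.User)
    SendAs        = @($sendAs.Trustee)
    SendOnBehalf  = @($sendOnBehalf)
    CalendarDelegates = @($calendar | ForEach-Object { "$($_.User): $($_.AccessRights -join ',')" })
}
Disconnect-ExchangeOnline -Confirm:$false
```

If step 2 fails with an "unauthorized" style error after authentication succeeds, the usual cause is that the role assignment has not propagated yet or was made to the wrong object (the user, not the service principal); a thumbprint mismatch between the Tenants table and the app registration fails earlier, at token acquisition.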
| Name | Tenant ID | Client ID | Auth | Added | Actions |
|---|---|---|---|---|---|
| No tenants configured yet. | |||||
Public Certificate
Upload this certificate in Azure Portal → App registrations → [your app] → Certificates & secrets → Certificates → Upload certificate.
New SharePoint Scan
SharePoint
Scan mode
Deviations from root traverses every document library and reports only permissions that differ from the site root baseline. Root permissions only lists the role assignments on the site root itself — much faster, useful for an inventory of who has site-level access.
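Both scan modes, reduced to their essence with PnP.PowerShell. This is an added example and not Clearview's scanner: it connects with the scan app's certificate, takes the site root's role assignments as the baseline (Root permissions only mode is just that list), and then diffs every document library that has unique permissions against that baseline, producing rows shaped like the Permission Deviations table. It stops at the library level; Clearview also descends into folders and items. Site URL, client ID, thumbprint and tenant are placeholders; PnP.PowerShell 2.x on PowerShell 7 is assumed, with the certificate in the current user's store (use -CertificatePath on non-Windows hosts).

```powershell
# Added example: "Deviations from root" at library level with PnP.PowerShell.
$siteUrl    = 'https://contoso.sharepoint.com/sites/finance'   # placeholder
$clientId   = '00000000-0000-0000-0000-000000000000'           # placeholder
$thumbprint = 'PASTE-THUMBPRINT-FROM-TENANTS-TABLE'            # placeholder
$tenant     = 'contoso.onmicrosoft.com'                        # placeholder

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $thumbprint -Tenant $tenant

# Flatten a securable object's role assignments to "principal|role" strings.
function Get-RoleSet {
    param([Parameter(Mandatory)]$Securable)
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        foreach ($rd in $ra.RoleDefinitionBindings) {
            # "Limited Access" is implied by a grant deeper in the tree, not a real grant.
            if ($rd.Name -eq 'Limited Access') { continue }
            '{0}|{1}' -f $ra.Member.LoginName, $rd.Name
        }
    }
}

function New-DeviationRow {
    param($Object, $Type, $Entry, $Delta)
    $principal, $role = $Entry -split '\|', 2
    [pscustomobject]@{ Site = $siteUrl; Object = $Object; Type = $Type
                       Principal = $principal; Role = $role; Delta = $Delta }
}

# Baseline: the site root. "Root permissions only" mode stops here.
$web      = Get-PnPWeb
$baseline = @(Get-RoleSet -Securable $web)
$baseline | ForEach-Object { New-DeviationRow -Object '(root)' -Type 'Site' -Entry $_ -Delta 'baseline' }

# "Deviations from root": libraries with broken inheritance, diffed against the baseline.
foreach ($list in Get-PnPList) {
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, BaseTemplate | Out-Null
    if ($list.BaseTemplate -ne 101) { continue }            # 101 = document library
    if (-not $list.HasUniqueRoleAssignments) { continue }   # inherits root: nothing to report
    $current = @(Get-RoleSet -Securable $list)
    foreach ($e in $current)  { if ($e -notin $baseline) { New-DeviationRow -Object $list.Title -Type 'Library' -Entry $e -Delta 'added' } }
    foreach ($e in $baseline) { if ($e -notin $current)  { New-DeviationRow -Object $list.Title -Type 'Library' -Entry $e -Delta 'missing' } }
}
Disconnect-PnPOnline
```

"added" rows are the ones that matter for drift: a principal or role that exists on the library but not at the root. "missing" rows show where inheritance was broken and a root grant removed, which is usually intentional but worth seeing in an inventory.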
Tenant
Microsoft App Credentials
New Mailbox Scan
Exchange Online
Tenant
Mailbox scanning requires a certificate on the tenant profile and the
Exchange.ManageAsApp permission with the Exchange Administrator role.
Client-secret authentication is not supported for Exchange Online.
New Entra Group Scan
Microsoft Graph
Tenant
Entra group scans use the Microsoft Graph API. The scan app needs the
Application permission Group.Read.All with admin consent. Authentication
uses the same tenant certificate as SharePoint and Mailbox scans.
Scan Jobs
| Job ID | Type | Tenant | Source | Status | Targets | Items | Updated | Actions |
|---|---|---|---|---|---|---|---|---|
| No jobs yet. | ||||||||
Selected Job Details
Targets
| URL | Status | Attempts | Error | Connection test | |
|---|---|---|---|---|---|
| No job selected. | |||||
Resolve SharePoint Groups
Expand SharePoint groups (Owners / Members / Visitors / custom site groups) to the underlying
user list. When a member is itself a Microsoft 365 / Azure AD group, Clearview recursively
expands it via Microsoft Graph (members + owners, depth 3) — requires
Group.Read.All on Microsoft Graph for that tenant. Without that permission the
M365 group lines stay collapsed. Members are written to the deviation rows and Excel export.
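The recursive expansion described here and in the Entra Group Scan section, as an added example with the Microsoft Graph PowerShell SDK (not Clearview's own resolver). It follows both the members and the owners relationship, expands nested Entra ID / Microsoft 365 groups to a configurable depth (3 by default, matching the text), keeps a group as a single collapsed line once the depth limit is hit, and guards against cycles in nested membership. It needs Group.Read.All; the group ID in the usage line is a placeholder.

```powershell
# Added example: depth-limited group expansion over Microsoft Graph (members + owners).
Connect-MgGraph -Scopes 'Group.Read.All'

function Expand-EntraGroup {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [int]$MaxDepth = 3,
        [int]$Depth = 1,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Nested groups can form cycles (A contains B contains A); expand each group once.
    if (-not $Seen.Add($GroupId)) { return }

    foreach ($relation in 'member', 'owner') {
        # Members and owners are separate Graph relationships; owners matter because
        # a group owner can add themselves as a member at any time.
        $objects = if ($relation -eq 'member') { Get-MgGroupMember -GroupId $GroupId -All } else { Get-MgGroupOwner -GroupId $GroupId -All }
        foreach ($obj in $objects) {
            $props = $obj.AdditionalProperties     # raw JSON fields of the directory object
            $type  = "$($props['@odata.type'])" -replace '^#microsoft\.graph\.', ''
            if ($type -eq 'group' -and $Depth -lt $MaxDepth) {
                Expand-EntraGroup -GroupId $obj.Id -MaxDepth $MaxDepth -Depth ($Depth + 1) -Seen $Seen
                continue
            }
            $name = if ($props.ContainsKey('userPrincipalName')) { $props['userPrincipalName'] } else { $props['displayName'] }
            [pscustomobject]@{
                Depth    = $Depth
                Via      = $GroupId
                Relation = $relation
                Type     = if ($type -eq 'group') { 'group (collapsed: depth limit)' } else { $type }
                Id       = $obj.Id
                Name     = $name
            }
        }
    }
}

# Usage (placeholder group ID): every user, service principal or device reachable
# within three levels, plus any group left collapsed at the limit.
Expand-EntraGroup -GroupId '11111111-1111-1111-1111-111111111111' |
    Sort-Object Depth, Relation | Format-Table Depth, Relation, Type, Name -AutoSize
```

A collapsed group line in the output means the access path is longer than the configured depth, not that the group is empty; raise -MaxDepth if those lines appear for groups that carry SharePoint roles.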
Permission Deviations
| Site | Object | Type | Principal | Role | Delta |
|---|---|---|---|---|---|
| No deviation data yet. | |||||
Settings
Runtime configuration is currently controlled via environment variables in stack/.env. See the TECHNICAL.md document for the full list (timeouts, retries, scan caps, onboarding).