Your First Scan
What happens when IdentityOps scans your tenant, what data gets collected, and what to expect in the results.
Applies to: All plans
Module: Scans
IdentityOps Recommendation
Don't panic at your first scan score. Most tenants have 20+ issues they didn't know about. Focus on credential health and ownership first — those two signals drive the majority of risk.
What happens during a scan
When a scan starts, IdentityOps queries the Microsoft Graph API using your delegated permissions to read your tenant data. Every API call runs in the context of the signed-in admin user. No data is written to your tenant — the entire process is read-only.
The scan fetches data in parallel where possible, respecting Microsoft Graph rate limits. Results are processed, scored, and stored in IdentityOps for you to review. Previous scan data is retained so you can track changes over time.
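The read-only statement above can be checked from the tenant side by auditing the delegated grant recorded in Entra for scopes that fall outside the read pattern. The following is an added example, not IdentityOps code; the grant records are constructed samples shaped like Microsoft Graph oauth2PermissionGrant objects, and the scopes in them are assumptions, not IdentityOps' actual permission list.

```python
"""Audit delegated-permission grants for scopes that are not read-only."""

# OpenID Connect scopes carry no Graph data access of their own.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Operation segments (Resource.Operation[.Constraint]) treated as read-only here.
READ_OPERATIONS = {"Read", "ReadBasic"}


def classify_scope(scope: str) -> str:
    """Return 'oidc', 'read' or 'review' for one delegated scope name."""
    if scope in OIDC_SCOPES:
        return "oidc"
    parts = scope.split(".")
    if len(parts) >= 2 and parts[1] in READ_OPERATIONS:
        return "read"
    return "review"  # write-capable, or a name this check does not recognise


def audit_grant(grant: dict) -> dict:
    """Summarise one oauth2PermissionGrant-shaped record."""
    scopes = grant.get("scope", "").split()
    review = sorted(s for s in scopes if classify_scope(s) == "review")
    return {
        "clientId": grant.get("clientId"),
        "tenant_wide": grant.get("consentType") == "AllPrincipals",
        "refresh_tokens": "offline_access" in scopes,
        "review": review,
        "read_only": not review,
    }


# Constructed sample records, not taken from any real tenant or from IdentityOps.
SAMPLE_GRANTS = [
    {"clientId": "00000000-0000-0000-0000-000000000001", "consentType": "Principal",
     "scope": "openid offline_access User.Read.All Application.Read.All "
              "DeviceManagementManagedDevices.Read.All"},
    {"clientId": "00000000-0000-0000-0000-000000000002", "consentType": "AllPrincipals",
     "scope": "User.Read Directory.ReadWrite.All Mail.Send"},
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(audit_grant(g))
```

A grant that reports `refresh_tokens` as true includes `offline_access`, which is what allows background scans to run from a stored refresh token; any scope listed under `review` deserves a manual look before consent is kept.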
What gets collected
IdentityOps collects metadata only — never passwords, secrets, certificates, or authentication tokens from your tenant.
What IdentityOps reads
App registrations & service principals
Application names, owners, credential types and expiry dates, API permissions, publisher verification status, and sign-in activity.
License subscriptions & assignments
Active subscription SKUs, assigned vs. available seat counts, per-user license assignments, and sign-in activity for waste detection.
User accounts
Display names, UPNs, account status, last sign-in timestamps, group memberships, and assigned roles. Used for ownership mapping, inactivity detection, and license assignment context.
Intune devices (Pro plan)
Device names, OS versions, compliance state, last check-in, enrollment date, and deployed applications. Requires device permissions to be granted.
How long scans take
Typical scan duration: 1 – 5 minutes
Scan time depends on your tenant size. A tenant with a handful of apps and a few hundred users will complete in under a minute. Larger enterprise tenants with thousands of app registrations, users, and devices may take several minutes as IdentityOps pages through the Microsoft Graph API. You can navigate away during the scan — results will appear when processing is complete.
What to expect after your first scan
Once processing completes, your IdentityOps dashboard will be populated with findings. Here is where to look:
Dashboard
Shows your overall tenant health score, top risks, and key metrics at a glance. The health score updates with every scan.
Apps page
Lists every app registration with a computed risk score. Each app shows credential status, permission scope, owner coverage, and activity signals with plain-English explanations.
Licenses page
Surfaces license waste — subscriptions with unassigned seats, licenses assigned to inactive users, and duplicate assignments across overlapping SKUs.
Activity log
Records every scan event, finding, and status change with timestamps. Provides a full audit trail for compliance reporting.
Scan scheduling
After your first scan, you can run scans manually at any time from the dashboard or schedule them to run automatically. IdentityOps recommends weekly scans for ongoing governance — this cadence catches credential expirations, new app registrations, license changes, and device drift before they become security issues.
Scheduled scans use your stored refresh token and run in the background. Results appear on your dashboard as soon as processing completes, and the activity log records the scan event with a timestamp.
Troubleshooting
“My scan is stuck”
Check Settings to verify your consent status is active. Large tenants with thousands of app registrations and users may take longer due to Microsoft Graph rate limits. If a scan has been running for more than 15 minutes, try canceling and re-running from the Settings page.
“Missing data”
Some data requires specific permissions to be granted. Go to Settings and check the Required Graph Permissions section. If any permissions show as "not granted," re-consent from Settings to add the missing permissions.
“Scan failed”
Scan failures are almost always caused by a consent issue — either consent was revoked in Entra, or the refresh token has expired. Go to Settings and click Re-consent to re-authorize IdentityOps. Your next scan should succeed.
“Device data is not appearing”
Device governance requires Pro plan device permissions (DeviceManagementManagedDevices.Read.All and related scopes). If you recently upgraded to Pro, re-consent from Settings to grant the additional permissions.