Scans & Scheduling
How IdentityOps reads your tenant's state, produces snapshots, and detects changes between scans.
Applies to: All plans (manual), Starter+ (scheduled)Module: Scans
What scans do
A scan queries Microsoft Graph to read your tenant's current state — app registrations, license assignments, user accounts, and devices (if enabled). Each scan produces a complete snapshot that IdentityOps uses to score risk, detect waste, and track changes over time.
Read-only: Scans never write to your tenant. They have zero impact on your tenant's operation, users, or configuration. IdentityOps uses only read-scoped Microsoft Graph permissions.
Scan types
IdentityOps runs full scans that read all enabled data types — app registrations, license assignments, user accounts, and devices. This is the default and only scan type. Every scan captures a complete snapshot so comparisons are always apples-to-apples.
Running a scan
1Manual
Click "Run Scan" in the navigation bar. Available to any user with scan permissions. Useful for on-demand checks after making changes in Entra.
2Scheduled
Configure automatic scans at regular intervals from the Scans page. IdentityOps recommends at least weekly scans for meaningful governance coverage.
Scan duration
Most scans complete in 1 to 5 minutes. Larger tenants with thousands of app registrations or user accounts may take longer due to Microsoft Graph pagination and rate limits. IdentityOps handles pagination and throttling automatically — you do not need to intervene.
Scan history
Every scan is logged with metadata you can review at any time from the Scans page:
| Field | Description |
|---|
| Start time | When the scan was initiated. |
| Finish time | When the scan completed (or failed). |
| Status | Succeeded or Failed, with error details if applicable. |
| Summary | Counts of apps, users, licenses, and devices read. |
What changes between scans
IdentityOps compares each scan to the previous one to detect drift and changes. The following types of changes are tracked:
New app registrations: Apps that appeared since the previous scan.
Permission changes (drift): API permissions added or removed from existing apps.
Credential expirations: Secrets or certificates that expired between scans.
Owner changes: Owners added to or removed from app registrations.
License assignment changes: New assignments, removals, or SKU changes for users.
Device compliance changes: Devices that moved between compliant, non-compliant, or stale states.
Troubleshooting failed scans
Scans can fail for several reasons. Here are the most common causes and how to resolve them:
Consent revoked
The most common cause of scan failures. If an admin revokes the IdentityOps service principal consent, scans cannot query Microsoft Graph. Re-grant consent from Settings.
Rate limiting
Microsoft Graph enforces per-tenant rate limits. Very large tenants (tens of thousands of objects) may experience throttling. IdentityOps handles this automatically with exponential backoff and retries.
Partial permissions
If some permissions were not granted during admin consent, those data types will be skipped. For example, without Intune permissions, device data will not be collected. Check Settings to see which permissions are active.
Transient Graph errors
Occasional Microsoft outages or transient API errors. These resolve on their own. The scan will retry on the next scheduled run.
Data retention
Scan snapshots are retained for the duration of your subscription. Historical comparisons (drift detection, trend charts, change tracking) require at least two completed scans. The more scan history you have, the richer the trend data and change detection becomes.
Recommendation: Set up a weekly scheduled scan as a baseline. For tenants with frequent changes or compliance requirements, consider daily scans. Each scan is lightweight and read-only, so there is no downside to scanning more often.
IdentityOps Recommendation
Set up at least weekly scheduled scans as a baseline. Governance without consistent scanning is just a one-time audit. Daily scans are lightweight and give the best drift detection.
Where teams usually go next