Ready to scan your tenant
Click Scan Tenant Now below to assess passkey readiness across users, devices, Conditional Access policies, and applications.
User Passkey Readiness
App Identities
Conditional Access Policy Analysis
AI Assistant
Ask questions about your tenant's passkey readiness in plain English. The assistant interprets your scan results and gives you actionable, personalised recommendations β without ever exposing user names, UPNs, or tenant identifiers to any external service.
- Full analysis using built-in rules
- No data leaves your browser
- Maximum privacy β default setting
- No API key or account required
- Powered by Cloudflare's free tier
- Only count-level aggregates are sent
- No names, UPNs, or tenant IDs transmitted
- Rate-limited and CORS-protected
- Use GPT-4o, Claude, Mistral, or any compatible model
- You choose the endpoint, model, and provider
- Ideal for teams with existing AI contracts
- Same count-only data minimisation applies
How to use EntraPass
A quick reference for reading your scan results and turning them into action. What to look at, what it means, and what to do next.
Tabs at a glance
Your readiness score, user tier breakdown, and infrastructure health chips. Start here. The executive summary lists every gap in priority order β critical to low.
Per-user cards with status, blockers, and one specific recommended action each. Filter by tier, search by name, export to CSV, and use the rollout phase planner at the bottom.
App registrations and service principals with findings that can bypass passkeys β password credentials, orphaned apps, multi-tenant exposure. Microsoft substrate apps are excluded; focus is entirely on apps your team can act on.
Conditional Access policies that block passkey registration or allow password fallback alongside passkey auth. Each flagged policy shows the specific change required.
Optional. Ask plain-English questions about your results. Cloudflare Free AI needs no key β or bring your own key for any OpenAI-compatible endpoint.
Reading the readiness score
The score is computed live from each scan β re-scan after making changes to track progress. On tenants with more than 50 users it is based on the first 50 returned by Graph and is labelled as a sample. A score of 'β' means no scorable users were found (all accounts are exempt or have unavailable registration data).
Acting on the five user tiers
aka.ms/mfasetup and guide them to add a passkey. No admin action is required before they enroll.Quick actions
Passkey Readiness tab β scroll below the user cards. Exports 13 columns: display name, UPN, account type, status, privileged flag, stale flag, issues, recommended action, auth methods, device count, device OS summary, groups, and last sign-in.
Bottom of the Passkey Readiness tab. Translates your tier counts into a four-phase roadmap: Phase 1 Pilot (Ready) β Phase 2 Enable (Capable) β Phase 3 Prepare (Needs Prep) β Phase 4 Unblock (Blocked).
Click Scan Tenant Now in the header at any time. Results are not cached between sessions β every scan reads live data from the Microsoft Graph API.
Click Reset app in the header to clear all browser data without touching the App Registration. Run cleanup-entrapass.ps1 -ClientId <id> -RevokeConsent to also remove the App Registration from your tenant.
Data security
sessionStorage only. Closing the browser tab clears everything automatically β no server ever stores your tenant data.