Automated security assessments for Entra ID, Conditional Access, and audit controls
LockList Security provides comprehensive, evidence-ready security assessments for Microsoft 365 tenants. Evaluate your Entra ID configuration, Conditional Access policies, and monitoring controls against SOC2 Trust Service Criteria. Generate auditor-ready reports in minutes, not weeks.
Enterprise-grade security assessment tools designed for compliance teams and auditors
Your Microsoft 365 access token is issued to your browser directly by Microsoft and used for a single scan: you sign in, the scan runs, you get results. The token is never stored, so no persistent access is granted and it expires on its own.
Download comprehensive reports in PDF, CSV, and JSONL formats. Each scan includes raw evidence from Microsoft Graph API, perfect for auditor verification and compliance documentation.
No ongoing monitoring, no data retention. Run assessments on-demand when you need them. Perfect for pre-audit preparation, compliance reviews, and security assessments.
Every security check maps directly to SOC2 Trust Service Criteria. Understand exactly which controls you're meeting and where gaps exist, with clear remediation guidance.
Assess 11 critical security areas: MFA enforcement, legacy auth blocking, privileged access, directory roles, audit logging, and more. All evaluated against industry standards.
Our scans use read-only Microsoft Graph API permissions. We never modify your tenant configuration; we only assess and report on your current security posture.
The full source code is public on GitHub. You can read every line of code that touches your data before you run it. No black boxes, which is exactly what you want from a security tool.
LockList Security also runs as a local desktop app. In that mode the backend server runs on your machine, scans happen on your machine, and results stay on your machine; we never see your org data.
The FastAPI server listens on localhost:8000 on your own machine. Every API call, every result, every report is processed locally; in desktop mode there is no LockList cloud server involved.
Your Microsoft 365 access token is used for the scan and then discarded. It is never written to a database, never sent to a third-party server, and expires on its own after roughly an hour under Microsoft's default token lifetime.
The only outbound connections made during a scan are to graph.microsoft.com and login.microsoftonline.com, Microsoft's own infrastructure. No data is sent anywhere else.
Scan results are saved to a SQLite database file (dev.db) on your hard drive. Anyone who can read files in your user profile can read it, so treat it like any other file containing tenant configuration details. You can delete it at any time to remove all records.
Every Microsoft Graph permission requested is read-only. The app cannot modify your tenant, create users, change policies, or take any action; it can only read and report on what already exists.
There is no analytics SDK, no crash reporter, no usage tracking. We don't know when you run scans, what your results are, or anything about your organisation. The app has no way to phone home.
Our security scan evaluates your Microsoft 365 tenant against SOC2 Trust Service Criteria
Verifies that Conditional Access policies exist and are enabled for privileged roles. Checks that MFA is required in grant controls and that policies target admin role assignments. Critical for preventing unauthorized administrative access.
Evaluates organization-wide MFA enforcement through Conditional Access. Confirms policies include all users and require MFA before granting access to cloud applications. Ensures comprehensive protection across your entire tenant.
Detects Conditional Access policies that block legacy authentication clients (Exchange ActiveSync and "other clients", which covers basic auth over IMAP, POP, SMTP and similar protocols). Legacy protocols cannot perform MFA and bypass modern security controls, making them a significant attack vector. We verify that a blocking policy is in place and enabled, not merely in report-only mode.
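The three Conditional Access checks above can be reproduced offline against policy objects in the shape Microsoft Graph returns them from GET /identity/conditionalAccess/policies. The following is an added example written for this page, not LockList's own code: the sample policies are constructed, and the choice of which role template IDs count as "privileged" is this example's assumption (the IDs themselves are Microsoft's well-known values).

```python
"""Offline evaluation of Graph-shaped Conditional Access policies for three checks:
MFA for privileged roles, MFA for all users, and a block on legacy authentication.
Sample policies are constructed for this example."""

# Microsoft's well-known Entra role template IDs. Which roles count as
# "privileged" for the admin-MFA check is an assumption of this example.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
PRIVILEGED_ROLES = {GLOBAL_ADMIN, SECURITY_ADMIN}

# Graph clientAppTypes values that carry legacy (non-modern) authentication.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def _enabled(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return policy.get("state") == "enabled"


def _requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    if grant.get("authenticationStrength"):
        return True  # an authentication strength is a stricter way of requiring MFA
    controls = set(grant.get("builtInControls") or [])
    if "mfa" not in controls:
        return False
    # With operator OR and several controls, a compliant device (for example) would
    # satisfy the policy without MFA, so OR only counts when mfa is the sole control.
    return grant.get("operator") == "AND" or controls == {"mfa"}


def _blocks(policy):
    return "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def _conditions(policy, key):
    return (policy.get("conditions") or {}).get(key) or {}


def _all_apps(policy):
    apps = _conditions(policy, "applications")
    return "All" in (apps.get("includeApplications") or []) and not apps.get("excludeApplications")


def _all_users(policy):
    return "All" in (_conditions(policy, "users").get("includeUsers") or [])


def admin_mfa_enforced(policies):
    """True when every privileged role is covered by an enabled, all-apps policy requiring MFA."""
    covered = set()
    for p in policies:
        if not (_enabled(p) and _requires_mfa(p) and _all_apps(p)):
            continue
        users = _conditions(p, "users")
        if _all_users(p):
            covered |= PRIVILEGED_ROLES
        covered |= set(users.get("includeRoles") or []) - set(users.get("excludeRoles") or [])
    return PRIVILEGED_ROLES <= covered


def all_users_mfa_enforced(policies):
    """(enforced, excluded user ids): exclusions such as break-glass accounts are reported, not failed."""
    for p in policies:
        if _enabled(p) and _requires_mfa(p) and _all_apps(p) and _all_users(p):
            return True, sorted(_conditions(p, "users").get("excludeUsers") or [])
    return False, []


def legacy_auth_blocked(policies):
    """True when an enabled policy blocks both legacy client types for all users and all apps."""
    for p in policies:
        client_types = set((p.get("conditions") or {}).get("clientAppTypes") or [])
        if (_enabled(p) and _blocks(p) and _all_apps(p) and _all_users(p)
                and LEGACY_CLIENT_TYPES <= client_types):
            return True
    return False


def assess(policies):
    enforced, excluded = all_users_mfa_enforced(policies)
    return {"admin_mfa": admin_mfa_enforced(policies),
            "all_users_mfa": enforced,
            "all_users_mfa_exclusions": excluded,
            "legacy_auth_blocked": legacy_auth_blocked(policies)}


# Constructed sample: the all-users policy is still in report-only mode, so it must fail.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN, SECURITY_ADMIN]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-object-id"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(assess(SAMPLE_POLICIES))
```

The report-only state is the usual way these checks fail in practice: the policy exists, looks right in the portal, and enforces nothing. The example also treats "mfa OR compliantDevice" as not strictly requiring MFA, which is the conservative reading for an audit finding.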
Inventories all directory role assignments in your tenant. Flags excessive assignments (>10) as potential over-provisioning. Recommends Privileged Identity Management (PIM) and least privilege principles for better access control.
Audits Entra ID directory roles and member counts. Provides visibility into who holds sensitive roles like Global Admin, Privileged Role Admin, and Security Admin. Essential for access governance and compliance.
Calculates the percentage of users with MFA methods registered. Target is at least 95% coverage. Pulls data from Microsoft's authentication methods user registration report to provide accurate metrics.
Samples authentication methods registered per user. Validates that admins and high-risk accounts use strong methods like Microsoft Authenticator or FIDO2 security keys, not weaker SMS or phone-based MFA.
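The coverage and method-strength checks in the two paragraphs above can be computed from userRegistrationDetails records as returned by GET /reports/authenticationMethods/userRegistrationDetails. The following is an added example for this page, not LockList's code: the records are constructed, and the classification of methodsRegistered values into strong and weak is this example's assumption, following the text above.

```python
"""MFA registration coverage and method strength over Graph userRegistrationDetails
records (fields used: userPrincipalName, isMfaRegistered, isAdmin, methodsRegistered).
Sample records are constructed for this example."""

# Classification is this example's assumption: app-based and phishing-resistant methods are
# strong; phone-based methods are weak; email and security questions are SSPR-only, not MFA.
STRONG_METHODS = {"fido2SecurityKey", "windowsHelloForBusiness",
                  "microsoftAuthenticatorPasswordless", "microsoftAuthenticatorPush"}
WEAK_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email", "securityQuestion"}
COVERAGE_TARGET = 95.0


def mfa_coverage(details):
    """Return (registered, total, percent) over all users in the report."""
    total = len(details)
    registered = sum(1 for d in details if d.get("isMfaRegistered"))
    percent = round(100.0 * registered / total, 1) if total else 0.0
    return registered, total, percent


def coverage_meets_target(details, target=COVERAGE_TARGET):
    return mfa_coverage(details)[2] >= target


def classify(methods):
    """'strong' if any strong method is registered, 'weak' if only weak ones, else 'none'."""
    methods = set(methods or [])
    if methods & STRONG_METHODS:
        return "strong"
    if methods & WEAK_METHODS:
        return "weak"
    return "none"


def admins_without_strong_mfa(details):
    """UPNs of admins whose registered methods are only weak or absent, sorted."""
    return sorted(d["userPrincipalName"] for d in details
                  if d.get("isAdmin") and classify(d.get("methodsRegistered")) != "strong")


def report(details):
    registered, total, percent = mfa_coverage(details)
    return {"registered": registered, "total": total, "percent": percent,
            "meets_target": percent >= COVERAGE_TARGET,
            "admins_without_strong_mfa": admins_without_strong_mfa(details)}


def _user(upn, methods, is_admin=False):
    # Minimal constructed record; isMfaRegistered is derived from the methods for the sample
    # (email and security questions alone do not make a user MFA-registered).
    return {"userPrincipalName": upn, "isAdmin": is_admin,
            "isMfaRegistered": bool(set(methods) - {"email", "securityQuestion"}),
            "methodsRegistered": methods}


# Constructed sample: 40 users, 37 registered (92.5%), one admin on SMS only.
SAMPLE_REPORT = (
    [_user(f"user{i:02d}@contoso.example", ["microsoftAuthenticatorPush"]) for i in range(1, 31)]
    + [_user(f"user{i:02d}@contoso.example", ["mobilePhone"]) for i in range(31, 36)]
    + [_user(f"user{i:02d}@contoso.example", ["email"]) for i in range(36, 39)]
    + [_user("admin-ga@contoso.example", ["fido2SecurityKey", "mobilePhone"], is_admin=True),
       _user("admin-helpdesk@contoso.example", ["mobilePhone"], is_admin=True)]
)

if __name__ == "__main__":
    print(report(SAMPLE_REPORT))
```

Note that an admin who has a FIDO2 key but also keeps a phone number registered still counts as strong here; whether the phone method can be used as a fallback is a separate question answered by the tenant's authentication methods policy, not by the registration report.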
Verifies access to sign-in logs via Microsoft Graph API. These logs are essential for detecting failed login attempts, legacy client usage, anomalous access patterns, and potential security incidents.
Confirms access to directory audit logs that capture administrative actions. Logs include role changes, app consent grants, user modifications, and other critical changes. Required for change management evidence.
Validates that sign-in logs include appliedConditionalAccessPolicies field. This confirms policy evaluation visibility in your audit trail, essential for understanding why access was granted or denied.
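The sign-in log checks in the three paragraphs above (failed attempts, legacy client usage, and the presence of appliedConditionalAccessPolicies) can be run over entries in the shape Microsoft Graph returns from GET /auditLogs/signIns. The following is an added example for this page, not LockList's code: the entries are constructed, and the set of clientAppUsed values treated as legacy is this example's assumption.

```python
"""Detection logic over Graph-shaped sign-in log entries: entries lacking policy-evaluation
evidence, successful sign-ins over legacy clients, failed attempts per user, and policies
that never actually enforce anything. Sample entries are constructed for this example."""
from collections import Counter

# clientAppUsed values this example treats as legacy authentication (assumption).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Other clients", "Exchange Web Services", "MAPI Over HTTP"}


def succeeded(entry):
    # Graph reports status.errorCode 0 for a successful sign-in; anything else is a failure.
    return (entry.get("status") or {}).get("errorCode") == 0


def entries_missing_ca_field(signins):
    """IDs of entries without appliedConditionalAccessPolicies, i.e. no evidence of policy evaluation."""
    return [e["id"] for e in signins if "appliedConditionalAccessPolicies" not in e]


def legacy_client_successes(signins):
    """(user, client, conditionalAccessStatus) for successful sign-ins over a legacy client.
    Each one is a gap in legacy-auth blocking regardless of what the CA status says."""
    return [(e["userPrincipalName"], e["clientAppUsed"], e.get("conditionalAccessStatus"))
            for e in signins if succeeded(e) and e.get("clientAppUsed") in LEGACY_CLIENTS]


def failed_signins_by_user(signins):
    return dict(Counter(e["userPrincipalName"] for e in signins if not succeeded(e)))


def policies_never_enforced(signins):
    """Policy names seen in the logs only with results other than success/failure
    (notApplied, notEnabled, reportOnly*): such a policy is protecting no one yet."""
    seen, enforced = set(), set()
    for e in signins:
        for p in e.get("appliedConditionalAccessPolicies") or []:
            seen.add(p["displayName"])
            if p.get("result") in {"success", "failure"}:
                enforced.add(p["displayName"])
    return sorted(seen - enforced)


def _entry(eid, upn, client, error_code, ca_status, policies, include_ca_field=True):
    # Constructed minimal signIn record; include_ca_field=False simulates a log source that
    # does not expose appliedConditionalAccessPolicies.
    e = {"id": eid, "userPrincipalName": upn, "clientAppUsed": client,
         "status": {"errorCode": error_code}, "conditionalAccessStatus": ca_status}
    if include_ca_field:
        e["appliedConditionalAccessPolicies"] = policies
    return e


MFA_ALL = {"displayName": "Require MFA for all users", "enforcedGrantControls": ["Mfa"]}
BLOCK_LEGACY = {"displayName": "Block legacy authentication", "enforcedGrantControls": ["Block"]}

# Constructed sample: one clean browser sign-in, an IMAP4 sign-in that got through while the
# legacy block was only in report-only mode, two bad-password failures (AADSTS 50126),
# and an entry with no CA field at all.
SAMPLE_SIGNINS = [
    _entry("s1", "alice@contoso.example", "Browser", 0, "success",
           [{**MFA_ALL, "result": "success"}, {**BLOCK_LEGACY, "result": "notApplied"}]),
    _entry("s2", "bob@contoso.example", "IMAP4", 0, "notApplied",
           [{**MFA_ALL, "result": "notApplied"}, {**BLOCK_LEGACY, "result": "reportOnlyFailure"}]),
    _entry("s3", "bob@contoso.example", "Browser", 50126, "notApplied", []),
    _entry("s4", "bob@contoso.example", "Browser", 50126, "notApplied", []),
    _entry("s5", "carol@contoso.example", "Browser", 0, "success", [], include_ca_field=False),
]


def run_checks(signins):
    return {"missing_ca_field": entries_missing_ca_field(signins),
            "legacy_successes": legacy_client_successes(signins),
            "failures_by_user": failed_signins_by_user(signins),
            "policies_never_enforced": policies_never_enforced(signins)}


if __name__ == "__main__":
    print(run_checks(SAMPLE_SIGNINS))
```

Entry s2 is the case worth recognising: the legacy block shows reportOnlyFailure, which means the policy would have blocked the IMAP4 sign-in had it been enabled, yet the sign-in succeeded. That is exactly the evidence an auditor wants next to a "legacy authentication blocked" finding.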
Retrieves subscribed SKUs to explain feature availability. Conditional Access requires Entra ID P1 or P2 licenses, while Security Defaults are available on the free tier. Helps understand control limitations.
Built on Microsoft Graph API with delegated authentication: secure, transparent, and evidence-ready
LockList Security uses delegated authentication: your browser obtains an access token directly from Microsoft, and it is used for a single scan request (by our server in browser mode, by the local server in the desktop app). Tokens are never stored.
All permissions are delegated (user context) and read-only. Admin consent is required. We never request write permissions or application-level access.
Each scan produces downloadable artifacts suitable for SOC2 audit documentation and compliance reviews.
Use the browser for a quick scan, or download the desktop app for full local privacy.
No download needed. Sign in with Microsoft 365 and run your assessment instantly. Scan results are processed on our server and displayed in your browser.
Download the Electron app and run everything 100% on your own machine. Your org data never leaves your computer, not even to our servers.
⚠️ Windows SmartScreen warning? This is expected for new apps without a paid code signing certificate. Click "More info", then "Run anyway" to proceed. The app is open source, so you can review the full source code before running it.
Each scan costs $5; the software itself is free and open source. Developers can self-host for free.