Each check is mapped to CIS, Maester, SCUBA, ISO 27001, and NIST CSF frameworks.
Typically 20–30 minutes end to end. The scan runs in the background after you consent — you can close the browser tab. Your report will arrive by email when complete.
Most of the permissions we request require admin consent, which means a Global Administrator must grant consent on behalf of the tenant — either by running the scan themselves, or by pre-consenting the app for a delegated user. A Security Reader or Security Administrator role is not sufficient for the initial consent step.
Your report includes:
An overall security score out of 100.
An executive summary showing which areas passed and which have issues.
A finding for each of the checks — PASS, FAIL, or SKIP.
For paid tiers: evidence (what was found), step-by-step remediation, and ISO 27001 / NIST CSF mappings per finding.
For free tier: top-level results with limited evidence and remediation.
A check is skipped when it requires a feature or licence your tenant does not have. For example, Intune checks are skipped if you have no Intune licence, and some Entra ID checks require an Entra ID P2 licence. Skipped checks do not count for or against your score.
Security & Access
No. Every permission we request is read-only. We cannot create, modify, or delete users, policies, resources, or any other object in your tenant or Azure subscription. This is enforced at the Microsoft API level — read-only permissions simply do not allow write operations.
We request 16 Microsoft Graph permissions and 1 Azure Service Management permission, all read-only. Each permission is documented with a plain-English explanation of exactly what it is used for; the full list is at butwhy.cloud/permissions.
Go to Entra ID → Enterprise Applications in the Azure portal, search for ButWhy.Cloud, and click Delete. This immediately and permanently removes our access from your tenant. The access token used during your scan has already expired by this point regardless.
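If you would rather verify the read-only claim from the command line than trust the consent screen, the following added example (not ButWhy.Cloud's own code) lists every delegated and application permission the consented enterprise application holds and flags any that are not read-only scopes. It assumes the Microsoft.Graph PowerShell module and that the display name matches the "ButWhy.Cloud" entry under Enterprise Applications.

```powershell
# Added example, not ButWhy.Cloud's own code. Lists the permissions a consented
# enterprise application actually holds in your tenant and flags anything that
# is not a read-only scope. Assumes the Microsoft.Graph PowerShell module; the
# display name is assumed to match the Enterprise Applications blade.
$appName = "ButWhy.Cloud"

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { Write-Host "No enterprise application named '$appName' found."; return }

# Microsoft Graph's own service principal, used to turn app-role GUIDs into names.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Heuristic: Graph permissions whose name ends in .Read, .Read.All, .Read.Shared
# and so on cannot write; anything else is listed for manual review.
function Test-ReadOnlyPermission([string]$name) {
    return $name -match '\.Read(\.\w+)*$'
}

$findings = @()

# Delegated permissions (what the app may do on behalf of a signed-in user).
foreach ($grant in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'") {
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            Type = "Delegated ($($grant.ConsentType))"; Permission = $scope
            ReadOnly = Test-ReadOnlyPermission $scope
        }
    }
}

# Application permissions (what the app may do with no user present).
foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $name = $roleNames[$assignment.AppRoleId]
    if (-not $name) { $name = "$($assignment.ResourceDisplayName):$($assignment.AppRoleId)" }
    $findings += [pscustomobject]@{
        Type = "Application"; Permission = $name; ReadOnly = Test-ReadOnlyPermission $name
    }
}

$findings | Sort-Object ReadOnly, Permission | Format-Table -AutoSize
$toReview = $findings | Where-Object { -not $_.ReadOnly }
Write-Host "$($findings.Count) permission(s) granted; $($toReview.Count) need manual review."

# Revoking all access (the portal 'Delete' step) needs Application.ReadWrite.All:
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id -Confirm
```

The Azure Service Management permission will appear under manual review because its name does not follow the Graph `.Read` convention; check it against the documented permissions list rather than the heuristic.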
No. The OAuth access token is held in memory during the scan only and is never written to disk or any storage. Once the scan completes the token is discarded. Microsoft access tokens expire after 1 hour regardless.
Microsoft Publisher Verification is in progress. Until verification is complete you may see an "unverified publisher" warning on the consent screen. This is a Microsoft process requirement and does not affect the security of the scan itself. You can review our exact permissions before consenting at butwhy.cloud/permissions.
Data & Privacy
Your scan report (check results and evidence) is stored in Azure Blob Storage for 5 days, then automatically and permanently deleted. Your email address is used only to deliver the report and is not stored in any database. We do not store your OAuth token, passwords, or any other credentials.
Scan results are stored in Microsoft Azure Blob Storage in the East US region. Report delivery uses Mailgun, which may process your email address in the United States under Standard Contractual Clauses.
Yes. We process only the minimum personal data necessary to deliver the service, retain it for no longer than required (5 days), and have sub-processor agreements in place. Our full Privacy Policy and Data Processing Agreement are available for review. If you require a signed DPA for your organisation, contact hello@butwhy.cloud.
Yes. We operate under South African law and comply with the Protection of Personal Information Act (POPIA). Data is stored in Microsoft Azure (East US region). See our Privacy Policy for full details.
Pricing & Plans
The free scan runs all automated security checks and gives you your security score, executive summary, and top-level pass/fail results. Evidence details and remediation steps are limited and locked to paid tiers. You can run one free scan every 30 days.
Yes — with your client's explicit consent. The Global Administrator of the client tenant must be the one to grant OAuth consent. You can be present during that process and receive the report to your email address. Contact hello@butwhy.cloud if you need a multi-tenant or white-label arrangement.
Email us at hello@butwhy.cloud and we'll get back to you within one business day.