Introduction to Sentinel

GrantFlow Sentinel is a standalone CLI tool that audits your security posture across Microsoft Entra ID (Azure AD), on-premises Active Directory, and Linux hosts. It runs locally on your machine, connects to your environment using your existing credentials, and produces a self-contained HTML report with a security score, prioritized findings, and actionable remediation steps.

No agents to install. No data sent to external servers. Run it in under five minutes.

Scan Modes

Sentinel operates in three independent modes. You can run any combination.

Mode    Target                          How it connects
cloud   Microsoft Entra ID tenant       Microsoft Graph API via browser or device code login
ad      On-premises Active Directory    LDAP to a Domain Controller (+ PowerShell for domain policies on Windows)
linux   Local Linux host                Reads system files and commands directly

Each mode runs its own set of checks and produces an independent score. When you combine modes in a single run, Sentinel merges the results into one unified report.

What You Get

Each scan produces a report in the format(s) you choose:

  • HTML — Standalone single-file report with security score, domain breakdowns, finding cards, and per-finding remediation steps. Opens in any browser, no server needed.
  • JSON — Machine-readable results suitable for SIEM ingestion, dashboards, or scripted pipelines.
  • PDF — Print-ready version of the HTML report.

Reports are named sentinel-<tenant>-<date>.html (cloud) or sentinel-<hostname>-<date>.html (linux/AD) and written to the configured output directory. See Reading Reports for a walkthrough of the report structure.

Check Coverage

Sentinel evaluates 92 security checks across 15 domains.

Entra ID (Cloud Mode)

  • Authentication & MFA — number matching, suspicious activity reporting, FIDO2, insecure methods
  • Conditional Access — MFA policies, legacy auth blocking, risk-based policies, sign-in frequency
  • Privileged Access — permanent Tier 0 assignments, Global Admin count, stale privileged accounts
  • Tenant Hardening — user consent, guest restrictions, app registration controls
  • Workload Identity — high-privilege service principals, expired credentials, long-lived secrets
  • High-Value Targets — shadow admins, orphaned apps, disabled users with active roles
  • Monitoring & Detection — unreviewed risk users, stale guests, Entra recommendations

Active Directory (AD Mode)

  • AD Privileged Access — Domain Admin count, DCSync rights, unconstrained delegation, Kerberoasting
  • AD Protocol Security — LDAP signing, SMB signing, LLMNR, NetBIOS, NTLM
  • AD Hygiene — password policy, stale accounts, disabled accounts in privileged groups, LAPS deployment
  • AD Credential Exposure — GPP passwords, gMSA usage, credentials in description fields
  • AD Certificate Services — ESC1–ESC4, ESC6, and ESC8 attack vectors, CA misconfigurations, template ACLs, enrollment endpoints

Linux (Linux Mode)

  • Linux Access Control — SSH root login, password auth, empty passwords, SUID binaries
  • Linux Network Security — firewall status, service binding
  • Linux System Hardening — ASLR, ptrace scope, auditd, unattended updates, file permissions
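To make concrete what the Linux Access Control and System Hardening checks above look for, here is an added POSIX shell script that is not Sentinel's code: it evaluates SSH root login, SSH password authentication, empty password hashes, ASLR and ptrace scope from files passed as parameters, applying sshd's first-occurrence rule for duplicated keywords. The pass/fail thresholds and the sample sshd_config are assumptions for illustration, not Sentinel's definitions.

```shell
#!/bin/sh
# Added example, not Sentinel's code: re-implements a few settings the Linux Access
# Control and System Hardening checks evaluate, with file paths as parameters so the
# same logic runs against a constructed sample or a live host.

# Effective value of an sshd_config keyword. sshd honours the FIRST occurrence,
# keywords are case-insensitive, and Match blocks are skipped (global scope only).
# Assumes the "Keyword value" form; "Keyword=value" is not parsed.
sshd_effective() {  # $1 = config file, $2 = keyword, $3 = sshd built-in default
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    tolower($1) == "match"       { in_match = 1 }
    in_match || /^[[:space:]]*#/ { next }
    tolower($1) == key && !found { print $2; found = 1 }
    END                          { if (!found) print def }' "$1"
}
# PASS only for "no"; key-only root login (prohibit-password, the default) is still a finding.
check_root_login() {
  [ "$(sshd_effective "$1" PermitRootLogin prohibit-password)" = "no" ] && echo PASS || echo FAIL
}
# PASS when password authentication is disabled (sshd default is yes).
check_password_auth() {
  [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] && echo PASS || echo FAIL
}
# Number of accounts in a shadow-format file whose password field is empty.
count_empty_passwords() {  # $1 = shadow file
  awk -F: '$2 == "" { n++ } END { print n + 0 }' "$1"
}
# ASLR must be full (randomize_va_space = 2) and ptrace restricted (yama ptrace_scope >= 1).
check_sysctl() {  # $1 = randomize_va_space file, $2 = ptrace_scope file
  [ "$(cat "$1")" -eq 2 ] && [ "$(cat "$2")" -ge 1 ] && echo PASS || echo FAIL
}
# Constructed sample (not from a real host): the first PermitRootLogin wins, so the
# later "no" does not rescue the configuration, and the Match override is ignored.
sample_sshd_config() {  # $1 = path to write
  cat > "$1" <<'EOF'
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}
if [ "${1:-}" = "--live" ]; then   # run against this host (root needed for /etc/shadow)
  check_root_login /etc/ssh/sshd_config; check_password_auth /etc/ssh/sshd_config
  count_empty_passwords /etc/shadow
  check_sysctl /proc/sys/kernel/randomize_va_space /proc/sys/kernel/yama/ptrace_scope
fi
```

Run with `--live` to evaluate the current host; without arguments the functions are only defined, so they can be sourced and pointed at files collected from another system.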

For the full list of checks with IDs, severity, and remediation guidance, see the Checks Reference.

GrantFlow Integration

When Sentinel detects that GrantFlow PAM is deployed in your Entra ID tenant, the report adapts automatically:

  • Findings that GrantFlow already controls are marked as Managed by GrantFlow and shown as passed.
  • The projected score section disappears — you are already there.
  • For tenants without GrantFlow, findings show a projected score so you can see the impact GrantFlow would have.

This makes Sentinel a useful before-and-after tool: run it before deploying GrantFlow to see your baseline score, then run it again afterward to confirm the improvement.
