This guide walks you through running your first scan with each of Sentinel's three modes. You need the binary installed first — see Installation if you haven't done that yet.
Entra ID scan (cloud mode)
The cloud scan connects to your Microsoft Entra ID tenant via the Microsoft Graph API. You authenticate with your own account — the same account you use to sign in to the Entra admin center.
Step 1: Run the scan
grantflow-sentinel cloudSentinel opens a browser window and prompts you to sign in. Use an account with at least Global Reader permissions for full coverage. Some checks (such as reading authentication method policies) require additional roles — see the checks reference for per-check requirements.
After you authenticate, Sentinel collects data and runs all checks automatically.
Step 2: Review the output
Progress prints to your terminal as checks complete. When the scan finishes, you see:
- A total security score out of 100
- Domain-by-domain breakdown
- A projected score showing the impact of deploying GrantFlow (if GrantFlow is not already detected)
- The path to your generated report
✓ Completed 68 checks: 42 passed, 18 failed, 8 warnings
Entra ID Security Score: 61/100
Domain Scores
─────────────────────────────────────
Authentication & MFA 75/100
Conditional Access 55/100
Privileged Access 50/100
Tenant Hardening 70/100
Workload Identity 60/100
High-Value Targets 80/100
Monitoring & Detection 65/100
Projected score with GrantFlow: 78/100 (+17 from 12 findings GrantFlow would resolve)
✓ Report saved: sentinel-contoso-2026-03-10.htmlThe HTML report opens automatically in your browser unless you pass --no-open.
Headless / SSH environments
If you are running on a server without a browser, use device code flow:
grantflow-sentinel cloud --device-codeSentinel prints a URL and a one-time code. Open the URL on any device, enter the code, and authenticate. The scan proceeds once the token is granted.
Active Directory scan (ad mode)
The AD scan connects to a Domain Controller via LDAP for user, group, stale object, and ADCS collection, and uses PowerShell for domain-level policy queries.
grantflow-sentinel adSentinel needs an LDAP connection to a Domain Controller. You can configure it explicitly or let Sentinel auto-discover it from the LOGONSERVER and USERDNSDOMAIN environment variables on a domain-joined Windows machine.
PowerShell requirement (partial)
Some AD checks — domain functional level, password policy, protocol settings (LDAP signing, SMB signing, LLMNR, NTLM), and GPP password detection — still require the Active Directory PowerShell module (RSAT) on Windows. These checks are automatically skipped on macOS and Linux. All user, group, stale account, service account, delegation, and ADCS checks use native LDAP and work cross-platform.
Cross-platform AD scanning
On macOS or Linux, configure LDAP explicitly in sentinel.yaml to run user collection, ADCS checks (ESC1–ESC4, ESC6, ESC8), stale object detection, and SID-resolved ACL reporting:
ldap_server: dc.example.com
ldap_tls: true
ldap_bind_dn: "CN=sentinel,OU=ServiceAccounts,DC=example,DC=com"Pass the bind password via the LDAP_BIND_PASS environment variable — Sentinel does not support ${VAR} expansion inside sentinel.yaml:
export LDAP_BIND_PASS="your-password"
grantflow-sentinel adPowerShell-only checks are automatically skipped. LDAP-based findings are collected and scored as usual.
Linux scan (linux mode)
The Linux scan reads system configuration files and inspects running processes directly on the host.
sudo grantflow-sentinel linuxRunning as root (or with sudo) is required for checks that inspect /etc/shadow, sudoers rules, and SUID binaries. Sentinel will complete a partial scan if you run without elevated privileges, but some checks will be skipped.
Common flags
You can combine these flags with any mode.
# Save output to a specific directory
grantflow-sentinel cloud --output ~/reports
# Generate HTML and JSON together
grantflow-sentinel cloud --output ~/reports --format html,json
# Use a named profile from sentinel.yaml
grantflow-sentinel cloud --profile contoso
# Target a specific tenant (skips tenant picker)
grantflow-sentinel cloud --tenant contoso.onmicrosoft.com
# Re-render HTML from an existing JSON report (no scan, no auth)
grantflow-sentinel --render sentinel-contoso-2026-03-14.json
# Suppress terminal colors (useful for CI)
grantflow-sentinel cloud --no-color
# Show verbose progress
grantflow-sentinel cloud --verboseSee Configuration for persistent defaults and named profiles.
Next steps
Configuration
Set defaults and named profiles in sentinel.yaml to avoid retyping flags.