Each Sentinel scan produces an HTML report — a single self-contained file that opens in any browser. This page explains what the report contains and how to use it.
Security score
The top of every report shows a security score from 0 to 100. The score is a weighted aggregate of all checks in the scan. Each check has a score weight that reflects its risk impact. Critical findings carry far more weight than low-severity ones.
The score is split into domain-level scores so you can see exactly which area needs the most attention.
Score interpretation
There is no universal "good" score. A score of 100 means every check passed — which is the goal, but rarely where organizations start. Focus on eliminating Critical and High findings first, as they have the largest impact on the score.
Severity levels
Every finding is assigned one of five severity levels:
| Severity | Meaning |
|---|---|
| Critical | Immediate, high-confidence risk. An attacker could exploit this today with minimal effort. Fix as soon as possible. |
| High | Significant risk that materially increases attack surface. Address in your next change window. |
| Medium | Moderate risk or defense-in-depth gap. Important to address but not an emergency. |
| Low | Minor configuration issue or best-practice deviation. Low exploitability. |
| Info | Observation only — no direct risk. May affect scoring context. |
Check results
Each check appears in the report as a card with one of these states:
| Status | Meaning |
|---|---|
| Pass | The check completed and the configuration meets the expected baseline. |
| Fail | The configuration does not meet the baseline. A finding is present. |
| Warning | Partially meets the baseline, or the check could not determine the state with certainty. |
| Skip | The data needed to evaluate this check was not collected (e.g., no domain controller was reachable). |
| Error | An unexpected error occurred during the check. |
Recommendation lanes
Every failing or warning check includes a recommendation. Recommendations are grouped into three lanes:
Self-Fix — You can address this directly in the Microsoft Entra admin center or Group Policy. The finding card includes a direct portal link and step-by-step guidance.
Ecosystem — Another tool in your security stack can help (for example, enabling Microsoft Entra PIM, or using Maester for policy testing). The finding card names the tool and links to relevant documentation.
GrantFlow — GrantFlow directly addresses this finding by enforcing JIT access, removing standing privileges, or adding approval controls. The card shows the projected score impact if GrantFlow were deployed.
Attack path analysis
For cloud scans, the report includes a separate attack paths section. This shows chains of role assignments and ownership relationships that could allow an attacker to escalate from a lower-privilege account to Tier 0 (Global Administrator) access.
Each path shows:
- The starting account (the initial foothold)
- The chain of roles, group memberships, or app ownerships traversed
- The final target (the Tier 0 role or resource reached)
- The number of steps and the exploitability rating
Prioritize paths with fewer steps
Short attack paths (two or three hops) are the most dangerous because they require less attacker capability and leave less audit trail. Fix the highest-severity node in each path to break the chain.
Projected score with GrantFlow
If GrantFlow is not deployed in your tenant, the report shows a projected score — the score you would achieve if GrantFlow were managing privileged access. This number reflects only the findings that GrantFlow directly resolves (Privileged Access and related Conditional Access checks). Other findings require separate action.
When Sentinel detects an active GrantFlow service principal in the tenant, this section disappears and the relevant findings are shown as Managed by GrantFlow.
Output formats
| Format | Best for |
|---|---|
| HTML | Human review, executive reporting, sharing with stakeholders |
| JSON | SIEM ingestion, dashboards, scripted pipelines, trend tracking over time |
| PDF | Compliance documentation, offline review |
Generate multiple formats in a single run:
```
grantflow-sentinel cloud --format html,json,pdf --output ~/reports
```
JSON as the source of truth
Every scan writes a JSON report file first. The JSON contains the full results — scores, domain breakdowns, every check with its status and evidence, attack paths, and GrantFlow projection data. The HTML viewer is then generated from that JSON.
The JSON is embedded directly inside the HTML file as a JavaScript variable, so the report is fully self-contained. It opens in any browser — including Chromium-based browsers (Chrome, Edge) from file:// — with no web server required.
JSON + HTML are always produced together
When you run a scan with --format html (the default), Sentinel writes both the JSON file and the HTML viewer. The JSON file is the canonical data; the HTML file is a read-only viewer.
Re-rendering reports with --render
Since the HTML viewer is generated from JSON, you can edit the JSON and re-render a fresh HTML report without re-running the scan. This is useful when you want to:
- Remove sensitive findings before sharing with a client
- Adjust metadata or annotations in the JSON
- Regenerate HTML after updating Sentinel to get the latest viewer layout
Use the --render flag with the path to an existing JSON report:
```
# Re-render HTML from a JSON report (writes to the same directory)
grantflow-sentinel --render sentinel-contoso-2026-03-14.json

# Re-render to a different output directory
grantflow-sentinel --render sentinel-contoso-2026-03-14.json --output ~/reports/client
```
The --render flag skips authentication and data collection entirely — it reads the JSON, generates the HTML viewer, and exits.
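A script for the first use case above, producing a client copy of the JSON with selected checks dropped and account names masked before you re-render it with --render. It is an added example, not Sentinel's own code: the report schema is not shown on this page, so the field names (`checks`, `id`, `status`, `evidence`) and the sample report are assumptions.

```python
import json
import re

# Constructed sample report in the assumed shape; the real Sentinel JSON schema
# is not documented on this page, so "checks", "id", "status" and "evidence"
# are assumptions.
SAMPLE_REPORT = {
    "tenant": "contoso",
    "score": 62,
    "checks": [
        {"id": "PA-001", "status": "Fail", "severity": "Critical",
         "evidence": ["alice@contoso.example holds Global Administrator permanently"]},
        {"id": "CA-004", "status": "Pass", "severity": "High", "evidence": []},
        {"id": "PA-007", "status": "Warning", "severity": "Medium",
         "evidence": ["bob@contoso.example owns app 'Payroll Sync'"]},
    ],
}

# Matches a user principal name such as alice@contoso.example.
UPN_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_report(report, drop_ids=(), mask_upns=True):
    """Return a copy of the report with the listed check IDs removed and UPNs in
    evidence strings masked. The stored score is left as the scan computed it;
    the viewer renders whatever the JSON says, so the copy carries a marker."""
    redacted = json.loads(json.dumps(report))   # deep copy, original untouched
    kept = []
    for check in redacted["checks"]:
        if check["id"] in drop_ids:
            continue
        if mask_upns:
            check["evidence"] = [UPN_RE.sub("<redacted-upn>", e)
                                 for e in check.get("evidence", [])]
        kept.append(check)
    redacted["checks"] = kept
    redacted["redacted"] = True
    return redacted


if __name__ == "__main__":
    client_copy = redact_report(SAMPLE_REPORT, drop_ids={"PA-007"})
    # Write the copy, then: grantflow-sentinel --render sentinel-contoso-client.json
    with open("sentinel-contoso-client.json", "w") as fh:
        json.dump(client_copy, fh, indent=2)
    print(json.dumps(client_copy, indent=2))
```

Replace `SAMPLE_REPORT` with `json.load(open(path))` on a real report; keep the original JSON as the canonical record and share only the redacted copy.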
Tracking progress over time
Run Sentinel on a regular cadence (weekly or after significant changes) and store the JSON output. The JSON report contains the full results with check IDs, statuses, scores, and evidence — everything you need to build a trend dashboard or compare two runs programmatically.
Report filenames include the tenant name and date (sentinel-contoso-2026-03-10.html), so they sort naturally in a directory.
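The comparison described above, as an added example (not Sentinel's own tooling): it classifies each check by how its status moved between two stored JSON reports, with Skip and Error treated as "state unknown" rather than as a pass. The schema is not shown on this page, so the field names (`date`, `score`, `checks`, `id`, `status`, `severity`) and both sample runs are assumptions.

```python
# Two constructed reports in the assumed shape ("date", "score", "checks" with
# "id", "status", "severity"); the real Sentinel schema is not shown on this page.
RUN_A = {"date": "2026-03-10", "score": 58, "checks": [
    {"id": "PA-001", "status": "Fail", "severity": "Critical"},
    {"id": "PA-003", "status": "Pass", "severity": "High"},
    {"id": "CA-004", "status": "Warning", "severity": "Medium"},
    {"id": "CA-009", "status": "Skip", "severity": "Low"},
]}
RUN_B = {"date": "2026-03-17", "score": 66, "checks": [
    {"id": "PA-001", "status": "Pass", "severity": "Critical"},
    {"id": "PA-003", "status": "Fail", "severity": "High"},
    {"id": "CA-004", "status": "Warning", "severity": "Medium"},
    {"id": "CA-009", "status": "Fail", "severity": "Low"},
    {"id": "AP-010", "status": "Fail", "severity": "Low"},
]}

FINDING = {"Fail", "Warning"}          # statuses that carry a finding
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


def compare_runs(old, new):
    """Classify every check by how its status moved between two runs.
    Skip/Error never count as a pass, so Skip -> Fail is a 'surfaced' finding
    (state newly known) rather than a regression from a known-good state."""
    old_by_id = {c["id"]: c for c in old["checks"]}
    new_by_id = {c["id"]: c for c in new["checks"]}
    diff = {"score_delta": new["score"] - old["score"], "resolved": [],
            "regressed": [], "surfaced": [], "new": [], "dropped": []}
    for cid, cur in new_by_id.items():
        prev = old_by_id.get(cid)
        if prev is None:
            if cur["status"] in FINDING:
                diff["new"].append(cid)
        elif prev["status"] in FINDING and cur["status"] == "Pass":
            diff["resolved"].append(cid)
        elif prev["status"] == "Pass" and cur["status"] in FINDING:
            diff["regressed"].append(cid)
        elif prev["status"] in ("Skip", "Error") and cur["status"] in FINDING:
            diff["surfaced"].append(cid)
    diff["dropped"] = sorted(set(old_by_id) - set(new_by_id))
    # Worst severity first, so the head of each list is what triage looks at.
    sev = lambda cid: SEVERITY_RANK.get(new_by_id[cid]["severity"], 99)
    for key in ("regressed", "surfaced", "new"):
        diff[key].sort(key=sev)
    return diff


if __name__ == "__main__":
    import json
    print(json.dumps(compare_runs(RUN_A, RUN_B), indent=2))
```

On real data, load the two dated files with `json.load` and feed them in as `old` and `new`; the "regressed" list is the one to review first after each weekly run.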