How Aether365 Works
Maintained by: Aether365 Team
Audience: All users
Scope: Architecture and data flow of Aether365 scans
Aether365 is a continuous Microsoft 365 security assessment platform. By default it connects to your tenant using read-only Microsoft Graph permissions, runs security checks against established frameworks, and surfaces findings with remediation guidance. An optional, opt-in capability called AI Pilot can additionally apply fixes you approve, using a separate write-consent connection.
Architecture Overview
Your M365 Tenant
│
│ (read-only Microsoft Graph API calls)
▼
Aether365 Scanner
│
│ (structured findings)
▼
Aether365 Database
│
│ (API)
▼
Your Dashboard / REST API

No agents, connectors, or PowerShell scripts run inside your tenant. Aether365 operates entirely from outside your environment using the Microsoft Graph API.
By design, scanning uses a read-only architecture: the scanner holds only application-level read permissions and has no technical capability to create, modify, or delete anything in your Microsoft 365 environment. This read-only posture is the default for every connected tenant. If you choose to enable AI Pilot, write permissions are granted through a separate, opt-in consent and are used only to apply the specific fixes you approve, one item at a time.
The Scan Flow
- Trigger - A scan starts either on the automatic schedule, or when you trigger one manually from the dashboard or API.
- Authentication - Aether365 uses the service principal consent you granted during tenant connection. It authenticates as an application - not as a user.
- Data collection - The scanner reads configuration data from Microsoft Graph endpoints: user settings, policies, tenant configuration, service-specific settings (Exchange, Teams, SharePoint, Entra ID).
- Evaluation - Each collected value is evaluated against a library of security checks. Checks are mapped to one or more compliance frameworks.
- Results storage - Pass, fail, and skip results are stored per-check. For failed checks, the actual value detected is recorded alongside the expected value.
- Delivery - Results appear in your dashboard. If email or Teams notifications are configured, you receive an alert when the scan completes.
What Data Aether365 Reads
Aether365 reads configuration data only - not email content, file content, chat messages, or user-generated data.
Configuration data includes:
- Tenant and organisation settings
- Entra ID (Azure AD) policies - conditional access, authentication methods, role assignments
- Exchange Online - transport rules, anti-phishing policies, mailbox settings, DKIM/DMARC status
- Microsoft Teams - meeting policies, external federation, guest access settings
- SharePoint Online - sharing policies, external access configuration
- Microsoft 365 security settings - Defender policies, audit log status, alert policies
Read-only by default
Scanning never creates, modifies, or deletes any data in your Microsoft 365 environment. The scan permissions are application-level and read-only. Write access is granted only if you opt in to AI Pilot, through a separate consent, and is used solely to apply fixes you approve per item.
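One way to verify the read-only claim from your own tenant is to list the application permissions granted to the scanner's service principal and flag anything that is not a read permission. The following is an added example, not Aether365's code: the role IDs, the sample grants and the `audit` / `is_read_only` helpers are constructed for illustration, and the permission names are generic Microsoft Graph permissions, not Aether365's actual consent set.

```python
# Constructed sample data: not Aether365's real permission set, not a real tenant.
# Trimmed "appRoles" of the resource service principal (Microsoft Graph).
RESOURCE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Policy.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003",
     "value": "Policy.ReadWrite.ConditionalAccess"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "Mail.Send"},
]

# "value" array as returned by GET /servicePrincipals/{id}/appRoleAssignments.
READ_ONLY_APP = [{"appRoleId": "00000000-0000-0000-0000-000000000001"},
                 {"appRoleId": "00000000-0000-0000-0000-000000000002"}]
WRITE_APP = READ_ONLY_APP + [
    {"appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"appRoleId": "00000000-0000-0000-0000-000000000004"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff"},  # not in catalogue
]

# Verb segments accepted as read-only; anything else is flagged (fail closed).
READ_VERBS = {"Read", "ReadBasic"}


def is_read_only(permission):
    """Graph permissions look like Resource.Verb[.Constraint]."""
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] in READ_VERBS


def audit(assignments, app_roles):
    """Return (appRoleId, name, reason) for every grant not provably read-only."""
    names = {role["id"]: role["value"] for role in app_roles}
    findings = []
    for grant in assignments:
        role_id = grant["appRoleId"]
        name = names.get(role_id)
        if name is None:
            # A grant that cannot be resolved to a name is treated as a finding.
            findings.append((role_id, None, "unresolved role id"))
        elif not is_read_only(name):
            findings.append((role_id, name, "not read-only"))
    return findings


if __name__ == "__main__":
    for label, grants in (("read-only app", READ_ONLY_APP), ("write app", WRITE_APP)):
        print(label, audit(grants, RESOURCE_APP_ROLES) or "OK")
```

In a real check, the two lists come from the `appRoleAssignments` of the scanner's service principal and the `appRoles` of the Microsoft Graph service principal in your tenant.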
No AI processing of your data
Aether365 does not send your tenant configuration, scan results, or any customer data to AI or large language model services. No customer data is used for AI model training or automated profiling. AI assistance is used only to author the public remediation documentation on this site - never to process data read from your tenant.
Scan Types
| Type | What it checks | Frameworks |
|---|---|---|
| Compliance | Configuration against security benchmarks | CIS, EIDSCA, CISA SCuBA, NIS2 |
| Exposure | Risky configurations across M365 services | Aether365 exposure library |
See Compliance Scans and Exposure Scans for details.
Data Residency
All data - including scan results and configuration snapshots - is stored in our EU data centre (Ireland, Sweden). No data is replicated to other regions. Scan data is retained for a defined period before being permanently deleted.
See Data Residency & Privacy for details.
Tenant Isolation
Each customer's data is stored with a tenant ID applied to every database record. It is architecturally impossible for one customer's data to be accessed via another customer's session. Scan workloads run in isolated, ephemeral environments with no shared state between tenants.