Connect a Tenant
Connecting a Microsoft 365 tenant allows Aether365 to read your tenant configuration and run security scans. The connection is established through Microsoft Admin Consent - a standard Microsoft process where a Global Administrator approves an application's permission request.
What is admin consent?
Admin consent is Microsoft's mechanism for granting an application access to tenant-wide resources. When you connect a tenant in Aether365, you are directed to Microsoft's consent screen where a Global Administrator approves the permissions Aether365 needs.
Once approved, Aether365 appears as a registered enterprise application in your tenant's Entra ID portal (portal.azure.com > Enterprise Applications). You can revoke access at any time by removing the application from there.
Required permissions
By default, Aether365 requests 35 read-only Microsoft Graph API permissions, and scanning cannot modify anything in your tenant. Write access is never granted by this connection. If you later want Aether365 to apply approved fixes for you, you can opt in to AI Pilot, which uses a separate write-consent connection that you set up explicitly on this page.
The most commonly referenced permissions:
| Permission | Purpose |
|---|---|
Directory.Read.All | Read users, groups, roles, and directory settings |
Policy.Read.All | Read conditional access, authorization, and security policies |
Reports.Read.All | Read usage and security reports |
SecurityEvents.Read.All | Read security alerts and events |
RoleManagement.Read.All | Read Entra ID role assignments |
UserAuthenticationMethod.Read.All | Read registered MFA methods |
Organization.Read.All | Read tenant configuration and license assignments |
AuditLog.Read.All | Read audit log data |
SharePointTenantSettings.Read.All | Read SharePoint tenant-wide security settings |
User.Read.All | Read user profiles and sign-in settings |
For the complete list of all 35 permissions with scan type mapping, see Microsoft Permissions.
No write permissions are requested. For AI Pilot (optional write-consent remediation), a separate consent step is required - see AI Pilot.
Step by step
1. Sign in to app.aether365.io with your Microsoft account.
2. Navigate to Connect in the sidebar. This page shows all your connected tenants and a count against your plan limit (e.g. "Pro plan - 2 / 3 tenants").
3. Click Add tenant. You are redirected to the Microsoft consent screen.
4. Sign in with a Global Administrator account for the tenant you want to connect.
5. Review the requested permissions and click Accept.
6. Microsoft redirects you back to Aether365. Your tenant now appears on the Connect page.
7. Optionally, click the edit button next to the tenant to assign a custom label (e.g. "Contoso - Production"). Labels appear in scan results, email reports, and the tenant switcher.
Global Admin required
Only a Global Administrator can grant admin consent. If you are the end user but not a Global Admin, you can copy the consent link and send it to your IT administrator to complete the connection.
The Connect page
The Connect page (/connect in the sidebar) is where you manage all tenant connections. For each connected tenant, you see:
- The tenant label (custom name or first 8 characters of the tenant ID)
- The full Microsoft Tenant ID (GUID)
- An edit button to change the label
- A remove button to disconnect the tenant
The header shows your plan name and how many of your allowed tenant slots are used.
Multi-tenant support
You can connect multiple Microsoft 365 tenants to a single Aether365 account. The number of allowed connections depends on your plan:
| Plan | Tenant limit |
|---|---|
| Free | 1 |
| Pro | 3 |
| Enterprise | Unlimited |
To add more tenants, click Add tenant on the Connect page and repeat the consent process. If you have reached your plan limit, the button shows a lock icon with a prompt to upgrade.
Each connected tenant is scanned independently and has its own results and score.
Switching between tenants
Use the tenant switcher in the top navigation bar to change which tenant's data you are viewing. The switcher shows all connected tenants with their labels and Microsoft Tenant IDs. The currently active tenant is marked with a checkmark.
The dashboard, scan history, and results pages all update to show data for the selected tenant.
Revoking access
To disconnect a tenant and revoke Aether365's access:
- Navigate to Connect in the sidebar.
- Find the tenant you want to remove and click the remove button.
- Confirm the disconnection in the dialog. You may need to type the tenant ID to confirm.
Disconnecting removes the connection from Aether365 and stops future scans for that tenant. Existing scan data is retained according to your plan's retention policy.
For complete removal, also delete the enterprise application from your tenant's Entra ID portal at portal.azure.com > Enterprise Applications > Aether365.