AI Pilot
Aether365's core is read-only Microsoft 365 security scanning: it scans your tenant, shows findings, and gives you remediation steps to run yourself. AI Pilot extends this with assisted remediation. After a scan, AI Pilot can propose specific fixes, let you review each one, and apply the changes you approve directly in your Microsoft 365 tenant through Microsoft Graph.
AI Pilot is opt-in and uses a separate Microsoft write-consent connection. Read-only scanning stays the default for every tenant, and nothing is written to your tenant unless you approve it.
How AI Pilot differs from read-only scanning
| | Read-only scanning (default) | AI Pilot (opt-in) |
|---|---|---|
| What it does | Reads tenant configuration, runs scans, shows findings and remediation steps | Everything scanning does, plus applying the fixes you approve |
| Who applies fixes | You, by following the remediation steps | AI Pilot, after your per-item approval |
| Consent | Read-only Microsoft consent (granted when you connect a tenant) | A separate write-consent, granted only when you enable AI Pilot |
| Plans | All plans | Pro and Enterprise |
Read-only scanning is always the default. AI Pilot never changes that posture on its own: it adds an optional, separate write-consent connection that you set up explicitly.
Availability
AI Pilot is available on the Pro and Enterprise plans. If your plan does not include it, the AI Pilot section prompts you to upgrade. Read-only scanning continues to work on every plan.
The AI Pilot flow
Using AI Pilot follows five steps:
- Connect an AI Pilot tenant - grant the separate Microsoft write-consent for the tenant you want to enable.
- Run an AI Pilot scan - Aether365 scans the tenant and identifies failed checks.
- Review findings - AI Pilot generates a remediation plan that shows each proposed change, with the current value and the proposed new value side by side.
- Approve fixes per item - you approve each fix individually. Nothing is applied until you do.
- AI Pilot applies and verifies - approved fixes are applied through Microsoft Graph, and the new state is verified.
Enabling AI Pilot for a tenant
AI Pilot requires a separate Microsoft admin-consent that grants scoped write permissions in addition to the read permissions used for scanning. This is a one-time step per tenant, and it does not affect the read-only connection you already have.
Global Administrator required
The AI Pilot consent must be approved by a Global Administrator for the tenant you want to enable. The write permissions allow Aether365 to apply the fixes you approve in that tenant.
Steps:
- Open the Connect Tenant page.
- Find the AI Pilot Connection section.
- Choose the connected tenant you want to enable AI Pilot on, then click Enable AI Pilot.
- You are redirected to the Microsoft consent screen. Sign in with a Global Administrator account for that tenant.
- Review the scoped write permissions shown on the consent screen, then click Accept.
- Microsoft redirects you back to Aether365. The tenant now shows an AI Pilot badge, confirming write consent is active.
Your existing read-only connection for the same tenant is not affected. AI Pilot is connected as a separate, independent connection alongside it, not as an upgrade that replaces it. Scanning continues unchanged.
Read-only stays the default
Enabling AI Pilot on one tenant does not change anything for your other tenants. Each tenant stays read-only until you enable AI Pilot on it specifically.
Running an AI Pilot scan and reviewing the plan
Once a tenant has AI Pilot enabled, you can turn scan results into a remediation plan:
- Run a scan for the tenant (manually or on its schedule), or use a completed scan.
- In the AI Pilot area, generate a remediation plan from the scan. The plan lists the failed checks that have an automated fix.
- The plan shows each proposed change as a row:
  - The check that failed
  - The current setting value
  - The proposed new value
  - The severity of the finding
Review every item before approving anything. Each row tells you exactly what will change.
Approving fixes per item
AI Pilot applies fixes per item. Nothing is applied automatically, and there is no blanket "apply everything" action that bypasses your review.
- In the remediation plan, click Approve on each item you want AI Pilot to apply.
- Approved items are applied one at a time through Microsoft Graph.
- After each change, Aether365 verifies the new state and marks the item as applied.
- Items you do not approve are left unchanged. You can return to the plan later to approve more items.
Confirm with a fresh scan
After applying fixes, run a new scan to confirm the checks now pass. The scan reads the actual tenant state independently, so it is the authoritative check that a fix took effect.
Automated and manual fixes in a scan's detail
Not every failed check has an automated fix. When you open a scan's detail and look at a failed finding, AI Pilot tells you which kind it is:
- Findings with an automated fix show an AI Pilot checkbox. Tick it to have AI Pilot apply that fix for you.
- Findings with no automated fix show a Manual marker and the manual remediation steps to follow yourself. For a step-by-step approach to working through these, see Remediating Findings.
This split is the same whether you are reviewing a scan to approve fixes by hand or letting auto-remediation handle the fixable ones. The manual findings always remain yours to apply.
Auto-remediation on scan completion
Beyond reviewing fixes one at a time, AI Pilot can apply the fixable failed findings automatically as soon as an AI Pilot scan completes, then verify each change. This is convenient for tenants you trust AI Pilot to keep in shape without a manual review step after every scan.
Auto-remediation only runs when both of these are true:
- The tenant has an AI Pilot connection with write consent granted.
- Auto-remediation is enabled for your account. This is a separate switch from connecting AI Pilot, so simply having an AI Pilot connection does not start auto-applying fixes on its own.
When both conditions are met, a completed AI Pilot scan triggers the fixable failed findings to be applied and then verified, the same way a fix you approve by hand is applied and verified. Findings that have no automated fix are left for you to handle manually, exactly as in the scan detail described above.
You stay in control
Auto-remediation is off until you enable it. With it off, AI Pilot still does everything else - you just approve the fixes you want, when you want. With it on, the fixable findings are handled for you on each scan, and the manual findings are still yours to apply.
The safety model
AI Pilot is designed so that write access is deliberate and reviewable:
- Opt-in. AI Pilot is off by default. Read-only scanning is the default posture for every tenant.
- Separate consent. Write access uses its own Microsoft consent, distinct from the read-only scan consent. Granting it requires a Global Administrator.
- Per-item approval. Every fix is reviewed and approved individually before anything is written to your tenant. No fix is auto-applied blindly.
- Verified. After each fix is applied, the new state is verified, and you can confirm the result with an independent scan. This holds for auto-remediation too: each automatically applied fix is verified before it is marked done.
- Auto-remediation is opt-in. Applying fixes automatically on scan completion only happens when you turn it on, on top of an AI Pilot connection. It never applies fixes that have no automated remediation, and manual findings stay yours to handle.
- Scoped. The write permissions cover only the remediation areas Aether365 supports.
Revoking AI Pilot consent
To remove AI Pilot write access for a tenant:
- In your Microsoft tenant, open the Entra admin center (portal.azure.com > Enterprise Applications > Aether365).
- Remove the write permissions, or remove the enterprise application entry.
Your read-only connection in Aether365 keeps working for scanning after you revoke write consent. If you later want AI Pilot again, re-enable it from the AI Pilot Connection section on the Connect Tenant page.
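To confirm that a revocation left no write access behind, you can audit the permissions still granted to the enterprise application. The following is an added example, not Aether365's own code: it takes data shaped like Microsoft Graph's appRoleAssignments and oauth2PermissionGrants responses and reports every permission that is not provably read-only. The IDs and permission names in the sample are constructed, since this page does not list the permissions Aether365 requests.

```python
# Constructed sample data shaped like Microsoft Graph responses; IDs and the
# permission set are illustrative, not Aether365's actual permissions.
APP_ROLES = [  # from the Microsoft Graph service principal's appRoles
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Policy.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003",
     "value": "Policy.ReadWrite.ConditionalAccess"},
]
ASSIGNMENTS = [  # GET /servicePrincipals/{id}/appRoleAssignments
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff"},  # not in APP_ROLES
]
DELEGATED = [  # GET /servicePrincipals/{id}/oauth2PermissionGrants
    {"consentType": "AllPrincipals",
     "scope": "openid profile User.Read Policy.ReadWrite.AuthenticationMethod"},
]

OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
READ_OPERATIONS = {"Read", "ReadBasic"}


def is_read_only(permission):
    """Graph names follow Resource.Operation[.Constraint]; allowlist reads only."""
    if permission in OIDC_SCOPES:
        return True
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] in READ_OPERATIONS


def write_capable(app_roles, assignments, delegated_grants):
    """Return sorted (kind, permission) pairs that are not provably read-only."""
    names = {role["id"]: role["value"] for role in app_roles}
    findings = set()
    for a in assignments:
        name = names.get(a["appRoleId"])
        if name is None:
            # Unknown role id: cannot prove it is read-only, so report it.
            findings.add(("application", "unresolved:" + a["appRoleId"]))
        elif not is_read_only(name):
            findings.add(("application", name))
    for grant in delegated_grants:
        for scope in grant.get("scope", "").split():
            if not is_read_only(scope):
                findings.add(("delegated", scope))
    return sorted(findings)


if __name__ == "__main__":
    for kind, perm in write_capable(APP_ROLES, ASSIGNMENTS, DELEGATED):
        print(f"{kind:12} {perm}")
```

An empty result after revocation means only read-style permissions remain. Anything the function cannot classify is reported rather than assumed safe.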
Related
- Connect a Tenant - setting up the read-only connection and the AI Pilot Connection
- Remediating Findings - working through findings manually
- Threat Alerts - live identity risk and one-click breach response
- Policy Management - review and harden key tenant policies
- Reading Scan Results - understanding scan output
- Security Model - read-only default and optional write access
- Microsoft Permissions - permissions Aether365 requests