What is Entra Documentation?

Entra Documentation is a free web tool that generates a complete, audit-ready PDF of your Microsoft Entra ID (formerly Azure AD) tenant configuration. It covers Conditional Access policies, Privileged Identity Management (PIM), roles, groups, users, applications, and identity governance in a single document suitable for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2, and NIST audits.

How much does it cost?

Entra Documentation is 100% free and will stay free. There are no paid tiers, no trial limits, and no feature gates. Generate as many reports as you need, as often as you need.

What permissions does it require?

Only read-only Microsoft Graph API permissions, grouped across six categories: Identity & Directory, Security & Access Control, Privileged Identity Management, Identity Governance, Applications, and External Identities. A tenant admin must grant consent once. The complete list of scopes and what each is used for is documented on the Get Started page.

Is my tenant data safe? Where is it processed?

Yes. All processing happens entirely in your browser. Your tenant configuration is fetched directly from Microsoft Graph to your browser and rendered into a PDF locally. Nothing is uploaded to or stored on our servers. We do not see, log, or retain any of your data.

How long does it take to generate a report?

Typically 2 to 4 minutes, depending on tenant size. The tool paginates through Graph responses and assembles the PDF in the browser, so generation time scales with the number of users, groups, policies, and applications in your tenant.

Which compliance frameworks does it support?

The PDF report is structured to provide evidence for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2, and NIST audits. It captures the configuration items most commonly requested by auditors for identity and access controls.

What's the difference between this and a PowerShell script?

Entra Documentation requires no PowerShell, no modules to install, no scripts to maintain, and no agents to deploy. It works in any modern browser, uses the same Graph API that PowerShell scripts use, and produces a formatted PDF instead of raw JSON or CSV output. There is nothing to keep up to date between releases.

Can MSPs use it for multiple client tenants?

Yes. MSPs can sign into each client tenant and generate a separate report for each. Because processing is browser-only with no backend, there is no per-tenant configuration or setup required on our side.

100% Free — no paywalls, no trial limits

Audit-Ready Entra ID Documentation in 3 Minutes

Export your complete Entra ID configuration as a professional PDF.Roles, Conditional Access, PIM, and governance. All in one document.Ready for your next SOC 2, ISO 27001, or NIS2 audit.

100% read-onlyBrowser-only processingZero data storage

SOC 2
ISO 27001
NIS2
HIPAA
GDPR
PCI DSS
NIST

Join organizations worldwide automating their Entra ID documentation

Built by Ugur Koc, Microsoft MVP · Open to feedback on GitHub

How it works

From sign-in to audit-ready PDF in 3 minutes

No agents to install, no scripts to maintain, nothing to deploy. Everything runs in your browser.

01
Sign in with Microsoft
Authenticate with your Entra ID account. An admin approves the read-only permissions once per tenant.
02
Your browser reads your tenant
Your browser queries Microsoft Graph directly for Conditional Access, PIM, roles, groups, applications, and identity governance. The data never touches our servers.
03
Download your audit-ready PDF
Get a structured PDF in about 3 minutes. No data is ever uploaded to or stored on our servers.

What's in the report

Every configuration your auditor will ask for

Comprehensive coverage of all critical Microsoft Entra ID configurations required for compliance, security, and operational excellence.

Privileged Access & Governance

Just-in-time privileged access, access certification, entitlement management, and terms of use agreements for compliance.

PIM role and group eligibility
Access reviews and certification
Access packages and catalogs
Terms of use agreements

Users & Groups

Complete user statistics, licensing data, privileged user tracking, group management, and critical group identification.

User statistics and lifecycle tracking
Licensed and unlicensed user counts
Privileged user assignments
Security and M365 groups

Security & Access Control

Zero Trust security with Conditional Access policies, named locations, risky user detection, and authentication method configuration.

Conditional Access policies
Named locations (IP and Country)
Risky users and identity protection

External Collaboration

B2B guest access, cross-tenant partner configurations, identity providers, and detailed collaboration analytics.

Guest user statistics and tracking
Cross-tenant access partners
Collaboration settings and permissions
SAML/WS-Fed identity providers

Application Management

Enterprise applications, app registrations, SSO configurations, and comprehensive application policies.

Enterprise applications
App registrations and API permissions
Service principals and authentication
Token lifetime and SSO policies

License Management

Detailed license analytics, utilization tracking, assignment monitoring, and service plan consumption analysis.

SKU inventory and utilization rates
Direct vs group-based assignments
Service plan assignment tracking
License usage optimization insights

Tenant & Infrastructure

Tenant properties, custom domains, administrative units for delegated administration, and directory role assignments.

Organization information
Custom domain verification
Administrative units and delegation
Directory role assignments

Export & Documentation

Generate comprehensive PDF documentation with all configuration details, perfect for audits and disaster recovery.

Detailed PDF reports
Audit-ready documentation
Configuration backup snapshots
Compliance and disaster recovery

Trust & security

Read-only, browser-only, zero data storage.

Every Microsoft Graph permission we request is read-only. Your tenant data is fetched directly into your browser and rendered into a PDF locally. Nothing is uploaded to or stored on our servers.

Read-only accessAdmin consent requiredZero data storage

Full list of requested scopes and architecture details

Why automated documentation matters

Transform your identity governance with documentation that prevents costly failures and accelerates compliance.

98%

Time Savings

Reduce manual documentation from 10+ hours to 3 minutes per tenant. For MSPs managing 30 clients, that's 1,680+ hours saved annually.

Based on a typical 10-hour manual Entra ID documentation baseline.

100%

Compliance Ready

Meet SOC 2, ISO 27001, HIPAA, PCI DSS, and GDPR requirements with always-current, audit-ready documentation and evidence.

Built for IT Professionals

Designed to serve the diverse needs of everyone involved in identity and access management.

IT Administrators

Troubleshoot issues and manage configurations efficiently

MSPs

Manage multiple client tenants with baseline configurations

Security Teams

Monitor security posture and respond to incidents quickly

Compliance Officers

Demonstrate controls and maintain audit-ready evidence

Auditors

Verify comprehensive controls across all frameworks

FAQ

Frequently asked questions

Everything IT admins and security teams usually ask before signing in.

Your next audit PDF is 3 minutes away.

Free forever. Read-only. Processed entirely in your browser.