Enforce Microsoft Graph like a policy.

GraphWarden is the security layer Microsoft Graph does not include. Granular API filtering, zero-knowledge secrets, and a complete audit trail - deployed in under 60 minutes without changing your application code.

11
Condition Types
9
Transform Types
<60 min
To Deploy
0
Secrets Exposed
SOC 2 Ready
GDPR Compliant
HIPAA Compatible
Loi 25 (Québec)
Zero-Knowledge Architecture
Azure Key Vault Integrated

The Problem Everyone Ignores

Microsoft Graph is powerful. Too powerful.

Horizontal Permissions

Granting an app User.Read.All gives it access to every user in the tenant. No exceptions. No filters. Microsoft offers no native way to scope it down.

Secrets in Code

Your PowerShell scripts, CI/CD pipelines, and legacy apps - how many have a ClientSecret hardcoded somewhere? And how many people know where?

Impossible Rotation

A Graph secret expires or gets compromised. Now you need to find and update every script, every app, every pipeline that uses it. Manually.

Zero Visibility

Which app calls Graph? What data does it read? How often? Microsoft Graph provides no granular answer. You're flying blind.

Compliance & Sensitive Data

mobilePhone, passwordProfile, onPremisesExtensionAttributes - sensitive properties returned automatically even when the app doesn't need them. GDPR, SOC2, HIPAA, and Loi 25 all have opinions about that.

The Legacy Problem

PowerShell scripts running since 2018 with credentials nobody dares touch. They work. Nobody knows how. Rotating their secrets would break everything.

GraphWarden Interposes. Intelligently.

A lightweight proxy deployed in your environment. Your apps change almost nothing.

BEFORE HR App Legacy Script SaaS App Microsoft Graph (entire tenant) AFTER HR App Legacy Script SaaS App Graph Warden filter + audit Microsoft Graph proxy credentials real credentials Secrets Management Your apps authenticate with GraphWarden using revocable proxy credentials. Real Graph secrets live in Azure Key Vault. Apps never see them. Rule Engine A YAML file defines granular rules: allowed methods, returned properties, object scope by AAD group. First-match evaluation across 11 condition types. Complete Audit Every call is logged: which app, which endpoint, which rule was triggered, how many objects were returned vs filtered. Immutable logs for compliance.

Secrets Management

Your apps authenticate with GraphWarden using revocable proxy credentials. Real Graph secrets live in Azure Key Vault - never exposed, never hardcoded.

Rule Engine

A single YAML file defines granular policies: allowed methods, returned properties, object scope by AAD group. 11 condition types with first-match evaluation.

Complete Audit

Every call logged: which app, which endpoint, which rule triggered, how many objects returned vs filtered. Immutable audit trail for GDPR, SOC2, and HIPAA.

What GraphWarden is not

GraphWarden is not an API gateway, a data-governance catalog, or an SSPM dashboard. It is a runtime proxy for Microsoft Graph that minimizes responses per-property and per-object while keeping tenant credentials zero-knowledge. Nothing else on the market does this at runtime for Graph.

Enterprise-Grade Security for Graph API

Purpose-built capabilities that fill the governance gap Microsoft doesn't address. Every enterprise with Microsoft 365 is a potential beneficiary.

What-If Simulator

Test rules against live Graph data before deploying to production. See exactly what would be filtered.

Graph Explorer

Interactive API browser to explore endpoints, visualize rule impact, and debug access issues.

Real-Time Dashboards

Monitor all Graph API activity across your tenant from a single pane. Request volumes, rule triggers, blocked calls, and response times - updated live.

Smart Alerts

Six alert types out of the box: brute force detection, orphaned identities, expiring secrets, sync timeouts, block spikes, and anomalous access patterns.

Data Transforms

Mask, redact, hash, initials, truncate, noise, regex_replace, domain_only, constant.

Multi-Tenant

Manage hundreds of organizations from a single SaaS dashboard. The proxy agent runs in each tenant; the control plane centralizes policy and monitoring.

Real-World Scenarios

From HR apps to legacy scripts to third-party integrations - GraphWarden solves problems you face today.

HR Application

Problem: The app has User.Read.All and can see all 5,000 employees with every property.

With GraphWarden:

! Without GraphWarden

The HR app sees all 5,000 users with 40+ properties including mobilePhone, passwordProfile, and home addresses.

With GraphWarden

The HR app sees only 47 HR department members with 5 properties: name, email, department, job title, and ID.

The app sees only the 47 members of the HR group, with 5 properties instead of 40+.

Legacy Script

Problem: A script that's been running for 5 years has a ClientSecret in plain text.

With GraphWarden:

Before graph.microsoft.com
After your-server:5000

Change 2 lines in your script. Real credentials move to Azure Key Vault. If the proxy credential is compromised, revoke it instantly from the dashboard.

The script changes only 2 lines. Real credentials are in Key Vault.

Block Writes

Problem: An ISV app has User.ReadWrite.All but should only be reading.

With GraphWarden:

! Write Attempts

Any write attempt (PATCH, PUT, POST, DELETE) from the ISV returns 403 Forbidden, logged with full context for your security team.

Read Operations

Read operations continue normally with sensitive properties stripped. The ISV gets the data it needs - nothing more.

Any write attempt returns 403, logged with the app's identity. Reads proceed normally.

Secret Rotation

Problem: The Graph secret expires in 24 hours. 8 apps use it.

With GraphWarden:

  1. Admin opens the GraphWarden dashboard
  2. Creates a new secret in Entra ID
  3. Updates the secret in Key Vault via the dashboard
  4. GraphWarden invalidates the token cache
  5. Next API call: new token acquired automatically

All 8 apps changed nothing. Zero downtime. Zero code changes.

SaaS Apps → Graph

Problem: Your SaaS apps sync data via Graph - and have access to everything in the tenant.

With GraphWarden:

! Without GraphWarden

SaaS App sees all 5,000 tenant users with every property - executives, HR staff, IT admins, and service accounts included.

With GraphWarden

SaaS App sees only 320 authorized contacts with 6 properties: name, email, phone, job title, company, and ID. 10-minute cache reduces API load by 80%.

SaaS apps see only authorized contacts, 6 properties, 10-minute cache. Zero configuration changes on the SaaS side.

Compliance & Audit

Problem: The auditor asks who accesses which M365 data and how.

With GraphWarden:

Every API call is logged with:

Which application made the request
The exact endpoint accessed
Which policy rule was triggered
Objects returned vs. filtered
Properties stripped from responses
Precise timestamp and response time

Complete documentation of application-level data access for HIPAA, SOC2, GDPR, and Loi 25.

Up and Running in Under 60 Minutes

From sign-up to your first secured Graph API call. Cloud or on-premise - same process, same result.

1

Open Your Account

Sign up on app.graphwarden.com. Your organization dashboard is ready instantly - no provisioning wait, no sales call required during the beta.

2

Connect Your Microsoft 365 Tenant

Authorize GraphWarden to access your tenant via Entra ID. We guide you through the App Registration and Key Vault setup step by step.

3

Choose Your Deployment

Both options are included in your license. Use one or both depending on your architecture.

Cloud Hosted

We run the proxy for you on Azure (Canada, US, or Europe). No infrastructure to manage. Ready in minutes.

On-Premise

Install a single executable on your Windows Server. Your data never leaves your network.

4

Define Your Security Rules

Set which apps can access which endpoints, which properties to return, and which to strip or transform. Managed through the dashboard or a version-controlled configuration file.

5

Point Your Applications

Update the base URL in your applications from graph.microsoft.com to your GraphWarden proxy. For most scripts, that is a one-line change.

You Are Now Locked Down

Every Graph API call is now filtered, audited, and controlled. Sensitive properties are stripped. Secrets are in Key Vault. Your compliance team can sleep at night.

Frequently Asked Questions

No. GraphWarden is a pass-through proxy - data flows through it but nothing is stored. The optional cache is in-memory only and never persisted to disk.

Yes. The proxy agent is a self-contained executable running in your environment. In on-premise mode, there is zero communication with our infrastructure. Your data never leaves your tenant.

Apps can no longer reach Graph through the proxy. This is a single point of failure to consider. Active-passive mode is available for high availability deployments.

20-50ms overhead on the local network. Under 5ms when serving from cache. Optional Redis integration for high-frequency workloads.

Only the base URL and authentication. For PowerShell scripts, that's 2-3 lines of change. No SDK swap, no library update, no architectural overhaul.

Yes. It operates on common OData primitives. A single rule targeting /users* covers all sub-endpoints. Works with v1.0 and beta endpoints.

Tokens exist only in the GraphWarden process memory. They are never returned to client apps, never written to logs, and never persisted to disk.

Dev Proxy is a development-time tool for local testing. GraphWarden is a production-grade 24/7 proxy with policy enforcement, secrets management, caching, and a complete audit trail.

Both. The management dashboard runs on app.graphwarden.com (SaaS). The proxy agent runs in your environment - your data never transits external infrastructure. This hybrid model gives you central management with data sovereignty.

GraphWarden is currently in beta. We are working with a select group of design partners. Request a demo to discuss your use case and get early access.

Designed against the frameworks you are audited on

GraphWarden aligns with seven compliance frameworks that enterprise buyers and auditors recognize: Loi 25 (Québec), PIPEDA (Canada), GDPR (EU), HIPAA (US), SOC 2, ISO 27001, and OWASP API Security Top 10. Graph credentials remain in your Azure Key Vault — the proxy brokers tokens but never stores them. Data residency is configurable per deployment.

Run Microsoft Graph under your policy

Walk through a ruleset with us, or apply to the design-partners pilot.