Horizontal Permissions
Granting an app User.Read.All gives it access to every user in the tenant. No exceptions. No filters. Microsoft offers no native way to scope it down.
GraphWarden is the security layer Microsoft Graph does not include. Granular API filtering, zero-knowledge secrets, and a complete audit trail - deployed in under 60 minutes without changing your application code.
Microsoft Graph is powerful. Too powerful.
Granting an app User.Read.All gives it access to every user in the tenant. No exceptions. No filters. Microsoft offers no native way to scope it down.
Your PowerShell scripts, CI/CD pipelines, and legacy apps - how many have a ClientSecret hardcoded somewhere? And how many people know where?
A Graph secret expires or gets compromised. Now you need to find and update every script, every app, every pipeline that uses it. Manually.
Which app calls Graph? What data does it read? How often? Microsoft Graph provides no granular answer. You're flying blind.
mobilePhone, passwordProfile, onPremisesExtensionAttributes - sensitive properties returned automatically even when the app doesn't need them. GDPR, SOC2, HIPAA, and Loi 25 all have opinions about that.
PowerShell scripts running since 2018 with credentials nobody dares touch. They work. Nobody knows how. Rotating their secrets would break everything.
A lightweight proxy deployed in your environment. Your apps change almost nothing.
Your apps authenticate with GraphWarden using revocable proxy credentials. Real Graph secrets live in Azure Key Vault - never exposed, never hardcoded.
A single YAML file defines granular policies: allowed methods, returned properties, object scope by AAD group. 11 condition types with first-match evaluation.
Every call logged: which app, which endpoint, which rule triggered, how many objects returned vs filtered. Immutable audit trail for GDPR, SOC2, and HIPAA.
GraphWarden is not an API gateway, a data-governance catalog, or an SSPM dashboard. It is a runtime proxy for Microsoft Graph that minimizes responses per-property and per-object while keeping tenant credentials zero-knowledge. Nothing else on the market does this at runtime for Graph.
Purpose-built capabilities that fill the governance gap Microsoft doesn't address. Every enterprise with Microsoft 365 is a potential beneficiary.
Test rules against live Graph data before deploying to production. See exactly what would be filtered.
Interactive API browser to explore endpoints, visualize rule impact, and debug access issues.
Monitor all Graph API activity across your tenant from a single pane. Request volumes, rule triggers, blocked calls, and response times - updated live.
Six alert types out of the box: brute force detection, orphaned identities, expiring secrets, sync timeouts, block spikes, and anomalous access patterns.
Mask, redact, hash, initials, truncate, noise, regex_replace, domain_only, constant.
Manage hundreds of organizations from a single SaaS dashboard. The proxy agent runs in each tenant; the control plane centralizes policy and monitoring.
From HR apps to legacy scripts to third-party integrations - GraphWarden solves problems you face today.
Problem: The app has User.Read.All and can see all 5,000 employees with every property.
With GraphWarden:
The HR app sees all 5,000 users with 40+ properties including mobilePhone, passwordProfile, and home addresses.
The HR app sees only 47 HR department members with 5 properties: name, email, department, job title, and ID.
The app sees only the 47 members of the HR group, with 5 properties instead of 40+.
Problem: A script that's been running for 5 years has a ClientSecret in plain text.
With GraphWarden:
Change 2 lines in your script. Real credentials move to Azure Key Vault. If the proxy credential is compromised, revoke it instantly from the dashboard.
The script changes only 2 lines. Real credentials are in Key Vault.
Problem: An ISV app has User.ReadWrite.All but should only be reading.
With GraphWarden:
Any write attempt (PATCH, PUT, POST, DELETE) from the ISV returns 403 Forbidden, logged with full context for your security team.
Read operations continue normally with sensitive properties stripped. The ISV gets the data it needs - nothing more.
Any write attempt returns 403, logged with the app's identity. Reads proceed normally.
Problem: The Graph secret expires in 24 hours. 8 apps use it.
With GraphWarden:
All 8 apps changed nothing. Zero downtime. Zero code changes.
Problem: Your SaaS apps sync data via Graph - and have access to everything in the tenant.
With GraphWarden:
SaaS App sees all 5,000 tenant users with every property - executives, HR staff, IT admins, and service accounts included.
SaaS App sees only 320 authorized contacts with 6 properties: name, email, phone, job title, company, and ID. 10-minute cache reduces API load by 80%.
SaaS apps see only authorized contacts, 6 properties, 10-minute cache. Zero configuration changes on the SaaS side.
Problem: The auditor asks who accesses which M365 data and how.
With GraphWarden:
Every API call is logged with:
Complete documentation of application-level data access for HIPAA, SOC2, GDPR, and Loi 25.
From sign-up to your first secured Graph API call. Cloud or on-premise - same process, same result.
Sign up on app.graphwarden.com. Your organization dashboard is ready instantly - no provisioning wait, no sales call required during the beta.
Authorize GraphWarden to access your tenant via Entra ID. We guide you through the App Registration and Key Vault setup step by step.
Both options are included in your license. Use one or both depending on your architecture.
We run the proxy for you on Azure (Canada, US, or Europe). No infrastructure to manage. Ready in minutes.
Install a single executable on your Windows Server. Your data never leaves your network.
Set which apps can access which endpoints, which properties to return, and which to strip or transform. Managed through the dashboard or a version-controlled configuration file.
Update the base URL in your applications from graph.microsoft.com to your GraphWarden proxy. For most scripts, that is a one-line change.
Every Graph API call is now filtered, audited, and controlled. Sensitive properties are stripped. Secrets are in Key Vault. Your compliance team can sleep at night.
We teardown the Graph application permissions that grant the most blast radius once compromised — and what a runtime policy changes for each.
One app registration can send as every user in the tenant. No per-sender scope, no per-recipient filter, no native way to audit who was impersonated.
Files.ReadWrite.AllRead and rewrite any file in any site or OneDrive — including executive libraries, HR, and legal — with no site-level boundary and no content-level alert.
Sites.FullControl.AllFull control over every SharePoint site: permissions, sharing, site settings. The permission most often used to pivot from app compromise to tenant takeover.
Application.ReadWrite.AllAny holder can grant itself any other application permission — including Directory-level roles. This permission is a one-step path from app to Global Admin.
Five articles, roughly thirty minutes end to end. No signup required.
No. GraphWarden is a pass-through proxy - data flows through it but nothing is stored. The optional cache is in-memory only and never persisted to disk.
Yes. The proxy agent is a self-contained executable running in your environment. In on-premise mode, there is zero communication with our infrastructure. Your data never leaves your tenant.
Apps can no longer reach Graph through the proxy. This is a single point of failure to consider. Active-passive mode is available for high availability deployments.
20-50ms overhead on the local network. Under 5ms when serving from cache. Optional Redis integration for high-frequency workloads.
Only the base URL and authentication. For PowerShell scripts, that's 2-3 lines of change. No SDK swap, no library update, no architectural overhaul.
Yes. It operates on common OData primitives. A single rule targeting /users* covers all sub-endpoints. Works with v1.0 and beta endpoints.
Tokens exist only in the GraphWarden process memory. They are never returned to client apps, never written to logs, and never persisted to disk.
Dev Proxy is a development-time tool for local testing. GraphWarden is a production-grade 24/7 proxy with policy enforcement, secrets management, caching, and a complete audit trail.
Both. The management dashboard runs on app.graphwarden.com (SaaS). The proxy agent runs in your environment - your data never transits external infrastructure. This hybrid model gives you central management with data sovereignty.
GraphWarden is currently in beta. We are working with a select group of design partners. Request a demo to discuss your use case and get early access.
GraphWarden aligns with seven compliance frameworks that enterprise buyers and auditors recognize: Loi 25 (Québec), PIPEDA (Canada), GDPR (EU), HIPAA (US), SOC 2, ISO 27001, and OWASP API Security Top 10. Graph credentials remain in your Azure Key Vault — the proxy brokers tokens but never stores them. Data residency is configurable per deployment.
Walk through a ruleset with us, or apply to the design-partners pilot.