Built for Enterprise Graph API Security

A comprehensive zero-trust platform that interposes between your applications and Microsoft Graph - enforcing granular policies, filtering sensitive data, managing secrets, and auditing every call. No application code changes required.

Core Architecture

A transparent proxy that sits between your applications and Microsoft Graph. Your apps point to GraphWarden instead of graph.microsoft.com - everything else stays the same.

HR App Legacy Script SaaS App CI/CD Pipeline proxy credentials GraphWarden Policy Engine · Proxy · Audit 11 conditions 9 transforms real credentials Microsoft Graph v1.0 & beta YAML Rules Azure Key Vault Audit Log Your apps never see the real Graph credentials. Data flows through - nothing is stored.

Intercept

Every Graph API request passes through the proxy. Rules are evaluated in real time with sub-50ms overhead. No API call reaches Microsoft without policy enforcement.

Enforce

11 condition types determine what data is visible. Responses are filtered per-object, sensitive properties stripped or transformed, and unauthorized methods blocked outright.

Audit

Every request is logged with full context: caller identity, endpoint, rule matched, objects returned vs. filtered, and response time. Immutable records for compliance.

The Most Sophisticated Policy Language for Graph API

Define exactly who can see what, down to the individual object and property level. Rules are YAML files - human-readable, version-controllable, and auditable.

11 Condition Types

Every rule can combine multiple condition types for surgical precision. Group Membership scopes access to AAD security groups. Object Attribute matches on any property value. Email Domain restricts by domain. Custom Attributes check extension attributes 1–15. Administrative Unit enforces OU boundaries. License Assignment filters by assigned SKU. Caller Identity ties rules to specific apps. Time Window limits access to business hours. Rate Limit throttles abusive patterns. Object Count caps response sizes. IP Range restricts by network origin.

First-Match Evaluation

Rules are evaluated top-to-bottom. The first rule that matches a request determines the outcome - filter, block, or allow. This deterministic model eliminates ambiguity. You always know which rule will fire, and in what order. No conflict resolution, no priority weights, no surprises. Place your most restrictive rules at the top and your catch-all at the bottom.

YAML Configuration

Your entire security policy lives in a single YAML file. Check it into Git. Review changes in pull requests. Roll back with git revert. No proprietary console, no opaque JSON blobs, no database migrations. Security teams can read and review rules without learning a new tool. Infrastructure-as-code for Graph API governance.

Per-Object Filtering

This is what makes GraphWarden fundamentally different. Conditions are evaluated against each individual object in the Graph API response - not just at the request level. If an app calls /users and the rule scopes access to a specific AAD group, only group members appear in the response. The rest are silently removed. Microsoft Graph returns 5,000 users; GraphWarden delivers the 47 that matter.

Control Exactly What Data Leaves Your Tenant

Nine transform types let you protect sensitive data in transit without removing it entirely. Whitelist or blacklist properties, then apply transforms to what remains.

mask_end / mask_start

Partially redact values while preserving enough context to be useful. A phone number becomes 555-***-****. An email becomes j***@contoso.com. The app can still display meaningful data; it just cannot reconstruct the original.

redact

Replace the entire value with [REDACTED]. The property key is still present in the response - the app knows the field exists - but the value is gone. Clean and unambiguous for compliance audits.

hash (SHA-256)

Deterministic one-way hashing. The same input always produces the same hash, so you can correlate records across datasets without exposing the raw value. Ideal for analytics pipelines that need to join on identity without accessing PII.

domain_only

john.smith@contoso.com becomes contoso.com. Strips the local part of the email address. Useful when applications need to know the organization but not the individual. Perfect for multi-tenant reporting.

initials

John Smith becomes J.S.. Preserves just enough identity for display purposes - dashboards, reports, and UI elements that need a label but not a full name. GDPR-friendly pseudonymization.

truncate, noise, regex_replace

Three additional transforms for specialized scenarios. Truncate cuts a value to a configurable length. Noise adds controlled randomness to numeric values. Regex replace lets you define custom patterns for surgical modifications to any string value.

Allow Only What You Name

Whitelist mode returns only the properties you explicitly list. Everything else is stripped from the response automatically.

Whitelist Mode

Name only the 5 properties you need - for example: name, email, department, job title, and ID. The other 35+ properties in the Graph user object never reach the app.

Best when your app needs a small, known set of properties. Maximum security - unknown properties cannot leak.

Strip Only What You Name

Blacklist mode removes specific properties and returns everything else. Faster to configure when you only need to hide a few fields.

! Blacklist Mode

Name the 4 sensitive properties to hide - for example: mobilePhone, passwordProfile, extension attributes, and employee ID. Everything else passes through unchanged.

Best when your app needs most properties but a few are sensitive. Quick to set up - just name what to remove.

Zero-Knowledge Credential Architecture

Your applications never see real Graph credentials. Real secrets live in Azure Key Vault, accessed only by GraphWarden through Managed Identity. Apps authenticate with revocable proxy credentials.

Apps Never See Real Secrets

Applications authenticate with GraphWarden using proxy credentials - a synthetic client ID and secret that GraphWarden issues and controls. The real Entra ID application credentials are never exposed to any consuming application, script, or pipeline.

Rotation Without Downtime

When a Graph secret expires or is compromised, update it in Key Vault via the dashboard. GraphWarden invalidates its token cache and acquires a new token on the next request. All consuming applications continue working without any changes. Zero downtime, zero code modifications.

Azure Key Vault Integration

Real Graph client secrets and certificates are stored in Azure Key Vault. GraphWarden accesses them via Managed Identity - no stored credentials on disk, no secrets in configuration files. The Key Vault access itself is authenticated through Azure's identity platform.

Instant Revocation

If a proxy credential is compromised, revoke it from the dashboard in one click. The affected application loses access immediately. No need to rotate the real Graph secret. No need to update other applications. Blast radius is contained to the single proxy credential.

Managed Identity Pattern

In Azure-hosted deployments, GraphWarden authenticates to Key Vault using Azure Managed Identity. No credentials stored anywhere - not in files, not in environment variables, not in code. The entire credential chain is managed by Azure's identity infrastructure.

Token Isolation

Real Graph tokens exist only in the GraphWarden process memory. They are never returned to client applications, never written to logs, and never persisted to disk. If the process stops, tokens vanish. A clean, zero-persistence security model.

Real-Time Visibility Into Every API Call

A purpose-built dashboard that gives security teams, IT admins, and compliance officers a single pane of glass into all Graph API activity across the tenant.

Security Posture Dashboard

A live overview of your Graph API security state. Total requests, blocked calls, filtered objects, active rules, and agent health - all at a glance. Time-series charts show trends over hours, days, and weeks. Identify anomalies before they become incidents.

6 Alert Types Out of the Box

Brute Force - repeated failed authentication attempts from a single caller. Orphaned Identity - an app registration with no owner making Graph calls. Expiring Secret - credentials approaching their expiration date. Secret Rotated - notification when Key Vault secrets are updated. Sync Timeout - proxy agent loses connection to the dashboard. Block Spike - sudden increase in blocked requests suggesting misconfiguration or attack.

Time-Series Analytics

Request volume, response latency, rule trigger frequency, and block rates - charted over configurable time windows. Drill down by application, endpoint, or rule. Identify which apps generate the most traffic, which rules fire most often, and where bottlenecks emerge.

Agent Health Monitoring

The proxy agent reports its status to the SaaS dashboard at regular intervals. CPU, memory, uptime, last sync time, and certificate expiration - all visible from a central console. When an agent goes silent, you know immediately. Multi-tenant deployments show all agents on a single map.

Additional Capabilities

Beyond the core proxy and rule engine, GraphWarden ships with a complete set of tools for testing, exploring, managing, and securing your Graph API environment.

What-If Simulator

Test your rules against live Graph data before deploying them. Select an app identity, an endpoint, and a rule set - then see exactly which objects would be returned, filtered, or blocked. Catch misconfigurations before they reach production.

Graph Explorer

An interactive API browser built into the dashboard. Browse endpoints, execute queries, and see rule impact visualization in real time. Understand exactly what each application can access through the proxy without leaving the console.

Multi-Tenant Support

Manage hundreds of organizations from a single SaaS dashboard. The proxy agent runs inside each tenant; the control plane centralizes policy management, monitoring, and alerting. Designed for MSPs, ISVs, and enterprises with multiple M365 tenants.

Role-Based Access Control

Four built-in roles govern who can do what in the dashboard. Admin has full control. Editor manages rules and proxy credentials. Viewer can see dashboards and logs. Auditor has read-only access to compliance reports and audit trails.

HMAC-Authenticated Agent API

Communication between the proxy agent and the SaaS dashboard is authenticated with HMAC signatures. Every request is signed with a shared secret. Tampered or replayed messages are rejected. No bearer tokens to steal, no session cookies to hijack.

Configurable Token TTL

Control how long proxy tokens remain valid. Short TTLs reduce the window of exposure if a credential is compromised. Longer TTLs reduce authentication overhead for high-frequency workloads. Set per-application or globally - the right balance for each use case.

See GraphWarden in Action

Every enterprise running Microsoft 365 faces these challenges. Most just don't know a solution exists yet. Let us show you what zero-trust Graph API security looks like in practice.

Beta · Now Accepting Partners

Or read the documentation to explore the technical details.