Intercept
Every Graph API request passes through the proxy. Rules are evaluated in real time with sub-50ms overhead. No API call reaches Microsoft without policy enforcement.
A comprehensive zero-trust platform that interposes between your applications and Microsoft Graph - enforcing granular policies, filtering sensitive data, managing secrets, and auditing every call. No application code changes required.
A transparent proxy that sits between your applications and Microsoft Graph. Your apps point to GraphWarden instead of graph.microsoft.com - everything else stays the same.
Every Graph API request passes through the proxy. Rules are evaluated in real time with sub-50ms overhead. No API call reaches Microsoft without policy enforcement.
11 condition types determine what data is visible. Responses are filtered per-object, sensitive properties stripped or transformed, and unauthorized methods blocked outright.
Every request is logged with full context: caller identity, endpoint, rule matched, objects returned vs. filtered, and response time. Immutable records for compliance.
Define exactly who can see what, down to the individual object and property level. Rules are YAML files - human-readable, version-controllable, and auditable.
Every rule can combine multiple condition types for surgical precision. Group Membership scopes access to AAD security groups. Object Attribute matches on any property value. Email Domain restricts by domain. Custom Attributes check extension attributes 1–15. Administrative Unit enforces OU boundaries. License Assignment filters by assigned SKU. Caller Identity ties rules to specific apps. Time Window limits access to business hours. Rate Limit throttles abusive patterns. Object Count caps response sizes. IP Range restricts by network origin.
Rules are evaluated top-to-bottom. The first rule that matches a request determines the outcome - filter, block, or allow. This deterministic model eliminates ambiguity. You always know which rule will fire, and in what order. No conflict resolution, no priority weights, no surprises. Place your most restrictive rules at the top and your catch-all at the bottom.
Your entire security policy lives in a single YAML file. Check it into Git. Review changes in pull requests. Roll back with git revert. No proprietary console, no opaque JSON blobs, no database migrations. Security teams can read and review rules without learning a new tool. Infrastructure-as-code for Graph API governance.
This is what makes GraphWarden fundamentally different. Conditions are evaluated against each individual object in the Graph API response - not just at the request level. If an app calls /users and the rule scopes access to a specific AAD group, only group members appear in the response. The rest are silently removed. Microsoft Graph returns 5,000 users; GraphWarden delivers the 47 that matter.
Nine transform types let you protect sensitive data in transit without removing it entirely. Whitelist or blacklist properties, then apply transforms to what remains.
Partially redact values while preserving enough context to be useful. A phone number becomes 555-***-****. An email becomes j***@contoso.com. The app can still display meaningful data; it just cannot reconstruct the original.
Replace the entire value with [REDACTED]. The property key is still present in the response - the app knows the field exists - but the value is gone. Clean and unambiguous for compliance audits.
Deterministic one-way hashing. The same input always produces the same hash, so you can correlate records across datasets without exposing the raw value. Ideal for analytics pipelines that need to join on identity without accessing PII.
john.smith@contoso.com becomes contoso.com. Strips the local part of the email address. Useful when applications need to know the organization but not the individual. Perfect for multi-tenant reporting.
John Smith becomes J.S.. Preserves just enough identity for display purposes - dashboards, reports, and UI elements that need a label but not a full name. GDPR-friendly pseudonymization.
Three additional transforms for specialized scenarios. Truncate cuts a value to a configurable length. Noise adds controlled randomness to numeric values. Regex replace lets you define custom patterns for surgical modifications to any string value.
Whitelist mode returns only the properties you explicitly list. Everything else is stripped from the response automatically.
Name only the 5 properties you need - for example: name, email, department, job title, and ID. The other 35+ properties in the Graph user object never reach the app.
Best when your app needs a small, known set of properties. Maximum security - unknown properties cannot leak.
Blacklist mode removes specific properties and returns everything else. Faster to configure when you only need to hide a few fields.
Name the 4 sensitive properties to hide - for example: mobilePhone, passwordProfile, extension attributes, and employee ID. Everything else passes through unchanged.
Best when your app needs most properties but a few are sensitive. Quick to set up - just name what to remove.
Your applications never see real Graph credentials. Real secrets live in Azure Key Vault, accessed only by GraphWarden through Managed Identity. Apps authenticate with revocable proxy credentials.
Applications authenticate with GraphWarden using proxy credentials - a synthetic client ID and secret that GraphWarden issues and controls. The real Entra ID application credentials are never exposed to any consuming application, script, or pipeline.
When a Graph secret expires or is compromised, update it in Key Vault via the dashboard. GraphWarden invalidates its token cache and acquires a new token on the next request. All consuming applications continue working without any changes. Zero downtime, zero code modifications.
Real Graph client secrets and certificates are stored in Azure Key Vault. GraphWarden accesses them via Managed Identity - no stored credentials on disk, no secrets in configuration files. The Key Vault access itself is authenticated through Azure's identity platform.
If a proxy credential is compromised, revoke it from the dashboard in one click. The affected application loses access immediately. No need to rotate the real Graph secret. No need to update other applications. Blast radius is contained to the single proxy credential.
In Azure-hosted deployments, GraphWarden authenticates to Key Vault using Azure Managed Identity. No credentials stored anywhere - not in files, not in environment variables, not in code. The entire credential chain is managed by Azure's identity infrastructure.
Real Graph tokens exist only in the GraphWarden process memory. They are never returned to client applications, never written to logs, and never persisted to disk. If the process stops, tokens vanish. A clean, zero-persistence security model.
A purpose-built dashboard that gives security teams, IT admins, and compliance officers a single pane of glass into all Graph API activity across the tenant.
A live overview of your Graph API security state. Total requests, blocked calls, filtered objects, active rules, and agent health - all at a glance. Time-series charts show trends over hours, days, and weeks. Identify anomalies before they become incidents.
Brute Force - repeated failed authentication attempts from a single caller. Orphaned Identity - an app registration with no owner making Graph calls. Expiring Secret - credentials approaching their expiration date. Secret Rotated - notification when Key Vault secrets are updated. Sync Timeout - proxy agent loses connection to the dashboard. Block Spike - sudden increase in blocked requests suggesting misconfiguration or attack.
Request volume, response latency, rule trigger frequency, and block rates - charted over configurable time windows. Drill down by application, endpoint, or rule. Identify which apps generate the most traffic, which rules fire most often, and where bottlenecks emerge.
The proxy agent reports its status to the SaaS dashboard at regular intervals. CPU, memory, uptime, last sync time, and certificate expiration - all visible from a central console. When an agent goes silent, you know immediately. Multi-tenant deployments show all agents on a single map.
Beyond the core proxy and rule engine, GraphWarden ships with a complete set of tools for testing, exploring, managing, and securing your Graph API environment.
Test your rules against live Graph data before deploying them. Select an app identity, an endpoint, and a rule set - then see exactly which objects would be returned, filtered, or blocked. Catch misconfigurations before they reach production.
An interactive API browser built into the dashboard. Browse endpoints, execute queries, and see rule impact visualization in real time. Understand exactly what each application can access through the proxy without leaving the console.
Manage hundreds of organizations from a single SaaS dashboard. The proxy agent runs inside each tenant; the control plane centralizes policy management, monitoring, and alerting. Designed for MSPs, ISVs, and enterprises with multiple M365 tenants.
Four built-in roles govern who can do what in the dashboard. Admin has full control. Editor manages rules and proxy credentials. Viewer can see dashboards and logs. Auditor has read-only access to compliance reports and audit trails.
Communication between the proxy agent and the SaaS dashboard is authenticated with HMAC signatures. Every request is signed with a shared secret. Tampered or replayed messages are rejected. No bearer tokens to steal, no session cookies to hijack.
Control how long proxy tokens remain valid. Short TTLs reduce the window of exposure if a credential is compromised. Longer TTLs reduce authentication overhead for high-frequency workloads. Set per-application or globally - the right balance for each use case.
Every enterprise running Microsoft 365 faces these challenges. Most just don't know a solution exists yet. Let us show you what zero-trust Graph API security looks like in practice.
Beta · Now Accepting PartnersOr read the documentation to explore the technical details.