Frequently Asked Questions

You need to be a Global Administrator in your Microsoft 365 tenant to grant the consent Kyberbyte requests. This is a one-time step — you authenticate via Microsoft's standard sign-in and approve read-only API access.

If you're not a Global Admin, you'll need someone with that role to approve the consent screen. The scan itself can be initiated by whoever has your Kyberbyte login — the Microsoft admin only needs to be involved at the connection step.

Kyberbyte supports the full range of commercial M365 subscription SKUs — including Business Basic, Business Standard, Business Premium, Microsoft 365 Apps, the Enterprise family (E3, E5, F1, F3), and common standalone add-ons (Exchange Online, Intune, Defender, and others).

The scan works across CSP, NCE, and direct billing arrangements. If you're unsure whether your specific licence mix is covered, the free scan will tell you immediately — if a licence type isn't recognised, it'll say so rather than silently ignoring it.

Kyberbyte requests the following Microsoft Graph API permissions — all read-only, none write:

• User.Read.All — full user profiles, including account status and sign-in activity
• LicenseAssignment.Read.All — which licences are assigned to which users
• Directory.Read.All — directory objects including users, groups, and service principals
• RoleManagement.Read.Directory — directory role assignments (used to identify admin accounts for guardrail protection)
• GroupMember.Read.All — group memberships (used to identify shared mailboxes and distribution groups)
• Organization.Read.All — tenant-level subscription and organisation information
• AuditLog.Read.All — sign-in and activity audit logs
• Reports.Read.All — Microsoft 365 usage reports (application activity per user)
• User.Read — the signed-in admin's own profile (delegated, used for authentication)

Kyberbyte cannot read email content, files, Teams messages, calendar entries, or any user-generated content. The consent screen Microsoft presents to your admin reflects exactly these permissions — nothing beyond what's listed above.

By default, estimates use Microsoft UK standard list pricing. During the scan setup, you'll be prompted to confirm your billing type — if you're on a CSP arrangement or have negotiated rates, you can indicate this, and the estimates will be adjusted accordingly.

The free preview always shows you which pricing basis was used. If the figure looks off, it's usually because the wrong billing basis was selected — it's a 30-second fix before you decide whether to unlock the full report.

Guardrails are rules that prevent recommendations from being made against accounts where removal could cause serious operational harm — even if they look like waste on paper.

For example, an account with no recent sign-in activity might look inactive — but if it's a Global Administrator, a service account, or a shared mailbox with recent inbound activity, Kyberbyte will flag it for your awareness rather than recommend removal. You'll see these in the full report with the reason they were held back.

The guardrail system is designed to make the report safe to act on directly — you shouldn't need to second-guess whether a recommendation is risky.

Yes. Each scan is a separate, independent audit of your tenant at that point in time. If you action the recommendations from your first report and want to verify the changes, or if your organisation grows and you want a fresh view, you can run another scan.

Each subsequent scan is a new purchase at the standard pricing tier for your user count at the time of that scan.

Scan data is processed and stored on Microsoft Azure infrastructure in the UK. We store the output of your scan (user-level licence and activity data) to generate and serve your report — not indefinitely.

Specifically: scan results are retained for 90 days after your scan date, after which they are deleted from our systems. Your report download is yours to keep indefinitely — we just don't hold the underlying data longer than needed.

We do not sell, share, or transfer your tenant data to any third party. See our Privacy Policy for full detail.

No. Your tenant data — user names, licence assignments, activity signals — is used solely to generate your report. It is not aggregated, benchmarked against other tenants, used to train models, or analysed for any purpose beyond producing your specific output.

The statistics on our website (e.g. "30% of licences go unused") come from published third-party research, not from data collected through Kyberbyte scans.

Yes — the easiest method is to open the downloaded HTML file in your browser and use File → Print → Save as PDF. In Chrome and Edge this produces a clean, well-formatted output. The report is styled to print cleanly, with the full detail intact.

A native PDF export option is on the roadmap. For now, the browser print route works well for attaching to emails or sharing with Finance.

Some organisations prefer to have the report actioned for them rather than doing it internally — particularly if the changes involve multiple departments or need to be handled carefully around renewal dates.

The implementation service covers reviewing your full report, confirming the recommended changes with you, and making the licence adjustments in your tenant directly. Pricing is quoted based on scope and is discussed after you receive your report.

Get in touch to discuss — or use the contact link on the main site.

The product works for any Microsoft 365 commercial tenant, regardless of geography. The default pricing estimates use UK list prices — if your billing is in a different currency or region, adjust the pricing basis during setup to get estimates that reflect what you actually pay.

Our company is UK-registered and our primary market is the UK and Ireland. Support for additional regional pricing defaults is in development.

Yes — when you apply, you can request a test scan as part of the onboarding conversation. We'll walk you through a scan on your own tenant (or a test tenant) so you can see the report output before committing to scanning client environments.

There's no obligation at application stage. We want you to be confident in what you're putting in front of clients before you do.

Yes. Each client tenant is a separate Microsoft environment, so each one requires its own admin consent to grant Kyberbyte read-only access to their data. This is a standard Microsoft requirement — cross-tenant access isn't possible without explicit per-tenant consent.

In practice, this means a client's Global Admin needs to approve the consent screen once per tenant. It takes under two minutes and only needs to happen once — subsequent scans of the same tenant don't require re-consent unless the permissions change.

We provide a short, plain-English explanation you can send to clients ahead of the consent step if they want to understand what they're approving.

Currently, the MSP workspace is MSP-access only — your clients don't have their own portal login. Reports are delivered to you, and how you share them with clients is your choice (most partners download the HTML and include it in a QBR pack, or send it directly).

Client-facing access is something we're evaluating for a future release — if that's important to your workflow, let us know during onboarding and we'll factor it into roadmap prioritisation.

Not at this time. Reports carry Kyberbyte branding and there are no current plans to change that in the near term. This is something we may revisit further down the line, but we'd rather be straightforward than put it on a roadmap we can't commit to.

In practice, most partners add a short cover memo or summary in their own template when presenting to clients — the report itself handles the detailed content, so the Kyberbyte branding tends not to be a friction point. If it's a hard requirement for your business, it's worth raising during onboarding so we have an honest conversation about fit.

Under the partner programme, the MSP is billed directly at the agreed partner rates. You invoice your clients however you choose — most partners include the audit cost within their remediation quote or as a line item in a quarterly managed service fee.

Client direct billing (where the client pays Kyberbyte independently) is possible via the standard direct-buyer route, but that would sit outside the MSP workspace and wouldn't count toward your volume pricing.

Tenant management is fully self-serve. From your MSP workspace you can create a workspace, add new client tenants, and remove them at any time — no involvement from us required.

Adding a tenant triggers the standard Microsoft Graph consent flow for that client. Once their admin approves, the tenant appears in your workspace and is ready to scan.