Incredible Insights.
Amazingly Affordable.

FAQs

• How can I get started?

  1. Sign up at https://app.cloudcapsule.io/

  2. Enter your Tenant ID.
     Click here to find your tenant ID via your domain name.

  3. Consent to the permissions with a Global Admin in the tenant.

  4. Click on Start Assessment.

  Check out our Video Tutorial for more details.

• What Microsoft licensing is required?

  CloudCapsule is optimized for use with Microsoft's premium licensing to elevate security to the proper standard.

  For most SMB clients, Microsoft Business Premium is going to be the most optimal licensing choice given it has these key features: 

  • Entra ID P1 

  • Intune 

  • Defender  

  Microsoft M365 E3 and E5 licenses also provide optimal results but will also reflect additional complexity due to the expanded feature set found in these licenses.

  Please note that if you try to add a tenant with licensing with reduced features such as Business Standard, the assessment will fail given the lack of a Defender service principal.

• How do I obtain pricing for a tenant with over 1000 seats?

  Simply reach out to our team at support@cloudcapsule.io or use our Book a Demo link to schedule an appointment to discuss your specific needs.

  We offer volume pricing discounts and can scale to meet business with 10,000 seats or more with ease. 

• What's your cancellation policy?

  Our Essentials plan is available on a monthly or annual basis. Monthly plans can be cancelled at any time, annual plans can be cancelled upon completion of the 12-month subscription term.

• What access does the application need to a tenant and why?

  The data privacy of a tenant is of utmost importance to our team, so please contact us if you have any questions or concerns about using CloudCapsule.

  In general, we primary request read permissions to the tenant with a few read/write permissions to properly enable and disable access of our platform.

  Below are details for each specific service we leverage to properly assess a given tenant:

  Application.Read.All 

  Purpose: Used to read all Enterprise Applications in the account. 

   

  Application.ReadWrite.OwnedBy 

  Purpose: Manage apps that this app creates or owns. Used to provide you the ability to revoke CloudCapsule permissions to the tenant and delete the app from the underlying tenant as well. 

   

  AuditLog.Read.All 

  Purpose: Read all audit log data for Sign in information and suspicious user activity.  

   

  DelegatedAdminRelationship.Read.All 

  Purpose: Read Delegated Admin relationships with customers. Used to pull in all tenants under the MSP partner tenant.  

   

  DeviceManagementApps.Read.All 

  Purpose: Read Microsoft Intune apps 

   

  DeviceManagementConfiguration.Read.All 

  Purpose: Read Microsoft Intune device configuration and policies 

   

  DeviceManagementManagedDevices.Read.All 

  Purpose: Read Microsoft Intune devices 

   

  DeviceManagementServiceConfig.Read.All 

  Purpose: Read Microsoft Intune configuration 

   

  Directory.Read.All 

  Purpose: Read directory data (specifically users and groups) 

   

  email 

  Purpose: View users' email address 

   

  GroupMember.Read.All 

  Purpose: Read all group memberships 

   

  IdentityRiskEvent.Read.All 

  Purpose: Read all identity risk event information 

   

  MailboxSettings.Read 

  Purpose: Read all user mailbox settings 

   

  offline_access 

  Purpose: Maintain access to data you have given it access to. Specifically used for SSO to the application 

   

  openid 

  Purpose: Sign users in. Specifically used for SSO to the application 

   

  Organization.Read.All 

  Purpose: Read organization information 

   

  OrganizationalBranding.Read.All 

  Purpose: Read organizational branding information 

   

  Policy.Read.All 

  Purpose: Read your organization's policies such as Conditional Access 

   

  Policy.ReadWrite.AuthenticationMethod 

  Purpose: Read and write all authentication method policies  

   

  profile 

  Purpose: View users' basic profile. Used for SSO.  

   

  Reports.Read.All 

  Purpose: Read all usage reports 

   

  ReportSettings.ReadWrite.All 

  Purpose: Read and write all admin report settings 

   

  RoleManagement.ReadWrite.Directory 

  Purpose: Read and write all directory RBAC settings. This is used to add the app to the Exchange and Teams roles in AD so that the application can grab Exchange and Teams policy information.  

   

  SecurityAlert.Read.All 

  Purpose: Read all security alerts 

   

  SecurityEvents.Read.All 

  Purpose: Read your organization’s security events 

   

  SharePointTenantSettings.Read.All 

  Purpose: Read SharePoint and OneDrive tenant settings 

   

  Sites.Read.All 

  Purpose: Read all site collections. This is used to pull in all details about SharePoint sites.  

   

  Team.ReadBasic.All 

  Purpose: Get a list of all teams 

   

  TeamSettings.Read.All 

  Purpose: Read all teams' settings 

   

  User.Read 

  Purpose: Sign in and read user profile. Used for SSO. 

   

  User.Read.All 

  Purpose: Read all users' full profiles 

   

  UserAuthenticationMethod.Read.All 

  Purpose: Read all users' authentication methods 

   

  Exchange.ManageAsApp 

  Purpose: Manage Exchange As Application. Used to get Exchange Policies. Read-only calls are made. 

   

  Alert.Read.All 

  Purpose: Read all alerts 

   

  Machine.Read.All 

  Purpose: Read all machine profiles 

   

  Score.Read.All 

  Purpose: Read Threat and Vulnerability Management score 

   

  SecurityRecommendation.Read.All 

  Purpose: Read Threat and Vulnerability Management security recommendations 

   

  Software.Read.All 

  Purpose: Read Threat and Vulnerability Management software information 

   

  Vulnerability.Read.All 

  Purpose: Read Threat and Vulnerability Management vulnerability information 

• What data security practices does CloudCapsule follow and where is the data stored?

  The data privacy of a tenant is of utmost importance to our team, so please contact us if you have any questions or concerns about using CloudCapsule.

  • All data is stored in cloud instance within a region that you selected upon sign up (US or EU). The data for each tenant is isolated in its own instance in the database 

  • EU datacenter:

    • The data is hosted in GCP: europe-west1 (Belgium).

    • The data is not being stored in any other location but it is also being processed with an Azure function in a West Europe datacenter on the Microsoft side (Amsterdam/Netherlands). 

  • US datacenter: 

    • The data is hosted in GCP: East US​

  • All tenant data is encrypted at rest and in transit 

  • The data is only retained for one year and can be deleted on demand by revoking access in CloudCapsule 

  • Role based access control is enforced on database with row-level access control. All access is gaited by MFA at restricted locations. 

  • Periodic Vulnerability scanning is performed on the database 

  • The data is not aggregated or used to train a larger model.