1Security

Your First Scan

Understand what happens after you connect the tenant - and how to read the results.

1Security automatically schedules a full scan after a tenant is connected. This page explains what that scan actually does, how long it takes, and what to look at first.

What gets scanned

Users
Groups & Roles
Enterprise applications
Managed identities
Add Ins
Service principals
Agents
Sensitive info types
Sensitivity labels
Files
Mailboxes
Licenses
Sites
OneDrives
Subsites
Hubsites
Emails
Domains
Devices

Scan stages

The scan runs through several stages in order. You can watch progress in the header or in the Scan status column on the Tenants page.

Discovery

1Security discovers all identities, resources, and activities in your tenant. You can track found identities across pages like Users, Files, Activity, and Alerts. Permissions for a resource are mapped shortly after discovery. Sites must be Fully scanned before their permissions are mapped.

Permission graph

For each resource, we map every identity that can access it - including indirect access through nested groups. This is the longest stage. We map access not just for Users but also for Apps, including Copilot Agents.

This turns 1Security into a fully interactive tenant map. You can navigate from users to their actions, to the files they modified, to the sensitive data in those files, and you can start an audit from any of these points.
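A minimal sketch of the nested-group expansion described in this stage, added here as an example and not 1Security's own implementation: it resolves every identity that can reach a resource, records the chain of groups the access flows through, and tolerates membership cycles. All group, user, app and resource names are constructed sample data.

```python
from collections import deque

# Constructed sample data (hypothetical names, not from any real tenant).
# MEMBERS maps a group to its direct members (users, apps, or other groups).
MEMBERS = {
    "grp-finance": ["alice", "grp-finance-leads"],
    "grp-finance-leads": ["bob", "grp-auditors"],
    "grp-auditors": ["app-report-bot", "grp-finance"],  # cycle back to grp-finance
    "grp-empty": [],
}
# GRANTS maps a resource to the principals granted access directly.
GRANTS = {
    "site:/finance/budget.xlsx": ["grp-finance", "carol"],
    "site:/hr/handbook.docx": ["grp-empty"],
}


def effective_access(resource, grants=GRANTS, members=MEMBERS):
    """Return {identity: path} for every non-group identity that can reach
    `resource`. `path` lists the chain of groups the access flows through;
    an empty list means a direct grant."""
    result = {}
    seen_groups = set()
    queue = deque((p, []) for p in grants.get(resource, []))
    while queue:
        principal, path = queue.popleft()
        if principal in members:  # principal is a group: expand it
            if principal in seen_groups:  # guards against membership cycles
                continue
            seen_groups.add(principal)
            for member in members[principal]:
                queue.append((member, path + [principal]))
        else:
            # BFS reaches shortest chains first; keep the first path found.
            result.setdefault(principal, path)
    return result


def indirect_only(resource):
    """Identities whose access exists only through group membership."""
    return {i: p for i, p in effective_access(resource).items() if p}


if __name__ == "__main__":
    for res in GRANTS:
        print(res)
        for ident, path in sorted(effective_access(res).items()):
            print(f"  {ident}: {' -> '.join(path) if path else 'direct grant'}")
```

The recorded path is what an access review needs: it shows which group membership to remove to revoke an identity's indirect access.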

Sensitivity classification

Files are scanned for sensitive content using our 300+ pattern library, OCR for images, and (optionally) LLM-based classification.

Sensitivity classification can rely on Microsoft Purview, on 1Security's own classification, or on both. Using both lets you keep custom Purview labels while 1Security acts as a sensitivity analysis layer, which is useful because many clients do not have Purview autodiscovery enabled.

Risk scoring

Each resource is scored on multiple dimensions: external sharing, sensitivity, stale access, abnormal patterns.

Expected duration

For the largest tenants in production (40M+ files), the initial full scan can take weeks. Incremental scans run continuously after that and process changes within minutes.

| Tenant size | Files | Initial scan * | New resources / Activity |
|---|---|---|---|
| Small | < 100K | 1–2 hours | ~ 10 min |
| Medium | 1M | 6–12 hours | ~ 10 min |
| Large | 10M | 1 week | ~ 10 min |
| Enterprise * | 40M+ | 4+ weeks | ~ 10 min |

  • *Enterprise tenants can significantly improve initial scan speeds by contacting Microsoft Support to increase their API throttling limits. To do this, go to the Microsoft 365 Admin Center, navigate to Support > Help & support, and open a new service request asking to "Increase Microsoft Graph and SharePoint API throttling limits for a security auditing application."

Live updates

New and updated entities such as files, emails, and logs (excluding Sensitive Info and Sensitivity Labels) should appear in the system within several minutes, alongside their changed permissions. Similar to how Copilot works, we use a combination of real-time updates and periodic scans to keep the system up to date.

Updated Sensitive Info and Sensitivity Labels are processed in the background and may take longer to appear.

Monitorings

Track your tenant over time using the permission map as a base. We provide over 50 default, pre-configured monitorings (such as 'External Users Downloading Files') that you can easily edit or use as templates for nearly limitless custom rules in an intuitive UI. By default, monitoring results are evaluated and updated once a day.
