# 1Security Full Documentation
1Security is a comprehensive platform designed to safeguard Microsoft 365 environments. It provides deep visibility into permissions, identifies sensitive data, monitors AI-driven threats (such as Copilot interactions), and automates security actions to derive proper Microsoft insights.
> Proper MS insights can be natively derived in 1Security, ensuring best-in-class security posture management for M365.
=================================================================
## Agents
URL: https://1security.ai/en/docs/agents
=================================================================
Microsoft spreads AI agents across separate admin portals - Copilot, Azure AI Foundry, and Entra - each with its own model, tags, and APIs. The **Agents** screen unifies all of them into one governed list, with the same access-insight lens 1Security applies to users, apps, and files.
## One screen for every agent
The Agents screen covers the three overlapping agent ecosystems Microsoft exposes:
- **Microsoft Copilot agents** - declarative agents built in Copilot Studio / Agent Builder (e.g. a SharePoint policy finder, a Teams message extension).
- **Entra Agent ID agents** - autonomous backend agents with their own Entra identity (Copilot Studio, Azure AI Foundry).
- **Third-party agents** - SaaS apps that use Copilot behind the scenes (e.g. Decisions, Adobe).
Instead of three consoles, you get one list - and, where the same agent shows up in more than one place, a **single unified record** that joins its Copilot chat presence to its Entra API permission grants.
## Unified access insights
Every agent is broken down by what it can actually reach - the same model 1Security applies to identities and apps:
- **Files, sites, users, and emails** the agent can access
- **Sensitive data** exposed through that access - down to the specific sensitive information types within reach
- **Activity** - what the agent actually did, drawn from the same audit-log pipeline as users and apps, with per-action breakdowns: created, modified, deleted, moved, shared, downloaded
- **Knowledge / data sources** it reads from - SharePoint, OneDrive, Teams, email, Graph connectors, Dataverse, the web - resolved to what's actually inside them, so you can review the content an agent learns from
- **Permissions** - every atomic permission with its source (direct, inherited from a blueprint, or declared) and Microsoft's "blocked for agents" flag
The value is the stitching: signals from **Copilot, Azure, and Entra** become one agent record, so you can govern an agent's behaviour and its real data access in one place - without hopping between portals.
## Working with Microsoft's agent stack, not against it
Everything above is read natively from Microsoft's own surfaces - Copilot, Entra, and Azure - so this inventory always agrees with the portals your admins already use. 1Security doesn't replace the agent platforms; it adds the governance layer they don't have:
- **Access, quantified.** Copilot Studio shows an agent's configuration; 1Security shows the blast radius - how many files, sites, users, and emails it can actually reach.
- **Sensitive data, before it leaks.** Access is one thing; what enterprises actually fear is an agent surfacing regulated data to whoever asks it a question. 1Security lists the exact sensitive information types within each agent's reach - payment cards, health records, credentials - so you know which agent could leak what, and can block that access before an employee's innocent prompt (or an injected one) turns reach into disclosure.
- **Activity, attributed.** Agent actions land in the same activity stream as users and apps, with per-action breakdowns - so "what has this agent deleted, moved, or downloaded?" is a filter, not a log-parsing project.
- **Knowledge sources, opened up.** In the agent platforms a knowledge source is a pointer; 1Security resolves it to the content behind it, so you can review what an agent would learn _before_ employees start chatting with it.
Licensing is the one place agents differ from the rest of 1Security: everywhere else Business Basic is enough, but Microsoft gates the Copilot agent catalog behind **Agent 365** - a single license on the admin account that connects 1Security unlocks it (details below). Entra-backend agents need nothing extra.
## Licensing: what you can see
Agent visibility depends on the tenant's Microsoft licensing. This is a Microsoft API limitation, not a 1Security one.
1Security **always** scans the Entra backend. A license only gates the
Microsoft **Copilot Package catalog** - the API where lightweight Copilot
agents live.
| Agent type | Visible without Agent 365 | Needs Agent 365 |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-----------------------: | :-------------: |
| **Entra Agent ID agents** - Azure AI Foundry, heavier Copilot Studio bots (they create real Entra service principals tagged `power-virtual-agents-*` / `AgenticInstance`) | ✅ | |
| **Declarative Copilot agents** - SharePoint policy finders, Teams extensions, and third-party wrappers like Decisions / Adobe (no Entra footprint; they live only in the Copilot Package catalog) | | ✅ |
Without the license, declarative Copilot agents either don't surface or look like ordinary enterprise apps - 1Security can't tell they're agents. This affects **both third-party wrappers and first-party declarative Copilot agents**, not just third-party apps.
## Licensing: what you need to buy
You do **not** need the $99 Microsoft 365 E7 bundle. The product that unlocks
the catalog is **Agent 365**.
- **E7 ("Frontier" suite)** just bundles E5 + Microsoft 365 Copilot + the Entra Suite + Agent 365. It's the expensive way in.
- **Agent 365** is available **standalone at ~$15/user per month** and can be added on top of an existing E3 or E5 - this is all the API actually checks for.
**You only need ONE license.** 1Security reads the catalog with a **delegated** admin token, so Microsoft validates the license of the single admin who connected it - not every user. License that one admin account and the entire tenant's Copilot agent catalog unlocks.
**For testing:** assign one standalone **$15 Agent 365** license to the admin
account you use to connect 1Security.
## Connecting & graceful degradation
To scan Copilot agents, an admin connects a delegated token once (see the **Connecting Tenants** guide). Until that's done - or if the tenant has no Agent 365 - 1Security:
- still scans and governs every **Entra** agent,
- shows a banner on the Agents screen explaining that Copilot agents need Agent 365,
- never fails the tenant scan over a missing license.
### Talking to customers
A customer worried about Copilot security already owns Microsoft 365 Copilot - and Microsoft requires **Agent 365** to govern the agents they build with it using native tools, so most target customers already have it. If they don't, 1Security states the limit plainly:
> We can only scan your Entra backend. License your admin with Agent 365 to also scan your Copilot chat agents.
=================================================================
## Connecting Tenants
URL: https://1security.ai/en/docs/connecting-tenants
=================================================================
You can connect multiple Microsoft 365 tenants to a single 1Security account - useful for MSPs, holding companies, and organisations with several tenants.
## Adding a tenant
### Open the tenant menu
Click the tenant switcher in the top-left of the dashboard, then **Add tenant**.
### Authenticate
A new tab opens to Microsoft's OAuth consent flow. Sign in with a global admin of the tenant you want to add.
### Grant permissions
Approve the same permissions you granted during the initial install.
### Wait for the initial scan
The new tenant appears in your switcher immediately, but full data takes the duration of the [initial scan](/en/docs/getting-started/first-scan) to populate.
## Troubleshooting
This error means the account you tried to sign in with isn't a member of the
target tenant. Make sure you're using a global admin account **from the
tenant you're adding**, not from your main 1Security account.
Microsoft Graph rate limits sometimes throttle initial discovery. Check
**Settings → Scan status** for error messages. If you see `TooManyRequests`,
the scan will retry automatically - no action needed.
Newly created users in Microsoft 365 take up to 24 hours to appear in
1Security. Manually trigger a delta scan from **Settings → Scan status → Run
delta** to pull them in immediately.
Go to **Settings → Tenants**, click the three-dot menu next to the tenant,
then **Disconnect**. This removes all data associated with the tenant from
1Security within 7 days.
## Tenant permissions
1Security requests **read-only** permissions by default. Write permissions
(used by automations) are opt-in per workflow.
The exact Microsoft Graph permissions requested:
```text
- User.Read.All
- Group.Read.All
- Files.Read.All
- Sites.Read.All
- Directory.Read.All
- AuditLog.Read.All
- Policy.Read.All
- SecurityEvents.Read.All
```
=================================================================
## Getting Started with 1Security
URL: https://1security.ai/en/docs/getting-started
=================================================================
Welcome to 1Security! This guide will help you understand the core concepts of the platform, how to navigate the interface, and how to start investigating your Microsoft 365 environment immediately.
## 1. Platform Basics & Navigation
1Security is designed to make complex security data easy to explore.
- **Interactive Visualizations:** Every element on our graphs and lists is interactive. Clicking on an item (like a user, file, or site) will drill down and reveal more detailed results and relationships.
- **Data Export:** Every list in the platform can be downloaded. This is highly useful for offline reporting, compliance processing, or forensic investigations.
- **Helpful Tooltips:** Hover over table cells to view additional context and definitions without leaving your current view.
- **Language Preferences:** You can easily toggle the platform language in your account settings to suit your team's needs.
## 2. Filters & Saved Views
Finding the exact data you need is fast thanks to our precomputed values.
- **Combine Filters:** You can stack multiple filters to narrow down results. For example, you can filter for *Files containing sensitive information* AND *Files shared with external users*.
- **Precomputed Values:** Because our filters use precomputed data, you'll immediately see counts (e.g., exactly how many users have access to sensitive information) before you even apply the filter.
- **Saved Views:** Once you build a useful combination of filters, use **Save view** to keep it for later.
- **Share with Your Team:** When saving a view, you have the option to make it public/shared, allowing other team members to access your specific filter configurations.
## 3. Monitorings
Monitorings are automated rules that alert you to risks, potential cost savings, and data exposure.
- **Ready to Use:** When you join, 1Security pre-populates several useful monitorings to give you immediate insights.
- **Relationship-Based Alerts:** Monitorings excel at finding complex relationship scenarios. Common examples include:
- *Users with access to sensitive files*
- *SharePoint sites with zero active users*
- **Customizable & Shareable:** You can edit existing monitorings or create your own. You can also share specific monitorings with selected non-admin users so they can track risks relevant to their departments.
## 4. Logs & Forensics
1Security provides a complete forensic trail of activity in your environment.
- **Comprehensive Tracking:** Logs show exactly *what* resource was modified, by *whom*, through *which app*, and on *which device*.
- **Interactive Log Viewer:** For deeper forensic and admin needs, you can access the raw version of the logs using our interactive log viewer.
- **Data Retention:** Your logs are retained securely for as long as your tenant maintains an active 1Security license. For example, if you maintain a continuous yearly subscription for three years, you will have three full years of logs available for investigation. *(Note: Needs product confirmation on specific minimum retention limits if any).*
## 5. Multitenancy & Administration
1Security makes it simple to manage multiple environments from a single interface.
- **Switching Tenants:** Add or switch between tenants quickly using the **Select tenant** dropdown in the navigation bar, or manage them directly via `/dashboard/tenants/`.
### Managing Accounts and Access
Tenant admins can invite new team members by navigating to `/dashboard/1Security-users/` and clicking **Invite user**.
When inviting a user, you can assign one of three access levels:
1. **Sync with Microsoft 365:** The user's admin status in 1Security is automatically determined by their existing Azure AD / Microsoft Entra roles (e.g., Global Administrator, Security Administrator).
2. **Admin:** Grants full access to all resources, settings, and tenants in 1Security, bypassing their Microsoft role.
3. **User (Limited Access):** The user only sees their own resources. This includes files, emails, groups, and sites they own or interact with, as well as specific monitorings assigned to them.
*Tip for Admins:* Before sending an invite to a limited User, you can use the built-in preview feature to see exactly what they will see, ensuring they only have access to appropriate data.
=================================================================
## Installation
URL: https://1security.ai/en/docs/installation
=================================================================
1Security offers flexible deployment options to meet your organization's compliance, data residency, and operational requirements. You can choose to run 1Security as a fully managed SaaS (Cloud), deploy it within your own Azure environment (BYOC), or host it fully On-Premise.
## Prerequisites
Regardless of your chosen deployment method, you will need:
- A **Microsoft 365 tenant**
- **Global Administrator** access (for the initial OAuth consent)
- Modern browser (Chrome, Edge, Firefox, Safari - last two major versions)
## Deployment Models
**Recommended for most teams.**
1Security manages the infrastructure, updates, and maintenance. You simply log in and connect your tenant.
- **Zero infrastructure** to manage.
- **Continuous updates** with no downtime.
- Setup takes less than 5 minutes.
- Hosted in secure, SOC 2 Type II compliant environments.
### Getting Started
### Create your account
Go to [1security.ai](https://1security.ai) and sign up using your Microsoft work account. We use OAuth - your password never leaves Microsoft.
### Grant tenant permissions
During the consent dialog, an admin in your tenant approves the permissions 1Security needs to read your Microsoft 365 metadata. We never request write access to user data without an explicit per-action prompt.
### Run your first scan
Once connected, the platform automatically queues an initial scan. You'll see results stream in over the next few minutes.
**Bring Your Own Cloud** is ideal for organizations with strict data residency requirements that want to keep all processed data inside their own Azure tenant, while still using our managed Docker images.
### Architecture Overview
Docker images are provided pre-built from 1Security's Azure Container Registry. You will receive access credentials to pull images directly to your environment.
**Required Azure Services:**
- **Azure App Service (Linux)**: 2 instances (API + Client)
- **Azure App Service Plan**: Separate compute plans for API and Client recommended.
- **Azure Database for PostgreSQL**: Flexible Server recommended over Single Server.
- **Azure Key Vault** (Optional): Secure storage for secrets and certificates.
- **Azure Storage Account** (Optional): File share for certificate mounting.
### Resource Specifications & Estimated Costs
Tenant scans are CPU and memory-intensive. Below are recommended specs based on active users (costs exclude discounts like Reserved Instances, which can reduce prices by ~60%):
| Tenant Size | API Server | Client App | PostgreSQL | Estimated Monthly Cost |
| :--- | :--- | :--- | :--- | :--- |
| **Small** (< 350 users) | **P2V3** (2 vCPU, 8GB RAM) | **P1V2** (1 vCPU, 3.5GB RAM) | **Standard_D2s_v3** (2 vCores, 8GB RAM) | ~$355 / month |
| **Medium** (350-1,000 users) | **P3V3** (4 vCPU, 16GB RAM) | **P2V3** (2 vCPU, 8GB RAM) | **Standard_D2s_v3** (2 vCores, 8GB RAM) | ~$580 / month |
| **Large** (1,000+ users) | **P3V3** (4 vCPU, 16GB RAM) | **P2V3** (2 vCPU, 8GB RAM) | **Standard_D4s_v3** (4 vCores, 16GB RAM) | ~$840+ / month |
### Required Permissions
To set up the BYOC deployment, the administrator needs:
- **Azure Subscription**: Contributor role (or Resource Group Owner).
- **Entra ID**: Application Admin or Cloud Application Admin (to create App Registrations and grant consent).
- **Specific Resources**: App Service Contributor, Key Vault Admin, PostgreSQL Contributor.
*Contact our support team to receive your ACR credentials and the complete BYOC deployment manifests.*
**Fully self-hosted deployment** for organizations with air-gapped environments or ultimate infrastructure control needs.
- **Total control** of data location and network boundaries.
- **Air-gapped** installation supported.
### Minimum Hardware Requirements
- **Compute**: 16 vCPU
- **Memory**: 64 GB RAM
- **Storage**: 500 GB SSD (NVMe recommended)
*Contact our enterprise sales team to plan an on-premise deployment.*
Granting consent requires **Global Administrator** privileges. If you're not a
global admin, ask one to complete the consent flow - you can still own
day-to-day operations afterwards.
## Verifying the install
After the consent flow and environment setup finish, you should land on the dashboard with at least the following populated:
- **Tenant** card showing your tenant ID and domain
- **Scan status** showing "Running" or "Queued"
- **Users** count matching what you see in the Microsoft 365 admin centre (give it a minute to sync)
If any of these are missing, see [connecting tenants](/en/docs/getting-started/connecting-tenants) for troubleshooting.
=================================================================
## Integrations & Modules
URL: https://1security.ai/en/docs/integrations-modules
=================================================================
1Security is built from the ground up around the **Principle of Least Privilege**. By default, the platform operates entirely as a **read-only visibility module**, requiring only the minimum Microsoft 365 permissions necessary to map your environment.
You can optionally extend 1Security with additional capabilities through specific modules. This architecture ensures you only grant expanded permissions—especially write access or access to communication data—when you explicitly need those features.
## Core Visibility (Default)
The base installation of 1Security provides complete operational visibility into your Microsoft 365 tenant without requiring any write permissions.
- **Permission Graph**: A fully interactive tenant map of users, groups, applications, and resources.
- **Activity & Risk Monitoring**: Out-of-the-box tracking of unified audit logs and basic risk scorings.
- **Built-in Sensitivity**: 1Security's proprietary text-extraction and OCR engine securely scans file contents for sensitive patterns without requiring Purview or Exchange access.
---
## Extension Modules
When you are ready to expand your workflow, you can enable the following extension modules from the **Settings → Integrations** dashboard. Each module requests a localized set of new permissions.
### 1. Sensitivity (1Security Engine + Microsoft Purview)
1Security includes a powerful, built-in sensitivity scanning engine that automatically identifies and classifies sensitive data across your Microsoft 365 environment. Using a combination of text extraction, OCR for images, and pattern matching, it detects over 300 types of sensitive information—all without requiring advanced Microsoft licenses.
Enabling this extension module expands these built-in capabilities by integrating directly with Microsoft Purview Information Protection.
- **Why it requires an extension**: Requires explicit permissions to read your tenant's Purview configuration and sensitivity labels.
- **Benefits**: Merges Microsoft Purview's native labeling system with 1Security's independent algorithmic scanning. This provides a powerful hybrid classification layer, allowing you to utilize your custom Purview labels alongside 1Security's findings, even if you don't have Purview autodiscovery licensed.
### 2. Email (Microsoft Exchange)
Expands the platform to analyze email traffic and individual mailbox contents.
- **Why it requires an extension**: Requires explicit read access to Exchange mailbox contents, email bodies, and attachments.
- **Benefits**: Detects sensitive data shared via email, analyzes attachments in transit, and seamlessly maps complex email activities (like forwarding sensitive data externally) into the interactive permission graph.
### 3. Automations
Unlocks active remediation capabilities, transforming 1Security from an auditing platform into a security orchestrator.
- **Why it requires an extension**: This is the **only** module that requires **Write permissions** in your Microsoft 365 tenant.
- **Benefits**: Enables you to manage permissions at scale. You can create rules to instantly revoke stale external access, expire widely-shared sensitive links, remove overprivileged Copilot agents, and automatically remediate permission sprawl across thousands of files simultaneously.
=================================================================
## Location Intelligence
URL: https://1security.ai/en/docs/location
=================================================================
Every action in your Microsoft 365 environment happens _somewhere_. Location Intelligence turns the raw, throwaway IP addresses buried in your audit logs into a clear, human answer to a deceptively hard question: **"Where is this activity actually coming from - and should I be worried about it?"**
## What You Can Achieve
## Where a Location Comes From
A **Location** in 1Security is not an IP address. Raw IPs are noisy and disposable - a single user on a phone might use dozens in a day. Instead, we resolve each event's network address into a stable, meaningful identity made of three parts:
- **Country and City** - _where_ the activity appears to originate.
- **Network (ASN)** - _who_ owns the connection: a home ISP, a corporate network, a mobile carrier, a cloud provider, or an anonymity service.
Dynamic IPs that all belong to the same place collapse into one Location, so you see "Warsaw, Poland - home ISP" once, not two hundred fleeting addresses.
## The Signals That Matter
Beyond the map, 1Security classifies the **type of network** behind each action. This is often the real story:
- **Standard** - an ordinary residential or corporate connection. Expected.
- **VPN** - traffic routed through a commercial VPN. Sometimes legitimate, sometimes an attacker hiding their true location.
- **Tor** - the anonymity network. Almost never a normal way for an employee to open a spreadsheet.
- **Datacenter** - a hosting/cloud provider. A person browsing files from a datacenter is unusual and worth a look.
- **Microsoft** - Microsoft's own infrastructure (see below).
VPN, Tor, and datacenter egress on a user's activity is one of the strongest
early signals of a stolen session or compromised account. Location
Intelligence surfaces it automatically - no rules to write.
## The Microsoft Relay Problem (and How We Solve It)
Here is a subtlety that trips up almost every security tool: **many Microsoft 365 actions do not carry the user's real IP address.** When a server-side operation happens - adding a mailbox permission, a background SharePoint action, a Copilot interaction - Microsoft often records the IP of _its own datacenter_, not the person who triggered it.
Left unhandled, this floods your logs with hundreds of "logins from a US datacenter" for users who never left the office. It buries real threats in false alarms.
1Security handles this in two ways:
1. **We recognise Microsoft's own networks** - across both IPv4 and IPv6 ranges - and label that traffic clearly as **Microsoft** origin, styled neutrally rather than as a suspicious datacenter.
2. **We use Microsoft's own location signal when it's available.** Microsoft frequently includes the user's _real_ country alongside the relayed IP. We trust that over the meaningless address of the relay, so a file previewed by someone in Poland reads as Poland - even though the underlying connection was a Microsoft server in the US.
Crucially, we do this by recognising Microsoft's *infrastructure*, never by
assuming "any foreign-looking activity is just Microsoft." A genuine sign-in
from an unexpected country stays fully visible - because that might be exactly
the compromise you need to catch.
## Where You'll See It
Location Intelligence is woven through the product rather than hidden on one screen:
- **Activity Logs** gain **Location** and **Infrastructure** columns, plus filters for country, network type, and whether a location is new for that user.
- **User and Device drawers** include a **Locations** tab - a travel timeline of everywhere that identity has been seen active, newest first. Click any location to jump straight to the exact events that came from it.
- **First-seen detection** flags the first time a user is observed at a given location - a lightweight, high-signal indicator of a new or anomalous session.
## Licensing
Like the rest of 1Security, Location Intelligence works with a **standard Microsoft 365 license**. Enrichment runs locally and privately - we never send your IP data to a third-party lookup service. No Microsoft E5, Entra ID P2, or premium sign-in log add-on is required.
=================================================================
## Monitorings
URL: https://1security.ai/en/docs/monitorings
=================================================================
Monitorings allow you to track your Microsoft 365 tenant over time. By using the permission graph as a base, you can create nearly limitless monitorings in an intuitive UI.
## Overview
Monitorings continuously evaluate the state of your environment against defined conditions. They allow you to proactively identify risks such as excessive permissions, sensitive data exposure, or anomalous user activities.
## Pre-configured Monitorings
To help you get started immediately, 1Security comes with over 50 popular monitorings pre-configured out of the box.
Examples of pre-configured monitorings include:
- **External Users Downloading Files**: Detects when guests or external accounts download documents, especially those containing sensitive information.
- **Insider Risk Detection**: Monitors anomalous internal user activities that might indicate a compromised account or insider threat.
- **Sensitive Data Exposure to Copilot**: Tracks files containing sensitive information that are indexed and exposed to Microsoft Copilot.
## Custom Monitorings
Leveraging the interactive permission map, you can create highly specific custom monitorings. Because 1Security understands the full context of your tenant—users, files, sensitivity, and activities—you can set up alerts for exact scenarios relevant to your organization's security policies.
=================================================================
## NIS2
URL: https://1security.ai/en/docs/nis2
=================================================================
# NIS2 Readiness
NIS2 turns incident response into a race against statutory clocks: an **early warning within 24 hours** of becoming aware of a significant incident, an **incident notification with an initial assessment within 72 hours**, and a **final report within a month**. Most organizations cannot answer the underlying questions - _what happened, who was affected, is it still happening_ - in that window, because the evidence lives in 90-day logs and disconnected admin centers. 1Security's job is to make the deadline the easy part.
## What NIS2 Actually Requires
The directive (EU 2022/2555, transposed into national law since October 2024) applies to _essential_ and _important_ entities across 18 sectors, and it is not a checkbox exercise:
- **Article 21** mandates risk-management measures: incident handling, logging and detection, access control and asset management, supply-chain security, cyber hygiene, and - critically - _policies to assess the effectiveness_ of those measures.
- **Article 23** sets the reporting clock: 24-hour early warning (including whether malicious action is suspected), 72-hour notification with severity, impact, and indicators of compromise, and a one-month final report covering root cause and mitigation.
- **Management is personally accountable.** Boards must approve and oversee the measures, and can be held liable for violations - with fines up to €10M or 2% of worldwide turnover for essential entities (€7M / 1.4% for important ones).
## Beating the Reporting Clock
| Deadline | What the regulator needs | Where you get it |
| -------------------------- | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **24 h** - early warning | Is it real? Is it malicious? Is it cross-border? | [Activity Logs](/en/docs/screens/activity-logs): the account's full timeline with every action attributed to actor, resource, app, device, and location. [Location Intelligence](/en/docs/location) separates a genuine foreign sign-in from Microsoft backend noise in one glance. |
| **72 h** - notification | Severity, impact assessment, indicators of compromise | Blast radius on demand: everything the account touched, [every file it can still reach](/en/docs/screens/files), whether [sensitive or regulated data](/en/docs/screens/sensitive-info) was in scope, and which [device](/en/docs/screens/devices) - managed, personal, or shadow - carried the activity. |
| **1 month** - final report | Root cause, full chronology, mitigation applied | Up to **three years of retained history** reconstructs the entire attack path - including entry points months old - and the remediation trail (revoked links, stripped permissions) documents your response. |
## Evidence for the Article 21 Measures
NIS2 doesn't just ask you to have controls - it asks you to _demonstrate they work_. That's the hard part, and it's where continuous visibility replaces the annual PDF:
- **Incident handling & detection** - [Monitorings](/en/docs/monitorings) run 50+ prebuilt and unlimited custom detections over the permission graph: mass downloads, insider-risk patterns, sensitive data exposed to AI. Alerts arrive in minutes, not at the next audit.
- **Logging & forensic readiness** - three years of unified, searchable audit history on standard licenses, instead of a log-storage bill that punishes you for being prepared.
- **Access control policy** - the [permission graph](/en/docs/permission-graph) shows effective access (nested groups and inheritance resolved), so least-privilege is something you _measure_, and access reviews audit reality instead of intentions.
- **Asset management** - live inventories of [devices](/en/docs/screens/devices) (including shadow devices that never registered), [sites](/en/docs/screens/sites), and [connected apps](/en/docs/screens/apps) - the assets you can't protect are the ones you don't know about.
- **Supply-chain security** - every third-party app and [AI agent](/en/docs/screens/agents) with a foothold in your tenant, its publisher verification, its access channel, and who let it in.
- **Effectiveness assessment** - [sensitivity-label coverage](/en/docs/screens/sensitivity-labels) measured against actual [sensitive-data locations](/en/docs/sensitivity): the difference between "we have a data classification policy" and "here is its coverage, as a number, trending quarterly."
## The 72-Hour Drill
Run this as an exercise before you run it as an incident: pick a user account,
and within one sitting produce (1) their complete 90-day activity timeline
with devices and locations, (2) every file, site, and mailbox item they can
currently reach, (3) how much of it carries regulated data, and (4) one
revoked permission as remediation evidence. If you can do it in a drill, the
72-hour notification stops being frightening.
## Scope, Honestly
1Security provides the forensic record, the live risk visibility, and the remediation trail that NIS2 obligations rest on. Whether a given incident is "significant," which national authority receives your report, and how your sector's transposition applies - those are calls for your compliance counsel. Bring them the evidence; 1Security makes sure you have it.
=================================================================
## Permission Graph
URL: https://1security.ai/en/docs/permission-graph
=================================================================
# Permission Graph
The permission graph answers the question that burns more analyst hours than any other in Microsoft 365: **"Why does this person have access to this file?"** Native tools can sometimes tell you _that_ someone has access. The _why_ - the chain of nested groups, site inheritance, and sharing links behind it - is scattered across admin centers and PowerShell output. 1Security draws it as a path you can walk, in either direction, from any starting point.
## What You Can Achieve
## One Map, Every Relationship
The graph connects the two halves of your tenant that Microsoft keeps in separate tools:
- **Identities** - users, groups, third-party apps, and AI agents.
- **Resources** - sites, files, and emails.
The edges between them are the permissions and activity that actually matter: membership, direct grants, link access, inheritance, and actions taken. Because indirect paths are resolved - including the hard ones, like multi-level group nesting and per-site SharePoint permission inheritance - the graph is a **single source of truth** for who has access to what at any moment.
## Where the Graph Works for You
The graph isn't a page you visit; it's the backbone the platform runs on, and every screen is one of its views:
- The [Files screen](/en/docs/screens/files) answers "who has access to our files - and why?" with the graph's resolved paths behind every count.
- The [Groups screen](/en/docs/screens/groups) shows effective membership - nesting resolved - and the blast radius each group unlocks.
- The [Sites screen](/en/docs/screens/sites) separates direct from indirect access, so you see through which doors people enter each site.
- The [Apps](/en/docs/screens/apps) and [Agents](/en/docs/screens/agents) screens quantify how far third-party software and AI reach along the same edges.
- The [Activity Logs](/en/docs/screens/activity-logs) attribute every action to the actor, resource, app, device, and location - the graph in motion.
- [Monitorings](/en/docs/monitorings) evaluate conditions over the graph continuously, turning any pattern you can describe into an alert.
## Investigative Patterns
**The why-chain audit**: pick a high-risk detection on the [Sensitive Info
screen](/en/docs/screens/sensitive-info), open the files that carry it, and
walk each access path to its origin. Every path ends in one of three places -
a deliberate grant, a forgotten link, or an inheritance nobody considered. The
second and third are your findings, and you can revoke them where you stand.
=================================================================
## Your First Scan
URL: https://1security.ai/en/docs/scans
=================================================================
1Security automatically schedules a full scan after a tenant is connected. This page explains what that scan actually does, how long it takes, and what to look at first.
## What gets scanned
## Scan stages
The scan runs through several stages in order. You can watch progress in the header or **Tenants page → Scan status** column.
### Discovery
1Security discovers all identities, resources, and activities in your tenant. You can track found identities across pages like **Users**, **Files**, **Activity**, and **Alerts**. Permissions for a resource are mapped shortly after discovery. Sites require to be **Fully scanned** for the permissions to be mapped.
### Permission graph
For each resource, we map every identity that can access it - including indirect access through nested groups. This is the longest stage. We map access not just for **Users** but **Apps** including Copi Agents.
This makes 1Security into a fully interactive tenant map. You can navigate from users to their actions to the modified files to their sensitive data - any point allows for an audit travel.
### Sensitivity classification
Files are scanned for sensitive content using our 300+ pattern library, OCR for images, and (optionally) LLM-based classification.
Sensitivity can work with Microsoft Purview, with 1Security handling classification, or both. As for both, the advantage is it allows you to use custom Purview labels while having 1Security as a sensitivity analysis layer - as many clients do not have Purview autodiscovery enabled.
### Risk scoring
Each resource is scored on multiple dimensions: external sharing, sensitivity, stale access, abnormal patterns.
## Expected duration
For the largest tenants in production (40M+ files), the **initial** full scan
can take weeks. Incremental scans run continuously after that and process
changes within minutes.
| Tenant size | Files | Initial scan \* | New resources / Activity |
| ------------- | ------ | --------------- | ------------------------ |
| Small | < 100K | 1–2 hours | ~ 10 min |
| Medium | 1M | 6–12 hours | ~ 10 min |
| Large | 10M | 1 week | ~ 10 min |
| Enterprise \* | 40M+ | 4+ weeks | ~ 10 min |
- \*Enterprise tenants can significantly improve initial scan speeds by contacting Microsoft Support to increase their API throttling limits. To do this, go to the **Microsoft 365 Admin Center**, navigate to **Support > Help & support**, and open a new service request asking to "Increase Microsoft Graph and SharePoint API throttling limits for a security auditing application."
## Live updates
New and updated entities such as files, emails, logs (excluding Sensitive Info and Sensitivity Labels) etc should appear in the system within several minutes alongside their changed permissions.
Similar to how Copilot works, we use a combination of real-time updates and periodic scans to keep the system up to date.
Updated Sensitive Info and Sensitivity Labels are processed in the background and may take longer to appear.
## Monitorings
Track your tenant over time using the permission map as a base. We provide over 50 default, pre-configured monitorings (such as 'External Users Downloading Files') that you can easily edit or use as templates for nearly limitless custom rules in an intuitive UI. By default, monitoring results are evaluated and updated once a day.
=================================================================
## Sensitivity Scanning
URL: https://1security.ai/en/docs/sensitivity
=================================================================
# Sensitivity Scanning
Sensitivity scanning answers a question Microsoft puts behind its most expensive licenses: **"Where is our sensitive data - and who can reach it?"** 1Security ships its own scanning engine that reads file and email content, detects over 300 types of sensitive information - credit card numbers, personal identifiers, financial records - and connects every detection to the permission graph. It runs on a **standard Microsoft 365 Business Basic license**.
## What You Can Achieve
## How the Scan Works
1. **Extraction** - text is securely extracted from documents, spreadsheets, presentations, and emails.
2. **OCR** - for images and scanned documents, built-in optical character recognition reads the text inside the pixels.
3. **Pattern matching** - extracted text is evaluated against the library of 300+ sensitive information patterns, each detection carrying a confidence level.
4. **Risk assessment** - files and emails with detections are flagged in the permission graph and across every screen, so exposure analysis starts immediately.
## Supported Formats and Limitations
The scanner focuses on the formats where business data actually lives:
- **Documents**: `.txt`, `.csv`, `.docx`, `.pdf`, `.xlsx`, `.pptx`
- **Images (OCR)**: `.jpg`, `.jpeg`, `.png`, `.gif`, `.bmp`, `.tif`, `.tiff`, `.webp`
- **Emails**: message bodies are enriched and scanned.
**Performance limits:**
- **File size** - files up to **50 MB** are scanned; larger files are skipped to keep the system responsive.
- **PDF depth** - the **first 5 pages** of each PDF are processed, capturing the most relevant context.
- **Embedded images** - up to **10 embedded images** per document (e.g. `.docx`) go through OCR.
## Where Detections Land
- The [Sensitive Info screen](/en/docs/screens/sensitive-info) rolls every detection type into an estate-wide map: which files, emails, sites, groups, users, and apps each type touches, filterable by compliance framework (GDPR, HIPAA, PCI-DSS, and more).
- The [Files](/en/docs/screens/files) and [Emails](/en/docs/screens/email) screens filter by sensitive info presence, specific types, minimum counts, and confidence - and combine those with sharing and exposure filters.
- The [Sensitivity Labels screen](/en/docs/screens/sensitivity-labels) closes the loop: compare what the scan _found_ against what Purview labels _cover_, and measure your real protection gap.
## Licensing Requirements
You do not need premium Microsoft licenses for deep security visibility. **Nearly every functionality in 1Security works with a standard Microsoft 365 Business Basic license.**
The only exceptions that require advanced Microsoft licenses are:
- **Security Alerts** - requires **Microsoft Defender** to pull native security alerts into 1Security.
- **Sensitivity Labels** - requires **Microsoft Purview** if you want to sync and display Purview's native labels alongside 1Security's findings.
Even without Microsoft Purview, 1Security's independent sensitivity engine
fully classifies and analyzes your sensitive data - Purview adds a second
opinion, not the first one.
=================================================================
## Welcome
URL: https://1security.ai/en/docs/welcome
=================================================================
Welcome to the **1Security** documentation. 1Security is the platform for the permission-centric era of security: attackers don't break in anymore, they **log in** - and 1Security is built to catch them, on standard Microsoft 365 licenses.
These pages walk you through everything from your first scan to the deepest configuration knobs the platform exposes.
## Start here
## Explore the platform
New here? Read [Why 1Security](/en/docs/why-1security) first - it frames
everything the platform does around questions you already know you can't
answer today.
=================================================================
## Why 1Security
URL: https://1security.ai/en/docs/why-1security
=================================================================
# Why 1Security
## Attackers don't break in anymore. They log in.
The vast majority of today's breaches are not sophisticated malware slipping past a firewall - they are **identity and permission attacks**. Attackers exploit overshared data, dormant accounts, rogue AI agents, and unmanaged shadow devices, moving through your environment along the _exact same access pathways your employees use_. There's no exploit to patch and no signature to match - just a valid login doing things it shouldn't.
Cybercrime evolved from vulnerabilities to permissions. Most security tooling didn't.
### The Invisible Attack Vector
**Access permissions are the #1 attack vector** of successful cybercrime and
AI data leaks - and the surface almost no tool actually watches.
## The tooling landscape completely failed to evolve
Despite the shift, legacy tools are stuck in the past:
- **SIEMs & Data Lakes** extort organizations into storing "dead logs" for compliance, but lack the contextual intelligence to catch a threat in real time.
- **IAM & Directory tools** manage provisioning, but are completely blind to what identities are actually _doing_ with your data - or which unmanaged devices they're doing it from.
- **Static compliance scanners** produce point-in-time dashboards that are obsolete the moment they're exported, leaving teams drowning in alerts they can't act on.
The result: security teams flying blind, manually stitching cryptic audit trails across fragmented systems just to answer one deceptively simple question - **"Who has access to what, and what did they do with it?"**
1Security is built to answer it. Five questions every security team gets asked and can't answer from native Microsoft 365 tooling - each turned into minutes of work, on a standard license.
## 1. The Identity-Attack Forensic Tool
> _"Did somebody steal our data - and exactly what was affected?"_
A new category of tool for a threat the old ones can't see.
- **Proactive anomaly & insider-threat alerting** - active defense, not post-breach autopsy. High-signal alerts for tenant-wide risks, sudden mass downloads, and anomalous access catch compromised accounts and insiders in real time. See [Monitorings](/en/docs/monitorings).
- **3-year forensic memory without the log-storage tax** - storing logs is expensive even with tools that add no intelligence on top. 1Security retains up to **three years** of [activity history](/en/docs/screens/activity-logs) out of the box, on standard licenses.
- **12 hours to 10 minutes** - answer definitively _"is this a breach, or normal behavior?"_ and chart the exact blast radius of a compromised account.
- **Shadow Devices & Shadow Locations** - automatically surface unmanaged [endpoints touching your data](/en/docs/screens/devices) and anomalous, previously-unseen access origins - with [Microsoft's own backend IPs filtered out](/en/docs/location) so real anomalies aren't buried in false positives.
- **Contextual enrichment vs. cryptic logs** - turn raw, unreadable audit events into a unified timeline that attributes every action to the exact **Actor, Resource, App, Device, and Location**.
- **Unmasking the insider threats traditional tooling misses** - most successful breaches never trip a single alarm: an email quietly forwarded to an unknown recipient, an unknown device signing in with a stolen employee token, data accessed from an unexpected location, activity patterns just slightly off the norm. To traditional tooling, every one of those events looks completely legitimate. 1Security correlates **Actor, Device, Location, and behavior** across the full activity timeline to expose the attack hiding inside "normal" events.
## 2. The Data & Permission Crystal Ball
> _"Who has access to what - and why?"_
Another new category: permission visibility at every altitude.
- **From bird's-eye to single detail** - zoom seamlessly from a tenant-wide view of permission creep down to a single risk. Not just _"which financial files are available to AI?"_ but _"exactly why does this specific user and this specific AI have access to this one file?"_ See the [Permission Graph](/en/docs/permission-graph).
- **The ultimate access map** - map where data lives, who (humans, service accounts) can reach it, what AI and apps can read it, and where your real sensitivity risks are concentrated across [Files](/en/docs/screens/files), [Sites](/en/docs/screens/sites), and [Groups](/en/docs/screens/groups).
- **Oversharing & exposure profiling** - spot widely-available sensitive data before it leaks, and reveal the hidden pathways normal directory logs miss: dormant public links, over-permissioned folders, unauthorized routes.
- **Security-measure verification** - see the true, real-time coverage of controls you already pay for, like [Microsoft Purview labels](/en/docs/screens/sensitivity-labels). Know instantly what's tagged and what's exposed.
- **Audit-ready compliance & reporting** - frameworks like [NIS2](/en/docs/nis2), ISO 27001, and SOC 2 demand continuous evidence of who can access what and what's done with the data. With black-box permission models, producing that evidence is slow and costly - and every report is outdated the moment it's generated, because data ecosystems never stop changing. 1Security draws reporting straight from the live permission and activity map, so it's always current.
## 3. Total Hygiene & Attack-Surface Cleanup
> _"Are we wasting budget and hoarding hidden risks?"_
Every stale account and forgotten resource is both a cost line and an attack path. 1Security finds both in one pass.
- **Zero-waste IT** - reclaim budget by finding [unused licenses](/en/docs/screens/licenses), [dormant apps](/en/docs/screens/apps), inactive users, abandoned mailboxes, and orphaned sites.
- **Attack-surface cleanup** - eliminate stale, orphaned, and disabled [devices](/en/docs/screens/devices), and sever lingering access for offboarded employees before it becomes an insider threat or breach vector.
- **AI context-window optimization** - declutter the data footprint so corporate AI like Copilot doesn't hallucinate on outdated junk or surface sensitive executive documents to regular employees.
## 4. Shadow AI, Shadow IT & Autonomous Agents
> _"What AI tools and third-party apps are secretly reading our data?"_
Employees consent to OAuth apps and build agents in an afternoon; IT finds out at the incident review.
- **Shadow AI discovery** - catch rogue AI tools and unvetted third-party [apps](/en/docs/screens/apps) that employees quietly connect to corporate data.
- **Safe AI guardrails** - establish bulletproof data-access boundaries and clean up permissions _before_ rolling out enterprise AI, so every [agent](/en/docs/screens/agents) operates only within authorized limits.
## 5. Instant Ecosystem-Wide Remediation
> _"How do we immediately fix the vulnerabilities we just found?"_
- **From dashboards to control** - move past read-only. Safely revoke, grant, or update permissions - from a tenant-wide oversharing fix down to [removing one user's access to a single file](/en/docs/screens/files) - across the entire Microsoft 365 ecosystem, right from the 1Security interface.
- **Strict opt-in write model** - the platform runs read-only until you deliberately enable remediation, so granting write access is a controlled decision, never a leap of faith.
## Built to be affordable
All of this runs on **standard Microsoft 365 licenses**. [Sensitivity scanning](/en/docs/sensitivity) doesn't need E5 or Purview. [Location intelligence](/en/docs/location) doesn't need premium sign-in logs. Three-year retention doesn't need a SIEM contract. The pattern is deliberate: elite visibility priced like a utility, not like a data lake.
Ready to see it on your own tenant? Start with the [installation
guide](/en/docs/installation) - first scan results arrive the same day. If
NIS2 is on your desk, jump to [NIS2 Readiness](/en/docs/nis2).
=================================================================
## SIEM Integration
URL: https://1security.ai/en/docs/guides/siem-integration
=================================================================
This guide shows how to forward 1Security **monitoring alerts**, **audit logs**,
and **security alerts** into your SIEM using the [REST API](/docs/reference/api).
The model is **pull-based**: your SIEM polls on a schedule and stores a cursor so
each poll fetches only what's new.
## 1. Create an API key
In the dashboard, open **Settings → API Keys** and create a key with the scopes
you need (`logs:read`, `monitoring-alerts:read`, `security-alerts:read`). Copy
the `1sec_live_…` secret - it's shown once.
Verify it:
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
https://api.1security.ai/api/v1/ping
```
## 2. The incremental polling pattern
Don't page through the entire history on every run. Instead, **window by
ingestion time** and persist the high-water mark between polls.
### Track a watermark
Persist the timestamp of your last successful poll (start with "now minus a
few minutes").
### Query the window
Ask only for events ingested since the watermark. For `/logs`, use
`discoveredFrom` (ingestion time) rather than `from` (event time) - late-
arriving M365 events are surfaced by ingestion time, so this never misses
them.
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
"https://api.1security.ai/api/v1/logs?discoveredFrom=2026-06-05T09:00:00Z&limit=1000"
```
### Drain pages
Follow `pagination.nextCursor` with `?cursor=` until `hasMore` is `false`.
### Advance + dedupe
Move the watermark to the current time, and dedupe on the event `id` (use it
as the SIEM event key) so an overlapping window never double-indexes.
Always overlap windows slightly (re-poll the last minute or two) and rely on
`id` dedupe rather than exact-boundary cursors. This is the safest way to
guarantee no gaps across restarts.
## 3. Wire it into your SIEM
Use a **REST API Modular Input** (e.g. the Splunk Add-on Builder or
`rest_ta`):
- Endpoint: `https://api.1security.ai/api/v1/security-alerts`
- Auth header: `Authorization: Bearer `
- Response handler: index `data[]`, set the event time from
`firstActivityDateTime`, and use `id` as the dedup key.
- Schedule: every 1–5 minutes, persisting `discoveredFrom`/`from` as a
checkpoint.
Use a **Codeless Connector** (or a Logic App) that GETs each endpoint on a
timer, paginates via `pagination.nextCursor`, and posts `data[]` to a Log
Analytics custom table through the Data Collection Endpoint. Store the
watermark in the connector's state.
Minimal poller sketch:
```bash
#!/usr/bin/env bash
SINCE=$(cat .watermark 2>/dev/null || date -u -d '-5 min' +%FT%TZ)
CURSOR=""
while :; do
RESP=$(curl -s -H "Authorization: Bearer $ONESEC_API_KEY" \
"https://api.1security.ai/api/v1/logs?discoveredFrom=$SINCE&limit=1000&cursor=$CURSOR")
echo "$RESP" | jq -c '.data[]' >> /var/log/1security-logs.ndjson
CURSOR=$(echo "$RESP" | jq -r '.pagination.nextCursor // empty')
[ -z "$CURSOR" ] && break
done
date -u +%FT%TZ > .watermark
```
## 4. Handle rate limits
Stay under 600 requests/min per key. If you receive `429`, honor the
`Retry-After` header. Polling each endpoint once per minute with a large `limit`
is well within budget for typical tenants.
## Field mapping cheatsheet
| Use for | Logs | Security alerts |
| ---------- | ------------------------------- | ----------------------- |
| Event time | `occurredAt` | `firstActivityDateTime` |
| Dedup key | `id` | `id` |
| Severity | `severity` | `severity` |
| Actor | `actorName` / `actorIp` | `actorDisplayName` |
| Resource | `resourceName` / `resourceType` | `threatDisplayName` |
See the full [API reference](/docs/reference/api) for every field and parameter.
=================================================================
## API Reference
URL: https://1security.ai/en/docs/reference/api
=================================================================
The 1Security REST API lets a SOC, MSSP, or SIEM **pull** your tenant's
detections on a schedule. Three resources are exposed today:
| Resource | Endpoint | What it is |
| ----------------- | -------------------- | -------------------------------------------- |
| Monitoring alerts | `/monitoring-alerts` | Alerts raised by your monitoring policies |
| Audit logs | `/logs` | Normalized M365 activity / audit events |
| Security alerts | `/security-alerts` | Microsoft Defender / Sentinel-sourced alerts |
This is a **read-only**, **pull-based** API: you poll it. Outbound webhook
push delivery is on the roadmap - see [SIEM
integration](/docs/guides/siem-integration) for the recommended polling
pattern in the meantime.
## Base URL
| Environment | URL |
| ----------- | --------------------------------- |
| Production | `https://api.1security.ai/api/v1` |
| Local dev | `http://localhost:4001/api/v1` |
## Authentication
Every request is authenticated with a **per-tenant API key**. A key is bound to
one tenant and grants read access to that tenant's data only.
### Creating a key
In the dashboard, go to **Settings → API Keys** (admin only) and choose
**Create API key**. The full secret - `1sec_live_…` - is shown **once**, at
creation. Store it in your SIEM's credential store immediately; it cannot be
retrieved again.
You can also mint a key from the server CLI for headless testing:
```bash
cd apps/server
bun src/scripts/createApiKey.ts --tenant --name "Splunk prod"
```
### Sending the key
Pass it as a bearer token (preferred) or via `X-API-Key`:
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
https://api.1security.ai/api/v1/ping
```
### Scopes
Each key carries one or more read scopes. A request to an endpoint whose scope
the key lacks returns `403`.
Treat an API key like a password. Anyone holding it can read the tenant's
alerts and logs. Rotate by creating a new key and revoking the old one —
revocation takes effect immediately.
## Pagination
List endpoints return at most `limit` items (default `50`, max `1000`) plus an
opaque cursor. To page through a result set, pass the returned `nextCursor` back
as `?cursor=`:
```json
{
"data": [
/* … */
],
"pagination": {
"nextCursor": "eyJvIjo1MH0",
"hasMore": true,
"limit": 50
}
}
```
When `hasMore` is `false`, `nextCursor` is `null` and you've reached the end.
For **incremental polling** (only new events since the last poll), filter by a
time window rather than paging the whole table - see
[SIEM integration](/docs/guides/siem-integration).
## Rate limits
Keys are limited to **600 requests per minute** (best-effort). Every response
includes `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset`
(epoch seconds). Over the limit returns `429` with a `Retry-After` header.
## Endpoints
### `GET /ping`
Connection test. Returns the tenant and scopes the key maps to - use it to
validate setup before wiring a connector.
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
https://api.1security.ai/api/v1/ping
```
```json
{
"data": {
"tenantId": "01H…",
"keyId": "01J…",
"name": "Splunk prod",
"scopes": ["logs:read", "monitoring-alerts:read", "security-alerts:read"]
}
}
```
### `GET /logs`
Normalized audit/activity events. Requires `logs:read`.
**Query parameters**
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
"https://api.1security.ai/api/v1/logs?severity=high,critical&limit=100"
```
```json
{
"data": [
{
"id": "01J…",
"occurredAt": "2026-06-05T09:12:44Z",
"discoveredAt": "2026-06-05T09:13:01Z",
"action": "FileDownloaded",
"severity": "high",
"actorName": "jane@contoso.com",
"actorType": "user",
"actorIp": "20.42.x.x",
"resourceName": "Q3-forecast.xlsx",
"resourceType": "file",
"workload": "SharePoint",
"applicationDisplayName": "Microsoft SharePoint"
}
],
"pagination": { "nextCursor": "eyJvIjoxMDB9", "hasMore": true, "limit": 100 }
}
```
### `GET /monitoring-alerts`
Alerts raised by your monitoring policies. Requires `monitoring-alerts:read`.
**Query parameters**
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
"https://api.1security.ai/api/v1/monitoring-alerts?severity=high&isResolved=false&limit=50"
```
Each item: `id`, `name`, `severity`, `status`, `isResolved`, `resourceType`,
`resources`, `assignedUser`, `description`, `createdFrom`, `lastScan`,
`resolvedAt`, `snoozedAt`.
### `GET /security-alerts`
Defender / Sentinel-sourced alerts. Requires `security-alerts:read`.
**Query parameters**
```bash
curl -H "Authorization: Bearer $ONESEC_API_KEY" \
"https://api.1security.ai/api/v1/security-alerts?severity=high&status=new"
```
Each item: `id`, `title`, `description`, `severity`, `status`, `classification`,
`category`, `threatDisplayName`, `firstActivityDateTime`, `isResolved`,
`users`, `groups`, `emails`, `apps`.
### `GET /security-alerts/{id}`
Full detail for a single security alert, including the raw provider payload
(`rawData`) and recommended actions. Requires `security-alerts:read`. Returns
`404` if the id is unknown to your tenant.
## Errors
Errors use a consistent JSON shape and standard HTTP status codes:
```json
{
"error": {
"code": "UNAUTHENTICATED",
"message": "Invalid, expired, or revoked API key."
}
}
```
Missing, invalid, expired, or revoked API key. Check the `Authorization`
header and that the key hasn't been revoked.
The key is valid but lacks the scope required by this endpoint. Create a key
with the needed scope.
The requested resource id does not exist within your tenant.
Too many requests this minute. Honor the `Retry-After` header.
Unexpected server error. Safe to retry with backoff.
=================================================================
## Configuration
URL: https://1security.ai/en/docs/reference/configuration
=================================================================
This page lists every setting exposed by 1Security, organised by area. Settings marked **(env)** can only be changed via environment variables; everything else is settable from the dashboard.
## Tenant settings
## Sensitivity scanner
## Notifications
## Environment variables (server)
These are set during deployment and require a restart to change.
```bash title=".env.local"
DATABASE_URL=postgres://localhost:5432/1security
GRAPHQL_URL=http://localhost:4001/graphql
OPENAI_API_KEY=sk-...
NEXT_PUBLIC_TIMEZONE=Europe/Warsaw
```
```bash title=".env.production"
DATABASE_URL=postgres://prod-pool:5432/1security
GRAPHQL_URL=https://api.1security.ai/graphql
SENTRY_DSN=https://...@sentry.io/...
NODE_OPTIONS=--max-old-space-size=8192
```
## Feature flags
Feature flags are subject to change without notice. Don't depend on them for production behaviour unless explicitly documented.
Surface AI-suggested policy changes in the dashboard. Default: **on** for Pro+ tiers.
Run sensitivity classification on multiple files in parallel. Default: **on**. Disable if you hit Microsoft Graph rate limits.
Cache permission graph computations between scans. Default: **off**. Significant performance boost for large tenants but increases memory usage.
=================================================================
## Activity Logs
URL: https://1security.ai/en/docs/screens/activity-logs
=================================================================
# Activity Logs
The Activity Logs screen is your organization's memory. It brings every action across your connected Microsoft 365 environment - files, email, Teams, SharePoint, sign-ins, AI agents, third-party apps - into one searchable, long-term timeline that answers **"who did what, when, from where, and on which device?"**
## What You Can Achieve
## Three Years of Retention, Out of the Box
Microsoft's default audit retention is short - often just 90 days - and extending it usually means expensive E5 or add-on licenses. 1Security retains your activity for **up to three years** as part of the platform (three years of usage builds up three years of history), on a standard license. When an incident surfaces months later, the trail is still there.
## Every Event, Attributed
The log table turns raw, cryptic audit events into readable rows. For each action you see:
- **What happened** - the action and a plain-language description, with an icon for the action type.
- **When** - when it occurred, and when 1Security discovered it.
- **Who** - the actor (user, app, or AI agent), clickable to their full profile.
- **On what** - the file, site, group, or other resource affected (and a count when one action touched many).
- **Through what** - the application or AI agent used.
- **From what device** - with an indicator for managed vs. unmanaged.
- **Its severity** - so the risky events stand out.
Click any row to open the full event, including the raw source record.
## Location Intelligence in Your Logs
Every event now also tells you **where it came from**. Two columns bring this to the surface:
- **Location** - the country and city behind the action.
- **Infrastructure** - the type of network: an ordinary connection, or a **VPN**, **Tor**, or **datacenter** (the risky ones are highlighted), or **Microsoft**'s own backend.
Many Microsoft 365 events carry Microsoft's datacenter IP rather than the
user's real one. 1Security recognises this and labels it **Microsoft** instead
of raising a false "foreign datacenter" alarm - while keeping genuine foreign
sign-ins fully visible. See [Location Intelligence](/en/docs/location).
### Filtering by Location
Alongside the usual filters (severity, actor type, source, action, and date), you can now narrow the timeline by:
- **Country** - everything from a specific country.
- **Infrastructure type** - e.g. show only Tor / VPN / datacenter activity.
- **Location novelty** - the _first time_ a user was ever seen at a location versus places they've been before. First-time locations are a lightweight, high-signal indicator of a new or suspicious session.
### The Locations Tab and One-Click Pivots
When you open a user's or device's drawer, the **Locations** tab lists everywhere that identity has been active - a travel timeline. **Click any location and you jump straight to the exact log events that came from it**, already filtered.
So an investigation like _"I see activity attributed to Delhi, but this user works in Warsaw - show me precisely which events those were"_ takes a single click.
## Why This Matters
Logs on their own are just data. The value is in the questions you can answer quickly: _Did this account do anything it never has before? From a place it never has? On a device we don't manage?_ By unifying action, actor, resource, device, and location in one retained timeline, the Activity Logs screen turns raw events into answers.
=================================================================
## Agents
URL: https://1security.ai/en/docs/screens/agents
=================================================================
Microsoft spreads AI agents across separate admin portals - Copilot, Azure AI Foundry, and Entra - each with its own model, tags, and APIs. The **Agents** screen unifies all of them into one governed list, with the same access-insight lens 1Security applies to users, apps, and files.
## One screen for every agent
The Agents screen covers the three overlapping agent ecosystems Microsoft exposes:
- **Microsoft Copilot agents** - declarative agents built in Copilot Studio / Agent Builder (e.g. a SharePoint policy finder, a Teams message extension).
- **Entra Agent ID agents** - autonomous backend agents with their own Entra identity (Copilot Studio, Azure AI Foundry).
- **Third-party agents** - SaaS apps that use Copilot behind the scenes (e.g. Decisions, Adobe).
Instead of three consoles, you get one list - and, where the same agent shows up in more than one place, a **single unified record** that joins its Copilot chat presence to its Entra API permission grants.
## Unified access insights
Every agent is broken down by what it can actually reach - the same model 1Security applies to identities and apps:
- **Files, sites, users, and emails** the agent can access
- **Sensitive data** exposed through that access - down to the specific sensitive information types within reach
- **Activity** - what the agent actually did, drawn from the same audit-log pipeline as users and apps, with per-action breakdowns: created, modified, deleted, moved, shared, downloaded
- **Knowledge / data sources** it reads from - SharePoint, OneDrive, Teams, email, Graph connectors, Dataverse, the web - resolved to what's actually inside them, so you can review the content an agent learns from
- **Permissions** - every atomic permission with its source (direct, inherited from a blueprint, or declared) and Microsoft's "blocked for agents" flag
The value is the stitching: signals from **Copilot, Azure, and Entra** become one agent record, so you can govern an agent's behaviour and its real data access in one place - without hopping between portals.
## Working with Microsoft's agent stack, not against it
Everything above is read natively from Microsoft's own surfaces - Copilot, Entra, and Azure - so this inventory always agrees with the portals your admins already use. 1Security doesn't replace the agent platforms; it adds the governance layer they don't have:
- **Access, quantified.** Copilot Studio shows an agent's configuration; 1Security shows the blast radius - how many files, sites, users, and emails it can actually reach.
- **Sensitive data, before it leaks.** Access is one thing; what enterprises actually fear is an agent surfacing regulated data to whoever asks it a question. 1Security lists the exact sensitive information types within each agent's reach - payment cards, health records, credentials - so you know which agent could leak what, and can block that access before an employee's innocent prompt (or an injected one) turns reach into disclosure.
- **Activity, attributed.** Agent actions land in the same activity stream as users and apps, with per-action breakdowns - so "what has this agent deleted, moved, or downloaded?" is a filter, not a log-parsing project.
- **Knowledge sources, opened up.** In the agent platforms a knowledge source is a pointer; 1Security resolves it to the content behind it, so you can review what an agent would learn _before_ employees start chatting with it.
Licensing is the one place agents differ from the rest of 1Security: everywhere else Business Basic is enough, but Microsoft gates the Copilot agent catalog behind **Agent 365** - a single license on the admin account that connects 1Security unlocks it (details below). Entra-backend agents need nothing extra.
## Licensing: what you can see
Agent visibility depends on the tenant's Microsoft licensing. This is a Microsoft API limitation, not a 1Security one.
1Security **always** scans the Entra backend. A license only gates the
Microsoft **Copilot Package catalog** - the API where lightweight Copilot
agents live.
| Agent type | Visible without Agent 365 | Needs Agent 365 |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-----------------------: | :-------------: |
| **Entra Agent ID agents** - Azure AI Foundry, heavier Copilot Studio bots (they create real Entra service principals tagged `power-virtual-agents-*` / `AgenticInstance`) | ✅ | |
| **Declarative Copilot agents** - SharePoint policy finders, Teams extensions, and third-party wrappers like Decisions / Adobe (no Entra footprint; they live only in the Copilot Package catalog) | | ✅ |
Without the license, declarative Copilot agents either don't surface or look like ordinary enterprise apps - 1Security can't tell they're agents. This affects **both third-party wrappers and first-party declarative Copilot agents**, not just third-party apps.
## Licensing: what you need to buy
You do **not** need the $99 Microsoft 365 E7 bundle. The product that unlocks
the catalog is **Agent 365**.
- **E7 ("Frontier" suite)** just bundles E5 + Microsoft 365 Copilot + the Entra Suite + Agent 365. It's the expensive way in.
- **Agent 365** is available **standalone at ~$15/user per month** and can be added on top of an existing E3 or E5 - this is all the API actually checks for.
**You only need ONE license.** 1Security reads the catalog with a **delegated** admin token, so Microsoft validates the license of the single admin who connected it - not every user. License that one admin account and the entire tenant's Copilot agent catalog unlocks.
**For testing:** assign one standalone **$15 Agent 365** license to the admin
account you use to connect 1Security.
## Connecting & graceful degradation
To scan Copilot agents, an admin connects a delegated token once (see the **Connecting Tenants** guide). Until that's done - or if the tenant has no Agent 365 - 1Security:
- still scans and governs every **Entra** agent,
- shows a banner on the Agents screen explaining that Copilot agents need Agent 365,
- never fails the tenant scan over a missing license.
### Talking to customers
A customer worried about Copilot security already owns Microsoft 365 Copilot - and Microsoft requires **Agent 365** to govern the agents they build with it using native tools, so most target customers already have it. If they don't, 1Security states the limit plainly:
> We can only scan your Entra backend. License your admin with Agent 365 to also scan your Copilot chat agents.
=================================================================
## Apps
URL: https://1security.ai/en/docs/screens/apps
=================================================================
# Apps
The Apps screen answers a question most organizations can't: **"Which third-party apps and AI tools are secretly reading our data - and who let them in?"** Every OAuth consent an employee clicked, every add-in, every vendor integration and managed identity is a standing credential into your data. Most tenants have hundreds; almost none can list them, let alone say what each one reaches.
## What You Can Achieve
## Access Channels - How Apps Really Get to Data
The single most important attribute of an app is not what it _is_ but how it _reaches_ your data. 1Security classifies every app's channel:
- **Tenant-wide app** - application permissions granted by an admin; reads data for _everyone_, no user present.
- **Admin-consent delegated** - an admin approved it to act on behalf of any user who signs in.
- **User consent** - an individual clicked "Accept". This is the shadow-IT channel - and the OAuth-phishing channel.
- **License-driven** - access implied by product licensing.
- **Explicit grant** - scoped, deliberate access to specific resources.
- **None** - present in the tenant, currently no data path. Still worth knowing about.
The screen also separates the five application flavors - **enterprise apps**, **app registrations**, **add-ins**, **agents**, and **managed identities** - and flags whether each publisher is **verified**.
## The App List
Each row quantifies an app's real footprint: files and users it can access (external users broken out), its permission levels to **files**, **user data**, and **email**, sensitivity labels and sensitive info within its reach, security alerts, when it was connected and by which admin, and an activity sparkline that separates the living from the abandoned.
Filters narrow by application type, access channel, Graph permission families (files, sites, chat, directory, audit logs, and more), publisher verification, sensitive-data reach, **orphaned indicators** (no users, no activity for a month or a year), and security alerts. Click any app for the full drawer view of its permissions and reach.
## Investigative Patterns
**The OAuth-phishing triage**: filter **user consent** + **unverified
publisher** + file or email permissions. This is the exact pattern attackers
use to turn one careless click into persistent mailbox access - review this
list on a schedule, not after the incident.
- **Overpowered and idle** - **tenant-wide** channel + **no activity in the last year**: maximum privilege, zero use. Revoke candidates with no business pushback.
- **AI with reach** - application type **Agent** + sensitive info present, then continue in the [Agents screen](/en/docs/screens/agents) for knowledge-source-level detail.
- **Blast radius pre-read** - before approving a pending consent request, look up the app's current reach and alerts here; approve with numbers, not vibes.
=================================================================
## Devices
URL: https://1security.ai/en/docs/screens/devices
=================================================================
# Devices
The Devices screen answers a question most organizations can't: **"What is actually touching our data - and do we trust it?"** It brings every device in your environment into one view, from fully managed corporate laptops to personal phones, and even devices you didn't know existed.
## What You Can Achieve
## Registered, Unregistered, and Shadow Devices
Not every device politely registers itself with Microsoft. 1Security classifies every device it sees so nothing slips through:
- **Registered** - properly enrolled in Entra ID / Intune, with full posture information.
- **Unregistered** - a device that is **not** in your directory at all, however we discovered it - from sign-in events or from data activity. Unmanaged access you'd otherwise be blind to.
- **Shadow** - the riskiest subset of unregistered: a device observed _accessing data_ with no observed authentication at all. Think "a sensitive document was opened from a machine that never signed in the normal way."
Because devices are reconstructed from real activity - not just the directory
- the Devices screen reflects how your data is *actually* being reached, which
is often broader than the official device inventory.
## Working With Intune, Not Against It
1Security integrates natively with Entra ID and Intune: compliance, management state, ownership, and trust type are read straight from Microsoft, so the posture you see here always agrees with your MDM. On top of that foundation, 1Security adds what Intune structurally can't see:
- **Devices that never enrolled.** Intune's model starts at enrollment - unregistered and shadow devices are invisible to it by definition.
- **A real last-seen signal.** Entra's activity timestamp updates only about every two weeks, and only on certain authentications; 1Security's last-seen comes from actual activity logs.
- **The data dimension.** Which files, users, and locations a device has touched - Intune has no data-access view at all.
None of this requires special licensing: a Business Basic tenant is enough for every insight 1Security produces itself - discovery, activity statistics, locations, and the data linkage. An Intune license enriches the same rows with Intune's own posture fields (compliance, management state, ownership) and unlocks remediation: when you find a device to wipe, retire, or disable, you do it in Intune or Entra - 1Security tells you exactly which ones deserve it.
## Quick Filters
An always-visible chip row above the list puts the security-relevant cuts one click away, each with a live count:
- **Shadow** and **Unregistered** - the discovery classes described above.
- **Unmanaged** - not under Intune (or any MDM) management.
- **Non-compliant** - failing its compliance policy.
- **Rooted** - jailbroken or rooted devices.
- **Compliance expired** - the device's compliance certification has lapsed.
- **No activity in the last year** - stale devices; prime cleanup and attack-surface candidates.
- **Personal** - BYOD: personal devices used for work.
- **Disabled** - device accounts turned off.
Chips combine with each other and with the full filter drawer - they're one mechanism - so **Unmanaged** + **Personal** is the classic "BYOD that nobody controls" view, one click away.
## The Device List
Each row summarizes a device at a glance - its name, operating system, how it's joined to your network (Trust Type), whether it's **compliant** and **managed** (e.g. by Intune), whether it's company-owned or personal, its account status, when it was first and last seen, its most recent IP, and the users associated with it.
Because devices are reconstructed from activity, each one also carries statistics no directory can give you: how many sign-ins it has made, and how many distinct users, applications, and IP addresses it has been seen with. A device shared by four users across twelve apps and nine IPs reads very differently from a one-user laptop - alongside hardware identity (manufacturer, model) and browser, that context is often what turns a row into a lead.
Click any device to open its detail drawer for the full story.
### The Locations Tab
Inside a device's drawer, the **Locations** tab shows a travel timeline: every place that device has been seen active - country, city, and network - newest first, with how many events came from each and when it was first and last seen there. Click a location to jump straight to that device's activity from it.
This makes questions like _"has this device suddenly started connecting from a datacenter or a foreign country?"_ answerable in seconds. See [Location Intelligence](/en/docs/location) for how these places are resolved.
## Filtering In Depth
A full filter drawer narrows the list to exactly what you're investigating - by **registration status** (registered, unregistered, shadow), **management** and **compliance** state, **rooted/jailbroken** status, **orphaned indicators** (no recent activity, no assigned users), **account status**, **compliance expiration**, **operating system**, **trust type**, **ownership**, **registration** and **last-seen** date ranges, and the specific **users** a device belongs to.
A powerful investigative pattern: combine **Unmanaged** + **Personal**
ownership + a recent **last-seen** range to find exactly the unmanaged,
personal devices that have been touching your environment lately.
=================================================================
## Emails
URL: https://1security.ai/en/docs/screens/email
=================================================================
# Emails
The Emails screen answers a question most organizations can't: **"Is data leaving through email - and would we even notice?"** Email is still the most common exit route for corporate data and the entry route for most compromises. 1Security turns your organization's mail flow into a security signal layer: direction, delegation, attachments, sensitivity, and thread evidence - without turning anyone's inbox into a surveillance feed.
## What You Can Achieve
## The Signals That Matter
- **Direction** - inbound, outbound, or internal. Exfiltration analysis starts with outbound; phishing analysis with inbound.
- **Sending method** - direct, **send as**, **send on behalf**, **shared mailbox**, or **delegate access**. Delegated paths are legitimate features and favorite BEC disguises; here they're first-class filters.
- **Thread evidence** - every message is classified as a thread root, direct reply, or forward, and threads are linked across mailboxes. A reply whose parent is **missing** from all scanned mailboxes means the original was deleted or never passed through your tenant - either way, worth your attention.
- **Attachments three ways** - classic file attachments, **cloud attachments** (SharePoint/OneDrive links), and **unique uploads**: files sent by mail that exist nowhere in your Microsoft 365 estate. Data appearing from - or leaving to - places you don't control.
- **Verdicts and sensitivity** - spam, phishing, and malware flags, plus sensitivity labels, protection status, and 1Security's own sensitive-info detections with confidence levels.
## The Email List
Each row carries the investigative surface: subject, sender, recipient counts split internal vs. external, direction, sending method, thread role and length, autoreply likelihood, importance, attachment and upload indicators, security alerts, and timestamps. Filters cover every signal above, plus sender and recipient search and date ranges. Click a message to open its drawer with the full thread context; select messages and choose **Run actions** to trigger automation workflows.
## Investigative Patterns
**The exfiltration shortlist**: filter **outbound** + external recipients +
**with sensitive info** + **unique uploads**. Sensitive content leaving the
organization in files that never existed in SharePoint or OneDrive - the
highest-signal mail view in the platform.
- **BEC sweep** - sending method **send as** or **delegate access** + outbound + external recipients: verify each delegated identity use is expected.
- **Cover-up traces** - **missing parent** + phishing or malware flags: threads where the incriminating original is already gone but the evidence chain survives.
- **Quiet forwarding** - type **forward** + external recipients + sensitive info: internal material being passed outside, one forward at a time.
=================================================================
## Files
URL: https://1security.ai/en/docs/screens/files
=================================================================
# Files
The Files screen answers the question most organizations can't: **"Who has access to our files - and why?"** Not who should have access according to the org chart - who actually does, right now: which people, which sharing links, which apps, which AI agents, across every SharePoint site and OneDrive in the tenant. Microsoft scatters that answer across thousands of permission dialogs. 1Security assembles it into one filterable map - and the map works at every altitude: start from the tenant-wide picture of oversharing, then drill until you can say exactly why one specific user, or one specific AI, can open one specific file.
## What You Can Achieve
## Exposure, Classified
1Security classifies every file by the paths that lead to it, so you filter by risk instead of reading permission dialogs one at a time:
- **Shared with anyone** - an anonymous link exists; the file is effectively public to whoever holds the URL.
- **Shared with the organization** - every employee can open it. This is how an "internal" payroll spreadsheet ends up in enterprise search results and Copilot answers.
- **External users** - named guests from outside your tenant hold access.
- **SharePoint-only guests** - external identities that live only in SharePoint and never appear in an Entra ID guest review.
- **Apps with access** - third-party applications and AI agents that can read the file.
Sensitivity comes from two engines - Microsoft Purview detections and 1Security's own content scan (300+ pattern detectors plus OCR for images), each detection carrying a confidence level. See [Sensitivity Scanning](/en/docs/sensitivity).
## The File List
Columns are grouped around the questions investigators actually ask:
- **Exposure** - users with access (and specifically with _edit_ access), groups with access, external-sharing flags, sharing links, and the users reaching the file through those links.
- **Sensitivity** - detected sensitive information and how much of it, applied sensitivity labels, and whether real protection such as encryption is in force.
- **Email trail** - how many times the file was uploaded or linked in email and when it last left through one. A download is not the only way data leaves.
- **Lifecycle** - who created and last modified it and when, size, location, and an activity sparkline that makes a suddenly-busy dormant file jump out.
Click any file to open its detail drawer for the full permission breakdown - then act on it without switching tools.
The filter drawer goes deeper than any native admin view: link scope (anyone / specific users / organization), link type (view / edit / review), links without passwords, links past their expiration date, disabled links, specific sensitive info types, minimum detection counts, file containers (personal OneDrives vs. SharePoint sites), and **files accessible to a specific user**.
## Remediation Built In
Remediation spans the same zoom range as the visibility: fix tenant-wide oversharing or remove one user's access to a single file. Select the files and choose **Remove access** - 1Security lists every user, group, and sharing link with access to the selection, lets you pick exactly which grants to strip, and pushes the change to Microsoft 365. **Run actions** triggers your automation workflows on the same selection. Write operations are opt-in by design - the platform runs read-only until you deliberately enable remediation.
## Investigative Patterns
**Public + sensitive + permanent**: filter **Shared with anyone** + **with
sensitive info** + links **without expiration**. This is your genuine "already
exposed" list - most teams find in minutes what manual audits missed for
years.
- **Offboarding sweep** - filter **Files accessible to user** for a departing employee or contractor and see everything they can still open, including access inherited through groups and links.
- **Purview gap audit** - **with sensitive info** + **without label**: the exact files where your classification policy exists on paper but not on the data.
- **Link hygiene** - links **without password** or **past expiration** on files with sensitivity detections; tighten or remove them straight from the selection.
=================================================================
## Groups
URL: https://1security.ai/en/docs/screens/groups
=================================================================
# Groups
The Groups screen answers a question most organizations can't: **"If someone lands in this group, what do they actually get?"** Groups are how access multiplies silently in Microsoft 365: groups contain groups, which contain more groups, and a single membership change can unlock thousands of files without any admin approving - or even noticing - the outcome.
## What You Can Achieve
## Group Types, Untangled
Microsoft 365 runs on six kinds of groups with very different security weight, and 1Security keeps them distinct: **Microsoft 365 groups**, **security groups**, **SharePoint groups**, **directory roles** (admin privileges - membership here is privileged access), **distribution lists**, and **mail-enabled security groups**.
For every group the screen separates **direct members** from **total users** (nesting resolved), and shows both **contained groups** and **parent groups** - so you can walk the inheritance chain in either direction.
## The Group List
Each row answers "what does this group unlock?" at a glance: member counts (direct, total, external), nesting depth in both directions, **accessible files** and **accessible sites**, affected items, sensitivity labels and sensitive info reachable through the group, sharing links granted to it, email traffic for mail-enabled groups, security alerts, and an activity sparkline. Click a group to open its drawer and see the members, resources, and activity behind those numbers.
The filter drawer narrows by group type, external vs. internal membership, a specific user's groups, **orphaned indicators** (no owners, no files, no users), sensitive info presence, security alerts, sharing-link characteristics, and email activity dates.
## Investigative Patterns
**Privilege check**: filter type **Directory Role** and scan the external and
total user counts. Every membership here is an admin privilege - if a role
group's effective membership includes anyone you can't name, you've found your
first finding.
- **Guest reach audit** - groups with **external users** sorted by **accessible files**: the exact groups where one guest invitation translates into the widest data reach.
- **Ungoverned access** - **no owners** + sensitive info present: access that keeps working with nobody responsible for it.
- **Dead lists that still receive** - distribution lists with external members and recent **emails received**: mail flowing to the outside through a list everyone forgot.
=================================================================
## Licenses
URL: https://1security.ai/en/docs/screens/licenses
=================================================================
# Licenses
The Licenses screen answers a question most organizations can't answer without a spreadsheet exercise: **"What are we paying Microsoft for that nobody is using?"** License spend grows by default - people leave, projects end, trials convert - and the units keep billing. This screen turns the license inventory into a reclamation list.
## What You Can Achieve
## The License List
Each row shows a subscription plan with its **status**, the **users** holding it (external users broken out), and the unit math that drives cost: **all units** purchased, **used units** assigned, and **available units** unassigned. The **applies to** column distinguishes user licensing from device licensing.
Sort by **available units** to get an instant savings shortlist, or by **external users** to review why guests hold paid seats at all.
## Investigative Patterns
**The renewal prep**: sort by **available units** descending, then review each
SKU's external-user count. In most tenants this ten-minute pass finds enough
idle and misassigned units to change the renewal conversation.
Licenses tell you what's _assigned_; activity tells you what's _used_. Cross-reference license holders against user activity and sign-in history to find paid seats on dormant accounts - then reclaim the license as part of the same offboarding automation that revokes the account's access.
=================================================================
## Sensitive Info
URL: https://1security.ai/en/docs/screens/sensitive-info
=================================================================
# Sensitive Info
The Sensitive Info screen answers the question every auditor asks and almost no one can answer: **"Where is our regulated data right now - and who can reach it?"** Credit card numbers, national IDs, health records, credentials - each detected type becomes one row, mapped across your entire estate: how many files and emails contain it, which sites concentrate it, and which users, groups, and apps can get to it.
## What You Can Achieve
## Two Engines, One Truth
Detections carry their provenance, and the two sources are deliberately independent:
- **Microsoft Purview sync** - 1Security imports the Sensitive Information Type detections Microsoft has already made, so existing Purview investment shows up here immediately.
- **1Security scan** - our own engine reads file and email content and applies 300+ detectors, including OCR for scanned documents and images - the place card numbers actually hide. It runs without E5 licensing. See [Sensitivity Scanning](/en/docs/sensitivity).
The two engines synergize rather than compete: existing Purview investment shows up immediately and gets an independent verification, while 1Security's own engine covers tenants - and file types - Purview doesn't. Remediation stays where it belongs: DLP and auto-labeling policies are configured in Purview, aimed by what you find here.
Every detection includes a **confidence level** (high / medium / low), so you can quote regulator-grade numbers from high-confidence matches while still investigating the long tail.
## The Detection List
Each row is a sensitive information type with its active status, confidence level, and reach counts across **files**, **emails**, **sites**, **groups**, **users**, and **apps**. Those counts are the pivot points: they tell you not just that 4,120 files contain IBAN numbers, but that they concentrate in two sites and are reachable by three third-party apps.
Filters scope the view to specific users, groups, sites, files, or apps, compliance frameworks, label associations, and orphaned resources - so "sensitive data reachable by X" is a filter, not a project.
## Investigative Patterns
**Third-party reach into regulated data**: filter framework **GDPR** and sort
by the **apps** column. Every app that can read personal data is a
data-processing relationship your DPO should know about - most organizations
discover several here they never documented.
- **Concentration analysis** - pick your highest-risk type (payment cards, health data) and check the **sites** count: two sites holding 90% of it means two remediation projects, not two hundred.
- **Regulator-grade numbers** - filter **high confidence** only when preparing disclosure or audit figures; keep lower confidence matches as your investigation backlog.
- **From detection to exposure** - from any type, pivot to the [Files screen](/en/docs/screens/files) and combine it with sharing filters to see which instances of that data are public, external, or unlabeled.
=================================================================
## Sensitivity Labels
URL: https://1security.ai/en/docs/screens/sensitivity-labels
=================================================================
# Sensitivity Labels
The Sensitivity Labels screen answers a question your labeling policy can't: **"How much of our data is actually labeled - and does the label actually protect it?"** Organizations invest months designing Purview taxonomies, then never measure deployment. This screen shows the ground truth: for every label, how many real files, emails, and groups carry it - and whether it enforces protection or just decorates the ribbon.
## What You Can Achieve
## Working With Purview, Not Against It
The labels themselves are Microsoft Purview's - 1Security syncs them natively, so everything here always agrees with your Purview configuration. What 1Security adds is the measurement layer Purview doesn't have:
- **Ground-truth deployment.** Live per-label counts across real files, emails, and groups - not the policy as designed, but where labels actually landed.
- **The unlabeled side.** The coverage-gap analysis (sensitive data carrying no label) is powered by 1Security's own scanning engine, so it works even where Purview detections don't reach.
- **Cross-estate context.** Labels join the same graph as sites, users, groups, and apps, so a label's real reach is one pivot away.
No special licensing is required on 1Security's side - a Business Basic tenant is enough for every insight 1Security produces itself, including the sensitivity detections behind the coverage-gap view. Purview enhances the picture with its labels and detections, and remediation stays where it belongs: taxonomy, auto-labeling, and enforcement are configured in Purview - 1Security shows you exactly where they're needed.
## The Label List
Each row is one label synced from Microsoft Purview: its real usage counts across **files**, **emails**, and **groups**, whether it enforces **protection** (encryption, watermarking), whether it's currently **active** in the tenant, the **content formats** it applies to, and its Purview **priority**. Click a label to drill into the resources carrying it.
## Investigative Patterns
**The false-comfort check**: find your highest-priority labels **without
protection** but with high file counts. Thousands of documents marked
"Confidential" that any recipient can open and forward - the gap between
labeled and protected is where leaks live.
Coverage has two sides, and this screen shows only the labeled one. For the other side - sensitive data carrying **no** label - go to the [Files screen](/en/docs/screens/files) and filter **with sensitive info** + **without label**. Together the two views turn "are we protected?" into a number you can track quarter over quarter.
=================================================================
## Sites
URL: https://1security.ai/en/docs/screens/sites
=================================================================
# Sites
The Sites screen answers a question most organizations can't: **"Where does our data actually live - and which of those places are wide open?"** Every Team spawns a site. Every private channel spawns another. Every employee carries a personal OneDrive. Most tenants hold several times more sites than IT believes they have - and the ones nobody remembers are exactly the ones nobody is watching.
## What You Can Achieve
## The Site Types That Matter
1Security distinguishes the site flavors Microsoft blurs together, because each carries a different governance story:
- **Sites, subsites, and hub sites** - classic SharePoint structure.
- **Teams-connected sites** - created implicitly whenever someone creates a Team; broken out further into standard, **private**, and **shared** channel sites, each with its own membership rules.
- **Personal sites** - every user's OneDrive. Corporate data in the thousands of "sites" nobody governs.
Access is split into **direct** users and **indirect** users (via groups) - so you can see not just how many people can enter a site, but through which doors.
## The Site List
Each row summarizes a site's footprint and risk: members, owners, direct vs. indirect access, external users, groups with access, sharing links, Teams channels (including private and shared), drives, lists, subsites, storage size, sensitivity labels and detected sensitive info, whether **Copilot is enabled**, and an activity sparkline. Click a site to open its drawer and drill into its files, users, and activity.
The filter drawer narrows by site type, external exposure, **orphaned indicators** (no activity in the last year, no users, no owners), blocked status, scan coverage, the full sharing-link toolkit (scope, type, passwords, expiration), sensitive info presence, and the sites a specific user can access.
Select sites and choose **Run actions** to trigger automation workflows on them.
## Investigative Patterns
**The forgotten-but-open pattern**: filter **no activity in the last year** +
**external users**. Nobody inside touches these sites - but someone outside
still can. This list is usually short, shocking, and immediately actionable.
- **Pre-Copilot cleanup** - **Copilot enabled** + **with sensitive info**, sorted by sensitive detections: the sites to label, restrict, or exclude before AI answers start quoting them.
- **Anonymous doors** - sites with **anyone** sharing links + sensitive info: whole containers reachable by URL alone.
- **Ownerless data** - **no owners**: nobody approves membership or reviews access for these sites. Assign owners or archive them.