HomeDocsGetting started

Getting started

What actually happens between landing on the signup page and seeing your first posture score on the dashboard. The v3.0.0 self-serve flow, five steps, sourced from the production app.

Last updated 2026-05-12

What you’ll need

  • A Microsoft work accountUsed to sign in via Microsoft OAuth. Multi-factor authentication is enforced by your tenant’s Entra ID conditional access, ScanPosture doesn’t add a second MFA layer on top.
  • Tenant admin (later)The admin-consent step needs someone who can grant tenant-wide consent on Microsoft’s side, typically a Global Administrator. They don’t need to be the same person who signs up.
  • A couple of minutesSign-up + Microsoft sign-in is sub-second. The first scan typically completes within a minute or two of admin consent being granted.

The flow, step by step

Acknowledge UK data residency, click Continue with Microsoft

Visit app.scanposture.com/signup. The page is a single screen: a checkbox confirming you understand your organisation’s ScanPosture data will be stored and processed in the UK, and a Continue with Microsoft button. The button stays disabled until the checkbox is ticked. Each acknowledgement is recorded with timestamp, version, source route, IP and user-agent, visible to you and to your auditors via the in-product audit trail once the tenant is provisioned.

Sign in with Microsoft

You’re handed off to Microsoft’s standard OAuth sign-in. ScanPosture only requests user-scoped permissions at this step: openid, profile, email, and User.Read. The tenant-level Microsoft Graph permissions ScanPosture’s scan engine needs are NOT requested here, they’re handled in step 4 by your IT administrator. Your Entra conditional access enforces MFA at this point; ScanPosture relies on Microsoft’s own MFA, it doesn’t add its own.

Tenant + trial provisioned automatically

Microsoft hands you back to ScanPosture. In a single atomic database transaction, ScanPosture provisions your user account, your tenant, your 28-day trial, your acknowledgement record, and the connection placeholder. There is no “You’re registered” interstitial, no welcome email round-trip, and no separate workspace setup form, you land directly on app.scanposture.com/dashboard. The subdomain is generated for you; you can rename it later from Settings → Tenantif you’d prefer something custom.

Already have a ScanPosture account?

If the Microsoft account you signed in with already has a ScanPosture account, you land on your dashboard with a calm “Welcome back” toast. No re-provisioning, no trial reset. If your Microsoft tenant already has a ScanPosture account but registered to a different colleague, you’re shown a friendly rejection page that surfaces the existing owner’s email, ask them for an invite rather than creating a duplicate.

Get tenant-level admin consent

Your dashboard shows an “Almost ready, your IT admin needs to approve ScanPosture” panel. Two paths from here.

If you’re the Global Administrator, click “I’m the admin, grant access now”. You’re taken to Microsoft’s standard admin-consent screen where ScanPosture is listed as a Microsoft-verified publisher and the full read-only permission set is displayed. Approve, and you’re back on the dashboard. See Permissions for what each scope does and does NOT grant.

If you’re not the admin, click “Send admin consent link”and enter the admin’s email. The recipient address must match a verified domain on your Microsoft tenant, ScanPosture won’t send admin-consent links to addresses outside your own organisation. Send rate is capped: 30-minute cooldown per recipient, 5 sends per tenant per 24h, and 10 sends per recipient per 24h platform-wide. Your Global Admin receives an email containing only the consent URL, your name, your email, and your organisation name, no findings, no scan history, no other context. They click through, approve, and your tenant flips automatically.

First scan auto-runs, dashboard updates live

The moment your admin grants consent, ScanPosture queues your first scan automatically. The dashboard switches from the awaiting-consent panel to a live “First scan running”panel that polls every five seconds. Polling pauses if you switch to a different tab and resumes the moment you come back. When the scan finishes (typically 1–2 minutes for an SMB tenant), the panel disappears and the standard dashboard renders: posture score at the top, priority actions, framework readiness, and a recent-scan-movement strip.

That’s the whole loop

UK ack → Microsoft sign-in → auto-provisioned tenant → admin consent → first scan. No subdomain picker, no workspace setup form, no welcome-email round-trip. Subsequent scans run automatically, see How scanning works for cadence and triggers, and Trial for what happens during and after the 28-day window.

Where to look first on the dashboard

The dashboard is composed of four section groups, in a deliberate order:

1. Hero card, posture score (0–100), grade band (A–E), 30-day trend, and the metric rail (open findings, critical, high, resolved this week, users protected). This is the daily glance view.

2. Where to focus next, priority actions ranked by estimated score impact. Each action links to the affected control + remediation guidance. Start here for the highest-leverage fixes.

3. Posture & readiness, per-domain breakdown across nine control domains (Identity, Privileged Access, Conditional Access, Apps & Non-Human Identity, Tenant Configuration, Monitoring & Risk, Account Hygiene, Authentication, Authorisation), plus framework-readiness views for Cyber Essentials, ISO 27001:2022, GDPR Article 32, NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8.1, SOC 2 and NCSC CAF 4.0.

4. Operations & rhythm, operational signals (scan cadence, exception governance, change control) and the recent-activity feed. Useful for ongoing assurance work and audit preparation.

What to do next

Three things almost every new tenant does in the first week:

1. Set up Slack or Microsoft Teams alerts so the team sees scan results without having to log in. See Integrations.

2. Schedule the executive PDF report to land in stakeholders’ inboxes. See Reports.

3. Invite the rest of the security team from Settings → Team. Invited users sign in with their own Microsoft account and inherit MFA from your Entra tenant.

Email + password is also supported

If your organisation needs an account that doesn’t use Microsoft OAuth, for an MSP analyst, a platform admin, or a federation edge case, ScanPosture supports email-and-password sign-in with TOTP-based MFA (and recovery codes) as a fallback. The OAuth path above is the default for self-serve trials; the credentials path is opt-in and configured per user.