The compliance tool MSP teams reach for

Azure compliance for every client, automated.

Beacon scans every Azure tenant you manage every 6 hours, surfaces the gaps, and ships the reports.

Set up in 15 minutes
No agents in client tenants
Cancel anytime

Includes checks required by CIS Microsoft 365 Benchmark, NIST CSF, and ISO 27001:2022

Everything your MSP needs for compliance

Beacon handles the full lifecycle, from scanning to remediation guidance to client reporting, without the manual work.

Automated 6-hour scans

Beacon runs the full check suite against every managed Azure tenant every 6 hours. Critical findings surface within minutes. No manual intervention, no missed windows.

  • Scan interval: 6h
  • Checks per scan: 63
  • Agents required: 0

63 built-in security checks

Identity, Conditional Access, NSG rules, Key Vault, storage, Defender for Cloud, EOL OS, Intune, M365, DevOps — via Microsoft Graph and ARM APIs.

Intune endpoint checks

Five checks across unenrolled devices, non-compliant endpoints, stale sync, unsupported OS builds, and missing Windows Update rings.

Microsoft 365 coverage

Exchange, SharePoint, and Teams: DKIM, DMARC, legacy authentication, anonymous sharing links, and external federation policy.

Defender for Cloud

Seven checks: stale recommendations, active high/critical alerts, workload protection gaps, and regulatory compliance score.

DevOps & GitHub checks

Seven checks: public ADO projects, over-privileged service connections, branch protection, pipeline secrets, and unpinned GitHub Actions.

Multi-tenant RBAC

Four role levels with team-based access scoping. Every MSP's data completely isolated.

Per-client SLA tracking

Configurable SLA targets per client and severity. Automatic breach detection and alerts.

Client compliance portal

Growth+: share a read-only URL with each client showing their score, active findings, and resolved activity. MSP controls exactly what's visible.

Cross-client findings

Pro+: aggregate findings from every client in one table. Bulk acknowledge, assign, or suppress up to 500 findings at once.

Auto PSA escalation

Growth+: hourly job creates ConnectWise, HaloPSA, or Freshservice tickets for any finding that has passed its SLA due date.

Remediation Dashboard

Growth+: per-client MTTR, SLA breach rate league table, and weekly opened-vs-resolved bar chart across 30/60/90-day windows.

Scheduled compliance reports

Weekly or monthly reports emailed directly to clients. Findings, score trends, and remediation guidance included.

PSA and webhook integration

Push findings to ConnectWise, HaloPSA, or Freshservice per client. HMAC-signed webhooks for Slack, Teams, and custom integrations.

SAML SSO and MFA

Integrate with Microsoft Entra ID or any SAML 2.0 provider. TOTP MFA for local accounts. AES-256-GCM encryption at rest.

Tamper-evident audit log

HMAC-SHA256 chained log. Provide auditors evidence of control operation without exposing raw data.

AES-256-GCM encryption

Credentials, notification channel secrets, PSA API keys, and report recipient emails all encrypted at rest. GET responses return masked values.

GDPR data portability

Self-service org deletion (Article 17) and structured data export (Article 20). Rate-limited to 5 exports per org per day.

Per-client scan scheduling

Configure a custom scan interval for each client. Default is 6 hours; shorter intervals available on Growth and Pro plans.

REST API and M2M tokens

Full REST API with machine-to-machine tokens for automation. Build dashboards or feed findings into your ITSM workflow.

63 security checks, continuously evaluated

No agents, no extra tooling in the client tenant. Beacon uses Microsoft Graph and Azure Resource Manager APIs directly.

Identity and access (6 checks)

  • ID-001 Privileged accounts without MFA: Admin roles that have not enrolled in multi-factor authentication
  • ID-002 Missing Conditional Access policies: No CA policies blocking legacy authentication or requiring MFA for all users
  • ID-003 Risky users flagged by Identity Protection: Accounts with high or medium risk signals from Entra ID Protection
  • ID-004 App registration credential expiry: Client secrets or certificates expiring within 30 days
  • ID-005 Admin accounts with weak MFA: Administrators using SMS or voice call instead of an authenticator app
  • ID-006 Directory sync disabled: Hybrid environments where Entra Connect sync has stopped

Infrastructure (9 checks)

  • INF-001 NSG rules exposing sensitive ports: Inbound rules open to the internet on RDP, SSH, or SQL
  • INF-002 Storage accounts with public access: Blob containers allowing anonymous public read or list access
  • INF-003 Key Vault soft delete disabled: Key Vaults without soft delete or purge protection enabled
  • INF-005 Recovery Vault soft delete disabled: Azure Backup vaults without immutable or soft-delete protection
  • INF-007 SQL backup retention below 7 days: Azure SQL databases with point-in-time restore retention under 7 days
  • INF-008 Defender for Cloud not enabled: Subscriptions missing Microsoft Defender for Cloud plans
  • INF-009 End-of-life OS versions in use: Virtual machines running Windows Server 2012 or other EOL operating systems

Intune endpoints (5 checks)

  • EP-001 Unenrolled devices: Devices not enrolled in Intune MDM
  • EP-002 Non-compliant devices: Devices marked non-compliant by Intune compliance policy
  • EP-003 Unsupported Windows build: Devices running Windows older than build 18362 (19H1)
  • EP-004 Stale device sync: Devices that have not synced with Intune in 14 or more days
  • EP-005 Update ring not configured: No Windows Update ring policy assigned to the device group

Microsoft 365 (6 checks)

  • M365-002 Legacy auth not blocked: No Conditional Access policy blocking legacy authentication protocols
  • M365-004 DKIM not configured: DKIM signing not enabled for the primary Exchange Online domain
  • M365-005 DMARC missing or p=none: DMARC record absent or set to monitoring-only policy
  • M365-006 SharePoint anonymous links: Anonymous sharing links enabled on one or more SharePoint sites
  • M365-007 SharePoint external sharing: SharePoint external sharing policy allows new and existing guests
  • M365-009 Teams external federation: Teams federation unrestricted — any external domain can initiate contact

Defender for Cloud (7 checks)

  • DEF-001 Stale recommendations: Unresolved Defender for Cloud recommendations older than 30 days
  • DEF-002 Active high/critical alerts: Open high or critical security alerts in Defender for Cloud
  • DEF-003 VM protection off: Microsoft Defender for Servers not enabled on one or more subscriptions
  • DEF-004 SQL protection off: Microsoft Defender for SQL not enabled
  • DEF-005 Storage protection off: Microsoft Defender for Storage not enabled
  • DEF-006 Container protection off: Microsoft Defender for Containers not enabled
  • DEF-007 Compliance score low: Defender for Cloud regulatory compliance score below 70%

DevOps & GitHub (7 checks)

  • DEV-001 Public ADO projects: Azure DevOps projects discoverable by the public internet
  • DEV-002 Subscription-scope service connections: Service connections using Subscription-scope service principals
  • DEV-003 Branch policy missing: Default branch has no blocking reviewer policy configured
  • DEV-004 Unencrypted pipeline secrets: Pipeline variables with secret-like names stored as plaintext
  • DEV-005 No branch protection: GitHub default branch has no branch protection rules enabled
  • DEV-006 No required PR reviews: Branch protection exists but does not require pull request reviews
  • DEV-007 Unpinned Actions: Workflow steps reference third-party Actions by tag rather than pinned SHA

Up and running in three steps

No agents. No complex setup. Beacon only needs a read-only Azure App Registration in each client tenant.

01. Create an App Registration

In each Azure client tenant, create a read-only App Registration. Grant it the Graph API and ARM reader permissions Beacon needs. Paste the credentials into Beacon.

02. Beacon scans automatically

Beacon runs the full 63-check suite every 6 hours. Findings are reconciled across scan cycles, so no duplicate alerts. Critical issues trigger immediate notifications.

03. Remediate, report, repeat

Fix issues from guided remediation steps, share read-only portals with clients, and schedule automatic compliance reports. Compliance scores update in real time.

Simple, per-client pricing

Pay for the Azure tenants you manage. All features available on Growth and Pro plans.

A single manual compliance audit costs thousands in engineer time. Beacon runs the same checks continuously, for every tenant, starting at $49 per month.

2 months free on annual billing

Solo

$15 /mo

$180 billed yearly

1 user, 1 Azure tenant

  • All 63 security checks
  • 6-hour automatic scans
  • Email alerts
  • Compliance reports

Starter

$39 /mo

$468 billed yearly

Up to 10 Azure tenants

  • All 63 security checks
  • 6-hour automatic scans
  • Email alerts
  • Scheduled reports

Growth (most popular)

$79 /mo

$948 billed yearly

Up to 30 Azure tenants

  • Everything in Starter
  • Slack & Teams notifications
  • SAML SSO
  • Per-client SLA and webhooks
  • PSA integration
  • Priority email support
  • Client compliance portal
  • Auto PSA escalation
  • Remediation Dashboard

Pro

$159 /mo

$1,908 billed yearly

Up to 75 Azure tenants

  • Everything in Growth
  • Custom compliance checks
  • API access and M2M tokens
  • White-label reports
  • Cross-client findings & bulk remediation

Enterprise

Custom

Unlimited Azure tenants

  • Everything in Pro
  • Dedicated infrastructure
  • SLA-backed uptime
  • White-label portal
  • Custom check development

Card required at checkout. Cancel anytime. Annual billing saves two months. Questions? Contact us.

Built for MSPs. Not retrofitted.

Beacon is the only Azure compliance platform designed around how MSPs actually work: managing multiple client tenants, proving compliance, and keeping engineers focused on fixes.

Manual audits & spreadsheets
  • Monthly reviews at best, weeks between audits
  • Engineer hours consumed per client, every month
  • No alerting, issues sit undetected between reviews
  • No client-shareable reports without manual export
  • Does not scale, each new client adds linear overhead

Microsoft Defender for Cloud
  • Per-tenant setup, no unified cross-client view
  • Requires Azure Defender licensing in client tenants
  • No team scoping, SLA tracking, or per-client reporting
  • No PSA integration or scheduled client reports
  • Identity-focused, limited infrastructure and backup checks

Beacon (purpose-built for MSPs)
  • 6-hour automated scans across every managed tenant
  • Single pane of glass with MSP-native team scoping
  • PSA + webhook integrations built in from day one
  • Scheduled reports delivered directly to client contacts
  • No extra licensing, one read-only App Registration per tenant

Live read-only demo

See Beacon in action

Explore a pre-loaded environment with 5 sample MSP clients, real findings, and full navigation. No sign-up required, just use demo code BEACON-DEMO.

Read-only. No sign-up required. No data stored.

Stop checking Azure manually.

Beacon runs the full check suite every 6 hours. You get alerts when something needs attention.