Know exactly which
E5 licenses to cut.
Connect your Microsoft 365 tenant and get per-user downgrade classifications in minutes — backed by live Graph API signals across PIM, Conditional Access, Defender, and eDiscovery.
How it works
Three steps from consent to cost savings
Connect
Grant read-only admin consent. We request minimum permissions: User, Directory, Policy, and Role data.
Scan
Our engine checks each E5 user against PIM assignments, risk-based CA policies, Defender enrollment, and eDiscovery.
Act
Download a CSV with classifications, confidence scores, and remediation steps. Bring it to your licensing review.
Four-tier classification system
Every E5 user receives a deterministic safety classification with a confidence score
No E5-exclusive feature dependencies detected. Can move to E3 immediately.
Minor dependencies exist. Remove them (e.g., risk-based CA policy) then downgrade.
Active PIM, eDiscovery, or Defender P2 dependencies. Downgrade would break functionality.
Signal data was unclear or incomplete. Manual review recommended.
Exactly what we request — nothing more.
We request the minimum Graph API permissions required to assess E5 dependencies. All are read-only. We never write to your tenant.
User.Read.AllRead user license assignments
Directory.Read.AllRead organizational data
Group.Read.AllRead group license assignments
Policy.Read.AllRead Conditional Access policies
RoleManagement.Read.DirectoryRead PIM role assignments
eDiscovery.Read.AllDetect eDiscovery custodians