The safest thing you'll connect to a tenant.
AIRM is designed to be the lowest-risk integration in a client tenant: agentless, read-only, and reversible in one click. Nothing is installed, no business content is read, and nothing changes unless a human explicitly acts. Here is exactly how it works.
How AIRM connects
- Agentless. Nothing is installed in the tenant or on any endpoint. AIRM connects through the Microsoft Graph API.
- Read-only. AIRM requests delegated, read-only Graph permissions. On day one it observes only.
- GDAP-compatible. Designed for MSP delivery through Granular Delegated Admin Privileges, without standing access where it isn't needed.
- Microsoft Verified Publisher. Sabiki's publisher identity is verified with Microsoft. A Global Admin approves a one-time consent.
What AIRM can access, and what it can't
AIRM reads identity and permission metadata only: users, applications, service principals, OAuth grants, role assignments, and sign-in and audit metadata. It does not read mailboxes, files, chats, or any business content. It cannot create, modify or delete anything in the tenant unless you explicitly choose to act on a finding.
The permissions we request
| Permission | Why | Access |
|---|---|---|
Directory.Read.All | List users, apps and service principals (the non-human identities) | READ |
Application.Read.All | See app registrations, agents and their granted scopes | READ |
AuditLog.Read.All | Spot stale or unused credentials | READ |
What we store
AIRM stores the identity inventory and risk findings needed to produce the report and the NHI Risk Score. It does not store your emails, files or business content.
Revoke access at any time
Go to the Microsoft Entra admin centre → Enterprise applications → Sabiki AIRM → revoke. Access ends immediately. You stay in full control.
Hosting & data residency
Certifications & attestations
Sabiki is a Microsoft Verified Publisher. Formal security attestations are being progressed:
Sub-processors
Security questions before you connect a tenant?
Talk to us directly, or run the free NHI Risk Score read-only on any Microsoft 365 tenant and see exactly what AIRM does.
Free NHI Risk Score →