One-time setup (takes ~30 seconds): no app registration needed.
1. Click Admin-consent this app. You'll be redirected to Microsoft's admin consent page to approve Application.Read.All and DelegatedPermissionGrant.Read.All (both delegated, read-only) for this tool in your tenant. A Global Administrator (or Privileged Role Administrator) account is required for this step.
2. After consent, click Sign in and audit. Any user with at least Global Reader can then run the audit.
The tool is a multi-tenant SPA hosted at blue16.nl. It runs entirely in your browser, read-only, and never sends data anywhere except Microsoft Graph.
Advanced: pin to a specific tenant
Useful if you're a guest in multiple tenants and want to force sign-in to a specific one.