Security & tenant boundaries

Kybera Impact is designed for organizations where data residency, tenant boundaries, and security review are part of the procurement conversation. This page covers how the platform authenticates, where it runs, and what stays inside your tenant.

Your tenant, your subscription

Everything Kybera Impact does runs inside your Microsoft 365 tenant and your Azure subscription. The four Power Apps live in your Power Platform environment. The Azure Automation accounts are in a resource group you own. The portal site is in your tenant. The content-type hub and term store are the standard Microsoft 365 services in your tenant.

There is no Kybera-operated infrastructure your data needs to reach.

How authentication works

  • Managed identities, where Microsoft supports them. The automation accounts use Azure managed identities — Azure provisions and manages the credential, so there's no secret to store or rotate. This is the platform's default.
  • App-only certificates, where managed identity isn't supported yet. A few Microsoft Graph endpoints require an app registration. Certificates live in your Key Vault; only the automation account can retrieve them. No client secrets, no stored passwords.
  • User identity flows naturally through the apps. When a business user submits a request, the request is captured as their action; when a broker approves, the approval is captured as theirs.

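The three mechanisms above, shown as an added PowerShell example of how an Azure Automation runbook would combine them. This is illustrative code written for this page, not the platform's own runbook, and the vault name, certificate name, application id and tenant id are placeholders you would replace with your own values.

```powershell
# Added example (not Kybera Impact's code): an Azure Automation runbook that
# authenticates with the account's managed identity and, only for the Graph
# endpoints that still need an app registration, loads an app-only
# certificate from Key Vault at run time. No secret is stored in the runbook
# and nothing is written to disk.

# Placeholders (assumptions, not values taken from the product):
$VaultName = 'kv-placeholder'
$CertName  = 'graph-apponly-placeholder'
$AppId     = '00000000-0000-0000-0000-000000000000'   # your app registration
$TenantId  = '00000000-0000-0000-0000-000000000000'   # your Entra tenant

# 1. Managed identity: Azure issues the token for this automation account.
#    There is no credential parameter because there is no credential to hold.
Connect-AzAccount -Identity | Out-Null

# 2. App-only certificate: a Key Vault certificate exposes its PFX (base64,
#    no password) through the secret of the same name. The managed identity
#    needs only secret-read on this vault (RBAC role "Key Vault Secrets User"),
#    which is the narrow grant the page describes.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -AsPlainText
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($pfxBase64))
$pfxBase64 = $null   # drop the base64 copy as soon as the object exists

try {
    # 3. Sign in to Graph with the certificate. The resulting token is
    #    short-lived and the private key never leaves this process.
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -Certificate $cert -NoWelcome

    # Sanity check for the run log: confirm we are in app-only mode and
    # record which permissions the token actually carries.
    $ctx = Get-MgContext
    Write-Output ("Graph auth type: {0}; scopes: {1}" -f $ctx.AuthType, ($ctx.Scopes -join ', '))

    # ... the runbook's actual work goes here ...
}
finally {
    Disconnect-MgGraph | Out-Null
    $cert.Dispose()
}
```

Rotation then happens entirely in Key Vault: importing a new version of the certificate (and registering its public key on the app registration) is enough, because every run fetches the current version and nothing caches the old one.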
Least privilege, by design

  • No tenant-admin standing access. The platform's runtime identities don't have global admin or SharePoint admin roles. Specific operations get granted to the managed identity directly.
  • No mailbox access. The platform sends notifications via Microsoft Graph — it doesn't read user mailboxes.
  • No file content access. The platform reads library metadata (counts, content types, last-modified) but not document contents.
  • No identity-management capability. The platform reads identity through Graph; it doesn't create users or modify Entra groups.
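A reviewer does not have to take the four claims above on trust; the grants on a service principal are visible through Graph. The following is an added review script, written for this page rather than shipped with the product, that lists the Microsoft Graph application permissions and directory roles held by a runtime identity and warns if any of them contradict the claims. The identity display name is a placeholder, and the script assumes the reviewer signs in interactively with read-only directory scopes.

```powershell
# Added review script (not part of Kybera Impact): show what a runtime
# identity can actually do, so the least-privilege claims can be verified.
# Assumption: the display name below is the automation account's managed
# identity service principal in your tenant.
$IdentityDisplayName = 'aa-placeholder'

Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$IdentityDisplayName'"
if (-not $sp) { throw "No service principal named '$IdentityDisplayName' found" }

# Microsoft Graph's own service principal (well-known appId). Its AppRoles
# collection maps role ids to permission names such as Sites.Read.All.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions granted directly to the identity.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
$granted = foreach ($a in $assignments) {
    $name = if ($roleNames.ContainsKey($a.AppRoleId)) { $roleNames[$a.AppRoleId] } else { $a.AppRoleId }
    [pscustomobject]@{ Resource = $a.ResourceDisplayName; Permission = $name }
}
Write-Output "Application permissions granted to $($sp.DisplayName):"
$granted | Format-Table -AutoSize

# Directory roles are where standing admin access would show up.
# Expected result for this platform: nothing listed.
$roles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
Write-Output "Directory role memberships (expected: none):"
if ($roles) { $roles | ForEach-Object { Write-Warning "  $_" } } else { Write-Output '  none' }

# Flag permissions that would contradict the four claims on this page:
# mailbox reads, file content reads, or identity/group write capability.
$contradicts = $granted.Permission | Where-Object {
    $_ -match '^(Mail\.Read|Files\.Read|User\.ReadWrite|Group\.ReadWrite|Directory\.ReadWrite|RoleManagement\.ReadWrite)'
}
if ($contradicts) {
    Write-Warning "Permissions broader than the page claims: $($contradicts -join ', ')"
} else {
    Write-Output 'No permission contradicts the least-privilege claims.'
}

Disconnect-MgGraph | Out-Null
```

Run it once per runtime identity (each automation account has its own managed identity, and the app registration used for certificate auth has its own service principal) and keep the output with the security review, since the same script re-run after an update shows exactly what changed.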

What stays inside your tenant

  • All documents. Your content stays where Microsoft 365 stores it.
  • Identity. Users authenticate to Microsoft 365 the way they always have. Kybera Impact reads identity through Graph; it doesn't proxy authentication.
  • Operational logs. Every runbook run, every workflow job, every audit result is written to lists in your tenant. There's no external logging service.

Zero stored secrets

In a typical Kybera Impact deployment, there are effectively no secrets for your IT team to rotate manually. Managed identities have nothing to rotate. App-only certificates rotate on your schedule. Power Automate uses OAuth tokens managed by Power Platform. The portal lists hold configuration, not credentials.

Why your organization benefits

  • A short, clean security review. Reviewers see Microsoft's own primitives, not a vendor's hosting stack. The questions are familiar.
  • Compliance posture aligns with your tenant. Whatever you already commit to as a tenant — sovereignty, residency, retention — the platform inherits automatically.
  • Auditable end-to-end. Every runbook execution, every workflow job, every Graph call is visible in Azure and Microsoft 365 audit logs alongside your other tenant activity.

Where this fits

The architecture this security model attaches to is in How it's built. How the platform extends Microsoft's own security primitives is in Microsoft alignment.