Revoking tenant access and data deletion
How to remove a tenant from CloudCapsule, revoke its enterprise app in Entra ID, and what gets deleted.
When a client relationship ends, or a tenant simply no longer needs to be managed, you need to remove it from CloudCapsule and separately revoke the access it was granted during consent. These are two different actions, and skipping the second one leaves the client's tenant holding an enterprise application that no longer serves any purpose.
Order of operations
- Export or download anything you want to keep, such as a Delta Report or an evidence package, before you remove the tenant. Assessment history is not recoverable once a tenant is gone from CloudCapsule.
- If Manage is enabled on the tenant, disable it first. This step is permanent: it erases the tenant's historical assessments, drift data, deployed policies, exclusions, and any co-managed portal access set up for the client.
- Remove the tenant from CloudCapsule. This stops all future scans and reporting for it.
- Sign in to the client's Microsoft 365 tenant with a Global Administrator or Privileged Role Administrator account and revoke the CloudCapsule enterprise application, covered below. Removing the tenant on your side does not touch anything on theirs, so this step still has to happen even after step 3.
Revoking the enterprise application in the client tenant
CloudCapsule connects to a tenant through one or two app registrations, depending on the consent level that was granted.
- CloudCapsule: the read-only registration used for Analyze. It's present on every tenant that was ever connected.
- CloudCapsule-Manage: an additional registration with least-privilege write scopes, present only if the tenant had Read & Write consent for Manage.
- In the client's Microsoft 365 environment, open Entra ID and go to enterprise applications.
- Find CloudCapsule, and CloudCapsule-Manage if it appears.
- Remove each one. This revokes the delegated permissions immediately, and CloudCapsule can no longer read from or write to that tenant.
This step has to be done by an administrator with sufficient privilege in the client tenant itself. CloudCapsule cannot revoke its own access from your side.
What gets removed from CloudCapsule
Deleting a tenant from CloudCapsule removes what CloudCapsule stored about it, not the client's actual Microsoft 365 configuration. Anything changed through Quick Fixes, Guided Workflows, or Capsules stays exactly as it was left; CloudCapsule only clears its own records.
- Assessment and control history, including past scan results and the trend data used for historic reporting.
- Drift detection data and any reversions it had recorded.
- Policies, exclusions, and configuration tracked through Manage, if it was enabled.
- Annotations and the audit trail tied to that tenant.
- Co-managed portal access, if the client had been given a login to view their own data.
None of this reverses changes CloudCapsule made while it was connected. If you need to undo a specific fix, do that manually in Microsoft 365, the same as any other configuration change.