Introduction to TenLens.
TenLens is a local-first desktop console for hybrid identity teams. One place to report on, automate, and manage Active Directory and Microsoft Entra without bouncing between admin centers.
New to TenLens? Read this page for the big picture, then follow Installation to download and set up the desktop app.
What is TenLens?
TenLens is an on-premises desktop console for IT teams that manage hybrid Microsoft identity environments: on-premises Active Directory and Microsoft Entra ID side by side.
Instead of juggling the Entra admin center, Exchange admin, Intune, a folder of PowerShell scripts, and a separate LDAP tool, TenLens gives you one window to see what's happening and act on it. It reads both directories natively, caches data locally for fast search and reporting, and lets you run lifecycle changes and automations from the same place.
TenLens is built for the work that lives between AD and Entra: hybrid drift, license reclamation, MFA coverage, joiner/mover/leaver flows, and the reports your auditors actually ask for.
Who it's for
TenLens is designed for people who run identity day to day:
- Identity & access admins who need cross-directory visibility without writing a new script every week
- Hybrid IT teams managing both on-prem AD and cloud Entra tenants
- MSPs managing multiple customer organizations and Entra tenants from a single console
- Security & compliance leads who need scheduled reports, audit trails, and evidence on demand
- Platform engineers who want runbooks and a CLI instead of one-off automation glue
You do not need to be a PowerShell expert to get value from TenLens. The app ships with pre-built reports, guided flows, and visual runbooks. If you do live in the terminal, there is a full CLI and REST API when you want them.
How it works
TenLens runs entirely on your machine. Your directory data, cached reports, credentials, and audit logs stay under your control, not on a vendor SaaS bridge.
1. Install locally
   Download a signed desktop app for macOS or Windows. No server to provision, no agent to push to domain controllers, and no inbound firewall rules.
2. Connect your tenant
   Sign in with a Microsoft work account (or a service principal, if your org requires it). TenLens requests read-only Graph scopes by default and stores tokens in your OS keychain.
3. Optionally bind on-prem AD
   Point TenLens at your LDAP/LDAPS endpoints to correlate hybrid objects, detect drift, and run cross-directory lifecycle actions.
4. Work from one console
   Search users and groups instantly, run reports, schedule deliveries, and execute runbooks, all against live or recently synced directory data.
TenLens talks to Microsoft Graph and your AD endpoints directly. We do not host your installation, mirror your tenant, or require a cloud sync layer. Outbound HTTPS to graph.microsoft.com and login.microsoftonline.com is all you need for Entra.
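The read-only default from step 2 can be checked after consent by reviewing the delegated grants recorded for the app in your tenant. The following is an added example, not TenLens code: it audits a constructed JSON sample shaped like a Microsoft Graph oauth2PermissionGrants response, and the client ID, grant IDs, and the "operation segment is Read or ReadBasic" rule for what counts as read-only are assumptions made for illustration.

```python
import json

# OpenID Connect scopes cover sign-in and profile claims, not directory writes.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Assumed rule: Graph permission names look like Resource.Operation[.Constraint];
# only these operation segments are treated as read-only.
READ_OPERATIONS = {"Read", "ReadBasic"}

# Constructed sample in the shape of an oauth2PermissionGrants response.
# All IDs are placeholders, not real directory objects.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-console-placeholder",
   "consentType": "AllPrincipals",
   "scope": "openid profile offline_access User.Read.All Group.Read.All AuditLog.Read.All"},
  {"id": "grant-2", "clientId": "sp-console-placeholder",
   "consentType": "Principal",
   "scope": "User.Read Directory.ReadWrite.All GroupMember.ReadWrite.All"},
  {"id": "grant-3", "clientId": "sp-other-placeholder",
   "consentType": "AllPrincipals",
   "scope": "Mail.Send"}
]}
""")


def is_read_only(scope):
    """True for OIDC scopes and for permissions whose operation is a read."""
    if scope in OIDC_SCOPES:
        return True
    parts = scope.split(".")
    return len(parts) >= 2 and parts[1] in READ_OPERATIONS


def audit_grants(grants, client_id):
    """Return grants for client_id that carry anything beyond read-only scopes."""
    findings = []
    for grant in grants.get("value", []):
        if grant.get("clientId") != client_id:
            continue
        risky = sorted(s for s in grant.get("scope", "").split()
                       if not is_read_only(s))
        if risky:
            findings.append({"grant": grant["id"],
                             "consentType": grant.get("consentType"),
                             "scopes": risky})
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "sp-console-placeholder"):
        print(finding)
```

Anything the rule does not recognize as a read is reported, so unfamiliar permission names surface for review instead of passing silently.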
Local-first by design
That architecture matters for three reasons:
- Latency: Search and reports run against a local index, not a round trip through a remote service.
- Trust: Sensitive directory data never transits a third-party cloud you did not choose.
- Offline resilience: Many views work against cached data while sync catches up in the background.
What you can do
TenLens is not a single-purpose tool. The docs are organized around the jobs identity teams actually perform:
Reporting & insights
120+ pre-built reports across licenses, MFA, sign-ins, stale accounts, Conditional Access, and hybrid drift. Schedule them, export to CSV or PDF, or push summaries to Slack and Teams.
Lifecycle management
Onboard, move, and offboard users across AD and Entra in one flow: groups, mailbox, licenses, and app access applied together instead of spread across four admin centers.
Automation
Build visual runbooks from triggers, conditions, and actions. Dry-run before you write, roll back when something goes wrong, and schedule recurring jobs without maintaining a script library.
License intelligence
See who consumes what, find unused seats, and right-size your tenant before renewal season. Copilot pilot tracking and cost views ship in the same console.
Multi-tenant & hybrid operations
Connect multiple Entra tenants, bind one or more on-prem domains, and manage them from a single top-bar switcher. Hybrid drift detection flags objects that are out of sync between directories.
Each of these areas has its own section in the docs. This page stays at the overview level. Dive into Reporting, Automation, or Tenants when you are ready for specifics.
Get TenLens on your machine
TenLens ships as a native desktop app for macOS and Windows. The installer is notarized on macOS and Authenticode-signed on Windows. A typical install is around 200 MB and does not require admin rights for a personal install. Application data lives under your user profile.
You can download from the product page when you have access, or install via your platform package manager once you are off the waitlist. See Installation for step-by-step macOS and Windows walkthroughs with screenshots.
What's next
The fastest path from zero to a running install:
1. Installation
   Download and install TenLens for your operating system. Verify the app launches and check the version in Settings → About.
2. Open TenLens
   Start local services from the Desktop Launcher, then click Open TenLens to launch the main console in your browser.
If you are evaluating TenLens for a larger team, skim Permissions & scopes and Credential storage in the Security section before you roll out. They explain how TenLens handles tokens, RBAC, and audit logging at scale.