PS architect@web:~/AzureHelper>Get-Architecture -Explain
how it's wired

Read-only by design.
Safe to put next to production.

Azure Helper is a thin browser extension plus a backend. It authenticates as you, with a public-client flow and read-only Graph scopes. It reads your tenant to teach — and there is no path for it to write. Here's exactly how the bytes move.

data flow

Three lanes — and the write lane never includes us

1 · connect (read-only)
  You (admin): click "Sign in" in the side panel
  → PKCE → Microsoft Entra (login.microsoftonline.com · public client, no secret)
  → .Read token → Extension: caches a short-lived, read-only delegated token

2 · read & teach
  Extension: side-panel UI in Chrome / Edge / Firefox
  → GET (.Read) → Microsoft Graph (graph.microsoft.com/v1.0 · CORS-enabled reads)
  → your data → Your tenant (Entra ID · M365 · returns real read data)
  → Azure Helper backend: LLM orchestration · learning content · entitlements · audit of reads. Never sees a write token because none exists.
  → explanation → Side panel: renders the answer + Portal / Graph / PowerShell steps

3 · change (you run it — we're not in this lane)
  Side panel: shows the exact step, three ways. Copy it.
  → you act → You: run it in the portal, Graph Explorer, or your own shell
  → write → Your tenant: the change happens under your credentials & audit log

The Helper has no write scope, so it physically cannot enter lane 3. Every change lives in your own audit trail, made by you.
capability boundary

What it can do — and what it can't

Can
  · Read users, groups, roles, licenses, policies & sign-in activity
  · Explain your real configuration in plain language
  · Generate the exact Portal path, Graph call & PowerShell for any task
  · Run read-only Graph queries in the Explorer

Cannot
  · Create, update or delete any object
  · Assign licenses, change policies, or reset passwords
  · Hold a client secret or app-only write role
  · Act outside what your own sign-in already permits
browser support

One product, three engines

The docked panel uses each browser's native API. Read-only scope keeps store review and enterprise allow-listing simple everywhere.

Concern       | Chromium · Chrome / Edge        | Firefox                      | Safari
Docked panel  | chrome.sidePanel (114+)         | sidebar_action (mature)      | Separate native-wrapped port
Background    | MV3 service worker (ephemeral)  | Persistent bg still allowed  | App-extension model
Auth          | identity.launchWebAuthFlow      | browser.identity (PKCE)      | ASWebAuthSession
Store review  | Easy — read-only perms          | Easy — read-only perms (AMO) | Xcode + App Store
Long-running work runs in the side-panel page (alive while open), not the killable MV3 worker.
trust & security

The boring details that make IT comfortable

public client

No secret in the browser

PKCE public-client flow — there's no client secret to extract, because the extension never holds one. App-only access (Team tier) is brokered server-side.

tokens

Short-lived & scoped

Read-only delegated tokens, cached briefly and refreshed via the identity API. Revoke in Entra at any time and access stops instantly.

LLM

Model stays server-side

Prompts, keys and orchestration live in the backend — never shipped in the extension — alongside the read-audit and entitlement checks.

enterprise

Allow-list friendly

A read-only extension with narrow host permissions is trivial for admins to approve via Chrome / Edge enterprise policy.

data

Your data stays yours

Reads are used to render your answer and aren't retained as tenant records. Only learning progress & usage are stored per account.

portal

We don't puppeteer the portal

No fragile DOM scraping of portal.azure.com — the Helper calls Graph directly and teaches the portal path as instructions.

Safe enough to demo on a live tenant.

Because the worst it can do is read.

© 2026 Azure Helper · Architecture is illustrative · Visual style inspired by learn.cloudpartner.fi · Not affiliated with Microsoft.