Releases: excelano/xensus

v1.0.1

09 Jun 12:54

Changelog

v1.0.0

28 May 23:17

Xensus is a self-hosted identity registry for Microsoft 365 tenants. Its only job is to hand out a permanent ID for every person in your organization's orbit and record where each one shows up — in HR, in Active Directory, in FieldGlass, in whatever system a steward names.

I built it because every client I work with has the same gap. HR tracks employees and some contractors. FieldGlass tracks staffing-vendor contractors, but not all of them. Independent consultants are tracked nowhere. MSP-managed staff need system access but live in no corporate registry. For years organizations have tried to make one of these systems the master record for everyone, and it never holds: each owner backs out the moment the scope grows past their mandate, because tracking the whole orbit was never their job in the first place.

Xensus exists to be that one job and nothing else. It assigns canonical IDs in the form X-000123, and those IDs are permanent — never deleted, never reused. A steward can record that X-000123 is employee 48817 in Workday and contractor c-9921 in FieldGlass, and anyone signed in to your tenant can look it up. The registry doesn't reconcile or verify those identifiers; it records what your stewards assert and keeps a full audit trail of who asserted what and when.
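The sketch below is an added example, not Xensus's own code or schema. It shows one way a SQLite-backed registry can enforce never-reused IDs and an append-only record of steward assertions; the table, column, trigger and function names are assumptions, and the sample identifiers are the ones quoted above.

```python
import sqlite3

# Hypothetical schema (assumption): every name here is illustrative only.
SCHEMA = """
CREATE TABLE person (
    -- AUTOINCREMENT makes SQLite remember the highest number ever issued,
    -- so a number is never handed out a second time.
    n          INTEGER PRIMARY KEY AUTOINCREMENT,
    created_by TEXT NOT NULL,
    created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE assertion (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    person_n    INTEGER NOT NULL REFERENCES person(n),
    system      TEXT NOT NULL,
    external_id TEXT NOT NULL,
    asserted_by TEXT NOT NULL,
    asserted_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Permanence and the audit trail are enforced in the database itself.
CREATE TRIGGER person_no_delete BEFORE DELETE ON person
BEGIN SELECT RAISE(ABORT, 'canonical IDs are permanent'); END;
CREATE TRIGGER assertion_no_update BEFORE UPDATE ON assertion
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER assertion_no_delete BEFORE DELETE ON assertion
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_registry(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")  # reject assertions for unknown IDs
    db.executescript(SCHEMA)
    return db

def canonical(n):
    return f"X-{n:06d}"  # 123 -> X-000123

def new_person(db, steward):
    with db:  # commit on success, roll back on error
        cur = db.execute("INSERT INTO person (created_by) VALUES (?)", (steward,))
    return canonical(cur.lastrowid)

def assert_identifier(db, xid, system, external_id, steward):
    # Stored as asserted; nothing is verified against the named system.
    with db:
        db.execute("INSERT INTO assertion (person_n, system, external_id, asserted_by)"
                   " VALUES (?, ?, ?, ?)", (int(xid[2:]), system, external_id, steward))

def lookup(db, xid):
    return db.execute("SELECT system, external_id, asserted_by FROM assertion"
                      " WHERE person_n = ? ORDER BY id", (int(xid[2:]),)).fetchall()
```

Putting the rules in triggers means a stray DELETE or UPDATE issued directly against the database file fails too, not only one that goes through the application.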

What it deliberately does not do matters just as much. It does not connect to your source systems, and it does not sync, scrape, or reconcile anything. It reads no mail, no calendars, no directory — it asks Microsoft only who you are at sign-in. Wiring Xensus up to the systems it points at is real work, and it's the work I do for clients; the registry itself is free.

Xensus ships as a single Go binary with no runtime dependencies and stores everything in a local SQLite file. Sign-in runs through your own Microsoft Entra app registration, so there is no shared Excelano app in the path and your tenant's data never leaves your server. You run one deployment per tenant, and the first person to sign in binds that tenant and becomes its first steward. Install it with the one-line script, a Debian package, or go install — the README covers setup, the Entra registration, and deployment end to end.

The /api/v1/ REST surface is stable as of this release. Verify any download against the checksums.txt published below. MIT licensed.