Glossary
M365 & Entra ID terms, defined
Short definitions for the vocabulary admins use in audits, QBRs, and cleanup projects. Each term links to guides and scanner checks where relevant.
Security
- Conditional Access
Entra ID policies that grant or block sign-in based on user, group, application, device state, location, and risk signals. A policy in the On state enforces its grant controls (block, require MFA, require a compliant device); a policy in report-only evaluates sign-ins and logs the outcome without enforcing anything.
- Report-only mode (Conditional Access)
A Conditional Access policy state (enabledForReportingButNotEnforced in Graph) that evaluates sign-ins and writes the result to the sign-in logs without blocking access. Useful for measuring impact before enforcement, but a policy left in report-only indefinitely protects nothing while looking like a control on paper.
- Legacy authentication
Sign-in through protocols that use basic (username and password) authentication, such as IMAP, POP3, SMTP AUTH, Exchange ActiveSync, and older Office clients. Because these flows never present an MFA prompt or device state, they cannot be protected by MFA or device-based Conditional Access. Blocking legacy authentication, via Conditional Access or security defaults, is a baseline control for most tenants; note that SMTP AUTH with basic authentication can still be enabled per mailbox in Exchange Online.
- Multifactor authentication (MFA)
A second verification factor beyond the password at sign-in: authenticator app push or passkey, FIDO2 security key, or (weakest, and phishable) SMS or voice call. Entra ID tracks per-user registration in the authentication methods report; gaps most often appear on admin, shared, break-glass, and service accounts.
- Microsoft Secure Score
Microsoft's security posture score, shown in the Microsoft Defender portal (its identity subset appears as Identity Secure Score in the Entra admin center), computed from recommended security actions across identity, devices, apps, and data. It does not measure license waste, expiring credentials, or tenant hygiene.
- Security defaults
Free baseline settings in Entra ID, intended for tenants without the Entra ID P1 licensing that Conditional Access requires. They require all users to register for MFA, enforce MFA for admins (and for other users when needed), and block legacy authentication. Security defaults and Conditional Access are mutually exclusive, so mature tenants turn them off and replace them with equivalent CA policies.
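The three checks that come up most often in a Conditional Access review are: which policies are still in report-only, whether any enforced policy blocks legacy authentication for all users, and whether security defaults are doing that job instead. The following is an added example written for this glossary, not Tenant Hawk's code. It assumes the Microsoft.Graph PowerShell module and the read-only Policy.Read.All scope; the two client app types used to target legacy auth in Conditional Access are exchangeActiveSync and other.

```powershell
# Added example, not Tenant Hawk code: inventory Conditional Access policies,
# flag report-only ones, and check whether legacy authentication is blocked.
# Assumes the Microsoft.Graph PowerShell module and a read-only scope.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Security defaults block legacy auth on their own, so check them first.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($secDefaults.IsEnabled) {
    Write-Host 'Security defaults are ON: admins get MFA and legacy auth is blocked tenant-wide.'
}

# In Conditional Access, legacy auth is targeted through these client app types.
$legacyClientTypes = @('exchangeActiveSync', 'other')

$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $clientTypes   = @($p.Conditions.ClientAppTypes)
    $blocks        = @($p.GrantControls.BuiltInControls) -contains 'block'
    $targetsLegacy = ($clientTypes -contains 'all') -or
                     [bool]($legacyClientTypes | Where-Object { $clientTypes -contains $_ })
    $allUsers      = @($p.Conditions.Users.IncludeUsers) -contains 'All'

    [pscustomobject]@{
        Policy           = $p.DisplayName
        State            = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        ReportOnly       = $p.State -eq 'enabledForReportingButNotEnforced'
        BlocksLegacyAuth = $blocks -and $targetsLegacy -and $allUsers
    }
}

$report | Sort-Object State, Policy | Format-Table -AutoSize

# Policies that are evaluated and logged but never enforced.
$report | Where-Object ReportOnly | ForEach-Object {
    Write-Warning "Report-only (not enforcing): $($_.Policy)"
}

# Is legacy auth actually blocked for everyone by an enforced policy?
$enforcedBlock = $report | Where-Object { $_.State -eq 'enabled' -and $_.BlocksLegacyAuth }
if (-not $secDefaults.IsEnabled -and -not $enforcedBlock) {
    Write-Warning 'No enforced Conditional Access policy blocks legacy authentication for all users.'
}
```

The BlocksLegacyAuth test is deliberately strict: a block policy scoped to a pilot group, or one that excludes half the directory, does not count. Check Conditions.Users.ExcludeUsers and ExcludeGroups by hand for the policies it does flag, since exclusions are where legacy-auth blocks usually leak.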
Identity
- Global Administrator
The highest-privileged Entra ID role, with full control of the tenant and the ability to elevate itself into every Azure subscription. Too many Global Administrators, or any without MFA or PIM, is a top audit finding. Microsoft recommends fewer than five, with routine work done under least-privileged roles such as User Administrator or Exchange Administrator.
- Privileged Identity Management (PIM)
Entra ID P2 feature for just-in-time activation of admin roles, with optional approval, MFA, justification, and a time limit on each activation. Eligible assignments replace permanently assigned directory roles, so standing privileged access shrinks to the break-glass accounts that genuinely need it.
- Guest user (B2B)
External identities invited into your Entra ID tenant for collaboration. Stale guests with lingering group memberships and licenses are a common hygiene and licensing problem in Microsoft 365.
- Microsoft Entra ID
Microsoft's cloud identity platform (formerly Azure AD) for users, groups, apps, and Conditional Access in Microsoft 365. Admin consent for third-party apps is granted here.
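Auditing the Global Administrator role usually means answering three questions at once: how many standing members there are, which of them have no MFA registered, and how many assignments are PIM-eligible rather than permanent. The following is an added example written for this glossary, not Tenant Hawk's code. It assumes the Microsoft.Graph PowerShell module and read-only scopes; the MFA registration report needs Entra ID P1, and the eligibility query needs P2 (it is wrapped in try/catch for tenants without PIM). The role template id is the well-known Global Administrator template.

```powershell
# Added example, not Tenant Hawk code: count standing Global Administrators,
# flag members without MFA registered, and show PIM-eligible assignments.
# Assumes the Microsoft.Graph PowerShell module and read-only scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','AuditLog.Read.All' -NoWelcome

$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator template id

# Standing members: permanent assignments plus currently PIM-activated ones.
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members = if ($gaRole) { Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All } else { @() }

# MFA registration status per user id, from the authentication methods report.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.Id] = $_ }

$report = foreach ($m in $members) {
    $odataType = $m.AdditionalProperties['@odata.type']   # #microsoft.graph.user, ...group, ...servicePrincipal
    $isUser    = $odataType -eq '#microsoft.graph.user'
    $principal = if ($isUser) { $m.AdditionalProperties['userPrincipalName'] } else { $m.AdditionalProperties['displayName'] }
    $reg       = $registration[$m.Id]
    $mfa       = if ($reg) { $reg.IsMfaRegistered } else { $null }   # $null: not a user, or no report row

    [pscustomobject]@{
        Principal     = $principal
        Type          = $odataType -replace '^#microsoft\.graph\.', ''
        MfaRegistered = $mfa
    }
}
$report | Format-Table -AutoSize

$standing = @($report).Count
if ($standing -ge 5) {
    Write-Warning "$standing standing Global Administrators; Microsoft recommends fewer than five."
}
$report | Where-Object { $_.Type -eq 'user' -and $_.MfaRegistered -ne $true } |
    ForEach-Object { Write-Warning "Global Administrator without MFA registered: $($_.Principal)" }

# PIM-eligible assignments are not standing access; they only appear above while activated.
try {
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -Filter "roleDefinitionId eq '$gaTemplateId'"
    Write-Host "$(@($eligible).Count) PIM-eligible Global Administrator assignment(s)."
} catch {
    Write-Warning "Could not read PIM eligibility (requires Entra ID P2): $($_.Exception.Message)"
}
```

A group or service principal in the member list shows MfaRegistered as empty rather than false; groups need expanding (role-assignable groups can hold Global Administrator) and service principals need their own review under the Reliability terms below.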
Cost
- License waste
Microsoft 365 seats paid for but unused or misassigned: disabled users still licensed, never-signed-in accounts, duplicate SKUs, or oversized plans. Often the fastest cost recovery lever in a tenant.
- Unused M365 license
A paid Microsoft 365 seat assigned to a user who has not consumed the service recently or does not need the SKU. Reclaiming unused licenses directly reduces monthly subscription spend.
- Never signed in user
An enabled account with an assigned license but no recorded Entra ID sign-in, interactive or non-interactive. Usually the residue of onboarding mistakes, bulk imports, or mergers. Among the quickest license waste to reclaim once the account owner has been confirmed.
- SKU assignment
Mapping a Microsoft 365 product SKU (E3, E5, Business Premium, etc.) to a user or group. SKU mismatch, such as E5 for email-only users, is a common source of silent overspend.
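The four waste patterns above (disabled but licensed, never signed in, inactive, wrong SKU) can be pulled from one user query. The following is an added example written for this glossary, not Tenant Hawk's code. It assumes the Microsoft.Graph PowerShell module and read-only scopes, and Entra ID P1 or P2, because signInActivity is only populated on those tenants. The 90-day inactivity threshold is an assumption to adjust per tenant.

```powershell
# Added example, not Tenant Hawk code: find licensed accounts that are disabled,
# have never signed in, or have been inactive for N days, with their SKUs.
# Assumes Microsoft.Graph PowerShell, read-only scopes, and Entra ID P1/P2.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','Organization.Read.All' -NoWelcome

$inactiveDays = 90   # assumption: tune to the tenant's joiner/leaver cadence
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$inactiveDays)

# Map SKU ids to part numbers (SPE_E5, O365_BUSINESS_PREMIUM, ...) for readable output.
$skuName = @{}
Get-MgSubscribedSku | ForEach-Object { $skuName["$($_.SkuId)"] = $_.SkuPartNumber }

# signInActivity is only returned when explicitly selected.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,CreatedDateTime,AssignedLicenses,SignInActivity

$findings = foreach ($u in $users) {
    if (-not $u.AssignedLicenses) { continue }   # unlicensed: nothing to reclaim

    # Use the later of interactive and non-interactive sign-in so accounts that
    # only authenticate through apps or scheduled jobs are not flagged as unused.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $status = if (-not $u.AccountEnabled) { 'DisabledButLicensed' }
              elseif (-not $last)         { 'NeverSignedIn' }
              elseif ($last -lt $cutoff)  { 'Inactive' }
              else                        { $null }
    if (-not $status) { continue }   # active, licensed, enabled: fine

    [pscustomobject]@{
        User       = $u.UserPrincipalName
        UserType   = $u.UserType   # Member or Guest
        Status     = $status
        Created    = $u.CreatedDateTime
        LastSignIn = $last
        Licenses   = (@($u.AssignedLicenses.SkuId) | ForEach-Object { $skuName["$_"] }) -join ';'
    }
}

$findings | Sort-Object Status, User | Format-Table -AutoSize
$findings | Group-Object Status | ForEach-Object { Write-Host "$($_.Count) x $($_.Name)" }
```

Validate before removing anything: a NeverSignedIn row created last week is onboarding in progress, a Guest row holding an E5 SKU is almost always a mistake, and a DisabledButLicensed mailbox may be under legal hold (convert to a shared mailbox or apply a retention policy rather than deleting). Licenses assigned through group-based licensing are reclaimed by fixing group membership, not the user.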
Reliability
- App registration
An Entra ID application object representing a service or integration that authenticates to Microsoft Graph or other APIs. Each registration can have secrets or certificates with expiration dates.
- Client secret (app registration)
A password-like credential for an app registration, created with a fixed expiry (the portal allows up to 24 months). Expired secrets break integrations silently: authentication simply starts failing, and nothing surfaces it until the next sync job fails or a user complains.
- Certificate expiration (SSO)
SAML signing certificates for enterprise applications (three-year validity by default) and federation token-signing certificates have fixed validity periods. The SAML certificate lives on the service principal, not the app registration, so it is easy to miss in an expiry review. An expired certificate causes sign-in failures for every user of the dependent application at once.
- Service principal
The runtime identity of an app registration inside a tenant, holding permissions granted via admin consent. Orphaned service principals with broad Graph permissions are a recurring security review item.
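Because client secrets and certificates sit on the app registration while SAML signing certificates sit on the service principal, an expiry review has to walk both object types. The following is an added example written for this glossary, not Tenant Hawk's code. It assumes the Microsoft.Graph PowerShell module and the read-only Application.Read.All scope; the 30-day warning window is an assumption.

```powershell
# Added example, not Tenant Hawk code: list app registration secrets/certificates
# and enterprise app (service principal) certificates that have expired or expire
# within N days. Assumes Microsoft.Graph PowerShell and Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$warnDays = 30   # assumption: renewal lead time
$now   = (Get-Date).ToUniversalTime()
$limit = $now.AddDays($warnDays)

# Emit a finding for one credential if it is expired or inside the warning window.
function Get-CredentialFinding {
    param($Owner, $OwnerType, $Credential, $Kind)
    $end = $Credential.EndDateTime
    if (-not $end -or $end -gt $limit) { return }   # healthy, nothing to report
    $status = if ($end -lt $now) { 'EXPIRED' } else { "expires in $([int]($end - $now).TotalDays) days" }
    [pscustomobject]@{
        Owner     = $Owner.DisplayName
        AppId     = $Owner.AppId
        OwnerType = $OwnerType
        Kind      = $Kind
        Name      = $Credential.DisplayName
        KeyId     = $Credential.KeyId
        Expires   = $end
        Status    = $status
    }
}

$findings = @(
    # App registrations: client secrets (passwordCredentials) and certificates (keyCredentials).
    foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials) {
        foreach ($c in $app.PasswordCredentials) { Get-CredentialFinding $app 'AppRegistration' $c 'ClientSecret' }
        foreach ($c in $app.KeyCredentials)      { Get-CredentialFinding $app 'AppRegistration' $c 'Certificate' }
    }
    # Service principals: SAML token-signing certs live here, not on the registration.
    foreach ($sp in Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,KeyCredentials) {
        foreach ($c in $sp.KeyCredentials) {
            Get-CredentialFinding $sp 'EnterpriseApp' $c "Certificate($($c.Usage))"
        }
    }
)

$findings | Sort-Object Expires | Format-Table Owner, OwnerType, Kind, Name, Expires, Status -AutoSize
Write-Host "$(@($findings | Where-Object Status -eq 'EXPIRED').Count) expired, $(@($findings).Count) total within $warnDays days."
```

Usage on a SAML certificate is Sign or Verify; both entries of a pair expire together, so expect two rows per certificate. An expired client secret on a registration that still has a valid one is housekeeping, not an outage, so read the rows per owner before paging anyone.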
Governance
- Configuration drift
Gradual divergence between intended Microsoft 365 security and cost standards and what is actually configured. Drift accumulates through admin turnover, acquisitions, and one-off exceptions.
- Tenant health score
A single numeric grade summarizing Microsoft 365 posture across security, cost, reliability, and hygiene. Tenant Hawk computes a 0–100 score from read-only scans with category breakdowns and dollar impact.
- CIS Microsoft 365 benchmark
Center for Internet Security configuration guidance for Microsoft 365 and Entra ID. Many audits map findings to CIS controls. Tenant Hawk Pro maps scan results to CIS and NIST references.
- Read-only admin consent
OAuth admin consent granting an application only read permissions (for example, *.Read.All Microsoft Graph scopes) and no write access to the tenant. Tenant Hawk requests read-only Graph scopes, so a scan cannot modify users, licenses, or policies.
Hygiene
- SharePoint external sharing
Settings that allow guests or anonymous links to access SharePoint and OneDrive content. Overly permissive sharing defaults are a data exposure risk and frequent audit finding.
- Intune device compliance
Microsoft Intune policies that evaluate whether managed devices meet security baselines before accessing corporate resources. Non-compliant devices often indicate stale enrollments or missing patches.
Try it on your tenant
Run a free health scan in under 5 minutes
Tenant Hawk connects read-only to Microsoft 365 and Entra, scores your tenant across security, cost, reliability, and hygiene, then gives you a prioritized fix-it list.
Read-only access · no credentials stored · no credit card