M365 + Azure Security Glossary
50+ terms — from Entra ID and Conditional Access to SSPM and Zero Trust — defined in plain language for security teams, auditors, and practitioners.
A
Azure AD (Azure Active Directory)
Microsoft's cloud-based identity and access management service, now rebranded as Microsoft Entra ID. It manages user identities, authentication, and authorization for Microsoft 365, Azure, and thousands of third-party applications. Azure AD is the primary attack surface in most M365 breaches. See Entra ID.
Azure RBAC (Role-Based Access Control)
The authorization system for Azure resources. Permissions are granted through roles (Owner, Contributor, Reader, and hundreds of built-in plus custom roles) assigned at management group, subscription, resource group, or individual resource scope. Misconfigured RBAC — particularly overly broad Contributor assignments — is one of the most common Azure posture findings. See Financial Services assessment.
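To make the "overly broad Contributor assignments" finding concrete, here is an added example (not code from 365 Security Assessment or from Microsoft) that scans a list of role assignments and flags Owner, Contributor, or User Access Administrator assignments made at subscription or management group scope. The dictionaries mirror the fields `az role assignment list --all -o json` returns (principalName, principalType, roleDefinitionName, scope); the five assignments, the principal names, and the subscription id are constructed placeholders, and the severity rule is a heuristic chosen for this example.

```python
"""Flag overly broad Azure RBAC assignments from exported role assignment data.

Added example, not vendor or Microsoft code. Input dicts use the field names
of `az role assignment list --all -o json`; sample data is constructed.
"""
import re

# Roles whose blast radius at a wide scope warrants review.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)


def scope_level(scope: str) -> str:
    """Classify an Azure resource id into the RBAC scope level it represents."""
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def find_broad_assignments(assignments):
    """Return findings for broad roles assigned at subscription or management group scope.

    Heuristic severity: Owner anywhere wide is high; Contributor / User Access
    Administrator is high when granted directly to a user or service principal
    and medium when granted to a group (groups can be PIM-eligible and reviewed).
    """
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        level = scope_level(a["scope"])
        if role not in BROAD_ROLES or level not in ("managementGroup", "subscription"):
            continue
        direct = a["principalType"] != "Group"
        severity = "high" if role == "Owner" or direct else "medium"
        findings.append({
            "principal": a["principalName"],
            "principalType": a["principalType"],
            "role": role,
            "scopeLevel": level,
            "severity": severity,
        })
    return findings


# Constructed sample; the subscription id and names are placeholders.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "build-pipeline-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
    {"principalName": "Platform Admins", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "ops-automation-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]

if __name__ == "__main__":
    for f in find_broad_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['role']} -> {f['principal']} "
              f"({f['principalType']}) at {f['scopeLevel']} scope")
```

The resource-group-scoped Contributor and the subscription-level Reader are left alone; the remaining three assignments are the ones an auditor would ask the subscription owner to justify or move to PIM-eligible group membership.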
B
BAA (Business Associate Agreement)
A contract required under HIPAA between a covered entity and any vendor (business associate) that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. Microsoft offers a standard BAA for applicable Microsoft 365 and Azure services. Organizations must ensure their BAA covers all services used to process ePHI.
BEC (Business Email Compromise)
A social engineering attack where adversaries impersonate executives, vendors, or employees via email to fraudulently redirect wire transfers, steal credentials, or exfiltrate sensitive data. BEC is the highest-dollar cybercrime category globally. Key M365 controls against BEC include anti-spoofing policies, DMARC enforcement, and Conditional Access blocking legacy auth protocols.
C
CASB (Cloud Access Security Broker)
A security policy enforcement point placed between cloud service consumers and cloud providers. A CASB provides visibility into shadow IT, enforces data loss prevention (DLP) policies, and detects anomalous cloud usage. Microsoft Defender for Cloud Apps is Microsoft's built-in CASB integrated with the M365 ecosystem. CASBs typically monitor but do not replace Conditional Access or identity governance controls.
CIS Benchmark (Center for Internet Security)
Consensus-based secure configuration guidelines published by the Center for Internet Security. The CIS Microsoft 365 Benchmark maps specific hardening actions to each M365 workload (Exchange Online, SharePoint, Teams, etc.) with Level 1 (essential) and Level 2 (defense-in-depth) profiles. See Compliance Audit Prep.
CMMC (Cybersecurity Maturity Model Certification)
A US Department of Defense framework requiring defense contractors to demonstrate specific cybersecurity practices. CMMC 2.0 has three levels: Level 1 (17 practices, self-assessment), Level 2 (110 practices, third-party assessment for most), and Level 3 (NIST 800-172 + additional controls, government-led assessment). Microsoft 365 GCC or GCC High environments are often required to handle CUI at Level 2 and above. See CMMC guide.
Conditional Access
Microsoft Entra's policy engine that enforces access controls based on signals: user identity, device compliance, location, application, and real-time risk level. Conditional Access policies evaluate before granting tokens to any application. Gaps in Conditional Access coverage — particularly policies that exclude service accounts, break-glass accounts, or legacy authentication — are among the most critical findings in M365 assessments. See Tenant Hardening.
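The coverage gaps named above (report-only policies, missing legacy authentication block, exclusions) can be checked mechanically against an export of the tenant's policies. The following is an added example written for this glossary, not code from 365 Security Assessment or from Microsoft. The policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls); the three sample policies are constructed, and every object id in them is a placeholder.

```python
"""Evaluate a set of Conditional Access policies for common coverage gaps.

Added example, not vendor or Microsoft code. Dicts mirror the Graph
conditionalAccessPolicy resource; sample policies below are constructed.
"""

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # clientAppTypes that cover legacy auth


def _get(d, *path, default=None):
    """Walk nested dict keys, returning default when any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def applies_to_all(policy):
    """True when the policy targets all users and all cloud apps."""
    users = _get(policy, "conditions", "users", "includeUsers", default=[])
    apps = _get(policy, "conditions", "applications", "includeApplications", default=[])
    return "All" in users and "All" in apps


def blocks_legacy_auth(policy):
    """Enabled, tenant-wide block whose client app types cover legacy protocols."""
    if policy.get("state") != "enabled" or not applies_to_all(policy):
        return False
    client_types = set(_get(policy, "conditions", "clientAppTypes", default=[]))
    covers_legacy = "all" in client_types or LEGACY_CLIENT_TYPES <= client_types
    grants = _get(policy, "grantControls", "builtInControls", default=[])
    return covers_legacy and "block" in grants


def requires_mfa_for_all(policy):
    """Enabled, tenant-wide policy whose grant control requires MFA."""
    grants = _get(policy, "grantControls", "builtInControls", default=[])
    return policy.get("state") == "enabled" and applies_to_all(policy) and "mfa" in grants


def exclusions(policy):
    """Excluded users and groups; every entry needs a documented owner (e.g. break-glass)."""
    users = _get(policy, "conditions", "users", default={})
    return list(users.get("excludeUsers", [])) + list(users.get("excludeGroups", []))


def assess_conditional_access(policies):
    """Summarise tenant-level coverage across all policies."""
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "mfa_for_all_users": any(requires_mfa_for_all(p) for p in policies),
        "report_only": [p["displayName"] for p in policies if p.get("state") == REPORT_ONLY],
        "exclusions": {p["displayName"]: exclusions(p) for p in policies if exclusions(p)},
    }


# Constructed sample policies; object ids are placeholders.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["breakglass-account-objectid-placeholder"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["all-staff-group-objectid-placeholder"],
                              "excludeGroups": ["service-accounts-group-objectid-placeholder"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"],
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for key, value in assess_conditional_access(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

With the sample data the legacy authentication block exists but only in report-only mode, so the tenant reports legacy_auth_blocked as false; this is exactly the "configured but not enforced" situation that a points-based score can miss.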
D
DLP (Data Loss Prevention)
Policies that detect and prevent unauthorized transmission of sensitive data — credit card numbers, SSNs, PHI, trade secrets — across M365 workloads including Exchange Online, SharePoint, Teams, and OneDrive. Microsoft Purview DLP supports regulatory templates for HIPAA, GDPR, PCI-DSS, and others. Effective DLP requires policy tuning; default templates frequently produce high false-positive rates that lead organizations to disable them.
E
Entra ID (Microsoft Entra ID)
The current name for Azure Active Directory (rebranded October 2023). Microsoft's cloud-native identity platform providing authentication, authorization, single sign-on (SSO), and identity governance for M365, Azure, and integrated third-party applications. Entra ID is the identity control plane for every M365 deployment and the primary target of credential-based attacks. See Azure AD.
ePHI (Electronic Protected Health Information)
Any protected health information (PHI) created, stored, transmitted, or received in electronic form. Under HIPAA, covered entities and business associates must implement administrative, physical, and technical safeguards for all ePHI. In M365 environments, ePHI may appear in Exchange Online mailboxes, SharePoint libraries, Teams chats, and OneDrive — each requiring specific DLP and access controls. See Healthcare security.
F
FedRAMP (Federal Risk and Authorization Management Program)
A US government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Cloud providers must achieve FedRAMP authorization before federal agencies can use their services. Microsoft 365 Government (GCC, GCC High, DoD) carries FedRAMP authorizations. Organizations pursuing FedRAMP authorization for their own products on Azure must map controls to NIST SP 800-53 Rev 5. See Compliance Audit Prep.
G
GDPR (General Data Protection Regulation)
The European Union's comprehensive data protection law, effective May 2018. GDPR applies to any organization processing personal data of EU residents regardless of where the organization is based. In M365 environments, GDPR compliance requires data subject access request (DSAR) capability, breach notification workflows, data residency configuration, and appropriate data processing agreements (DPAs) with Microsoft. See Financial Services assessment.
GLBA (Gramm-Leach-Bliley Act)
US federal law requiring financial institutions to explain data-sharing practices and protect customer financial information. The FTC Safeguards Rule under GLBA was updated in 2023 to include specific cybersecurity requirements including MFA, encryption, access controls, and annual penetration testing — all of which have direct M365 control mappings.
H
HIPAA (Health Insurance Portability and Accountability Act)
US federal law establishing national standards for protecting sensitive patient health information (PHI). HIPAA's Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI. M365 controls relevant to HIPAA include encryption, access controls, audit logging, DLP, and BAA with Microsoft. See Healthcare security.
HITRUST CSF (Common Security Framework)
A certifiable framework that incorporates HIPAA, NIST, ISO 27001, PCI-DSS, and other standards into a single comprehensive framework widely used in healthcare. HITRUST r2 (Validated Assessment) is the gold standard for demonstrating M365 security to healthcare customers and partners. Controls map directly to Microsoft 365 workloads, Entra ID policies, and Azure security services. See Healthcare security.
I
ITDR (Identity Threat Detection and Response)
A security discipline focused on detecting and responding to identity-based attacks — including credential theft, privilege escalation, lateral movement, and persistence through compromised accounts. Microsoft Entra ID Protection and Microsoft Defender for Identity are the primary ITDR tools in the M365 ecosystem. ITDR is increasingly treated as a separate security domain from endpoint detection and response (EDR).
M
M365 Tenant
A dedicated, isolated instance of Microsoft 365 services provisioned for a single organization. Each tenant has its own Entra ID directory, Exchange Online organization, SharePoint farm, and licensing. Tenant-wide settings — like external sharing policies, admin consent for apps, and security defaults — apply across all users and workloads. In multi-tenant MSP environments, each customer organization has its own tenant. See MSP / MSSP assessment.
MFA (Multi-Factor Authentication)
An authentication method requiring two or more verification factors: something you know (password), something you have (authenticator app, hardware token), or something you are (biometric). In Entra ID, MFA is enforced via Conditional Access policies or per-user MFA settings. Not all MFA methods are equal — SMS-based MFA is phishing-vulnerable; FIDO2 hardware keys and certificate-based authentication are phishing-resistant. See MFA coverage blog post.
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK matrix for Enterprise includes a dedicated Microsoft 365 cloud matrix covering Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact techniques specific to M365 and Entra ID. 365 Security Assessment maps critical rules to MITRE ATT&CK technique IDs.
N
NIST 800-171
NIST Special Publication 800-171 defines requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. It contains 110 security requirements across 14 families. CMMC Level 2 is directly based on NIST 800-171 Rev 2 requirements. Organizations handling CUI for federal agencies must demonstrate compliance, which requires specific M365 and Azure configuration standards. See CMMC guide.
NIST CSF (Cybersecurity Framework)
A voluntary framework developed by NIST providing organizations with a common language and systematic methodology for managing cybersecurity risk. CSF 2.0 (released 2024) organizes controls into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Many organizations use NIST CSF as a meta-framework that maps to more prescriptive standards like CIS Benchmarks, NIST 800-53, or ISO 27001.
O
OAuth (Open Authorization)
An open standard protocol for access delegation. In M365, OAuth 2.0 allows third-party applications to access Microsoft Graph APIs on behalf of a user without sharing passwords. Misconfigured OAuth consent policies — particularly user consent grants to unverified third-party apps — are a major attack vector. Attackers use consent phishing to trick users into granting malicious apps persistent access to mailboxes and files. See OAuth phishing blog post.
P
PCI-DSS (Payment Card Industry Data Security Standard)
A security standard for organizations that handle branded credit cards. PCI-DSS v4.0 (effective March 2025) introduced new requirements including automated web application scanning (Req 6.4.2), expanded logging requirements (Req 10.7.2), and targeted risk analysis for customized implementations. Organizations using M365 to process, store, or transmit cardholder data must ensure applicable controls are in scope. See PCI-DSS v4.0 guide.
PIM (Privileged Identity Management)
Microsoft Entra Privileged Identity Management provides just-in-time (JIT) privileged access, approval workflows, access reviews, and full audit history for Entra ID and Azure roles. PIM is a critical control for reducing standing privileged access — a major risk factor in enterprise M365 environments where Global Administrator accounts are often permanently active. PIM is included in Entra ID P2 licensing. See Tenant Hardening.
Power Platform
Microsoft's low-code/no-code application platform including Power Apps, Power Automate, Power BI, and Power Virtual Agents. Power Platform is a frequent security blind spot: default Data Loss Prevention (DLP) policies for Power Platform are often absent or misconfigured, allowing users to create flows that exfiltrate data to external connectors. Organizations should audit all Power Platform environments and connector usage in every M365 assessment.
R
RBAC — see Azure RBAC
S
Secure Score (Microsoft)
Microsoft's built-in security metric that awards points for implementing specific recommended security controls across M365 and Azure. Secure Score is useful for prioritizing basic hardening steps but has significant limitations: it does not evaluate configuration depth, enforced vs report-only policies, or security controls outside Microsoft's own product surface. It also does not map to compliance frameworks. See how we compare to Secure Score.
SharePoint Online
Microsoft's cloud-based content management and collaboration platform included in Microsoft 365. SharePoint Online is a significant data governance risk area: external sharing settings, anonymous link policies, guest access permissions, and site-level access controls must all be audited. A single misconfigured site with anonymous "anyone with the link" access can expose sensitive documents to the public internet.
SOC 2 (System and Organization Controls 2)
An auditing standard developed by the AICPA evaluating a service organization's controls relevant to the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type II covers a period of 6–12 months and is the de facto security certification expected by enterprise SaaS buyers. M365 controls are directly assessed in most SOC 2 engagements. See our Trust page.
SSPM (SaaS Security Posture Management)
A category of security tools that continuously monitor and assess the security configuration of SaaS applications — particularly Microsoft 365, Google Workspace, Salesforce, and others — against security benchmarks and compliance frameworks. SSPM tools surface misconfigurations, track posture over time, and provide remediation guidance. 365 Security Assessment is purpose-built SSPM for M365 and Azure, providing rule depth (24,000+ rules) far beyond general SSPM platforms. See comparison vs. AppOmni.
T
Microsoft Teams
Microsoft's collaboration platform combining chat, video conferencing, file sharing, and app integrations within M365. Teams is a growing security concern: external access (federation), guest access, app permissions, and meeting recording settings require policy governance. Sensitive data shared in Teams channels is stored in SharePoint or Exchange, making Teams DLP and retention policies critical for data governance compliance.
Token Theft
An attack technique where adversaries steal OAuth access or refresh tokens and use them to authenticate as the victim without knowing the password and without having to defeat MFA, since the token already represents a completed sign-in. Tokens are typically stolen via malware, adversary-in-the-middle (AiTM) phishing proxies, or compromised browser sessions. Microsoft Entra's Continuous Access Evaluation (CAE) and token protection features help mitigate token theft, but require P1/P2 licensing and explicit configuration.
Z
Zero Trust
A security model based on the principle "never trust, always verify" — no user, device, or network segment is trusted by default regardless of location. Microsoft's Zero Trust architecture for M365 and Azure centers on three pillars: verify explicitly (authenticate and authorize based on all available signals), use least privilege access (limit user access with JIT/JEA and risk-based policies), and assume breach (minimize blast radius and segment access). See Tenant Hardening.