Security Glossary

Conditional Access feature that specifies which authentication methods are acceptable for a given access scenario.

Periodic evaluation of user access rights to ensure appropriate access and remove unnecessary permissions.

Chronological record of activities and events for security monitoring, compliance, and forensic investigation.

Emergency access accounts that bypass normal security controls to prevent lockout during system failures or misconfigurations.

Policy-based access control that evaluates signals and enforces security requirements before granting access.

Real-time policy enforcement that can revoke access within seconds when critical security events occur.

Consensus-based security configuration guidelines developed by the Center for Internet Security.

Identity governance feature that automates access request, approval, and review workflows for groups, apps, and resources.

An open authentication standard that enables passwordless authentication using public key cryptography.

US government program providing standardized security assessment for cloud services used by federal agencies.

Azure AD role with unrestricted access to all administrative features in Microsoft 365 and Azure AD.

US federal law requiring protection of electronic protected health information by covered entities and business associates.

A system that creates, maintains, and manages identity information while providing authentication services.

International standard for information security management systems with Annex A controls.

Azure AD feature that detects identity-based risks and enables automated responses to suspicious sign-ins.

Security principle that provides access only when needed and only for the minimum time required.

Security principle that grants users only the minimum access rights necessary to perform their job functions.

Older authentication protocols (IMAP, POP3, SMTP AUTH, older Office clients) that cannot enforce multi-factor authentication.

A security mechanism that requires users to provide two or more verification factors to gain access to a resource.

Microsoft cloud-based identity and access management service, formerly known as Azure Active Directory.

Microsoft mobile app that provides MFA verification, passwordless sign-in, and password management.

Cloud-based security solution that uses on-premises Active Directory signals to detect advanced threats.

Unified enterprise defense suite that provides integrated threat protection across endpoints, identities, email, and applications.

Unified API for accessing Microsoft 365 data and services including users, groups, mail, calendar, and files.

Conditional Access feature that defines trusted or untrusted network locations based on IP addresses or countries.

Comprehensive catalog of security and privacy controls published by the National Institute of Standards and Technology.

Social engineering attack that tricks users into granting malicious applications access to their data through OAuth consent.

Authentication methods that cannot be intercepted or replayed by attackers through phishing attacks.

Authentication methods that verify identity without requiring traditional passwords.

A FIDO2 credential that can be synced across devices, enabling passwordless authentication without hardware tokens.

Just-in-time privileged access service that enables time-limited, approval-based activation of administrative roles.

Attack technique that tries a few common passwords against many accounts to avoid lockout thresholds.

Access control method that assigns permissions to roles rather than individual users.

Authentication scheme that allows users to access multiple applications with one set of login credentials.

Feature that allows users to reset their passwords without helpdesk intervention through verified authentication methods.

Audit framework for service organizations based on Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.

Real-time assessment of the probability that a given sign-in attempt is not performed by the legitimate account owner.

User account that has not been used for an extended period, typically 90 days or more.

Identity used by applications and services to authenticate and access Azure AD-protected resources.

Attack technique where adversaries steal OAuth tokens to impersonate users without needing credentials.

Assessment of the probability that a user account has been compromised based on accumulated risk signals.

Microsoft enterprise credential that replaces passwords with strong two-factor authentication using biometrics or PIN.

Security model that assumes breach and verifies every access request as though it originates from an untrusted network.