
Glossary

Maintained by: Aether365 Team
Audience: All users
Scope: Definitions of Microsoft 365, security, and Aether365-specific terms

Definitions for Microsoft 365, security, and Aether365-specific terms.


Admin Consent
A one-time approval granted by a Microsoft 365 Global Administrator that allows an application to access the tenant using specified permissions. Required to connect a Microsoft 365 tenant to Aether365.


Application Permission
A Microsoft Graph permission granted to an application (not a user). Application permissions allow the app to operate without a signed-in user. All Aether365 permissions are application permissions.


Audit Log
A record of actions taken within an account. In the Aether365 context: the record of actions taken in the Aether365 dashboard or API. Separate from the Microsoft 365 Unified Audit Log (UAL).


Baseline
A defined minimum standard of security configuration. CIS, EIDSCA, CISA SCuBA, and NIS2 each define a baseline that organisations should meet.


CIS (Center for Internet Security)
A non-profit organisation that publishes security benchmarks, including the CIS Microsoft 365 Foundations Benchmark. CIS benchmarks are widely used as the baseline for commercial security programmes.


Compliance Scan
A scan that evaluates your Microsoft 365 tenant against established security frameworks (CIS, EIDSCA, CISA SCuBA, NIS2). Returns pass/fail/skip results per check.


Conditional Access
A Microsoft Entra ID feature that enforces access policies based on user identity, device, location, and other signals. Many CIS and EIDSCA checks evaluate conditional access configuration.


Connected Tenant
A Microsoft 365 tenant that has been linked to an Aether365 account via admin consent. Connected tenants are scanned automatically on the account's recurring schedule.


Control
A security requirement defined by a framework. In Aether365, each control is implemented as a "check" that tests a specific configuration value in your Microsoft 365 tenant.


CISA (Cybersecurity and Infrastructure Security Agency)
The US federal agency responsible for cybersecurity policy. CISA publishes the SCuBA (Secure Cloud Business Applications) M365 Security Baseline.


DKIM (DomainKeys Identified Mail)
An email authentication method that uses cryptographic signatures to verify that email was sent from an authorised server for the claimed domain.


DMARC (Domain-based Message Authentication, Reporting, and Conformance)
An email authentication policy that specifies how to handle email that fails SPF or DKIM checks. A key control in CIS and CISA email security checks.


EIDSCA (Entra ID Security Config Analyzer)
An open-source security framework co-developed by Microsoft that focuses on Entra ID configuration security. Covers areas not fully addressed by CIS.


Entra ID
Microsoft's identity and access management service, formerly known as Azure Active Directory (Azure AD). Manages users, groups, applications, and conditional access for Microsoft 365.


Exposure Scan
A scan that identifies risky configurations across Microsoft 365 services (Exchange, Teams, SharePoint, Entra ID). Returns findings by service and severity rather than by framework.


Finding
An individual result from a security scan. In Aether365, each check produces a finding with a status (passed, failed, skipped), severity, and optionally remediation guidance.


Global Administrator
The highest-privilege role in Microsoft Entra ID. Required to grant admin consent for Aether365. Best practice is to have only 2-4 Global Admins and use dedicated roles for specific tasks.


Legacy Authentication
Older authentication protocols (SMTP AUTH, IMAP, POP3, EWS Basic Auth) that do not support modern MFA. Blocking legacy authentication is a critical control in most frameworks.


MFA (Multi-Factor Authentication)
Requiring a second factor (phone, authenticator app, hardware key) in addition to a password for sign-in. One of the highest-impact controls for reducing account compromise risk.


Microsoft Graph
The unified API for accessing Microsoft 365 data and services. Aether365 uses Microsoft Graph to read your tenant's configuration during scans.


NIS2
The EU Network and Information Systems Directive 2 (Directive 2022/2502). Requires operators of essential and important entities in the EU to implement appropriate cybersecurity measures.


On-Demand Scan
A scan triggered manually by a user, as opposed to an automatic scheduled scan.


PIM (Privileged Identity Management)
A Microsoft Entra ID feature that provides just-in-time access to privileged roles. Several EIDSCA checks evaluate PIM configuration.


Remediation
The process of fixing a security finding. Aether365 provides step-by-step remediation guidance for each failed check.


SCuBA
Secure Cloud Business Applications: CISA's M365 security baseline for US federal agencies. Structured by M365 product (AAD, Exchange, Teams, etc.).


Security Score
The percentage of applicable checks that passed in the most recent scan. Calculated as: passed ÷ (passed + failed) × 100. Skipped checks are excluded.


Service Principal
An identity in Microsoft Entra ID that represents an application. When you grant admin consent, a service principal for Aether365 is created in your tenant.


SPF (Sender Policy Framework)
A DNS record that specifies which mail servers are authorised to send email for a domain. Part of email authentication, evaluated in CIS and CISA email checks.


Tenant
In Microsoft terminology: an organisation's instance of Microsoft 365 / Entra ID, identified by a globally unique tenant ID (GUID). In Aether365 terminology: your Aether365 account (which may manage one or more Microsoft tenants).


Tenant Isolation
The architectural guarantee that one customer's data cannot be accessed by another customer. Aether365 enforces tenant isolation at the database level on every query.


Unified Audit Log (UAL)
Microsoft 365's audit logging service. Records user and admin activity across Exchange, SharePoint, Teams, Entra ID, and other services. Several CIS and EIDSCA checks verify that the UAL is enabled and properly configured.
