Read-only access
Microsoft Graph permissions are used to produce reports and recommendations, not to alter the tenant.
Trust center
LicenSweep identifies potential license waste and prepares recommendations. It does not remove users, assign or unassign licenses, read email content, or change Microsoft tenant settings.
Microsoft Graph permissions are used to produce reports and recommendations, not to alter the tenant.
Dashboard users authenticate with Microsoft. LicenSweep does not collect or store their Microsoft passwords.
Every recommendation must be verified and carried out by an authorized administrator in Microsoft 365.
Owners can disconnect a tenant, and Microsoft administrators can revoke the enterprise application at any time.
LicenSweep requests only the application permissions needed for its current reporting features. Microsoft administrator consent is required.
| Permission | Why it is used | What it does not allow |
|---|---|---|
Reports.Read.All | Reads Microsoft 365 usage reports and activity dates used to identify accounts for review. | Does not read email bodies, Teams messages, or document contents. |
LicenseAssignment.Read.All | Reads assigned-license information so purchased and assigned seats can be compared. | Does not assign, remove, or modify licenses. |
User.Read.All | Reads the user directory fields needed to match reports with accounts and their status. | Does not create, delete, disable, or update users. |
Important: read-only access still provides visibility into business directory and usage metadata. Review the permissions and privacy terms before granting consent.
Users sign in through Microsoft. Production sessions use secure, HTTP-only cookies and expire automatically.
Owner, Administrator, and Viewer permissions are enforced by the server for protected actions—not only hidden in the interface.
State-changing requests are restricted to the application origin. Authentication and API routes are rate limited, and sensitive pages are marked not to be cached.
HTTPS, HSTS, a Content Security Policy, clickjacking protection, restricted browser capabilities, and conservative referrer handling are enabled.
LicenSweep runs in AWS. Application health and public endpoints are monitored with CloudWatch alarms and scheduled availability checks. Operational logs support incident investigation, and the production database uses point-in-time recovery and deletion protection.
Security headers, dependency checks, automated tests, container scanning, and code scanning are part of the delivery workflow. No security control eliminates all risk; controls and dependencies are reviewed as the service changes.
Responsible reporting
Send a clear description, affected URL, and steps to reproduce. Do not include passwords, client secrets, access tokens, or unnecessary personal data.
This page describes controls currently implemented by LicenSweep. It is not a claim of SOC 2, ISO 27001, or other third-party certification.