LicenSweepHome

Trust center

Read-only Microsoft 365 insights, with the administrator in control

LicenSweep identifies potential license waste and prepares recommendations. It does not remove users, assign or unassign licenses, read email content, or change Microsoft tenant settings.

Security at a glance

Read-only access

Microsoft Graph permissions are used to produce reports and recommendations, not to alter the tenant.

Microsoft sign-in

Dashboard users authenticate with Microsoft. LicenSweep does not collect or store their Microsoft passwords.

Human approval

Every recommendation must be verified and carried out by an authorized administrator in Microsoft 365.

Revocable access

Owners can disconnect a tenant, and Microsoft administrators can revoke the enterprise application at any time.

Microsoft Graph permissions

LicenSweep requests only the application permissions needed for its current reporting features. Microsoft administrator consent is required.

PermissionWhy it is usedWhat it does not allow
Reports.Read.AllReads Microsoft 365 usage reports and activity dates used to identify accounts for review.Does not read email bodies, Teams messages, or document contents.
LicenseAssignment.Read.AllReads assigned-license information so purchased and assigned seats can be compared.Does not assign, remove, or modify licenses.
User.Read.AllReads the user directory fields needed to match reports with accounts and their status.Does not create, delete, disable, or update users.

Important: read-only access still provides visibility into business directory and usage metadata. Review the permissions and privacy terms before granting consent.

Authentication and access controls

Microsoft identity

Users sign in through Microsoft. Production sessions use secure, HTTP-only cookies and expire automatically.

Role-based access

Owner, Administrator, and Viewer permissions are enforced by the server for protected actions—not only hidden in the interface.

Request protections

State-changing requests are restricted to the application origin. Authentication and API routes are rate limited, and sensitive pages are marked not to be cached.

Browser protections

HTTPS, HSTS, a Content Security Policy, clickjacking protection, restricted browser capabilities, and conservative referrer handling are enabled.

Data handling and retention

Infrastructure, monitoring, and recovery

LicenSweep runs in AWS. Application health and public endpoints are monitored with CloudWatch alarms and scheduled availability checks. Operational logs support incident investigation, and the production database uses point-in-time recovery and deletion protection.

Security headers, dependency checks, automated tests, container scanning, and code scanning are part of the delivery workflow. No security control eliminates all risk; controls and dependencies are reviewed as the service changes.

What your administrator should verify

  1. Review the requested Microsoft permissions and confirm LicenSweep is the intended enterprise application.
  2. Limit LicenSweep dashboard roles to people who need access and remove former team members promptly.
  3. Verify employment, leave, retention, legal-hold, shared-mailbox, group-based licensing, contract, and renewal details before acting on a recommendation.
  4. Make all license changes directly in Microsoft 365, then confirm that billing or renewal quantities changed as expected.
  5. Disconnect LicenSweep and revoke the enterprise application when the service is no longer needed.

Responsible reporting

Report a security or privacy concern

Send a clear description, affected URL, and steps to reproduce. Do not include passwords, client secrets, access tokens, or unnecessary personal data.

support@licensweep.com

This page describes controls currently implemented by LicenSweep. It is not a claim of SOC 2, ISO 27001, or other third-party certification.