Security posture

Customer-specific credentials and certificates stay scoped to the customer tenant.
Admin actions around pricing, credits, and credential changes should be audited.
Migration runs should be isolated by tenant and project.
Microsoft 365 setup must validate API permissions before scan or migration starts.

Control	Expectation
Authentication	Role-separated customer and admin access
Secrets	Encrypted at rest
Billing	Prepaid credits only
Audit	Immutable change trail