Review overprivileged accounts

A workflow for Identity Security Insights

Scope of this guide

Following this workflow on a regular basis helps your organization reduce the Azure attack surface, enforce least privilege across Entra ID and Azure RBAC, and maintain a clear audit record of privilege posture improvements over time.

Prerequisites

  • Microsoft Azure instance

Workflow summary

| Step | Name | What You Do |
|---|---|---|
| Setup | Set Up the Microsoft Azure Connector | Register the connector in ISI, run the onboarding script, grant admin consent, and optionally configure Azure Event Hub. |
| 1 | Review the Home Dashboard | Get an at-a-glance view of Azure privilege posture and escalation paths. |
| 2 | Review Overprivileged Identities | Surface Entra ID users with Highest/High True Privilege, dormant accounts, and escalation risks. |
| 3 | Investigate Individual Identities | Drill into identity details: linked Azure accounts, Detections, Recommendations, Entitlements, and the True Privilege graph. |
| 4 | Review Overprivileged Accounts | Find high-privilege Azure accounts, especially dormant, unmanaged, or non-federated ones. |
| 5 | Review Entitlements | Identify Azure RBAC roles and Entra ID group memberships granting Highest/High privilege and map escalation paths. |
| 6 | Review Detections | Prioritize active Azure risk findings by importance; investigate each detection's concern and recommended action. |
| 7 | Review Recommendations and Remediate | Action Azure security posture guidance, update statuses, add comments, and export findings for ticketing. |

Setup: Set up the Microsoft Azure connector

Why this matters

Before Identity Security Insights can discover your Azure identities, accounts, and entitlements, the Microsoft Azure connector must be configured. The connector uses a dedicated app registration (BT-SP-Connector) and a PowerShell onboarding script to grant read-only access to Entra ID, Azure RBAC, and activity logs. No write permissions are required. Setup is a one-time activity; the only ongoing maintenance is rotating the app registration client secret before it expires.

Prerequisites

Confirm the following before beginning connector setup:

  • Auditing is enabled in Microsoft Purview / Azure (see Microsoft's Audit documentation).
  • You have Azure Global Administrator privileges in the target tenant.
  • The tenant has a minimum Microsoft Entra ID P1 licence.
  • Azure PowerShell (Az module) is installed on your workstation, or you plan to use Azure CloudShell (Az is pre-installed in CloudShell).
  • If you are enabling AI Agents (optional): Dataverse is enabled in your Power Platform environments, and you are a System Administrator for those environments.

Required roles and permissions

The following read-only permissions are granted automatically by the onboarding script. You do not need to assign them manually.

| Service | Permissions Required |
|---|---|
| Microsoft Graph (Application) | Application.Read.All, AuditLog.Read.All, DelegatedAdminRelationship.Read.All, DeviceManagementApps.Read.All, Directory.Read.All, EntitlementManagement.Read.All, GroupMember.Read.All, IdentityProvider.Read.All, IdentityRiskEvent.Read.All, IdentityRiskyServicePrincipal.Read.All, IdentityRiskyUser.Read.All, MailboxSettings.Read, OnPremDirectorySynchronization.Read.All, Policy.Read.All, Reports.Read.All, RoleManagement.Read.All, Sites.Read.All, TeamsAppInstallation.ReadForUser.All, User.Read.All, UserAuthenticationMethod.Read.All |
| Office 365 Management APIs | ActivityFeed.Read |
| Management Groups | Reader role |
| Key Vault | Reader role |
| Custom RBAC Role | BT Insights Custom AI Reader role |
| Power Platform Security Role | Service Reader role for app user |

Create the Connector

  1. Sign in to app.beyondtrust.io. From the navigation menu, select Insights > Connectors. The Connectors page displays.
  2. Click Total configured, then click Create Connector and select Microsoft Azure from the list. The Create Microsoft Azure Connector panel displays.
  3. Enter a human-readable name for the connector (for example, Contoso – Azure Production Tenant).
  4. Select your cloud environment. Use the table below to identify the correct environment for your Azure portal URL.

| Azure Portal URL | Cloud Environment |
|---|---|
| https://portal.azure.com | Commercial / GCC |
| https://portal.azure.us | GCC High / DoD |

FedRAMP compliance notice
Insights Commercial is not FedRAMP-compliant. Connecting it to Azure Government Community Cloud (GCC), GCC High, or Azure Government DoD environments may result in data residency issues and loss of compliance.

  5. Click the on-screen link to sign in to the Microsoft Azure Portal as a Global Administrator.
  6. In Entra ID, navigate to Properties and toggle Access management for Azure resources to Yes. You can toggle this back to No after running the onboarding script.
  7. Select an installation method: Azure CloudShell (recommended) or PowerShell on Windows. Follow the appropriate sub-section below.

Install Using Azure CloudShell

  1. Open Azure CloudShell and sign in by running:

    Connect-AzAccount -UseDeviceAuthentication
  2. Download the Azure onboarding script from Insights and upload it to Azure CloudShell.

  3. Run the command provided by Insights for your selections.

  4. In Insights, copy the tenant ID, directory name, client ID, and client secret from the script output into the appropriate fields.

  5. Remove the script after setup by running:

    Remove-Item -Path "./azuread_powerplatform_onboarding.ps1"

Install Using PowerShell on Windows

  1. Ensure the Azure PowerShell Az module is installed. See the Azure PowerShell documentation for installation instructions.

  2. Open PowerShell as a standard user and log in to Azure:

    Connect-AzAccount
  3. Confirm you are connected to the correct tenant. List all tenants you have access to:

    Get-AzTenant
  4. Set the correct tenant context, where TenantID is the ID of your target directory:

    Set-AzContext -Tenant "TenantID"
  5. Verify the selected context:

    Get-AzContext
  6. If scripts must be digitally signed in your environment, run the following before executing the onboarding script:

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  7. Download the onboarding script from Insights and run it using the command provided.

  8. In Insights, copy the tenant ID, directory name, client ID, and client secret from the script output into the appropriate fields.

Grant Admin Consent for the App Registration

  1. In the Microsoft Azure Portal, navigate to Azure Services > Microsoft Entra ID.
  2. Select App Registrations in the left menu.
  3. Select the BT-SP-Connector application.
  4. In the API permissions section, click Grant admin consent and confirm your selection.
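Once consent is granted, it is worth confirming that the connector's service principal holds exactly the documented read-only Microsoft Graph application permissions and nothing more. The following script is an added example, not BeyondTrust code; it assumes the Microsoft.Graph PowerShell module (available in Azure CloudShell) and compares the consented appRoleAssignments against the permission table in this guide.

```powershell
# Added example (not part of the BeyondTrust documentation): verify that the BT-SP-Connector
# app registration has been consented exactly the read-only Graph application permissions
# listed in "Required roles and permissions", and flag anything missing or extra.
# Assumption: the Microsoft.Graph module is installed (it ships in Azure CloudShell).

Connect-MgGraph -Scopes 'Application.Read.All'

# Expected Graph application permissions, copied from the documentation table.
$ExpectedGraphPermissions = @(
    'Application.Read.All', 'AuditLog.Read.All', 'DelegatedAdminRelationship.Read.All',
    'DeviceManagementApps.Read.All', 'Directory.Read.All', 'EntitlementManagement.Read.All',
    'GroupMember.Read.All', 'IdentityProvider.Read.All', 'IdentityRiskEvent.Read.All',
    'IdentityRiskyServicePrincipal.Read.All', 'IdentityRiskyUser.Read.All', 'MailboxSettings.Read',
    'OnPremDirectorySynchronization.Read.All', 'Policy.Read.All', 'Reports.Read.All',
    'RoleManagement.Read.All', 'Sites.Read.All', 'TeamsAppInstallation.ReadForUser.All',
    'User.Read.All', 'UserAuthenticationMethod.Read.All'
)

# The connector's service principal (the enterprise app created from the app registration).
$connectorSp = Get-MgServicePrincipal -Filter "displayName eq 'BT-SP-Connector'"
if (-not $connectorSp) { throw "Service principal 'BT-SP-Connector' not found in this tenant." }

# Microsoft Graph's own service principal (well-known appId); its appRoles map role IDs to permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNameById = @{}
foreach ($role in $graphSp.AppRoles) { $roleNameById[$role.Id] = $role.Value }

# Consented application permissions appear as appRoleAssignments on the connector's SP.
$assignments  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $connectorSp.Id -All
$grantedGraph = $assignments |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNameById[$_.AppRoleId] } |
    Sort-Object -Unique

$missing    = $ExpectedGraphPermissions | Where-Object { $_ -notin $grantedGraph }
$unexpected = $grantedGraph | Where-Object { $_ -notin $ExpectedGraphPermissions }
$writeLike  = $grantedGraph | Where-Object { $_ -match 'ReadWrite|\.Write|Manage' }

"Granted Microsoft Graph application permissions: $(@($grantedGraph).Count)"
if ($missing)    { "Not yet consented (admin consent incomplete):`n  " + ($missing -join "`n  ") }
if ($unexpected) { "Granted but not in the documented set (review, remove if unneeded):`n  " + ($unexpected -join "`n  ") }
if ($writeLike)  { "WARNING: write-capable permissions on a read-only connector:`n  " + ($writeLike -join "`n  ") }
if (-not $missing -and -not $unexpected) { "Consent matches the documented read-only permission set." }
```

Permissions granted to non-Graph resources (Office 365 Management APIs) are appRoleAssignments with a different ResourceId and can be checked the same way against that resource's service principal.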

Configure Azure Event Hub (Required for Tenants with 100,000+ Users)

Note

If your tenant has fewer than 100,000 users and you are not subscribed to Azure Event Hub, select No from the Use Azure Event Hub dropdown in Insights and skip this section.

  1. In Insights, copy the Insights-generated Azure Event Hub script.
  2. Paste and run the script in your Azure shell environment.
  3. Once complete, save the Fully Qualified Hub Namespace, Blob Container URL, and Hub Name in a secure location.
  4. Follow Microsoft's procedure to stream Entra ID logs to an event hub (see Microsoft documentation: howto-stream-logs-to-event-hub).
  5. Within Azure Diagnostics settings, enable the following log categories to stream:
    • SignInLogs
    • NonInteractiveUserSignInLogs
    • ServicePrincipalSignInLogs
    • ManagedIdentitySignInLogs
  6. In Azure Destination details, select Stream to an event hub and select the Fully Qualified Hub Namespace and Hub Name saved above.
  7. In Insights, enter the Fully Qualified Hub Namespace, Blob Container URL, and Hub Name in the appropriate fields, then click Create Connector.
Note

After creating the connector, verify it is turned on. Navigate to the connector's Overview page in Insights and confirm the status is enabled.

Network access for Microsoft Foundry (optional, AI agents only)

This section applies only if you are enabling AI Agents in Identity Security Insights. By default, Foundry environments are set to All networks and no changes are required. If your Foundry environment uses restricted network access, add the following BeyondTrust IP addresses to the firewall allowlist.

| Region | IP Addresses to Allowlist |
|---|---|
| US | 50.16.236.14, 54.163.153.193, 54.225.135.48 |
| EU | 3.72.126.244, 3.78.41.126, 3.125.93.216 |
| UK | 18.130.205.142, 18.133.85.99, 18.135.255.23 |
| CA | 35.182.121.100, 3.97.211.0, 3.96.180.135 |
| IN | 65.2.101.179, 52.66.21.171, 3.108.43.201 |
| AU | 52.64.252.137, 54.252.35.200, 54.153.250.211 |

Rotate the Client Secret (ongoing maintenance)

App registration client secrets expire according to the policy set when they were created. When a secret is approaching its expiry date, follow these steps to rotate it without disrupting the connector.

In Microsoft Azure

  1. Search for Microsoft Entra ID in the Azure Portal and select it.
  2. Under Manage in the left menu, select App registrations.
  3. Locate and select BT-SP-Connector. Note the Application (client) ID for reference.
  4. Under Manage, select Certificates & Secrets.
  5. Click + New client secret. Provide a description and set an expiry date according to your organization's policy, then click Add.
  6. Copy the Secret Value immediately and store it in a secure location. The value is only shown once.

In Identity Security Insights

  1. Navigate to the navigation menu > Insights > Connectors. The Connectors page displays.
  2. Locate and select the Microsoft Azure connector in the Configured Connectors list.
  3. Open the Settings tab. Confirm the Client ID matches the one noted in the Azure steps.
  4. Paste the new Secret Value into the client secret field and click Save Changes.

Tip
Set a calendar reminder or Azure Policy alert approximately 30 days before the client secret expiry date to ensure you have time to rotate it before the connector loses access.
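A script can stand in for the calendar reminder. The following is an added example, not BeyondTrust code: using the Az module already required for onboarding, it lists every credential on the BT-SP-Connector app registration with its remaining lifetime and exits non-zero when any secret is expired or within 30 days of expiry, so it can run from a scheduled job.

```powershell
# Added example (not part of the BeyondTrust documentation): report the remaining lifetime of
# each client secret on the BT-SP-Connector app registration and flag those due for rotation.
# Assumptions: Az module installed and an existing Connect-AzAccount session in the target tenant
# (verify with Get-AzContext, as in the onboarding steps above).

$WarnDays = 30   # matches the ~30-day reminder window recommended in the Tip above

$app = Get-AzADApplication -DisplayName 'BT-SP-Connector'
if (-not $app) { throw "App registration 'BT-SP-Connector' not found; check Get-AzContext is in the right tenant." }
if (@($app).Count -gt 1) { throw "More than one app named 'BT-SP-Connector'; select it by Application (client) ID instead." }

"Application (client) ID: $($app.AppId)"

# Get-AzADAppCredential returns password credentials (client secrets) and key credentials (certificates).
$now   = Get-Date
$creds = Get-AzADAppCredential -ObjectId $app.Id | ForEach-Object {
    $daysLeft = [math]::Floor(($_.EndDateTime - $now).TotalDays)
    [pscustomobject]@{
        KeyId       = $_.KeyId
        Description = $_.DisplayName
        Hint        = $_.Hint            # first characters of the secret; helps match it to the one stored in Insights
        ExpiresUtc  = $_.EndDateTime.ToUniversalTime()
        DaysLeft    = $daysLeft
        Status      = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'ROTATE SOON' } else { 'OK' }
    }
}

if (-not $creds) { Write-Warning 'No credentials found on the app registration; the connector cannot authenticate.'; exit 1 }

$creds | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or pipeline raise the reminder automatically.
if ($creds | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```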

Step 1: Review the Home Dashboard

After the Azure connector has been configured and data has been ingested, the Identity Security Insights Home page provides a centralised view of privilege risk across your Entra ID tenant. From here, you can see the total number of identities with Highest and High True Privilege, spot escalation chains originating from Azure RBAC roles and Entra ID groups, and navigate directly into the areas that need attention.

Why this matters

The Home Dashboard gives you an immediate snapshot of Azure privilege posture across your entire Entra ID and Azure RBAC environment. Before drilling into individual identities or accounts, the dashboard orients you to the most pressing areas of risk so you can focus the review where it matters most. Security managers will find the summary tiles particularly useful for communicating Azure privilege risk to stakeholders.

Steps

  1. Sign in to app.beyondtrust.io. The BeyondTrust Home page displays.
  2. From the top left, click the navigation menu icon and select Insights. The Insights Home page (dashboard) displays.
  3. Review the Identities by True Privilege summary. This tile shows the count and percentage of identities with Highest and High True Privilege. In an Azure estate, these typically include Global Administrators, Privileged Role Administrators, and users with broad Owner or Contributor assignments across subscriptions.
  4. Note the four identity count tiles: Risky privileged identities, Identities with dormant accounts, Identities with escalations, and Identities with multiple providers. Each tile is a quick count of identities that warrant closer review.
  5. Click View Escalation Paths (or navigate to Entitlements) to see a visualisation of privilege escalation chains. Apply the Provider filter and select your Azure connector to focus on Azure-specific escalation paths.
  6. Review the Top 5 identities with the most accounts. In a hybrid environment, these are often users with both an on-premises AD account (synced to Entra ID) and one or more cloud-native accounts — a common source of unintended accumulated privilege.

Reference: Identity Count Tiles

| Tile | What It Flags | Azure Relevance |
|---|---|---|
| Risky privileged identities | Identities with Highest or High True Privilege that also have active Detections | Entra ID Global Admins or Azure subscription Owners with concurrent detections; the highest-urgency cases. |
| Identities with dormant accounts | Identities owning at least one account inactive for 60+ days | Former employees or service accounts still active in Entra ID after off-boarding or project completion. |
| Identities with escalations | Identities with at least one known Paths to Privilege escalation | Users in Entra ID groups or Azure RBAC roles that can reach Global Admin through misconfigured permissions. |
| Identities with multiple providers | Identities linked to accounts in more than one connected source system | Hybrid users with both on-premises AD (synced to Entra ID) and cloud-native Azure accounts. |

Step 2: Review overprivileged identities

Why this matters

In Azure, identities accumulate privilege through Entra ID role assignments, group-based access, and Azure RBAC inheritance. Reviewing identities by True Privilege surfaces the users who could reach Global Administrator or subscription Owner — whether through direct assignment or through escalation chains invisible in the Azure Portal. Shadow administrators (users whose group or role memberships grant admin-level access without an explicit admin role assignment) are particularly common in mature Azure tenants and rarely visible without a tool like Identity Security Insights.

Overview

The Identities page ranks every user by their True Privilege level across all connected providers. Filtered to your Azure connector, it shows you who in your Entra ID tenant has the highest potential blast radius if their account were compromised — including users who are overprivileged through Entra ID group membership, Azure RBAC role inheritance, or misconfigured Conditional Access exclusions.

Steps

  1. Navigate to Insights > Identities. The Identities page displays all identities ranked by True Privilege.
  2. Confirm the grid is sorted by True Privilege descending (Highest first). This is the default sort order.
  3. Review the Identities by True Privilege summary panel. Note the count of Highest and High privilege identities from your Azure connector — these are your priority candidates for the review.
  4. Apply a True Privilege filter: select Highest to see identities that could reach Global Administrator-level access in your Entra ID tenant.
  5. Set Has Detections = Yes to surface identities that combine high Azure privilege with active security findings — the highest-urgency cases.
  6. Apply the Dormant filter (e.g., 60 days) to find highly privileged Entra ID identities that have not logged in recently. These are common targets for attackers, especially in organisations that have had staff changes.
  7. Review the Accounts column. Identities with a high account count in an Azure estate often have both an on-premises synced account and cloud-native accounts — check whether all linked accounts are still required.
  8. Export the filtered list as a .csv using the Download button for use in a formal privilege review or security report.

Reference: Identities Page Controls (Azure Context)

| Filter | Recommended Setting for Azure Review | Rationale |
|---|---|---|
| True Privilege | Highest, then High | Captures all identities that can reach Global Admin or near-admin access in Azure. |
| Has Detections | Yes | Prioritises identities with active Azure risk findings for immediate attention. |
| Has Recommendations | Yes | Surfaces identities with outstanding Entra ID hardening guidance. |
| Dormant | 60 (days) | Finds Entra ID accounts that have not signed in and may represent incomplete off-boarding. |
| Type | Human (then repeat for Service) | Separate human Entra ID users from service accounts or managed identities for targeted remediation. |

Note

An identity's True Privilege in Azure can be significantly higher than what is visible in the Entra ID Portal. A user with only the 'User' role may still have Highest True Privilege if they are a member of an Entra ID group assigned the Global Administrator role, or if they own a group that grants admin access. True Privilege captures these indirect relationships; the portal does not.

Step 3: Investigate Individual Identities

Why this matters

Once high-priority Azure identities are identified, the side panel gives you everything needed to understand the risk and decide on remediation. The True Privilege graph is especially powerful in Azure environments: it makes visible the Entra ID group and Azure RBAC chains that allow a seemingly low-privileged user to reach Global Administrator or subscription Owner — relationships that are impossible to see in a single Azure Portal blade.

Overview

Clicking any identity opens a side panel with six tabs: Overview, Accounts, Detections, Recommendations, Entitlements, and Paths. For an Azure estate, the key tabs are Accounts (to see all Entra ID and Azure accounts linked to this person), Entitlements (to see the specific Azure RBAC roles and Entra ID roles that create elevated access), and Paths (to visualize escalation chains in the True Privilege graph).

Steps

  1. On the Identities page, click an identity name to open the side panel.
  2. Review the Overview tab. Note the True Privilege level and whether the identity is flagged as a shadow administrator. Click View True Privilege Graph.
  3. Open the Accounts tab. For each linked account, note the Provider (this will show Azure / Entra ID). Identify accounts from Azure tenants or subscriptions the identity no longer needs access to.
  4. Open the Detections tab. Review all Azure-specific detections for this identity — look in particular for detections related to suspicious service principal changes, logins from anonymized IPs, Conditional Access bypasses, or MFA fatigue.
  5. Open the Recommendations tab. In Azure estates, common recommendations include enabling Conditional Access policies for the Azure AD Connector account, enrolling high-privilege accounts in Password Safe, and removing Global Administrator from accounts that no longer require it.
  6. Open the Entitlements tab. Review the Azure RBAC roles (Owner, Contributor, User Access Administrator) and Entra ID directory roles (Global Administrator, Privileged Role Administrator) held by this identity's linked accounts.
  7. Open the Paths tab or click the True Privilege graph icon to launch the interactive node graph. Trace the escalation chains from the identity through its accounts and entitlements.
  8. In the graph, look for choke points: Entra ID groups or Azure RBAC roles connected to many identities via orange escalation lines. These are the highest-value remediation targets — fixing one group or role assignment can reduce privilege for many users at once.
  9. Click any node to open a detail panel. For an Entra ID group node, this shows membership count and the entitlements granted. For an Azure RBAC role node, it shows the scope (subscription, resource group, or resource) and the accounts assigned.

Reference: Identity Side Panel Tabs (Azure Context)

| Tab | What to Look For in Azure | Key Action |
|---|---|---|
| Overview | True Privilege level; shadow administrator flag | Click View True Privilege Graph to inspect Entra ID and Azure RBAC escalation chains. |
| Accounts | Multiple Entra ID accounts; Azure accounts from subscriptions the identity may no longer need | Flag accounts from Azure environments outside the identity's current scope of work. |
| Detections | Entra ID-specific detections: suspicious service principal changes, password spray, MFA fatigue | Prioritise detections on Highest-privilege Azure identities. |
| Recommendations | Azure-specific guidance: Conditional Access policies, Password Safe enrolment, Global Admin removal | Cross-reference with the Recommendations page in Step 7 for status tracking. |
| Entitlements | Azure RBAC roles (Owner, Contributor) and Entra ID directory roles (Global Admin, Priv. Role Admin) | Identify roles that can be downscoped or removed. |
| Paths | Escalation chains: identity > Entra ID group > Azure RBAC role > subscription-level Owner access | Find and document choke points for remediation in Step 5. |

Step 4: Review Overprivileged Accounts

Why this matters

In Azure, not every account belongs to an active, managed identity. Service accounts, legacy local accounts, and break-glass emergency accounts often exist outside the visibility of normal identity governance processes. The Accounts page surfaces all accounts discovered by the Azure connector — including those not linked to any managed identity — so you can assess whether high-privilege accounts are justified, still in use, and properly controlled.

Overview

The Accounts page provides a view of every account discovered by the Azure connector, ranked by True Privilege. It shows account type, activation state, dormancy, key entitlements, active detections, and outstanding recommendations. Use this page to find Azure accounts that are highly privileged but dormant, unmanaged, or outside your federated identity setup.

Steps

  1. Navigate to Insights > Accounts. The Accounts page displays all accounts ranked by True Privilege.
  2. Apply the Provider filter: select your Azure connector to focus the view on Entra ID and Azure accounts only.
  3. Confirm the sort order: True Privilege descending (Highest first). Review all Highest and High accounts before moving to Moderate.
  4. Filter Account Type to review specific categories in sequence. Start with service accounts and managed identities — these are common sources of excessive Azure privilege that are rarely reviewed in routine access reviews.
  5. Apply the Dormant filter (60 days). High-privilege Azure accounts that have not been used in 60 or more days should be reviewed for disablement, particularly accounts outside your Entra ID-managed lifecycle.
  6. Review the Detections column. Accounts with multiple detections, especially those with Highest True Privilege, are the highest-urgency cases. Click the count to see the specific detections.
  7. Review the Key Entitlements column. Azure accounts with a high count of key entitlements may have accumulated access across multiple subscriptions or resource groups over time.
  8. Click an account name to open the side panel. Review the Detections, Entitlements, and Recommendations tabs. For accounts linked to an identity, click the True Privilege graph icon to view the full privilege chain.
  9. Document any accounts that should be disabled, have their Azure RBAC roles downscoped, or be onboarded to BeyondTrust Password Safe for managed credential rotation.
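The dormancy criterion used in Steps 2 and 4 (Highest privilege, no sign-in for 60+ days) can be cross-checked directly in Entra ID. The following is an added example, not BeyondTrust code: it enumerates Global Administrator role members with the Microsoft.Graph module and reports users whose most recent interactive or non-interactive sign-in is older than 60 days, or who have never signed in. It assumes a tenant with Entra ID P1 (needed for signInActivity) and the Directory.Read.All and AuditLog.Read.All scopes.

```powershell
# Added example (not part of the BeyondTrust documentation): list dormant members of the
# Global Administrator directory role directly from Entra ID, as an independent cross-check
# of the Highest-privilege + Dormant (60 days) review described above.
# Assumptions: Microsoft.Graph module; Entra ID P1 for signInActivity; reader scopes below.

$DormantDays = 60
Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All'

# Get-MgDirectoryRole only lists activated roles; Global Administrator is always activated.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw 'Global Administrator role not found.' }

$nowUtc  = (Get-Date).ToUniversalTime()
$cutoff  = $nowUtc.AddDays(-$DormantDays)
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Role-assignable groups and service principals can hold this role too. They have no
        # user sign-in history, so they are listed for a separate review rather than judged here.
        [pscustomobject]@{ Principal = $m.Id; Type = $type; Enabled = $null; LastSignInUtc = $null; Status = 'NON-USER MEMBER (review separately)' }
        continue
    }
    # signInActivity is not returned unless explicitly requested.
    $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName,accountEnabled,signInActivity'

    # Treat either interactive or non-interactive sign-in as activity; take the most recent.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $status = if (-not $last)             { 'NEVER SIGNED IN' }
              elseif ($last -lt $cutoff)  { "DORMANT ($([int](($nowUtc - $last).TotalDays)) days)" }
              else                        { 'active' }

    [pscustomobject]@{ Principal = $u.UserPrincipalName; Type = 'user'; Enabled = $u.AccountEnabled; LastSignInUtc = $last; Status = $status }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

Disabled accounts that still hold the role appear with Enabled = False; they should be removed from the role as well as disabled, since re-enabling the account would restore Global Administrator access.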

Reference: Accounts Page Filters for Azure Review

| Filter | Recommended Value | What It Surfaces in Azure |
|---|---|---|
| Provider | Your Azure connector | Restricts the view to accounts discovered by the Azure connector only. |
| True Privilege | Highest, then High | Entra ID accounts that can reach Global Admin or near-admin access. |
| Type | Service account, Managed identity, User | Separates non-human accounts (service principals, managed identities) from user accounts. |
| Dormant | 60 | Azure accounts inactive for 60+ days; common off-boarding gaps. |
| State | Activated | Confirms you are reviewing live, active accounts. |
| Label | Dormant, External user | Quickly surfaces labelled account categories that are common risk vectors in Azure. |

Step 5: Review Entitlements

The Entitlements page lists every entitlement discovered by the Azure connector, ranked by privilege level. For an Azure estate, this includes Entra ID directory roles (such as Global Administrator, Privileged Role Administrator, Security Administrator), Azure RBAC roles (Owner, Contributor, User Access Administrator), API permissions, and group memberships that confer elevated access. The Paths to Privilege graph shows the escalation chains that connect these entitlements to identities.

Why this matters

In Azure, overprivilege is most often conferred through Entra ID directory roles and Azure RBAC role assignments rather than directly to individual accounts. A single overprivileged Entra ID group or RBAC role can be the root cause behind dozens of overprivileged identities. The Entitlements page lets you find these root causes directly, so you can fix the source, not just the symptoms, and reduce privilege for many users at once.

Steps

  1. Navigate to Insights > Entitlements. Apply the Provider filter and select your Azure connector.
  2. The page defaults to Privilege descending. Review all Highest-privilege entitlements first. In Azure, these typically include Global Administrator, Privileged Role Administrator, and subscription-level Owner roles.
  3. For each Highest-privilege entitlement, review the Accounts count. An Entra ID directory role or Azure RBAC role with a high account count represents a large blast radius. Investigate any entitlement where the number of accounts seems higher than business requirements justify.
  4. Apply the Type filter. Select Role to see Azure RBAC roles and Entra ID directory roles. Select Group member to see Entra ID security groups that grant elevated access. Select Permission (API permission) to see app registrations or service principals with broad Microsoft Graph permissions.
  5. Click any entitlement name to open the detail panel. Review the list of accounts assigned this entitlement, their source provider, and whether any are dormant or external.
  6. For Highest and High-privilege entitlements, click the True Privilege graph icon to open the Paths to Privilege graph. Inspect the chains that connect accounts to this entitlement. Identify choke points — groups or roles that grant access to many accounts simultaneously.
  7. Apply the Scope filter for Azure RBAC roles to narrow results to a specific subscription, resource group, or resource. This is essential in large Azure environments with many subscriptions.
  8. Use the Export settings to save a filtered PDF view for inclusion in an access review report.

Reference: Azure Entitlement Privilege Levels

| Level | Azure Examples | Remediation Approach |
|---|---|---|
| Highest | Global Administrator, Privileged Role Administrator, subscription-level Owner | Remove from all accounts not explicitly requiring it. Ensure remaining holders are enrolled in Password Safe. |
| High | Security Administrator, User Access Administrator, Contributor (broad scope), Exchange Administrator | Validate business justification; consider scoping RBAC roles to a more specific resource group. |
| Moderate | Reader (broad scope), specific resource-scoped Contributor roles, Helpdesk Administrator | Review whether scope is appropriate; ensure Conditional Access policies apply. |
| Low | Standard group membership, scoped read permissions, licence assignments | Low priority; include in periodic access certifications. |

Reference: Key Azure Entitlement Types in ISI

| Entitlement Category | Description | What to Look For |
|---|---|---|
| RBAC role (Azure) | Azure built-in or custom roles assigned at subscription, resource group, or resource scope | Owner and User Access Administrator roles assigned at subscription scope; these confer the highest blast radius. |
| Role (Entra ID directory) | Entra ID built-in directory roles (Global Admin, Priv. Role Admin, etc.) | Roles assigned to more accounts than the minimum required; check for permanent vs. PIM-eligible assignments. |
| Group member (Entra ID) | Membership of an Entra ID security group that carries Azure RBAC or directory role assignments | Groups with high-privilege RBAC assignments and many members; classic choke points. |
| API permission (Microsoft Graph) | Application or delegated Microsoft Graph permissions on app registrations | Broad permissions (Directory.ReadWrite.All, RoleManagement.ReadWrite.All) on externally-accessible app registrations. |

Note

If your organization uses Azure Privileged Identity Management (PIM), entitlements in Identity Security Insights may reflect both active and eligible role assignments, depending on connector configuration. Review eligible assignments as carefully as active ones — eligible Global Administrator assignments can be activated without additional approvals in some PIM configurations.

Step 6: Review Detections

The Detections page summarizes active risk findings across all connected providers. Filtered to your Azure connector, it shows Entra ID and Azure-specific findings including suspicious login activity, service principal misuse, password attacks, dormant account activity, and anomalous Azure infrastructure changes. Detections are ranked by Importance (Critical, High, Medium, Low) and listed in order of discovery date by default.

Why this matters

Azure-specific detections in Identity Security Insights go beyond what Entra ID Identity Protection surfaces on its own. They cross-correlate sign-in risk signals, configuration changes, anomalous account behavior, and BeyondTrust product activity to provide a broader picture of active risk. A detection on an account with Highest True Privilege is your most urgent remediation priority — a compromise of that account could grant an attacker Global Administrator access to your entire Entra ID tenant.

Steps

  1. Navigate to Insights > Detections. Apply the Provider filter and select your Azure connector to focus on Azure-specific findings.
  2. Review detections sorted by Importance descending. Triage Critical and High detections before addressing lower-severity findings.
  3. Click any detection name to open the Overview panel. Read the full description: the trigger condition, the concern it raises, and the recommended remediation action.
  4. Cross-reference detections with the Identities and Accounts pages. Click through from a detection to the affected account or identity to understand their full privilege context before deciding on a response.
  5. For anomaly-based detections (AI-backed): read the detail carefully. These may describe unusual Azure infrastructure changes or unexpected service principal behavior that does not match a known attack signature — determine whether the activity is legitimate in context.
  6. Download the detection list to a .csv file for use in an incident response workflow, to raise tickets in ServiceNow or Jira, or to include in a security review report.

Reference: Key Azure-Specific Detections

| Detection | Azure concern | Recommended action |
| --- | --- | --- |
| Azure AD Connector account behaving strangely | The Entra Connect service account may have been compromised; tooling such as AADInternals can extract its credentials from the Entra Connect server. | Investigate whether the account is compromised; review recent Entra Connect activity and the account's sign-in logs. |
| Azure AD Identity Protection detected a privileged user login from an anonymized IP | A privileged Entra ID account signing in through a VPN or Tor exit node may indicate compromised or intercepted credentials. | Investigate the sign-in for malicious activity; enforce a risk-based Conditional Access policy that blocks risky sign-ins by privileged accounts. |
| Azure AD Identity Protection detected a password spray attack | A password spray can compromise Entra ID credentials and lock out multiple accounts. | Check for successful sign-ins from the spraying source, reset credentials for affected users, and confirm MFA is enforced for the targeted accounts. |
| Attacker obtained a user's password and attempted login via Azure AD | The user's password is likely compromised and an attacker may have signed in successfully from a different IP. | Rotate the user's credentials immediately and investigate sign-in activity around the time of the alert. |
| Suspicious changes to a service principal | Attackers who have breached an Azure environment often modify a service principal, for example by adding a credential, to keep a backdoor. | Audit the change; verify it was authorised and check for newly added secrets or certificates, revoking any that are unexpected. |
| Sign-in with user agent used by Azure AD attack tools | The user agent string matches known Entra ID offensive tooling, so the credentials may be compromised. | Ensure the user rotates their password and investigate surrounding activity for signs of compromise. |
| A potentially highly privileged IAM policy attached to a user | In Azure terms, a role assignment granting broad permissions to a user. Such a change may create privilege escalation or data exposure risk. | Review the assignment; validate that it follows least privilege and was properly authorised. |
| Activity found on partially disabled identity | An identity whose Entra ID account is disabled but whose other cloud accounts remain active may indicate incomplete off-boarding. | Audit and disable all linked accounts for the off-boarded identity. |
| Successful MFA fatigue attempt identified | An attacker holding the user's password may have bypassed MFA by sending repeated push notifications until one was approved. | Investigate whether the authentication was legitimate; rotate credentials, review Conditional Access policies, and require number matching or a phishing-resistant method instead of simple push approval. |
Note

The Azure connector ingests activity logs from Entra ID sign-in events, audit logs, and (if configured) from Azure Event Hub. Richer anomaly-based detection coverage — particularly for service principal activity and infrastructure changes — is available when Azure Event Hub is configured with the full set of log categories (SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs).
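Three of the detections in the table above (password spray, MFA fatigue, attack-tool user agents) rest on sign-in telemetry of the kind the connector ingests. The Python below is an added example, not Identity Security Insights code: it runs simplified versions of those rules over constructed sign-in records whose field names follow the Microsoft Graph signIn resource. The error codes are real Entra ID codes; the user-agent markers, thresholds, IPs, timestamps and user names are assumptions made up for the example.

```python
"""Toy detectors for three Azure detections, run over constructed Entra ID
sign-in records. Field names follow the Microsoft Graph signIn resource
(userPrincipalName, ipAddress, userAgent, status.errorCode, createdDateTime);
the records themselves are made up for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error codes (AADSTS codes) used below.
INVALID_PASSWORD = 50126   # invalid username or password
MFA_FAILED = 500121        # strong authentication request failed, denied or timed out
SUCCESS = 0

# Illustrative user-agent fragments: an ASSUMPTION, not a vetted tooling list.
ATTACK_TOOL_UA_MARKERS = ("AADInternals", "ROADtools", "TeamFiltration")


def ts(s):
    return datetime.fromisoformat(s)


def detect_password_spray(records, min_users=5, window=timedelta(minutes=10)):
    """One source IP producing password failures for many distinct users
    inside a short window. Returns {ip: sorted list of targeted UPNs}."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_PASSWORD:
            by_ip[r["ipAddress"]].append((ts(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_mfa_fatigue(records, min_denials=3, window=timedelta(minutes=15)):
    """A run of MFA failures for one user followed by a successful sign-in from
    the same IP within the window: the pattern behind push-bombing.
    Returns a list of (upn, ip, denial_count)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    findings = []
    for upn, evs in by_user.items():
        evs.sort(key=lambda r: ts(r["createdDateTime"]))
        for i, r in enumerate(evs):
            if r["status"]["errorCode"] != SUCCESS:
                continue
            t_ok = ts(r["createdDateTime"])
            denials = [e for e in evs[:i]
                       if e["status"]["errorCode"] == MFA_FAILED
                       and e["ipAddress"] == r["ipAddress"]
                       and t_ok - ts(e["createdDateTime"]) <= window]
            if len(denials) >= min_denials:
                findings.append((upn, r["ipAddress"], len(denials)))
                break
    return findings


def detect_attack_tool_user_agents(records):
    """Sign-ins whose user agent contains a marker from the illustrative list."""
    return sorted({(r["userPrincipalName"], r["userAgent"]) for r in records
                   if any(m.lower() in r["userAgent"].lower() for m in ATTACK_TOOL_UA_MARKERS)})


def make_record(upn, ip, code, when, ua="Mozilla/5.0 (Windows NT 10.0) Edge/120"):
    return {"userPrincipalName": upn, "ipAddress": ip, "userAgent": ua,
            "status": {"errorCode": code}, "createdDateTime": when}


# Constructed sample: a spray from 203.0.113.7, push-bombing of alice, one tool UA.
SAMPLE = [make_record(f"user{i}@contoso.example", "203.0.113.7", INVALID_PASSWORD,
                      f"2024-05-01T08:0{i}:00") for i in range(6)]
SAMPLE += [make_record("alice@contoso.example", "198.51.100.9", MFA_FAILED,
                       f"2024-05-01T09:{m:02d}:00") for m in (1, 3, 5, 7)]
SAMPLE.append(make_record("alice@contoso.example", "198.51.100.9", SUCCESS,
                          "2024-05-01T09:09:00"))
SAMPLE.append(make_record("bob@contoso.example", "198.51.100.20", SUCCESS,
                          "2024-05-01T10:00:00", ua="AADInternals/0.9.x"))

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE))
    print(detect_mfa_fatigue(SAMPLE))
    print(detect_attack_tool_user_agents(SAMPLE))
```

The MFA fatigue rule deliberately keys on a success that follows the denials from the same IP; a burst of denials with no success is still worth a look but is a different, noisier signal. Thresholds and windows should be tuned against your own baseline before anything like this is promoted to a production rule.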

Step 7: Review recommendations and remediate

Overview

The Recommendations page groups security posture guidance by recommendation type, ranked by importance and the number of impacted accounts. For an Azure estate, the most common high-priority recommendations relate to the Azure AD Connector account, missing Conditional Access policies, unrotated passwords on privileged accounts, dormant privileged users, and accounts that should be managed by Password Safe. Authorised users can update the status of each recommendation and add comments to track progress.

Why this matters

Azure Recommendations in Identity Security Insights surface the specific Entra ID and Azure RBAC misconfigurations that create the privilege risk you have identified in the previous stages. Acting on these recommendations directly reduces your attack surface. Tracking remediation status in ISI creates an auditable record of Azure privilege posture improvements — useful for internal security governance, compliance reporting, and demonstrating progress to stakeholders.

Steps

  1. Navigate to Insights > Recommendations. Apply the Provider filter and select your Azure connector.
  2. The page defaults to Grouped view, sorted by Importance descending. Review High-importance recommendations first.
  3. Review the Accounts column. Azure recommendations affecting many accounts — such as 'MFA Not Enabled' or 'Privileged user with an old, unrotated password' — may be more efficiently addressed through an Entra ID policy change than account-by-account remediation.
  4. Click a recommendation name to open the Recommendation Details page. Review the affected accounts, their True Privilege levels, and providers.
  5. Click Quick View on any row for a high-level summary before deciding whether to action it.
  6. Click an account name to open the Instance Details page — this shows the full recommendation description, importance level, the underlying Azure-specific concern, and specific resolution steps.
  7. Select one or more accounts and click Update Status. Choose the appropriate status: New, In Progress, Resolved, False Positive, or Ignored.
  8. Add a comment to document the action taken — for example, a ServiceNow or Jira ticket reference, the name of the engineer who performed the remediation, or the reason for marking an item as a False Positive.
  9. Click Update Status to save. The status and comment history are preserved for audit purposes.
  10. After completing a remediation round, export the Recommendations grid as a .csv for reporting or integration with your ticketing system.

Reference: Key Azure-Specific recommendations

| Recommendation | Azure concern | Suggested resolution |
| --- | --- | --- |
| Overprivileged Azure AD Connector account | The Entra Connect service account holds Global Administrator. Entra Connect synchronises using the Directory Synchronization Accounts role; Global Administrator is not required for ongoing operation. | Remove the Global Administrator role from the Azure AD Connector account and confirm the next synchronisation cycle completes. |
| Azure AD Connector account not protected by Conditional Access Policies | Without a Conditional Access policy, a stolen Entra Connect credential can be used from any location. | Add a Conditional Access policy restricting the connector account to the named location of its Entra Connect server. Run the policy in report-only mode first so a wrong IP does not break directory synchronisation. |
| Entra Connect account not managed by Conditional Access policies | Entra Connect accounts not protected by Conditional Access can be abused from attacker infrastructure using stolen credentials. | Add a Conditional Access policy as above. This is a separate recommendation from the classic Azure AD Connector account. |
| MFA Not Enabled | Interactive Entra ID accounts without MFA are at high risk if credentials are leaked. | Enforce MFA for all interactive accounts with a Conditional Access policy that requires multifactor authentication (or Security Defaults on small tenants), excluding only documented break-glass accounts. Entra ID > Security > Authentication methods controls which methods users may register, not whether MFA is required. |
| Privileged user with an old, unrotated password | Privileged Entra ID accounts whose passwords have not been rotated in over a year are more likely to have been exposed. | Use Password Safe to manage and rotate passwords for privileged Entra ID accounts. |
| Privileged Azure AD account not managed by Password Safe | High-privilege Azure accounts outside Password Safe have unmanaged credentials and a higher compromise risk. | Onboard the account to Password Safe for automated credential management. |
| Identity with dormant accounts | Dormant Entra ID accounts are unnecessary attack surface, especially if the identity has left the organisation. | Disable dormant accounts in Entra ID; confirm with the identity's manager before disabling service accounts. |
| Partially-revoked identity | Incomplete off-boarding: the primary Entra ID account is disabled but secondary cloud accounts remain active. | Audit and disable all accounts linked to the identity across your Azure estate. |
| Privileged user not in the 'Protected Users' group | Protected Users is an on-premises Active Directory group with no Entra ID equivalent; it applies to hybrid privileged users that are synchronised to Entra ID. Membership disables NTLM, DES and RC4 Kerberos, delegation and credential caching, which limits credential theft on domain-joined hosts. | Add interactive privileged users to the Protected Users group in on-premises Active Directory. Do not add non-interactive service accounts; the restrictions break services that rely on NTLM, delegation or long ticket lifetimes. |
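Two of the resolutions above (restricting the connector account by location, and requiring MFA with a break-glass exclusion) are Conditional Access policies. The Python below is an added example, not BeyondTrust or Microsoft code: it builds the Microsoft Graph conditionalAccessPolicy objects for both, lints them for the lock-out mistakes a practitioner checks for, and runs a deliberately simplified local evaluator over sample sign-ins so the report-only preview can be reasoned about before the policies are created with POST /identity/conditionalAccess/policies. The evaluator models only user, location and grant-control matching, not Entra ID's full engine; the object IDs and named-location ID are placeholders.

```python
"""Conditional Access policy objects (Microsoft Graph conditionalAccessPolicy
shape) for the connector lockdown and MFA recommendations, with a lint pass
and a simplified local evaluator. Not Entra ID's evaluation engine."""
import json

# ASSUMED placeholder IDs; replace with real object and named-location IDs.
SYNC_ACCOUNT_ID = "11111111-1111-1111-1111-111111111111"   # Entra Connect sync account
BREAK_GLASS_ID = "22222222-2222-2222-2222-222222222222"    # documented break-glass admin
ENTRA_CONNECT_SERVER_LOCATION = "33333333-3333-3333-3333-333333333333"  # namedLocation id

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only


def connector_lockdown_policy(state=REPORT_ONLY):
    """Block the Entra Connect sync account everywhere except the named
    location that contains the Entra Connect server's egress IP."""
    return {
        "displayName": "Block Entra Connect sync account off-server",
        "state": state,
        "conditions": {
            "users": {"includeUsers": [SYNC_ACCOUNT_ID], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [ENTRA_CONNECT_SERVER_LOCATION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_policy(state=REPORT_ONLY):
    """Require MFA for all users. The break-glass account is excluded by design;
    the non-interactive sync account cannot satisfy MFA and is constrained by
    the lockdown policy instead."""
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": [BREAK_GLASS_ID, SYNC_ACCOUNT_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint(policy):
    """Pre-creation checks for the classic self-lockout mistakes."""
    problems = []
    users = policy["conditions"]["users"]
    controls = policy["grantControls"]["builtInControls"]
    if "All" in users["includeUsers"] and not users.get("excludeUsers"):
        problems.append("policy targets All users with no break-glass exclusion")
    if "block" in controls and "All" in users["includeUsers"]:
        problems.append("block control scoped to All users; scope blocks to specific accounts")
    return problems


def _user_in_scope(users, user_id):
    inc, exc = users.get("includeUsers", []), users.get("excludeUsers", [])
    return ("All" in inc or user_id in inc) and user_id not in exc


def _location_in_scope(locations, location_id):
    if locations is None:          # no location condition: every location matches
        return True
    inc, exc = locations.get("includeLocations", []), locations.get("excludeLocations", [])
    return ("All" in inc or location_id in inc) and location_id not in exc


def evaluate(policies, user_id, location_id, enforce_report_only=False):
    """Return the set of controls ('block', 'mfa') that apply to a sign-in.
    Report-only policies count only when enforce_report_only=True, which is
    how the impact is previewed before a policy's state is set to 'enabled'."""
    controls = set()
    for p in policies:
        if p["state"] == "disabled":
            continue
        if p["state"] == REPORT_ONLY and not enforce_report_only:
            continue
        c = p["conditions"]
        if not _user_in_scope(c["users"], user_id):
            continue
        if not _location_in_scope(c.get("locations"), location_id):
            continue
        controls.update(p["grantControls"]["builtInControls"])
    return controls


if __name__ == "__main__":
    for pol in (connector_lockdown_policy(), require_mfa_policy()):
        print(pol["displayName"], "lint:", lint(pol) or "ok")
    print(json.dumps(connector_lockdown_policy(), indent=2))
    print(evaluate([connector_lockdown_policy(), require_mfa_policy()],
                   SYNC_ACCOUNT_ID, "unknown", enforce_report_only=True))
```

Both policies default to report-only so the sign-in log can be checked for what would have been blocked (a mistyped named location shows up as blocked sync-account sign-ins rather than a broken directory sync); switching the state to "enabled" is the last step, not the first.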

Reference: Recommendation Status Values

| Status | Meaning | When to use |
| --- | --- | --- |
| New | Default; not yet reviewed | Leave as New until investigation begins. |
| In Progress | Remediation started but not complete | Set when a ticket is raised or an Entra ID / Azure RBAC change is in progress. |
| Resolved | The underlying Azure misconfiguration has been corrected | Set after confirming the change is in place, for example a Conditional Access policy applied, a role removed, or an account disabled. |
| False Positive | The recommendation does not apply to this account in context | Use for accepted configurations, for example a break-glass Global Admin account intentionally excluded from MFA. |
| Ignored | Acknowledged but intentionally not actioned | Use for accepted risks with a documented business justification and management sign-off. |

Tip

If your organization uses Microsoft Sentinel, Identity Security Insights supports a Microsoft Sentinel webhook integration that can forward Detections to Sentinel as security alerts. This allows your SOC team to triage ISI findings within their existing investigation workflow. See the Integrations section of the Insights documentation for setup steps.

Summary

Overprivilege in an Azure estate is a continuous problem, not a one-time event. Entra ID group memberships accumulate, Azure RBAC role assignments persist after project completion, and new accounts are created without always following least-privilege conventions. Consider establishing a regular cadence for privilege reviews using this workflow.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.