Documentation

What you can do with Identity Security Insights

Suggest Edits

See how the Insights delivers value — in one page

This page gives you a quick, example-driven overview of what Identity Security Insights enables.

You’ll see how Insights helps you:

  • Uncover hidden privilege escalation paths
  • Detect identity-based threats with context
  • Improve your identity security posture with guided remediation

By connecting identity, privilege, and activity data across systems, Insights gives you the visibility to act with confidence.

ℹ️

The examples below use demonstration data to illustrate how Identity Security Insights works. Access to the Pathfinder portal, the Insights application and tile, and a connected identity source is required to explore similar views in your own environment.

Start with the Big Picture

Before diving into specific investigations and examples, the Insights dashboard gives you a high-level view of your identity risk surface.

You’ll see key metrics like:

  • Total number of accounts
  • Accounts with high-risk privileges
  • Detected paths to admin-level access

These tiles help you quickly assess where privilege is concentrated — and where to start investigating.

Dashboard summary with three panels. The first panel shows "Total Accounts" with a count of 3,691, and links for "View 2,070 Dormant Accounts" and "View Accounts." The second panel shows "Accounts with High True Privilege" with a count of 564, including links for "535 Accounts with direct paths," "29 Accounts with indirect paths," and "View All True Privileged Accounts." The third panel shows "Escalation Paths" with a count of 1,982 and a link to "View Escalation Paths."

Key dashboard tiles highlight total accounts, high-privilege identities, and escalation paths.

Uncover Hidden Privilege Escalation Paths

Most identity attacks don’t start with a privileged user — they end with one.

Insights helps you uncover how privilege can be reached, not just who’s privileged now, but who could be. These hidden escalation paths are often missed by traditional tools — but they’re critical to reducing identity risk.

Understand Your Identity Blast Radius

Some identities accumulate access across roles, groups, and systems — creating a much larger blast radius if compromised.

Insights calculates True Privilege™ by analyzing:

  • Assigned privileges — roles, groups, or policies directly linked to an identity
  • Inherited access — nested group memberships or role hierarchies
  • Shadow privileges — indirect access paths, like policy attachments or trust relationships

Together, these form a complete picture of what an identity can do — not just what it has on paper.

Diagram titled “True Privilege” showing a user’s access path. A box labeled “User” points to “Entra ID Group A,” which connects downward into a red highlighted section labeled “Shadow / Indirect.” Inside this section, the path continues to “Entra ID Group B (nested)” and then to “Azure RBAC Role,” illustrating indirect privilege escalation through nested group membership.

Insights analyzes shadow and inherited privileges in the True Privilege Graph.

ℹ️

Key Concept: True Privilege™

Most identity tools only analyze direct assignments. Insights calculates True Privilege™ by combining direct, inherited, and shadow access into a single view.

Investigate Specific Identities

Once you understand how privilege accumulates, the next step is to investigate who has the most access — and how they got it.

Start by opening the Identities view from the dashboard. This table is sorted by True Privilege level, so you can quickly spot the riskiest users.

Select an identity — for this example, Amy Miller — to open the Identity Details page.

On the Insights page, a table displays user data with columns for Name, Email, True Privilege, and Accounts. The row for "amy miller" is highlighted.

The Identities table groups accounts under a single identity, sorted by True Privilege level.

Visualize Escalation Paths

Once you’ve identified a high-risk identity, you can explore exactly how it could escalate to admin-level access.

From the Identity Details page, click View True Privilege Graph to see how this identity can escalate to admin-level access.

The Identity Details screen displays details for "amy miller," showing highest direct privilege and true privilege, a job title of Engineer 3, and a button to "View True Privilege Graph".

Access the True Privilege Graph from Identity Details.

The graph outlines all Paths to Privilege — both direct and indirect. In the example below, Amy Miller can escalate to the Global Administrator role through two layers of Azure Entra role assignments.

A diagram depicting account and directory role assignments within a system. Lines connect user accounts to their respective roles, including 'Application Admin' and 'Global Admin,' with arrows indicating relationships.

The True Privilege Graph highlights escalation paths discovered for a given identity.

Use the Entitlements Table for Deeper Analysis

To view privilege relationships in a tabular format, open the Entitlements table — available as a standalone view or within the Identity Details page.

This table shows every instance where an entitlement (for example, a role assignment or policy attachment) is linked to an account.

  • Select the graph icon in the Actions column to view a compact escalation graph for that entitlement.
A settings dashboard displaying entitlement information. The table shows user roles with details such as privilege level, type, provider, account name, and actions, including an icon for more options. The splash icon in the Actions column will display a compact True Privilege graph.

The graph icon in the Actions column will display a compact escalation graph.

The Path to Privilege graph displays a network of identities and roles related to the user amiller@example.com. It includes roles like Application Admin, Service Principal, and Global Administrator, with the label indicating highest privilege levels.

Isolated privilege escalation graph from the Entitlements page.

What You Can Do

With the Identities and Entitlements views, you can:

  • Investigate how specific users gain elevated access
  • Visualize escalation paths in graph or table form
  • Pinpoint and remediate risky privilege relationships

Detect and Prioritize Identity-Based Threats

Login anomalies are everywhere — but without context, they’re just noise. Insights helps you focus on what matters by correlating:

  • Who the user is
  • How privileged they are
  • What else they did

This lets you distinguish between harmless anomalies and real threats.

Example: A High-Risk Identity in Action

Start by navigating to the Identities page and selecting a high-risk identity. In this case, the identity’s True Privilege™ rating is Highest.

The Identity Details page for an user named David Faulk. Display includes options for viewing Direct Privilege and True Privilege, both marked as Highest.

Identity with the highest True Privilege rating selected for investigation.

Open the Detections tab to view recent suspicious activity. In this example, the identity:

  • Logged in from a Tor node — a sign of anonymized or evasive access
  • Enrolled a new Okta IdP — potentially introducing an unapproved identity provider
  • Signed into Entra ID from a new country — suggesting location-based risk
A dashboard displaying security detections. Three entries are visible with columns for detection summary, account name, severity, provider, and detection date. The detections include high, critical, and moderate alerts, all in the month of February.

Detections table showing concerning behavior within a single week.

A week later, the identity continues to show suspicious behavior across multiple platforms.

A second dashboard displaying three detections related to the David Faulk account. Each row shows detection summary, account name, severity level, provider name, and detection date and time. The detections include low, critical, and moderate alerts, all on March 4.

The user exhibits multiple signs of malicious behavior within a short time span, across multiple technology domains (Entra, Okta).

Each behavior is concerning on its own — but when chained together, the risk is greater than the sum of its parts.

Click into any detection row for full context — including timestamps, affected systems, and recommended actions.

What You Can Do

With Insights, you can:

  • Correlate privilege and behavior to prioritize real threats
  • Investigate suspicious identities across multiple platforms
  • Act with confidence, knowing the full picture

Improve Identity Posture

Reducing identity risk isn’t just about detecting threats — it’s about fixing what’s misconfigured. The Recommendations view helps you do exactly that.

Insights surfaces posture-related findings across your environment and provides guided remediation steps to address them.

Example: External Users with Privileged Roles

From the dashboard, open the Recommendations widget. In this example, we’re investigating the finding:
External Users with Privileged Entra ID Directory Role.

The Recommendations dashboard displaying for items. The highlighted item, "External Users with Privileged Entra ID Directory Role", is marked as high importance, alongside other recommendations with varying importance levels.

The Recommendations table contains a list of remediation activities that can improve your identity security posture.

Click into the finding to view:

  • A summary of the issue
  • Recommended remediation steps
  • A list of affected identities
The recommendation details page showing external users with privileged Entra ID directory roles. It mentions concerns about potential security risks posed by these users and displays account information and action options. The Quick View button is highlighted.

Recommendation Details outlines practical remediation steps to address the security misconfiguration or posture improvement.

Use Quick View in the Actions column to open a flyout with additional context.

A flyout screen displaying a security recommendation for external users with a privileged Microsoft Entra ID directory role. It highlights account details, status, a warning about policy differences, and a summary regarding privileges for the "Application Administrator" role.

The Recommendation Details flyout provides additional context.

Take Action with Automation

Once you’ve identified a recommendation, you can streamline remediation using the Take Action button — but first, you’ll need to configure your integrations.

The dropdown includes options for:

  • Triggering automation through your configured integrations (for example, ServiceNow, Teams, or Slack)
  • Setting up new integrations via the Configure Webhook option
Set up integrations with notification apps, change management systems, or BeyondTrust products.

Set up integrations with notification apps, change management systems, or BeyondTrust products.

📘

Note:

Integrations must be configured before they appear in the Take Action menu. Supported destinations include ticketing systems, messaging platforms, SIEMs, and more.

What You Can Do

With Insights, you can:

  • Identify posture gaps across identity systems
  • Follow guided remediation for misconfigurations and risky setups
  • Automate fixes using integrations with your existing tools

What You Can Do with Identity Security Insights

Identity Security Insights gives you the visibility and context to take action — not just react.

With Insights, you can:

Uncover hidden privilege escalation paths across cloud and on-prem environments

Detect identity-based threats with full context and correlation

Improve your identity posture through guided, actionable recommendations

Automate remediation using integrations with your existing tools

And that’s just the beginning.

You can also:

  • View identities stitched together from multiple sources
  • Audit passwords and credential hygiene across platforms
  • Explore tailored reports based on your role or use case
  • Investigate all accounts across connected identity sources
  • Track posture improvements over time

Whether you're investigating a threat, cleaning up privilege sprawl, or tightening posture, Insights helps you reduce identity risk with clarity and confidence.

Updated 7 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.