ITDR
About the Entra ID Change Detection Dashboard
The Entra ID Change Detection dashboard monitors and detects active changes in an Entra ID tenant and classifies each change as having a good, bad, or info impact. It also provides issue and remediation details.
Here are a few examples of changes or issues that the Entra ID Change Detection dashboard detects in an Entra ID tenant:
- Users without multi-factor authentication (MFA): MFA acts as an additional layer of security to prevent unauthorized users from accessing Entra ID tenants. If any user is exempted from MFA at sign-in, the change is detected and marked as a bad impact.
- Privileged guest accounts: Whenever a guest user is assigned a privileged role, this action is detected and marked as a bad impact. It is recommended to assign guest users only the least required permissions.
- Revoked roles on a service principal: When permissions to access private data are revoked from a service principal, the overall attack surface is reduced and the application can no longer read private data. This is marked as a good impact.
To view the change detection data, you need to configure an Entra ID tenant for a scan. The Entra ID Change Detection dashboard uses the Entra ID scan results to collect data.
The Entra ID Change Detection dashboard provides the following benefits:
- Provides near real-time visibility into new misconfigurations and security risks introduced to your Entra ID tenant.
- Improves the security posture of your Entra ID.
On the Entra ID Change Detection dashboard (3rd-Party App Governance > Dashboard > Entra ID Change Detection > Default), you can do the following:
- Filter change detection results by an Entra ID tenant.
- Copy specific columns from the table.
- View change detection data for the Entra ID tenant. For each change, you can view:
  - Change Date: The date and time when the change was detected in the Entra ID tenant.
  - Issue: The issue for which the change is detected (e.g., Insecure permissions on application, Privileged guest accounts, etc.).
  - Identity: The name of the Entra ID user or service principal (identity) for which the change is detected.
  - Initiated By: Details of the identity that initiated the change.
  - Reason: The reason for the change.
  - Impact: The status of the change, which is one of the following. You can filter the column to view a specific impact:
    - Good: A good or safe change.
    - Bad: A risky change. System administrators can review the bad impacts, view the issue details, and remediate the issues.
    - Info: A significant change to the Entra ID tenant that might have a good or bad impact based on the environment. System administrators can review the impact and take the necessary actions.
  - Type: The type of Entra ID identity (User or Service Principal). You can filter the changes by identity type.

  You can double-click a change to view issue and remediation details.
- View the Entra ID change detection issue details and remediation.
- Add an Entra ID change detection issue to the safelist.
- Add an Entra ID change detection object to the safelist.
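
The following added example (not the product's own logic or code) shows how two of the detections described above, privileged guest accounts and revoked roles on a service principal, could be derived from tenant audit records and mapped to the dashboard's columns. It assumes records in the Microsoft Graph directoryAudit shape; the sample data, the `PRIVILEGED_ROLES` set, the `#EXT#` guest heuristic, and the Info fallback are assumptions made for illustration.

```python
import json
# Constructed records shaped like Microsoft Graph directoryAudit entries (made-up data).
SAMPLE_AUDIT = json.loads(r'''[
 {"activityDateTime": "2024-05-01T09:12:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
  "targetResources": [{"type": "User",
    "userPrincipalName": "pat_partner.example#EXT#@example.onmicrosoft.com",
    "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDateTime": "2024-05-01T10:30:00Z",
  "activityDisplayName": "Remove app role assignment from service principal",
  "initiatedBy": {"user": {"userPrincipalName": "secops@example.onmicrosoft.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "hr-export-app", "modifiedProperties": []}]},
 {"activityDateTime": "2024-05-01T11:05:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
  "targetResources": [{"type": "User", "userPrincipalName": "lee@example.onmicrosoft.com",
    "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Reports Reader\""}]}]}
]''')

# Assumed set of roles treated as privileged; adjust to your tenant's policy.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Application Administrator"}
SP_ROLE_REMOVED = "Remove app role assignment from service principal"

def role_name(target):
    """Return the assigned role's display name (audit values are JSON-quoted strings)."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName":
            return (prop.get("newValue") or "").strip('"')
    return None

def classify(event):
    """Map one audit record to a dashboard-style row (Impact: Good/Bad/Info)."""
    target = event["targetResources"][0]
    upn = target.get("userPrincipalName") or ""
    actor = event["initiatedBy"].get("user") or event["initiatedBy"].get("app") or {}
    issue, impact = "Uncategorized change", "Info"  # assumed fallback
    if event["activityDisplayName"] == "Add member to role":
        role = role_name(target)
        # "#EXT#" in the UPN is a guest heuristic; the user's userType is authoritative.
        if "#EXT#" in upn and role in PRIVILEGED_ROLES:
            issue, impact = "Privileged guest accounts", "Bad"
        else:
            issue = f"Role assigned: {role}"
    elif event["activityDisplayName"] == SP_ROLE_REMOVED:
        issue, impact = "Revoked roles on a service principal", "Good"
    return {"change_date": event["activityDateTime"], "issue": issue, "impact": impact,
            "identity": upn or target.get("displayName"), "type": target["type"],
            "initiated_by": actor.get("userPrincipalName") or actor.get("displayName")}

def bad_changes(events):
    """Rows an administrator would review first, like filtering Impact to Bad."""
    return [row for row in map(classify, events) if row["impact"] == "Bad"]
```
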