ITDR
About the Entra ID Custom Change Detection Dashboard
Watch a video on Entra ID Change Detection.
Zscaler ITDR allows you to customize the active changes you want to detect and monitor in an Entra ID tenant. You can detect and monitor the following change types in the Entra ID properties for each identity type:
- Users: Role assignment changes, password changes, multi-factor authentication (MFA) changes, users flagged as risky, delegated permission grants to applications, administrative units, and group memberships.
- Service Principals: Secret or Certificate changes, added or revoked admin permissions, added or removed API permissions, added or removed app roles, ownership changes, and group membership changes.
- Entra Roles: Additions and removals of roles.
- RBAC and Custom Roles: Additions and removals of roles.
To view the change detection data for the Entra ID properties, you must first configure a change detection policy and deploy it. ITDR makes API calls to Entra ID every 15 minutes to detect any changes in Entra identity properties. The detected changes are analyzed and displayed on the Entra ID Custom Change Detection dashboard for further analysis.
The Entra ID Custom Change Detection dashboard provides the following benefits:
- Provides near real-time visibility into new misconfigurations and security risks introduced to your Entra ID tenant.
- Monitors critical Entra ID identity properties for changes and sends email notifications about these changes.
- Improves the security posture of your Entra ID.
About the Entra ID Custom Change Detection Dashboard
On the Entra Change Detection dashboard (ITDR > Dashboard > Entra ID Change Detection > Custom), you can do the following:
- Filter change data by an Entra ID tenant.
- Copy specific columns from the table.
- View change data for the Entra ID properties. For each change, you can view:
- Change Date: The date and time when a change is detected in the Entra ID tenant.
- Identity: The name of the Entra ID identity, such as users, service principals, and Entra and RBAC roles. You can filter the column to view data for a specific identity.
- Policy Name: The name of the Entra ID change detection policy. You can filter the column to view data for a specific policy.
- Identity Type: The type of Entra ID identity (User, Service Principal, or Role). You can filter the column to view data for a specific identity type.
- Change Type: The type of active changes detected in the Entra ID properties.
- View the history of Entra ID properties changes.
- Delete an Entra ID property change.
