Downloading the Entra ID Delta Report

Security teams often face challenges in monitoring and responding to changes in their identity security posture due to frequent updates on Microsoft Entra ID tenants. A static snapshot of security posture lacks the ability to track changes over time. This limitation makes it difficult to identify improvements, regressions, and emerging risks.

Zscaler ITDR allows you to compare two historical Entra ID scans and generate a delta report. This report provides detailed insights into changes in the Entra ID security posture, and highlights newly identified risks, resolved issues, and updates to previously known risks. ITDR automates this comparison, enabling security teams to quickly identify new risks, address key changes, and prepare targeted responses efficiently.

To support further analysis and collaboration, ITDR allows you to download the Entra ID delta report in PDF and Excel formats. With these reports, you can analyze data offline, share insights with stakeholders, and streamline remediation efforts to improve the security posture of your Entra ID tenant.

To download the Entra ID delta report:

  1. Go to ITDR > Dashboard > Entra ID.
  2. On the Entra ID Dashboard, click Downloads and select one of the following options from the drop-down menu:

      1. In the Delta Report PDF window, select the Entra ID scans that you want to compare.

        1. Select the first Entra ID scan timestamp from the drop-down menu, and click Next.

        2. Select the second Entra ID scan timestamp (an older date) from the drop-down menu, and click Submit.

        The delta report is downloaded to your system in PDF format. The report presents the following information in a structured, concise layout that shows how the security posture changed between the two Entra ID scans:

        • The timestamps of the two compared scans, with the first scan referred to as Scan B and the second as Scan A.
        • Scan Summary: The issue comparison summary includes:
          • The total number of issues in Scan A and Scan B.
          • New Issues: The total number of new issues introduced in Scan B.
          • Resolved Issues: The total number of issues resolved and no longer detected in Scan B.
          • Updated Issues: Existing issues with a change in the number of affected Entra ID identities (User, Service Principal, etc.).
        • Risk Summary: Risk Score (Scan A → Scan B): A unified risk severity comparison between Scan A and Scan B. Severity levels are categorized as Critical, High, Medium, or Low. The risk posture gets better as the severity level decreases.
        • Graphical Overview of Changes: A bar chart visually representing the total number of new, resolved, and updated issues, providing a quick snapshot of changes.
        • Key Highlights: The key highlights on the security posture of the Entra ID tenant, such as top new issues, areas showing improvement, and remaining critical issues requiring attention.
        • Detailed Changes: A tabular representation of issue changes and severity levels (High, Medium, and Low) offering an in-depth view of affected Entra ID identities.
        • Recommendations Summary: Actionable recommendations to improve the security posture of the Entra ID tenant.

      1. In the Delta Report Excel window, select the Entra ID scans that you want to compare.

        1. Select the first Entra ID scan timestamp from the drop-down menu, and click Next.

        2. Select the second Entra ID scan timestamp (an older date) from the drop-down menu, and click Submit.

        The delta report is downloaded to your system in Excel format. The first scan is referred to as Scan B and the second as Scan A. The Excel report displays the following Entra ID identity-level information in separate tabs for in-depth analysis:

        • Export Summary: A list of all the tab names included in the delta Excel report.
        • Delta Summary: The issue comparison summary including scan timestamps; the total number of new, resolved, and updated issues; unified risk severity; and the total number of affected Entra ID identities.
        • New Issues: The total number of new issues introduced in Scan B, including issue name, severity levels (High, Medium, and Low), and affected Entra ID identities (User, Service Principal, etc.) details.
        • Resolved Issues: The total number of issues resolved and no longer detected in Scan B, including issue name, severity levels, and affected Entra ID identity details.
        • Updated Issues: The total number of existing issues with a change in the number of affected Entra ID identities, including issue name and severity levels.
        • Detailed Changes: The details of affected Entra ID identities that were added or removed based on the changes recorded in the Updated Issues tab.
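The New, Resolved, Updated, and Detailed Changes categories described above can be reproduced offline for any two scan exports. The following is an added example, not Zscaler code or the ITDR export format: the scan layout (issue name mapped to a set of affected identities), the issue names, the identities, and the `membership_only` check are assumptions made for illustration.

```python
# Added example, not Zscaler code. Each scan is modeled as
# {issue name: set of affected identities}; this layout is an assumption.

# Constructed sample data. Scan A is the older scan, Scan B the newer one.
SCAN_A = {
    "Sample issue 1": {"user:alice", "user:bob"},
    "Sample issue 2": {"sp:build-agent"},
    "Sample issue 3": {"user:carol"},
    "Sample issue 4": {"user:dave"},
}
SCAN_B = {
    "Sample issue 1": {"user:alice", "user:bob", "sp:report-job"},
    "Sample issue 3": {"user:erin"},
    "Sample issue 4": {"user:dave"},
    "Sample issue 5": {"user:frank"},
}


def delta(scan_a, scan_b):
    """Classify issues the way the delta report describes them."""
    new = sorted(set(scan_b) - set(scan_a))        # introduced in Scan B
    resolved = sorted(set(scan_a) - set(scan_b))   # no longer detected in Scan B
    updated, detailed, membership_only = [], {}, []
    for issue in sorted(set(scan_a) & set(scan_b)):
        before, after = scan_a[issue], scan_b[issue]
        if len(before) != len(after):
            # "Updated": the number of affected identities changed.
            updated.append(issue)
            detailed[issue] = {
                "added": sorted(after - before),
                "removed": sorted(before - after),
            }
        elif before != after:
            # Same count, different identities. Not a report category;
            # this extra check is an addition of this example.
            membership_only.append(issue)
    return {
        "total_a": len(scan_a),
        "total_b": len(scan_b),
        "new": new,
        "resolved": resolved,
        "updated": updated,
        "detailed_changes": detailed,
        "membership_only": membership_only,
    }


if __name__ == "__main__":
    for key, value in delta(SCAN_A, SCAN_B).items():
        print(f"{key}: {value}")
```

Because Updated Issues is defined by a change in the number of affected identities, an issue where one identity was replaced by another keeps the same count; the `membership_only` list surfaces that case when you compare raw identity lists yourself.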
