To view issue and remediation details:

1. Go to ITDR > Dashboard > Entra ID Change Detection > Default.

2. Select an Entra ID tenant from the Result for drop-down menu.

   See image.

   Close

   The changes detected in the Entra ID tenant are listed.

3. Double-click a change, or click the View icon under Actions to view the details.

   See image.

   Close

   The Issue Details window appears with the following details:

   • Change Date: The date and time when a change is detected in the identity.
   • Issue Name: The issue name.
   • Change: The description of the change.
   • Type of Risk: The type of risk (e.g., Excessive Privileges, Delegation Abuse, Account Management, Credential Exposure, etc.).
   • What is the issue?: The description of the issue.
   • What is the impact?: The impact status (Good, Bad, or Info).
   • Change Data: The details of the change that was detected in the identity, such as the operation name, the caller IP address, data source information, and role details.
   • Remediation: The remediation description and assessment (Easy, Moderate, or Difficult). For every remediation step, you can view:
     • How to fix?: Steps to manually remediate the issue.
     • Commands: A command that you can run in PowerShell to remediate the issue.
     • Caveats: Warnings to consider before remediating the issue.
     • References: Links to the Microsoft documentation or any other reference documentation. You can click a link to view guidance and best practices for remediation.
   • Raw Event: The raw event data received from the Entra ID tenant’s log provider. The data includes information such as who initiated the change, when it was initiated, what the change is, what the old value was, and what the new value is. The raw event data is represented in the JSON format that is easy to understand. The code is well-indented and has a key-value pair. Click Download JSON to download the JSON file for further investigation.

   See image.

   Close