
Viewing Entra ID Issue Details Grouped by Risk Type

You can view the issue donut chart grouped by the risk type on the Entra ID dashboard. This gives you an overview of the types of risk most prevalent in your Entra ID tenant. You can drill down to a specific issue on the chart to further investigate and remediate the issues.

ITDR detects the following risk types in an Entra ID tenant:

  • Best Practice Violations: Security best practices help you secure your Entra ID tenant. Examples include enabling security defaults, enforcing multi-factor authentication (MFA), limiting guest user permissions, revoking deprecated user roles, and limiting the number of global administrators to less than 5. Violating these best practices could lead to data breaches, system compromise, non-compliance with data protection requirements, and operational disruptions.
  • Privilege Escalation: Entra ID has privileged roles and permissions that can be used to manage users, modify credentials, manage authentication and authorization policies, or access restricted data. Privileged role assignments can lead to elevation of privilege if they are not used in a secure and intended manner. Adversaries exploit misconfigurations to take control of these accounts. Once privileges are escalated, attackers can gain full control of the environment and compromise sensitive data.
  • Hybrid Risk: The Entra ID hybrid-joined devices feature enables you to join your on-premises Active Directory (AD) with an Entra ID tenant. Hybrid-joined devices pose security risks, such as unauthorized access, compliance issues, and data breaches.
  • Privilege Leak: Granting unnecessary access rights to users, or unintentionally exposing privileged information in an Entra ID tenant, leads to privilege leaks. Due to administrative oversight, a user might gradually accumulate unnecessary permissions. If undetected, this can lead to serious consequences, including compliance violations, unauthorized access, and data breaches.
  • Excessive Privileges: An application, a user, or a role in an Entra ID tenant might hold more permissions than are required for its legitimate task. This exposes the tenant to various vulnerabilities; an adversary can perform a privilege escalation attack to gain unauthorized access to systems and data.
  • Weak Authentication Measures: Weak authentication mechanisms or misconfigured access controls in Entra ID can lead to unauthorized access to sensitive data and resources. Administrators who are not required to use MFA are at a higher risk of compromise, because they are largely unprotected against phishing and password brute-force attacks.
  • Insecure Collaboration Settings: The cross-tenant synchronization feature in Entra ID enables organizations to collaborate with external tenants. These collaborations require robust security. Insecure collaboration settings can expose sensitive information to unauthorized individuals, jeopardizing privacy and security.
  • Data Loss: A security principal defines the access policy and permissions for a user or application in the Entra ID tenant. Over-permissioned service principals pose a security risk. For example, if a service principal with permission to read all user email is compromised, the adversary can gain access to the email accounts of all users in the Entra ID tenant.
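The following is an added example, not Zscaler ITDR code, showing how an administrator could spot-check two of the risk types above (the "fewer than 5 global administrators" best practice and global administrators without MFA) with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the read-only scopes requested; the MFA check reads registration state, which is a proxy for an MFA requirement rather than proof that Conditional Access enforces it.

```powershell
# Added example (not Zscaler ITDR code). Requires the Microsoft.Graph PowerShell SDK.
# Assumes Connect-MgGraph succeeds with the read-only scopes listed here.
Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Threshold taken from the best practice described above: fewer than 5 Global Administrators.
$MaxGlobalAdmins = 5

# Directory roles are only listed once activated; Global Administrator always is.
$gaRole = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $gaRole) { throw 'Global Administrator role not found in this tenant.' }

# Members may be users, groups, or service principals. Count user objects and flag
# the rest separately, because group-based assignment hides the true number of admins.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$users   = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
$other   = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user' })

$findings = foreach ($u in $users) {
    # The registration report shows whether the admin has any MFA method registered.
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $u.Id
    [pscustomobject]@{
        UserPrincipalName = $u.AdditionalProperties['userPrincipalName']
        MfaRegistered     = [bool]$reg.IsMfaRegistered
        MfaCapable        = [bool]$reg.IsMfaCapable
    }
}

# Best Practice Violation: too many Global Administrators.
if ($users.Count -ge $MaxGlobalAdmins) {
    Write-Warning "Best Practice Violation: $($users.Count) Global Administrators (limit is fewer than $MaxGlobalAdmins)."
}
if ($other.Count -gt 0) {
    Write-Warning "$($other.Count) non-user principal(s) hold Global Administrator; expand them before trusting the count."
}

# Weak Authentication Measures: Global Administrators with no MFA method registered.
$noMfa = @($findings | Where-Object { -not $_.MfaRegistered })
if ($noMfa.Count -gt 0) {
    Write-Warning "Weak Authentication Measures: $($noMfa.Count) Global Administrator(s) without MFA registered."
}

$findings | Sort-Object MfaRegistered | Format-Table -AutoSize
```

Run it as a sanity check against what the dashboard reports; the ITDR scan covers many more checks than these two, so a clean result here does not mean the tenant has no findings.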

To view Entra ID issue details grouped by risk type:

  1. Go to ITDR > Dashboard > Entra ID.
  2. On the Entra ID Dashboard:
    1. Select an Entra ID tenant from the Result for drop-down menu.
    2. Select a timestamp from the scanned on drop-down menu.

      The scan result for the Entra ID tenant appears.

  3. Click Risk Analysis, or click a risk type on the donut chart.

  4. The Issues by Type of Risk page appears with the scanned Entra ID tenant and scan time details. The issues are grouped by risk type and are listed under the tabs (All, Best Practice Violations, Privilege Escalation, Hybrid Risk, etc.).

  5. Select a tab, and then select an issue to view the following information:

    • The scanned Entra ID tenant name and scan time.
    • Vulnerability issue and attack details:
      • Issue: The issue name.
      • Type Of Risk: The type of risk (e.g., Hybrid Risk, Privilege Leak, or Data Loss).
      • Severity: The severity level of the risk (Critical, High, Medium, or Low).
      • Remediation: The remediation assessment (Easy, Moderate, or Difficult).
      • MITRE ATT&CK Tactics: The MITRE ATT&CK tactic associated with the issue (e.g., Privilege Escalation or Credential Access).
      • What is the issue?: The description of the vulnerability issue.
      • What is the impact?: The consequences of the attack.
      • References: Click the reference link to view the Microsoft documentation or any other reference document to understand the issue context and remediation.
      • Who is affected?: A list of affected identities that are vulnerable to attack.

        Click Export as CSV to export the affected identities as a CSV file, click Copy Table to copy specific columns from the table, and click Actions to automatically remediate Entra ID issues.

    • Remediation: The remediation description and assessment (Easy, Moderate, Difficult). For every remediation step, you can view:
      • How to fix?: Steps to manually remediate the issue.
      • Commands: A command that you can run in PowerShell to remediate the issue.
      • Caveats: Warnings to consider before remediating the issue.
      • References: A link to the Microsoft documentation or any other reference document that provides remediation details.
