EtcSecBeta
Microsoft Entra ID Security Audit

Audit Entra ID before cloud identity drift becomes a breach

EtcSec runs 158 detections across 9 Microsoft Entra ID categories. The coverage focuses on the controls attackers abuse first in Microsoft 365 and Azure: Conditional Access gaps, missing MFA, risky permanent admins, dangerous app permissions, guest access sprawl, and weak response to risky users or risky sign-ins.

Collection uses Microsoft Graph API with application permissions only. No delegated session is required, no endpoint agent is installed, and the audit does not change the tenant.

Cloud detections
158
Audit categories
9
Typical first report
8-30 sec
Coverage built around actual Entra attack paths
From the published catalogue
Conditional Access is treated as the control plane

The audit checks whether all users and admin roles are covered, whether MFA is enforced, whether legacy authentication is blocked, whether device compliance or token protection are used, and whether wide exclusions leave gaps.

Privileged access reviews go beyond counting Global Admins

The collector looks at PIM use, permanent assignments, emergency access accounts, approval and justification settings, activation duration, MFA on activation, and service principals holding admin roles.

Application risk is reviewed at consent, permission, and credential layers

The catalogue covers tenant-wide consent, admin consent policy, high-privilege Graph permissions, implicit grant, multi-tenant registrations, missing owners, expired secrets, and long-lived credentials.

Guest and external governance remains first-class

Guest admins, unrestricted invitations, stale guest accounts, guest MFA gaps, cross-tenant trust, and B2B exposure are all part of the base Entra review rather than an optional annex.

Audit scope

The 9 categories line up with how cloud identity is actually abused

The Entra audit is not a generic cloud security score. It is a control review organised around Conditional Access, privileged access, application consent, guest governance, and risk-based response.

Identity and MFA

25 detections covering registration policy, strong authentication methods, passwordless readiness, stale user accounts, weak SSPR, and password protection.

Applications and service principals

24 detections covering dangerous Graph permissions, tenant-wide consent, app ownership, implicit grant, multi-tenant registrations, and secret hygiene.

Conditional Access

20 detections for coverage of all users and admins, MFA, legacy auth blocking, device compliance, risk-based policies, token protection, exclusions, and session controls.

Privileged access and PIM

18 detections covering PIM deployment, permanent assignments, break-glass accounts, approval, justification, MFA on activation, and Global Admin count.

Guests, groups, and config

39 detections covering guest access, cross-tenant trust, dynamic groups, role-assignable groups, app registration defaults, diagnostics, and tenant-wide consent settings.

Compliance and risk protection

18 detections covering P2 licensing, access reviews, Identity Protection posture, risky users, risky sign-ins, and automated response gaps.

Why teams use EtcSec for Entra ID reviews

Cloud identity changes constantly. A useful Entra audit needs to be repeatable after policy edits, app onboarding, mergers, external collaboration changes, and privileged access review cycles.

Read-only Graph workflow

The audit uses application permissions and Graph API reads. No delegated user session and no tenant mutation are required to produce the findings.

Fast enough to review after change windows

Typical runtime is 8 to 30 seconds depending on tenant size and Graph throttling. That supports recurring control review instead of annual-only snapshots.

Named detections aligned with operator tasks

Conditional Access owners, IAM teams, app platform owners, and security governance can each see the findings relevant to their control set instead of reading one blended cloud score.

One collector for cloud and on-prem identity

The same ETC Collector workflow can audit Active Directory and Microsoft Entra ID, which matters for hybrid programmes where drift in one plane amplifies risk in the other.

Deep Dive

What a serious Entra ID security audit needs to make explicit

Cloud identity posture is often reduced to “do we have MFA?” The published Entra catalogue shows why that is too shallow: permission grants, tenant defaults, guest governance, and risk-response controls all interact.

Methodology

Read-only Graph collection and the endpoints that matter

Collection path
Microsoft Graph API with application permissions
Mutation risk
None. The audit does not change the tenant.
Main objects
Users, groups, applications, service principals, CA policies, role assignments, logs
Typical runtime
8 to 30 seconds depending on Graph throttling

The audit reads `/users`, `/groups`, `/applications`, `/servicePrincipals`, `/identity/conditionalAccess/policies`, `/roleManagement/directory`, `/policies/authorizationPolicy`, and relevant audit or identity protection endpoints. That matters because the findings can be traced back to concrete policy objects or app registrations rather than vague cloud posture claims.

Using application permissions also means the workflow is appropriate for automated or recurring review. Security teams do not need to sign in interactively every time they want to test whether a policy still protects all admins or whether new app registrations introduced dangerous consent paths.

Category Map

The 9 categories and the operator questions they answer

Published category breakdown from the Entra catalogue
CategoryChecksWhat the operator learns
Identity25Whether MFA, password policy, SSPR, registration, and stale-account controls are strong enough for modern phishing and credential attacks.
Applications24Whether app registrations, service principals, consent, and credentials grant excessive access or hide orphaned risk.
Conditional Access20Whether policy coverage is complete for all users, admins, legacy protocols, risky sign-ins, and session control.
Privileged Access18Whether PIM is used correctly, break-glass accounts exist, and permanent admin assignment is still common.
Guest External15Whether guest users, invitations, and cross-tenant collaboration are constrained and reviewable.
Config12Whether tenant-wide defaults, diagnostics, app registration, and consent settings support secure operation.
Groups12Whether dynamic, role-assignable, or externally owned groups create hidden privilege or governance gaps.
Compliance8Whether the tenant is licensed and configured for access reviews, Identity Protection, and governed access.
Risk Protection10Whether risky users and risky sign-ins are detected and automatically acted upon.
Named Detections

Detection families that usually trigger remediation

Conditional Access coverage gaps

Key findings include CA_NO_MFA_REQUIREMENT, CA_NO_POLICY_ALL_USERS, CA_NO_POLICY_ADMINS, CA_NO_LEGACY_AUTH_BLOCK, CA_NO_DEVICE_COMPLIANCE, CA_NO_RISK_BASED_SIGNIN, and CA_POLICY_REPORT_ONLY.

  • Shows whether the tenant relies on partial policy coverage.
  • Separates risk-based controls from baseline MFA enforcement.
  • Makes policy exclusions visible instead of hidden in JSON.

Privileged access drift

PA_PIM_NOT_ENABLED, PA_PERMANENT_ADMIN_ASSIGNMENTS, PA_NO_EMERGENCY_ACCOUNTS, PA_GLOBAL_ADMIN_NOT_MFA, PA_TOO_MANY_GLOBAL_ADMINS, and PA_SERVICE_PRINCIPAL_ADMIN define whether privileged access is still standing and weakly protected.

  • Useful for IAM, cloud platform, and governance owners.
  • Breaks down emergency access design separately from PIM hygiene.
  • Highlights service principal privilege because MFA cannot compensate there.

Application consent and credential risk

APP_USER_CONSENT_UNRESTRICTED, APP_DANGEROUS_PERMISSION_DIR, APP_DANGEROUS_PERMISSION_ROLE, APP_NO_OWNER, APP_SECRET_EXPIRED, APP_SECRET_LONG_EXPIRY, and SP_HIGH_PRIVILEGE expose the most common escalation and data-exposure paths.

  • Combines app registration review with service principal posture.
  • Surfaces credential hygiene, not just permission names.
  • Supports app-owner clean-up work after mergers or cloud sprawl.

Guest and cross-tenant governance

GUEST_ADMIN_ROLE, GUEST_NO_MFA_REQUIRED, GUEST_INVITATION_UNRESTRICTED, B2B_CROSS_TENANT_OPEN, GUEST_STALE_90_DAYS, and GUEST_NO_ACCESS_REVIEW explain whether collaboration remains bounded.

  • Especially relevant in M&A or partner-heavy environments.
  • Separates invitation policy from actual stale guest population.
  • Shows where guest access is present in privileged or security groups.

Identity Protection and response gaps

RISK_NO_SIGNIN_RISK_POLICY, RISK_NO_USER_RISK_POLICY, RISK_HIGH_RISK_USERS_ACTIVE, RISK_LEAKED_CREDENTIALS, and RISK_USERS_NOT_REMEDIATED show whether the tenant can react when Microsoft marks a user or sign-in as risky.

  • Important because detection without response still leaves active compromise unresolved.
  • Ties licensing and policy configuration to operational response.
  • Helps distinguish raw telemetry from enforced protection.
Operator Workflow

How the findings map to real ownership boundaries

Conditional Access owners usually care about the CA category, but their settings also determine whether admins, guests, or risky users are protected. Application platform owners need the Applications findings because consent and service principal privilege are often introduced outside central IAM workflows. Governance owners look at Compliance and Risk Protection because those categories reveal whether PIM, Identity Protection, and access reviews are actually being used rather than merely licensed.

A useful Entra landing page therefore needs to do more than say “we audit Entra ID”. It should show how the findings attach to concrete operating models: app onboarding, admin role assignment, partner collaboration, risk-response automation, and hybrid identity oversight.

  • IAM and cloud engineering own Conditional Access and PIM decisions.
  • App platform teams own registration sprawl, owners, and secret rotation.
  • Security governance owns access reviews, compliance evidence, and risk response.
  • Hybrid identity programmes need cloud and on-prem findings in one workflow.
Collector Fit

Why the collector matters even for a cloud-native review

The published collector documentation makes a useful point: the workflow is not split into a completely separate cloud product and on-prem product. The same collector can query Graph for Entra and LDAP or SMB for Active Directory. That matters because many hybrid identity issues are compound problems. An on-prem service account with stale privilege and a cloud admin account without MFA can both contribute to the same escalation narrative.

EtcSec adds the dashboard and operating layer on top of the collector. The result is a path from raw cloud control review into recurring remediation and historical tracking rather than a one-off CSV or checklist exercise.

Frequently asked questions

What does the Entra ID audit actually cover?

The published catalogue lists 158 detections across Identity (29), Applications (28), Conditional Access (20), Privileged Access (24), Guest External (15), Config (12), Groups (12), Compliance (8), and Risk Protection (10).

Does the audit require delegated permissions or an interactive admin session?

No. The review is built around Microsoft Graph application permissions and does not require an interactive delegated sign-in. That keeps the workflow automation-friendly and avoids the need to impersonate a user.

Can I review Entra and Active Directory in the same workflow?

Yes. ETC Collector supports both Entra ID and Active Directory so hybrid identity teams can run both reviews through one collection model and one operating workflow.

Why are application permissions and guest governance treated as first-class findings?

Because many real-world cloud identity incidents start with consent phishing, excessive Graph permissions, stale service principals, or weak guest collaboration defaults rather than only with a missing MFA checkbox.

Read-only Graph review

Start your Microsoft Entra ID audit

Connect with read-only Graph permissions, review Conditional Access, privileged access, applications, guests, and risk controls, and turn the output into recurring remediation work.