| Name | Description | Severity | Type |
|---|---|---|---|
| Temporary Access Pass Feature Enabled | The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. While it is a legitimate feature, it is safer to disable it to reduce the attack surface if your organization does not require it. | LOW | |
| Admin Consent Workflow for Applications Not Configured | The admin consent workflow in Entra ID enables non-administrator users to request application permissions through a structured approval process. If the workflow isn't configured, users who try to access applications may encounter errors without a way to request consent. | MEDIUM | |
| Authentication Methods Migration Not Complete | Migrating to the "Authentication methods" policy streamlines and modernizes authentication management in Microsoft Entra ID. This transition simplifies administration, enhances security, and enables support for the latest authentication methods. To avoid disruptions caused by the deprecation of legacy policies, complete your migration by September 2025. | MEDIUM | |
| Dangerous Application Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID to allow third-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant. | HIGH | |
| Dangerous Delegated Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID to allow third-party applications to perform actions on Microsoft services on behalf of users (called "delegated permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant. | HIGH | |
| Disabled Account Assigned to Privileged Role | A sound account management process requires monitoring assignments to privileged roles, so that disabled accounts do not retain privileged role assignments. | LOW | |
| Dormant Non-Privileged User | Dormant non-privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activities by expanding the attack surface. | LOW | |
| Dormant Privileged User | Dormant privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activities by expanding the attack surface. | MEDIUM | |
| Guest Account With a Privileged Role | Guest accounts are external identities that can pose a security risk when they have privileged roles assigned to them. This grants substantial privileges within the tenant to individuals outside your organization. | HIGH | |
| High Number of Administrators | Administrators have elevated privileges and can pose security risks when there is a high number of them, since this increases the attack surface. It is also a sign that the least-privilege principle is not respected. | HIGH | |
| Missing MFA for Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, especially with privileged accounts. Accounts without an MFA method registered cannot benefit from it. | HIGH | |
| Never Used Non-Privileged User | Never-used non-privileged user accounts are vulnerable to compromise, as they often evade detection by defensive measures. Additionally, their potential default passwords make them prime targets for attackers. | LOW | |
| Users Allowed to Join Devices | Allowing all users to join unrestricted devices to the Entra tenant opens the door for threat actors to plant rogue devices into the organization's identity system and give them a foothold for further compromise. | LOW | |