Findings library
EntraAnalyzer runs 79 security checks against your Microsoft Entra ID tenant. Every check below is documented — what it detects, why it matters, and how to fix it.
Looking for general questions about how EntraAnalyzer works? See the Frequently asked questions →
| Severity | Finding | What it checks | Category |
|---|---|---|---|
| Medium | Access reviews not configured | Checks whether access reviews are configured for groups and applications. | Governance |
| Critical | Active risky sign-ins | Identifies ongoing risky sign-ins that need investigation. | Identity Protection |
| Medium | Admin consent workflow not enabled | Checks whether the admin consent workflow is configured so that users can request access to apps that require administrator approval. | Identity |
| High | Administrators with anomalous sign-in patterns | Identifies administrator accounts that have never signed in or that show unusual sign-in patterns. | Privileged Access |
| Critical | Administrators Without MFA | Checks whether administrator accounts have MFA enabled. | Authentication |
| Medium | Application credentials expiring soon | Identifies app registrations with credentials expiring within 30 days. | Application Security |
| High | Application credentials without expiration | Identifies app registrations with client secrets or certificates that have very long or no expiration dates. | Application Security |
| High | Application owned only by non-admins | Detects applications whose sole owners are non-privileged users. Any owner can add credentials and assume the application's permissions. | Applications |
| High | Applications using implicit grant flow | Identifies app registrations with the deprecated OAuth implicit grant flow enabled. | Application Security |
| Medium | Applications using password credentials only | Flags apps that use client secrets but no certificates. | Application Security |
| High | Applications with excessive permissions | Identifies apps with high-risk Graph API permissions. | Application Security |
| High | Applications with high-privilege permissions | Identifies apps requesting dangerous Graph API application permissions. | Application Security |
| High | Applications with insecure redirect URIs | Identifies app registrations with wildcard or HTTP (non-HTTPS) redirect URIs. | Application Security |
| Medium | Applications with long-lived credentials | Detects application secrets or certificates with a lifetime greater than 2 years. | Applications |
| Medium | Applications without owners | Identifies app registrations with no assigned owners. | Application Security |
| Medium | Authentication strength not configured | Checks whether authentication strength policies are used in Conditional Access to require phishing-resistant authentication methods for sensitive applications. | Authentication |
| Medium | Conditional Access policies stuck in report-only | Detects Conditional Access policies that have been in report-only mode for more than 30 days without being enforced. | Authentication |
| Medium | Cross-tenant access policies not configured | Checks whether cross-tenant access policies are configured to control B2B collaboration. | Guest Users |
| Low | Disabled Conditional Access policies | Identifies Conditional Access policies in the "disabled" state, which may indicate abandoned or obsolete protection. | Authentication |
| Medium | Disabled service principal retains grants | Detects service principals that are disabled but still hold OAuth2 permission grants. | Applications |
| High | Disabled users still assigned to roles | Detects disabled user accounts that are still members of directory roles. | Identity |
| Medium | Disabled users still hold licenses | Identifies disabled users that still have one or more assigned licenses. | Identity |
| Low | Duplicate display names | Detects multiple enabled users sharing the same display name. | Identity |
| Low | Entitlement management not configured | Checks whether entitlement management access packages exist for governing access requests. | Governance |
| High | Excessive Global Administrators | Checks for too many Global Administrator accounts (best practice: 2 to 4). | Roles |
| Medium | Excessive members in privileged roles | Checks for privileged directory roles with more than 5 members. | Privileged Access |
| Medium | Expired application credentials | Identifies applications with expired secrets or certificates. | Application Security |
| Medium | Expiring App Credentials | Checks for application credentials expiring within 30 days. | Applications |
| Medium | External User Access | Reviews external user access and permissions. | Identity |
| Medium | Federated domains in use | Detects domains using federated authentication (AD FS or a third-party IdP). | Authentication |
| Critical | Global Admin synced from on-premises | Identifies Global Administrators whose accounts are synchronized from on-premises Active Directory. | Roles |
| High | Global Admin with productivity license | Identifies Global Administrators that also hold productivity licenses (mailbox, Teams, SharePoint). | Roles |
| Medium | Groups without owners | Identifies Microsoft 365 groups and security groups without assigned owners. | Identity |
| Medium | Guest users from consumer email providers | Identifies guest users invited from consumer domains (gmail.com, outlook.com, hotmail.com, yahoo.com, etc.). | Identity |
| Critical | Guest Users in Admin Groups | Identifies guest users assigned to administrative groups. | Identity |
| Low | Guest users not reviewed regularly | Checks whether access reviews are configured for guest users. | Guest Users |
| High | Guests have full member access | The guest access setting grants external guests the same access as members (the built-in "User" role), allowing full directory enumeration and member-level access. | External Collaboration |
| High | Identity Protection risk policies not configured | Checks whether sign-in risk and user risk policies are enabled. | Identity Protection |
| High | Inactive administrator accounts | Identifies admin accounts that have not signed in for 90+ days. | Privileged Access |
| Medium | Inactive User Accounts | Identifies user accounts inactive for 90+ days. | Identity |
| High | Legacy Authentication Usage | Detects usage of legacy authentication protocols. | Authentication |
| Critical | Missing break-glass accounts | The tenant has fewer than two cloud-only Global Administrators dedicated as emergency access accounts. | Roles |
| High | Missing Conditional Access Policies | Checks whether any Conditional Access policies are configured. | Access Control |
| Low | Multi-tenant applications | Flags apps configured to accept sign-ins from other tenants. | Application Security |
| Medium | Multi-tenant applications | Identifies app registrations configured as multi-tenant, which allow sign-in from external organizations. | Application Security |
| Critical | No CA policy enforces MFA for all users | No enabled Conditional Access policy requires MFA (or an authentication strength) for the "All users" scope, and Security Defaults is not enabled. | Authentication |
| Medium | No CA policy enforces sign-in frequency | No enabled Conditional Access policy configures a sign-in frequency session control, so users are never periodically forced to re-authenticate and sessions can be kept alive indefinitely. | Authentication |
| High | No CA policy requires compliant or hybrid-joined devices | No enabled Conditional Access policy enforces device compliance or hybrid Azure AD join for access. | Authentication |
| High | No Conditional Access policy uses sign-in risk signals | The tenant has Entra ID P2 but no enabled Conditional Access policy consumes sign-in risk levels. Risky sign-ins (anonymous IP, unfamiliar location, token replay) go unchallenged. | Authentication |
| High | No Conditional Access policy uses user-risk signals | The tenant has Entra ID P2 but no enabled Conditional Access policy consumes user-risk levels from Identity Protection. Compromised accounts therefore trigger no automated response. | Authentication |
| Low | No custom verified domain | The tenant has no verified custom domain; only the default *.onmicrosoft.com domain is in use. | Governance |
| Medium | No location-based access restrictions | Checks whether Conditional Access policies block untrusted locations. | Conditional Access |
| Medium | Non-compliant devices | Identifies registered devices that do not meet compliance requirements. | Devices |
| Low | Orphaned application registrations | Identifies app registrations without owners. | Application Security |
| Medium | Over-provisioned administrator roles | Identifies users with broad roles (Global Administrator, Exchange Administrator) who should have more limited role assignments. | Roles |
| Low | Password expiration disabled | Checks whether the password expiration policy is disabled. | Password Policy |
| Medium | Password set to never expire | Identifies users with the DisablePasswordExpiration password policy. | Password Policy |
| High | Permanent privileged role assignments (PIM not used) | The tenant has Entra ID P2 (Privileged Identity Management) but still has permanent privileged role assignments. Permanent assignments expose accounts to standing privilege and reduce audit quality. | Roles |
| Medium | Permissive guest invite policy | Guest invitations are allowed from all members or everyone, making external user sprawl difficult to govern. | External Collaboration |
| Low | Persistent browser session allowed | Checks whether persistent browser sessions are allowed without restriction in Conditional Access. | Conditional Access |
| Medium | Privileged Identity Management not configured | Checks whether PIM is configured for privileged roles. | Privileged Access |
| Low | Public Microsoft 365 groups | Detects Microsoft 365 groups with public visibility. | Guest Users |
| Critical | Risky OAuth consent grants | Identifies OAuth consent grants with high-privilege permissions such as Mail.ReadWrite, Files.ReadWrite.All, or Directory.ReadWrite.All. | Application Security |
| High | Role-assignable groups review | Reviews role-assignable groups for missing owners and excessive count. | Privileged Access |
| Low | Self-service password reset not enabled | Checks whether SSPR is enabled for users. | Password Policy |
| Medium | Stale device objects | Identifies device objects that have not signed in for 90+ days. | Devices |
| Medium | Stale Guest Users | Identifies guest users who have not signed in for 90+ days. | Identity |
| Critical | Tenant security baseline check | Evaluates whether the tenant has baseline identity protection via either Security Defaults or Conditional Access policies. | Authentication |
| Medium | Tenant-wide consent grants | Detects OAuth2 permission grants with the AllPrincipals consent type (granted on behalf of all users). | Application Security |
| High | Too many users with administrative roles | Flags when more than 10% of users hold at least one admin role. | Privileged Access |
| Medium | Unmanaged devices | Identifies enabled devices not managed by Intune/MDM. | Guest Users |
| Low | Unverified tenant domains | Detects domains configured in the tenant that are not currently verified. | Governance |
| Medium | Users can consent to third-party applications | The tenant allows regular users to grant consent to third-party applications, enabling illicit consent grant (phishing) attacks. | External Collaboration |
| High | Users flagged as risky | Identifies users currently flagged with risk detections. | Identity Protection |
| Medium | Users that have never signed in | Detects enabled users created more than 30 days ago that have never signed in. | Identity |
| High | Users Without MFA | Identifies users who do not have Multi-Factor Authentication enabled. | Authentication |
| High | Weak MFA methods enabled (SMS or Voice) | SMS and voice-call MFA are enabled in the authentication methods policy. These factors are vulnerable to SIM-swap, interception and social engineering attacks. | Authentication |
| Medium | Weak password protection | Verifies that the banned password list is enabled. | Password Policy |
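The application-security findings above (expiring, expired, long-lived and password-only credentials; insecure redirect URIs; implicit grant; risky and tenant-wide consent grants) all reduce to a few tests over the Microsoft Graph `application` and `oAuth2PermissionGrant` objects. The following is an added example of that detection logic, not EntraAnalyzer's own code: field names follow the Graph schema, the thresholds are the ones this page states, the risky-scope set is an assumption limited to the three scopes the page names, and the sample objects are constructed rather than taken from a real tenant.

```python
"""Detection logic for the app-registration and consent-grant findings above, run over
constructed Graph-shaped objects so it works offline. Added example, not EntraAnalyzer code."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
EXPIRING_SOON = timedelta(days=30)                # "expiring within 30 days"
LONG_LIVED = timedelta(days=2 * 365)              # "lifetime greater than 2 years"
# Assumption: only the three scopes this page names; a production list would be broader.
RISKY_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
LOOPBACK = {"localhost", "127.0.0.1"}             # Entra permits http:// redirect URIs only for loopback


def _ts(value):
    # Graph emits ISO 8601 with a trailing Z; fromisoformat wants an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credentials(app, now=NOW):
    """Return the set of credential findings for one application object."""
    findings = set()
    secrets = app.get("passwordCredentials") or []
    certs = app.get("keyCredentials") or []
    if secrets and not certs:
        findings.add("password_credentials_only")
    for cred in secrets + certs:
        end = cred.get("endDateTime")
        if end is None:                    # Graph normally fills this; treat absence as never-expiring
            findings.add("no_expiration")
            continue
        end_dt = _ts(end)
        if end_dt < now:
            findings.add("expired")
        elif end_dt - now <= EXPIRING_SOON:
            findings.add("expiring_soon")
        if cred.get("startDateTime") and end_dt - _ts(cred["startDateTime"]) > LONG_LIVED:
            findings.add("long_lived")
    return findings


def insecure_redirect_uris(app):
    """Wildcard or non-loopback http:// redirect URIs across the web, SPA and public-client sections."""
    uris = [u for section in ("web", "spa", "publicClient")
            for u in (app.get(section) or {}).get("redirectUris", [])]
    bad = []
    for uri in uris:
        parsed = urlparse(uri)
        plain_http = parsed.scheme == "http" and parsed.hostname not in LOOPBACK
        if plain_http or "*" in uri:
            bad.append(uri)
    return bad


def uses_implicit_grant(app):
    """True when the web platform issues tokens directly from the authorization endpoint.
    Access-token issuance is the serious case; ID-token-only issuance is the OIDC hybrid flow."""
    settings = (app.get("web") or {}).get("implicitGrantSettings") or {}
    return bool(settings.get("enableAccessTokenIssuance") or settings.get("enableIdTokenIssuance"))


def audit_grants(grants):
    """Flag tenant-wide (AllPrincipals) grants and grants carrying risky delegated scopes."""
    flagged = []
    for grant in grants:
        scopes = set((grant.get("scope") or "").split())   # Graph stores scopes space-separated
        risky = sorted(scopes & RISKY_SCOPES)
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        if risky or tenant_wide:
            flagged.append({"clientId": grant["clientId"], "tenant_wide": tenant_wide, "risky_scopes": risky})
    return flagged


SAMPLE_APPS = [  # constructed sample data, not from a real tenant
    {"displayName": "Payroll Sync",
     "passwordCredentials": [{"startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-12-31T00:00:00Z"}],
     "keyCredentials": [],
     "web": {"redirectUris": ["https://payroll.contoso.example/callback", "http://payroll-test.contoso.example/cb"],
             "implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": False}}},
    {"displayName": "Legacy Reporter",
     "passwordCredentials": [{"startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"}],
     "keyCredentials": [{"startDateTime": "2023-06-15T00:00:00Z", "endDateTime": "2025-06-10T00:00:00Z"}],
     "spa": {"redirectUris": ["https://*.contoso.example/auth"]},
     "publicClient": {"redirectUris": ["http://localhost:8400"]}},
    {"displayName": "Ticket Bot",
     "passwordCredentials": [],
     "keyCredentials": [{"startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-12-31T00:00:00Z"}],
     "web": {"redirectUris": ["https://tickets.contoso.example/signin-oidc"]}},
]
SAMPLE_GRANTS = [  # constructed; principalId is null for tenant-wide grants, as in Graph
    {"clientId": "sp-payroll", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-ticket", "consentType": "Principal", "principalId": "user-1", "scope": "User.Read offline_access"},
    {"clientId": "sp-backup", "consentType": "Principal", "principalId": "user-2", "scope": "Files.ReadWrite.All"},
]


def run_audit(apps=SAMPLE_APPS, grants=SAMPLE_GRANTS, now=NOW):
    """Combine the per-object checks into one report keyed by display name."""
    report = {app["displayName"]: {"credentials": sorted(audit_credentials(app, now)),
                                   "insecure_redirect_uris": insecure_redirect_uris(app),
                                   "implicit_grant": uses_implicit_grant(app)} for app in apps}
    report["grants"] = audit_grants(grants)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

Against a real tenant the same functions take the `value` arrays returned by `GET /applications` and `GET /oauth2PermissionGrants`; note that the credential expiry checks use the tenant's clock, so pass a timezone-aware `now` rather than the fixed constant.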
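Several Conditional Access findings above (no MFA policy for all users, policies stuck in report-only, disabled policies, no sign-in frequency, persistent browser sessions allowed) are questions about the same policy collection. Here is an added example of those evaluations over constructed objects shaped like the response of `GET /identity/conditionalAccess/policies`; it is illustration, not EntraAnalyzer's code. It assumes Graph's `state` values and `conditions`/`grantControls`/`sessionControls` layout, uses `modifiedDateTime` as a proxy for when a policy entered report-only (Graph records no state-transition timestamp), and the sample policies are constructed.

```python
"""Conditional Access coverage checks over constructed Graph-shaped policy objects.
Added example, not EntraAnalyzer code."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
REPORT_ONLY_LIMIT = timedelta(days=30)          # "report-only for more than 30 days"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph's report-only state value


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _session(policy, control):
    """Session control sub-object, tolerating sessionControls or the control itself being null."""
    return ((policy.get("sessionControls") or {}).get(control)) or {}


def requires_mfa(policy):
    """The 'mfa' built-in control or any authentication strength counts as requiring MFA."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def targets_all_users(policy):
    # Exclusions (break-glass accounts) are expected and do not disqualify the policy.
    users = (policy.get("conditions") or {}).get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def evaluate_conditional_access(policies, now=NOW):
    """Return one verdict per finding; only enabled policies count as protection."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    return {
        "mfa_for_all_users": any(targets_all_users(p) and requires_mfa(p) for p in enabled),
        "sign_in_frequency_enforced": any(_session(p, "signInFrequency").get("isEnabled") for p in enabled),
        "persistent_browser_restricted": any(_session(p, "persistentBrowser").get("mode") == "never" for p in enabled),
        # Assumption: modifiedDateTime approximates when the policy entered report-only.
        "report_only_stuck": sorted(p["displayName"] for p in policies
                                    if p["state"] == REPORT_ONLY
                                    and now - _ts(p["modifiedDateTime"]) > REPORT_ONLY_LIMIT),
        "disabled": sorted(p["displayName"] for p in policies if p["state"] == "disabled"),
    }


SAMPLE_POLICIES = [  # constructed sample data, not from a real tenant
    {"displayName": "Require MFA for all users", "state": "enabled",
     "modifiedDateTime": "2025-01-15T09:00:00Z",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1", "breakglass-2"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": None},
    {"displayName": "Block legacy authentication", "state": REPORT_ONLY,     # report-only for 111 days
     "modifiedDateTime": "2025-02-10T12:00:00Z",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Sign-in frequency 12h", "state": REPORT_ONLY,           # report-only for 12 days
     "modifiedDateTime": "2025-05-20T12:00:00Z",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 12, "type": "hours"},
                         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
    {"displayName": "Pilot: require compliant device", "state": "disabled",
     "modifiedDateTime": "2024-11-01T08:00:00Z",
     "conditions": {"users": {"includeUsers": ["pilot-group"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


if __name__ == "__main__":
    for finding, verdict in evaluate_conditional_access(SAMPLE_POLICIES).items():
        print(f"{finding}: {verdict}")
```

The sample shows the trap the report-only finding exists for: the sign-in frequency and persistent-browser controls are configured but sit in a report-only policy, so the tenant gets no credit for them until the policy is enforced. The Security Defaults half of the "No CA policy enforces MFA for all users" finding comes from `GET /policies/identitySecurityDefaultsEnforcementPolicy` (`isEnabled`), which this example does not query.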