High

Administrators with anomalous sign-in patterns

Identifies administrator accounts that have never signed in or show unusual sign-in patterns.

Category: Privileged Access
Default severity: High
Rule key: CHECK_ADMIN_SIGN_IN_ANOMALIES
Last updated

How to fix it

Review administrator accounts that have never signed in or show unusual sign-in behavior. Inactive admin accounts can be abused.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All
  • AuditLog.Read.All
  • RoleManagement.Read.Directory
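
An added example, not EntraAnalyzer's own code: it joins directory role assignments to each user's `signInActivity` (the Graph data these permissions expose) and flags role holders who have never signed in or have been idle longer than an assumed 90 days. The sample records, IDs and the threshold are constructed assumptions; the page does not publish the rule's own criteria.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed threshold; the page does not define one

def _parse(ts):  # Graph returns ISO 8601 UTC strings (2024-05-28T09:15:00Z) or null
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_sign_in(user):
    """Latest of the interactive and non-interactive sign-in times, or None."""
    activity = user.get("signInActivity") or {}
    times = [_parse(activity.get(key)) for key in
             ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    return max((t for t in times if t), default=None)

def review_admins(role_assignments, users, now, stale_after=STALE_AFTER):
    """Map userPrincipalName -> finding for role holders that need review."""
    by_id = {u["id"]: u for u in users}
    findings = {}
    for principal_id in sorted({a["principalId"] for a in role_assignments}):
        user = by_id.get(principal_id)
        if user is None:  # group or service principal: not evaluated here
            continue
        seen = last_sign_in(user)
        if seen is None:
            finding = "never signed in"
        elif now - seen > stale_after:
            finding = f"no sign-in for {(now - seen).days} days"
        else:
            continue
        if not user.get("accountEnabled", True):
            finding += " (account disabled)"
        findings[user["userPrincipalName"]] = finding
    return findings

# Constructed sample data, shaped like Graph roleAssignments and user objects
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ASSIGNMENTS = [{"principalId": p, "roleDefinitionId": "role-placeholder"}
               for p in ("u1", "u2", "u3", "u3", "g1")]
USERS = [
    {"id": "u1", "userPrincipalName": "active.admin@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-28T09:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-30T22:01:00Z"}},
    {"id": "u2", "userPrincipalName": "unused.admin@contoso.example", "accountEnabled": True,
     "signInActivity": None},
    {"id": "u3", "userPrincipalName": "old.admin@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-11-02T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]
print(review_admins(ASSIGNMENTS, USERS, NOW))
```

An account that is disabled but still holds a role is reported as well, since the assignment becomes usable again the moment the account is re-enabled.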

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
