High

Role-assignable groups review

Reviews role-assignable groups for missing owners and excessive count

Category: Privileged Access
Default severity: High
Rule key: CHECK_ROLE_ASSIGNABLE_GROUPS
Last updated: February 22, 2026

How to fix it

Ensure all role-assignable groups have owners and limit their count.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

Directory.Read.All

Further reading

Search Microsoft Learn for related guidance →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →