The following table describes the vulnerabilities identified in the pre-defined Entra ID Discovery for Privilege Escalation.
| Vulnerability Template | Vulnerability | Risk | What to find |
|---|---|---|---|
| Number of Global Administrators | Name: More than recommended number of Global Administrators in the organization. Default scope: N/A | Users who are assigned the Global Administrator role can read and modify almost every administrative setting in your Microsoft Entra organization. Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. Remediation: Review the users assigned the Global Administrator role, determine the access required, and assign a more appropriate privileged role to the user. | Total number of Global Administrators in the organization is more than or equal to 5. NOTE: The number of Global Administrators is editable. |
| Entra ID Role with Guest members | Name: Guest accounts assigned to the Global Administrator role. Default scope: N/A | Cyber-attackers use credential theft attacks to target administrator accounts and other privileged access to try to gain access to sensitive data. Remediation: Remove Guest accounts from the Global Administrator role. If the Guest account is the initial Microsoft account used when the Entra ID tenant was first set up, replace the Microsoft account with an individual cloud-based or synchronized account. | Roles in scope that have more than 0 Guest accounts as members. NOTE: The number of Guest accounts is editable. |
| Number of privileged role assignments | Name: More than recommended number of privileged role assignments. Default scope: N/A | Some roles include privileged permissions, such as the ability to update credentials. Since these roles can potentially lead to elevation of privilege, the use of these privileged role assignments should be limited to fewer than 10 in the organization. Remediation: Review the privileged role assignments and reduce the number of assignments by removing access from principals that do not require it. If all principals require the access, use role-assignable groups to manage the access to privileged roles. | Total number of privileged role assignments in the organization is more than or equal to 10. NOTE: The number of privileged role assignments is editable. |
| Entra ID Conditional Access Continuous Access Evaluation disabled status | Name: Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users. Default scope: All users | Continuous access evaluation is automatically enabled as part of the organization's Conditional Access policies. The key benefits of continuous access evaluation are: | Entra ID user accounts in scope that are assigned a Conditional Access policy with Continuous Access Evaluation set to disabled. |
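The four checks above can be evaluated offline against an export of role assignments and Conditional Access policies. The script below is an added example, not the discovery product's own code: it runs the four rules, with the table's default thresholds as editable parameters, over constructed sample data. The data shape (users with `userType`, role definitions with an `isPrivileged` flag, assignments with `principalId`/`roleDefinitionId`, and a policy `sessionControls.continuousAccessEvaluation.mode` of `disabled`) is assumed to loosely mirror Microsoft Graph objects; "roles in scope" for the guest check is taken to mean roles flagged as privileged, which is an assumption of this example.

```python
"""Evaluate the four Entra ID privilege-escalation discovery rules over
constructed sample data. Added example; not the vendor's implementation."""
from collections import defaultdict

# --- Constructed sample data (assumed Graph-like shape; not a real tenant) ---
USERS = [
    {"id": "u1", "displayName": "Alice", "userType": "Member"},
    {"id": "u2", "displayName": "Bob", "userType": "Member"},
    {"id": "u3", "displayName": "Carol", "userType": "Member"},
    {"id": "u4", "displayName": "Dan", "userType": "Member"},
    {"id": "u5", "displayName": "partner_ext", "userType": "Guest"},
    {"id": "u6", "displayName": "Eve", "userType": "Member"},
]
ROLE_DEFINITIONS = {  # assumption: isPrivileged marks roles "in scope"
    "r-ga": {"displayName": "Global Administrator", "isPrivileged": True},
    "r-pra": {"displayName": "Privileged Role Administrator", "isPrivileged": True},
    "r-sa": {"displayName": "Security Administrator", "isPrivileged": True},
    "r-reader": {"displayName": "Directory Readers", "isPrivileged": False},
}
ROLE_ASSIGNMENTS = [
    {"principalId": p, "roleDefinitionId": r}
    for p, r in [("u1", "r-ga"), ("u2", "r-ga"), ("u3", "r-ga"), ("u4", "r-ga"),
                 ("u5", "r-ga"), ("u1", "r-pra"), ("u2", "r-pra"), ("u6", "r-pra"),
                 ("u3", "r-sa"), ("u6", "r-sa"), ("u6", "r-reader")]
]
CA_POLICIES = [
    {"displayName": "Legacy app session policy", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u1"]}},
     "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["u2"], "excludeUsers": []}},
     "sessionControls": {}},
]


def global_admins(assignments, roles):
    """Distinct principals holding the Global Administrator role."""
    ga_ids = {rid for rid, r in roles.items() if r["displayName"] == "Global Administrator"}
    return {a["principalId"] for a in assignments if a["roleDefinitionId"] in ga_ids}


def guests_in_privileged_roles(assignments, roles, users):
    """Map privileged role name -> sorted ids of Guest principals assigned to it."""
    guests = {u["id"] for u in users if u["userType"] == "Guest"}
    found = defaultdict(set)
    for a in assignments:
        role = roles[a["roleDefinitionId"]]
        if role["isPrivileged"] and a["principalId"] in guests:
            found[role["displayName"]].add(a["principalId"])
    return {name: sorted(ids) for name, ids in found.items()}


def privileged_assignment_count(assignments, roles):
    """Every assignment to a privileged role counts once, even for the same principal."""
    return sum(1 for a in assignments if roles[a["roleDefinitionId"]]["isPrivileged"])


def users_with_cae_disabled(policies, users):
    """Users targeted by an enabled CA policy whose CAE session control is 'disabled'."""
    all_ids = {u["id"] for u in users}
    hit = set()
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        cae = policy.get("sessionControls", {}).get("continuousAccessEvaluation") or {}
        if cae.get("mode") != "disabled":
            continue
        user_cond = policy["conditions"]["users"]
        include = user_cond.get("includeUsers", [])
        exclude = set(user_cond.get("excludeUsers", []))
        targeted = all_ids if "All" in include else set(include) & all_ids
        hit |= targeted - exclude
    return hit


def evaluate(users, roles, assignments, policies,
             max_global_admins=5, max_privileged_assignments=10, max_guests=0):
    """Return (template name, detail) findings; thresholds mirror the table's editable defaults."""
    findings = []
    ga = global_admins(assignments, roles)
    if len(ga) >= max_global_admins:
        findings.append(("Number of Global Administrators", f"{len(ga)} >= {max_global_admins}"))
    for role, ids in guests_in_privileged_roles(assignments, roles, users).items():
        if len(ids) > max_guests:
            findings.append(("Entra ID Role with Guest members", f"{role}: {', '.join(ids)}"))
    n_priv = privileged_assignment_count(assignments, roles)
    if n_priv >= max_privileged_assignments:
        findings.append(("Number of privileged role assignments",
                         f"{n_priv} >= {max_privileged_assignments}"))
    cae_users = users_with_cae_disabled(policies, users)
    if cae_users:
        findings.append(("Entra ID Conditional Access Continuous Access Evaluation disabled status",
                         f"{len(cae_users)} users: {', '.join(sorted(cae_users))}"))
    return findings


if __name__ == "__main__":
    for template, detail in evaluate(USERS, ROLE_DEFINITIONS, ROLE_ASSIGNMENTS, CA_POLICIES):
        print(f"[{template}] {detail}")
```

With the sample data every rule fires: five distinct Global Administrators (one of them a Guest), ten privileged assignments, and an enabled policy that disables CAE for all users except one. Raising `max_global_admins` to 6 silences the first finding, which is the "editable" behaviour the NOTE cells describe.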