Privileged Objects
Privileged objects are the most critical assets within Microsoft Entra ID. Within the Microsoft enterprise access model, Privileged objects in Entra ID include permissions that can delegate management of resources, modify credentials, authentication or authorization policies, and access restricted data.
Security Guardian supports the following Privileged types:
-
Groups
-
Roles
-
Service Principals
-
Tenants
-
Users
The Privileged Objects provider (Security Guardian or BloodHound Enterprise), identifies Entra ID Privileged objects within the Microsoft 365 tenant(s). These objects are then collected and displayed in Security Guardian.
Privileged Objects List
The Privileged Objects list displays all of the Privileged objects that have been collected by the Privileged objects provider (Security Guardian or BloodHound Enterprise) as well as any that have been manually-added by users.
|
|
NOTE: If BloodHound Enterprise is configured and you see the message No New Privileged Objects, check the BloodHound Enterprise Configuration Status from within On Demand Audit. Review the configuration connection message details to determine whether the connection to SpecterOps has been successful. Review the Last Configuration Received, Next Configuration Synchronization, and the status of the configuration. |
To access the Privileged Objects list:
From the On Demand left navigation menu, choose Security | Privileged Objects. The following information displays for each Privileged object:
|
|
NOTE: If you click the Filter button, you can filter displayed results by any one of these criteria. |
From the Privileged Objects list, you can:
Viewing Privileged Object Details
To view a Privileged object's details:
From the Dashboard Uncertified Privileged Objects tile or from the Privileged Objects list, click the object's Display Name.
The following Object Properties are identified for the selected Privileged object:
-
Certification Status
-
Added By (Security Guardian, BloodHound Enterprise or User)
-
Display Name
-
Object ID
-
Object Type
-
Principal Name, Tenant, and Tenant ID (for Tenant objects)
-
Service Principal type (for Service Principal objects)
-
|
|
NOTE: This field may be populated only if On Premises Sych is enabled. |
-
Role Template ID (for Role objects)
-
User Type (for User objects)
-
Security Identified (for Group objects)
-
Principal Name
-
On Premises Name (for User and Group objects, if On Premises Synch is enabled)
-
On Premises SID for User and Group objects, if On Premises Synch is enabled)
-
On Premises Domain (for User and Group objects, if On Premises Synch is enabled)
-
Date Added
-
|
|
NOTE: This field displays the signed-in user's local date and time. |
-
Information Last Updated
Why Privileged?
This section provides the reason why the object is considered Privileged. If the object was added by the provider (Security Guardian or Bloodhound Enterprise), the reason is returned by the provider. If the object was manually added by a user, the reason is "Manually added as Tier Zero" or "manually added as Privileged" by <user_principal_that_added_object>".
Adding Privileged Objects Manually
You can add Privileged objects manually for Entra ID objects that were not identified as Privileged by the Privileged provider but are considered critical assets in your organization.
-
Use one of the following options:
-
For each Privileged object you want to add:
-
Enter the object's Principal Name, or type at least two characters then select the object from the drop-down. (Note that a message will display if the object is already Privileged.)
The object will be added to the Principal Name list.
-
In the Principal Name list, select object(s) you want to add.
-
Click Save.
