You can export the complete, unfiltered Privileged objects list to a .csv file, which can be shared with stakeholders and used for security assessment engagements.
To export the Privileged objects list:
From the Privileged Objects page, click Export to CSV.
The file is exported to your Downloads folder with the file name export_{timestamp}_{a GUID}.csv and includes the following information:
Display Name
Principal Name
Tenant
Object Type
Date Added
Added By
Certification Status
The Workload Identities page in Quest On Demand provides visibility into service principals and their associated security posture within your Entra ID environment. This feature helps administrators identify risky permissions, assess sign-in status, and monitor compliance with security standards.
Best Practices
Regularly review identities with Critical or High risk.
Ensure all identities have at least one owner.
Rotate secrets and remove expired credentials promptly.
Limit privileged access to essential identities only.
To access Workload Identities:
From the On Demand left navigation menu, choose Security | Workload Identities. The following information displays all service principals with key security attributes:
| Column | Description |
| Service Principal Name | The name of the service principal registered in Entra ID. |
| Application Tenant | The tenant ID or tenant name of the application for the workload identity and whether the application is local or external. |
| Category | Compliance category (such as FISMA, GDPR, HIPAA). |
| Owners | Number of assigned owners for the identity. |
| Risky Permissions | Count of permissions flagged as risky. |
| Sign-In Status | Displays if the identity has successfully signed-in in the last 30 days. |
| Secret Status | Indicates the state of credentials (for example, None, Current, Expired). |
| Assessed Risk | Risk level based on configuration and permissions (Critical, High, Medium, Low). |
| Last Reloaded | The last time the information was retrieved and from Entra ID and assessed. |
| Tenant | Tenant where the Service Principal resides. |
| Account Status | Indicator whether the workload identity is enabled or disabled. |
| Service Principal Type | Indicator showing the type of workload Identity (Application, Managed Identity, AI Agent). |
From this page you can:
The Workload Identity Details panel provides in-depth information about a selected service principal, including its properties, risk classification, ownership, and permissions. This helps administrators assess potential security risks and take corrective actions. It also provides an AI generated risk analysis assessment.
Best Practices
Review Critical or High risk identities immediately.
Determine if inactive identities should be disabled or removed.
Investigate permissions that are high risk or flagged for review.
Ensure ownership is assigned to avoid orphaned identities.
Rotate secrets regularly and remove expired credentials.
To review workload identity details:
Navigate to Security | Workload Identities.
Click on a service principal in the list to view the following information:
Key identifiers and metadata including Object ID, Category, Application Name, Application ID, Application Tenant ID, AI Agent Source, Azure Resource ID, and Malicious Indicator.
Risk Analysis: The risk analysis evaluates configuration and behavior to determine if the identity poses a security risk.
Sign-ins: Shows sign-in activity.
Owners: Lists assigned owners.
Certificates and Secrets: Displays credential status.
Permissions: Lists granted permissions.
Categories help administrators classify service principals in Entra ID based on compliance, security tiers, or functional roles. This classification improves filtering, reporting, and risk management.
Best Practices
Assign categories consistently across similar identities.
Use Tier levels to indicate privilege and risk.
Regularly review categories for accuracy.
To access category setting:
Navigate to Security | Workload Identities.
Select one or more service principals from the list.
Click Set Category in the toolbar.
From the Set Category window, assign up to five labels from a predefined list.
Click Save to apply the changes.
Available Categories
| Category | Description |
| Agentic AI | AI-related workloads or agents. |
| FISMA | Federal Information Security Management Act compliance. |
| GDPR | General Data Protection Regulation compliance. |
| GLBA | Gramm-Leach-Bliley Act compliance. |
| HIPAA | Health Insurance Portability and Accountability Act compliance. |
| PCI | Payment Card Industry standards. |
| SAS | Statistical Analysis System or similar workloads. |
| Security Scanning | Identities used for vulnerability or compliance scanning. |
| SOX | Sarbanes-Oxley Act compliance. |
| Tier 0–Tier 4 | Security tiers indicating privilege level and criticality. |
