Entra Permission Hygiene
- Guidance stresses precise Microsoft Entra ID permission management because role and permission changes are extremely high-signal events.
- Recommended standardized fields include identity_type, role_name, role_scope, privilege_tier, actor, target, and tenant_id.
- Build detections for first-time role assignments, high-risk grants, and privilege use-after-change, and surface elapsed time to first use (au2mator.com).
Microsoft Entra permission changes deserve their own detections because a new role or API grant can turn an ordinary account into a privileged one in minutes. (learn.microsoft.com)

Microsoft Entra is Microsoft’s identity system for users, groups, apps, and service principals, and its audit logs record changes to those objects across a tenant. The logs show the actor, target resource, timestamps, and old-versus-new values for changed properties. (learn.microsoft.com)

Microsoft says Entra role design should follow least privilege across three dimensions: the permission set, the scope, and the time period. The company also recommends Privileged Identity Management, which makes admins eligible for a role and removes access automatically when the activation window ends. (learn.microsoft.com)

That makes permission hygiene a logging problem as much as an access problem. If a team cannot consistently capture fields like identity type, role name, scope, actor, target, and tenant, it will struggle to tell a routine change from a privilege escalation path. (au2mator.com)

Microsoft’s own audit tooling is built around that kind of detail. Entra audit logs can answer who changed a user, group, application, or service principal, and the activity catalog is broad enough that Microsoft warns categories and activities change periodically. (learn.microsoft.com)

The practical detections are straightforward: first-time role assignments, high-risk grants, and any privileged action that happens soon after a role or permission change. For application permissions, Microsoft documents audit views that show when API permissions are granted or removed, including for sensitive resource apps such as Microsoft Graph. (learn.microsoft.com)

Scope is the part administrators often skip. Microsoft’s role guidance says organizations can restrict access with smaller scopes or custom roles instead of broad tenant-wide assignments, reducing the blast radius if an account is misused. (learn.microsoft.com)

The same logic applies to standing admin rights. Microsoft’s best-practices page says to avoid broader roles at broader scopes for convenience, because a compromised security principal inherits everything attached to that assignment. (learn.microsoft.com)

The operational signal comes from timing. A role granted at 10:03 a.m. and used at 10:05 a.m. is a different event from a role granted for a planned maintenance window and never activated, which is why elapsed time to first use belongs in the alert. (au2mator.com)

For defenders, the takeaway is narrow and concrete: treat Entra role changes, app permission grants, and their first downstream use as one chain of evidence, not three separate logs. (learn.microsoft.com)
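The following is an added example, not code from the article or from Microsoft, showing how the standardized fields listed above (identity_type, role_name, role_scope, privilege_tier, actor, target, tenant_id) and the three detections (first-time role assignment, high-risk grant, privilege use-after-change with elapsed time to first use) fit together in one pass over a time-ordered event stream. The raw record shape, the role-to-tier policy table and the 30-minute window are constructed assumptions for the example; they are not the Microsoft Graph audit-log schema.

```python
"""Added example: Entra-style permission-change detections over constructed events."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tiering policy (0 = most privileged). Unknown roles default to tier 2.
PRIVILEGE_TIER = {
    "Global Administrator": 0,
    "Privileged Role Administrator": 0,
    "User Administrator": 1,
    "Groups Administrator": 1,
}
# Assumed window: a privileged action this soon after a role change is alert-worthy.
USE_AFTER_CHANGE_WINDOW = timedelta(minutes=30)

# Constructed, simplified raw records (not real Entra audit-log output).
# "role_assign" = a role granted to a target; "priv_action" = a privileged action by an actor.
RAW_EVENTS = [
    {"ts": "2024-05-01T10:03:00Z", "kind": "role_assign", "tenant": "tenant-a",
     "actor": "admin@example.test", "target": "alice@example.test", "target_type": "user",
     "role": "User Administrator", "scope": "/"},
    {"ts": "2024-05-01T10:05:00Z", "kind": "priv_action", "tenant": "tenant-a",
     "actor": "alice@example.test", "action": "Reset user password"},
    {"ts": "2024-05-01T11:00:00Z", "kind": "role_assign", "tenant": "tenant-a",
     "actor": "admin@example.test", "target": "svc-backup", "target_type": "service_principal",
     "role": "Global Administrator", "scope": "/"},
    {"ts": "2024-05-02T09:00:00Z", "kind": "role_assign", "tenant": "tenant-a",
     "actor": "admin@example.test", "target": "alice@example.test", "target_type": "user",
     "role": "User Administrator", "scope": "/administrativeUnits/au-1"},
]


@dataclass
class RoleChange:
    """The standardized fields the article recommends, plus the event time."""
    tenant_id: str
    ts: datetime
    actor: str
    target: str
    identity_type: str
    role_name: str
    role_scope: str
    privilege_tier: int


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' (works on Python < 3.11 too)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(raw: dict) -> RoleChange:
    """Map a constructed raw role-assignment record onto the standardized fields."""
    return RoleChange(
        tenant_id=raw["tenant"],
        ts=parse_ts(raw["ts"]),
        actor=raw["actor"],
        target=raw["target"],
        identity_type=raw["target_type"],
        role_name=raw["role"],
        role_scope=raw["scope"],
        privilege_tier=PRIVILEGE_TIER.get(raw["role"], 2),
    )


def is_high_risk(change: RoleChange) -> bool:
    """Tier-0 roles anywhere, or tier-1 roles on a service principal, count as high risk."""
    return change.privilege_tier == 0 or (
        change.identity_type == "service_principal" and change.privilege_tier <= 1
    )


def detect(raw_events: list, baseline: set = frozenset()) -> list:
    """Run the three detections in time order and return a list of alert dicts.

    baseline: (tenant_id, target, role_name) tuples already known from history,
    so that the first-time check is not fooled by the start of the stream.
    """
    alerts = []
    seen = set(baseline)
    latest_change = {}  # (tenant_id, identity) -> most recent RoleChange for that identity
    for raw in sorted(raw_events, key=lambda e: e["ts"]):
        if raw["kind"] == "role_assign":
            change = normalize(raw)
            key = (change.tenant_id, change.target, change.role_name)
            if key not in seen:  # detection 1: first-time role assignment
                seen.add(key)
                alerts.append({"rule": "first_time_role_assignment", "ts": change.ts,
                               "actor": change.actor, "target": change.target,
                               "role_name": change.role_name, "role_scope": change.role_scope,
                               "privilege_tier": change.privilege_tier})
            if is_high_risk(change):  # detection 2: high-risk grant
                alerts.append({"rule": "high_risk_grant", "ts": change.ts,
                               "actor": change.actor, "target": change.target,
                               "identity_type": change.identity_type,
                               "role_name": change.role_name, "role_scope": change.role_scope})
            latest_change[(change.tenant_id, change.target)] = change
        elif raw["kind"] == "priv_action":
            ts = parse_ts(raw["ts"])
            change = latest_change.get((raw["tenant"], raw["actor"]))
            if change is not None and timedelta(0) <= ts - change.ts <= USE_AFTER_CHANGE_WINDOW:
                # detection 3: privilege use soon after a change, with elapsed time surfaced
                alerts.append({"rule": "privilege_use_after_change", "ts": ts,
                               "actor": raw["actor"], "action": raw["action"],
                               "role_name": change.role_name,
                               "elapsed_seconds": (ts - change.ts).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect(RAW_EVENTS):
        print(alert)
```

On the constructed stream this yields four alerts: a first-time grant of User Administrator to alice, alice's password reset 120 seconds after that grant, and a first-time plus high-risk grant of Global Administrator to a service principal; the later re-assignment of an already-seen role at a narrower administrative-unit scope raises nothing. In a real pipeline the baseline set would be loaded from historical assignments and the raw records would come from the tenant's audit log export.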