Entra ID Roles

This page displays active assignments of Entra ID roles assigned to users, groups or service principals.

Entra ID roles give a user, group or service principal permissions to manage Microsoft Entra.

Filter alternatives

  • Created date: Use the slicer to select the period in which the user/group was created

  • Last sign-in: Use the slicer to determine the last sign-in period of the user

  • User state: Choose if you want to filter on active or inactive users

  • User type: Helps you filter on members and guests in the tenant

  • MFA registration complete: Filter on whether the MFA registration process has been completed or not

  • Entity type: Filter on whether the entity is a user, group or service principal

  • User principal name: Free search for user principal names

Focus table - Entra ID role assignments

  • The table provides an overview of all roles with administrative privileges, and the number of entities that hold each role.

  • Groups and service principals with Entra ID roles should be reviewed.

This is an interactive table: click one of the roles to see the details of who has that role in the entity details table below.

Breakdown table - additional filter available for different user properties

  • This table shows the distribution of roles for the user property chosen in the breakdown filter. If a line is blank, the entity is a service principal or a group.

  • Breakdown filter: Choose the property you want to filter by, using the breakdown filter on the right side. Extension attributes are also included, as companies often use them.

Entity details table

  • In this table you can drill down on the specific users that have administrative privileges and investigate whether they should be removed or not.

  • The column selector on the right-hand side lets you choose which information is the most interesting to see.

Be aware of users without MFA registered, or users who have not signed in for more than 90 days.

NB: Bsure Insights will only display active assignments, not eligible assignments, because of the permissions needed to extract eligible roles via Microsoft Graph. The app must be given write access to roles in order to extract eligible roles. This is not something you should allow.
