Documentation is updated to support Bsure version 2. Select version 1 in the menu if you are still running that version.

Entra ID Roles

Purpose

The Entra ID Roles report gives you a complete overview of privileged role assignments in your Microsoft Entra ID environment.

It is designed to answer simple but important questions:

  • Who has administrative access?

  • How many privileged roles are assigned?

  • Are roles assigned permanently or eligible?

  • Where in the organization are elevated permissions concentrated?

By making role assignments visible and easy to analyze, the report supports stronger security governance, least privilege practices, and audit readiness.


What you can use it for

  • Improve security governance

  • Identify users with high-privilege roles

  • Detect excessive or unnecessary role assignments

  • Review eligible vs permanent assignments

  • Strengthen least privilege strategy

  • Prepare for audits

  • Document who has administrative access

  • Validate access reviews

  • Support security investigations

  • Quickly identify privileged accounts


How to use the report

1. Review the summary at the top

The top section shows:

  • Total number of entities with roles assigned

You can filter by:

  • Object type (User / Service Principal)

  • Assignment type (Eligible / Permanent)

  • Membership (Direct / Group)

  • User state (Active / Inactive)

  • Account status (Enabled / Disabled)

  • Sign-in status

  • MFA registration status

  • License status

  • Search by principal display name

Use these filters to narrow down high-risk or relevant groups.


2. Start with the Focus Table

The Focus Table shows:

  • All active Entra ID role assignments

  • Number of entities per role

This helps you quickly understand:

  • Which roles are most widely assigned

  • Where privileged access is concentrated

  • Whether sensitive roles (e.g., Global Admin, Application Admin) are broadly distributed


3. Break down by department or other properties

Use the Breakdown filter to group data by:

  • Department

  • Company

  • Country

  • Office

  • Manager

  • Other organizational attributes

This helps you:

  • See which departments hold administrative access

  • Identify unusual distribution patterns

  • Assign ownership for access reviews


4. Review individual role assignments

The Entity Details table shows:

  • Principal display name

  • Role name

  • Assignment type (Eligible or Permanent)

  • Membership (Direct or Group-based)

  • Group name (if applicable)

  • State

  • Start date

  • End date (if time-limited)

  • Object type (User or Service Principal)

Use this table to:

  • Identify permanently assigned admin roles

  • Review time-bound role assignments

  • Detect inactive users with privileged access

  • Validate whether group-based assignments are appropriate


Understanding assignment types

Permanent assignment

The role is always active and available.

Eligible assignment

The role must be activated (typically through PIM). This supports least privilege and is generally preferred for high-privilege roles.

Direct membership

The role is assigned directly to the user.

Group membership

The user inherits the role through group membership. Review these carefully to ensure that membership of the group itself is strictly controlled, since anyone who can add members to the group can grant the role.


A simple governance approach:

1. Filter for Permanent assignments

2. Focus on high-privilege roles

3. Check for inactive or disabled accounts

4. Break down by department

5. Validate business need with role owners

6. Convert permanent assignments to eligible where possible

7. Remove unnecessary assignments

8. Repeat the review monthly, quarterly or before audits
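The first three steps of this approach can be applied programmatically to an export of the Entity Details table. The following is an added example, not Bsure's own code: it runs the checks over a small constructed set of rows that mirror the table's columns, and the set of roles treated as high-privilege (beyond the Global and Application Administrator roles named above) is an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One row of the Entity Details table (field names are this example's own).
@dataclass
class RoleAssignment:
    principal: str
    role: str
    assignment_type: str        # "Permanent" or "Eligible"
    membership: str             # "Direct" or "Group"
    group_name: Optional[str]   # set when membership == "Group"
    state: str                  # user state: "Active" or "Inactive"
    account_enabled: bool       # account status
    object_type: str            # "User" or "Service Principal"
    end_date: Optional[date]    # None means the assignment never expires

# Roles singled out in this report as sensitive; extend to suit your tenant.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Application Administrator"}

# Constructed sample data, not taken from any real tenant.
SAMPLE = [
    RoleAssignment("alice", "Global Administrator", "Permanent", "Direct", None, "Active", True, "User", None),
    RoleAssignment("bob", "Global Administrator", "Eligible", "Direct", None, "Active", True, "User", date(2025, 12, 31)),
    RoleAssignment("carol", "Application Administrator", "Permanent", "Group", "App-Admins", "Inactive", True, "User", None),
    RoleAssignment("dave", "User Administrator", "Permanent", "Direct", None, "Active", False, "User", None),
    RoleAssignment("svc-build", "Application Administrator", "Permanent", "Direct", None, "Active", True, "Service Principal", None),
]

def review_findings(rows):
    """Governance checks: permanent high-privilege roles, roles held by inactive
    or disabled accounts, and group-inherited roles that need a group-control check."""
    findings = []
    for r in rows:
        if r.assignment_type == "Permanent" and r.role in HIGH_PRIVILEGE_ROLES:
            findings.append((r.principal, r.role, "permanent high-privilege role; convert to eligible"))
        if r.state == "Inactive" or not r.account_enabled:
            findings.append((r.principal, r.role, "inactive or disabled account holds a role; remove"))
        if r.membership == "Group":
            findings.append((r.principal, r.role, f"inherited via group {r.group_name}; verify group control"))
    return findings

def entities_per_role(rows):
    """The Focus Table view: how many entities hold each role."""
    counts = {}
    for r in rows:
        counts[r.role] = counts.get(r.role, 0) + 1
    return counts
```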


Best practices

  • Limit the number of Global and Application Administrators

  • Prefer Eligible over Permanent assignments

  • Avoid assigning roles to inactive users

  • Review group-based role assignments regularly

  • Document changes and approvals

  • Use MFA and Conditional Access for privileged users
