What is an Azure Managed Application?

An Azure Managed application is installed from Azure Marketplace. They are easy to deploy and operate for customers. They are fully managed by the publisher. To learn more, visit Microsoft's documentation.

Bsure Insights Data Collector Managed Application

When you install Bsure Insights:

1. The Managed Application Resource.

2. The Resource Group where the app is installed (provided by you under installation).

3. The Subscription you have chosen to install it to.

4. The Managed Resource Group contains the managed application components.

Bsure is responsible for the resources inside the Managed Resource Group. These resources are shown in the picture below.

• Container Apps and Jobs, for Compute and webpage hosting​

• Container Apps Environment, configuration buckets for Container Apps/Jobs

• Key Vault, for secrets ()​

• Log Analytics Workspace, stores log output (no personal information is logged)

By having a complete view of all identities, devices and applications organizations can optimize Microsoft 365 license usage and strengthen overall user security.

Our solution provides a simple and intuitive way for organizations to manage and monitor their Microsoft Entra identities. This visibility enables them to optimize Microsoft 365 license usage and enhance security. Bsure Insights is quick to install and helps organizations stay in control of their identity management.

This table describes how data flows between the parties: Bsure, Customer and Microsoft.

*Usage Metrics : We monitor unique users accessing different pages and how fast they load. This data is aggregated and anonymized before sent to Bsure.

All collected data is stored securely and anonymized, retained only for as long as necessary to fulfil the stated purposes, and is not disclosed to third parties except where required by law, pursuant to a valid legal basis, or with explicit user consent.

The User Guides explain how to work with the dashboards and reports in Bsure Insights.

These reports give you visibility into key areas of your Microsoft 365 environment, helping you monitor usage, identify risks, and support decision-making. Version 2 includes both dashboards and web-native reports, giving you flexibility in how you access and explore your data.

Each guide walks through the available insights and shows how they can be applied in practice. Whether you are looking for a high-level overview or detailed information about a specific area, the User Guides provide the context you need.

If you need clarification on terminology, see the glossary.

Note that the applications showing in this report consume applications, data and other resources your end-users will have to authenticate by using their Entra ID credentials

This is our main dashboard, which gives you a status of how tidy your Microsoft Entra ID is. We believe that Identity lifecycle management and good processes is the key to a tidy Microsoft Entra ID, and with Bsure you get the insight you need to make better decisions.

Users

In order to have a tidy Entra ID you need to know who your users are, and whether they are active or not.

• Disabled and Inactive users: This graph shows the percentage of users with access to the Entra ID who are not active. This overview includes both members and guests

• Members: Users owned and controlled by your Entra ID, or your internal users

• Guests: An Entra ID Guest user account is an account that is invited to your Entra ID from another identity catalogue. It can be assigned access and permissions to almost anything in you Entra ID tenant.

• Users: All members and guests

• Active: All users (members and guests) active in the Entra ID

• Inactive: All users (members and guests) that have not signed into the Entra ID the last 90 days

• Disabled: Disabled user accounts

Microsoft Licenses

In this dashboard we give you a flash of your total Microsoft license cost, as well as your potential monthly cost savings based on the analysis made

Potential savings: This number represents the total monthly savings divided by total monthly Microsoft license costs

License cost: Your total monthly Microsoft license costs

Potential monthly cost savings: The sum of savings related to unassigned, inactive and disabled licenses

Unassigned: Licenses not assigned to any users that can potentially be removed at next renewal date

Inactive: Licenses assigned to users that are inactive, meaning they have not logged on to Entra ID last 90 days

Disabled: Licenses assigned to users that are disabled

Security

In the security section of the dashboard we focus on multi-factor-authentication (MFA) status on the users, as well users or groups with administrative privileges in your Entra ID

Missing MFA registration: Members in the Entra ID without registered MFA

Administrative privileges: Overview of Entra ID roles with administrative privileges

If you found some applications in the Application - Usage report that you want to follow more closely and perhaps distribute cost based on usage, please note the names of these applications. You can right click the name in the Focus filter section and select copy value.

At first run the page will be empty with no applications configured:

Click Add New Application or Browse Applications buttons to get a list of all the applications. Enter the name to search for the application you want to add. Click the app you want to add and click Next.

Fill in information you want, like the cost per user in the app and how many you bought and press the Add New Application button

Continue adding your applications the same way.

When done You can press the refresh Power BI button on the top left corner in the page to see your changes in the Application Cost report.

You can at a later stage edit or remove each entry by clicking the square with the three dots to the right:

Download full resolution image

Azure Portal installation

1. Go to Bsure Insights for Microsoft 365 and Entra ID ()

2. Select plan

Top filter menu

Users: Showing the total number of guest users according to your filtering selections.

Created Date & Last Sign-in Date: Set periods for when users where created/invited or their last sign-in date.

User State: - Active - guest users having signed in the last 90 days - Inactive - guest users that has not signed in the last 90 days

This drilldown report will show all devices in you Intune environment with status and who's using the different devices.

Slicer menu:

• Devices : shows number of devices based on your filtering

• Device Activity: When it was last synced with intune

The Windows OS report displays details for Windows devices in your Microsoft Entra ID environment. The report focuses on OS versions and their support status to help you identify devices running out-of-support Windows versions.

The report provides a summary of Windows OS versions, including end-of-life (EOL) status, and detailed device information.

Focus Table - Windows Versions

Main focus in this report is End of Life for Windows versions.

Use the slicer menu for manual filter selections, or try the predefined

Gauges at the top displays current status of Country, Company, Department, Office, City, Manager, Job title, Mobile phone, Employee type and Employee ID.

The graph to the left shows percentages of missing data of the property selected in the graph selector over time.

The graph to the right shows how many users missing data of the property selected in the graph selector over time.

Use filter section to the right to refine users you want to monitor. These filters will affect both the current gauges in the top and the graphs in the lower section of the page.

By default Bsure Insights will only gather all groups with names. To find the members of a specific group and possibly assign a cost to perform cost allocation, please follow this guide:

The page will be empty by default, so to add a group, please click Add Groups

You will then be able to search for the groups you want to see members of and click the group you want and click next

Add cost for being member in the group and a description:

Click Add New Group button.

When added all groups you want to monitor, you can choose to tell Bsure Insights to refresh all data in the solution and then refresh Power BI afterwards by clicking the Run Collector button in the top right corner.

You can follow progress by clicking the bell next to your name in the top right corner. It may take a while.

Bsure Insights will fetch all users in your Entra ID and you can add any of the member accounts as users in the application. Click Add Users button and select what role you want to assign to the users:

• System Administrator gives access to everything in the application

• Role Member gives access to all Power BI reports but not any configuration.

Tick off all the users you want to assign that role and press Next

If someone deleted or made changes to the Power BI workspace used by Bsure Insights, you have the option to create a new workspace, add all reports to it and set permissions and scheduled updates by clicking Recreate Workspace.

It will delete the old workspace if it still exists.

For assistance, please visit . Here, you have the option to schedule a meeting or send us an email.

Latest version:

This version will be automatically updated for everyone during week 44

October 29. 2025:

New features: Added Sponsors to guest accounts in Users - Guests, Member and Drilldown reports Improvements: Filter templates cleanup

Previous versions:

October 26. 2025:

New features:

Two new reports:

• Application Overview report shows usage of all applications, including the unused ones.

• Devices - Intune Drilldown: Report of all devices in Intune with serial number and users signed in to the devices

Improvements:

• Data collector improved - groups, intune devices and user purpose

• Improved stability in customer application (web app)

• Improved logging

Often when a third party app offers single sign-on or other interactions with your Entra ID they offer a solution to create a service principal. To get the integration running you will provide the system or vendor with your tenant id, application id and a corresponding secret. The application then need access to Entra ID for the integration to work as expected and the application is given permissions in your environment.

Sign-in from this application is not governed by identity protection, such as conditional access policies, meaning that the application id + secret would work from everywhere at any time.

The Service Principal report show the different service principals in your environment, permissions given and where they sign in from. Often third party vendors ask for too much permissions and you should review the report to make sure that permissions and sign-ins are as expected.

We've classified permissions in critical, high, medium and low but a read role that is classified as low could be potentially business critical if exposed. Eg. if a service principal has been given mail.read permissions and the secret is compromised someone out there could read all your company e-mails.

Based on experience and customer feedback we've created a playbook on how to secure and reduce license spend your Microsoft cloud environment.

Even if cost savings is important, we've created a balanced recommended action list, where you quickly will reduce security risk and then at the same time release licenses to reduce cost.

The License Cost Dashboard provides a basic overview of your total license expenses and potential monthly cost savings. In the graph on the bottom right you can see historical license utilization, and see if this has improved over time.

Dashboard Layout

Total Monthly License Costs

• This section gives a flash of the overall license cost for the company, split by company specific licenses, and user licenses.

  • Company specific licenses are general licenses, i.e related to storage or sandbox environments.

  • User licenses are licenses assigned to specific users

• Interactive table: If you click this table it will take you to license overview, which gives you a detailed breakdown of all the licenses you have, quantity and cost

Distribution of costs

• This chart provides a distribution of your license cost today, and the darker colors are active licenses (user licenses or company licenses), while the brighter colors means you have potential savings that needs to be looked further into

Potential monthly cost savings

• This table provides an overview of your potential savings, distributed by three different types

  • Unassigned licenses: Refers to licenses on stock that are available to be allocated to new users. If they remain unassigned when renewal date arrives, these licenses should not be renewed, resulting in cost savings. The reneweal date will depend on what kind of agreement you have, and if you are on a CSP agreement you will see the savings faster than if you are on a EA license agreement

  • Inactive: Refers to value of licenses assigned to users that are inactive, meaning they have not logged into their account the last 90 days. These users should be investigated, and if the licenses are unnecessary they should be removed.

Historical cost

• This graph provides an overview of historical license utilization, where your goal should be to make the bottom two colors (pink and yellow for inactive and disabled users) to be as small as possible. All unassigned licenses will be shown with a light yelloe color as a top bar in the graph

• Target: Prepare your company for the upcoming license renewal date by cleaning up licenses allocated to inactive and disabled users, so when renewal date comes all unassigned licenses can be removed and your company can reduce their monthly spend

Types of license agreements:

• CSP License Agreement:

  • Immediate Action: Licenses can be removed instantly, offering immediate cost-saving benefits.

• EA License Agreement:

In the application cost report we want you to add a cost and quantity purchased of each application, giving you the chance to leverage cost control for all your SaaS apps with single-sign-on (SSO) through Entra ID. We recommend you to run Bsure for at least 30 days to have enough data to consider whether you have a potential saving on an application.

User sign-ins will start from the day you install Bsure Insights or from the time Bsure patch your instance and keep information for the period you entered when installing Bsure Insights Azure Marketplace app. Contact [email protected] to change this setting if needed.

Filter alternatives

• User Purpose: Filter on the type of Exchange Online mailbox connected to the user.

  • User - A user account with a mailbox.

  • Guest - The user purpose for guest users is set to Guest.

  • Shared - A shared mailbox user.

• Last used period: Helps you filter on the time period you want to look into for application usage

• Sign-in Type: Select to view Interactive or Non-interactive sign-ins - or both.

• Microsoft app: Gives you the opportunity to filter between Microsoft apps and third party apps. Read more on

• Application filter: This filter includes all available apps, so you can choose a single app to filter on

• Resource filter: Filter on the resources consumed

• User principal name: Free search for user principal names

Focus table - Application cost

• In this table you will see all applications where you have configured cost and quantities purchased, and how many unique users have authenticated themselves towards since Bsure was installed. By entering cost and quantities purchased you can do cost control on all your SaaS applications with single-sign-on towards your Entra ID.

• We recommend Bsure to be installed for at least 30 days before making decisions on whether to remove licenses or not

• This table consists the different applications and the number of times they have been accessed

Breakdown table - additional filter available for different user properties

• This table shows the distribution of logins for the chosen user property in the breakdown filter

• Breakdown filter: Choose the preferred property you want to filter by, by using the breakdown filter on the right side. We have also included Extension attributes as this is often used by companies

User details table - Cost

• In this table you can drill down on the specific users and which applications they have been authenticated towards since Bsure was installed, and which cost that application has

• The column selector on the right hand side gives you the opportunity to choose which information is the most interesting to see.

Authentication methods is a report that gives insights into Multi Factor Authentication configurations per user.

You will see the default MFA method used by each individual and should consider to run MFA campaigns to ensure that all your end-users uses a secure way to authenticate to your solutions and data. You will also see all MFA methods configured and available per user.

This is a quite complex subject and You should make sure that you've followed Microsoft best practice guidance

Worst case scenario is if someone guess the correct password to a member account haven't registered MFA and have not self service password registered. Most likely someone will configure MFA according to policy and start consuming your solutions and data.

You will find these users by selecting MFA registration complete = FALSE and SSPR Registered = FALSE

Description of the Users - Sign-in Locations report:

1. Users

   • Showing the number of users that has signed in according to your filtering selections.

2. Sign-in Period

   • Select period to show sign-ins for a specific interval.

3. User Type

   • Select to show Member or Guest sign-ins - or both.

4. Geo-filters for Region, Country, State and City

   • Filter on specific world regions, countries, states and cities.

5. Focus Table

   • Showing the sign-in country

6. Sign-in Locations Map

   • Map of daily sign-in locations according to your filtering selections.

7. Breakdown Table and Filter

   • Use the Breakdown Filter to choose the user property you would like to se in the Breakdown Table

8. User Details Table with Column Selector

   • User details for the sign-ins, according to your filtering selections.

9. User Principal Name Search

   • Free text search for a user name. Report will update accordingly.

Security​

To ensure confidentiality and privacy, our application has these features:

• All data is encrypted at rest and in transit​.

• Container App uses Entra Id and access token validation to enable SSO,

• Outbound data contains no personal data, only data used for billing or handcraftet operational signals to ensure no personal data in error messages.

• Billing information only contains the number of billable user accounts found in Entra Id and Managed Application identifier.

• The Managed Application uses to access MS Graph with read only​.

• Azure Keyvault for secrets (Bsure personnel cannot access these secrets)​.

• SQL only supports identities from the customer tenant, Entra Id only login.

Example Bsure personnel accessing the Key Vault:

The Keyvault resides in the Managed Resource Group, but Bsure have no access to access the secrets.

Bsure have the Contributor RBAC role, which is not sufficient to read secrets, or elevate permission.

References:

Azure built-in RBAC roles:

Azure built-in roles for Key Vault data plane operations:

The Windows Management report displays details for Windows devices in your Microsoft Entra ID environment. The report focuses on management status to help you identify unmanaged devices.

The report provides a summary of Windows device management states and detailed device information.

Focus Table - Windows Management State

View Windows device management states.

Use the Focus Table to get a quick view on the different Windows management states of your devices:

• Unmanaged disabled devices

• Managed disabled devices

• Unmanaged enabled devices

• Managed enabled devices

Or try the predefined Filter Templates to look for more specific use cases.

Looking for devices that maybe should have been managed? Try the Show Active Entra ID Registered Devices with Owners.

The Windows Inactive Devices report displays details for Windows devices in your Microsoft Entra ID environment that have had no activity in the last 90 days. Use this report to identify and remove stale devices to reduce security risks and optimize your device management.

The report provides a summary of inactive Windows devices, categorized by removal priority, and detailed device information to assist with cleanup.

Focus Table

This section categorizes inactive devices by removal priority.

Inactivity State

• Disabled, Not Used and Ownerless Devices Devices that are disabled, inactive, and not assigned to a user.

• Enabled, Not Used and Ownerless Devices Devices that are enabled, inactive, and not assigned to a user.

• Disabled, Inactive and Ownerless Devices Devices that are disabled, inactive for 90 days, and not assigned to a user.

• Enabled, Inactive and Ownerless Devices

Breakdown Table & Filter

Group inactive devices by selected user properties, to see where the devices with a registered owner belongs in your organization.

Remove Stale Devices

Use the Windows Inactive Devices report to identify devices for removal. Follow Microsoft’s best practices for in Microsoft Entra ID:

1. Review Removal Priority: Use the Focus Table to identify high-priority devices, such as "Disabled, Not Used and Ownerless Devices" or "Enabled, Not Used and Ownerless Devices."

2. Check Device Details: Review the Device Details Table to confirm device status, ownership, and compliance. Use the Column Selector to add properties for more context.

3. Export Data: Export the Device Details Table to Excel to create a worklist for your IT team.

4. Follow Best Practices

Top filter menu

Users: Showing the total number of users according to your filtering selections.

User Purpose: Filter on the type of Exchange Online mailbox connected to the user.

User - A user account with a mailbox. Guest - The user purpose for guest users is set to Guest. Shared - A shared mailbox user. Room - A user with a mailbox that represents a conference room. Equipment - A user with a mailbox that represents a piece of equipment. Others - A mailbox was found but the user purpose is not specified. Unknown - User has no Exchange Online mailbox, or we were not able to read it.

Created Date & Last Sign-in Date: Set periods for when users where created or their last sign-in date.

User State: - Active - users having signed in the last 90 days - Inactive - users that has not signed in the last 90 days

Sign-in Status: Filter for users that have Never signed in and users that have Signed in.

Account: Filter for showing Disabled or Enabled users - or both.

User Source: Filter for showing if the users are Cloud native (created in your Entra ID) or if they are On-premises synced from your on-premises Active Directory.

User Principal Name: Free text search for a user name. Report will update accordingly.

Focus and Breakdown section

Focus Table: The focus table shows the distribution of Active, Inactive and Disabled member and guest accounts in your tenant.

Breakdown Table and Filter: Use the Breakdown filter to see the distribution of member and guest users based on selected user properties.

User details table with column selector

The user details table lists all member and guest users in scope of your filtering selection. The table has a default set of columns. You can change these to your preferences using the column selector.

Microsoft has a great guide on how to bulk delete users using Entra admin center

This process of deleting users in bulk is quick (5 minutes), easy and safe to use.

When you export a list of users from User Details Table to excel format, verify the list once more and copy the User Principal Name column (except from column header and bottom row) into column A from line 4 in the CSV template referred to in the Microsoft documentation.

Follow the instructions in the documentation.

Tip to verify deleted users:

• Sign in to the Microsoft Entra admin center as at least a User Administrator.

• Select Microsoft Entra ID.

• Click Users and then Deleted users

It may take a few minutes for the Microsoft Entra ID admin center to show the recently deleted users

The Drilldown report displays details for devices in your Microsoft Entra ID environment. The report allows you to choose your area of focus for a customizable analysis of device properties.

The report provides a flexible summary of devices based on a selected focus area, with detailed device information.

Focus Table and Focus Filter

Select your own focus area using the Focus Filter. Select from all available device properties.

Filter Templates

Use the Filter Templates as inspiration on what to look for.

In this report we combine the information from the previous reports and give you the chance to drill down on all user- and license specific data

Filter alternatives

• User Purpose: Filter on the type of Exchange Online mailbox connected to the user.

  • User - A user account with a mailbox.

In the Application Usage report we give you insight in which applications users in your Entra ID is consuming. The report is based on the sign-in logs from Entra ID, and we start collecting this from the day Bsure is installed, meaning that you will get more insights the longer Bsure Insights have been running.

Filter alternatives

• User Purpose: Filter on the type of Exchange Online mailbox connected to the user.

  • User - A user account with a mailbox.

This report provides you with a detailed breakdown of licenses allocated to inactive and disabled users, which should be considered removed to reduce license spend.You can drill down on the different license types as well as the individual users and which licenses they have assigned. All tables in this report are interactive and if you filter/click on one object the other tables will respond to this.

How Bsure Insights differentiates:

At Bsure, privacy is not an afterthought—it is the foundation of everything we build. From the very beginning, our solutions have been developed according to the principles of privacy by design and by default, ensuring that protection of personal data is embedded into our architecture, systems, and processes.

Key Difference: Unlike traditional SaaS applications—where customer data is typically transferred to vendor-hosted environments under broad data processing agreements—Bsure ensures that no customer user data is ever exposed to us or to any third parties.

Entra ID roles gives a user, group or service principal permissions to manage Microsoft Entra.

Filter alternatives

• Entity type: Filter on whether entity is user, group og service principal

• Created date: Use the slicer to determine which period you want the user/group to be created

Migrate data from version 1

This wizard will transfer your previous configuration and history in version 1:

• Microsoft license prices - NB: Go to to set price per subscription after migration

In this report you can choose whether to use Microsoft's list prices, or your own prices in your own currency when viewing your data.

In addition you will see how many users we bill your company every day.

Billed users

This is the numbers of users used for billing of your subscription

You can specify which groups You want to include in the report, set a cost per member of each group and give the groups a friendly name.

Key benefits with report

Bsure Insights Azure Managed Application is billed through your existing subscription. You will find the cost for Bsure Insights under Service Family "Azure Marketplace Services" on your detailed Microsoft invoice.

You can also monitor the cost in

This report is designed to give you a comprehensive understanding of your Microsoft cloud subscriptions. It details the types and quantities of subscriptions you have purchased and their respective expiration dates, helping you plan ahead effectively. If you have unassigned licenses on subscriptions set to expire, don't renew them and save costs

Tip: Set your focus period to your choice in the filter, and subscribe to this report at your preferred frequency. That way you will get a reminder of upcoming renewal dates and potential savings/focus areas in the near-term.

Filters/Selection choices

Filters

Users: Showing number of users. Will change according to your filtering selections

Created Date: Filter on users create date

Last Sign-in: Filter on users last sign-in date

User State:

All subscriptions in your tenant will be listed in this view. You can search for licenses and sort each column the way you prefer.

To add your price on a specific subscription, click the square with the three dots to the right and press Edit subscription. Make a note on the Renewal date and Total (amount of licenses) to find the price on that specific subscription:

Enter a note on terms (monthly, yearly) and perhaps source (csp partner, credit card etc) and set the correct value in you currency and click Save

The cost allocation report gives you the opportunity to allocate licenses All tables in this report is interactive and if you filter/click on one object the other tables will respond to this

Filter alternatives

• Allocation period shows the period of which you have chosen for allocation

• Selection period gives you the opportunity to select a certain period of which you want to allocate the cost from

Bsure Insights Data Collector

• is installed from Microsoft Azure Marketplace costs 0.5 USD/month per user with a license assigned in Entra ID.

This report will show you how many users that have signed into the specific application, and also if the application have been signed into by a service principal or a managed identity.

The report will help you find applications in use and also the applications not in use.

Slicer menu:

• Applications: number of applications based on you filter choices

• Microsoft App: Gives you the opportunity to filter between Microsoft apps and third party apps. Read more on

• App Used: If neither used by end-users nor service principal/Managed identity = No, else Yes

• User Sign-In: If used by End-users or not

• App Sign-in: If used by Service Principal or Managed Identity or not

• Latest User Sign-In: To filter on a specific period when end-users signed into the applications

• Latest Application Sign-in: To filter on a specific period when Service Principal or Managed Identity signed into the applications

Use report to find application usage and track Service Principals.

Bsure Insights is deployed as an Azure Managed Application, which automatically provisions all required components in your own Azure environment:

• Azure Container Apps: run the data collection services that connect to Microsoft Entra ID via Microsoft Graph, and also host the web application.

• SQL Server and database: securely store and process the collected data inside your Azure subscription.

• Power BI workspace: automatically deployed with pre-built reports and dashboards, embedded directly into the solution for immediate use.

Quick self-service installation

Installing Bsure Insights is simple and takes less than 30 minutes, provided all are met. The deployment is fully automated through the Azure Marketplace, with all components provisioned in your environment.

To begin, follow the , which walks you step by step through the process.

This section offers a detailed view of all licenses, including the quantity purchased, type, and categorization into user-specific and company-specific licenses. You will also see potential savings broken down on license type, and see if you are compliant (under licensed) within certain license types

Dashboard Layout

1. Table - Monthly User License Cost

• Shows all user licenses, their price, total cost and how many that have been assigned to people in the organization.

• Tip: A discrepancy between total licenses bought and allocated indicates surplus licenses, which can be assigned to new employees or considered for removal at the next Microsoft license agreement renewal.

1. Table - Monthly User License Overuse Value

• Highlights non-compliance by showing where more licenses are allocated than purchased.

• Action Required: To achieve compliance, either purchase additional licenses as indicated or reallocate licenses from inactive or disabled users.

• Compliance Indicator: A blank table signifies full compliance.

1. Table - Monthly Company License Cost

• Provides an overview of company-specific licenses that are not allocated to any users.

1. Table - Monthly Potential Cost Savings

• Details potential savings from unassigned licenses, inactive, and disabled users.

• Unassigned Licenses: Licenses purchased but not assigned. These can be allocated to new users or not renewed during upcoming license negotiations with Microsoft.

• Inactive Licenses: Licenses assigned to users inactive for over 90 days. Consider downgrading or removing these licenses.

1. Table – Monthly suspended licenses

• This table displays licenses you have terminated, yet they remain allocated to users. It’s important to know that licenses listed here are correct, as users connected to these licenses will lose functionality upon removal

When you run the permissions script during the installation process, you give the Microsoft Graph permissions below to a Managed Identity used by a Container App in the Managed Resource Group.

Permissions Bsure have in your environment:

To monitor jobs and provide updates and new features the solution provider Bsure will be given contributor and owner access during installation to the Managed Resource Group inside the managed application.

Users Overview Tiles

Users: Total number of users in your tenant.

• Members: Total number of member users

• Guests: Total number of guest users

Active: Users signed in the last 90 days

• Members: Member users signed in the last 90 days

• Guests: Guest users signed in the last 90 days

Disabled: Total number of disabled users in your tenant

• Members: Total number of disabled member users

• Guests: Total number of disabled guest users

Inactive: Users not signed in the last 90 days

• Members: Member users not signed in the last 90 days

• Guests: Guest users not signed in the last 90 days

User Data Quality

The User Data Quality section tracks missing member user properties over time for these commonly used user properties:

• Company

• Department

• Manager

• Job Title

When working with improving your data quality, you can get a quick overview of the effect in this dashboard.

The Devices per Person report displays details for devices in your Microsoft Entra ID environment. The report focuses on the number of devices per Registered Owner (user) to help you assess device distribution in your organization.

The report provides a summary of device counts per user and detailed device information.

User Device Distribution

The Focus Table shows the number of devices per user (where user is a registered owner of the device). Use the filter options in the Slicer Menu to look for different types of devices, activity and management states.

Use the Breakdown Table and Breakdown Filter to choose your view of the distribution in your organization based on the user properties available.

Try the predefined Filter Templates to get inspiration on what to look for.

Errors during installation

If you experience any issues during the third stage of the installation, you'll need to remove the managed application and initiate the process again. Instructions on how to find and delete your managed application are provided below. Please wait until deletion is completed before starting again. If the installation fails for a second time, please examine the deployment logs to identify the necessary corrective measures. If you need further , don't hesitate to reach out to us.

• The most frequent issue during installation occurs when the Azure Resource Manager is unable to deploy resources due to unspecified reasons, such as not being able to find the subscription while deploying certain Azure Resources.

Problem description:

Many software solutions is made to enhance or offer functionality/features on your data in Microsoft 365 cloud. Most organizations does not have a fully functional application governance process.

Entra ID allows organizations to provide single sign-on (SSO) to applications, services and systems, represented as Enterprise Apps and App Registrations.

Prime examples of such enterprise applications are Salesforce and Workday for end-user usage and Keepit (backup), Avepoint Fly (migration tool) or Sharegate teams management for operational purposes.

There are thousands of applications that offers functionality "needed" by your end-users available. End-users is allowed by default to consent to install any of these applications, and if one of your users are compromised they could install an application to copy, delete, manipulate all data in all resources that user have access to.

The Windows Dashboard displays metrics for Windows devices in your Microsoft Entra ID environment. Use this dashboard to monitor device health, identify security risks, and optimize device management.

The Windows Dashboard is divided into three main categories—Devices, Security, and Managed—each focusing on a critical aspect of your Windows device ecosystem. Each category includes high-level metrics and detailed breakdowns to help you understand the status of your devices at a glance.

Devices

This section shows the activity and ownership status of Windows devices.

Find Bsure Insights web app URL

1. When deployment is done select Go to resource.
2. Select the application
3. Select the Managed resource group.
4. Open the Container App called customer-app-<random string>.
5. Open the Application Url.
6. Wait until configuration page is loaded.

Grant permissions

In this part you will give Bsure Insights permissions to read data from your tenant through Microsoft Graph.

1. (Optional) Select Show Script to read the script.

2. Select Copy Script to add the script to your clipboard.

3. Select Launch Azure Cloud Shell

   • Opens in a new tab

Create Azure SQL database

1. Select Let's start.
2. Select Configure to set up the Azure SQL Database

   This might take a few minutes...
3. When done, select

Set Retention Settings

1. Configure Retention Settings and select Save.

   • USER STORAGE TIME: How long Bsure Insights will store information about users.

   • SIGN-IN DATA STORAGE TIME: How long Bsure Insights will store information from sign-in logs.

Create Power BI workspace

1. Create your Power BI Workspace

   • Select Launch Power BI to verify to check that you have access to Power BI. In Power BI, look at your profile (top right) and verify you have minimum a Power BI Pro license
   • Return to the Bsure app tab in your browser and select Create Power BI Workspace.

Data collection starts automatically

Data collection will start automatically. How long it will take depends on your organization's size. You can follow the status on the Bsure Insights system status landing page.

When both Power BI and Data Collector are in sync, you can start exploring our reports.

Next steps: Add users and set your subscription prices

After installation and data collection is complete, follow these guides to add users to Bsure, and set your own subscription prices:

• Follow our guide to add other users to Bsure.

• Follow our guide to add your own license prices.

The overlapping licenses report gives you an overview of users that have licenses with license types that have overlapping functionalities. You can drill down on the different license types as well as the individual users and which licenses they have assigned. All tables in this report is interactive and if you filter/click on one object the other tables will respond to this

Filter options

• User Purpose: Filter on the type of Exchange Online mailbox connected to the user.

  • User - A user account with a mailbox.

  • Guest - The user purpose for guest users is set to Guest.

  • Shared - A shared mailbox user.

  • Room - A user with a mailbox that represents a conference room.

• Created date: Helps you filter on when users were created

• Last sign-in: Helps you filter on showing all users from when they were last created. In this overview you can i.e exclude users created last two weeks

• User state: Choose if you want to see overview of active or inactive users or both

• Sign-in status: Helps you filter on users who have never signed in and users that have

• Account: Filter for showing Disabled or Enabled users - or both.

• User Source: Filter on Cloud users and users synced from on-premises

• User Principal Name: Free text search for a user name. Report will update accordingly.

Focus table - licenses

• This table gives you an overview of the license combinations that have overlapping licenses. The license on the left side is the most comprehensive license package, while the license on the right side is the overlapping license that can be removed.

Breakdown table - additional filter available for different user properties

• This table shows the distribution of cost for the chosen property

• Breakdown filter: Choose the appropriate property you want to by using the breakdown filter on the right side. We have also included Extension attributes as this is often used by companies

User details table

• In this table you can drill down on the specific users that have licenses allocated to them and investigate whether they should be removed or not.

• The column selector on the right hand side gives you the opportunity to choose which information is the most interesting to see. Some of the most interesting properties to see based on our experience is:

1. Created

2. Last sign-in

3. Days since last sign-in

4. Cost

Problem description:

Most companies started an MFA registration campaign to make sure that all users use MFA when signing in. Many have also trained their end-users in how to detect phishing and so on.

One big problem is to handle all the inactive users, service accounts, resources and such. It's common to allow end-user to register MFA from anywhere. The password is then the only protection of those accounts. These accounts are then vulnerable for password sprays.

If the account to your previous CFO that left the company 7 years ago wasn't deleted due to issues in the offboarding routine, is that account protected with registered MFA?

Token theft is also popular amongst the evil ones. Helping your end-users to protect themselves by providing phishing resistant MFA or passwordless sign-in would prevent tokens being stolen by fake/malicious websites and other phishing attacks. Adopting a passwordless and phishing resistant strategy is easier than you might think. Jonathan Edwards created a great video for inspiration/demo on how to achieve .

MFA is the fundament in securing your environment, and we encourage everyone to spend an hour watching John Savill explaining

General considerations:

Normal user accounts should be protected from time of creation, meaning you should ensure no one else than the person/service account was created for could start using the account by guessing the correct username and password.

Some organisations choose to create the users with extremely long and complex passwords, some creates them as disabled and end-users needs contact support to get them enabled and some preregister an authentication method like phone or sms.

Using Temporary Access Pass (TAP) in combination with MFA requirement to register security information could be a great way of enhancing your

Many accounts like meeting rooms, shared resources and service accounts doesn't support a traditional two factor. You should protect these accounts by creating specific conditional access rules to protect the usage of these accounts.

report will list all accounts available for everyone guessing the correct username and password:

Bsure recommendations:

Require MFA for all users:

Create conditional access rule to

• Require that all users register MFA regardless of location

• Provide only the

• Exceptions only for service accounts and location based users. Create specific network locations and create separate conditional access rules to allow usage of these accounts from specific ip

Protect registration of security information

Ensure that the security information registration page is protected. Guessing correct username and password will then not be sufficient to take over an unused identity within your Entra ID.

Create a conditional access policy to require MFA ever time user want to register security information.

• Under session - add sign-in frequency = Every time

• Make sure you exclude all guest accounts (already taken care of if you use the provided)

Change the process on how you onboard new users.

Requires that users are allowed to change their password in Entra ID if passwords are needed.

Create new users as you always done but with a crazy long and complex password that you just forget.

Create and provide a temporary access pass when the user or manager requests it.

End-user goes to and type in username and gets asked for temporary access pass:

Sign in and follow wizard to register security information

When done, user should set a new password if needed using the link provided on

Follow the self service password reset instructions

This way you ensure that inactive accounts without MFA registration completed can't be taken over by attackers.

Problem description:

Reports states that 85% of all attacks starts with a compromised identity, and we've learned that companies has a 10-30% cost saving potential of their total license cost on Microsoft OnlineServices.

Most organizations will find many inactive or unwanted user accounts in their Entra ID. Test-, administrator-, guest- and member-accounts can be created by anyone (with permissions to do so). In most organizations between 30-50% of the identities in Entra ID is not in use. A normal finding is that many user accounts were created years ago and have not been used for years, if ever used. Many of these accounts have not registered MFA, and in most cases, we see that organizations allow new users to register MFA from anywhere. The first person guessing the correct username and password combination will then register MFA.

These users also represent a quite significant cost since they in many cases have licenses assigned.

What It Is

The Device Code Flow is a way of logging in to Microsoft systems when the machine you’re using doesn’t have a normal web browser. Instead of opening a login window, the system shows you a short code. You then go to on your phone or computer, type in the code, and approve the login. Once you’re done, the headless system (for example, a container or the Azure web console) gets the access it needs.

Think of it like authorizing a smart TV to use Netflix: the TV shows you a code, you approve it on your phone, and then the TV is trusted.

Security tiles

• User accounts: User accounts not logged in last 90 days should be reviewed to ensure that they should still be active, and if not they should be disengaged

Before installing Bsure Insights from the Azure Marketplace, make sure the following requirements are in place:

• Azure Subscription

• Tenant at Entra ID P1 level (minimum 1 license)

• User with Global Administrator

Introduction

The Devices Reports section of Bsure Insights provides valuable insights into your organization's device ecosystem. The section revolves around devices registered with Microsoft Entra ID.

An Entra ID device is a physical or virtual endpoint - such as laptops, desktops, mobile phones, or tablets - that is registered or joined to your Entra ID tenant. These devices can be user-owned (registered) or organization-owned (joined, either Microsoft Entra joined or Microsoft Entra hybrid joined), and may be managed through solutions like Microsoft Intune, enabling secure access to corporate resources and enforcement of IT policies.

Microsoft documentation: What is a device identity?

Data Source

All device data in the reports are collected from the Microsoft Graph endpoint.

In Microsoft Entra, this data is found in the view:

Properties

The properties we collect, and the name we use in reports

Problem description:

Most organizations assign the built-in Entra ID roles to users, groups and service principals to operate their environment. It is common that highly privileged roles with excessive permission levels are used for performing daily tasks.

Microsoft has made over 30 different built-in roles to give administrators just enough privileges to do their job, but most organizations have adopted just a few of them.

Users or service principals holding these roles are rarely reviewed and from a security perspective this is a huge problem. There are also some decisions to be made when it comes to how you distribute these roles and how you protect them.

General considerations:

Highly privileged roles should be assigned individual identities using and it is also a good practice to enforce for activating such roles.

These users should be cloud native and you should configure .

These features requires an Entra ID P2 license per user benefitting from PIM and Identity Protection.

All identities having privileged roles should be . Licensing these identities with access to services like Exchange Online or Teams should be avoided and handled with care.

Due to the nature of newer web browsers it is not recommended to use the same computer for administrative tasks as daily consumption of email and teams. Most web browsers have support for running several profiles running different user contexts. When clicking an external link you must avoid that the link starts in a browser signed in as an elevated user.

Considering implementing is a good idea to avoid usability of stolen credentials and unintentional behaviour like a click on an external link ending up in an elevated browser.

Considerations assigning roles to different identities:

Personal user accounts:

Entra ID roles are often assigned to normal user accounts on a permanent basis, meaning that if a user falls for a phishing attack or clicks on a malicious link in teams or email the result could be catastrophic. Users change roles over time and if a user needed Sharepoint Administrator role years ago we find that most organizations don’t have good routines in removing this access when no longer needed. If you enforce proper security measures on these "admin" users to protect Entra ID, usability on these accounts would be limited.

Personal administrator accounts:

It is considered better to use separate dedicated personal administrator accounts to operate the environment. But technicians could still end up clicking a link ending up in the web browser that holds privileged permissions. These administrator accounts also tend to be unmanaged, and based on our experience, it’s normal to find several accounts not registered MFA or not been used for a very long time with permanent assigned privileged roles. It is also considered a security risk to license these accounts to Exchange and/or Teams. The requirement of in combination with the usage of should be the minimum requirement for such users.

Guest accounts:

Even guest accounts can be assigned these roles, but these accounts are, in most organizations, unmanaged. If you assign permissions to a guest account, you automatically trust the organization, from where the account resides, to have very good on- and off-boarding routines and you trust their security setup. We’ve had several major incidents in Norway where guest accounts were compromised and resulted in organizations being attacked.

If You decide to assign Entra ID roles to guest accounts, you must use and set the eligibility to each role to expire in the very near future. It could also be a good idea to require an before elevating the guest user.

Groups:

Assigning roles to groups is also a common way of distributing permissions. It is an easy way of distributing permissions, but it is harder to figure out which user has which role and there is some downsides, like the possibility for self elevation from lower permissions and running automated access reviews on Entra ID roles. If you still want to use groups please read and follow best practices from Microsoft:

You should also carefully review membership in these groups on a schedule. is a great way to review membership in such groups.

If You still want to use groups for eligible role assignments, you should require additional on highly privileged roles.

Service principals:

It is common to use SaaS solutions and integrate them into your environment. Migration tools, backup tools and normal production software often need some sort of access into your environment to function properly. Very often providers of such software ask for way more permissions than they need. We’ve seen follow me print solutions holding SharePoint administrator role and systems controlling meeting room panels holding full access permissions to all mailboxes within organizations. If the application provider gets a security breach, how exposed are you, since the attacker then will have access to your environment with the permissions given the application?

As a side comment it is also important to evaluate from where these service principals sign in in from. If you gave an application provider a service principal to consume your data, you should evaluate from where the application is processing your data. Is your data protection officer informed?

How to clean-up your environment:

1. Review your current environment by using the

2. Remove roles and permissions from users, groups and service principals not needing them.

3. Ensure that all accounts holding such permissions are protected with or ensure to protect them with conditional access policies ensuring that they can only be used from a specific ip or other measures that decreases usability of the account.

4. Ensure that all privileged accounts holds an Entra ID P2 license and configure to get these features:

This brings us to the core of identity governance in Microsoft Entra.

Non-interactive sign-ins are often skipped from conditional access and in the Application - Sign-in Locations we do show all successful sign-ins regardless if they're interactive or non-interactive.

If you filter on interactive sign-ins in the report you can verify your conditional access policies. But remember that non-interactive sign-ins re-uses a valid token.

AI put together a well-documented, community-verified breakdown of common flows that either bypass CA completely or only partially evaluate it.

✅ Conditional Access Coverage Overview

🚫 Common Non-Interactive Flows That Bypass or Partially Apply Conditional Access

🛡️ What does enforce Conditional Access?

CA is only evaluated on:

• Interactive sign-ins via browser or modern authentication (OAuth2 Authorization Code Flow)

• Token issuance events that require a fresh auth

• Apps explicitly targeted by CA

• Session controls (like Sign-in Frequency, CAE)

🔍 How to monitor these flows

Use the Bsure Insights Application - Sign-in Locations report and filter on non-interactive sign-ins. You can create your own favourite selecting only apps and countries you want to monitor closely.

A manual option is to use Microsoft Entra ID > Sign-in logs with the following filters:

• Sign-in type = Non-interactive

• Client app = Mobile apps and desktop clients or Other clients

• Add Location to see IP or country

• Conditional Access = Not applied or Report-only

💡 Recommendations

🔁 1. Enable Sign-in Frequency + Token Lifetime Policies

Force reauthentication at regular intervals to make Conditional Access re-evaluation more predictable.

• 🔗

• 🔗

🔄 2. Enable Continuous Access Evaluation (CAE)

Allows near-real-time revocation of access when location, risk, or device state changes — even after token issuance.

• 🔗

• 🔗

🛠 3. Use Conditional Access for Workload Identities (Service Principals / Apps)

Helps enforce CA on non-user service-to-service auth flows (like Power BI service principals, automation, Graph API jobs, etc.)

• 🔗

• 🔗

🧠 Note: Workload identity CA requires Microsoft Entra Workload ID license that has a list price of $3.00 workload identity/month, paid yearly (annual commitment)

🧼 4. Monitor Sign-ins (especially Non-Interactive ones)

Track token reuse, service principal usage, and mobile clients that bypass CA.

• Monitor sign-ins using Bsure Insights reports:

  • Non-interactive user sign-ins :

  • Service Principal usage:

• 🔗

🔒 5. Block Legacy Authentication

Legacy protocols (like SMTP, POP, IMAP, basic auth) bypass CA entirely and should be blocked unless required.

• 🔗

👁 6. Leverage Microsoft Defender for Cloud Apps (optional but powerful)

Provides real-time session controls, detection of risky activity in apps like Teams, Graph, Exchange — even when CA doesn’t fire.

• 🔗

• 🔗

How do I get assistance?

Please see our support page

Which permissions are required for installation?

Entra ID

The plays a vital role during the installation of the Bsure Datacollector. You will require a highly privileged user account due to the . Although the may also be used, we've skipped that in the prior steps. This decision was influenced by the familiarity of most customers with the Global Administrator Role

Azure Subscription

When installing the Bsure Datacollector, the Azure Resource Manager has to assign permissions to certain identities. The task of assigning permissions within an Azure Subscription is reserved for the . Additionally, access to the actual resources within the subscription is required, rendering the insufficient for this purpose

Can we add last logon info from on-premises AD?

Bsure Insights show users last successful sign-in date in Entra ID. Our app does not have information about when users last logged on to your on-premises Active Directory.

Hybrid customers may have users synced to Entra ID, showing as inactive in Bsure Insights, because they have not signed in to any Microsoft cloud resources recently. But they can still be active in your local AD.

To bring the last logon information from AD in to Bsure Insights, you have to add this information to a user attribute that is being synced to Entra ID.

Our recommended approach:

• Run a PowerShell script against your local AD to write Last Logon date to an unused Extension Attribute.

• Schedule the script to run daily, using Task Scheduler or an automation tool of your choice.

Script example:

You have to adapt this script to your local environment. Change the OU path, and change extensionattribute2 to the extension attribute you choose.

How can we delete the Managed Application?

To find the Managed Application Center, enter "Managed Application Center" into the search bar at the top of the page on . Then, select the "Managed Application Center" option from the search results.

Navigate to "All Applications" and find the application you installed. The name of the application will be the same as the one you selected during the installation process. Click on the application name to access the Managed Application.

Click on the "Delete" button and confirm your action to initiate the deletion process.

Last sign-in date for users used in Bsure Insights

Last sign-in date for users is defined as the date of the user's most recent successful interactive or non-interactive sign-in. It is the property from Entra ID.

In Entra ID you will see date and time for "Last interactive sign-in" and "Last non-interactive sign-in":

These dates represent the latest sign-in attempt regardless if it was successful or not. An unsuccessful user sign-in from a browser in e.g. a conditional access blocked country would update the "Last interactive sign-in" on that specific user, ref

In Bsure Insights we set a blank sign-in date if Microsoft graph returns a blank value for the property .

According to Microsoft they started populating this field December 1. 2023, but it seems like was populated from .

It is not possible to provide a "last sign-in" date for users not signed in since then, and in Bsure Insights reports they will have a blank "Last sign-in", since we simply don't know when or if they ever signed in successfully.

Sign-in logs: What information is collected and how it's stored in Bsure Insights

Bsure Insights data collector store the latest successful unique sign-in, unique combination of appId, location_countryOrRegion and userid. It also stores when sign-in event happened, and resourcename, resourceid, applicationname and sign-in type (interactive or non-interactive) related to that unique sign-in event.

Meaning we only store the latest successful sign-in a specific user made to a specific app from a specific country.

Add your own custom domain name / change URL

Bsure will add this capability in the customer app later. If you would like to rename the the url to a more friendly one, like bsure.yourorg.com, now, please contact us at

Process takes approximately 15 minutes. You would need access to your DNS hosting "yourorg.com" and Entra ID as an Application Owner or higher.

We will then schedule a meeting for 30 minutes to configure your wanted custom domain name.

Top filter menu

Users: Showing the total number of users according to your filtering selections.

User Purpose: Filter on the type of Exchange Online mailbox connected to the user.

User - A user account with a mailbox. Shared - A shared mailbox user. Room - A user with a mailbox that represents a conference room. Equipment - A user with a mailbox that represents a piece of equipment. Others - A mailbox was found but the user purpose is not specified. Unknown - User has no Exchange Online mailbox, or we were not able to read it.