Β©οΈ2025 Created by Anuradha Samaranayake
Azure Access Assessment
π π‘οΈ
#Azure
#Security
#IAM
#EntraID
#ZeroTrust
#RBAC
π’ Last updated: May 2026 | Aligned with Microsoft best practices
How Many Accounts in Your Azure Tenant Have More Access Than They Need?
βοΈ Anuradha
β’
May 12, 2026
β’
β± 5 min read
β’
Security & Compliance
π‘οΈ Hey folks, welcome back! Let me ask you something. When did you last look at who actually has access to what in your Azure tenant? Not just the high-level stuff β I mean really look. Every role assignment, every service principal, every stale account sitting there doing nothing.
If you're like most teams I've worked with, the honest answer is "not recently enough." And that's not a criticism β it's just how cloud environments grow. One permission at a time, one project at a time, until one day you have a tenant full of access that nobody remembers granting.
This post is all about Access Assessment β what it is, why it matters, how to actually do it, and what Microsoft's own best practices say you should be doing. Let's get into it. π
π
The Uncomfortable Reality in Most Azure Tenants
82%
of cloud breaches involve excessive or unused privileges (Microsoft, 2024)
3Γ
more identities than actual employees exist in a typical tenant
40%
of user accounts haven't signed in within the last 90 days
Zero
That's how many over-permissioned accounts is acceptable in a healthy tenant
π€
What Is an Access Assessment?
An access assessment β or access review β is the process of looking at who has access to what in your Azure tenant and checking whether they actually still need it. Simple concept. Surprisingly powerful in practice.
In Microsoft's world, this is built directly into Microsoft Entra ID (formerly Azure Active Directory) through a feature called Access Reviews. It gives you a structured, repeatable way to audit permissions across users, groups, service principals, and privileged roles.
π‘ Microsoft's Guidance
Azure Access Reviews help organizations efficiently manage group memberships, access to enterprise applications, and role assignments. Access can be reviewed on a regular basis to make sure only the right people have continued access.
π
Access assessment is both a feature and a practice. It's regularly asking: does this person or service still need this permission to do their job today?
Microsoft Entra Access Reviews βπ¨ Why Should You Care?
Three scenarios that happen in real tenants β right now
π€
The Ex-Employee
A developer leaves. IT disables their M365 account. But the service principal they created for a pipeline still has Contributor access to production. Nobody removed it. That's a live attack surface if those credentials ever leaked.
β‘
The "Just This Once" Permission
Someone got Owner access to a resource group for a quick migration task. Task done β permission never revoked. Three months later they accidentally delete a production storage account. Honest mistake. But it shouldn't have been possible.
π€
The Orphan Service Principal
An old automation script registered a service principal two years ago. The creator left the company. The SP is still active, has a non-expiring secret, and has Contributor access to production resources. Nobody knows what it does or if it's even used anymore.
These aren't edge cases. They're the norm in tenants that haven't done a proper access assessment.
πΊ The Access Risk Pyramid β Where Does Your Tenant Sit?
π΄ No reviews ever done β ghost accounts with Owner access β breach waiting to happen
π Occasional manual checks β stale permissions accumulate over time
π‘ Some RBAC in place β reviews are ad-hoc, not scheduled
π’ Automated reviews β Least privilege β PIM enabled
Which level does your tenant sit at right now?
β
What Microsoft Says You Should Do
Microsoft's guidance under the Zero Trust framework and the Microsoft Cloud Security Benchmark is clear: use least privilege, always, and verify continuously.
π
Least Privilege
Every identity should have only the minimum access required to do their job β not "might need," not "could be useful." Minimum required.
π
Regular Access Reviews
Microsoft recommends quarterly reviews for privileged roles and at minimum annual reviews for all users. Match cadence to resource sensitivity.
β°
Just-In-Time Access
Using Microsoft Entra PIM, admins get elevated access only when they need it, for a specific duration, with justification or approval.
π
Role-Based Access (RBAC)
Use Azure built-in roles wherever possible. Assign roles to groups, not individuals. Avoid custom roles unless absolutely necessary.
π€
Automate Everything
Manual reviews are better than nothing. But automated Entra Access Reviews with auto-remediation are far more reliable and consistent at scale.
π―
Assume Breach
Zero Trust means operating as if a breach is already possible. Minimize blast radius by ensuring no account has more access than it genuinely needs.
π οΈ How to Do an Access Assessment β Step by Step
Following Microsoft's recommended approach, start to finish
1
Get a Full Inventory First
Before reviewing anything, you need to know what's there. Use Microsoft Entra ID β Roles and administrators and Azure IAM (Access control) at each scope level β Management Group β Subscription β Resource Group β Resource. Export using Azure PowerShell or the CLI to get the full picture across all subscriptions.
2
Identify Stale Accounts and Inactive Identities
Look for accounts that haven't signed in within the last 30β90 days using Entra ID Sign-in Logs and Microsoft Entra Workbooks. Stale accounts are prime targets β they're forgotten by teams but still active in the directory. These are your quickest security wins.
3
Set Up Automated Access Reviews in Entra ID
Navigate to Microsoft Entra ID β Identity Governance β Access Reviews β New access review. Scope it to groups, privileged roles, or application assignments. Set a recurring schedule (quarterly for privileged roles, annually for general users) and configure auto-remediation so denied access is actually removed β not just flagged.
4
Enable and Configure PIM for Privileged Roles
Any privileged role β Global Admin, User Access Administrator, Owner β should go through Microsoft Entra PIM. Roles should be eligible, not permanently active. Users request activation when needed, for a limited window, with justification. This single change dramatically reduces your standing attack surface.
5
Review Service Principals and Managed Identities
Don't forget non-human identities β these are often the most forgotten. Audit all service principals: when did they last authenticate? What permissions do they have? Does the owning team still exist? Where possible, replace service principals with Managed Identities β they have no secrets to leak, and Azure handles credential rotation automatically.
6
Act on Findings β Remove, Downgrade, or Document
After reviewing, you have three options for each piece of access: remove it entirely, downgrade to a lower-privilege role, or document why the current level is justified. Don't just review β take action. An access review with no follow-through is the same as no review at all.
7
Track Progress with Defender for Cloud & Secure Score
Use Microsoft Defender for Cloud recommendations under "Manage access and permissions" to track improvement. The Identity Secure Score in Entra ID gives you a benchmark to measure against β watch that score improve as you clean things up.
π₯οΈ
Quick Start: Export All Role Assignments with PowerShell
Not sure where to start? Run this to get a flat list of every role assignment in your subscription β the perfect starting point for a first review:
# Connect to Azure first
Connect-AzAccount
# Export all role assignments to CSV
Get-AzRoleAssignment | Select-Object `
DisplayName, SignInName, RoleDefinitionName, Scope |
Export-Csv -Path "RoleAssignments.csv" -NoTypeInformation
# Find accounts with Owner role β keep this list SHORT
Get-AzRoleAssignment | Where-Object {
$_.RoleDefinitionName -eq "Owner"
} | Select-Object DisplayName, SignInName, Scope
π‘ Pro tip from experience: When you export role assignments, you'll often find "Unknown" entries in the DisplayName column. These are deleted accounts that still hold role assignments β ghost permissions. Remove these first. Easiest wins in your tenant.
π
Manual vs. Automated Reviews
Doing a manual review is infinitely better than doing nothing. But if you're running a serious production tenant, automating it is non-negotiable. The Entra ID P2 cost is a rounding error compared to the cost of a breach.
Bottom Line
Start manual if you're new to this. Get your first review done. Then use what you find to justify investing in Entra ID P2 and proper automation. One review will probably be all the justification you need.
| Aspect | Manual Review | Automated (Entra) |
|---|---|---|
| Consistency | β Prone to gaps | β Same process every time |
| Scale | β Hard with 500+ accounts | β Handles thousands |
| Auto-remediation | β Manual action needed | β Auto-removes denied access |
| Audit Trail | β Spreadsheets & emails | β Built-in Entra logs |
| Cost | Free | Entra ID P2 / Governance required |
π What Do You Actually Gain?
π‘οΈ
Reduced Attack Surface
Fewer over-permissioned accounts means an attacker has far less they can leverage if one account is compromised. Containment happens naturally.
β
Easier Compliance
ISO 27001, SOC 2, NIST, PCI-DSS β most frameworks require evidence of access reviews. Automated evidence makes audits significantly smoother.
π°
Cost Savings
Removing unused licenses tied to stale accounts and decommissioning idle service principals can actually save real money β especially in large tenants.
π
Better Visibility
You'll finally know exactly who can do what in your tenant. That clarity alone reduces accidental misconfigurations and speeds up incident response.
π€
Shared Accountability
Access reviews put responsibility back on resource owners and managers β not just IT. That's how governance should work.
π
Zero Trust Readiness
Access reviews are a core pillar of Zero Trust. Nailing this accelerates your entire Zero Trust maturity journey across the Microsoft stack.
π§ Tools You Need β Quick Reference
All Microsoft-native, all available in your tenant today
π’ Entra ID β Identity Governance β Access Reviews
Primary tool for recurring automated access reviews. Supports users, groups, apps, and Entra roles. Has built-in auto-remediation.
Learn more β
π Microsoft Entra PIM
Just-In-Time access for privileged roles. Every critical admin role should be eligible via PIM β not permanently assigned.
Learn more β
π‘οΈ Microsoft Defender for Cloud
Surfaces actionable recommendations like "MFA should be enabled on privileged accounts" and "Deprecated accounts should be removed." Free tier covers a lot.
π Microsoft Entra Workbooks
Pre-built workbooks for analyzing sign-in activity, stale accounts, risky sign-ins, and more. Built into Entra ID β massive time saver.
π· Azure Resource Graph + PowerShell/CLI
For bulk exporting role assignments across subscriptions and management groups. Essential for large tenants. Azure Resource Graph queries can surface role assignments at scale without throttling.
π¬
My Take β What I'd Do First If I Walked Into Your Tenant
I get asked this a lot. If someone handed me access to a tenant and said "find the biggest risk," here's exactly where I'd look first β in this order:
01
Owner-level assignments at subscription scope. Anyone with Owner can do basically anything β including giving themselves more access. This list should be very short and very intentional. More than 5 names? Red flag.
02
Global Administrators in Entra ID. Microsoft recommends 2β4 emergency break-glass accounts maximum. I've seen tenants with 20+ Global Admins. That's not just risky β it's unmanageable. And every one of those is a potential breach point.
03
Service principals with non-expiring client secrets. Any SP with a secret that never expires, holding Contributor or Owner access, is a ticking clock. These go unnoticed for years. Replace with Managed Identities wherever you can.
π Where to start if you have zero access reviews today: Don't try to fix everything at once. Start with privileged roles only β Global Admin, Owner, User Access Administrator. Get that list, validate each one with the actual manager, remove what shouldn't be there. That single exercise will probably be eye-opening enough to justify the full automation investment.
π―
Access Creep Is Slow. Breaches Are Fast.
Permissions accumulate gradually β one request at a time, one project at a time β until you look at the report and wonder how it got this way. Breaches happen in minutes to hours. One compromised over-permissioned account is all it takes.
The good news? Access assessment is one of the highest-impact, lowest-cost security improvements you can make. You don't need fancy tooling to start β just clarity on who has what, a process for reviewing it regularly, and the willingness to remove what shouldn't be there.
Start small, start now, build from there. Your future self will thank you. π
π Useful Microsoft Docs
#azure
#Security
#AccessReview
#EntraID
#PIM
#ZeroTrust
#RBAC
#IAM