Top 10 Microsoft Entra ID reports every admin should track daily

Identity management is essential for any organization, regardless of size or environment. Microsoft Entra ID (formerly Azure Active Directory) is a robust cloud-based IAM solution that streamlines and secures user management. To effectively manage your users, it's important to understand their attributes, activities, and any actions performed on them. Microsoft Entra ID provides built-in reports to help gather this data, which is critical for maintaining a secure environment.

We have compiled a list of Microsoft Entra ID reports that will help you keep an eye on the activities in your environment. Here are 10 reports your admins should track daily to keep your Microsoft Entra ID environment secure, and how M365 Manager Plus can improve your Microsoft 365 administration by enabling you to follow up on these insights.

These are the reports that we will explore in this article.

User life cycle reports

Admin activities reports

Honorable mentions

User life cycle reports

Managing users in a large environment involves overseeing their entire life cycle—from onboarding to offboarding. This requires careful attention at each stage, including account creation, role changes, and access adjustments. With users' roles frequently shifting, consistent oversight is essential. Since there are users at every stage of this process daily, admins must stay updated on ongoing changes. While most actions can be reviewed monthly, some are critical for security and need daily monitoring to ensure life cycle processes are functioning as expected and to detect any unauthorized changes.

Here are the five reports your admins should check on a daily basis to ensure your Microsoft Entra ID life cycle processes are functioning properly.

Recently created Microsoft Entra ID users

Regularly reviewing newly created users helps in managing and verifying that users have been added for valid reasons, such as new hires or creation of service accounts. New user accounts can sometimes be created due to malicious activities or unauthorized access. By monitoring account creations, you can quickly detect and address any suspicious or unauthorized account creation attempts.

The Recently Created Users report configured to display the recently created users within a one-month period.

Microsoft Entra ID Group membership updates

Monitoring group membership changes is crucial to ensure that users have appropriate access based on their current roles. It helps detect unauthorized additions or removals, which could indicate security breaches or insider threats. Regular reviews also support compliance with regulations and maintain accurate access records, preventing unauthorized access and operational disruptions.

The Recently Added Members to Group report with the configuration to search for members added to a group in the last seven days.

Employee role changes in Microsoft Entra ID

Monitoring changes to user roles is essential for verifying that access levels remain appropriate and secure. It helps identify unauthorized role modifications, which might signal security breaches or malicious activity. Regular monitoring also ensures compliance with security policies and maintains a clear audit trail, thereby preventing potential unauthorized access and enhancing overall security management.

The Recently Added Members to Role report configured to search for members added to a role in the last seven days.

Disabled users in Microsoft Entra ID groups

Identifying disabled users within groups is vital for maintaining secure access control and effective resource management. It helps detect security risks posed by disabled users who may still have access to sensitive resources and complicate group management. Regularly reviewing and removing these users ensures that only active, authorized individuals have the appropriate access rights, preventing potential exploitation and maintaining accurate access records.

The Groups with Disabled Users report with the Generate Now button in the top-left of the report.

Deleted users in Microsoft Entra ID

Deleting user accounts in Microsoft Entra ID during the offboarding process is essential for protecting your organization's digital resources. Tracking these deletions helps ensure compliance, proper provisioning, and overall security. Regularly reviewing deleted accounts helps you recover mistakenly removed users, address operational disruptions, maintain accurate records, and safeguard against potential errors or security risks.

The Deleted Users report with the configuration and list of deleted users displayed.

Admin activities reports

Tracking admin activities in Microsoft Entra ID is crucial for securing your organization's identity management system. Given their elevated privileges, admins' actions can greatly affect security and stability. By tracking some of your admin actions on a daily basis, you can quickly detect any anomalies or suspicious behavior that may indicate an insider threat or unauthorized access by malicious actors posing as administrators.

Here are the five reports that should be checked on a daily basis to ensure that there are no suspicious activities being performed by your admins in your environment.

Password resets by Microsoft Entra ID admins

Tracking password resets by administrators is crucial for maintaining secure access and protecting against potential threats. Monitoring these changes, especially those occurring outside of regular business hours, ensures that only legitimate modifications are made, safeguarding admin accounts from being misused to lock out users or compromise data in Microsoft Entra ID.

The Azure AD User Audit Logs report with the Filter menu configured to track the Reset password (by admin) Activity Display Name.
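
The off-hours check described above, as an added example that is not part of the original article or of M365 Manager Plus: it scans audit records shaped like Microsoft Graph directoryAudit entries for the Reset password (by admin) activity. The sample records, the 08:00 to 18:00 weekday window and the choice to evaluate it in UTC are assumptions made for illustration.

```python
from datetime import datetime, time

ADMIN_RESET = "Reset password (by admin)"   # activity display name used in the report filter
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed working window, in UTC

# Constructed sample records using directoryAudit field names; not real tenant data.
SAMPLE_AUDIT = [
    {"activityDateTime": "2024-05-14T09:12:03Z", "activityDisplayName": ADMIN_RESET,
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "a.lee@contoso.example"}]},
    {"activityDateTime": "2024-05-15T02:47:40Z", "activityDisplayName": ADMIN_RESET,
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@contoso.example"}},
     "targetResources": [{"userPrincipalName": "cfo@contoso.example"}]},
    {"activityDateTime": "2024-05-18T11:30:00Z", "activityDisplayName": ADMIN_RESET,
     "result": "success",
     "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
     "targetResources": [{"userPrincipalName": "j.doe@contoso.example"}]},
    {"activityDateTime": "2024-05-15T03:05:00Z", "activityDisplayName": "Update user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@contoso.example"}},
     "targetResources": [{"userPrincipalName": "cfo@contoso.example"}]},
]

def initiator(record):
    """Return who performed the action; it can be a user or an application."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def off_hours_admin_resets(records):
    """Return (timestamp, initiator, targets) for successful admin resets outside the window."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != ADMIN_RESET or rec.get("result") != "success":
            continue
        # Timestamps are UTC; keep whole seconds and ignore any fractional part.
        when = datetime.strptime(rec["activityDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        weekend = when.weekday() >= 5            # Saturday is 5, Sunday is 6
        in_window = BUSINESS_START <= when.time() < BUSINESS_END
        if weekend or not in_window:
            targets = [t.get("userPrincipalName", "unknown") for t in rec.get("targetResources", [])]
            findings.append((rec["activityDateTime"], initiator(rec), ", ".join(targets)))
    return findings

if __name__ == "__main__":
    for when, who, target in off_hours_admin_resets(SAMPLE_AUDIT):
        print(f"{when}  {who} reset password for {target}")
```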

Microsoft 365 self-service password resets

Monitoring password reset activity by users is essential for identifying potential security threats at an early stage. It helps reveal suspicious patterns, such as multiple failed attempts, resets from unusual locations, or unexpected surges in resets for specific user groups. These signs may indicate security breaches or compromised accounts. Keeping detailed records of password resets supports audits and investigations by offering a clear trail of user activity.

The Recently Password Reset Users (Self-Service) report configured to display self-service password resets by users.

Inactive Microsoft Entra ID users

Inactive users often remain in an organization due to improper deprovisioning of former employees and service accounts. Leaving these accounts unchecked can lead to wasted licenses and security vulnerabilities. Such accounts might grant attackers access to various sensitive groups associated with these users. To mitigate security risks, it's important to block or disable these inactive accounts.

A report generated for users who were inactive for the last 30 days.
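
A combined check for this section and the earlier "Disabled users in Microsoft Entra ID groups" section, as an added example that is not part of the original article or of M365 Manager Plus: it lists groups that still contain disabled or 30-day-inactive accounts. The field names follow Microsoft Graph user properties (accountEnabled, createdDateTime, signInActivity.lastSignInDateTime); the users, groups and the fixed NOW date are constructed.

```python
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=30)   # same 30-day window as the report above

# Constructed sample data using Microsoft Graph user property names; not real tenant data.
USERS = [
    {"userPrincipalName": "a.lee@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T07:45:00Z"}},
    {"userPrincipalName": "old.contractor@contoso.example", "accountEnabled": True,
     "createdDateTime": "2022-06-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-02-02T16:20:00Z"}},
    {"userPrincipalName": "svc-legacy@contoso.example", "accountEnabled": True,
     "createdDateTime": "2021-03-15T08:00:00Z", "signInActivity": None},   # never signed in
    {"userPrincipalName": "new.hire@contoso.example", "accountEnabled": True,
     "createdDateTime": "2024-05-27T08:00:00Z", "signInActivity": None},   # not started yet
    {"userPrincipalName": "former.emp@contoso.example", "accountEnabled": False,
     "createdDateTime": "2020-09-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T10:00:00Z"}},
]
GROUP_MEMBERS = {   # constructed group name -> member UPNs
    "Finance-Approvers": ["a.lee@contoso.example", "former.emp@contoso.example"],
    "VPN-Users": ["old.contractor@contoso.example", "svc-legacy@contoso.example"],
    "All-Staff": ["a.lee@contoso.example", "new.hire@contoso.example"],
}

def parse_utc(ts):
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def classify(user, now):
    """Return 'disabled', 'inactive' or 'ok' for one user record."""
    if not user.get("accountEnabled", True):
        return "disabled"
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    # Never signed in: measure from creation, so a new hire is not flagged.
    reference = parse_utc(last or user["createdDateTime"])
    return "inactive" if now - reference > INACTIVE_AFTER else "ok"

def stale_memberships(users, groups, now):
    """Map each group to its disabled or inactive members, skipping clean groups."""
    status = {u["userPrincipalName"]: classify(u, now) for u in users}
    report = {}
    for group, members in groups.items():
        flagged = [(m, status[m]) for m in members if status.get(m, "ok") != "ok"]
        if flagged:
            report[group] = flagged
    return report

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the sample is reproducible
```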

Microsoft Entra MFA status

Ensuring that your users are secured with multi-factor authentication (MFA) is increasingly important. By monitoring MFA adoption across your organization, you can identify preferred authentication methods and prevent reliance on a single factor. Gaining insights into which users do not have MFA enabled helps you encourage or enforce MFA setup for their accounts without needing to review each user’s details individually.

The Multi Factor Authentication Status report with the MFA status of users and the methods used by them in a tenant.

Microsoft Entra ID sign-in reports

Tracking your users' sign-ins is crucial for monitoring their activity and identifying whether an attacker is trying to break into your environment. When you spot an unusual pattern in sign-in attempts, such as a sign-in from an unlikely location, IP address, or time range, you can block the affected accounts after confirming your suspicions.

The Azure AD Logon Activity report with the details of all sign-in activities of users and applications over a month.

Honorable mentions

While the reports mentioned above are crucial, there are additional activities of equal importance that can be set up and reviewed as needed. However, these actions require you to configure them using PowerShell scripts in the native portal.

M365 Manager Plus offers these functionalities natively, without any scripting or additional subscriptions, thereby making these crucial processes simpler to approach and implement in your environment.

Inactive Microsoft 365 license management

Managing licenses for Microsoft services such as Outlook, Power BI, and OneDrive is key to aligning access with user roles and departments. As users change roles, their access needs evolve, requiring timely license updates. Manual management for many users is error-prone and costly, potentially leading to incorrect access or wasted expenses. Automating this process improves accuracy, security, and cost efficiency, making it essential for effective management.

Microsoft Entra ID can automate this process. However, that requires the use of complex PowerShell scripts and a Power Automate subscription. With M365 Manager Plus, you can track and remove inactive licenses from users script-free, without breaking a sweat.

The Create New Automation page with the settings configured to automate the removal of inactive licenses of users in Microsoft Entra ID on the 28th of every month at 00:00.

Custom Microsoft Entra ID report creation

Creating custom reports is essential for analyzing user behavior, access patterns, and security metrics, which aids in enhancing security and operational efficiency. It helps in obtaining detailed views of sign-in activities and application usage tailored to organizational needs.

However, the specific and exact filters required by Microsoft Entra ID can make report generation challenging and repetitive, especially for daily reports, impacting usability and efficiency. M365 Manager Plus simplifies creating new reports out of more than 700 templates with intuitive filters and the ability to save them as custom reports, all without any PowerShell scripting or additional tools.

The Azure AD Logon Activity report with a custom filter configured to generate the details of application sign-ins.

Get a clear overview of your Microsoft 365 environment with M365 Manager Plus

ManageEngine M365 Manager Plus is a comprehensive administration and security solution for Microsoft 365 used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. You can gain a thorough understanding of not just your Microsoft Entra ID environment but also Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services, with detailed reports and intuitive visualizations, all from a single console.

There are also other benefits to using M365 Manager Plus to manage and monitor your Microsoft 365 environment.

Effortlessly schedule and export reports on your Microsoft 365 environment.
