Azure AD / Entra ID Health Check | MStack360 - Identity Security Assessment

Identity Is the New Perimeter. Most Tenants Have It Wide Open.

Over 80% of breaches involve compromised credentials. Without proper Entra ID hardening, every user account is a potential entry point into your entire Microsoft 365 environment.

Compliance frameworks mapped: HIPAA, PCI-DSS, GDPR, NIS2, SOC 2
  • Overprivileged Admin Accounts

    Too many Global Administrators, with no MFA enforced and no PIM for just-in-time activation, is one of the most common and dangerous misconfigurations we see across Microsoft 365 tenants.

  • Conditional Access Gaps

    Most tenants have Conditional Access policies still in Report-Only mode, or policies that omit whole client platforms or application sets, leaving real access routes unprotected.

  • Ignored Risk Detections

    Unresolved risky sign-ins and Identity Protection alerts sit in the portal for months, giving attackers persistent access that goes unnoticed.

A Complete Review of Your Entra ID Environment

We go deep into every layer of your identity and access setup, document every finding with evidence, and prioritize what needs fixing first.

User Accounts & Identity Hygiene

We review all user accounts for stale identities, licensing mismatches, inactive accounts, and naming inconsistencies that create management and security problems over time.

All Organizations

Stale & Inactive Accounts

Identify user accounts that have not signed in for 30, 60, or 90 days, disabled accounts still holding licenses, and accounts for departed employees.
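The stale-account check above, as an added example using the Microsoft Graph PowerShell SDK (this is not MStack360's tooling or a script from the page). It assumes Entra ID P1 (the signInActivity property is only populated with P1 or higher), the User.Read.All and AuditLog.Read.All scopes, and a 90-day threshold; adjust $StaleDays for the 30/60-day views.

```powershell
# Added example, not part of the original page. Assumes Entra ID P1 for signInActivity,
# the User.Read.All + AuditLog.Read.All scopes, and a 90-day staleness threshold.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$StaleDays = 90                                              # assumption: tune to 30/60/90
$cutoff    = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# Member accounts only; guests are covered in the external collaboration category.
$users = Get-MgUser -All -Filter "userType eq 'Member'" -Property `
    "id,displayName,userPrincipalName,accountEnabled,createdDateTime,assignedLicenses,signInActivity"

$findings = foreach ($u in $users) {
    # Interactive and non-interactive sign-ins are tracked separately; take the newest of either,
    # otherwise an account that only refreshes tokens (e.g. a mailbox rule) looks stale.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    $licensed = @($u.AssignedLicenses).Count -gt 0

    $issues = @()
    if (-not $last -and $u.CreatedDateTime -lt $cutoff) { $issues += 'NeverSignedIn' }
    if ($last -and $last -lt $cutoff)                   { $issues += "NoSignIn${StaleDays}d" }
    if (-not $u.AccountEnabled -and $licensed)          { $issues += 'DisabledButLicensed' }   # licence waste + reactivation target
    if ($u.AccountEnabled -and $licensed -and $issues.Count -gt 0) {
        $issues += 'EnabledStaleLicensed'   # highest priority: live credentials nobody is using
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Enabled           = $u.AccountEnabled
            LastSignInUtc     = $last
            Licenses          = @($u.AssignedLicenses).Count
            Issues            = ($issues -join ';')
        }
    }
}

$findings | Sort-Object LastSignInUtc | Format-Table -AutoSize
$findings | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```

The report deliberately separates "never signed in" from "stale" so that freshly provisioned accounts are not flagged, and it treats an enabled, licensed, unused account as the top finding because that is the one an attacker can still log into.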

Account Naming & UPN Consistency

Review UPN format alignment with the primary domain, inconsistencies between display names, mail attributes, and UPNs that cause issues with Teams and Outlook.

Self-Service Password Reset

Check SSPR registration rates, authentication method configuration, and whether SSPR bypass risks are properly controlled across user populations.

Licensing Assignment Review

Identify users with duplicate licenses, group-based vs direct assignment conflicts, and users assigned premium licenses they do not need or use.

Hybrid Identity & AD Connect

Review Azure AD Connect (now Microsoft Entra Connect) sync health, synchronization errors, password hash sync vs pass-through authentication, and seamless SSO configuration status.

Dynamic Groups & Group Hygiene

Audit dynamic membership rules, empty or redundant groups, nested group depth that causes performance issues, and groups with no owners assigned.

MFA, Authentication Methods & Passwordless

We audit your full authentication stack, from per-user MFA and Security Defaults to modern authentication methods and passwordless readiness across the tenant.

All Organizations

MFA Enrollment Coverage

Identify users with no MFA method registered, accounts using only SMS (vulnerable to SIM swap), and whether registration enforcement is in place via Conditional Access.
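The coverage check above, as an added example that is not the page's own tooling. It reads the Graph userRegistrationDetails report through the Microsoft Graph PowerShell SDK, so it needs the AuditLog.Read.All scope; the grouping of method names into "phone-only" and "phishing-resistant" tiers is this example's assumption, using the method names the Graph report returns.

```powershell
# Added example, not from the original page. Assumes the AuditLog.Read.All scope and the
# Microsoft.Graph.Reports module; method names follow the Graph userRegistrationDetails enum.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Phone-based methods: defeat password reuse but not SIM swap or real-time phishing.
$phoneOnly = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
# Phishing-resistant / passwordless tier (assumption for this report).
$strong    = @('fido2SecurityKey', 'windowsHelloForBusiness',
               'microsoftAuthenticatorPasswordless', 'passKeyDeviceBound')

$rows = foreach ($d in $details) {
    $methods = @($d.MethodsRegistered | Where-Object { $_ -and $_ -ne 'password' })
    if (-not $d.IsMfaRegistered) { $status = 'NoMfa' }
    elseif (@($methods | Where-Object { $_ -notin $phoneOnly }).Count -eq 0) { $status = 'PhoneOnly' }
    elseif (@($methods | Where-Object { $_ -in $strong }).Count -gt 0)       { $status = 'PhishingResistant' }
    else { $status = 'MfaRegistered' }

    [pscustomobject]@{
        UserPrincipalName = $d.UserPrincipalName
        IsAdmin           = $d.IsAdmin
        Status            = $status
        Methods           = ($methods -join ',')
    }
}

# Tenant-wide coverage summary.
$rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Privileged accounts with no MFA method at all are the first remediation item.
$rows | Where-Object { $_.IsAdmin -and $_.Status -eq 'NoMfa' } | Format-Table -AutoSize

# SMS/voice-only users: candidates for Authenticator or FIDO2 enrollment.
$rows | Where-Object Status -eq 'PhoneOnly' | Export-Csv .\phone-only-mfa.csv -NoTypeInformation
```

Registration is not enforcement: a user with a method registered can still sign in with a password alone unless a Conditional Access policy requires MFA, which is why this report is read alongside the policy review.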

Authentication Methods Policy

Review the Authentication Methods Policy for which methods are enabled (Authenticator, FIDO2, SMS, Voice), method targeting, and whether legacy per-user MFA is still in use.

Legacy Authentication Blocking

Check whether clients using legacy authentication (Basic Auth over SMTP AUTH, IMAP, POP3, Exchange ActiveSync and older Office clients, none of which can satisfy an MFA requirement) are blocked for all users via Conditional Access or a tenant-level policy. Exchange Online has retired Basic Auth for most protocols, but SMTP AUTH is still governed by a per-tenant and per-mailbox setting and needs its own check.

Security Defaults vs. CA Policies

Determine whether Security Defaults should be replaced by Conditional Access policies for more granular control. The two are mutually exclusive: Security Defaults must be turned off before Conditional Access policies can be enforced, so the typical gap is a tenant that disabled Security Defaults to start using Conditional Access and never rebuilt the baseline they provided (MFA for admins, MFA registration for all users, a legacy authentication block).

Microsoft Authenticator Configuration

Review number matching, additional context features, and whether users are protected against MFA fatigue attacks through push notification configuration.

Passwordless Readiness

Assess readiness for FIDO2 security keys or Windows Hello for Business deployment, including device registration state and policy prerequisites.

Conditional Access Policies

We perform a full review of every Conditional Access policy, checking coverage gaps, report-only policies, exclusion overuse, and missing baseline protections that leave your tenant exposed.

All Paid Licenses

Policy Mode Review

Identify all policies in Report-Only mode that are not actually enforcing, and assess the risk of switching them to Enabled without breaking legitimate access flows.

Admin Account Exclusions

Review emergency access account configuration, break-glass account exclusions, and whether service account exclusions are tightly scoped or overly broad.
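One way to run the policy mode, legacy authentication and exclusion checks described above (and the MFA registration enforcement check from the previous section) in a single pass, as an added example with the Microsoft Graph PowerShell SDK. This is not MStack360's script; it assumes the Policy.Read.All scope, and the exclusion threshold of 2 (the two break-glass accounts) is an assumption to tune per tenant.

```powershell
# Added example, not from the original page. Assumes the Policy.Read.All scope; the
# $MaxExclusions threshold (two break-glass accounts) is an assumption.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policies      = Get-MgIdentityConditionalAccessPolicy -All
$MaxExclusions = 2

$review = foreach ($p in $policies) {
    $c = $p.Conditions
    # Counts excluded objects, not excluded people: one excluded group can hide hundreds of users.
    $excl = @($c.Users.ExcludeUsers).Count + @($c.Users.ExcludeGroups).Count + @($c.Users.ExcludeRoles).Count
    [pscustomobject]@{
        Name        = $p.DisplayName
        State       = $p.State          # enabled | disabled | enabledForReportingButNotEnforced
        AllUsers    = ($c.Users.IncludeUsers -contains 'All')
        AllApps     = ($c.Applications.IncludeApplications -contains 'All')
        ClientApps  = ($c.ClientAppTypes -join ',')
        Controls    = ($p.GrantControls.BuiltInControls -join ',')
        UserActions = ($c.Applications.IncludeUserActions -join ',')
        Exclusions  = $excl
    }
}

# 1. Policies that look protective in the portal but enforce nothing.
$review | Where-Object State -eq 'enabledForReportingButNotEnforced' | Format-Table Name, State

# 2. Is legacy authentication actually blocked? That needs an enabled policy scoped to all users
#    and all apps, client app types covering Exchange ActiveSync and "other clients", and Block.
$legacyBlock = $review | Where-Object {
    $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and
    $_.ClientApps -match 'exchangeActiveSync' -and $_.ClientApps -match 'other' -and
    $_.Controls -match 'block'
}
if (-not $legacyBlock) { Write-Warning "No enabled policy blocks legacy authentication tenant-wide." }

# 3. Is MFA registration gated (trusted location / compliant device) via the user action?
$regPolicy = $review | Where-Object { $_.State -eq 'enabled' -and $_.UserActions -match 'registersecurityinfo' }
if (-not $regPolicy) { Write-Warning "No enabled policy scopes the 'Register security information' user action." }

# 4. Exclusion overuse on enforcing policies: anything beyond break-glass is a gap to justify.
$review | Where-Object { $_.State -eq 'enabled' -and $_.Exclusions -gt $MaxExclusions } |
    Sort-Object Exclusions -Descending | Format-Table Name, Exclusions
```

Check 2 is intentionally strict: a legacy-auth block scoped to a pilot group or to a single app still leaves Basic Auth routes open for everyone else, so only a policy that meets every condition counts.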

Named Location & IP Restrictions

Audit named location definitions, trusted IP ranges, country-based access restrictions, and whether location-based policies are correctly scoped to the intended user groups.

Device Compliance Requirements

Validate that key workloads like Exchange Online and SharePoint require compliant or Hybrid Azure AD joined devices, and that BYOD access is properly restricted.

Sign-in Risk & User Risk Policies

Check whether Identity Protection risk-based Conditional Access policies are configured to require MFA for medium risk and block access for high risk sign-ins and users.

App-Specific Access Controls

Review whether high-value apps like Exchange Online, SharePoint, Teams Admin, and Azure Portal have dedicated policies enforcing stricter controls than general user access.

Admin Roles, PIM & Privileged Access

We audit all role assignments across Entra ID, checking for over-privileged accounts, permanent assignments that should be time-bound, and service principals with excessive permissions.

Enterprise & Regulated

Global Admin Count & MFA

Identify all accounts with Global Administrator role, verify each has MFA enforced, and flag where the count exceeds the recommended maximum of 2 to 4 accounts.

Privileged Identity Management

Review PIM configuration for eligible vs permanent role assignments, activation requirements (MFA, justification, approval), and whether PIM access reviews are scheduled.
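The Global Administrator count, MFA and eligible-vs-permanent checks above, as one added example built on the PIM role-management API through the Microsoft Graph PowerShell SDK. This is not the page's own tooling; it assumes Entra ID P2 (PIM), the RoleManagement.Read.Directory, Directory.Read.All and AuditLog.Read.All scopes, and uses the page's 2 to 4 target for permanent assignments.

```powershell
# Added example, not from the original page. Assumes Entra ID P2 (PIM) and the scopes below;
# the 2-4 permanent Global Admin target is the page's recommendation.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All" -NoWelcome

$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template ID
$filter = "roleDefinitionId eq '$GlobalAdminRoleId'"

# Active instances: permanent ("Assigned") and currently activated ("Activated") assignments.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All
# Eligible instances: principals who must activate through PIM (MFA / justification / approval).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All

# MFA registration keyed by user object ID (registration, not enforcement).
$mfaById = @{}
foreach ($d in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) { $mfaById[$d.Id] = $d }

function Resolve-Principal([string]$Id) {
    # Assignments can target users, groups or service principals; resolve the type and a name.
    $o = Get-MgDirectoryObject -DirectoryObjectId $Id
    $name = $o.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $o.AdditionalProperties['displayName'] }
    [pscustomobject]@{
        Type = ($o.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        Name = $name
    }
}

function Get-MfaState([string]$Id) {
    if ($mfaById.ContainsKey($Id)) { $mfaById[$Id].IsMfaRegistered } else { 'n/a' }
}

$rows = @()
foreach ($a in $active) {
    $pr = Resolve-Principal $a.PrincipalId
    if ($a.AssignmentType -eq 'Activated') { $kind = 'Activated' }
    elseif ($a.EndDateTime)                { $kind = 'ActiveTimeBound' }
    else                                   { $kind = 'Permanent' }
    $rows += [pscustomobject]@{
        Principal = $pr.Name; Type = $pr.Type; Assignment = $kind
        MemberType = $a.MemberType            # Direct | Group | Inherited
        MfaRegistered = Get-MfaState $a.PrincipalId
    }
}
foreach ($e in $eligible) {
    $pr = Resolve-Principal $e.PrincipalId
    $rows += [pscustomobject]@{
        Principal = $pr.Name; Type = $pr.Type; Assignment = 'Eligible'
        MemberType = $e.MemberType; MfaRegistered = Get-MfaState $e.PrincipalId
    }
}

$rows | Sort-Object Assignment, Principal | Format-Table -AutoSize

$permanent = @($rows | Where-Object Assignment -eq 'Permanent')
if ($permanent.Count -gt 4) { Write-Warning "$($permanent.Count) permanent Global Admins; target is 2-4, the rest PIM-eligible." }
if ($permanent.Count -lt 2) { Write-Warning "Fewer than 2 permanent Global Admins: no break-glass redundancy." }
$rows | Where-Object { $_.Type -eq 'user' -and $_.MfaRegistered -ne $true } |
    ForEach-Object { Write-Warning "Global Admin with no registered MFA method: $($_.Principal)" }
```

Group-based assignments (MemberType = Group) deserve a second look: the effective admin count is the group's membership, and whoever owns that group can add Global Admins without a role assignment of their own.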

Least Privilege Role Assignments

Review all directory role assignments to identify users with Global Admin when a scoped role like User Administrator or Exchange Administrator would suffice.

Service Principal Permissions

Audit app registrations and enterprise applications holding application-level permissions (granted to the app itself, not delegated on behalf of a signed-in user), especially Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All, or directory role assignments, since these work without any user present and bypass MFA and Conditional Access.
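An added example of the service principal permission audit above, written against the Microsoft Graph PowerShell SDK; it is not MStack360's tooling. It assumes the Application.Read.All scope, limits itself to Microsoft Graph application permissions (Exchange Online and SharePoint expose their own app roles), and the high-risk permission list is this example's assumption to tune to your threat model.

```powershell
# Added example, not from the original page. Assumes the Application.Read.All scope; the
# $highRisk list is an assumption and only Microsoft Graph app roles are resolved here.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Resolve app-role GUIDs to permission names from the Microsoft Graph service principal
# (well-known appId 00000003-0000-0000-c000-000000000000).
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }

$highRisk = @(
    'Mail.ReadWrite', 'Mail.Read', 'Mail.Send', 'Files.ReadWrite.All', 'Sites.FullControl.All',
    'Directory.ReadWrite.All', 'User.ReadWrite.All', 'Group.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
)

$sps = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
    -Property "id,appId,displayName,accountEnabled,appOwnerOrganizationId"

$findings = foreach ($sp in $sps) {
    # Application (not delegated) permissions are app-role assignments held by the SP
    # on the resource SP; delegated grants live in oauth2PermissionGrants instead.
    $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
              Where-Object ResourceId -eq $graphSp.Id
    foreach ($g in $grants) {
        $perm = $roleNames[[string]$g.AppRoleId]
        if ($perm -in $highRisk) {
            [pscustomobject]@{
                App         = $sp.DisplayName
                AppId       = $sp.AppId
                Enabled     = $sp.AccountEnabled
                Permission  = $perm
                # An owner tenant other than yours means a multi-tenant app; Microsoft
                # first-party apps also show an external owner, so review rather than auto-flag.
                OwnerTenant = $sp.AppOwnerOrganizationId
            }
        }
    }
}

$findings | Sort-Object App, Permission | Format-Table -AutoSize
$findings | Export-Csv -Path .\sp-app-permissions.csv -NoTypeInformation
```

For each hit the follow-up questions are who consented, whether the credential on the app registration is a certificate or a long-lived client secret, and whether a narrower permission (for example Mail.Read on a single mailbox via an application access policy) would do.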

Access Reviews Configuration

Check whether Entra ID Access Reviews are configured for privileged roles, group memberships, and guest access to ensure ongoing access is periodically re-certified.

Admin Unit Scoping

Assess whether Administrative Units are used to restrict helpdesk and delegated admin scope, and identify admin accounts with tenant-wide permissions that should be scoped.

Guest Accounts, B2B & External Collaboration

We audit all external identities in your tenant, reviewing guest permissions, invitation policies, and lifecycle management to ensure external access does not become a long-term security liability.

Orgs with Partners or Clients

Stale Guest Account Inventory

Identify guest accounts with no sign-in activity for 30, 60, or 90 days, guests from domains that are no longer business partners, and guests who have never accepted their invitation.

Guest Invitation Permissions

Review who can invite guests to the tenant, whether non-admin users can invite externals, and whether invitation settings comply with your organization's sharing policy.

Guest MFA Requirements

Check whether Conditional Access policies enforce MFA for guest accounts, and whether guests can access SharePoint, Teams, or email without meeting compliance requirements.

Guest Permission Level

Audit the default guest permissions setting in Entra ID to ensure guests have restricted access to the directory and cannot enumerate users, groups, or other tenant properties.
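The guest inventory, invitation settings and guest permission level checks from this section, as one added example using the Microsoft Graph PowerShell SDK (not the page's own script). It assumes the User.Read.All, AuditLog.Read.All and Policy.Read.All scopes, Entra ID P1 for signInActivity, and a partner-domain allowlist and 90-day threshold that are placeholders to replace with your own.

```powershell
# Added example, not from the original page. Assumes the scopes below and Entra ID P1;
# $PartnerDomains and the 90-day threshold are placeholders.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Policy.Read.All" -NoWelcome

$PartnerDomains = @('contoso.com', 'fabrikam.com')   # assumption: your current partner list
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# Tenant-wide external collaboration settings: who may invite, and what guests can see.
$authz = Get-MgPolicyAuthorizationPolicy
$guestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member (over-permissive)'
    '10dae51f-2644-4794-9e5f-7c2d2f2b7f9b' = 'Limited (default: can enumerate their own groups)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted (recommended)'
}
"Guest permission level : $($guestRoleNames[$authz.GuestUserRoleId])"
"Who can invite guests  : $($authz.AllowInvitesFrom)"   # everyone | adminsGuestInvitersAndAllMembers | adminsAndGuestInviters | none

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property `
    "id,displayName,mail,userPrincipalName,externalUserState,createdDateTime,accountEnabled,signInActivity"

$report = foreach ($g in $guests) {
    # Guest UPNs look like user_partner.com#EXT#@tenant.onmicrosoft.com; prefer mail when set.
    if ($g.Mail) { $domain = ($g.Mail -split '@')[-1] }
    else         { $domain = ((($g.UserPrincipalName -split '#EXT#')[0]) -split '_')[-1] }

    $last = @($g.SignInActivity.LastSignInDateTime, $g.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $issues = @()
    if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) { $issues += 'NeverRedeemed' }
    if ($last -and $last -lt $cutoff)                                                  { $issues += 'Stale90d' }
    if (-not $last -and $g.ExternalUserState -eq 'Accepted' -and $g.CreatedDateTime -lt $cutoff) { $issues += 'NoSignInSinceRedeem' }
    if ($domain -notin $PartnerDomains)                                                 { $issues += 'NonPartnerDomain' }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Guest         = $g.Mail
            Domain        = $domain
            State         = $g.ExternalUserState
            LastSignInUtc = $last
            Issues        = ($issues -join ';')
        }
    }
}

$report | Sort-Object Domain, LastSignInUtc | Format-Table -AutoSize
$report | Export-Csv -Path .\guest-review.csv -NoTypeInformation
```

Unredeemed invitations are worth their own line: the invite link is still valid, so a long-pending invitation to a mailbox the partner no longer controls is an open door rather than dead weight.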

Cross-Tenant Access Settings

Review Entra External Identities cross-tenant access policies, trusted MFA and compliant device claims for specific partner tenants, and B2B direct connect configuration.

Guest Access Reviews

Verify that Entra ID Access Reviews are scheduled for guest memberships in Teams and Microsoft 365 Groups, with automatic removal for guests who fail to confirm access.

Four Deliverables. Zero Ambiguity.

Every Entra ID health check concludes with a structured set of deliverables designed to give you clarity, evidence, and a clear path forward.

01

Executive Summary

A concise 2-page overview of your identity security posture, key risk areas, and recommended priorities for leadership and stakeholders.

02

Detailed Findings Report

Every finding documented with screenshots, evidence, severity ratings, and affected resources. Organized by audit category with clear before-and-after context.

03

Prioritized Remediation Plan

A ranked action list with step-by-step fix instructions. Critical items first, then high, medium, and low. Each item includes estimated effort and compliance mapping.

04

Recorded Review Session

A 60-minute video walkthrough of all findings. Share it with your team, IT leadership, or compliance officers. Available on-demand after the session.

What We Need From You

Our audit is non-invasive and read-only. Here is what we need to get started, and what you can expect from the process.

We never make changes to your tenant during the audit. All access is read-only, time-bound, and revoked immediately after the engagement is complete.

  • Global Reader or Security Reader Role

    Temporary read-only access to your Entra ID tenant. We provide the exact steps to assign and revoke.

  • 30-Minute Discovery Call

    A brief call to understand your license tier, hybrid setup, and any specific identity concerns before the audit.

  • No Downtime or Changes Required

    The audit runs silently against your tenant. No user impact, no downtime, no configuration changes during the review.

  • Report Delivered Within 24 Hours

    After the audit completes, expect the full findings report and remediation plan in your inbox within one business day.

From Booking to Full Remediation Plan in 4 Steps

A structured, low-disruption audit process that gives you a clear picture of your Entra ID posture and exactly what to fix.

  1. Discovery Call

    We learn your license tier, hybrid setup, and identity requirements to scope the audit and set the right expectations upfront.

    30 minutes
  2. Entra ID Audit

    We perform a read-only review of your tenant covering users, MFA, Conditional Access, roles, guests, and Identity Protection signals.

    2 to 4 hours
  3. Report Delivery

    You receive a detailed health check report with every finding categorized by severity, with screenshots and recommended actions.

    Within 24 hours
  4. Remediation Walkthrough

    We walk you through the findings, prioritize the critical fixes, and give you an action plan or handle the remediation directly.

    60 minutes


Identity Security Is Not a One-Time Fix.

A health check finds the gaps. Our Microsoft 365 Managed Support Retainer keeps them closed — with continuous Entra ID oversight, proactive monitoring, and expert management across your entire M365 environment.

  • Continuous Entra ID monitoring and Conditional Access management across your M365 tenant
  • Monthly identity risk reports with sign-in anomaly alerts and access review summaries
  • Proactive management of MFA, guest lifecycle, PIM, and Microsoft 365 security policies
  • Priority response within 4–24 hours with a dedicated Microsoft 365 support team

Your Entra ID health check is included free with any Priority or Partner retainer plan.

Common Questions About the Entra ID Health Check

Everything you need to know before booking your identity security audit.

What access do you need to my tenant?

We require read-only access to your Entra ID tenant via a Global Reader or Security Reader role. We never make changes during the audit. Access is scoped, time-bound, and revoked immediately after the engagement is complete. We provide step-by-step instructions for assigning and revoking the role.

How long does the health check take?

The audit itself takes 2 to 4 hours depending on tenant size and complexity. You receive the full report within 24 hours, followed by a 60-minute remediation walkthrough session scheduled at your convenience.

What do I receive at the end?

You receive four deliverables: an Executive Summary for leadership, a Detailed Findings Report with screenshots and evidence, a Prioritized Remediation Plan with step-by-step fix instructions organized by severity, and a recorded 60-minute review session your team can rewatch on demand.

Do you cover hybrid identity and Azure AD Connect?

Yes. We review Azure AD Connect (now Microsoft Entra Connect) sync health, password hash sync vs pass-through authentication, seamless SSO configuration, and hybrid join status as part of the User Accounts & Identity Hygiene audit category. We also flag common sync errors and attribute mismatches.

How much does it cost?

Pricing depends on tenant size and complexity. Book a free 30-minute discovery call to receive a custom quote. The Entra ID health check is also included free with our Priority and Partner retainer plans starting from $299 per month.

Can you fix the issues you find?

Absolutely. After the walkthrough, we can remediate findings directly under a separate remediation engagement or as part of an ongoing managed support retainer. Most clients choose a retainer plan for continuous coverage, so issues are prevented rather than just found.

Which Microsoft 365 license tier do I need?

The audit covers any Microsoft 365 license tier. However, some features we review need premium licensing: Conditional Access requires Entra ID P1 (included in Microsoft 365 Business Premium and E3), while PIM, Identity Protection risk policies, and Access Reviews require Entra ID P2. We flag unlicensed gaps in the report and advise on which license upgrades deliver the highest security ROI.

Does the report map findings to compliance frameworks?

Yes. Our audit maps findings to common compliance frameworks including HIPAA, PCI-DSS, GDPR, NIS2, and SOC 2. The report highlights which identity gaps create compliance risk, which controls are needed, and what your current posture means for your regulatory obligations.