eG Monitoring
Measures reported by AzrADUserTest

Users are members of the Azure AD organization who are allowed access to apps/resources either directly or via AD groups. Since Azure AD resides on the cloud, tenants are vulnerable to ransomware attacks, password spraying, brute force attacks, etc. As an administrator, it is important for you to know which user accounts may pose a security threat. For instance, administrators should be able to determine which users are actively accessing the resources and which users are not. It is prudent to remove the inactive users to pre-empt the risk of attacks.

Like inactive/disabled users, unlicensed users should also be promptly captured. Since such users are not ‘authorized’ or licensed to access any Azure service, you may want to think about why you need these user accounts in Azure AD. It would be wise to remove unlicensed user accounts that are unlikely to be licensed in the near future.

From a security standpoint once again, administrators must know which user accounts are allowed to set ‘weak’ passwords and subject them to additional scrutiny. It is recommended that you encourage users to set ‘strong’ passwords, instead of ‘weak’ ones.

Users who have not signed in since their accounts were created in Azure AD should also be pulled up, as such ‘stale’ accounts are a security vulnerability and are often prone to misuse.

In the real world, an Azure AD organization may support hundreds of users with varying access rights. It will therefore take hours, even days, for an administrator to manually audit user accounts and capture pain points like the ones highlighted above. For quick and prompt identification of problematic user accounts, administrators can periodically run the AzrADUserTest.

This test monitors the user accounts managed by Azure AD, and reports the following:

  • The count and names of inactive/disabled users;

  • The number and names of users who are allowed to set weak passwords;

  • The count and details of unlicensed users;

  • How many users have not signed in since account creation, and who they are.

These insights draw administrator attention to user accounts that may potentially become a security hole. Even if they do not pose any security risks, administrators may still want to identify the user accounts mentioned above, so they can remove them in an effort to declutter the AD organization.

Outputs of the test: One set of results for the Azure Active Directory tenant being monitored

The measures made by this test are as follows (each entry lists the measurement, its description, its unit and how to interpret it):

Measurement: Total_users
Description: Indicates the total number of users managed by Azure AD.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which users are managed by Azure AD.

Measurement: Enabled_account
Description: Indicates the number of enabled users, i.e. users who can actively access Azure resources.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know who the active/enabled users are.

Measurement: Disable_account
Description: Indicates the number of disabled/inactive users on Azure AD.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which users are inactive. Users who have been inactive for a long time can be removed.

Measurement: Registered_users
Description: Indicates the number of users who are registered with Azure AD.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which users are registered.

Measurement: Guest_users
Description: Indicates the number of guest users on Azure AD.
Unit: Number
Interpretation: You can invite anyone to collaborate with your organization by adding them to your directory as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users can sign in with their own work, school, or social identities. To prevent the misuse of guest user credentials, you may want to periodically check the count and names of guest users. To know who the guest users are, use the detailed diagnosis of this measure.

Measurement: Other_users
Description: Indicates the number of users on Azure AD who cannot be classified as active / inactive / registered / guest users.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know who the ‘other’ users are.

Measurement: Weak_pwd_allowed
Description: Indicates the number of users who are allowed to use weak passwords.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which users are allowed to use weak passwords. You may want to urge such users to set strong passwords instead, to address the security risk that this may pose.

Measurement: Password_not_expired
Description: Indicates the number of users who are configured with passwords that will never expire.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which users are configured with passwords that will never expire.

Measurement: Cloud_only_users
Description: Indicates the number of users whose identities are maintained only in the cloud.
Unit: Number
Interpretation: In the cloud-only identity model, a user account exists only in the Azure AD tenant for your Microsoft 365 subscription. The Azure AD tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account. To know which users' identities are authenticated by Azure AD, use the detailed diagnosis of this measure.

Measurement: Synced_users
Description: Indicates the number of users whose identities are maintained by on-premises Active Directory Domain Services (AD DS).
Unit: Number
Interpretation: In the hybrid identity model, a user account exists in an on-premises AD DS and a copy is also in the Azure AD tenant for your Microsoft 365 subscription. The identities that exist in an on-premises Active Directory are synchronized to Azure AD using a directory sync tool called “Azure AD Connect”. Use the detailed diagnosis of this measure to know who the synced / on-premises users are.

Measurement: Licensed_users
Description: Indicates the number of licensed users in Azure AD.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know who the licensed users are, and what their service plans are.

Measurement: Unlicensed_users
Description: Indicates the number of unlicensed users in Azure AD.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know who the unlicensed users are.

Measurement: Users_in_member
Description: Indicates the number of users who are direct members of one or more groups and directory roles.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know who the member users are.

Measurement: Users_not_in_member
Description: Indicates the number of users who are not direct members of any group or directory role.
Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know who the non-member users are.
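The following is an added example, not code from eG or from the AzrADUserTest itself, showing how the user classifications listed in the bullets above and in the measure table can be derived from the attributes Microsoft Graph exposes on a user object (accountEnabled, userType, onPremisesSyncEnabled, passwordPolicies, assignedLicenses and signInActivity.lastSignInDateTime). The tenant records below are constructed for the example; in a real run they would come from a Graph query. The measure names reused here are the ones from the table; Never_signed_in is a name chosen for this example because the page describes that measure without naming it. How eG itself defines Registered_users and Other_users is not stated on the page, so those two are not computed.

```python
"""Derive AzrADUserTest-style user measures from Microsoft Graph user records.

Added example (not eG's code). Field names follow the Microsoft Graph `user`
resource; the sample tenant is constructed for illustration.
"""

# Constructed sample records shaped like entries of a Graph /users response.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "userType": "Member", "onPremisesSyncEnabled": True,
     "passwordPolicies": None,
     "assignedLicenses": [{"skuId": "constructed-sku-1"}],
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "userType": "Member", "onPremisesSyncEnabled": None,
     "passwordPolicies": "DisablePasswordExpiration",
     "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": None}},
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "userType": "Member", "onPremisesSyncEnabled": None,
     "passwordPolicies": "DisableStrongPassword, DisablePasswordExpiration",
     "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": None}},
    {"userPrincipalName": "partner_ext#EXT#@contoso.example", "accountEnabled": True,
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "passwordPolicies": None,
     "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": "2024-04-20T12:00:00Z"}},
]

# Measure names from the table above, plus Never_signed_in (named here).
MEASURES = [
    "Total_users", "Enabled_account", "Disable_account", "Guest_users",
    "Cloud_only_users", "Synced_users", "Weak_pwd_allowed",
    "Password_not_expired", "Licensed_users", "Unlicensed_users",
    "Never_signed_in",
]


def has_policy(user, policy):
    """True if `policy` appears in the comma-separated passwordPolicies string."""
    policies = user.get("passwordPolicies") or ""
    return policy in {p.strip() for p in policies.split(",")}


def classify(users):
    """Return measure name -> list of UPNs (the 'detailed diagnosis' view)."""
    m = {name: [] for name in MEASURES}
    for u in users:
        upn = u["userPrincipalName"]
        m["Total_users"].append(upn)
        # Enabled vs. disabled accounts come straight from accountEnabled.
        (m["Enabled_account"] if u.get("accountEnabled") else m["Disable_account"]).append(upn)
        if u.get("userType") == "Guest":
            m["Guest_users"].append(upn)
        # onPremisesSyncEnabled is True for accounts mastered in on-prem AD DS.
        (m["Synced_users"] if u.get("onPremisesSyncEnabled") else m["Cloud_only_users"]).append(upn)
        # DisableStrongPassword relaxes the tenant password policy for this user.
        if has_policy(u, "DisableStrongPassword"):
            m["Weak_pwd_allowed"].append(upn)
        if has_policy(u, "DisablePasswordExpiration"):
            m["Password_not_expired"].append(upn)
        (m["Licensed_users"] if u.get("assignedLicenses") else m["Unlicensed_users"]).append(upn)
        # signInActivity is absent or null when the account has never signed in.
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            m["Never_signed_in"].append(upn)
    return m


def counts(users):
    """Return measure name -> count (the numeric measure values)."""
    return {name: len(upns) for name, upns in classify(users).items()}


if __name__ == "__main__":
    for name, n in counts(SAMPLE_USERS).items():
        print(f"{name}: {n}")
    # Accounts that are both unlicensed and have never signed in are the
    # stale-account candidates the text suggests reviewing first.
    groups = classify(SAMPLE_USERS)
    stale = sorted(set(groups["Unlicensed_users"]) & set(groups["Never_signed_in"]))
    print("review candidates:", stale)
```

Reading signInActivity from Graph requires the AuditLog.Read.All permission and an Azure AD Premium licence on the tenant; without it the field is simply absent, which this code would misreport as "never signed in", so check that the attribute was actually returned before acting on that measure.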