1. Objective
This lab extends Entra ID identity analysis into identity drift and access evolution modelling using audit log telemetry.
The objective is to reconstruct how identity state changes over time through:
- group membership modifications
- administrative control-plane actions
- authentication-related identity context
- temporal sequencing of access changes
Rather than treating the directory as a fixed configuration captured in a static IAM snapshot, this analysis treats identity as an event-driven system whose state at any moment is the net result of an ordered sequence of changes.
2. Evidence Sources and Analysis Method
This investigation is based exclusively on exported Microsoft Entra ID audit logs (CSV format).
No SIEM, Sentinel workspace, or live directory interaction was used.
The analysis method focused on:
- filtering identity-related audit events
- identifying actor vs target relationships
- reconstructing chronological event sequences
- inferring access state transitions from group membership changes
Log Types Analysed
- Directory audit logs → identity and access modifications
- Group management events → RBAC and membership changes
- Authentication-related service events → MFA and identity verification context
3. Evidence Storage Structure
All supporting evidence is stored in structured form within the repository:
evidence/audit_logs.csv
This ensures full traceability of:
- identity modifications
- access control changes
- authentication-related system events
No external telemetry sources or monitoring tools were used.
4. Identity Environment
The lab operates within a Microsoft Entra ID tenant acting as the identity authority.
The dataset contains three primary identity contexts:
- Primary lab user identity: IAM test user account
- Administrative control identity: tenant-level administrator account
- Authentication identity context: external Microsoft live identity
A security group (IAM-Lab-Group) was used as the primary RBAC mechanism for access assignment.
5. Identity Lifecycle Evidence
Audit logs confirm multiple identity state transitions within the group-based RBAC model.
Key observed lifecycle events:
- removal of a user from IAM-Lab-Group
- re-addition of the same user to IAM-Lab-Group
- administrative actor responsible for both changes
Interpretation
These events demonstrate a non-linear identity lifecycle, where access is:
- revoked temporarily
- restored within a short timeframe
- fully dependent on group membership state
This reflects real-world IAM behaviour where access is not static, but continuously adjusted through administrative control actions.
6. Access Drift Analysis
Definition
Access drift is defined as:
The divergence between expected identity permissions and the actual evolving access state over time.
Observations
1. Group-based RBAC introduces cumulative behaviour
Each add or remove changes the user's effective permissions immediately, yet that permission set is never written to the user object; it exists only as the running result of every membership change applied so far.
2. Identity state is event-derived, not stored explicitly
Entra ID audit logs record deltas (a member was added, a member was removed), not current access snapshots, so the access state at any past point in time has to be replayed from the ordered events.
3. Administrative actions are the primary driver of drift
All observed access modifications originate from a privileged identity.
Security Interpretation
This introduces key IAM considerations:
- auditing group-based RBAC means replaying membership events to reconstruct the state that existed at a given moment, rather than reading it from a single record
- short-term access changes may not reflect final permissions
- identity drift can occur without explicit escalation events
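The method of section 2 and the lifecycle and drift findings of sections 5 and 6 come down to one procedure: filter the export to membership events, order them, replay them into a membership state per group, and compare that state with what was expected. The following Python is an added example and is not the lab's own code. It assumes the portal export carries the column names used below (Date (UTC), Activity, Result, ActorUserPrincipalName, Target1UserPrincipalName, Target1ModifiedProperties); the sample rows are constructed to mirror the remove/re-add sequence described above and are not taken from evidence/audit_logs.csv.

```python
"""
Replay IAM-Lab-Group membership from an exported Entra ID audit-log CSV and
measure access drift against an expected baseline.

Added example; not the lab's own code. Assumed: the export uses the portal
column names below. Sample rows are constructed, not from evidence/audit_logs.csv.
"""
import csv
import io
import json
from datetime import datetime, timezone

MEMBERSHIP_OPS = {"Add member to group": "add", "Remove member from group": "remove"}
GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder object id (assumed)


def _row(ts, activity, actor, target, group=None):
    """Build one export row. Entra stores each modifiedProperties newValue as a
    JSON-encoded string (nested quoting), so the parser below must unwrap it."""
    props = [] if group is None else [
        {"displayName": "Group.ObjectID", "oldValue": None, "newValue": json.dumps(GROUP_ID)},
        {"displayName": "Group.DisplayName", "oldValue": None, "newValue": json.dumps(group)},
    ]
    return {"Date (UTC)": ts, "Activity": activity, "Result": "success",
            "ActorUserPrincipalName": actor, "Target1UserPrincipalName": target,
            "Target1ModifiedProperties": json.dumps(props)}


# Constructed sample: initial add, unrelated noise, a removal and a re-add 32
# minutes later by the same administrator, and a change to a different group
# written out of chronological order (exports are not guaranteed to be sorted).
CONSTRUCTED_ROWS = [
    _row("2024-03-01T09:00:00Z", "Add member to group", "admin@lab.example", "iamtest@lab.example", "IAM-Lab-Group"),
    _row("2024-03-01T09:05:00Z", "Update user", "admin@lab.example", "iamtest@lab.example"),
    _row("2024-03-03T14:42:00Z", "Add member to group", "admin@lab.example", "iamtest@lab.example", "IAM-Lab-Group"),
    _row("2024-03-03T14:10:00Z", "Remove member from group", "admin@lab.example", "iamtest@lab.example", "IAM-Lab-Group"),
    _row("2024-03-02T08:00:00Z", "Add member to group", "admin@lab.example", "other@lab.example", "Other-Group"),
]


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _group_of(modified_properties_json):
    """Return Group.DisplayName from a target's modifiedProperties JSON, or None."""
    for prop in json.loads(modified_properties_json or "[]"):
        if prop.get("displayName") == "Group.DisplayName" and prop.get("newValue"):
            try:
                return json.loads(prop["newValue"])  # unwrap "\"IAM-Lab-Group\""
            except json.JSONDecodeError:
                return prop["newValue"]
    return None


def load_membership_events(csv_text):
    """Filter the export to successful add/remove events and sort them by time."""
    events = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        op = MEMBERSHIP_OPS.get(r["Activity"])
        if op is None or r.get("Result", "success") != "success":
            continue
        events.append({"ts": _parse_ts(r["Date (UTC)"]), "op": op,
                       "actor": r["ActorUserPrincipalName"],
                       "target": r["Target1UserPrincipalName"],
                       "group": _group_of(r.get("Target1ModifiedProperties"))})
    events.sort(key=lambda e: e["ts"])
    return events


def reconstruct_membership(events, group):
    """Replay events for one group into [(event, members_after)] snapshots.
    The log holds deltas only, so membership at any instant exists nowhere in
    the export until rebuilt this way. Membership before the first exported
    event is unknown and assumed empty."""
    members, timeline = set(), []
    for e in events:
        if e["group"] != group:
            continue
        (members.add if e["op"] == "add" else members.discard)(e["target"])
        timeline.append((e, frozenset(members)))
    return timeline


def drift_intervals(timeline, expected, until):
    """Windows where reconstructed membership diverged from the expected set,
    as (start, end, missing_members, unexpected_members)."""
    intervals, start, drifted = [], None, None
    for e, members in timeline:
        if members != expected and start is None:
            start, drifted = e["ts"], members
        elif members == expected and start is not None:
            intervals.append((start, e["ts"], expected - drifted, drifted - expected))
            start = None
    if start is not None:
        intervals.append((start, until, expected - drifted, drifted - expected))
    return intervals


if __name__ == "__main__":
    events = load_membership_events(rows_to_csv(CONSTRUCTED_ROWS))
    timeline = reconstruct_membership(events, "IAM-Lab-Group")
    for e, members in timeline:
        print(e["ts"].isoformat(), e["actor"], e["op"], e["target"], "->", sorted(members))
    for start, end, missing, extra in drift_intervals(timeline, frozenset({"iamtest@lab.example"}), events[-1]["ts"]):
        print(f"drift {start:%H:%M}-{end:%H:%M}: missing={sorted(missing)} extra={sorted(extra)}")
```

Two points follow from running this on a real export. The replay starts from an empty set, so a user added before the export window looks like a non-member until the first exported event for them; the baseline must come from the window start or from a separate membership snapshot. And because state is replayed per group, a user who appears in both a removal and a later re-add shows up as a drift interval bounded by those two events, which is exactly the lifecycle evidence in section 5.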
7. Authentication Context (Supporting Evidence Layer)
Although not central to this lab, authentication-related entries provide contextual identity validation signals (note that the directory audit export records the actor's IP address on each entry, while sign-in events themselves are a separate export in Entra ID):
- successful authentication events from user identity context
- multiple IP address changes across sessions
- consistent token-based authentication validation
Interpretation
Authentication behaviour indicates:
- normal session-based identity validation
- no evidence of authentication abuse
- separation between authentication identity and control-plane identity
8. IAM Governance Insights
At enterprise scale, this type of dataset would support:
- RBAC effectiveness monitoring
- identity lifecycle auditing
- group membership drift detection
- privileged access change tracking
- authentication context validation
9. Evidence Classification
High-confidence evidence:
- group membership changes
- administrative control actions
- identity lifecycle transitions
Medium-confidence inference:
- identity drift interpretation
- access state reconstruction logic
- behavioural access patterns
No indicators of compromise, privilege abuse, or anomalous authentication activity were identified.
10. Outcome
This lab demonstrates structured analysis of Entra ID identity behaviour, focusing on:
- event-driven identity lifecycle reconstruction
- RBAC-based access evolution
- group membership as the primary access control mechanism
- identity drift interpretation from audit telemetry
All conclusions are derived directly from raw Entra ID audit logs.
11. Detection Engineering Extension (Preview)
This dataset can be extended into detection engineering by modelling identity instability patterns.
Example Detection Hypothesis
Detect users experiencing repeated group membership changes within a short time window.
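Before wiring this hypothesis into Sentinel, it can be checked offline over the exported events. The following Python is an added example, not part of the lab, run over constructed events rather than evidence/audit_logs.csv. It implements the hypothesis two ways: with fixed hourly buckets, as a bin(TimeGenerated, 1h) grouping does, and with a sliding one-hour window, which is the form that catches a removal and re-add straddling an hour boundary.

```python
"""
Offline check of the detection hypothesis: a user whose group membership
changes repeatedly inside a short window. Added example, not the lab's code.
Input events are constructed, not drawn from evidence/audit_logs.csv.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MEMBERSHIP_OPS = ("Add member to group", "Remove member from group")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed: iamtest is removed at 14:50 and re-added at 15:05, i.e. across an
# hour boundary; other@ receives two changes a day apart (benign); one row is
# a non-membership operation that the detection must ignore.
CONSTRUCTED_EVENTS = [
    {"ts": "2024-03-03T14:50:00Z", "op": "Remove member from group", "actor": "admin@lab.example", "target": "iamtest@lab.example"},
    {"ts": "2024-03-03T15:05:00Z", "op": "Add member to group", "actor": "admin@lab.example", "target": "iamtest@lab.example"},
    {"ts": "2024-03-03T10:00:00Z", "op": "Add member to group", "actor": "admin@lab.example", "target": "other@lab.example"},
    {"ts": "2024-03-04T10:00:00Z", "op": "Remove member from group", "actor": "admin@lab.example", "target": "other@lab.example"},
    {"ts": "2024-03-03T15:00:00Z", "op": "Update user", "actor": "admin@lab.example", "target": "iamtest@lab.example"},
]


def _by_target(events):
    """Membership events only, grouped per target user and sorted by time."""
    grouped = defaultdict(list)
    for e in events:
        if e["op"] in MEMBERSHIP_OPS:
            grouped[e["target"]].append((_ts(e["ts"]), e))
    for items in grouped.values():
        items.sort(key=lambda x: x[0])
    return grouped


def fixed_bin_churn(events, bin_size=timedelta(hours=1), threshold=2):
    """Same grouping as a bin(TimeGenerated, 1h) summarize: count changes per
    (target, time bucket). Returns {target: max count in any bucket} for
    targets at or above threshold."""
    hits = {}
    for target, items in _by_target(events).items():
        buckets = defaultdict(int)
        for t, _ in items:
            epoch = t.timestamp()
            buckets[epoch - epoch % bin_size.total_seconds()] += 1
        worst = max(buckets.values())
        if worst >= threshold:
            hits[target] = worst
    return hits


def sliding_window_churn(events, window=timedelta(hours=1), threshold=2):
    """Sliding-window variant: for each target, the densest run of membership
    changes whose span is <= window. Catches the 14:50/15:05 pair that the
    fixed hourly bin splits across two buckets."""
    findings = []
    for target, items in _by_target(events).items():
        best, j = [], 0
        for i in range(len(items)):
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i > len(best):
                best = items[i:j]
        if len(best) >= threshold:
            ops = [e["op"] for _, e in best]
            findings.append({
                "target": target,
                "action_count": len(best),
                "actions": ops,
                "actors": sorted({e["actor"] for _, e in best}),
                "first_seen": best[0][0],
                "last_seen": best[-1][0],
                # a remove directly followed by an add is the revoke/restore
                # pattern observed in the lifecycle evidence
                "revoke_restore": any(a == "Remove member from group" and b == "Add member to group"
                                      for a, b in zip(ops, ops[1:])),
            })
    return findings


if __name__ == "__main__":
    print("fixed 1h bins  :", fixed_bin_churn(CONSTRUCTED_EVENTS))
    for f in sliding_window_churn(CONSTRUCTED_EVENTS):
        print("sliding window :", f["target"], f["action_count"], f["actions"], f["revoke_restore"])
```

On the constructed input the fixed-bin version returns nothing while the sliding-window version flags iamtest@lab.example with a remove followed by an add; widening the fixed bin to two hours makes the pair visible again, which is the usual trade-off when the Sentinel query is tuned. Grouping by target only (rather than by actor and target) also keeps the detection intact when two different administrators perform the removal and the re-add.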
Microsoft Sentinel KQL Prototype
AuditLogs
| where OperationName in ("Add member to group", "Remove member from group")
// InitiatedBy and TargetResources are dynamic columns; tostring() flattens the UPNs
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend Target = tostring(TargetResources[0].userPrincipalName)
// fixed 1h bins: two changes that straddle an hour boundary land in different buckets
| summarize ActionCount = count(), Actions = make_set(OperationName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Actor, Target, bin(TimeGenerated, 1h)
| where ActionCount > 1
| order by ActionCount desc
12. Portfolio Value Statement
This project demonstrates capability in:
- Microsoft Entra ID audit log interpretation
- RBAC and group-based access control analysis
- identity lifecycle reconstruction
- access drift reasoning
- foundational detection engineering concepts
It represents a transition from IAM analysis toward cloud detection engineering thinking, particularly in identity-centric environments.
Evidence Files
All supporting evidence is stored in: