Baseline Validation and Access Change Analysis (Graph API + RBAC Interpretation)
In this lab, I focused on validating identity state within Microsoft Entra ID using Microsoft Graph and comparing it against a previously established identity snapshot derived from audit log analysis (Lab 05).
The objective was to bridge event-based identity analysis with state-based identity validation, reflecting how identity is actually managed in enterprise Entra ID environments.
1. Objective
The primary goal of this lab was to:
- Validate current Entra ID identity state using Microsoft Graph
- Analyse user, group, and role visibility within a constrained RBAC context
- Identify access boundaries and privilege limitations
- Compare current state against historical identity drift patterns (Lab 05)
- Build a structured identity baseline for future IAM investigations
This lab builds directly on prior work involving authentication analysis, RBAC interpretation, and identity drift reconstruction.
2. Environment and Tools
This lab was conducted using:
- Microsoft Entra ID (Azure AD tenant)
- Microsoft Graph Explorer
- Microsoft Graph API (/users, /me, /memberOf, /organization)
- Audit log-based identity snapshot from Lab 05
The environment was intentionally operated under standard user RBAC constraints, without directory-wide administrative privileges.
This allowed realistic observation of least-privilege behaviour in Entra ID.
3. Key Findings — Identity State Validation
3.1 User Identity Confirmation
The current authenticated identity was validated using /me, confirming:
- Stable user object
- Persistent object ID
- Valid Entra ID authentication context
This confirmed that Graph authentication was correctly bound to the intended tenant and user context.
3.2 Tenant Validation
The tenant was confirmed via /organization, ensuring:
- Correct Entra ID directory context
- Valid tenant ID alignment
- No cross-tenant or MSA (Microsoft Account) interference
This step was critical in eliminating earlier authentication ambiguity.
3.3 Group Membership Visibility
Group membership was partially visible using /me/memberOf.
Key observations:
- At least one group membership confirmed
- Group metadata partially restricted (display name not returned)
- Group object ID accessible, but the group object itself not fully readable
This indicates RBAC-restricted directory visibility, where membership exists but descriptive metadata is hidden.
3.4 Role and Directory Access Restrictions
Attempts to query directory roles using /directoryRoles resulted in Authorization_RequestDenied errors.
This confirmed:
- No directory role enumeration permissions
- No privileged role visibility
- Standard user-level Entra ID access model
4. Identity Drift Comparison (Lab 05 vs Lab 06)
Lab 05 provided an audit-log-based view of identity lifecycle events, including:
- Group membership removal events
- Group re-addition events
- Administrative identity-driven access changes
Lab 06 provides the current state snapshot of that same identity.
Key comparison outcome:
- No active identity drift detected in current state
- Historical group membership volatility exists in audit logs
- Current identity state is stable and consistent
- No evidence of privilege escalation or access expansion
This highlights a key IAM principle:
Identity drift is only visible when combining event logs with current state data.
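Worked example, added here and not part of the original lab or its GitHub repository, that ties sections 3 and 4 together in code: it reads constructed, Graph-shaped responses for /me, /organization, /me/memberOf and /directoryRoles, tolerates the RBAC-withheld group metadata and the Authorization_RequestDenied response described above, replays a constructed Lab 05 style audit event list, and reports where the event-based and state-based views disagree. The GUIDs, the UPN and the audit event record shape are assumptions; the activity names "Add member to group" and "Remove member from group" are the Entra ID audit log activity display names for group membership changes.

```python
"""Reconcile a state-based Graph snapshot (Lab 06) with an event-based audit
snapshot (Lab 05). Every response below is a CONSTRUCTED sample shaped like
Microsoft Graph JSON; GUIDs and the UPN are placeholders, not tenant data."""
from collections import Counter

# Entra ID audit log activity display names for group membership changes
ADD = "Add member to group"
REMOVE = "Remove member from group"

USER_ID = "11111111-1111-1111-1111-111111111111"    # placeholder object ID
TENANT_ID = "22222222-2222-2222-2222-222222222222"  # placeholder tenant ID
GROUP_ID = "33333333-3333-3333-3333-333333333333"   # placeholder group ID

# Constructed state-based data: what /me, /organization, /me/memberOf and
# /directoryRoles return to a standard (non-admin) user context.
ME = {"id": USER_ID, "userPrincipalName": "analyst@contoso.example"}
ORG = {"value": [{"id": TENANT_ID,
                  "verifiedDomains": [{"name": "contoso.example"}]}]}
MEMBER_OF = {"value": [
    # membership is visible, but RBAC withholds the descriptive metadata
    {"@odata.type": "#microsoft.graph.group", "id": GROUP_ID,
     "displayName": None},
]}
DIRECTORY_ROLES = {"error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation."}}

# Constructed event-based data: a Lab 05 style audit trail, oldest first.
AUDIT_EVENTS = [
    {"activity": REMOVE, "group_id": GROUP_ID, "target": USER_ID},
    {"activity": ADD, "group_id": GROUP_ID, "target": USER_ID},
]


def validate_tenant_context(me, org):
    """Bind /me to /organization: a UPN whose domain is one of the tenant's
    verified domains rules out an MSA or cross-tenant token context."""
    org_obj = org["value"][0]
    verified = {d["name"].lower() for d in org_obj.get("verifiedDomains", [])}
    upn_domain = me["userPrincipalName"].rsplit("@", 1)[-1].lower()
    return {"object_id": me["id"], "tenant_id": org_obj["id"],
            "upn_domain_verified": upn_domain in verified}


def current_groups(member_of):
    """Map group object ID -> displayName (None when RBAC hides it).
    /me/memberOf can also return directoryRole objects, so filter by type."""
    return {o["id"]: o.get("displayName")
            for o in member_of.get("value", [])
            if o.get("@odata.type") == "#microsoft.graph.group"}


def role_visibility(resp):
    """Classify a /directoryRoles response as granted / denied / error."""
    err = resp.get("error")
    if err is None:
        return "granted", [r["id"] for r in resp.get("value", [])]
    if err.get("code") == "Authorization_RequestDenied":
        return "denied", []
    return "error", []


def replay_membership(events, user_id):
    """Last recorded action per group for this user, plus change counts
    (a group touched more than once in the window is 'volatile')."""
    last, changes = {}, Counter()
    for e in events:
        if e.get("target") != user_id:
            continue
        last[e["group_id"]] = e["activity"]
        changes[e["group_id"]] += 1
    return last, changes


def compare_snapshots(state, events, user_id):
    """Drift is a disagreement between the audit trail's last word on a
    group and the live state. Groups never touched in the audit window are
    not drift: their membership simply predates the window."""
    last, changes = replay_membership(events, user_id)
    present = set(state)
    added_but_absent = sorted(g for g, a in last.items()
                              if a == ADD and g not in present)
    removed_but_present = sorted(g for g, a in last.items()
                                 if a == REMOVE and g in present)
    return {
        "added_but_absent": added_but_absent,
        "removed_but_present": removed_but_present,
        "volatile_groups": sorted(g for g, n in changes.items() if n > 1),
        "metadata_restricted": sorted(g for g, n in state.items() if n is None),
        "drift": bool(added_but_absent or removed_but_present),
    }


if __name__ == "__main__":
    import json
    baseline = {"context": validate_tenant_context(ME, ORG),
                "role_enumeration": role_visibility(DIRECTORY_ROLES)[0],
                "comparison": compare_snapshots(current_groups(MEMBER_OF),
                                                AUDIT_EVENTS, USER_ID)}
    print(json.dumps(baseline, indent=2))
```

With the constructed data the comparison reports no drift (the last audit event re-added the user to the group, and the live state still shows that membership), while flagging the group as volatile and as metadata-restricted, which is exactly the pattern the lab describes. Appending one more removal event to the trail without a matching change in state flips the drift flag, which is the case an analyst would escalate.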
5. Identity Model Interpretation
This lab demonstrates two complementary identity views in Microsoft Entra ID:
Event-Based Model (Lab 05)
- Captures identity changes over time
- Shows group membership modifications
- Enables drift and lifecycle reconstruction
State-Based Model (Lab 06)
- Shows current identity configuration
- Enforces RBAC-based visibility restrictions
- Represents “current truth” of access
Together, these form a complete identity analysis model used in enterprise IAM operations.
6. Security and IAM Observations
From an identity governance perspective, the following observations were made:
- Identity operates under least-privilege RBAC enforcement
- Group-based access control is present and functional
- No privileged role exposure is available to the user context
- Historical access changes do not indicate ongoing drift
- Directory visibility is intentionally restricted based on permissions
This reflects a standard Entra ID security posture in enterprise environments.
7. Operational IAM Interpretation
From an IAM analyst perspective, this environment demonstrates:
- Stable identity lifecycle (no joiner/mover/leaver events in current state)
- Group-based access control model
- Restricted role visibility aligned with least privilege
- Separation between historical event data and current state representation
No security anomalies or privilege escalation patterns were observed.
8. Key Learning Outcome
This lab reinforces an important IAM principle:
Microsoft Entra ID identity analysis requires correlation between event-based audit logs and state-based Graph API data.
Neither model alone provides a complete view of identity behaviour.
9. Conclusion
This lab successfully demonstrates:
- Microsoft Graph-based identity validation
- RBAC-constrained directory visibility analysis
- Cross-lab identity drift comparison (event vs state)
- Structured IAM baseline construction
- Foundational identity governance interpretation
It represents a progression from identity interrogation toward identity engineering analysis, where identity is treated as both a real-time state system and an event-driven lifecycle model.
Evidence is available in the GitHub repository and includes Microsoft Graph API outputs validating identity state, tenant configuration, group membership visibility, and RBAC-enforced access restrictions. This includes /me identity confirmation, /organization tenant validation, /memberOf group membership results, and directory role access denial responses. All evidence supports the comparison between current state-based identity (Lab 06) and historical event-driven identity drift analysis (Lab 05).
Tags
Microsoft Entra ID · IAM · Graph API · Identity Governance · RBAC · Cloud Security · Detection Engineering Foundations