Baseline Validation and Access Change Analysis
Focus: Identity validation, RBAC analysis, and drift comparison
Technology: Microsoft Entra ID, Microsoft Graph API, Graph Explorer
Domain: Identity and Access Management
Objective
This lab focuses on validating the current identity state in Microsoft Entra ID using Microsoft Graph and comparing it against a previously established event-driven identity snapshot from Lab 05.
The goals of this lab are to:
- Validate current user identity state
- Analyse group and role visibility under RBAC constraints
- Identify access boundaries and permission limitations
- Compare event-based and state-based identity models
- Build a structured identity baseline for future IAM investigations
Environment Overview
Component: Microsoft Entra ID
API Layer: Microsoft Graph API
Tooling: Microsoft Graph Explorer
Access Level: Standard user with least privilege
Data Sources: /me, /users, /memberOf, /organization
Identity Validation
The active identity was confirmed using Microsoft Graph.
Findings:
- Stable user object confirmed
- Persistent object ID observed
- Valid authentication context established
- Correct tenant association confirmed
User Identity Snapshot:
User: IAM Lab User 01
User Principal Name: iam-lab-user-01@ruialmeidadacunhagmail.onmicrosoft.com
Tenant Validation
The Entra ID tenant was verified using the organization endpoint.
Tenant Details:
- Tenant Type: Azure Active Directory (Entra ID)
- Display Name: Default Directory
- Domain: ruialmeidadacunhagmail.onmicrosoft.com
- Tenant ID: 2c0009ed-1f8d-41a1-9d6c-836d6fc700ab
This confirms:
- Correct directory context
- No cross tenant session conflict
- No Microsoft Account authentication interference
Group Membership Analysis
Group membership was partially visible using Microsoft Graph.
Findings:
- At least one group membership confirmed
- Group object ID is visible
- Group display name is restricted due to permissions
- Membership confirmed through memberOf endpoint
Interpretation:
- Access is controlled through group based RBAC
- Directory visibility is restricted under least privilege
- Identity exists within a controlled access boundary
Role and Privilege Visibility
Directory role query results returned an access denied response.
Findings:
- Directory roles are not accessible
- No privileged role visibility available
- No administrative role enumeration permissions
Interpretation:
- Standard user access level confirmed
- Least privilege model is enforced
- Privileged identity plane is restricted
Identity Drift Comparison Lab 05 versus Lab 06
Lab 05 was based on audit log analysis showing identity changes over time.
Lab 06 represents the current state of the identity using Microsoft Graph.
Lab 05 findings:
- Group membership removal observed
- Group membership re-addition observed
- Administrative identity performed changes
Lab 06 findings:
- Current group membership is stable
- No active identity drift detected
- No new access changes observed
Drift Summary:
- User identity drift: None
- Group membership drift: Historical only
- Role drift: None observed
- Access expansion: Not detected
Identity Model Architecture
Lab 05 represents the event-based identity model which captures changes over time through audit logs.
Lab 06 represents the state-based identity model which reflects current identity configuration.
Together these form a complete identity analysis structure:
Event Layer:
- Captures identity changes over time
- Based on audit logs
State Layer:
- Captures current identity configuration
- Based on Microsoft Graph API
Combined Model:
- Provides full identity behaviour visibility
- Enables drift and lifecycle analysis
Security Insights
Key findings from this lab:
- Identity operates under a dual model of event history and current state
- Access is group based and controlled through RBAC
- Directory role access is restricted for standard users
- Identity state is stable with no active drift
Governance Observations
- Group based RBAC is functioning as expected
- Audit logs provide historical visibility into access changes
- Current identity state reflects least privilege enforcement
- Directory visibility is intentionally restricted based on role
IAM Interpretation
This environment demonstrates a standard enterprise identity architecture.
Key characteristics:
- Identity is managed through groups
- Access is controlled through RBAC
- Visibility is constrained by permissions
- Identity state and identity history are separated
Key Takeaway
Microsoft Entra ID identity analysis requires correlation between event based audit logs and current state data from Microsoft Graph.
Neither dataset alone provides a complete understanding of identity behaviour.
Evidence
Outcome
This lab demonstrates:
- Microsoft Graph based identity validation
- RBAC constrained access analysis
- Identity drift comparison across event and state models
- Structured identity baseline creation
- Foundational IAM governance reasoning
Tags
Microsoft Entra ID
Identity and Access Management
Microsoft Graph API
RBAC
Identity Governance
Cloud Security
Detection Engineering Foundations