Microsoft Entra ID Identity Drift & Access Evolution Analysis (Evidence-Based IAM Lab)

1. Objective

This lab extends Microsoft Entra ID identity analysis by focusing on identity drift, access evolution, and event-driven state reconstruction using audit log telemetry.

The objective is to analyse how identity state changes over time through:

  • group membership modifications (RBAC changes)
  • administrative control-plane actions
  • authentication-related identity context signals
  • temporal sequencing of identity events

Unlike static IAM configuration analysis, this lab treats identity as an evolving system driven by discrete events rather than persistent state.


2. Evidence Sources and Analysis Method

This analysis is based exclusively on exported Microsoft Entra ID audit logs in CSV format.

No live portal interaction, endpoint telemetry, or SIEM integration was used.

The analysis was performed by:

  • filtering audit events by operation type and timestamp
  • identifying actor vs target relationships
  • reconstructing chronological sequences of identity changes
  • inferring access state transitions from group membership activity

Log Types Analysed

  • Entra ID Audit Logs → directory-level identity and access changes
  • Group management events → RBAC assignment modifications
  • Authentication-related service activity → MFA and identity verification context

3. Evidence Storage Structure

All supporting datasets are stored in a structured repository:

  • evidence/audit_logs.csv

This ensures full traceability and reproducibility of all conclusions derived in this analysis.

No external monitoring tools or SIEM correlation systems were used.


4. Identity Environment

The lab was conducted within a Microsoft Entra ID tenant acting as the identity authority for authentication and access control operations.

The dataset contains three primary identity contexts:

  • a primary lab identity used for authentication and RBAC testing
  • an administrative control identity responsible for directory modifications
  • an external authentication identity context associated with Microsoft live authentication

A security group (IAM-Lab-Group) was used as the primary RBAC mechanism for access control assignment.


5. Identity Lifecycle Evidence

Audit logs confirm multiple identity state transitions within the Entra ID directory.

Key observed lifecycle events:

  • removal of a user from IAM-Lab-Group
  • re-addition of the same user to IAM-Lab-Group
  • administrative identity acting as the sole modifier of group membership state

Interpretation

These events demonstrate that identity access state in Entra ID is:

  • dynamic rather than static
  • dependent on group membership at a given time
  • fully controlled through administrative actions

This introduces a non-linear identity lifecycle, where access can be temporarily revoked and later restored without identity recreation.


6. Access Drift Analysis

Definition

Access drift refers to:

the divergence between expected identity permissions and the actual evolving access state over time.


Observations

1. Group-based RBAC introduces state mutation

Identity permissions are not stored as fixed attributes but derived from group membership.

2. Identity state must be reconstructed from events

Audit logs reflect changes, not current effective permissions.

3. Administrative identity controls all access transitions

No self-modification of privileges is observed.


Security Interpretation

This creates key IAM considerations:

  • RBAC systems require continuous state reconstruction
  • short-term access changes may not reflect final privilege state
  • identity drift can occur without explicit escalation events

7. Authentication Evidence (Contextual Layer)

Authentication logs provide supporting identity context rather than being the primary focus of the analysis.

Observed authentication behaviour includes:

  • successful authentication events from user identity context
  • multiple session-based authentication interactions
  • consistent token-based validation across sessions

Interpretation

Authentication behaviour reflects:

  • standard identity verification lifecycle
  • separation between authentication identity and control-plane identity
  • no anomalous authentication patterns or abuse indicators

8. IAM Governance Considerations

At enterprise scale, similar telemetry would be used to evaluate:

  • RBAC consistency and effectiveness
  • identity lifecycle stability
  • group membership change frequency (drift indicators)
  • authentication behaviour patterns and session persistence
  • MFA satisfaction and token lifecycle behaviour
  • cross-tenant (B2B) identity interactions

These factors contribute to identity governance maturity and access control assurance in cloud environments.


9. Evidence Classification

High-confidence evidence:

  • group membership changes
  • administrative identity actions
  • directory-level identity modifications

Medium-confidence inference:

  • identity drift interpretation
  • access state reconstruction
  • behavioural access evolution patterns

No indicators of compromise, privilege escalation abuse, or malicious authentication activity were identified.


10. Outcome

This lab demonstrates structured analysis of Microsoft Entra ID identity behaviour, including:

  • event-driven identity lifecycle reconstruction
  • RBAC-based access evolution analysis
  • group membership as the primary access control mechanism
  • identity drift interpretation from audit telemetry

All conclusions are derived exclusively from raw Entra ID audit logs.


11. Detection Engineering Extension (Preview)

This dataset can be extended into detection engineering by modelling identity instability patterns as detectable behaviour.

Detection Hypothesis

Identify users experiencing repeated group membership changes within a defined time window.


Microsoft Sentinel KQL Prototype

  AuditLogs
  | where OperationName in ("Add member to group", "Remove member from group")
  | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
  | extend Target = tostring(TargetResources[0].userPrincipalName)
  | summarize
      ActionCount = count(),
      Actions = make_set(OperationName),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by Actor, Target, bin(TimeGenerated, 1h)
  | where ActionCount > 1
  | order by ActionCount desc

Detection Interpretation

This logic highlights:

  • RBAC instability patterns
  • repeated identity state transitions
  • potential misconfiguration or administrative churn
  • early signals for identity drift monitoring
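The event-driven reconstruction described in Sections 5 and 6 and the detection hypothesis above, as an added example that is not part of the original lab and does not read the lab's evidence/audit_logs.csv: it replays group membership events from a constructed CSV in timestamp order to recover effective membership at a chosen moment, measures drift against an expected-access baseline, and then applies the same per-actor, per-target, one-hour-bin churn logic as the KQL prototype. The CSV column names (timestamp, operation, actor, target, group), the sample rows, the tenant names and the min_actions threshold are assumptions made for the example.

```python
"""Event-driven reconstruction of Entra ID group membership plus churn detection.

Added example, not the lab's own code. The CSV schema and rows below are
constructed for illustration; adapt the column names to the real export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export (assumed column names, not the real Entra schema).
SAMPLE_CSV = """\
timestamp,operation,actor,target,group
2024-03-01T09:00:00Z,Add member to group,admin@lab.example,user1@lab.example,IAM-Lab-Group
2024-03-01T09:20:00Z,Remove member from group,admin@lab.example,user1@lab.example,IAM-Lab-Group
2024-03-01T09:45:00Z,Add member to group,admin@lab.example,user1@lab.example,IAM-Lab-Group
2024-03-01T11:00:00Z,Add member to group,admin@lab.example,user2@lab.example,IAM-Lab-Group
2024-03-02T08:00:00Z,Remove member from group,admin@lab.example,user2@lab.example,IAM-Lab-Group
"""

ADD = "Add member to group"
REMOVE = "Remove member from group"


def parse_ts(value):
    """Accept an ISO-8601 'Z' string or a datetime; return an aware UTC datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse the CSV export into membership events sorted chronologically."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["operation"] not in (ADD, REMOVE):
            continue  # other directory activity is not a membership transition
        row["ts"] = parse_ts(row["timestamp"])
        events.append(row)
    events.sort(key=lambda e: e["ts"])  # replay only makes sense in time order
    return events


def membership_at(events, when):
    """Replay events up to and including 'when'; return {group: set(members)}."""
    when = parse_ts(when)
    state = defaultdict(set)
    for e in events:
        if e["ts"] > when:
            break
        if e["operation"] == ADD:
            state[e["group"]].add(e["target"])
        else:
            state[e["group"]].discard(e["target"])
    return {group: set(members) for group, members in state.items()}


def access_drift(events, when, expected):
    """Compare reconstructed membership with an expected {group: set} baseline.

    For each group return members present but not expected ('unexpected') and
    expected but absent ('missing'); both empty means no drift at that instant.
    """
    actual = membership_at(events, when)
    drift = {}
    for group in set(expected) | set(actual):
        have = actual.get(group, set())
        want = expected.get(group, set())
        drift[group] = {"unexpected": sorted(have - want), "missing": sorted(want - have)}
    return drift


def membership_churn(events, min_actions=2):
    """Mirror the KQL prototype: bucket changes by (actor, target, hour bin)
    and return the buckets whose action count reaches min_actions (assumed threshold)."""
    bins = defaultdict(list)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)  # bin(TimeGenerated, 1h)
        bins[(e["actor"], e["target"], hour)].append(e["operation"])
    return {key: ops for key, ops in bins.items() if len(ops) >= min_actions}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_CSV)
    baseline = {"IAM-Lab-Group": {"user1@lab.example", "user2@lab.example"}}
    print("membership at 09:30:", membership_at(ev, "2024-03-01T09:30:00Z"))
    print("drift at end of log:", access_drift(ev, "2024-03-03T00:00:00Z", baseline))
    for (actor, target, hour), ops in membership_churn(ev).items():
        print(f"churn: {actor} -> {target} in bin {hour.isoformat()}: {ops}")
```

The reconstruction treats the audit log as the only source of truth, so a member removed and re-added inside the same hour shows as no drift at the end of the window yet still trips the churn detector; that is the distinction between effective permission state and RBAC instability drawn in Section 6.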

12. Portfolio Value Statement

This project demonstrates capability in:

  • Microsoft Entra ID audit log interpretation
  • RBAC and group-based access control analysis
  • identity lifecycle reconstruction
  • access drift reasoning
  • foundational detection engineering thinking

It represents a transition from IAM analysis toward identity-focused detection engineering, where identity behaviour is treated as a measurable and queryable signal.


Evidence Files

All supporting evidence is stored in the repository under: