How to use Microsoft Entra Recommendations
The Microsoft Entra recommendations feature provides you with personalized insights with actionable guidance to:
- Help you identify opportunities to implement best practices for Microsoft Entra related features.
- Improve the state of your Microsoft Entra tenant.
- Optimize the configurations for your scenarios.
This article covers how to work with Microsoft Entra recommendations. Each Microsoft Entra recommendation contains similar details such as a description, the value of addressing the recommendation, and the steps to address the recommendation. Microsoft Graph API guidance is also provided in this article.
Prerequisites
There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. For a full list of roles, see Least privileged roles by task.
Microsoft Entra role | Access type |
---|---|
Reports Reader | Read-only |
Security Reader | Read-only |
Global Reader | Read-only |
Authentication Policy Administrator | Update and read |
Exchange Administrator | Update and read |
Security Administrator | Update and read |
DirectoryRecommendations.Read.All |
Read-only in Microsoft Graph |
DirectoryRecommendations.ReadWrite.All |
Update and read in Microsoft Graph |
Some recommendations might require a P2 or other license. For more information, see Recommendation availability and license requirements.
How to read a recommendation
Most recommendations follow the same pattern. You're provided information about how the recommendation works, its value, and some action steps to address the recommendation. This section provides an overview of the details provided in a recommendation, but aren't specific to one recommendation.
Sign in to the Microsoft Entra admin center as at least a Reports Reader.
Browse to Identity > Overview > Recommendations.
Select a recommendation from the list.
Each recommendation provides the same set of details that explain what the recommendation is, why it's important, and how to fix it. The recommendation service runs every 24-48 hours, depending on the recommendation.
Status
The Status of a recommendation can be active, completed, dismissed, or postponed. The recommendation service automatically marks a recommendation as completed when all impacted resources are addressed.
- Active: The recommendation has resources that need to be addressed. A dismissed, postponed, or completed recommendation can be manually changed back to active.
- Completed: All resources in the recommendation have been addressed. The status is updated automatically by the system when all resources are addressed according to the action plan.
- Dismissed: If the recommendation is irrelevant or the data is wrong, you can dismiss the recommendation. You must provide a reason for dismissing the recommendation.
- Postponed: If you want to address the recommendation at a later time, you can postpone it. The recommendation becomes active when the selected date occurs. You can postpone a recommendation for up to a year.
Priority
The Priority of a recommendation could be low, medium, or high. These values are determined by several factors, such as security implications, health concerns, or potential breaking changes.
- High: Must do. Not acting will result in severe security implications or potential downtime.
- Medium: Should do. No severe risk if action isn't taken.
- Low: Might do. No security risks or health concerns if action isn't taken.
Recommendation details
The Status description tells you the date the recommendation status changed.
The recommendation's Value is an explanation of why completing the recommendation benefits your organization and the value of the associated feature.
The Action plan provides step-by-step instructions to implement a recommendation. The Action plan might include links to relevant documentation or direct you to other pages in the Azure portal.
Some recommendations might include a User impact that describes the user experience when the recommendation is addressed.
Impacted resources
The Impacted resources for a recommendation could be applications, users, or your full tenant. If the impacted resource is at the tenant level, you might need to make a global change.
The Impacted resources table contains a list of resources identified by the recommendation. The resource's name, ID, date it was first detected, and status are provided. The resource could be an application or resource service principal, for example.
- Not all recommendations populate the impacted resources table. For example, the "Remove unused applications" recommendation lists all applications that were identified by the recommendation service. Tenant-level recommendations, however, won't have any resources listed in the table.
- In the Microsoft Entra admin enter, the impacted resources are limited to a maximum of 50 resources. To view all impacted resources for a recommendation, use the following Microsoft Graph API request:
GET /directory/recommendations/{recommendationId}/impactedResources
How to update a recommendation
You can update the status of a recommendation or a related resource in the Microsoft Entra admin center or using Microsoft Graph.
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Reports Reader.
Browse to Identity > Overview > Recommendations.
Select a recommendation from the list.
Review the Action plan.
If applicable, select more details for a specific resource in the Impacted resources table to view the resource's details.
The recommendation service automatically marks the recommendation as complete, but if you need to manually change the status of a recommendation, select Mark as from the top of the page and select a status.
- Mark a recommendation as Dismissed if you think the recommendation is irrelevant or the data is wrong.
- In the panel that opens, select a dismissed reason so we can improve the service.
- Mark a recommendation as Postponed if you want to address the recommendation at a later time.
- In the panel that opens, select a date within the next year to postpone the recommendation.
- The recommendation becomes active when the selected date occurs.
- Mark a dismissed, postponed, or completed recommendation as Active to reassess the resources and resolve the issue.
- Recommendations change to Completed when all impacted resources were addressed.
- If the service identifies an active resource for a completed recommendation the next time the service runs, the recommendation automatically changes back to Active.
- Completing a recommendation is the only action collected in the audit log. To view these logs, go to Microsoft Entra ID > Audit logs and filter the service to "Microsoft Entra recommendations."
- Mark a recommendation as Dismissed if you think the recommendation is irrelevant or the data is wrong.
Continue to monitor the recommendations in your tenant for changes.