What is Azure Active Directory recommendations?
Keeping track of all the settings and resources in your tenant can be overwhelming. The Azure Active Directory (Azure AD) recommendations feature helps monitor the status of your tenant so you don't have to. Azure AD recommendations helps ensure your tenant is in a secure and healthy state while also helping you maximize the value of the features available in Azure AD.
The Azure AD recommendations feature provides you with personalized insights with actionable guidance to:
- Help you identify opportunities to implement best practices for Azure AD-related features.
- Improve the state of your Azure AD tenant.
- Optimize the configurations for your scenarios.
This article gives you an overview of how you can use Azure AD recommendations. As an administrator, you should review your tenant's recommendations, and their associated resources periodically.
What it is
Azure AD recommendations is the Azure AD specific implementation of Azure Advisor, which is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. Azure Advisor analyzes your resource configuration and usage data to recommend solutions that can help you improve the cost effectiveness, performance, reliability, and security of your Azure resources.
Azure AD recommendations uses similar data to support you with the roll-out and management of Microsoft's best practices for Azure AD tenants to keep your tenant in a secure and healthy state. Azure AD recommendations provide a holistic view into your tenant's security, health, and usage.
How it works
On a daily basis, Azure AD analyzes the configuration of your tenant. During this analysis, Azure AD compares the data of a recommendation with the actual configuration of your tenant. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the Recommendations section of the Azure AD Overview area. Recommendations are listed in order of priority so you can quickly determine where to focus first.
Recommendations contain a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, so you can resolve each affected area. If a recommendation doesn't have any associated resources, the impacted resource type is Tenant level. so your step-by-step action plan impacts the entire tenant and not just a specific resource.
Each recommendation provides the same set of details that explain what the recommendation is, why it's important, and how to fix it.
The Status of a recommendation can be updated manually or automatically. If all resources are addressed according to the action plan, the status will automatically change to Completed the next time the recommendations service runs. The recommendation service runs every 24-48 hours, depending on the recommendation.
The Priority of a recommendation could be low, medium, or high. These values are determined by several factors, such as security implications, health concerns, or potential breaking changes.
- High: Must do. Not acting will result in severe security implications or potential downtime.
- Medium: Should do. No severe risk if action isn't taken.
- Low: Might do. No security risks or health concerns if action isn't taken.
The Impacted resources for a recommendation could be things like applications or users. This detail gives you an idea of what type of resources you'll need to address. The impacted resource could also be at the tenant level, so you may need to make a global change.
The Status description tells you the date the recommendation status changed and if it was changed by the system or a user.
The recommendation's Value is an explanation of why completing the recommendation will benefit you, and the value of the associated feature.
The Action plan provides step-by-step instructions to implement a recommendation. May include links to relevant documentation or direct you to other pages in the Azure AD portal.
Roles and licenses
The following roles provide read-only access to recommendations:
- Reports Reader
- Security Reader
- Global Reader
The following roles provide update and read-only access to recommendations:
- Global Administrator
- Security Administrator
- Security Operator
- Cloud apps Administrator
- Apps Administrator
Azure AD recommendations is automatically enabled. If you'd like to disable this feature, go to Azure AD > Preview features. Locate the Recommendations feature, and change the State.
Azure AD only displays the recommendations that apply to your tenant, so you may not see all supported recommendations listed. Some recommendations are available in all tenants, regardless of the license type, but others require the Workload Identities premium license.
Recommendations available for all Azure AD tenants
The recommendations listed in the following table are available to all Azure AD tenants. The table provides the impacted resources and links to available documentation.
|Convert per-user MFA to Conditional Access MFA||Users||Generally available|
|Migrate applications from AD FS to Azure AD||Users||Generally available|
|Migrate to Microsoft Authenticator||Users||Preview|
|Minimize MFA prompts from known devices||Users||Generally available|
Recommendations available for Workload Identities premium licenses
The recommendations listed in the following table are available to Azure AD tenants with a Workload Identities premium license.
|Remove unused applications||Applications||Preview|
|Remove unused credentials from applications||Applications||Preview|
|Renew expiring application credentials||Applications||Preview|
|Renew expiring service principal credentials||Applications||Preview|
How to use Azure AD recommendations
Go to Azure AD > Recommendations.
Select a recommendation from the list to view the details, status, and action plan.
Follow the Action plan.
If applicable, right-click on a resource in a recommendation, select Mark as, then select a status.
If you need to manually change the status of a recommendation, select Mark as from the top of the page and select a status.
- Mark a recommendation as Completed if all impacted resources have been addressed.
- Active resources may still appear in the list of resources for manually completed recommendations. If the resource is completed, the service will update the status the next time the service runs.
- If the service identifies an active resource for a manually completed recommendation the next time the service runs, the recommendation will automatically change back to Active.
- Completing a recommendation is the only action collected in the audit log. To view these logs, go to Azure AD > Audit logs and filter the service to "Azure AD recommendations."
- Mark a recommendation as Dismissed if you think the recommendation is irrelevant or the data is wrong.
- Azure AD will ask for a reason why you dismissed the recommendation so we can improve the service.
- Mark a recommendation as Postponed if you want to address the recommendation at a later time.
- The recommendation will become Active when the selected date occurs.
- You can reactivate a completed or postponed recommendation to keep it top of mind and reassess the resources.
- Mark a recommendation as Completed if all impacted resources have been addressed.
Continue to monitor the recommendations in your tenant for changes.
Use Microsoft Graph with Azure Active Directory recommendations
Azure Active Directory recommendations can be viewed and managed using Microsoft Graph on the
/beta endpoint. You can view recommendations along with their impacted resources, mark a recommendation as completed by a user, postpone a recommendation for later, and more.
To get started, follow these instructions to work with recommendations using Microsoft Graph in Graph Explorer. The example uses the Migrate apps from Active Directory Federated Services (ADFS) to Azure AD recommendation.
Sign in to Graph Explorer.
Select GET as the HTTP method from the dropdown.
Set the API version to beta.
Add the following query to retrieve recommendations, then select the Run query button.
To view the details of a specific
recommendationType, use the following API. This example retrieves the detail of the "Migrate apps from AD FS to Azure AD" recommendation.
GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'
To view the impacted resources for a specific recommendation, expand the
GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'&$expand=impactedResources
For more information, see the Microsoft Graph documentation for recommendations.