
Getting Started - Microsoft Entra ID On-Demand Assessment

The On-Demand Assessment - Microsoft Entra ID is a cloud service that analyzes and provides identity and access management (IAM) guidance for Microsoft Entra ID and related components. The analysis generates a list of recommendations to address with remediation guidance and best practices to improve the health and security of Azure resources. Also, the assessment identifies features that can be turned on to expand Microsoft Entra ID capabilities. Assessments are available through Services Hub to help optimize the availability, security, and performance of Microsoft technology investments. These assessments use Microsoft Azure Log Analytics, which is designed to simplify IT and security management across the environment.

This assessment is designed to provide specific actionable guidance grouped in focus areas to mitigate risks to Microsoft Entra ID and the organization.

Key pillars of the Microsoft Entra ID Assessment

  • Identity and Access Management
  • Governance
  • Operations
  • Authentication
  • Security

Run the Microsoft Entra ID Assessment

Prerequisites

To take full advantage of the On-Demand Assessments available through Services Hub, you need to:

  1. Have an active Azure Subscription linked to Services Hub, with the Microsoft Entra ID assessment added. For more information, see Getting Started with On-Demand Assessments or watch the how-to-link video.

  2. Have an assessment scheduled task account (domain or local user) with the following rights:

    • Administrative access to the data collection machine
    • Log on as a batch job privileges on the data collection machine

  3. Have a Microsoft Entra ID account, used to set up the Microsoft Entra ID registered application, with the following properties:

    • Global Administrator
    • Non-federated

Note

On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. Once you run an assessment, you can review the data in Azure Log Analytics. The data provides you with a prioritized list of recommendations, categorized across six focus areas. This list allows you and your team to quickly understand risk levels and the health of your environments, act to decrease risk, and improve your overall IT health.

Set up the Microsoft Entra ID Assessment on the data collection machine

Note

You'll only be able to successfully set up the assessment once you've linked your Azure Subscription to Services Hub and added the Microsoft Entra ID Assessment from IT Health -> On-Demand Assessments in Services Hub.

Register the Microsoft Assessments application in the in-scope Microsoft Entra ID tenant

  1. On the data collection machine, create the following folder: C:\OMS\AzureAD (or any other folder you want).

  2. Open regular PowerShell (not ISE) in Administrator mode and run the following cmdlet to create the registered app in the Microsoft Entra ID tenant being assessed:

    New-MicrosoftAssessmentsApplication
    

    Note

    If the command New-MicrosoftAssessmentsApplication isn't available, the module isn't yet found. It can take some time after installing the agent before it shows up.

  3. Provide the required Microsoft Entra ID account credentials that satisfy the requirements mentioned in this article earlier. Select "Accept" on the admin consent prompt for the read permissions this application requires for the assessment.

Create the assessment scheduled task

  1. Open regular PowerShell (not ISE) in Administrator mode and run the following cmdlet, replacing <Directory> with the assessment working directory and <AccountName> with the assessment scheduled task account name:

    Important

    Don't use "C:\ODA" as the working directory path, as it's reserved by the system.

     Add-AzureAssessmentTask -WorkingDirectory <Directory> -ScheduledTaskUsername <AccountName>
    

    WorkingDirectory: the path to an existing directory used to store the files created while collecting and analyzing the data from the environment.

    Workspace Id: the ID of the Log Analytics workspace that will be used to store the uploaded data.

    Note

    If the command Add-AzureAssessmentTask isn't available, the module isn't yet found. It can take some time after installing the agent before it shows up.

  2. The script continues with the necessary configuration and creates a scheduled task that triggers the data collection.

  3. Data collection is triggered by the scheduled task named AzureAssessment within an hour of running the previous script and then every seven days. The task can be modified to run on a different date/time, or even forced to run immediately, from the Task Scheduler library -> Microsoft -> Operations Management Suite -> AOI*** -> Assessments -> AzureAssessment.
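The two setup procedures above (registering the application, then creating the scheduled task) as one script, with the checks the Notes and the Important callout call for: it refuses the reserved C:\ODA path, waits for the cmdlets to become available instead of failing on the first attempt, and confirms the AzureAssessment task exists afterwards. This is an added example, not a script from the Microsoft documentation; the cmdlet names and parameters are the ones shown on this page, while the working directory reuses the page's example folder and the task account name is a hypothetical value to replace.

```powershell
# Added example (not from the Microsoft docs page): runs the setup steps above
# end to end with the checks the page's Notes describe. Run it from a regular,
# elevated PowerShell console (not ISE). Hypothetical values are marked below.

$WorkingDirectory = 'C:\OMS\AzureAD'          # folder from step 1 (the page's example path)
$TaskAccount      = 'CONTOSO\svc-entra-oda'   # hypothetical scheduled task account; replace

function Assert-ElevatedConsole {
    # The page requires Administrator mode and a regular console rather than the ISE.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Open PowerShell as Administrator before running the assessment setup.'
    }
    if ($Host.Name -like '*ISE*') {
        throw 'Use a regular PowerShell console; the ISE is not supported for this setup.'
    }
}

function Wait-AssessmentCmdlet {
    # The Notes say the cmdlets can take a while to appear after the agent is
    # installed, so poll Get-Command rather than failing on the first miss.
    param([string]$Name, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (Get-Command -Name $Name -ErrorAction SilentlyContinue)) {
        if ((Get-Date) -gt $deadline) {
            throw "$Name is still not available after $TimeoutMinutes minutes; check the agent installation."
        }
        Write-Host "$Name not found yet; waiting 60 seconds..."
        Start-Sleep -Seconds 60
    }
}

Assert-ElevatedConsole

# Step 1: create the working directory, refusing the reserved path the page warns about.
if ($WorkingDirectory.TrimEnd('\') -ieq 'C:\ODA') {
    throw 'C:\ODA is reserved by the system; choose a different working directory.'
}
New-Item -ItemType Directory -Path $WorkingDirectory -Force | Out-Null

# Step 2: register the Microsoft Assessments application in the in-scope tenant.
# This prompts for the Global Administrator (non-federated) credentials and for
# admin consent to the read permissions the application requires.
Wait-AssessmentCmdlet -Name 'New-MicrosoftAssessmentsApplication'
New-MicrosoftAssessmentsApplication

# Step 3: create the scheduled task that triggers data collection.
Wait-AssessmentCmdlet -Name 'Add-AzureAssessmentTask'
Add-AzureAssessmentTask -WorkingDirectory $WorkingDirectory -ScheduledTaskUsername $TaskAccount

# Confirm the task the page describes (named AzureAssessment) now exists and
# show when it will first fire, so you know collection is actually scheduled.
$task = Get-ScheduledTask -TaskName 'AzureAssessment' -ErrorAction SilentlyContinue
if (-not $task) {
    throw 'The AzureAssessment scheduled task was not created; review the Add-AzureAssessmentTask output.'
}
$task | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, NextRunTime
```

The final Get-ScheduledTaskInfo call is the quickest way to see the "within an hour" first run the page mentions; if NextRunTime is empty or the task is missing, the data collection will not happen and the setup needs to be revisited before waiting for results.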

Assessment execution

  1. During collection and analysis, data is temporarily stored under the Working Directory folder that was configured during setup.

  2. After a few hours, your assessment results will be available in your Log Analytics workspace and in Services Hub. To see the results, go to Services Hub -> Health -> Assessments and select "View all recommendations" in the active assessment.

  3. If you wish to have a Microsoft Accredited Engineer go over the issues raised by your Microsoft Entra ID Assessment with you, contact your Microsoft Representative and ask them about the Remote or Onsite CSA-led delivery.

Agreement   Remote Engineer                       Onsite Engineer
Premier     Microsoft Entra ID Remote Datasheet   Microsoft Entra ID Onsite Datasheet
Unified     Microsoft Entra ID Remote Datasheet   Microsoft Entra ID Onsite Datasheet