Use the Microsoft Entra recommendations API to implement Microsoft Entra ID best practices for your tenant
Microsoft Entra recommendations are personalized and actionable insights for you to implement Microsoft Entra ID best practices in your tenant. The Microsoft Entra recommendation service runs daily to check your tenant against predefined conditions for every recommendation. If the service detects that a recommendation applies to your tenant, the corresponding recommendation object is generated and its status is set to active.
Use the recommendations API in Microsoft Graph to identify and track the insights, assess and apply the guidance provided for implementing the best practices, and keep your tenant healthy, secure, and optimized.
Manage recommendations
Microsoft Entra recommendations are made up of two building blocks: recommendations and the Microsoft Entra resources they apply to.
A single recommendation can apply to one or more Microsoft Entra resource instances. For example, a recommendation relating to expiring application credentials references all apps in your tenant that have expiring application credentials.
For each recommendation, you have the following data:
- The type of recommendation. A limited number is currently supported. For more information, see Types of recommendations.
- The Microsoft Entra resources to which the recommendation applies. These include users, groups, and applications.
- The recommended action plan to address the recommendation.
- Where applicable, the date by which Microsoft Entra ID recommends that the recommendation be completed, before it impacts the associated service.
- The impact of the recommendation, which can be tenant-wide or resource-specific.
- A Microsoft-assigned priority ranking for the recommendation.
- The status of the recommendation such as whether it's still active or has been completed, dismissed, or postponed to a future date.
Types of recommendations
Eight types of recommendations are currently available in Microsoft Entra recommendations. These recommendations are identified in a recommendationType property that's part of the recommendation resource type in Microsoft Graph.
The following table lists the recommendation types that are available, and maps the Microsoft Graph values to the user-friendly names that are used on the Microsoft Entra admin center.
recommendationType | Friendly name in the Microsoft Entra admin center | Comments |
---|---|---|
adfsAppsMigration | Migrate your eligible applications from AD FS to Microsoft Entra ID for more security, productivity and automation | For more information, see Migrate apps from ADFS to Microsoft Entra ID |
aadGraphDeprecationApplication, aadGraphDeprecationServicePrincipal | Migrate from Azure AD Graph APIs to Microsoft Graph | For more information, see Migrate from Azure AD Graph APIs to Microsoft Graph |
adalToMsalMigration | Migrate from the Azure Active Directory Authentication Library to the Microsoft Authentication Libraries | For more information, see Migrate from the Azure Active Directory Authentication Library to the Microsoft Authentication Libraries |
applicationCredentialExpiry | Renew expiring application credentials | For more information, see Renew expiring application credentials |
mfaServerDeprecation | Migrate from MFA server to Microsoft Entra multifactor authentication (MFA) | For more information, see Migrate from MFA server to Microsoft Entra multifactor authentication (MFA) |
servicePrincipalKeyExpiry | Renew expiring service principal credentials | For more information, see Renew expiring service principal credentials |
staleApps | Remove unused applications | For more information, see Remove unused applications |
staleAppCreds | Remove unused credentials from applications | For more information, see Remove unused credentials from apps |
switchFromPerUserMFA | Convert per-user MFA to Conditional Access MFA | For more information, see Convert per-user MFA to Conditional Access MFA |
tenantMFA | Minimize MFA prompts for your users signing in from known devices | For more information, see Minimize MFA prompts from known devices |
useAuthenticatorApp | Migrate eligible users from SMS and voice call to Microsoft Authenticator App for a better MFA user experience | For more information, see Migrate to Microsoft authenticator |
API scenarios
You manage recommendations through the recommendation resource type and its associated methods. This resource type exposes the impactedResources relationship that you use to query the Microsoft Entra resource to which the recommendations apply.
The following are some of the most popular requests for working with the Microsoft Graph recommendations API:
Scenarios | API |
---|---|
Retrieve all recommendations and their associated data, including the impacted resources. | List recommendations |
Retrieve a recommendation and its associated data, including the impacted resources. | Get recommendation |
Act on a recommendation | Dismiss, Postpone, Complete, Reactivate |
Retrieve details of all impacted resources for a recommendation. | List impactedResources |
Retrieve details of an impacted resource for a recommendation. | Get impactedResource |
Act on a recommendation for an impacted resource | Dismiss, Postpone, Complete, Reactivate |
Get the historical Secure Score data for your tenant. | Get tenantSecureScores |
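The following added example (not Microsoft's code) shows one way to triage a List recommendations response: keep only active recommendations, order them by priority, and list the impacted resources that are still open. The response body is constructed, and the property names `value`, `status`, `priority` and `displayName` are assumed from the Microsoft Graph recommendation resource rather than taken from this page.

```python
import json

# Constructed sample shaped like a "List recommendations" response body.
# Property names (value, status, priority, displayName) are assumptions based
# on the Graph recommendation resource; ids and app names are made up.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "rec-1", "recommendationType": "staleApps", "status": "active", "priority": "medium",
   "impactedResources": [{"displayName": "legacy-reporting", "status": "active"},
                         {"displayName": "old-poc", "status": "dismissed"}]},
  {"id": "rec-2", "recommendationType": "applicationCredentialExpiry", "status": "active",
   "priority": "high",
   "impactedResources": [{"displayName": "payroll-sync", "status": "active"},
                         {"displayName": "hr-connector", "status": "active"}]},
  {"id": "rec-3", "recommendationType": "tenantMFA", "status": "dismissed", "priority": "high",
   "impactedResources": []},
  {"id": "rec-4", "recommendationType": "staleAppCreds", "status": "active", "priority": "medium",
   "impactedResources": [{"displayName": "build-agent", "status": "active"},
                         {"displayName": "ci-runner", "status": "active"}]}
]}
""")

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Recommendation types from the table above that concern app or service principal credentials.
CREDENTIAL_TYPES = {"applicationCredentialExpiry", "servicePrincipalKeyExpiry", "staleAppCreds"}


def triage(response):
    """Return active recommendations, highest priority first, with their open resources."""
    queue = []
    for rec in response.get("value", []):
        if rec.get("status") != "active":
            continue  # completed, dismissed or postponed: no action needed now
        open_resources = [r["displayName"] for r in rec.get("impactedResources", [])
                          if r.get("status") == "active"]
        queue.append({
            "type": rec["recommendationType"],
            "priority": rec.get("priority", "low"),
            "credential_related": rec["recommendationType"] in CREDENTIAL_TYPES,
            "open_resources": open_resources,
        })
    # Unknown priority values sort last; ties go to the recommendation with more open resources.
    queue.sort(key=lambda q: (PRIORITY_ORDER.get(q["priority"], 3), -len(q["open_resources"])))
    return queue


if __name__ == "__main__":
    for item in triage(SAMPLE_RESPONSE):
        print(item)
```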
License requirements
The various recommendations have different license requirements. For more information about licenses for each type of recommendation, see Microsoft Entra recommendations: Roles and licenses.