Workbook Updates: Admin Risk & Compute

By | April 7, 2026

Over the past few months, I have shared a set of workbooks focused on closing visibility gaps across identity and endpoint security data. These were built from real-world scenarios where the signals existed, but the connections between them were not always obvious.

Today I am releasing major updates to both, expanding their scope and making them more useful for investigation, validation, and ongoing review.


Entra Admin & Risky User Review

This workbook started from a very practical need. When you have to contact the owner or admin of an Azure compute resource such as a VM, identifying the right person is often harder than it should be. Even when the admin account is known, there is usually a further step: mapping that admin identity back to a mail-enabled user account so that someone can actually be contacted for communication and remediation.

That was the starting point.

From there, the focus shifted. Not just identifying admins, but understanding how those privileged accounts are being used. Incidents like the Stryker cyber attack helped raise awareness around insider admin risk, where activity may be technically valid but still concerning.

Instead of only answering who is the admin, the workbook now helps answer:

Is this admin behaving as expected?

The updated workbook brings together:

  • Risk signals such as risky sign-ins and identity protection indicators
  • Privilege context including role assignments and PIM activation history
  • Administrative activity across audit logs, policy changes, and account operations
  • Indicators that may suggest automation or scripted behavior

The intent is to support both investigation and ongoing review of privileged activity, where misuse or compromise can otherwise blend into normal operations.
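To make the kind of correlation described above concrete, here is an added example written for this post, not the workbook's own logic (the workbook runs KQL and workbook merges, not Python). It joins three constructed signal sets, PIM activation history, directory audit events and an Identity Protection risky-user list, into one review row per admin. The record shapes, the account names, the 10-event minimum and the 0.15 interval-variation threshold for the "looks scripted" indicator are all assumptions chosen for the illustration:

```python
"""Added example: combining privileged-activity signals for admin review.

All data below is constructed and the record shapes are assumptions; the
thresholds in automation_indicators() are illustrative, not workbook values.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed PIM activation history (assumed shape): actor, role, window.
PIM_ACTIVATIONS = [
    {"upn": "alice@contoso.example", "role": "Global Administrator",
     "start": datetime(2026, 4, 1, 9, 0), "end": datetime(2026, 4, 1, 13, 0)},
    {"upn": "bob@contoso.example", "role": "User Administrator",
     "start": datetime(2026, 4, 2, 2, 0), "end": datetime(2026, 4, 2, 3, 0)},
]

# Constructed directory audit events (assumed shape): actor, operation, time.
AUDIT_EVENTS = [
    {"upn": "alice@contoso.example", "op": "Update conditional access policy",
     "ts": datetime(2026, 4, 1, 10, 5)},
    {"upn": "alice@contoso.example", "op": "Add member to role",
     "ts": datetime(2026, 4, 1, 18, 30)},          # no activation covers this
] + [
    {"upn": "bob@contoso.example", "op": "Reset user password",
     "ts": datetime(2026, 4, 2, 2, 10) + timedelta(seconds=60 * i)}
    for i in range(12)                              # 12 ops, exactly 60 s apart
]

# Constructed Identity Protection output: accounts currently flagged as risky.
RISKY_USERS = {"bob@contoso.example"}


def events_outside_pim(events, activations):
    """Return events whose actor had no PIM activation covering the timestamp.

    A privileged operation with no matching activation is a privilege-context
    mismatch worth a second look (standing assignment, missed log, or misuse).
    """
    flagged = []
    for ev in events:
        covered = any(a["upn"] == ev["upn"] and a["start"] <= ev["ts"] <= a["end"]
                      for a in activations)
        if not covered:
            flagged.append(ev)
    return flagged


def automation_indicators(events, min_events=10, max_cv=0.15):
    """Flag actors whose operations arrive at near-constant intervals.

    Returns {upn: {"events": n, "interval_cv": cv}} for actors with at least
    min_events operations whose inter-event gaps have a coefficient of
    variation (stdev / mean) at or below max_cv. Thresholds are assumptions.
    """
    by_actor = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_actor.setdefault(ev["upn"], []).append(ev["ts"])
    result = {}
    for upn, stamps in by_actor.items():
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else 0.0
        if cv <= max_cv:
            result[upn] = {"events": len(stamps), "interval_cv": round(cv, 3)}
    return result


def admin_review(events, activations, risky_users):
    """One summary row per admin, merging the three signal sets."""
    outside = {}
    for ev in events_outside_pim(events, activations):
        outside[ev["upn"]] = outside.get(ev["upn"], 0) + 1
    scripted = automation_indicators(events)
    rows = {}
    for upn in sorted({ev["upn"] for ev in events}):
        rows[upn] = {
            "ops": sum(1 for ev in events if ev["upn"] == upn),
            "ops_outside_pim": outside.get(upn, 0),
            "looks_scripted": upn in scripted,
            "risky": upn in risky_users,
        }
    return rows


if __name__ == "__main__":
    for upn, row in admin_review(AUDIT_EVENTS, PIM_ACTIVATIONS, RISKY_USERS).items():
        print(upn, row)
```

In the constructed data, alice's evening role change falls outside her activation window and bob's twelve password resets at exactly one-minute spacing trip the scripting indicator while he is also flagged risky; neither row is evidence of compromise on its own, which is why the workbook presents the signals side by side rather than alerting on any one of them.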

Reference:


Azure VM & Arc Resource – Security Health

This workbook builds on earlier work around validating Defender for Endpoint coverage across Azure VMs, and now expands to include Arc-enabled servers with a broader view of resource security health.

The core question remains:

Are all of my compute resources actually protected?

The updated version answers that question more reliably by merging several data sources rather than relying on any one of them: Azure resource inventory, activity signals, and Defender for Endpoint device data.

This enables clearer identification of gaps such as:

  • Resources that exist but are not onboarded
  • Systems that appear onboarded but show little or no recent activity
  • Mismatches between resource state and security telemetry

By correlating these datasets, the workbook provides a more accurate view of coverage, drift, and blind spots.
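The gap categories above map directly onto a merge of inventory against device telemetry. The following is an added example for this post, not the workbook's own merge, which is expressed in workbook data sources rather than Python. It joins a constructed inventory of Azure VMs and Arc servers to constructed Defender for Endpoint device records by name and sorts each resource into one of the gap buckets. The record shapes, resource names, the 7-day staleness window and the 24-hour "recently seen" window for the state mismatch check are all assumptions:

```python
"""Added example: merge-style coverage gap detection for VMs and Arc servers.

Data is constructed; record shapes and time windows are assumptions.
"""
from datetime import datetime, timedelta

NOW = datetime(2026, 4, 7, 12, 0)

# Constructed inventory (assumed shape). "state" is the VM power state for
# Azure VMs and the Arc agent connection status for Arc-enabled servers.
RESOURCES = [
    {"name": "vm-web-01",     "kind": "AzureVM",   "state": "running"},
    {"name": "vm-db-01",      "kind": "AzureVM",   "state": "running"},      # never onboarded
    {"name": "vm-old-01",     "kind": "AzureVM",   "state": "deallocated"},  # but device still reporting
    {"name": "arc-branch-01", "kind": "ArcServer", "state": "connected"},    # onboarded, gone quiet
]

# Constructed Defender for Endpoint device records (assumed shape).
MDE_DEVICES = [
    {"name": "vm-web-01",     "last_seen": NOW - timedelta(hours=1)},
    {"name": "vm-old-01",     "last_seen": NOW - timedelta(minutes=30)},
    {"name": "arc-branch-01", "last_seen": NOW - timedelta(days=12)},
    {"name": "lab-box-99",    "last_seen": NOW - timedelta(hours=2)},       # not in inventory
]

INACTIVE_STATES = {"deallocated", "stopped", "disconnected"}


def coverage_report(resources, devices, now,
                    stale_after=timedelta(days=7),
                    recent_within=timedelta(hours=24)):
    """Merge inventory with device telemetry and bucket the gaps.

    not_onboarded   resource exists, no MDE device with that name
    stale           onboarded but no telemetry within stale_after
    state_mismatch  resource is inactive yet the device reported recently
                    (name reuse, inventory lag, or a host that is not what
                    the inventory says it is)
    unknown_devices device reports to MDE but is absent from inventory
    """
    by_name = {d["name"].lower(): d for d in devices}
    report = {"not_onboarded": [], "stale": [], "state_mismatch": [],
              "unknown_devices": []}
    inventory = set()
    for r in resources:
        key = r["name"].lower()
        inventory.add(key)
        dev = by_name.get(key)
        if dev is None:
            report["not_onboarded"].append(r["name"])
            continue
        age = now - dev["last_seen"]
        if age > stale_after:
            report["stale"].append(r["name"])
        if r["state"] in INACTIVE_STATES and age <= recent_within:
            report["state_mismatch"].append(r["name"])
    for d in devices:
        if d["name"].lower() not in inventory:
            report["unknown_devices"].append(d["name"])
    return report


if __name__ == "__main__":
    for bucket, names in coverage_report(RESOURCES, MDE_DEVICES, NOW).items():
        print(f"{bucket:16} {names}")
```

Matching on a lower-cased name is the weakest link here: a real merge should prefer a stable identifier such as the Azure resource ID or the MDE device ID where both sides expose it, and the unknown_devices bucket is where naming drift between the two systems will first show up.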

If you liked the original MDE workbook, a revised version with minor improvements and bug fixes is still available in the archive. No further updates are planned for that version, but its approach may still suit your environment and use case.

Reference:


Closing Thoughts

If you find these useful, consider forking the repositories, submitting pull requests, or opening discussions on GitHub. Feedback, improvements, and real-world adaptations are always valuable.
