Delegated Permissions Report

The Azure Delegated permissions in Microsoft Entra ID define the level of access that an application has on behalf of a user. When delegated permissions are used, the application performs actions as the signed-in user, with that user's identity and privileges. This is particularly useful when the application needs to access user-specific data or perform operations under the user's identity rather than under its own identity. The Delegated Permissions report helps administrators identify the type of delegated permissions assigned to each application acting as an authenticated user.

To generate the report, do the following:

  1. Select the Delegated Permissions Analysis option from the App Registrations sub node by following the menu sequence: REPORTS BY FUNCTION -> Domain-specific Reports -> Microsoft Entra ID.
  2. Figure 1 then appears. In Figure 1, select a criterion for analysis from the Analyze By list box.

    Figure 1 : Specifying the criteria for generating the Delegated Permissions report

  3. Using this report, you can analyze the type of delegated permissions assigned by the application to access resources on one/more managed components, or on components that are part of a zone, service or segment. The options provided by the Analyze By list box are discussed below:

    • Component: Select this option to choose the component(s) from across all the managed components in the environment.
    • Zone: To generate a report for one/more components that are included in a zone, pick the Zone option. A Zone drop-down list will then appear, from which you select the zone to which the components of interest belong. A Sub zone flag also appears. Set the Sub zone flag to Yes if the components present within the sub-zones of the chosen zone are also to be considered for report generation.
    • Segment: If you want to generate a report for one/more chosen components that belong to a segment, select the Segment option from Analyze By list box, and then pick the Segment from the drop-down list that appears.
    • Service: If you want to generate a report for one/more components involved in the delivery of a service, select the Service option from Analyze By, and then pick the required Service from the drop-down list that appears.
  4. Choose a Component Type for which the report is to be generated.
  5. The Components list will now be populated with all the components of the chosen component type that are managed in your environment. If the Components list contains too many components, viewing all of them and selecting the ones you need for report generation could require endless scrolling. To avoid this, click the button next to the Components list. A Components pop-up window will then appear, in which you can view almost all the components in a single interface and select the ones to be included in this report.

  6. By default, the Sensitive Permissions option is selected in the See Details list, indicating that this report will be generated based only on the sensitive delegated permissions assigned to the application for accessing resources. Sensitive permissions include Write only and Read/Write permissions. If you want to generate the report based on all delegated permissions instead, select the All Permissions option in the See Details list. All permissions include Read only, Write only and Read/Write permissions.
  7. In addition to the settings discussed above, this report comes with a set of default specifications. These settings are hidden by default. If you do not want to change these default settings, you can proceed to generate the report by clicking the Run Report button as soon as you have picked one/more components for report generation. However, if you want to view and, if required, alter these settings, click on the icon. The default settings will then appear in the MORE OPTIONS drop-down window (see Figure 2). The steps below discuss each of these settings and how they can be customized.

    Figure 2 : The default settings for generating the report 

  8. In large environments, reports generated using months of data can take a long time to complete. Administrators now have the option of generating reports on-line or in the background. When a report is scheduled for background generation, administrators can proceed with their other monitoring, diagnosis, and reporting tasks while the eG manager is processing the report. This saves the administrator valuable time. To schedule background processing of a report, select the Background Save - PDF option from the Report Generation list. To process the report in the foreground, select the Foreground Generation - HTML option from this list.

    Note:

    • The Report Generation list will appear only if the EnableBackgroundReport flag in the [BACKGROUND_PROCESS] section of the eg_report.ini file (in the <EG_INSTALL_DIR>\manager\config directory) is set to Yes.
    • The default selection in the Report Generation list will change according to the Timeline specified for the report. If the Timeline set is greater than or equal to the number of days specified against the MinDurationForReport parameter in the [BACKGROUND_PROCESS] section of the eg_report.ini file, then the default selection in the Report Generation list will be Background Save - PDF. On the other hand, if the Timeline set for the report is less than the value of the MinDurationForReport parameter, then the default selection in the Report Generation list will be Foreground. This is because the MinDurationForReport setting governs when reports are to be processed in the background. By default, this parameter is set to 2 weeks, which means that by default, reports with a timeline of 2 weeks and above will be processed in the background.
  9. Click the Done button if any changes were made in the More Options drop-down window.
  10. Finally, click the Run Report button to generate the report.
  11. If the Report type is Foreground Generation - HTML, then Figure 3 will appear as soon as you click the Run Report button.

    Figure 3 : The generated Delegated Permissions report for the chosen component

    The generated report (see Figure 3) will display the following details:

    • the number of applications and the corresponding Sensitive app permissions assigned to those applications.

    • the number of applications and the corresponding All app permissions assigned to those applications.

  12. In the generated report (see Figure 3), administrators can figure out the type of delegated permissions assigned to the applications. In the Sensitive App Permissions section, a horizontal bar chart represents the count of applications with the corresponding Sensitive app permissions assigned to those applications. In the All App Permissions section, a horizontal bar chart represents the count of applications with the corresponding All app permissions assigned to those applications.

  13. The Azure Delegated Permissions Details section shows a table with the Application Name, Application ID, Created Date, Owner, and Sensitive Permission (Yes/No) columns. By expanding a row in the Azure Delegated Permissions Details section whose Sensitive Permission column shows "Yes" (see Figure 3), administrators can view the Sensitive Permissions List for the respective application.
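The classification used by the report (Read only vs. Write only vs. Read/Write, with the latter two counted as sensitive) and the per-application rollup in the Azure Delegated Permissions Details table can be reproduced outside the eG console. The following added example is not eG's code; it runs over a constructed sample of delegated grants shaped like Microsoft Graph oauth2PermissionGrant records (an app identifier plus a space-separated scope string) and assumes the resource.Operation naming that Graph scopes follow.

```python
from collections import Counter

# Constructed sample grants (app ids are placeholders, not real tenant data).
# One application may hold several grants; scopes are space-separated.
SAMPLE_GRANTS = [
    {"app_name": "Expense Portal", "app_id": "APP-0001", "scope": "User.Read Mail.Read"},
    {"app_name": "Mail Automation", "app_id": "APP-0002", "scope": "Mail.ReadWrite Mail.Send"},
    {"app_name": "Doc Sync", "app_id": "APP-0003", "scope": "Files.ReadWrite.All User.Read"},
    {"app_name": "Doc Sync", "app_id": "APP-0003", "scope": "Sites.Read.All offline_access"},
]

def classify_scope(scope: str) -> str:
    """Map one delegated scope to Read only / Write only / Read/Write.
    Assumes Graph-style names Resource.Operation[.Qualifier]; OIDC scopes
    without a dot (openid, profile, offline_access) only yield identity
    claims and are treated as Read only (an assumption of this example)."""
    parts = scope.split(".")
    if len(parts) < 2:
        return "Read only"
    op = parts[1]
    if op.startswith("ReadWrite"):
        return "Read/Write"
    if op.startswith("Read"):
        return "Read only"
    return "Write only"          # Write, Send, Create, Manage and similar verbs

def summarize(grants):
    """Per-application rows like the report's details table: Sensitive
    Permission Yes/No plus the sensitive and full permission lists."""
    apps = {}
    for g in grants:
        entry = apps.setdefault(g["app_id"], {"app_name": g["app_name"], "perms": {}})
        for scope in g["scope"].split():
            entry["perms"][scope] = classify_scope(scope)
    rows = []
    for app_id, e in apps.items():
        sensitive = sorted(s for s, cat in e["perms"].items() if cat != "Read only")
        rows.append({"app_name": e["app_name"], "app_id": app_id,
                     "sensitive": "Yes" if sensitive else "No",
                     "sensitive_list": sensitive, "all_list": sorted(e["perms"])})
    return rows

def permission_counts(rows, sensitive_only: bool) -> Counter:
    """Data behind the bar charts: number of applications holding each
    permission, for the Sensitive or the All Permissions view."""
    counts = Counter()
    for r in rows:
        for perm in (r["sensitive_list"] if sensitive_only else r["all_list"]):
            counts[perm] += 1
    return counts

if __name__ == "__main__":
    for row in summarize(SAMPLE_GRANTS):
        print(row["app_name"], row["app_id"], row["sensitive"], row["sensitive_list"])
```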