Skip to content
Recued
Menu
← Back to recipes

Microsoft Entra access hygiene digest

by recued-core v1

Scheduled read-only Microsoft Entra ID access governance digest. It reads bounded pages of users, groups, applications, service principals, directory audit logs, and sign-in logs through recued-core.microsoft-entra, renders compact tables, and optionally sends an in-app nudge when matching audit or sign-in events are visible. It never creates or deletes users, resets passwords, mutates MFA, changes role assignments, creates app credentials, changes conditional access policies, assigns licenses, or calls arbitrary Graph APIs.

How it works 33 steps

Inspect the data fetches, transforms, gates, and output this recipe runs.

Process (33 steps)
users_raw ?
groups_raw ?
applications_raw ?
service_principals_raw ?
audits_raw ?
sign_ins_raw ?
users default
Apply default
groups default
Apply default
applications default
Apply default
service_principals default
Apply default
audits default
Apply default
sign_ins default
Apply default
user_count count
Count items in users
group_count count
Count items in groups
application_count count
Count items in applications
service_principal_count count
Count items in service principals
audit_count count
Count items in audits
sign_in_count count
Count items in sign ins
has_audits compare
Check if audit count is greater than 0
has_sign_ins compare
Check if sign in count is greater than 0
has_events any
Check if any of the conditions are true
notify_enabled compare
Check if setting notify when events equals true
should_notify all
Check if all conditions are true
notify ?
skip: step.should_notify not_equal true
user_rows slice
Take a subset of
group_rows slice
Take a subset of
audit_rows slice
Take a subset of
sign_in_rows slice
Take a subset of
user_table to_table
Format results as a data table
group_table to_table
Format results as a data table
audit_table to_table
Format results as a data table
sign_in_table to_table
Format results as a data table
card to_summary
Format results as a summary card
Settings 13 configurable

Configurable at install. Defaults shown — change them anytime in Recued.

channels setting = in_app
end hour setting = 10
weekdays setting = 1,2,3,4,5
microsoft setting =
row limit setting = 20
start hour setting = 8
user filter setting = accountEnabled eq false
audit filter setting = category eq 'UserManagement' or category eq 'GroupManagement'
group filter setting = securityEnabled eq true
sign in filter setting = status/errorCode ne 0
application filter setting =
notify when events setting = true
service principal filter setting = accountEnabled eq true

Trust & control

What installing this recipe would let it do. Recued grants these permissions at install — review them there before approving.

Where it runs

Device + server Runs on your device (browser) or your server.

Permissions it requires

Send notificationsRead your Microsoft connection
Declared by the recipe — Recued grants these at install, where you review them before approving.

About

Tags

microsoft-entra microsoft-entramicrosoft-graphidentityaccess-governanceusersgroupsapplicationsaudit-logssign-insdigestnotificationpack:microsoft-entra

Details

33 steps 13 configurable settings recipe_id: microsoft-entra-access-hygiene-digest