SSPM Administration
  • SSPM Administration
  • SaaS Security Documentation
  • All Documentation
>
Assess Identity Security
Focus
Download PDF
Focus
  1. Home
  2. SaaS Security
  3. Assess Posture Security
  4. Assess Identity Security
Download PDF
SaaS Security

Assess Identity Security

Table of Contents

Assess Identity Security

Use the Identity Security component of SaaS Security Posture Management to identify misconfigurations in your identity posture.
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • SaaS Security Posture Management license
Or any of the following licenses that include the Data Security license:
  • CASB-X
  • CASB-PA
SaaS Security Posture Management includes an Identity Security component to help you identify misconfigurations in your identity posture. Specifically, the Identity Security component gives you visibility into the following problems:
  • Issues with your multi-factor authentication (MFA) implementation. The Identity Security component of SSPM uses information from your identity provider to give you visibility into these problems, which include MFA enrollment and sign-in issues.
  • Issues with application accounts. The Identity Security component of SSPM uses information from an application instance to display risks for human accounts and also for non-human accounts. You can view account risks for the following application types:
    • GitHub Enterprise
    • Office 365
    • Salesforce
    The risks that the Identity Security component displays will vary depending on the application type. The risks include dormant accounts, overprivileged accounts, guest accounts, and accounts that have not had their credentials rotated for a specified period. The Identity Security component also uses information from your identity provider to identify local accounts, which are accounts that were not created through your identity provider.
You can integrate the Identity Security component with either the Microsoft Azure or the Okta identity provider. To integrate the Identity Security component with Okta, complete the onboarding instructions for Okta. To integrate the Identity Security component with Microsoft Azure, complete the onboarding instructions for Microsoft 365. Completing these onboarding steps enables SSPM to scan your Microsoft 365 or Okta instance for misconfigured settings, and also enables scans for the Identity Security issues.
  1. To navigate to the Identity Security dashboard, select ManageConfigurationSaaS SecurityPosture SecurityIdentity.
  2. Inspect the information displayed on the dashboard to understand the problems that the Identity Security component detected. Take action as needed to resolve these problems.

View MFA Misconfigurations on SSPM

The Identity Security component of SaaS Security Posture Management uses information from your identity provider to give you visibility into MFA enrollment and sign-in issues.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationSaaS SecurityPosture SecurityIdentity.
  3. View the information for MFA.
    If at least one instance of the Microsoft Azure or Okta identity provider was already onboarded to SSPM, the Identity Security dashboard displays identity-based issues that it derived from the identity provider. If no instance of the Microsoft Azure or Okta identity provider has been onboarded to SSPM, you're prompted to Add Provider.
    If more than one identity provider instance is connected to SSPM, you can select a different Identity Provider from the list. You can also Add Provider to onboard a different Microsoft Azure or Okta instance.
  4. Inspect the information displayed in the upper section of the dashboard for a high-level summary of the problems that the Identity Security component detected in your MFA implementation. The top section of the dashboard displays the following information.

    MFA Enrollment Issues

    Displayed InformationDescription
    Users with no MFA
    The number of users who are not enrolled in any additional factors for MFA. If MFA enforcement policy rules are not configured for the identify provider, these users can access SaaS apps through the identity provider by using only one factor. If those credentials are compromised, there is no additional layer of security to prevent unauthorized access to their account. These users should enroll in a strong second factor for MFA.
    Users with weak MFA
    The number of users who are enrolled in one or more additional factors for MFA, but whose factors are not resistant to phishing, social engineering, or interception attacks. The weak MFA factors include factors such as email verification and short message service (SMS) verification. Weak second factors offer less protection than stronger factors, such as biometric login or a hardware key.
    If MFA enforcement policy rules on the identity provider are not configured to prevent sign-ins using only weak factors, then the account can be more easily compromised. These users should enroll in a strong second factor for MFA.

    MFA Sign-In Issues

    Displayed InformationDescription
    Sign-ins with weak MFA
    The number of users who signed into SaaS apps by using only weak factors, which are not resistant to phishing, social engineering, or interception attacks.
    Although the users might have registered a strong second factor, such as biometric login or a hardware key, they used only a weak factors, such as email verification and short message service (SMS) verification, to sign in.
    Administrators should create or modify policy rules in the identity provider to require these users to sign in using a strong second factor for MFA.
    MFA misconfigurations by SaaS Application
    The number of sign-ins with no MFA or weak MFA, organized by SaaS app.
  5. Navigate to the User Details and MFA Configurations tab, which displays MFA information for each user managed by the identity provider. The displayed information includes the user's group memberships, enabled MFA types, and time since the user's last password change.
    To filter this table to show only users with particular MFA enrollment or sign-in issues, click any of the misconfiguration counts displayed in the upper section of the page, such as the number of users or administrators with no MFA or with weak MFA.
    In the table, you can also Add Filter to filter the table by user attributes, such as the MFA types enabled and the MFA strength.
    To export a CSV file with a list of the incidents, Download Report. The report will contain all users unless you applied a filter to the table.
  6. To view more information about a particular user's sign-in activities, navigate to the User Sign-in Activities tab and View Activity Log.
  7. Take action on MFA misconfigurations. Have users enroll in the strong second factors that your organization requires, and create or modify policy rules to close any MFA enforcement gaps.

View Account Risks on SSPM

The Identity Security component of SaaS Security Posture Management uses information from a an app instance and from your identity provider to give you visibility into human and non-human account risks.
The Identity Security component of SaaS Security Posture Management uses information from an instance of a supported application and, optionally, your identity provider to give you visibility into account risks. The Identity Security dashboard displays risks for human accounts and also for non-human accounts. Human accounts are accounts that are associated with an individual who accesses the app through a web interface with ID and password credentials. Non-human accounts are typically services that authenticate to the app's API by using a token or an API key. By connecting to a an instance of a supported application, the Identity Security component helps you identify common account risks so you can take action.
For most supported application types, the same onboarding process that enables regular configuration scans also enables scans for account risks. The exception is GitHub Enterprise. For GitHub Enterprise, the onboarding steps for configuration scans will not enable SSPM to detect account risks. To detect account risks for GitHub Enterprise, complete the separate process to onboard GitHub Enterprise for identity scans.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationSaaS SecurityPosture SecurityIdentity.
  3. View the information for Human/Non-Human Accounts.
    The dashboard displays information about human and non-human accounts for an instance of one of the supported application types:
    • GitHub Enterprise
    • Office 365
    • Salesforce
    If no instance of a supported application type is connected to SSPM, the dashboard prompts you to onboard one. If more than one instance or a supported application type is connected to SSPM, you can select a different instance from the SaaS Accounts list.
    From the selected app instance, the dashboard displays a summary of account risks for the app. The risk types displayed in the dashboard will vary depending on the app type (Salesforce or Office 365). Risks can include ACCOUNTS DORMANT FOR OVER a specified number of days, CREDENTIALS NOT ROTATED IN a specified number of days, OVER-PRIVILEDGED accounts, and GUEST ACCOUNTS. If at least one instance of the Microsoft Azure or Okta identity provider was onboarded to SSPM, the Identity Security dashboard also displays the ACCOUNTS MISSING IN IDP by comparing account information from the app instance with information from the identity provider. If more than one identity provider instance is connected to SSPM, you can select a different one from the Identity Providers list. You can also Add Provider to onboard a different Microsoft Azure or Okta instance.
  4. Inspect the information displayed in the upper section of the dashboard for a high-level summary of the account risks that the Identity Security component detected in your app instance. Depending on the type of app, the top section of the dashboard displays the following information.
    Displayed InformationDescription
    ACCOUNTS DORMANT FOR OVER a specified number of days.
    The number of human accounts that have not been accessed for the specified period. These might be accounts that weren’t deleted after the account owner left the organization, and were forgotten. Or a user might have set up a new account without deleting, or continuing to access, the older one. Dormant accounts represent a signification security risk because bad actors can use them to gain access. Accounts that have remained dormant for a significant period can represent the greatest risk, because they might predate enforced requirements for MFA and for password length and complexity.
    You can display the number of accounts that have been dormant over 30, 60, or 180 days, and can click the number of dormant accounts to filter the table of Human Accounts in the lower section of the page. The table provides more information about each dormant account. It shows when the account was created, when the account was last accessed, and when the account password was last updated.
    For GitHub Enterprise accounts, SSPM determines how long an account has been dormant based on last time the user performed certain Git repository activities. These activities include creating or deleting a repository, cloning a repository, pushing changes to a remote repository, or fetching changes from a remote repository.
    CREDENTIALS NOT ROTATED IN a specified number of days.
    The number of non-human accounts that have not had their credentials rotated for the period specified.
    This summary is the number of accounts with non-rotated credentials for non-human accounts only. However, from the table of Human Accounts, you can view when an account's credentials were last rotated.
    Non-human account credentials include service account passwords, as well as credentials for accessing APIs, such as API keys and OAuth tokens. Failure to rotate these non-human account credentials can represent a significant risk to your organization.
    Service account passwords that are not rotated are more vulnerable to brute-force attacks, especially if the password predates enforced requirements for password length, complexity, and reuse.
    API keys that are not rotated increase the window of opportunity for bad actors to exploit leaked or compromised keys. Similarly, if the client secret of an OAuth app isn’t rotated, a compromised refresh token will enable to a bad actor to continue to obtain valid access tokens.
    You can display the number of non-human accounts with credentials that have not been rotated in 30, 60, or 180 days. You can click the number of accounts to filter the table of Non-Human Accounts in the lower section of the page. The table provides more information about each account, such as when the account was created, and when the account credentials were last updated.
    ACCOUNTS MISSING IN IDP
    The number of human accounts that are local accounts, which are accounts that weren’t created through your identity provider. Local accounts are a security risk because the identity provider isn’t managing access for them. Because they have bypassed the identity provider, it's difficult to enforce security policy rules for them.
    The Identity Security component identifies these risky local accounts by comparing account information from the app instance with account information from the identity provider. For this reason, the dashboard will display the local account information only if the Identity Security component is integrated with an instance of either the Microsoft Azure or the Okta identity provider. If the dashboard isn’t displaying this information, you can Add Provider and follow the steps to onboard Okta or Microsoft 365.
    For GitHub Enterprises, if a user has selected the Keep my email addresses private option, the Identity Security component of SSPM will be unable to determine whether the account is local. In the table, the Local column for the account will display False.
    The identity provider that the Identity Security component uses for this comparison is the identity provider that is currently selected in the Identity Providers list. If more than one identity provider instance is connected to SSPM, you can select a different identity provider from the list.
    When you add a new identity provider or switch to a different identity provider, it can take approximately 15 minutes for the Identity Component to determine the local accounts based on the new identity provider's account information.
    You can click the number of accounts that are missing in the identity provider to filter the table of Human Accounts in the lower section of the page. From the table you can gain additional insights about the local accounts, such as the email address that is associated with the account.
    OVER-PRIVILEDGED ACCOUNTS
    Depending on the application, this information might apply to human or non-human accounts. The number of accounts that have excessive permissions, which are probably not required for the human user or non-human service to complete their tasks. Overpriviledged accounts are ordinary user accounts that have administrator permissions.
    For Salesforce, the overprivileged accounts are human accounts that have Modify All Data permissions.
    For GitHub Enterprise, the overpriviledged accounts are non-human accounts that have admin:write permissions to organization or repository.
    You can click the number of overprivileged accounts that are missing in the identity provider to filter the table of Human Accounts or Non-Human Accounts in the lower section of the page. From the table, you can gain additional insights about the local accounts, such as the email address that is associated with the account.
    GUEST ACCOUNTS
    This information applies to Office 365 instances only. Guest accounts in Office 365 enable you to collaborate with people who are outside of your organization. Although guest accounts are designed to give outside users access to your resources for legitimate purposes, they can represent a risk if their access isn’t properly restricted. For example, an external collaboration setting in Azure Active Directory might grant guest users the same access as members. Another Azure Active Directory setting might allow anyone in the organization to invite guest users, including guests and non-administrators.
    TOKEN EXPIRES IN a specified number of days.
    For GitHub Enterprises, the number of non-human accounts whose access token will expire in the specified number of days. To identify the tokens that represent the greatest risk, select the option Never from this list. Tokens that never expire represent the greatest threat, because, if a bad actor acquires the token, they could use it indefinitely.
    This number of expiring tokens includes only fine-grained personal access tokens. It does not include GitHub's personal access tokens (classic). GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic).
  5. Navigate to the Human Accounts tab, which displays details about the human accounts in the app instance.
    Human accounts are accounts that are associated with an individual who accesses the account through a web interface with ID and password credentials. The displayed information includes the email address of the account owner, when the account was last accessed, and when the account credentials were last rotated. If the Identity Security component is integrated with your identity provider, the table will also show whether the account is a local account that was created through the identity provider. In the table, you can also Add Filter to filter the table by the various account attributes.
  6. Navigate to the Non-Human Accounts tab, which displays details about the non-human accounts in your app instance.
    Non-human accounts are typically services that authenticate to your app instance through an API by using an OAuth token or an API key. The displayed information includes the email address of the human user who created the non-human account, when the account was created, and when the account credentials were last rotated. In the table, you can also Add Filter to filter the table by the various account attributes.
    When viewing either the Human Accounts or the Non-Human Accounts tab, you can click the download icon to export a CSV file with a list of the non-human or human accounts. The list will contain all users unless you applied a filter to the table.
  7. Take action to resolve issues with the non-human or human accounts.
    If SSPM is linked to an issue tracking system, you can create a ticket to resolve account issues. To do this, select one or more accounts on either the Human Accounts or Non-Human Accounts tab, and File Ticket. To view the tickets that were created, navigate to the table's Tickets tab.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.