|
| 1 | +--- |
| 2 | +title: How to use Azure Active Directory recommendations | Microsoft Docs |
| 3 | +description: Learn how to use Azure Active Directory recommendations. |
| 4 | +services: active-directory |
| 5 | +author: shlipsey3 |
| 6 | +manager: amycolannino |
| 7 | +ms.service: active-directory |
| 8 | +ms.topic: how-to |
| 9 | +ms.workload: identity |
| 10 | +ms.subservice: report-monitor |
| 11 | +ms.date: 03/06/2023 |
| 12 | +ms.author: sarahlipsey |
| 13 | +ms.reviewer: hafowler |
| 14 | +--- |
| 15 | + |
| 16 | +# How to: Use Azure AD recommendations |
| 17 | + |
| 18 | +The Azure Active Directory (Azure AD) recommendations feature provides you with personalized insights with actionable guidance to: |
| 19 | + |
| 20 | +- Help you identify opportunities to implement best practices for Azure AD-related features. |
| 21 | +- Improve the state of your Azure AD tenant. |
| 22 | +- Optimize the configurations for your scenarios. |
| 23 | + |
| 24 | +This article covers how to work with Azure AD recommendations. Each Azure AD recommendation contains similar details such as a description, the value of addressing the recommendation, and the steps to address the recommendation. Microsoft Graph API guidance is also provided in this article. |
| 25 | + |
| 26 | +## Role requirements |
| 27 | + |
| 28 | +There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. |
| 29 | + |
| 30 | +| Azure AD role | Access type | |
| 31 | +|---- |---- | |
| 32 | +| Reports Reader | Read-only | |
| 33 | +| Security Reader | Read-only | |
| 34 | +| Global Reader | Read-only | |
| 35 | +| Cloud apps Administrator | Update and read | |
| 36 | +| Apps Administrator | Update and read | |
| 37 | +| Security Operator | Update and read | |
| 38 | +| Security Administrator | Update and read | |
| 39 | + |
| 40 | +Some recommendations may require a P2 or other license. For more information, see [Recommendation availability and license requirements](overview-recommendations.md#recommendation-availability-and-license-requirements). |
| 41 | + |
| 42 | +## How to read a recommendation |
| 43 | + |
| 44 | +To view the details of a recommendation: |
| 45 | + |
| 46 | +1. Sign in to Azure using the appropriate least-privilege role. |
| 47 | +1. Go to **Azure AD** > **Recommendations** and select a recommendation from the list. |
| 48 | + |
| 49 | +  |
| 50 | + |
| 51 | +Each recommendation provides the same set of details that explain what the recommendation is, why it's important, and how to fix it. |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | +- The **Status** of a recommendation can be updated manually or automatically by the system. If all resources are addressed according to the action plan, the status automatically changes to *Completed* the next time the recommendations service runs. The recommendation service runs every 24-48 hours, depending on the recommendation. |
| 56 | + |
| 57 | +- The **Priority** of a recommendation could be low, medium, or high. These values are determined by several factors, such as security implications, health concerns, or potential breaking changes. |
| 58 | + |
| 59 | + - **High**: Must do. Not acting will result in severe security implications or potential downtime. |
| 60 | + - **Medium**: Should do. No severe risk if action isn't taken. |
| 61 | + - **Low**: Might do. No security risks or health concerns if action isn't taken. |
| 62 | + |
| 63 | +- The **Impacted resource type** for a recommendation could be applications, users, or your full tenant. This detail gives you an idea of what type of resources you need to address. If the impacted resource is at the tenant level, you may need to make a global change. |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +- The **Status description** tells you the date the recommendation status changed and if it was changed by the system or a user. |
| 68 | + |
| 69 | +- The recommendation's **Value** is an explanation of why completing the recommendation will benefit you, and the value of the associated feature. |
| 70 | + |
| 71 | +- The **Action plan** provides step-by-step instructions to implement a recommendation. The Action plan may include links to relevant documentation or direct you to other pages in the Azure AD portal. |
| 72 | + |
| 73 | +- The **Impacted resources** table contains a list of resources identified by the recommendation. The resource's name, ID, date it was first detected, and status are provided. The resource could be an application or resource service principal, for example. |
| 74 | + |
| 75 | +## How to update a recommendation |
| 76 | + |
| 77 | +To update the status of a recommendation or a related resource, sign in to Azure using a least-privileged role for updating a recommendation. |
| 78 | + |
| 79 | +1. Go to **Azure AD** > **Recommendations**. |
| 80 | + |
| 81 | +1. Select a recommendation from the list to view the details, status, and action plan. |
| 82 | + |
| 83 | +1. Follow the **Action plan**. |
| 84 | + |
| 85 | +1. If applicable, *right-click on the status* of a resource in a recommendation, select **Mark as**, then select a status. |
| 86 | + |
| 87 | + - The status for the resource appears as regular text, but you can right-click on the status to open the menu. |
| 88 | + - You can set each resource to a different status as needed. |
| 89 | + |
| 90 | +  |
| 91 | + |
| 92 | +1. The recommendation service automatically marks the recommendation as complete, but if you need to manually change the status of a recommendation, select **Mark as** from the top of the page and select a status. |
| 93 | + |
| 94 | +  |
| 95 | + |
| 96 | + - Mark a recommendation as **Dismissed** if you think the recommendation is irrelevant or the data is wrong. |
| 97 | + - Azure AD asks for a reason why you dismissed the recommendation so we can improve the service. |
| 98 | + - Mark a recommendation as **Postponed** if you want to address the recommendation at a later time. |
| 99 | + - The recommendation becomes **Active** when the selected date occurs. |
| 100 | + - You can reactivate a completed or postponed recommendation to keep it top of mind and reassess the resources. |
| 101 | + - Recommendations change to **Completed** if all impacted resources have been addressed. |
| 102 | + - If the service identifies an active resource for a completed recommendation the next time the service runs, the recommendation will automatically change back to **Active**. |
| 103 | + - Completing a recommendation is the only action collected in the audit log. To view these logs, go to **Azure AD** > **Audit logs** and filter the service to "Azure AD recommendations." |
| 104 | + |
| 105 | +Continue to monitor the recommendations in your tenant for changes. |
| 106 | + |
| 107 | +### How to use Microsoft Graph with Azure Active Directory recommendations |
| 108 | + |
| 109 | +Azure Active Directory recommendations can be viewed and managed using Microsoft Graph on the `/beta` endpoint. You can view recommendations along with their impacted resources, postpone a recommendation for later, and more. |
| 110 | + |
| 111 | +To get started, follow these instructions to work with recommendations using Microsoft Graph in Graph Explorer. The example uses the "Migrate apps from Active Directory Federated Services (ADFS) to Azure AD" recommendation. |
| 112 | + |
| 113 | +1. Sign in to [Graph Explorer](https://aka.ms/ge). |
| 114 | +1. Select **GET** as the HTTP method from the dropdown. |
| 115 | +1. Set the API version to **beta**. |
| 116 | +1. Add the following query to retrieve recommendations, then select the **Run query** button. |
| 117 | + |
| 118 | + ```http |
| 119 | + GET https://graph.microsoft.com/beta/directory/recommendations |
| 120 | + ``` |
| 121 | +
|
| 122 | +1. To view the details of a specific `recommendationType`, use the following API. This example retrieves the detail of the "Migrate apps from AD FS to Azure AD" recommendation. |
| 123 | +
|
| 124 | + ```http |
| 125 | + GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration' |
| 126 | + ``` |
| 127 | +
|
| 128 | +1. To view the impacted resources for a specific recommendation, expand the `impactedResources` relationship. |
| 129 | +
|
| 130 | + ```http |
| 131 | + GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'&$expand=impactedResources |
| 132 | + ``` |
| 133 | +
|
| 134 | +For more information, see the [Microsoft Graph documentation for recommendations](/graph/api/resources/recommendations-api-overview). |
| 135 | +
|
| 136 | +## Next steps |
| 137 | +
|
| 138 | +- [Review the Azure AD recommendations overview](overview-recommendations.md) |
| 139 | +- [Learn about Service Health notifications](overview-service-health-notifications.md) |
0 commit comments