Identity Explorer

Permissions: To access the configuration and data visualization for Microsoft Entra ID, your user role must have the appropriate permissions. For more information, see Set Permissions for a Role.

Tenable Identity Exposure's Identity Explorer view unifies identities across both Active Directory and Microsoft Entra ID. This view shows the Identity Risk Score (beta) for each listed asset and the potential reach of compromised identities.

To access the Identity Explorer:

Note: The Identity Explorer is only visible if you use the Microsoft Entra ID feature. For more information, see Azure Active Directory Support.

  • In Tenable Identity Exposure, click on the Identity Explorer icon in the left navigation bar.

    The Identity Explorer pane opens.

The Identity Explorer pane shows the following information for total accessible resources:

  • Identity Name — Name of the user account under the identity provider.

  • Account Provider — The Identity Provider.

  • Exposure Score — Tenable Identity Exposure calculates this metric by assessing the criticality of an asset or identity and its vulnerabilities for each identity provider, then aggregates the results into an overall exposure score for a given identity.

    Note: Tenable Identity Exposure only shows the Exposure Score if you have the Tenable One license.
  • Open Risks — The number of findings that a Microsoft Entra ID Indicator of Exposure detects when it scans the asset.

    Note: The Identity Explorer feature currently displays weakness-related data based on the default Tenable profile and does not automatically reflect the status of deviances on AD objects you whitelisted in other profiles.

    Therefore:

    • If you have whitelisted an AD object for a specific Indicator of Exposure (e.g., "Native admin group member"), Identity Explorer will still flag it as a security weakness if the default profile identified it as deviant.

    • This can create the impression that the issue has not been addressed, even though the object has already been whitelisted under a different profile.

    • If a remediation action (such as removing group membership) is taken based on the Identity Explorer display, the object will disappear from the view, but this may not have been necessary if the object was already whitelisted elsewhere.

  • Total Accessible Resources — The number of resources of any type to which this asset has access (read, write, etc.).