Need4Admin
Read-only · In-browser · No tenant data stored by the app
Privileged identity reporting for Microsoft Entra and Azure
Clear visibility into who holds privileged access, which apps expose risky permissions, and where to focus first.
No scripts needed: run it from any OS, in your browser
Answers in minutes
Privileged users and applications are surfaced in sortable, filterable reports so security and identity teams can prioritize reviews and evidence requests quickly.
Users and applications
Two reports
Privileged users
Entra and Azure eligible and active privileged roles with Azure scope, PIM groups, sign-in info, authentication methods, etc.
Applications
API permissions, auth methods, sign-in data, consent type, owners, etc.
Required API permissions
Need4Admin requests read-only API permissions on first sign-in. These permissions allow the app to query your Microsoft 365 tenant directly from your browser — no data ever leaves your environment. Everything is fetched in real time and displayed only in your current browser session. Need4Admin does not store, log, or transmit any of your tenant data to external servers or databases. You can revoke permissions, remove consent, or delete/disable the app at any time.
Microsoft Graph
| Permission | Purpose in Need4Admin |
|---|---|
| User.Read | Signed-in user profile (display name, UPN) for the session. |
| Directory.Read.All | Directory roles and members, users, groups, service principals, and OAuth permission grants. |
| Group.Read.All | Group membership expansion for role and Azure RBAC resolution via groups. |
| RoleManagement.Read.Directory | Directory role eligibility schedules (Entra PIM-related visibility in the privileged users report). |
| AuditLog.Read.All | Audit sign-in logs for service-principal activity samples (applications report: last sign-in). |
| Reports.Read.All | Authentication methods registration (MFA and phishing-resistant posture on privileged users). |
| Application.Read.All | Application and delegated permissions, app role assignments, and resource app role metadata. |
Azure Resource Manager
| Permission | Purpose in Need4Admin |
|---|---|
| https://management.azure.com/user_impersonation | Delegated access to Azure Resource Manager to read Azure RBAC role assignments and PIM eligibility instances for the signed-in user and their groups (privileged users report: Azure roles). |
Sign-in only: standard OpenID scopes (openid, profile, email, offline_access) are used for authentication and token refresh; they do not grant directory data by themselves.
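As an added example (not Need4Admin's own code), one way to check that the consent actually granted in a tenant matches the scopes listed above. It assumes the permissions are delegated and that the grants were exported as Graph `oauth2PermissionGrant` objects; the `resource_names` map, the sample ids and the extra scope in the sample are constructed for illustration.

```python
# Scopes copied from the permission tables on this page, keyed by resource.
DOCUMENTED = {
    "Microsoft Graph": {
        "User.Read", "Directory.Read.All", "Group.Read.All",
        "RoleManagement.Read.Directory", "AuditLog.Read.All",
        "Reports.Read.All", "Application.Read.All",
        "openid", "profile", "email", "offline_access",
    },
    # This scope lets the app call ARM as the signed-in user; what it can reach
    # is bounded by that user's Azure RBAC, not by the scope name.
    "Azure Resource Manager": {"user_impersonation"},
}


def audit_grants(grants, resource_names):
    """Compare delegated grants against DOCUMENTED.

    grants: dicts shaped like Graph oauth2PermissionGrant objects
            (resourceId, consentType, scope as a space-separated string).
    resource_names: hypothetical helper map, resourceId -> resource name.
    """
    findings = {"unexpected": [], "write_capable": [], "tenant_wide": [], "missing": []}
    seen = {name: set() for name in DOCUMENTED}
    for g in grants:
        resource = resource_names.get(g["resourceId"], g["resourceId"])
        scopes = set(g.get("scope", "").split())
        seen.setdefault(resource, set()).update(scopes)
        for s in sorted(scopes - DOCUMENTED.get(resource, set())):
            findings["unexpected"].append((resource, s))
            if "write" in s.lower():  # naming heuristic, not a guarantee
                findings["write_capable"].append((resource, s))
        if g.get("consentType") == "AllPrincipals":  # admin consent for all users
            findings["tenant_wide"].append(resource)
    for resource, wanted in DOCUMENTED.items():
        findings["missing"] += [(resource, s) for s in sorted(wanted - seen[resource])]
    return findings


# Constructed sample: ids and the extra ReadWrite scope are made up.
SAMPLE_NAMES = {"sp-graph": "Microsoft Graph", "sp-arm": "Azure Resource Manager"}
SAMPLE_GRANTS = [
    {"resourceId": "sp-graph", "consentType": "AllPrincipals",
     "scope": "openid profile email offline_access User.Read Directory.Read.All "
              "Group.Read.All RoleManagement.Read.Directory AuditLog.Read.All "
              "Reports.Read.All Application.Read.All Directory.ReadWrite.All"},
    {"resourceId": "sp-arm", "consentType": "Principal", "scope": "user_impersonation"},
]

if __name__ == "__main__":
    for kind, items in audit_grants(SAMPLE_GRANTS, SAMPLE_NAMES).items():
        print(kind, items)
```

An empty `unexpected` list means the tenant's grant is no broader than the tables above; entries under `missing` only indicate scopes that were documented but not consented.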
Because your identities deserve this.
Because this is the core of cybersecurity.