Microsoft Entra Account Discovery Closes App Gaps
Summary
Microsoft has introduced Account Discovery in Microsoft Entra ID Governance public preview to help organizations identify existing user accounts and permissions inside connected applications. The feature gives identity teams a clearer view of matched, unassigned, and orphaned accounts so they can bring unmanaged access under policy and reduce identity risk.
Microsoft Entra Account Discovery closes identity visibility gaps
Introduction
Identity governance only works when administrators can see who already has access. Microsoft is addressing that problem with Account Discovery in Microsoft Entra ID Governance, a new public preview feature designed to surface existing accounts inside connected SaaS and on-premises apps.
This matters because many applications were deployed long before modern governance controls were enabled. As a result, organizations often inherit unmanaged access, orphaned accounts, and direct app assignments that sit outside Conditional Access, access reviews, and lifecycle policies.
What’s new
Account Discovery connects to a target application, retrieves user accounts and properties, and compares them against identities in Microsoft Entra using configurable matching attributes such as:
- User principal name
- Email address
It then checks whether matched users are already assigned to the enterprise application in Entra and produces a discovery report with three classifications:
- Matched and assigned: Users exist in Entra and are already assigned to the app
- Matched but unassigned: Users exist in Entra, but access was granted directly in the application
- Orphaned or local accounts: No matching Entra identity exists for the app account
This gives IT teams a fast baseline for understanding which accounts are already governed and which ones need remediation.
Why it matters for administrators
For identity and security teams, the biggest benefit is visibility before enforcing policy. During app onboarding, admins can use Account Discovery to find users who already have access through legacy processes, manual provisioning, or direct sign-up.
Microsoft’s example uses Salesforce, where discovery can reveal:
- Employees with valid identities but no Entra app assignment
- Local or orphaned accounts that may need removal or investigation
- Service and test accounts that require separate review
Once identified, admins can move legitimate users into Entitlement Management access packages and apply approvals, expiration rules, and recurring access reviews. They can also investigate local accounts that may bypass MFA and Conditional Access.
Ongoing governance and next steps
Account Discovery is not just for initial onboarding. Microsoft positions it as an ongoing governance checkpoint to detect drift over time, such as:
- New local accounts created outside approved workflows
- Missed offboarding cases
- Temporary contractor or test accounts that remain active longer than expected
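The matching and classification flow described under What's new, together with the drift check from the list above, as an added Python model: this is example code, not Microsoft's implementation or the Graph API, and every identity, application account and assignment in it is constructed sample data. The matching attributes follow the text (user principal name, email); the record field names, the report keys and the two drift categories are this example's own assumptions. It runs the same classifier over an onboarding snapshot and a later snapshot, then diffs the two to flag new local accounts and missed offboarding.

```python
"""Toy model of Account Discovery: match app accounts to Entra identities,
classify them, then diff two discovery runs to flag drift.

Added example, not Microsoft's implementation or API. All identities,
accounts and assignments are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppAccount:
    # Account as retrieved from the connected application (constructed shape)
    account_id: str
    username: str
    email: str


@dataclass(frozen=True)
class EntraUser:
    # Identity as it would appear in Entra (constructed shape)
    object_id: str
    upn: str
    mail: str
    account_enabled: bool = True


@dataclass(frozen=True)
class Finding:
    account_id: str
    classification: str
    entra_object_id: Optional[str] = None
    entra_enabled: Optional[bool] = None


MATCHED_ASSIGNED = "matched_assigned"      # in Entra and assigned to the app
MATCHED_UNASSIGNED = "matched_unassigned"  # in Entra, access granted in-app only
ORPHANED = "orphaned_or_local"             # no Entra identity matches


def _norm(value: str) -> str:
    return (value or "").strip().lower()


def match_identity(account, users, attributes=("upn", "mail")):
    """Return the first Entra user whose configured matching attribute equals
    the account's username or email (case-insensitive), or None."""
    candidates = {_norm(account.username), _norm(account.email)} - {""}
    for user in users:
        if any(_norm(getattr(user, attr)) in candidates for attr in attributes):
            return user
    return None


def discover(app_accounts, entra_users, app_assignments, attributes=("upn", "mail")):
    """Classify every app account; app_assignments holds the Entra object ids
    currently assigned to the enterprise application."""
    findings = []
    for acct in app_accounts:
        user = match_identity(acct, entra_users, attributes)
        if user is None:
            findings.append(Finding(acct.account_id, ORPHANED))
            continue
        cls = MATCHED_ASSIGNED if user.object_id in app_assignments else MATCHED_UNASSIGNED
        findings.append(Finding(acct.account_id, cls, user.object_id, user.account_enabled))
    return findings


def summarize(findings):
    """The three-bucket discovery report: classification -> sorted account ids."""
    report = {MATCHED_ASSIGNED: [], MATCHED_UNASSIGNED: [], ORPHANED: []}
    for f in findings:
        report[f.classification].append(f.account_id)
    return {k: sorted(v) for k, v in report.items()}


def detect_drift(previous, current):
    """Two drift patterns between runs: local accounts that did not exist last
    time, and accounts that outlived their Entra identity (identity deleted, or
    the matched identity is now disabled)."""
    prev = {f.account_id: f for f in previous}
    new_local = [f.account_id for f in current
                 if f.classification == ORPHANED and f.account_id not in prev]
    missed = [f.account_id for f in current
              if (f.classification == ORPHANED and f.account_id in prev
                  and prev[f.account_id].classification != ORPHANED)
              or (f.classification != ORPHANED and f.entra_enabled is False)]
    return {"new_local_accounts": sorted(new_local), "missed_offboarding": sorted(missed)}


# Constructed snapshots: "before" is the onboarding run, "now" a later check.
ENTRA_USERS_BEFORE = [
    EntraUser("u1", "alice@contoso.example", "alice@contoso.example"),
    EntraUser("u2", "bob@contoso.example", "bob@contoso.example"),
    EntraUser("u3", "carol@contoso.example", "carol@contoso.example"),
    EntraUser("u4", "erin@contoso.example", "erin@contoso.example"),
]
# Since then carol was disabled in Entra and erin's identity was deleted.
ENTRA_USERS_NOW = [
    ENTRA_USERS_BEFORE[0], ENTRA_USERS_BEFORE[1],
    EntraUser("u3", "carol@contoso.example", "carol@contoso.example", account_enabled=False),
]
APP_ACCOUNTS_BEFORE = [
    AppAccount("a1", "Alice@Contoso.example", "alice@contoso.example"),  # case differs
    AppAccount("a2", "bob", "bob@contoso.example"),                      # matches on mail
    AppAccount("a3", "carol", "carol@contoso.example"),
    AppAccount("a4", "svc-integration", ""),                             # service account
    AppAccount("a6", "erin", "erin@contoso.example"),
]
# A local account "dave" was since created directly in the app; nothing was removed.
APP_ACCOUNTS_NOW = APP_ACCOUNTS_BEFORE + [AppAccount("a5", "dave", "dave@contoso.example")]
APP_ASSIGNMENTS = {"u1"}  # only alice is assigned to the enterprise app


if __name__ == "__main__":
    before = discover(APP_ACCOUNTS_BEFORE, ENTRA_USERS_BEFORE, APP_ASSIGNMENTS)
    now = discover(APP_ACCOUNTS_NOW, ENTRA_USERS_NOW, APP_ASSIGNMENTS)
    print(summarize(now))
    print(detect_drift(before, now))
```

On the sample data the current run reports a1 as matched and assigned, a2 and a3 as matched but unassigned, and a4, a5, a6 as orphaned or local; the drift diff then singles out a5 as a new local account and a3 and a6 as missed offboarding. Note that plain "orphaned" on its own does not tell the two apart: the service account a4 is orphaned in both runs and is not drift, which is why the example keeps the earlier findings rather than only the earlier counts.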
What IT teams should do now
- Review which enterprise applications have legacy or manually managed access
- Run Account Discovery during onboarding of newly governed apps
- Use findings to map users into Entra governance workflows
- Investigate and remediate orphaned, service, and local accounts
- Schedule periodic discovery reviews to detect access drift
Availability
Account Discovery is available in public preview for organizations licensed with:
- Microsoft Entra ID Governance
- Microsoft Entra Suite
- Microsoft E7
The feature is accessible through the Microsoft Entra admin center and Microsoft Graph APIs.