The set of users, apps, groups, and roles that can be discovered or manipulated through Microsoft Graph. Reachability matters because identity relationships become machine-readable and therefore easier to chain into abuse when permissions are overexposed.
Expanded Definition
Graph API reachability is the practical scope of identity objects and permissions that can be found, queried, or acted on through Microsoft Graph. It matters because graph-based relationships turn access into a navigable map, making overexposed permissions easier to chain into privilege escalation, lateral movement, or mass manipulation. In NHI security, reachability is not just about whether an app can authenticate, but about what the app can enumerate and influence once authenticated.
Definitions vary across vendors and practitioners, because some use reachability to describe only directory enumeration while others include write paths, role assignment paths, and transitive relationships. For governance purposes, NHI Management Group treats it as the reachable attack surface created by app permissions, delegated scopes, app roles, and directory relationships. This is closely aligned with NIST Cybersecurity Framework 2.0 thinking around access control and asset visibility, but Microsoft Graph makes the problem especially operational because relationships are machine-readable by design.
The most common misapplication is assuming a token is safe because it is narrowly scoped, which occurs when reachable objects and transitive permissions are not reviewed before deployment.
Examples and Use Cases
Managing Graph API reachability rigorously adds review overhead, requiring organisations to weigh the benefits of discovery and automation against the cost of tighter permission engineering.
- An internal provisioning app can read all users and groups, making every directory object reachable for inventory or abuse depending on its scope.
- A helpdesk workflow can update group membership, which turns reachable group relationships into a path for privilege expansion if approvals are weak.
- An agentic automation service can call Microsoft Graph to locate owners, apps, and role assignments, creating a rich operational map that may also expose high-value targets if over-permitted.
- A security team uses Microsoft Graph path analysis to identify which service principals can reach admin roles, then removes unused app permissions before attackers do.
- For a broader NHI context, the patterns described in Ultimate Guide to NHIs help frame why machine identities with broad reach are difficult to inventory once they multiply across SaaS and cloud tenants.
Microsoft’s permission model and directory graph are powerful, but the same structure that enables automation also creates an audit challenge. Reachability should therefore be tested as part of app onboarding, permission review, and conditional access design, not after production deployment. For reference on identity and access governance concepts, NIST Cybersecurity Framework 2.0 remains a useful baseline.
Why It Matters in NHI Security
Graph API reachability is a security issue because overexposed directory access turns a single compromised NHI into a recursive discovery mechanism. Once an attacker or malicious agent can enumerate users, service principals, groups, and roles, the path from initial access to meaningful impact becomes much shorter. This is especially dangerous in environments that rely on delegated automation, because reachability often extends beyond the original business need and into adjacent administrative objects.
NHI Management Group research shows that 97% of NHIs carry excessive privileges, which makes broad Graph reachability a common force multiplier for abuse. That means reachability is not a theoretical concern, but an operational signal that permissions, consent grants, and role exposure are already too wide. It also affects incident response, because responders must identify not only what was accessed, but what could have been reached next through graph relationships.
When reachability is unmanaged, incident scope expands faster than teams can contain it. Organisations typically encounter the consequence only after a service principal, agent, or API key is abused to enumerate sensitive identity paths, at which point addressing Graph API reachability becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Reachability expands the blast radius of exposed NHI permissions and graph relationships. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege directly govern how far Graph access can reach. |
| NIST Zero Trust (SP 800-207) | PA, PE | Zero Trust requires explicit verification before allowing machine identities to traverse directory relationships. |
Inventory Graph permissions and remove any that let an NHI discover or modify more identity objects than needed.
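As an added example (not part of this page or of NHI Management Group's tooling), a Python triage over a constructed service-principal inventory: it classifies each Graph application permission into an assumed reach tier, lists grants beyond the declared business need (the review step in the examples above and in the closing recommendation), and flags where the excess raises the principal's reach tier. The permission names are real Graph application permissions; the tier ranking, the principals and their declared needs are assumptions.

```python
# Triage Microsoft Graph application permissions by how far they reach.
# Constructed example: tier ranking, principals and declared needs are assumed.
from dataclasses import dataclass

# Assumed reach tiers, ordered from least to most dangerous if abused.
TIER_RANK = ["enumerate", "modify-membership", "modify-directory", "modify-roles"]
REACH_TIER = {
    "User.Read.All": "enumerate", "Group.Read.All": "enumerate",
    "Application.Read.All": "enumerate", "Directory.Read.All": "enumerate",
    "GroupMember.ReadWrite.All": "modify-membership", "Group.ReadWrite.All": "modify-membership",
    "Application.ReadWrite.All": "modify-directory", "Directory.ReadWrite.All": "modify-directory",
    "RoleManagement.ReadWrite.Directory": "modify-roles",
}

@dataclass
class ServicePrincipal:
    name: str
    granted: set  # appRole values resolved from the principal's appRoleAssignments
    needed: set   # permissions justified by the documented business need

def max_tier(perms):
    """Highest reach tier among known permissions, or None if none are known."""
    tiers = [REACH_TIER[p] for p in perms if p in REACH_TIER]
    return max(tiers, key=TIER_RANK.index) if tiers else None

def rank(tier):
    return -1 if tier is None else TIER_RANK.index(tier)

def triage(sps):
    """Per principal: reach tier, excess grants, and whether excess raises the tier."""
    rows = []
    for sp in sps:
        have, need = max_tier(sp.granted), max_tier(sp.needed)
        rows.append({
            "name": sp.name, "reach": have,
            "excess": sorted(sp.granted - sp.needed),   # candidates for removal
            "unclassified": sorted(p for p in sp.granted if p not in REACH_TIER),
            "escalates": rank(have) > rank(need),       # excess widens the blast radius
        })
    return rows

SAMPLE = [  # constructed inventory, not real tenant data
    ServicePrincipal("provisioning-sync", {"User.Read.All", "Group.Read.All", "Directory.ReadWrite.All"},
                     {"User.Read.All", "Group.Read.All"}),
    ServicePrincipal("helpdesk-groups", {"User.Read.All", "GroupMember.ReadWrite.All"},
                     {"User.Read.All", "GroupMember.ReadWrite.All"}),
    ServicePrincipal("agent-discovery", {"Directory.Read.All", "Application.ReadWrite.All"},
                     {"Directory.Read.All"}),
]
```

Permissions reported under `unclassified` are ones the tier map does not know; extend `REACH_TIER` with the tenant's own classification rather than ignoring them.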