Activity reports show what happened, but they do not prove whether access was appropriate, approved, or still needed. In Microsoft 365, that matters because service identities, delegated permissions, and inherited access can all generate legitimate-looking activity. Without entitlement context, reviews may certify noise instead of control.
Why Activity Reports Fail as an Access Review Control
Activity reports are useful for spotting usage, but they do not answer the control question: was the access appropriate, still needed, and properly authorised? That gap matters in Microsoft 365 because delegated permissions, inherited roles, and service identities can generate normal-looking events even when the underlying entitlement is excessive. The result is a false sense of assurance that can survive a review cycle and still leave exposed access in place. This is exactly why NHI governance focuses on entitlement context, not just telemetry, as described in the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.
When reviews rely only on what an identity did, they miss what that identity can do. That distinction is critical for service principals, app registrations, shared mailboxes, and other non-human access paths that often operate quietly until a permissions issue becomes a security event. In practice, many security teams discover excessive access only after a misuse investigation, rather than through intentional review design.
What Proper Review Evidence Needs Beyond Activity Logs
Effective access reviews should combine usage evidence with entitlement, ownership, and approval context. A reviewer needs to see not only recent sign-ins or API calls, but also the granted scope, the business purpose, the named owner, the last approved use case, and whether the access is still required. Without that context, a “used recently” verdict can accidentally bless dormant overprivilege or inherited access that no one intended to keep.
For Microsoft 365 environments, that means separating user activity from permission state. Service identities may generate activity through automation, which makes usage reports look healthy even when the permission set is far broader than needed. Current guidance suggests pairing activity reporting with periodic entitlement recertification, secret rotation evidence, and offboarding checks from the NHI Lifecycle Management Guide. The core question is whether the entitlement still matches the approved function, not whether the identity has been busy.
- Review granted roles, scopes, and delegated permissions, not just last activity.
- Confirm a named owner and a current business justification for each access path.
- Validate that service identities still need the same privileges after workflow changes.
- Separate “observed use” from “approved use” in the certification decision.
These controls tend to break down when organisations have tenant-wide delegated permissions, long-lived app registrations, or no reliable inventory of service identities, because activity data cannot reveal hidden inheritance or stale approval chains.
Common Edge Cases in Microsoft 365 Reviews
Tighter review discipline often increases operational overhead, requiring organisations to balance assurance against reviewer fatigue and incomplete asset inventories. That tradeoff becomes visible in Microsoft 365 tenants where one identity can hold multiple permission paths, such as direct assignment, group-based membership, and inherited application consent. A single activity report may show legitimate usage while masking the fact that several of those paths are redundant or no longer justified.
There is no universal standard for this yet, but best practice is evolving toward evidence packages that combine activity with access provenance. That approach aligns with the broader NHI risk picture in the Ultimate Guide to NHIs — Key Challenges and Risks, where excessive privileges and weak visibility are recurring failure modes. It also fits the OWASP view that non-human identities need lifecycle controls, not just monitoring. When the environment includes third-party apps, shared automation accounts, or mailbox delegation chains, a clean activity report can still certify the wrong access unless the entitlement path is explicitly reviewed.
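To show what "access provenance" looks like for one identity holding several permission paths, here is an added Python example (not code from the page's author, OWASP or Microsoft; the permission names, group names and the `ticket-sync` application are constructed). It groups every grant by the permission it confers, flags paths with no approval record, and marks paths that add nothing beyond an already approved one:

```python
"""Resolve how one Microsoft 365 identity reaches each permission it holds.

Added illustration; the grants, groups and application consent are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    permission: str
    path: str          # "direct", "group:<name>" or "app_consent:<app>"
    approved: bool     # is there an approval record for this specific path?


# Constructed grants for a single identity, reached through three kinds of path.
GRANTS = [
    Grant("Mail.Read", "direct", True),
    Grant("Mail.Read", "group:mailops-readers", False),
    Grant("Mail.Read", "app_consent:ticket-sync", True),
    Grant("Directory.Read.All", "group:all-automation", False),
    Grant("Sites.ReadWrite.All", "app_consent:ticket-sync", True),
]


def resolve(grants):
    """Group grants by permission: permission -> list of paths that confer it."""
    by_perm = defaultdict(list)
    for g in grants:
        by_perm[g.permission].append(g)
    return dict(by_perm)


def effective_permissions(grants):
    """What the identity can do, regardless of how it got there."""
    return set(resolve(grants))


def provenance_findings(grants):
    """Return (permission, path, reason) tuples a reviewer must decide on.

    A redundant path is any path beyond the first approved one for a
    permission: removing it does not change what the identity can do, so
    it should not survive a review on the strength of usage alone.
    """
    findings = []
    for perm, paths in sorted(resolve(grants).items()):
        for g in paths:
            if not g.approved:
                findings.append((perm, g.path, "no approval record for this path"))
        if len(paths) > 1:
            keep = next((g.path for g in paths if g.approved), paths[0].path)
            for g in paths:
                if g.path != keep:
                    findings.append((perm, g.path, f"redundant with {keep}"))
    return findings


if __name__ == "__main__":
    print("effective:", sorted(effective_permissions(GRANTS)))
    for perm, path, reason in provenance_findings(GRANTS):
        print(f"{perm:<22} {path:<28} {reason}")
```

One caveat a reviewer should keep in mind: a path such as `app_consent:ticket-sync` carries several permissions at once, so "redundant for Mail.Read" does not mean the consent can be removed, only that Mail.Read is not the reason to keep it. The findings are prompts for the entitlement decision, not an automatic removal list.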
In practice, the safest review outcome is not “active therefore approved,” but “active, justified, scoped, and owned.”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Activity-only reviews miss entitlement scope and ownership for NHIs. |
| NIST CSF 2.0 | PR.AC-4 | Covers access authorization and review beyond simple usage evidence. |
| NIST AI RMF | GOVERN | Governance requires traceable accountability for automated access paths. |
Recertify NHI entitlements, not just logs, and require current owner justification.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org