Most organizations inherit thousands of ungoverned application accounts. Account discovery helps you find them and bring them under control.
Effective identity governance often starts with a simple question: who has access? Today, I am happy to introduce account discovery with Microsoft Entra ID Governance, a new capability designed to close this visibility gap from day one.
As organizations connect SaaS and on-premises applications to Microsoft Entra, they unlock critical identity governance capabilities. But applications are rarely greenfield. By the time an app is connected, it already contains users and permissions that were created outside modern governance workflows.
Account Discovery brings those existing accounts into view so teams can act on them with confidence. When you run a discovery, Microsoft Entra connects directly to the target application and retrieves the full list of user accounts and their properties. Each account is then evaluated against your Microsoft Entra directory using configurable matching attributes such as user principal name or email address. The service also checks whether matched users are already assigned to the enterprise application in Entra.
The result is a clear, actionable discovery report that shows exactly where governance is strong and where gaps still exist.
Why does this matter? Applications often contain access that was created manually, migrated from legacy systems, or provisioned directly—without consistent ownership or policy. Former employees can retain access. Service accounts can accumulate without owners. Local accounts can bypass MFA and Conditional Access entirely. These are not edge cases. Our latest Secure Access research found that 97% of organizations experienced an identity or access-related incident in the past year, and 22% of those had direct business impact. One of the most persistent contributors is fragmented access environments that limit visibility and slow response when risk emerges.
How account discovery classifies application accounts
Every account returned from a discovery run is categorized into one of three categories:
- Matched and assigned: The user exists in Microsoft Entra and is assigned to the application. These accounts are already governed and subject to your existing access controls.
- Matched but unassigned: The user exists in Microsoft Entra but is not assigned to the application. Access exists directly in the application, outside of Entra governance controls such as Conditional Access, access reviews, and lifecycle policies.
- Orphaned or local accounts: No matching identity is found in Microsoft Entra. These accounts exist only in the application and have no corporate identity association.
This classification gives identity teams immediate visibility into the true access state of an application. More importantly, it provides a clear path forward. Govern what is already aligned. Bring unassigned users under policy. Investigate or remove orphaned accounts that introduce unnecessary risk.
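The three-way classification above is straightforward to reason about once you see it as a reconciliation step: index the directory on the configured matching attributes, look each application account up, then check the matched user against the application's assignment list. The following is an added example of that logic, written for this page; it is not Microsoft's implementation and does not call Microsoft Graph. The directory users, the assignment set, the application accounts and the matching rules (app `username` against `userPrincipalName`, app `email` against `mail`) are all constructed sample data.

```python
from enum import Enum


class Category(Enum):
    """The three outcomes of account discovery, as described in the text."""
    MATCHED_ASSIGNED = "matched_assigned"      # governed: identity exists and is assigned to the app
    MATCHED_UNASSIGNED = "matched_unassigned"  # identity exists, access lives only inside the app
    ORPHANED = "orphaned"                      # no corporate identity found (local/orphaned account)


# Constructed sample directory (stand-in for Microsoft Entra users).
ENTRA_USERS = [
    {"id": "u1", "userPrincipalName": "alice@zava.example", "mail": "alice@zava.example"},
    {"id": "u2", "userPrincipalName": "bob@zava.example", "mail": "bob@zava.example"},
    {"id": "u3", "userPrincipalName": "carol@zava.example", "mail": "carol.j@zava.example"},
]

# Constructed: directory user ids that hold an assignment to the enterprise application.
ASSIGNED_USER_IDS = {"u1"}

# Constructed: accounts as the application itself reports them (mixed case, missing e-mail, service account).
APP_ACCOUNTS = [
    {"username": "alice@zava.example", "email": "alice@zava.example"},
    {"username": "BOB@zava.example", "email": ""},
    {"username": "carol@salesforce-legacy.example", "email": "Carol.J@zava.example"},
    {"username": "svc-integration", "email": None},
    {"username": "dave@contractor.example", "email": "dave@contractor.example"},
]

# Configurable matching rules: (application attribute, directory attribute), tried in order.
MATCH_RULES = (("username", "userPrincipalName"), ("email", "mail"))


def classify_accounts(app_accounts, entra_users, assigned_ids, match_rules=MATCH_RULES):
    """Classify every application account against the directory and the assignment list."""
    # One case-insensitive index per directory attribute so each lookup is a dictionary hit.
    indexes = {}
    for _, dir_attr in match_rules:
        indexes[dir_attr] = {
            u[dir_attr].casefold(): u for u in entra_users if u.get(dir_attr)
        }

    results = []
    for acct in app_accounts:
        match, matched_on = None, None
        for app_attr, dir_attr in match_rules:
            value = acct.get(app_attr)
            if value and value.casefold() in indexes[dir_attr]:
                match = indexes[dir_attr][value.casefold()]
                matched_on = f"{app_attr}->{dir_attr}"
                break  # first rule that matches wins

        if match is None:
            category = Category.ORPHANED
        elif match["id"] in assigned_ids:
            category = Category.MATCHED_ASSIGNED
        else:
            category = Category.MATCHED_UNASSIGNED

        results.append({
            "account": acct["username"],
            "category": category.value,
            "entra_id": match["id"] if match else None,
            "matched_on": matched_on,
        })
    return results


def summarize(results):
    """Count accounts per category, the headline numbers of a discovery report."""
    counts = {c.value: 0 for c in Category}
    for r in results:
        counts[r["category"]] += 1
    return counts


if __name__ == "__main__":
    report = classify_accounts(APP_ACCOUNTS, ENTRA_USERS, ASSIGNED_USER_IDS)
    for row in report:
        print(row)
    print(summarize(report))
```

Two details carry most of the value in practice: matching is case-insensitive (`casefold`), because applications and directories rarely agree on capitalization, and the rules are tried in order so an account whose application username never existed in the directory can still be reconciled through its e-mail address. Which rule produced the match is recorded in `matched_on`, so a reviewer can see why an account was placed in a category.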
[Screenshot: Discover identities (Preview)]
A real‑world example: Gaining visibility into Salesforce with account discovery
To see how account discovery works in practice, consider an organization onboarding Salesforce into Microsoft Entra ID Governance.
For Zava, the organization in this example, Salesforce has been in use for several years. During that time, accounts were created through a mix of manual provisioning, direct sign‑ups, contractors, and a legacy identity system. While the organization is ready to standardize access using Microsoft Entra, the identity team does not yet have a clear picture of who already has access or how that access was granted.
Account discovery provides that visibility before any governance changes are made.
Phase 1: Establishing a baseline during application onboarding
As part of the onboarding process, the identity team runs an account discovery report directly from the Salesforce enterprise application in the Microsoft Entra admin center.
Within minutes, the report returns a complete view of Salesforce users:
- Hundreds of users match identities in Microsoft Entra but are not assigned to the application.
- A small number of accounts have no matching Entra identity and appear to be local or orphaned.
- Several service and test accounts are clearly visible for separate review.
This baseline matters. Before provisioning, access packages, or Conditional Access policies are applied, the team now understands the true access state of the application. There are no assumptions and no spreadsheets. Every existing account is accounted for.
This visibility allows the identity team to plan governance intentionally instead of reacting to surprises after rollout.
Phase 2: Bringing existing users under policy‑driven access
With the discovery report in hand, the next priority is addressing the matched but unassigned users. These users are legitimate employees who already rely on Salesforce, but their access assignments exist entirely outside Entra governance.
The organization has already defined access packages in Entitlement Management aligned to job functions, such as sales and customer support. Each package includes approval workflows, expiration policies, and recurring access reviews.
With the discovery results, the identity team can then bring these users under governance by mapping them to the right Entitlement Management access packages—for example, assigning sales users to the sales package and support users to the support package. This turns “existing but unmanaged” access into access that’s explicitly owned and governed in Entra, with guardrails like approvals, time-bound access, and regular access reviews.
Orphaned accounts are handled separately. The identity team partners with application owners to determine whether these accounts should be removed, disabled, or linked to a valid corporate identity. Importantly, these decisions are now informed by data rather than guesswork.
Phase 3: Maintaining visibility with ongoing discovery
Once Salesforce is governed and provisioning is enabled, account discovery continues to play a role in detecting and reconciling any future drift.
Each month, the app owners run another discovery. This time, the report highlights a small number of new local accounts that were created directly in Salesforce outside the approved provisioning workflow. A closer look reveals a mix of expired contractor accounts, a temporary test user, and one former employee whose account was missed during offboarding.
None of these accounts are subject to Conditional Access or MFA policies. Without periodic discovery, they would likely remain unnoticed.
The team disables the accounts and updates internal processes so that future exceptions trigger investigation. Account Discovery becomes a recurring governance checkpoint that helps ensure access remains aligned with policy over time.
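Phase 3 is a comparison between two discovery reports: what appeared since the baseline, what disappeared, and which accounts changed category. The example below is added here to show that comparison and the triage rule it supports; it is not part of Microsoft's product and the two runs are constructed sample reports in the shape the classification above produces (account name plus category). Only accounts that are new or newly ungoverned are flagged; an account that moved from matched but unassigned to matched and assigned is a successful remediation, not a finding.

```python
# Categories the text treats as outside Entra governance controls.
UNGOVERNED = {"matched_unassigned", "orphaned"}

# Constructed: baseline discovery report captured during onboarding.
BASELINE_RUN = [
    {"account": "alice@zava.example", "category": "matched_assigned"},
    {"account": "bob@zava.example", "category": "matched_assigned"},
    {"account": "carol@zava.example", "category": "matched_unassigned"},
    {"account": "svc-integration", "category": "orphaned"},
    {"account": "dave@contractor.example", "category": "orphaned"},
]

# Constructed: the next monthly run. Carol was brought under an access package,
# Dave's contractor account was deleted, Bob lost his assignment but kept app access,
# and three accounts were created directly in the application.
CURRENT_RUN = [
    {"account": "alice@zava.example", "category": "matched_assigned"},
    {"account": "BOB@zava.example", "category": "matched_unassigned"},
    {"account": "carol@zava.example", "category": "matched_assigned"},
    {"account": "svc-integration", "category": "orphaned"},
    {"account": "temp-test-user", "category": "orphaned"},
    {"account": "erin@zava.example", "category": "orphaned"},
    {"account": "frank@zava.example", "category": "matched_unassigned"},
]


def _by_account(report):
    """Key a report by case-folded account name so renamed capitalization is not drift."""
    return {row["account"].casefold(): row["category"] for row in report}


def diff_discovery_runs(previous, current):
    """Return accounts added, removed, and re-categorized between two discovery runs."""
    prev, cur = _by_account(previous), _by_account(current)
    added = {name: cur[name] for name in cur.keys() - prev.keys()}
    removed = {name: prev[name] for name in prev.keys() - cur.keys()}
    changed = {
        name: (prev[name], cur[name])
        for name in prev.keys() & cur.keys()
        if prev[name] != cur[name]
    }
    return {"added": added, "removed": removed, "changed": changed}


def triage(drift):
    """Accounts that warrant investigation: new ungoverned accounts and governed ones that regressed."""
    flagged = [name for name, cat in drift["added"].items() if cat in UNGOVERNED]
    flagged += [
        name
        for name, (old, new) in drift["changed"].items()
        if new in UNGOVERNED and old not in UNGOVERNED
    ]
    return sorted(flagged)


if __name__ == "__main__":
    drift = diff_discovery_runs(BASELINE_RUN, CURRENT_RUN)
    print("added:", drift["added"])
    print("removed:", drift["removed"])
    print("changed:", drift["changed"])
    print("investigate:", triage(drift))
```

Keeping the baseline report and diffing against it is what turns discovery from a one-time inventory into the recurring checkpoint the text describes: the known orphaned service account does not reappear as a finding every month, while the accounts that bypassed the provisioning workflow surface immediately.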
Closing the visibility gap
Effective identity governance includes having visibility into ungoverned access.
Most organizations inherit access across their applications. Without a clear view of who already has access, governance efforts begin with blind spots that introduce unnecessary risk. Account discovery helps close that gap by giving identity teams a practical, repeatable way to see existing application accounts and bring them under policy.
Whether you are onboarding an application for the first time or validating access in a long‑running environment, visibility provides the foundation for confident governance.
This is the first step in a broader journey to make identity governance more proactive: expanding visibility into access across groups and memberships, and adding enforcement controls that help prevent changes to access unless those changes come through a governed process.
Licensing and availability
Account discovery is available in public preview for organizations with Microsoft Entra ID Governance, Microsoft Entra Suite and Microsoft E7 licenses. The capability is accessible through the Microsoft Entra admin center and through Microsoft Graph APIs.
Get started
To get started, navigate to an enterprise application in the Microsoft Entra admin center and select account discovery. Run your first discovery in minutes and begin building a complete picture of application access across your environment.
We welcome your feedback as we continue to evolve this capability.
Joseph Dadzie
Vice President, Product Management
Microsoft Entra