Security Widgets
Three security-focused widgets surface posture, runtime alerts, and access risk on the dashboard. They share the layout described in Shared Widget Behavior; this page covers what each widget's numbers mean and where every click lands.
Two different Defender data sources
Defender Assessments shows recommendations from Microsoft Defender for Cloud's secure-score engine. Security Alerts shows runtime alerts. They are different data and lead to different actions, so both widgets typically belong on a security-focused dashboard.
Defender Assessments
Active Defender for Cloud assessments at the latest scan, broken out by severity. The external-link icon on the title opens All Recommendations. Requires the Defender Read permission.
Three metric cards count active assessments by severity (High, Medium, Low). Click any card to open All Recommendations filtered to that severity.
Recent Changes
Time-window dropdown defaults to 3 days, with options 1 day, 3 days, 7 days, 14 days, and 31 days. The list shows scans where the count moved, so quiet days do not appear. Each row carries pill-shaped badges for assessments added (green), removed (red), and modified (orange). Click a row to open the Defender Changes page with the two scans pre-selected for comparison.
Security Alerts
Active and In Progress runtime alerts from Microsoft Defender for Cloud. The external-link icon on the title opens the Alert Explorer. Requires the Defender Read permission.
Four metric cards count active and in-progress alerts by severity (High, Medium, Low, Informational). Click any card to open Alert Explorer filtered to that severity. The Informational count is often the largest; click through to triage.
Recent Changes
Identical structure to Defender Assessments. Clicking a row opens Alert Changes with both scans pre-selected.
Access Optimization
Principal-level access risks across your tenant. The external-link icon on the title opens the full Access Optimization page. The analysis window is fixed at the last 30 days and does not change with the dashboard's other time controls. Requires the Data Read permission.
Three metric cards count principals with at least one optimization opportunity flagged, broken out by principal type (Users, Service Principals, Groups). Click any card to open Access Optimization filtered to that principal type.
Top Optimization Opportunities
Categories with a count greater than zero appear below the metric cards in this order. The label Sprawl is the same signal documented elsewhere as Excessive Sprawl; the widget shortens it to fit.
- Unused: Principals with role assignments that have not been exercised in the analysis window.
- Stale: Principals whose activity has dropped off significantly.
- Over-Privileged: Principals using only a small subset of the actions their role grants.
- Over-Scoped: Role assigned at a broader scope than the principal's activity actually requires.
- Sprawl: Principals with unusually many role assignments.
- Redundant: Principals with role assignments that overlap each other.
Click any row to open Access Optimization filtered to that opportunity type across all principal types. This is useful for working through one signal at a time across the whole tenant.
Counts are per principal, not per assignment
A single user with multiple problematic assignments still counts once. To see the underlying assignments, click through to the Access Optimization page, where rows are listed individually.
Shared Behavior
- Defender Assessments and Security Alerts use scan-to-scan change detection. Only scans where the count moved appear in Recent Changes.
- Access Optimization uses a fixed 30-day analysis window regardless of dashboard time controls.
- Severity and category filters carry through the click. You land on a pre-filtered detail page so you can keep triaging without re-applying filters.
- Default time window for the two Defender widgets is 3 days. Override per-dashboard in the editor.
See also
- Access Optimization for the full feature, including filters, workflows, and per-principal detail.
- Change Tracking for the destination behind every Recent Changes row.
Troubleshooting
Defender Assessments shows 0 across the board but I know I have findings
Answer
Confirm the latest scan finished. Defender data is collected per scan; if Defender collection failed during the most recent run, all severity counts will read zero. Check Scan History for warnings on the latest scan, or rerun the scan from Scan Overview.