No external user with permanent role assignment on Control Plane
Description
Permanent Assignments of high-privileged Entra ID directory roles will be checked to identify privileges for external users. Related roles will be identified based on the classification model from the EntraOps project which helps to identify directory roles with Control Plane (Tier0) permissions.
How to fix
Verify the affected external users, the user source (e.g., MSSP/partner or managing tenant) and if the privileged accounts pass your requirements for Conditional Access, Lifecycle Workflow and Identity Protection.