drop entra id federation config audit · detect rogue federated trust additions
flags rogue domain federation · cert thumbprint swap · gold SAML trust additions · off-hours changes
heuristic screener · audit export schema varies by portal/API version — field mapping is best-effort · not definitive proof