Troubleshooting
ESLZ And Permission Gaps
Why some ESLZ checks show as not verified and how to interpret that safely.
What this page is for
This page explains why ESLZ sometimes reports not verified and how to think about that without misreading the result.
When to use it
Use it when:
- the ESLZ tab shows
not verified - a stakeholder assumes
not verifiedmeans pass - you need to decide whether to rerun with broader visibility
How to understand it
Some ESLZ checks need broader visibility than a simple resource read.
Common causes include:
- limited management group visibility
- missing identity or Entra context
- incomplete estate-wide access
If the review cannot see enough to make a trustworthy call, it should say so.
What it means in practice
Not verified means:
- not enough evidence to call it a pass
- not automatically a fail
- more visibility or follow-up may be needed
What to expect
This is a safer result than a false green pass. It is the product being explicit about what it could not prove.
Common mistakes
- treating
not verifiedas if it were good news - assuming the issue is always a product bug rather than a permission boundary
- using ESLZ totals without understanding the evidence states underneath them