Devolutions.CIEM
0.2.60
Cloud Infrastructure Entitlement Management (CIEM) module for Azure identity and access security checks. Provides 46 identity-focused checks for Entra ID, IAM/RBAC, KeyVault, and Storage services.
Minimum PowerShell version
7.4
Installation Options
Owners
Copyright
(c) 2025 Devolutions Inc. All rights reserved.
Package Details
Author(s)
- Adam Bertram
Tags
Azure CIEM Security Identity IAM Entra RBAC Compliance PowerShellUniversal app
PSEditions
Dependencies
This module has no dependencies.
Release Notes
## 0.2.20 - Dashboard Function Scope Fix
- Fixed: Get-CIEMConfigPath not found at dashboard runtime
- Moved Get-CIEMConfigPath from nested function to Private module function
- Function is now dot-sourced at module load, available to PSU dashboard pages
## 0.2.19 - Code Quality Improvements
- Renamed Get-CIEMRequiredPermissions to Get-CIEMRequiredPermission (singular noun)
- Fixed PSScriptAnalyzer warnings for return statements
- Fixed helper function naming to avoid ShouldProcess requirements
- Improved code structure in Get-PSUInstalledEnvironment and Get-CIEMRequiredPermission
- Added proper begin/process block structure to Set-CIEMConfig
- Added suppression attributes for PSU dashboard callback return statements
## 0.2.14 - Multi-Provider Authentication Support
- Renamed "Azure Authentication" to "Cloud Provider Authentication"
- Added Provider dropdown (Azure enabled, AWS coming soon)
- Added comprehensive Azure authentication methods:
- Current Context (existing Az PowerShell session)
- Service Principal with Client Secret
- Service Principal with Certificate (thumbprint or file path)
- Managed Identity (system-assigned or user-assigned)
- Device Code (for MFA/restricted environments)
- Interactive Browser
- Dynamic input fields based on selected authentication method
- Updated config.json schema for multi-provider support
- Prepared AWS configuration structure for future release
## 0.2.12 - PSU Environment Auto-Detection
- Added Get-PSUInstalledEnvironment function to detect Azure Web App vs on-premises deployment
- Configuration page now displays deployment environment with visual indicator
- Managed Identity auth option shows warning when running on-premises
- Prevents saving Managed Identity configuration in unsupported environments
## 0.2.7 - PSResourceGet Publishing Fix
- Switched from Publish-Module to Publish-PSResource for publishing
- Root cause: PowerShellGet v2's Publish-Module uses Get-ChildItem WITHOUT -Force
- This excludes hidden directories (.universal) on Unix systems (macOS/Linux)
- PSResourceGet uses .NET Directory.GetFiles/GetDirectories which includes all files
- See: https://github.com/PowerShell/PowerShellGetv2/blob/master/src/PowerShellGet/public/psgetfunctions/Publish-Module.ps1
## 0.2.6 - FileList Fix for .universal Directory (Failed)
- Added explicit FileList to manifest to include .universal/dashboards.ps1
- Publish-Module was excluding dot-prefixed directories without FileList
## 0.2.5 - PSU App Auto-Registration (Republish)
- Republish to verify .universal directory is included in package
## 0.2.4 - PSU App Auto-Registration Fix
- Fixed: Include .universal directory in published module
- PSU now auto-discovers and creates the CIEM app when module is installed
- App registration uses -Module/-Command pattern for PSU Gallery compatibility
## 0.2.0 - PSU App Integration
- Added New-DevolutionsCIEMApp function for PSU module-based discovery
- Switched from -FilePath to -Module/-Command pattern for PSU Gallery compatibility
- App now auto-discovers when module is installed to PSU Modules directory
## 0.1.0 - Initial Release
- 46 Azure identity-focused security checks
- Entra ID: 15 checks (MFA, conditional access, security defaults, etc.)
- IAM/RBAC: 3 checks (custom roles, permissions)
- KeyVault: 10 checks (access policies, RBAC, expiration)
- Storage: 18 checks (access controls, encryption, network rules)
- Parallel check execution with ForEach-Object -Parallel
- Auto-detect Azure authentication (Managed Identity, CLI, Interactive)
FileList
- Devolutions.CIEM.nuspec
- AzureChecks.schema.json
- Public\Get-PSUInstalledEnvironment.ps1
- Public\Sync-ProwlerCheck.ps1
- Private\Initialize-EntraService.ps1
- Private\Get-AzureAuthContext.ps1
- Private\Assert-CIEMAuthenticated.ps1
- Checks\Azure\Test-StorageDefaultNetworkAccessRuleIsDenied.ps1
- Checks\Azure\Test-KeyvaultLoggingEnabled.ps1
- Checks\Azure\Test-StorageDefaultToEntraAuthorizationEnabled.ps1
- Checks\Azure\Test-EntraPolicyEnsureDefaultUserCannotCreateApp.ps1
- Checks\Azure\Test-KeyvaultRecoverable.ps1
- Checks\Azure\Test-StorageAccountKeyAccessDisabled.ps1
- config.json
- Public\Get-CIEMRequiredPermission.ps1
- Public\Get-CIEMCheck.ps1
- Private\Test-AzureChecksSchema.ps1
- Private\Convert-ProwlerCheck.ps1
- Private\Invoke-AzureApi.ps1
- Checks\Azure\Test-KeyvaultPrivateEndpoint.ps1
- Checks\Azure\Test-IamSubscriptionRolesOwnerCustomNotCreated.ps1
- Checks\Azure\Test-StorageEnsureEncryptionWithCustomerManagedKey.ps1
- Checks\Azure\Test-StorageEnsureFileSharesSoftDeleteIsEnabled.ps1
- Checks\Azure\Test-EntraPolicyGuestInviteOnlyForAdminRole.ps1
- Checks\Azure\Test-StorageEnsurePrivateEndpointInStorageAccount.ps1
- Devolutions.CIEM.psm1
- Public\New-PSUAzureServicePrincipal.ps1
- Public\Get-ProwlerCheck.ps1
- Private\Test-AzureConnection.ps1
- Private\Test-KeyVaultItemExpiration.ps1
- Private\Initialize-StorageService.ps1
- Checks\Azure\Test-KeyvaultRbacSecretExpirationSet.ps1
- Checks\Azure\Test-KeyvaultKeyExpirationSetInNonRbac.ps1
- Checks\Azure\Test-KeyvaultNonRbacSecretExpirationSet.ps1
- Checks\Azure\Test-IamCustomRoleHasPermissionToAdministerResourceLock.ps1
- Checks\Azure\Test-EntraSecurityDefaultsEnabled.ps1
- Checks\Azure\Test-EntraPolicyDefaultUserCannotCreateSecurityGroup.ps1
- Devolutions.CIEM.psd1
- Public\New-CIEMAzureManagedIdentity.ps1
- Public\Save-CIEMConfig.ps1
- Private\New-CIEMFinding.ps1
- Private\Get-CheckMetadata.ps1
- Checks\Azure\Test-IamRoleUserAccessAdminRestricted.ps1
- Checks\Azure\Test-StorageEnsureMinimumTlsVersion12.ps1
- Checks\Azure\Test-StorageGeoRedundantEnabled.ps1
- Checks\Azure\Test-StorageBlobVersioningIsEnabled.ps1
- Checks\Azure\Test-EntraGlobalAdminInLessThanFiveUsers.ps1
- Checks\Azure\Test-StorageEnsureAzureServicesAreTrustedToAccessIsEnabled.ps1
- Checks\Azure\Test-EntraTrustedNamedLocationExist.ps1
- .env
- Public\Get-CIEMProvider.ps1
- Public\Invoke-CIEMScan.ps1
- Private\Test-EntraAuthorizationPolicyBooleanSetting.ps1
- Private\Test-GitRemote.ps1
- Checks\Azure\Test-StorageBlobPublicAccessLevelIsDisabled.ps1
- Checks\Azure\Test-EntraNonPrivilegedUserHasMfa.ps1
- Checks\Azure\Test-StorageSmbChannelEncryptionWithSecureAlgorithm.ps1
- Checks\Azure\Test-EntraPolicyEnsureDefaultUserCannotCreateTenant.ps1
- Checks\Azure\Test-KeyvaultRbacEnabled.ps1
- Checks\Azure\Test-EntraPolicyGuestUserAccessRestriction.ps1
- Checks\Azure\Test-KeyvaultRbacKeyExpirationSet.ps1
- AzureChecks.json
- Public\Get-CIEMAuthenticationContext.ps1
- Public\Write-CIEMLog.ps1
- Private\Initialize-IAMService.ps1
- Private\Get-CIEMConfig.ps1
- Checks\Azure\Test-StorageSmbProtocolVersionIsLatest.ps1
- Checks\Azure\Test-EntraPrivilegedUserHasMfa.ps1
- Checks\Azure\Test-KeyvaultPublicNetworkAccessDisabled.ps1
- Checks\Azure\Test-EntraUserCannotCreateMicrosoft365Group.ps1
- Checks\Azure\Test-EntraConditionalAccessPolicyRequireMfaForManagementApi.ps1
- Checks\Azure\Test-StorageSecureTransferRequiredIsEnabled.ps1
- Checks\Azure\Test-StorageCrossTenantReplicationDisabled.ps1
- Public\Test-CIEMAuthenticated.ps1
- Public\Connect-CIEM.ps1
- Private\Initialize-KeyVaultService.ps1
- Private\Set-CIEMConfig.ps1
- Checks\Azure\Test-EntraPolicyUserConsentForVerifiedApp.ps1
- Checks\Azure\Test-KeyvaultKeyRotationEnabled.ps1
- Checks\Azure\Test-StorageInfrastructureEncryptionIsEnabled.ps1
- Checks\Azure\Test-StorageEnsureSoftDeleteIsEnabled.ps1
- Checks\Azure\Test-StorageKeyRotation90Day.ps1
- Checks\Azure\Test-EntraUserWithVmAccessHasMfa.ps1
- Checks\Azure\Test-EntraPolicyRestrictUserConsentForApp.ps1
- .universal\dashboards.ps1
- Public\Get-CIEMConfigPath.ps1
- Private\Get-AllGraphPage.ps1
- Private\Test-StorageAccountProperty.ps1
- Private\Get-SupportedProvider.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 0.2.60 (current version) | 4 | 1/30/2026 |
| 0.2.59 | 4 | 1/30/2026 |
| 0.2.58 | 3 | 1/30/2026 |
| 0.2.57 | 3 | 1/30/2026 |
| 0.2.56 | 3 | 1/30/2026 |
| 0.2.55 | 3 | 1/30/2026 |
| 0.2.54 | 4 | 1/30/2026 |
| 0.2.53 | 3 | 1/30/2026 |
| 0.2.52 | 3 | 1/30/2026 |
| 0.2.51 | 3 | 1/30/2026 |
| 0.2.50 | 3 | 1/30/2026 |
| 0.2.49 | 3 | 1/30/2026 |
| 0.2.48 | 3 | 1/30/2026 |
| 0.2.47 | 4 | 1/30/2026 |
| 0.2.46 | 3 | 1/30/2026 |
| 0.2.45 | 3 | 1/30/2026 |
| 0.2.44 | 4 | 1/30/2026 |
| 0.2.43 | 3 | 1/30/2026 |
| 0.2.42 | 3 | 1/30/2026 |
| 0.2.41 | 5 | 1/29/2026 |
| 0.2.40 | 4 | 1/29/2026 |
| 0.2.39 | 4 | 1/29/2026 |
| 0.2.38 | 4 | 1/29/2026 |
| 0.2.37 | 4 | 1/29/2026 |
| 0.2.36 | 5 | 1/29/2026 |
| 0.2.35 | 3 | 1/29/2026 |
| 0.2.34 | 4 | 1/29/2026 |
| 0.2.33 | 3 | 1/29/2026 |
| 0.2.32 | 4 | 1/29/2026 |
| 0.2.31 | 4 | 1/29/2026 |
| 0.2.30 | 4 | 1/29/2026 |
| 0.2.29 | 5 | 1/29/2026 |
| 0.2.28 | 3 | 1/29/2026 |
| 0.2.27 | 5 | 1/29/2026 |
| 0.2.26 | 5 | 1/29/2026 |
| 0.2.24 | 4 | 1/29/2026 |
| 0.2.23 | 5 | 1/29/2026 |
| 0.2.22 | 3 | 1/29/2026 |
| 0.2.21 | 6 | 1/28/2026 |
| 0.2.18 | 4 | 1/28/2026 |
| 0.2.17 | 5 | 1/28/2026 |
| 0.2.15 | 4 | 1/28/2026 |
| 0.2.13 | 5 | 1/28/2026 |
| 0.2.11 | 5 | 1/28/2026 |
| 0.2.10 | 3 | 1/28/2026 |
| 0.2.9 | 4 | 1/28/2026 |
| 0.2.7 | 6 | 1/27/2026 |
| 0.2.5 | 4 | 1/27/2026 |
| 0.2.4 | 7 | 1/27/2026 |
| 0.2.3 | 4 | 1/27/2026 |
| 0.2.1 | 6 | 1/27/2026 |
| 0.2.0 | 4 | 1/27/2026 |
| 0.1.1 | 5 | 1/27/2026 |
| 0.1.0-alpha | 3 | 1/27/2026 |