EntraIDSecurityScripts
2.0.0
PowerShell module for auditing and securing Microsoft Entra ID (Azure AD). Includes functions for auditing Conditional Access exclusions, legacy authentication sign-ins, and privileged user MFA configuration.
Minimum PowerShell version
7.0
Copyright
(c) 2026 Kent Agent. MIT License.
Package Details
Author(s)
- Kent Agent (kentagent-ai)
Tags
EntraID AzureAD Security Audit ConditionalAccess MFA Identity Microsoft365 Graph Compliance ZeroTrust
Functions
Get-ConditionalAccessExclusions Get-LegacyAuthSignIns Get-AdminsWithoutPhishingResistantMFA Get-UserConsentedApplications Get-InactiveUsersWithoutMFA Get-ExcessiveAppPermissions Get-SyncedPrivilegedAccounts Get-UnprotectedServicePrincipals Test-EntraIDSecurityModuleConnection
Dependencies
This module has no dependencies.
Release Notes
## Version 2.0.0
MAJOR UPDATE - 5 new security audit functions!
### New Functions:
- Get-UserConsentedApplications - Discover "Shadow IT" via user consents
- Get-InactiveUsersWithoutMFA - Find dormant accounts without MFA
- Get-ExcessiveAppPermissions - Audit overprivileged Graph API permissions
- Get-SyncedPrivilegedAccounts - Find on-prem synced admin accounts
- Get-UnprotectedServicePrincipals - Service principals with credential issues
### Improvements:
- Risk scoring across all functions (CRITICAL/HIGH/MEDIUM/LOW)
- Better summary output with color-coded warnings
- Enhanced documentation
## Version 1.0.0-1.0.2
Initial release with the following functions:
### Get-ConditionalAccessExclusions
- Audits all exclusions in Conditional Access policies
- Resolves GUIDs to display names
- Risk assessment for large group exclusions
- Export to CSV support
### Get-LegacyAuthSignIns
- Finds sign-ins using legacy authentication (IMAP, POP3, SMTP, etc.)
- Queries both interactive AND non-interactive sign-ins
- Risk level assessment per protocol
- Summary statistics and recommendations
### Get-AdminsWithoutPhishingResistantMFA
- Identifies privileged users without FIDO2, Windows Hello for Business (WHfB), or certificate-based MFA
- Checks all critical admin roles
- Risk level based on role criticality
- Compliance summary
### Test-EntraIDSecurityModuleConnection
- Verifies Microsoft Graph connection
- Checks for required permission scopes
FileList
- EntraIDSecurityScripts.nuspec
- EntraIDSecurityScripts.psd1
- Public\Get-UserConsentedApplications.ps1
- Public\Get-SyncedPrivilegedAccounts.ps1
- Public\Get-LegacyAuthSignIns.ps1
- Public\Get-ConditionalAccessExclusions.ps1
- Public\Get-AdminsWithoutPhishingResistantMFA.ps1
- Private\Resolve-GraphObjectName.ps1
- EntraIDSecurityScripts.psm1
- Public\Get-InactiveUsersWithoutMFA.ps1
- Public\Get-ExcessiveAppPermissions.ps1
- Public\Get-UnprotectedServicePrincipals.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 2.5.0 | 7 | 3/17/2026 |
| 2.4.0 | 9 | 3/12/2026 |
| 2.3.6 | 5 | 3/12/2026 |
| 2.3.4 | 4 | 3/12/2026 |
| 2.3.3 | 3 | 3/12/2026 |
| 2.3.2 | 4 | 3/12/2026 |
| 2.3.1 | 4 | 3/12/2026 |
| 2.3.0 | 5 | 3/12/2026 |
| 2.2.5 | 5 | 3/12/2026 |
| 2.2.4 | 4 | 3/12/2026 |
| 2.2.3 | 4 | 3/12/2026 |
| 2.2.2 | 5 | 3/12/2026 |
| 2.2.1 | 5 | 3/12/2026 |
| 2.2.0 | 3 | 3/12/2026 |
| 2.1.0 | 4 | 3/11/2026 |
| 2.0.1 | 5 | 3/11/2026 |
| 2.0.0 (current version) | 3 | 3/11/2026 |
| 1.0.2 | 4 | 3/11/2026 |
| 1.0.1 | 3 | 3/11/2026 |
| 1.0.0 | 6 | 3/11/2026 |