EntraIDSecurityScripts
2.2.0
PowerShell module for auditing and securing Microsoft Entra ID (Azure AD). Includes functions for auditing Conditional Access exclusions, legacy authentication sign-ins, and privileged user MFA configuration.
Minimum PowerShell version
7.0
Copyright
(c) 2026 Kent Agent. MIT License.
Package Details
Author(s)
- Kent Agent (kentagent-ai)
Tags
EntraID AzureAD Security Audit ConditionalAccess MFA Identity Microsoft365 Graph Compliance ZeroTrust
Functions
Get-ConditionalAccessExclusions Get-LegacyAuthSignIns Get-AdminsWithoutPhishingResistantMFA Get-UserConsentedApplications Get-InactiveUsersWithoutMFA Get-ExcessiveAppPermissions Get-SyncedPrivilegedAccounts Get-UnprotectedServicePrincipals Test-EntraIDSecurityModuleConnection
Dependencies
This module has no dependencies.
Release Notes
## Version 2.2.0 - March 2026
MAJOR PERFORMANCE UPDATE - Parallel processing & smart batching!
### Performance Improvements:
- Get-UserConsentedApplications:
  * Parallel processing with ForEach-Object -Parallel (PowerShell 7+)
  * Batched user lookups (15 users per API call vs 1 per user)
  * Property selection (-Select) reduces payload size
  * Progress tracking for long operations
  * **5-10x faster** on large tenants
- Get-LegacyAuthSignIns:
  * Combined interactive/non-interactive queries into single paginated fetch
  * Server-side property selection reduces bandwidth
  * Smart pagination with progress tracking
  * MaxResults parameter for quick scans
  * **3-5x faster** with lower memory usage
### New Parameters:
- Get-UserConsentedApplications: -ThrottleLimit (default 10, max 50)
- Get-LegacyAuthSignIns: -MaxResults (default 5000, controls scan depth)
### Breaking Changes:
None - fully backward compatible. PowerShell 7+ recommended for parallel processing.
## Version 2.1.0
PERFORMANCE UPDATE - Significant speed improvements!
### Performance Improvements:
- Get-InactiveUsersWithoutMFA: Filter at API level (5-10x faster)
- Get-ExcessiveAppPermissions: Filter Microsoft apps at API level
- All functions: Use -Select to only retrieve needed properties
- Added -MaxResults parameter for quick scans
- Optimized MFA checks (only check inactive users)
### Breaking Changes:
None - fully backward compatible
## Version 2.0.0
MAJOR UPDATE - 5 new security audit functions!
### New Functions:
- Get-UserConsentedApplications - Discover "Shadow IT" via user consents
- Get-InactiveUsersWithoutMFA - Find dormant accounts without MFA
- Get-ExcessiveAppPermissions - Audit overprivileged Graph API permissions
- Get-SyncedPrivilegedAccounts - Find on-prem synced admin accounts
- Get-UnprotectedServicePrincipals - Service principals with credential issues
### Improvements:
- Risk scoring across all functions (CRITICAL/HIGH/MEDIUM/LOW)
- Better summary output with color-coded warnings
- Enhanced documentation
## Version 1.0.0-1.0.2
Initial release with the following functions:
### Get-ConditionalAccessExclusions
- Audits all exclusions in Conditional Access policies
- Resolves GUIDs to display names
- Risk assessment for large group exclusions
- Export to CSV support
### Get-LegacyAuthSignIns
- Finds sign-ins using legacy authentication (IMAP, POP3, SMTP, etc.)
- Queries both interactive AND non-interactive sign-ins
- Risk level assessment per protocol
- Summary statistics and recommendations
### Get-AdminsWithoutPhishingResistantMFA
- Identifies privileged users without FIDO2/WHfB/Certificate MFA
- Checks all critical admin roles
- Risk level based on role criticality
- Compliance summary
### Test-EntraIDSecurityModuleConnection
- Verifies Microsoft Graph connection
- Checks for required permission scopes
FileList
- EntraIDSecurityScripts.nuspec
- EntraIDSecurityScripts.psd1
- Public\Get-UserConsentedApplications.ps1
- Public\Get-SyncedPrivilegedAccounts.ps1
- Public\Get-LegacyAuthSignIns.ps1
- Public\Get-ConditionalAccessExclusions.ps1
- Public\Get-AdminsWithoutPhishingResistantMFA.ps1
- Private\Resolve-GraphObjectName.ps1
- EntraIDSecurityScripts.psm1
- Public\Get-InactiveUsersWithoutMFA.ps1
- Public\Get-ExcessiveAppPermissions.ps1
- Public\Get-UnprotectedServicePrincipals.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 2.5.0 | 7 | 3/17/2026 |
| 2.4.0 | 9 | 3/12/2026 |
| 2.3.6 | 5 | 3/12/2026 |
| 2.3.4 | 4 | 3/12/2026 |
| 2.3.3 | 3 | 3/12/2026 |
| 2.3.2 | 4 | 3/12/2026 |
| 2.3.1 | 4 | 3/12/2026 |
| 2.3.0 | 5 | 3/12/2026 |
| 2.2.5 | 5 | 3/12/2026 |
| 2.2.4 | 4 | 3/12/2026 |
| 2.2.3 | 4 | 3/12/2026 |
| 2.2.2 | 5 | 3/12/2026 |
| 2.2.1 | 5 | 3/12/2026 |
| 2.2.0 (current version) | 3 | 3/12/2026 |
| 2.1.0 | 4 | 3/11/2026 |
| 2.0.1 | 5 | 3/11/2026 |
| 2.0.0 | 3 | 3/11/2026 |
| 1.0.2 | 4 | 3/11/2026 |
| 1.0.1 | 3 | 3/11/2026 |
| 1.0.0 | 6 | 3/11/2026 |