EntraIDSecurityScripts.psd1
|
@{ # Module identification RootModule = 'EntraIDSecurityScripts.psm1' ModuleVersion = '2.2.1' GUID = 'a3b5c7d9-e1f2-4a6b-8c0d-2e4f6a8b0c2d' # Author information Author = 'Kent Agent (kentagent-ai)' CompanyName = 'Cloud Identity AB' Copyright = '(c) 2026 Kent Agent. MIT License.' # Module description Description = 'PowerShell module for auditing and securing Microsoft Entra ID (Azure AD). Includes functions for auditing Conditional Access exclusions, legacy authentication sign-ins, and privileged user MFA configuration.' # Minimum PowerShell version PowerShellVersion = '7.0' # Required modules (commented out to allow installation without Graph pre-installed) # Users should install Microsoft.Graph.Authentication separately # RequiredModules = @('Microsoft.Graph.Authentication') # Functions to export FunctionsToExport = @( 'Get-ConditionalAccessExclusions' 'Get-LegacyAuthSignIns' 'Get-AdminsWithoutPhishingResistantMFA' 'Get-UserConsentedApplications' 'Get-InactiveUsersWithoutMFA' 'Get-ExcessiveAppPermissions' 'Get-SyncedPrivilegedAccounts' 'Get-UnprotectedServicePrincipals' 'Test-EntraIDSecurityModuleConnection' ) # Cmdlets to export (none - this is a script module) CmdletsToExport = @() # Variables to export (none) VariablesToExport = @() # Aliases to export AliasesToExport = @() # Private data / PSData for PowerShell Gallery PrivateData = @{ PSData = @{ # Tags for PowerShell Gallery discovery Tags = @( 'EntraID' 'AzureAD' 'Security' 'Audit' 'ConditionalAccess' 'MFA' 'Identity' 'Microsoft365' 'Graph' 'Compliance' 'ZeroTrust' ) # License URI LicenseUri = 'https://github.com/kentagent-ai/EntraIDSecurityScripts/blob/main/LICENSE' # Project URI ProjectUri = 'https://github.com/kentagent-ai/EntraIDSecurityScripts' # Icon URI (optional) # IconUri = '' # Release notes ReleaseNotes = @' ## Version 2.2.1 - March 2026 DOCUMENTATION UPDATE - Complete help system! ### New Documentation: - README.md with comprehensive examples and quick start guide - about_EntraIDSecurityScripts.help.txt for PowerShell's help system - All functions now fully discoverable via Get-Help - Quick reference cards and workflow examples ### Help Commands: ```powershell # Module overview Get-Help about_EntraIDSecurityScripts # Function help Get-Help Get-LegacyAuthSignIns -Full Get-Help Get-UserConsentedApplications -Examples # List all commands Get-Command -Module EntraIDSecurityScripts ``` ## Version 2.2.0 - March 2026 MAJOR PERFORMANCE UPDATE - Parallel processing & smart batching! ### Performance Improvements: - Get-UserConsentedApplications: * Parallel processing with ForEach-Object -Parallel (PowerShell 7+) * Batched user lookups (15 users per API call vs 1 per user) * Property selection (-Select) reduces payload size * Progress tracking for long operations * **5-10x faster** on large tenants - Get-LegacyAuthSignIns: * Combined interactive/non-interactive queries into single paginated fetch * Server-side property selection reduces bandwidth * Smart pagination with progress tracking * MaxResults parameter for quick scans * **3-5x faster** with lower memory usage ### New Parameters: - Get-UserConsentedApplications: -ThrottleLimit (default 10, max 50) - Get-LegacyAuthSignIns: -MaxResults (default 5000, controls scan depth) ### Breaking Changes: None - fully backward compatible. PowerShell 7+ recommended for parallel processing. ## Version 2.1.0 PERFORMANCE UPDATE - Significant speed improvements! ### Performance Improvements: - Get-InactiveUsersWithoutMFA: Filter at API level (5-10x faster) - Get-ExcessiveAppPermissions: Filter Microsoft apps at API level - All functions: Use -Select to only retrieve needed properties - Added -MaxResults parameter for quick scans - Optimized MFA checks (only check inactive users) ### Breaking Changes: None - fully backward compatible ## Version 2.0.0 MAJOR UPDATE - 5 new security audit functions! ### New Functions: - Get-UserConsentedApplications - Discover "Shadow IT" via user consents - Get-InactiveUsersWithoutMFA - Find dormant accounts without MFA - Get-ExcessiveAppPermissions - Audit overprivileged Graph API permissions - Get-SyncedPrivilegedAccounts - Find on-prem synced admin accounts - Get-UnprotectedServicePrincipals - Service principals with credential issues ### Improvements: - Risk scoring across all functions (CRITICAL/HIGH/MEDIUM/LOW) - Better summary output with color-coded warnings - Enhanced documentation ## Version 1.0.0-1.0.2 Initial release with the following functions: ### Get-ConditionalAccessExclusions - Audits all exclusions in Conditional Access policies - Resolves GUIDs to display names - Risk assessment for large group exclusions - Export to CSV support ### Get-LegacyAuthSignIns - Finds sign-ins using legacy authentication (IMAP, POP3, SMTP, etc.) - Queries both interactive AND non-interactive sign-ins - Risk level assessment per protocol - Summary statistics and recommendations ### Get-AdminsWithoutPhishingResistantMFA - Identifies privileged users without FIDO2/WHfB/Certificate MFA - Checks all critical admin roles - Risk level based on role criticality - Compliance summary ### Test-EntraIDSecurityModuleConnection - Verifies Microsoft Graph connection - Checks for required permission scopes '@ # Prerelease tag (for beta versions) # Prerelease = 'beta' # Require license acceptance RequireLicenseAcceptance = $false # External module dependencies (not in PSGallery) # ExternalModuleDependencies = @() } } # Help info URI HelpInfoURI = 'https://github.com/kentagent-ai/EntraIDSecurityScripts/blob/main/docs/' } |