en-US/about_EntraIDSecurityScripts.help.txt
TOPIC
    about_EntraIDSecurityScripts

SHORT DESCRIPTION
    PowerShell module for auditing and securing Microsoft Entra ID (Azure AD).
    Provides comprehensive security assessment functions for identity,
    authentication, Conditional Access, and application permissions.

LONG DESCRIPTION
    EntraIDSecurityScripts is a PowerShell module designed for security
    professionals, IT administrators, and compliance teams working with
    Microsoft Entra ID (formerly Azure AD).

    The module provides twelve specialized audit functions covering:

    - Conditional Access policy exclusions
    - Legacy authentication sign-ins
    - MFA compliance for privileged users
    - PIM role assignments and Zero Trust compliance (NEW v2.5.0)
    - Shadow IT detection via user app consents
    - Excessive application permissions
    - Inactive user accounts without MFA
    - On-premises synced admin accounts
    - Unprotected service principals (with credential removal)
    - Mail.Send permission auditing for Application Access Policy scoping
    - Dormant enterprise applications

GETTING STARTED
    1. Install the module:
       Install-Module -Name EntraIDSecurityScripts -Scope CurrentUser

    2. Import the module:
       Import-Module EntraIDSecurityScripts

    3. Connect to Microsoft Graph:
       Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All'

    4. Run your first audit:
       Get-LegacyAuthSignIns

AVAILABLE FUNCTIONS
    Get-ConditionalAccessExclusions
        Audits all exclusions in Conditional Access policies. Identifies
        high-risk exclusions (large groups, privileged users).
        Example:
            Get-ConditionalAccessExclusions | Where-Object { $_.RiskLevel -eq 'HIGH' }

    Get-LegacyAuthSignIns
        Finds sign-ins using legacy authentication protocols (IMAP, POP3, SMTP).
        v2.4.0: Now queries each protocol separately for better performance.
        Example:
            Get-LegacyAuthSignIns -Days 30

    Get-AdminsWithoutPhishingResistantMFA
        Identifies privileged users without FIDO2, Windows Hello, or
        Certificate MFA. Checks all critical admin roles.
        Example:
            Get-AdminsWithoutPhishingResistantMFA

    Get-PIMRoleAssignments (NEW v2.5.0)
        Audits Privileged Identity Management (PIM) role assignments.
        Identifies eligible (JIT) vs permanent assignments, policy gaps, and
        unused eligible assignments. Critical for Zero Trust compliance.
        Example:
            Get-PIMRoleAssignments
            Get-PIMRoleAssignments -ShowEligibleOnly $true
            Get-PIMRoleAssignments -IncludeInactive $true
            Get-PIMRoleAssignments -ShowActivationHistory $true

    Get-UserConsentedApplications
        Discovers "Shadow IT" by auditing user-consented applications.
        Performance optimized with parallel processing (PowerShell 7+).
        Example:
            Get-UserConsentedApplications -ThrottleLimit 20

    Get-InactiveUsersWithoutMFA
        Finds dormant user accounts (90+ days inactive) without MFA enabled.
        Example:
            Get-InactiveUsersWithoutMFA -DaysInactive 180

    Get-ExcessiveAppPermissions
        Audits applications with overprivileged Microsoft Graph API permissions.
        Example:
            Get-ExcessiveAppPermissions

    Get-SyncedPrivilegedAccounts
        Finds on-premises synced admin accounts (cloud-only recommended).
        Example:
            Get-SyncedPrivilegedAccounts

    Get-UnprotectedServicePrincipals
        Identifies service principals with credential issues (expired, no
        expiry). NEW: Can remove expired credentials with
        -RemoveExpiredCredentials. Supports -WhatIf for safe preview.
        Example:
            Get-UnprotectedServicePrincipals -RemoveExpiredCredentials -WhatIf

    Get-MailSendAppAudit
        Audits applications with Mail.Send permissions to determine if they
        can be scoped using Application Access Policies. Excludes Microsoft
        first-party apps and checks audit logs for actual send activity.
        Requires: Connect-IPPSSession (for audit log access)
        Example:
            Connect-MgGraph -Scopes "Application.Read.All"
            Connect-IPPSSession
            Get-MailSendAppAudit -Days 30

    Get-DormantEnterpriseApplications (NEW)
        Finds enterprise applications with no recent sign-in activity. Can
        disable dormant apps with -DisableApps. Supports -WhatIf for safe
        preview.
        Example:
            Get-DormantEnterpriseApplications -DaysInactive 90
            Get-DormantEnterpriseApplications -DisableApps -WhatIf
            Get-DormantEnterpriseApplications -DisabledOnly

    Test-EntraIDSecurityModuleConnection
        Verifies Microsoft Graph connection and required permissions.
        Example:
            Test-EntraIDSecurityModuleConnection

REQUIRED PERMISSIONS
    This module requires the following Microsoft Graph API permissions:

    - Directory.Read.All (Read users, groups, roles)
    - AuditLog.Read.All (Read sign-in logs)
    - Policy.Read.All (Read Conditional Access policies)
    - RoleManagement.Read.Directory (Read PIM role assignments)
    - Application.Read.All (Read app registrations)
    - Application.ReadWrite.All (Remove credentials / disable apps)
    - DelegatedPermissionGrant.Read.All (Read OAuth consents)

    Connect with all permissions:

    Connect-MgGraph -Scopes @(
        'Directory.Read.All'
        'AuditLog.Read.All'
        'Policy.Read.All'
        'RoleManagement.Read.Directory'
        'Application.Read.All'
        'Application.ReadWrite.All'
        'DelegatedPermissionGrant.Read.All'
    )

CREDENTIAL REMOVAL (Get-UnprotectedServicePrincipals)
    Remove expired credentials safely with WhatIf support:

    # Preview what would be removed (safe - no changes made)
    Get-UnprotectedServicePrincipals -RemoveExpiredCredentials -WhatIf

    # Actually remove expired credentials (prompts for confirmation)
    Get-UnprotectedServicePrincipals -RemoveExpiredCredentials

    # Skip confirmation (use with caution!)
    Get-UnprotectedServicePrincipals -RemoveExpiredCredentials -Confirm:$false

    Requires: Application.ReadWrite.All permission

DORMANT APP MANAGEMENT (Get-DormantEnterpriseApplications)
    Find and manage unused enterprise applications:

    # Find apps inactive for 90+ days (default)
    Get-DormantEnterpriseApplications

    # Find apps inactive for 180+ days
    Get-DormantEnterpriseApplications -DaysInactive 180

    # Preview which apps would be disabled
    Get-DormantEnterpriseApplications -DisableApps -WhatIf

    # Actually disable dormant apps
    Get-DormantEnterpriseApplications -DisableApps

    # List all currently disabled apps
    Get-DormantEnterpriseApplications -DisabledOnly

    # Export for review
    Get-DormantEnterpriseApplications -ExportPath "dormant-apps.csv"

    Requires: Application.ReadWrite.All permission for disabling

RISK LEVELS
    All audit functions provide risk level assessments:

    CRITICAL - Immediate action required
        Examples: Dormant app with high-risk permissions

    HIGH - Review urgently
        Examples: IMAP/POP3 usage, Global Admin without MFA

    MEDIUM - Schedule for review
        Examples: Dormant user accounts, large group exclusions

    LOW - Monitor
        Examples: Low-privilege apps, compliant configurations

PERFORMANCE TIPS
    Get-LegacyAuthSignIns (v2.4.0+):
    - Queries each legacy protocol separately (server-side filtering)
    - No more MaxResults limit - gets ALL legacy auth sign-ins
    - Much faster for large tenants

    Get-UserConsentedApplications:
    - Use -ThrottleLimit to control parallel processing (default: 10, max: 50)
    - Requires PowerShell 7+ for parallel processing (falls back to
      sequential on 5.1)

    All functions:
    - Use -Verbose for detailed progress information
    - Export to CSV for large result sets

EXAMPLES
    Example 1: Find all legacy authentication sign-ins
    -----------------------------------------------
    Get-LegacyAuthSignIns

    Returns legacy auth sign-ins from the last 7 days.
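    Example 1 extended into the Pre-Legacy Auth Block workflow listed under
    COMMON WORKFLOWS (steps 1 to 3), as an added example that is not part of
    the module. It assumes the sign-in objects returned by
    Get-LegacyAuthSignIns carry a UserPrincipalName property, as the
    workflow's Group-Object step implies; the function name and CSV layout
    are ours.

```powershell
# Added example (not module code): Pre-Legacy Auth Block impact list.
# Assumption: Get-LegacyAuthSignIns returns one object per sign-in with a
# UserPrincipalName property. The function name and CSV columns are ours.
function Get-LegacyAuthBlockImpact {
    [CmdletBinding()]
    param(
        [int]$Days = 30,
        [string]$ExportPath = 'legacy-auth-impact.csv'
    )

    # Step 1: include failed sign-ins too; a client that fails today still
    # belongs to a user who will be affected once the block is enabled.
    $signIns = Get-LegacyAuthSignIns -Days $Days -IncludeFailed $true

    if (-not $signIns) {
        Write-Host "No legacy auth sign-ins in the last $Days days; nothing to contact."
        return
    }

    # Step 2: one row per user, heaviest legacy-auth users first, so the
    # helpdesk works the list from the top.
    $perUser = $signIns |
        Group-Object -Property UserPrincipalName |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                SignInCount       = $_.Count
                WindowDays        = $Days
            }
        }

    # Step 3: hand the list to whoever contacts the affected users.
    $perUser | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Host ('{0} users still use legacy auth; list written to {1}' -f @($perUser).Count, $ExportPath)

    # Step 4 (the Conditional Access block itself) stays a separate, reviewed
    # change; rerun this function afterwards and expect an empty list.
    $perUser
}

Get-LegacyAuthBlockImpact -Days 30
```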
    Example 2: Quick Shadow IT scan
    -----------------------------------------------
    Get-UserConsentedApplications | Where-Object { $_.RiskLevel -in @('CRITICAL', 'HIGH') }

    Shows only high-risk user-consented applications.

    Example 3: Check admin MFA compliance
    -----------------------------------------------
    Get-AdminsWithoutPhishingResistantMFA | Export-Csv -Path admins-no-mfa.csv -NoTypeInformation

    Exports all privileged users without phishing-resistant MFA.

    Example 4: Clean up expired credentials
    -----------------------------------------------
    Get-UnprotectedServicePrincipals -RemoveExpiredCredentials -WhatIf

    Preview which expired credentials would be removed.

    Example 5: Find and disable dormant apps
    -----------------------------------------------
    Get-DormantEnterpriseApplications -DaysInactive 180 -DisableApps -WhatIf

    Preview disabling apps unused for 6+ months.

COMMON WORKFLOWS
    Zero Trust Assessment:
    ----------------------
    1. Get-LegacyAuthSignIns
    2. Get-AdminsWithoutPhishingResistantMFA
    3. Get-ConditionalAccessExclusions
    4. Get-UserConsentedApplications

    Application Hygiene:
    -------------------
    1. Get-DormantEnterpriseApplications -DaysInactive 180
    2. Get-UnprotectedServicePrincipals
    3. Get-ExcessiveAppPermissions
    4. Get-MailSendAppAudit

    Compliance Audit:
    ----------------
    1. Get-InactiveUsersWithoutMFA
    2. Get-SyncedPrivilegedAccounts
    3. Get-UnprotectedServicePrincipals
    4. Get-ExcessiveAppPermissions

    Pre-Legacy Auth Block:
    ---------------------
    1. Get-LegacyAuthSignIns -Days 30 -IncludeFailed $true
    2. Group-Object UserPrincipalName | Sort-Object Count -Descending
    3. Contact affected users
    4. Enable CA policy to block legacy auth

TROUBLESHOOTING
    Problem: "Not connected to Microsoft Graph"
    Solution: Run Connect-MgGraph with required scopes

    Problem: "Insufficient privileges to complete the operation"
    Solution: Ensure you have the required Graph API permissions

    Problem: Slow performance
    Solution: Use PowerShell 7+ for parallel processing
              Use -Verbose to monitor progress

    Problem: Permission grants not found
    Solution: Ensure DelegatedPermissionGrant.Read.All scope is consented

    Problem: Cannot remove credentials / disable apps
    Solution: Reconnect with Application.ReadWrite.All scope

SEE ALSO
    Get-Help Get-LegacyAuthSignIns -Full
    Get-Help Get-DormantEnterpriseApplications -Full
    Get-Help Get-UnprotectedServicePrincipals -Examples

    Online Resources:
    - PowerShell Gallery: https://www.powershellgallery.com/packages/EntraIDSecurityScripts
    - GitHub: https://github.com/kentagent-ai/EntraIDSecurityScripts
    - Blog: https://cloudidentity.se

KEYWORDS
    Entra ID, Azure AD, Security, Audit, Conditional Access, MFA, Legacy Auth,
    Zero Trust, Compliance, Microsoft Graph, Identity, Authentication
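    The Zero Trust Assessment workflow from COMMON WORKFLOWS run end to end as
    one function, added here as an example that is not part of the module. It
    assumes every audit function returns objects with a RiskLevel property
    (the page shows that property for two functions and states that all of
    them assess risk); the function name and the report columns are ours.

```powershell
# Added example (not module code): Zero Trust Assessment in one pass,
# keeping only CRITICAL/HIGH findings in a single CSV.
# Assumption: each audit emits objects with a RiskLevel property.
function Invoke-ZeroTrustAssessment {
    [CmdletBinding()]
    param(
        [string]$ReportPath = ('zero-trust-findings-{0:yyyyMMdd}.csv' -f (Get-Date)),
        [string[]]$RiskLevels = @('CRITICAL', 'HIGH')
    )

    # Show connection and scope status before the first audit runs
    # (see TROUBLESHOOTING for the errors this catches early).
    Test-EntraIDSecurityModuleConnection | Out-Host

    # The four audits of the workflow, in the documented order.
    $audits = @(
        { Get-LegacyAuthSignIns },
        { Get-AdminsWithoutPhishingResistantMFA },
        { Get-ConditionalAccessExclusions },
        { Get-UserConsentedApplications }
    )

    $findings = foreach ($audit in $audits) {
        $name = $audit.ToString().Trim()
        Write-Verbose "Running $name"
        try {
            # Normalize to Audit/RiskLevel/Details so audits with different
            # columns fit in one CSV.
            & $audit |
                Where-Object { $_.RiskLevel -in $RiskLevels } |
                ForEach-Object {
                    $details = ($_.PSObject.Properties |
                        Where-Object Name -ne 'RiskLevel' |
                        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
                    [pscustomobject]@{ Audit = $name; RiskLevel = $_.RiskLevel; Details = $details }
                }
        }
        catch {
            # One failing audit (e.g. a missing scope) must not abort the rest.
            Write-Warning "$name failed: $($_.Exception.Message)"
        }
    }

    $findings | Export-Csv -Path $ReportPath -NoTypeInformation

    # Counts per audit and risk level; CRITICAL sorts before HIGH.
    $findings | Group-Object -Property Audit, RiskLevel |
        Select-Object Name, Count | Sort-Object Name
}

Invoke-ZeroTrustAssessment -Verbose
```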