Added: enumeration of the effective Entra ID tenant license

zh54321 · zh54321 · commit 46d709696587 · 2026-01-15T18:08:01.000+01:00
Change module import to be independent from the current directory.
diff --git a/modules/export_Summary.psm1 b/modules/export_Summary.psm1
@@ -94,6 +94,7 @@ return @"
     $headerHTML = [pscustomobject]@{ 
         "Tenant Name"                           = $($GlobalAuditSummary.Tenant.Name)
         "Tenant ID"                             = $($GlobalAuditSummary.Tenant.ID)
+        "Tenant License"                        = $($GlobalAuditSummary.TenantLicense.Name)
         "Subscriptions"                         = $SubscriptionCount
         "Start Time"                            = $($GlobalAuditSummary.Time.Start)
         "End Time"                              = $($GlobalAuditSummary.Time.End)
@@ -704,14 +705,15 @@ $CustomCss = @"
 
 $OutputCLI = @"
 Execution Information:
-    - Tenant Name:   $($GlobalAuditSummary.Tenant.Name)
-    - Tenant ID:     $($GlobalAuditSummary.Tenant.ID)
-    - Subscriptions: $SubscriptionCount
-    - Start:         $($GlobalAuditSummary.Time.Start)
-    - End:           $($GlobalAuditSummary.Time.End)
-    - EntraFalcon:   $($GlobalAuditSummary.EntraFalcon.Version)
-    - PowerShell:    V$($PSVersionTable.PSVersion.ToString())
-    - UserAgent:     $($GlobalAuditSummary.UserAgent.Name)
+    - Tenant Name:    $($GlobalAuditSummary.Tenant.Name)
+    - Tenant ID:      $($GlobalAuditSummary.Tenant.ID)
+    - Tenant License: $($GlobalAuditSummary.TenantLicense.Name)
+    - Subscriptions:  $SubscriptionCount
+    - Start:          $($GlobalAuditSummary.Time.Start)
+    - End:            $($GlobalAuditSummary.Time.End)
+    - EntraFalcon:    $($GlobalAuditSummary.EntraFalcon.Version)
+    - PowerShell:     V$($PSVersionTable.PSVersion.ToString())
+    - UserAgent:      $($GlobalAuditSummary.UserAgent.Name)
 
 Enhanced Checks:
     - Enumerate Azure IAM:                  $GLOBALAzurePsChecks
diff --git a/modules/shared_Functions.psm1 b/modules/shared_Functions.psm1
@@ -4,7 +4,6 @@
 #>
 
 ############################## Static variables ########################
-import-module ./modules/EntraTokenAid.psm1 -force
 
 $global:GLOBALMainTableDetailsHEAD = @'
 <div id="mainTableContainer">
@@ -3772,8 +3771,9 @@ function start-InitTasks {
 
     $Global:GlobalAuditSummary = @{
         Time                   = @{ Start = Get-Date -Format "yyyyMMdd HH:mm"; End = ""}
-        Tenant                 = @{ Name = "" ; Id = "" }
+        Tenant                 = @{ Name = ""; Id = "" }
         EntraFalcon            = @{ Version = "$EntraFalconVersion"; Source = "https://github.com/CompassSecurity/EntraFalcon" }
+        TenantLicense          = @{ Name = ""; Level = 0}
         Subscriptions          = @{ Count = 0 }
         UserAgent              = @{ Name = $UserAgent}
         Users                  = @{ Count = 0; Guests = 0; Inactive = 0; Enabled=0; OnPrem=0; MfaCapable=0; SignInActivity = @{ '0-1 month' = 0; '1-2 months' = 0; '2-3 months' = 0; '4-5 months' = 0; '5-6 months' = 0; '6+ months' = 0; 'Never' = 0 }}
@@ -3790,6 +3790,81 @@ function start-InitTasks {
     }
 }
 
+
+#Function to get the applied Entra teant license
+function Get-EffectiveEntraLicense {
+    [CmdletBinding()]
+
+    $planPriority = @(
+        @{ Plan = 'AAD_PREMIUM_P2'; Name = 'Microsoft Entra ID P2';    Int = 4 }
+        @{ Plan = 'AAD_PREMIUM';    Name = 'Microsoft Entra ID P1';    Int = 3 }
+        @{ Plan = 'AAD_BASIC';      Name = 'Microsoft Entra ID Basic'; Int = 2 }
+        @{ Plan = 'AAD_FREE';       Name = 'Microsoft Entra ID Free';  Int = 1 }
+    )
+
+    $QueryParameters = @{
+        '$select' = "capabilityStatus,servicePlans"
+    }
+    try {
+        $response = Send-GraphRequest -AccessToken $GLOBALMsGraphAccessToken.access_token -Method GET -Uri '/subscribedSkus' -QueryParameters $QueryParameters -BetaAPI -UserAgent $($GlobalAuditSummary.UserAgent.Name) -ErrorAction Stop
+    } catch {
+        Write-Log -Level Debug -Message "Can't get Entra Tenant license. Request to /subscribedSkus failed"
+        return [pscustomobject]@{
+            EntraIDLicencesString = 'Unknown'
+            EntraIDLicencesInt    = 0
+        }
+    }
+    $skus =
+        if ($null -eq $response) { @() }
+        elseif ($response -is [System.Collections.IEnumerable] -and -not ($response -is [string])) { @($response) }
+        elseif ($response.PSObject.Properties.Name -contains 'value') { @($response.value) }
+        else { @($response) }
+
+    # Entra Free does not have any SKUs
+    if ($skus.Count -eq 0) {
+        return [pscustomobject]@{
+            EntraIDLicencesString = 'Microsoft Entra ID Free'
+            EntraIDLicencesInt    = 1
+        }
+    }
+
+    $observedPlans = New-Object System.Collections.Generic.HashSet[string]
+
+    foreach ($sku in $skus) {
+        if ($null -eq $sku) { continue }
+
+        $capabilityStatus = $sku.capabilityStatus
+        if ($capabilityStatus -ne 'Enabled' -and $capabilityStatus -ne 'Warning') { continue }
+
+        foreach ($plan in @($sku.servicePlans)) {
+            if ($null -eq $plan) { continue }
+
+            if ($plan.provisioningStatus -ne 'Success') { continue }
+
+            $servicePlanName = [string]$plan.servicePlanName
+            [void]$observedPlans.Add($servicePlanName)
+        }
+    }
+
+    foreach ($item in $planPriority) {
+        if ($observedPlans.Contains($item.Plan)) {
+            Write-Log -Level Verbose -Message "Entra Tenant license: $($item.Name)"
+            return [pscustomobject]@{
+                EntraIDLicencesString = $item.Name
+                EntraIDLicencesInt    = $item.Int
+            }
+        }
+    }
+
+    Write-Log -Level Verbose -Message "Entra Tenant license: Unknown"
+    return [pscustomobject]@{
+        EntraIDLicencesString = 'Unknown'
+        EntraIDLicencesInt    = 0
+    }
+}
+
+
+
 # Function to help built the TXT report (avoiding using slow stuff like format-table)
 function Format-ReportSection {
     param (
@@ -4328,4 +4403,4 @@ function Show-EntraFalconBanner {
     Write-Host ""
 }
 
-Export-ModuleMember -Function Show-EntraFalconBanner,AuthenticationMSGraph,Get-Devices,Get-UsersBasic,start-CleanUp,Format-ReportSection,Get-OrgInfo,Get-LogLevel, Write-Log,Invoke-MsGraphRefreshPIM,Write-LogVerbose,Invoke-AzureRoleProcessing,Get-RegisterAuthMethodsUsers,Invoke-EntraRoleProcessing,Get-EntraPIMRoleAssignments,AuthCheckMSGraph,RefreshAuthenticationMsGraph,Get-PimforGroupsAssignments,Invoke-CheckTokenExpiration,Invoke-MsGraphAuthPIM,EnsureAuthMsGraph,Get-AzureRoleDetails,Get-AdministrativeUnitsWithMembers,Get-ConditionalAccessPolicies,Get-EntraRoleAssignments,Get-APIPermissionCategory,Get-ObjectInfo,EnsureAuthAzurePsNative,checkSubscriptionNative,Get-AllAzureIAMAssignmentsNative,Get-PIMForGroupsAssignmentsDetails,Show-EnumerationSummary,start-InitTasks
+Export-ModuleMember -Function Show-EntraFalconBanner,AuthenticationMSGraph,Get-EffectiveEntraLicense,Get-Devices,Get-UsersBasic,start-CleanUp,Format-ReportSection,Get-OrgInfo,Get-LogLevel, Write-Log,Invoke-MsGraphRefreshPIM,Write-LogVerbose,Invoke-AzureRoleProcessing,Get-RegisterAuthMethodsUsers,Invoke-EntraRoleProcessing,Get-EntraPIMRoleAssignments,AuthCheckMSGraph,RefreshAuthenticationMsGraph,Get-PimforGroupsAssignments,Invoke-CheckTokenExpiration,Invoke-MsGraphAuthPIM,EnsureAuthMsGraph,Get-AzureRoleDetails,Get-AdministrativeUnitsWithMembers,Get-ConditionalAccessPolicies,Get-EntraRoleAssignments,Get-APIPermissionCategory,Get-ObjectInfo,EnsureAuthAzurePsNative,checkSubscriptionNative,Get-AllAzureIAMAssignmentsNative,Get-PIMForGroupsAssignmentsDetails,Show-EnumerationSummary,start-InitTasks
diff --git a/run_EntraFalcon.ps1 b/run_EntraFalcon.ps1
@@ -59,11 +59,11 @@
     Controls runtime status output.
     - `Off` (default): No additional status output
     - `Verbose`: High-level status messages
-    - `Debug`: Includes Verbose plus additional details usful for debugging
+    - `Debug`: Includes Verbose plus additional details useful for debugging
     - `Trace`: Includes Debug plus very detailed output (may be noisy)
 
     .PARAMETER QAMode
-    Dumps the AllGroups and AllUsers objects as JSON for QA tests.
+    Dumps the AllGroups and AllUsers objects as JSON for internal QA tests.
 
     .NOTES
     Author: Christian Feuchter, Compass Security Switzerland AG, https://www.compass-security.com/
@@ -129,14 +129,30 @@ if ($BroCi -and $AuthMethod -eq "DeviceCode") {
 }
 
 #Constants
-$EntraFalconVersion = "V20260112"
+$EntraFalconVersion = "V20260115"
+
+# Import shared functions
+$ScriptRoot = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent $MyInvocation.MyCommand.Path }
+Import-Module (Join-Path $ScriptRoot 'modules\EntraTokenAid.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\shared_Functions.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_Groups.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_EnterpriseApps.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_AppRegistrations.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_Users.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_ManagedIdentities.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_Roles.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_CAPs.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\Send-GraphBatchRequest.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\Send-GraphRequest.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\export_Summary.psm1') -Force
+Import-Module (Join-Path $ScriptRoot 'modules\check_PIM.psm1') -Force
 
 
 #Splat AuthMethods
 $Global:GLOBALAuthMethods = @{ 
     AuthMethod = $AuthMethod
-    Verbose = $VerbosePreference
  }
+
 if ($BroCi) { $GLOBALAuthMethods.BroCi = $true }
 if (-not [string]::IsNullOrWhiteSpace($BroCiToken)) {
 
@@ -179,20 +195,6 @@ if ($QAMode) {
     $optionalParamsUserandGroup['QAMode'] = $QAMode
 }
 
-# Import shared functions
-import-module ./modules/shared_Functions.psm1 -force
-import-module ./modules/check_Groups.psm1 -force
-import-module ./modules/check_EnterpriseApps.psm1 -force
-import-module ./modules/check_AppRegistrations.psm1 -force
-import-module ./modules/check_Users.psm1 -force
-import-module ./modules/check_ManagedIdentities.psm1 -force
-import-module ./modules/check_Roles.psm1 -force
-import-module ./modules/check_CAPs.psm1 -force
-import-module ./modules/Send-GraphBatchRequest.psm1 -force
-import-module ./modules/Send-GraphRequest.psm1 -force
-import-module ./modules/export_Summary.psm1 -force
-import-module ./modules/check_PIM.psm1 -force
-
 #Define summary array and show banner
 Start-InitTasks -EntraFalconVersion $EntraFalconVersion -UserAgent $UserAgent
 Show-EntraFalconBanner -EntraFalconVersion $EntraFalconVersion
@@ -205,6 +207,7 @@ if (-Not(EnsureAuthMsGraph)) {
     Return
 }
 
+
 if (-not($SkipPimForGroups)) {
 write-host ""
 write-host "********************************** PIM for Groups: Pre-Collection Phase **********************************"
@@ -222,6 +225,10 @@ $StartTimestamp = Get-Date -Format "yyyyMMdd_HHmm"
 $GlobalAuditSummary.Tenant.Name = $CurrentTenant.DisplayName
 $GlobalAuditSummary.Tenant.Id = $CurrentTenant.Id
 
+$licenseResult = Get-EffectiveEntraLicense
+$GlobalAuditSummary.TenantLicense.Name  = $licenseResult.EntraIDLicencesString
+$GlobalAuditSummary.TenantLicense.Level = $licenseResult.EntraIDLicencesInt
+
 #Define output folder if not defined
 if ($null -eq $OutputFolder -or "" -eq $OutputFolder) {
     $OutputFolder = "Results_$($CurrentTenant.DisplayName)_$($StartTimestamp)"
