Releases: CompassSecurity/EntraFalcon

V20260121

21 Jan 20:52

Changelog

General

  • Added: New report header and navigation bar, enabling:
    • Navigation between the different reports
    • Faster jumping between sections within the same report
    • Tenant information and execution time displayed at the top
    • Execution warnings accessible via the warnings button (if present)

Conditional Access Policies

  • Improved: Updated condition counting and adjusted thresholds per policy type to reduce unnecessary warnings.
  • Improved: Improved warning formatting and refined policy-related text.

Groups

  • Fixed: Device display name issue.

Internal

  • Updated: Bumped Send-GraphBatchRequest to the latest version.
  • Improved: Various internal cleanups.

Full Changelog: V20260117...V20260121

V20260117

17 Jan 09:14

Changelog

General

  • Added: Introduced a LogLevel parameter to show verbose CLI messages. The existing custom status messages have been migrated. Over time, more log messages will be added to the tool. Possible values:
    • Off (default): No additional status output.
    • Verbose: High-level status messages.
    • Debug: Includes Verbose plus additional details useful for debugging.
    • Trace: Includes Debug plus very detailed output (may be noisy).
  • Added: Enumeration of the effective Entra ID tenant license.

PIM Report

  • Fixed: Parsing issue when the role activation time is not a full hour.

Enterprise Applications

  • Added: App roles now show app role assignments for other service principals as well.

Managed Identities

  • Fixed: Improved $null protection for the property AlternativeNames to address issue #5.

Azure Roles

  • Added: External partner objects (CSP groups) are now shown with the proper display name.
    Example: Foreign Principal for '%your CSP%' in Role 'TenantAdmins' (%your tenant name%)
  • Improved: Performance in large tenants by switching from an array to a list.

Internal

  • Improved: Reduced API calls for role enumerations when multiple subscriptions exist.
  • Improved: Introduced caching for single object lookups in role lookup.
  • Improved: Changed the module import to be independent of the current directory.

Full Changelog: V20260104...V20260117

V20260104

04 Jan 19:55

Changelog

General

  • Added: Introduced BroCi Authentication (beta) via the -Broci switch. Benefits:
    • Only one interactive authentication is required (instead of two).
    • Does not rely on applications like Azure Active Directory PowerShell, which may require assignment.
    • Allows you to bring your own token for authentication via the -BroCiToken parameter.
      The token must be a refresh token for the client c44b4083-3bb0-49c1-b47d-974e53cbdf3c (Azure Portal).

Enterprise Applications

  • Added: Classified Directory.AccessAsUser.All as a high-privilege Microsoft Graph permission.
  • Added: Creation timestamp in the detail view and a days since creation column in the table.
  • Improved: API permissions in the appendix are now sorted by API and then by severity.

App Registrations

  • Added: Creation timestamp in the detail view and a days since creation column in the table.

Managed Identities

  • Added: Creation timestamp in the detail view and a days since creation column in the table.
  • Improved: API permissions in the appendix are now sorted by API and then by severity.

Users

  • Added: User details now indicate whether the account is enabled.

Role Assignments Azure / Entra

  • Fixed: The CSV export no longer contains HTML links in values or references to non-existent columns.

Internal

  • Updated: Updated the EntraTokenAid version.
  • Fixed: The JSON object was parsed twice in the HTML report.
  • Improved: Authentication function that manages the different authentication flows with EntraTokenAid.

Full Changelog: V20251208...V20260104

V20251208

08 Dec 20:45

Changelog

Enterprise Application

  • Added: Additional Microsoft Graph privileges classified as dangerous or high (Tier-0 and Tier-1).
  • Fixed: Error in the preset view for delegated API permissions.

PIM for Entra ID Roles

  • Added: New preset view highlighting Tier-0 and Tier-1 roles where PIM is not used (active assignments without eligible assignments).

Groups

  • Fixed: Removed dynamic groups from the Public M365 Groups preset view, as users cannot add themselves to these groups.

Full Changelog: V20251202...V20251208

V20251202

02 Dec 19:13

Conditional Access

  • Fixed: Incorrect CAP count displayed in the CLI status message in PS 5.1 when only one CAP exists.
  • Fixed: Missing tenant name encoding, which could break the links to the Entra ID role report when the tenant name contains spaces.

PIM for Entra ID Roles

  • Fixed: Incorrect results in PIM role details for the fields "Allow Permanent Eligible Assignment" and "Allow Permanent Active Assignment".

Enterprise Applications

  • Fixed: Incorrect "privileged" warning for low-privileged foreign apps.

Full Changelog: V20250928...V20251202

V20250928

28 Sep 12:37

Changelog

App Registration

  • Added: New preset view Entra Connect Application to identify the Entra Connect application.
  • Added: Marked the Entra Connect application in the warning text field for better visibility.
  • Added: Warning if the Entra Connect app registration has an owner.
  • Added: Checks for potential IoC:
    • Warns if the Entra Connect app registration has a client secret configured.
    • Warns if the Entra Connect app registration has more than one client certificate.

Enterprise Apps

  • Added: New preset view Entra Connect Application to identify the Entra Connect application.
  • Note: By default, warnings are already generated for enterprise applications that have owners or credentials.
    Therefore, no additional warning logic was added.

Full Changelog: V20250715...V20250928

V20250715

15 Jul 04:41

Changelog

General

  • Added: New ApiTop parameter to control the number of objects returned per API call. Useful for avoiding HTTP 504 errors caused by slow Microsoft infrastructure. Valid range: 5–999 (default: 999).
  • Fixed: Corrected formatting issues in various TXT reports.
  • Improved: Refined multiple texts for better clarity.
  • Improved: Updated the README with instructions on cloning the repository and handling PowerShell execution policies.

PIM for Entra ID Roles

  • Added: First Beta version of the PIM enumeration for Entra ID roles. The new report includes PIM settings for all Entra ID roles and performs several security checks:
    • Activation duration: Tier-0 roles ≤ 4h, Tier-1 roles ≤ 12h
    • Permanent active assignment is disabled (except for GA, because of break-glass accounts)
    • Checks whether:
      • Role activations require approval OR
      • Authentication Context (AC) is used and has a linked CAP
    • If an AC is used, it further verifies the linked Conditional Access Policy:
      • CAP is enabled
      • CAP is scoped to all users (no exclusions)
      • No other conditions are configured (e.g., Networks, Risks, Platforms, App Types, Auth Flow)
      • MFA or Authentication Strength is configured
      • Sign-in frequency is set to Every time
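A compact form of the checks listed above, written as an added example for this page and not taken from EntraFalcon itself. The property names on the role and CAP objects (Tier, ActivationMaxHours, IncludeUsers, OtherConditions, and so on) are assumptions chosen for the constructed sample, not the Graph API schema.

```powershell
# Added example (not EntraFalcon code): evaluate one PIM role setting against the checks
# in the release notes. Property names are assumptions for this constructed sample.
function Test-PimRoleSetting {
    param(
        [Parameter(Mandatory)] [hashtable] $Role,   # constructed PIM role settings
        [hashtable] $LinkedCap                     # CAP linked via Authentication Context (optional)
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Check 1: maximum activation duration per tier (Tier-0 <= 4h, Tier-1 <= 12h)
    $maxHours = if ($Role.Tier -eq 0) { 4 } else { 12 }
    if ($Role.ActivationMaxHours -gt $maxHours) {
        $findings.Add("Activation duration $($Role.ActivationMaxHours)h exceeds ${maxHours}h for Tier-$($Role.Tier)")
    }

    # Check 2: permanent active assignment disabled (GA excepted for break-glass accounts)
    if ($Role.AllowPermanentActive -and $Role.Name -ne 'Global Administrator') {
        $findings.Add('Permanent active assignment is allowed')
    }

    # Check 3: approval required OR an Authentication Context with a linked CAP
    $hasAc = (-not [string]::IsNullOrEmpty($Role.AuthenticationContextId)) -and ($null -ne $LinkedCap)
    if (-not $Role.RequireApproval -and -not $hasAc) {
        $findings.Add('Neither approval nor an Authentication Context with a linked CAP is configured')
    }

    # Check 4: if an AC is used, verify the linked Conditional Access Policy
    if ($hasAc) {
        if ($LinkedCap.State -ne 'enabled') { $findings.Add('Linked CAP is not enabled') }
        if ($LinkedCap.IncludeUsers -ne 'All' -or $LinkedCap.ExcludeUsers.Count -gt 0) {
            $findings.Add('Linked CAP is not scoped to all users without exclusions')
        }
        if ($LinkedCap.OtherConditions.Count -gt 0) {
            $findings.Add("Linked CAP has extra conditions: $($LinkedCap.OtherConditions -join ', ')")
        }
        if (-not ($LinkedCap.RequireMfa -or $LinkedCap.AuthenticationStrength)) {
            $findings.Add('Linked CAP does not require MFA or an Authentication Strength')
        }
        if ($LinkedCap.SignInFrequency -ne 'everyTime') { $findings.Add('Linked CAP sign-in frequency is not "Every time"') }
    }
    return $findings
}

# Constructed sample: Tier-0 role with an AC whose linked CAP carries a network condition.
$role = @{ Name = 'Privileged Role Administrator'; Tier = 0; ActivationMaxHours = 8; AllowPermanentActive = $true
           RequireApproval = $false; AuthenticationContextId = 'c1' }
$cap  = @{ State = 'enabled'; IncludeUsers = 'All'; ExcludeUsers = @(); OtherConditions = @('Networks')
           RequireMfa = $true; AuthenticationStrength = $null; SignInFrequency = 'everyTime' }
Test-PimRoleSetting -Role $role -LinkedCap $cap | ForEach-Object { Write-Warning $_ }
```

For the constructed sample this reports three findings: the 8h activation window, the permitted permanent active assignment, and the extra Networks condition on the linked CAP.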

Entra ID Roles

  • Improved: Enhanced sorting of roles based on their tier classification.

Conditional Access Policies

  • Added: Sign-in frequency settings are now displayed in the Conditional Access Policies (CAP) table (hidden by default).

Groups Enumeration

  • Fixed: In PIM for Groups scenarios, the eligible group ownership status was not shown correctly in the details section.
  • Added: New preset view: PIM for Groups PrivEsc. This filter highlights protected groups that have unprotected groups as owners or members, indicating potential privilege escalation paths.

Full Changelog: V20250612...V20250715

V20250612

12 Jun 19:54

Changelog

General

  • Improved: Added new internal function Format-ReportSection for faster TXT formatting.

Enterprise Apps Enumeration

  • Improved: User GUID is now resolved for delegated permissions.
  • Fixed: Corrected formatting issues in the TXT report.

Groups Enumeration

  • Improved: Multiple adjustments for faster processing in large tenants.

Users Enumeration

  • Fixed: Added $null check to prevent errors when user creation date is $null.
  • Improved: Multiple adjustments for faster processing in large tenants.

App Registration

  • Fixed: Corrected formatting issues in the TXT report.

Conditional Access Policies

  • Fixed: Named location name was not displayed.
  • Fixed: Corrected formatting issues in the TXT report.

Full Changelog: V20250522...V20250612

V20250522

22 May 18:17

Changelog

General

  • Improved: API requests now use the $top parameter to retrieve more objects per request, reducing the total number of HTTP calls. (Performance improvement in large tenants)
  • Improved: Tuned status reporting for each section.
  • Fixed: Ensured cleanup of a previously missed global variable.
  • Improved: Updated Send-GraphBatchRequest to the latest version.

Groups Enumeration

  • Improved: Replaced additional += operations in loops with preallocated lists. (Performance improvement)
  • Added: Verbose mode now includes a performance summary.

Users Enumeration

  • Added: Verbose mode now includes a performance summary.

Full Changelog: V20250517...V20250522

V20250517

17 May 20:26

Changelog

General

  • Improved: Updated Send-GraphBatchRequest – all pagination requests are now batched, drastically reducing the number of HTTP requests. (Performance improvement)
  • Added: New parameter -LimitResults to limit the number of groups / users in the report (after sorting by risk). Useful for large tenants.

Groups

  • Improved: Replaced all += array operations in loops with preallocated lists. (Performance improvement)
  • Added: Warning displayed for tenants with a high number of groups or transitive member relationships, recommending the use of -LimitResults.
  • Improved: Transitive memberships are now built locally instead of retrieved from the Graph API. (Performance improvement)
  • Improved: More detailed output in Verbose mode.
  • Improved: Reduced the number of properties requested from the Graph API; values are now resolved later using hashtables. (Performance improvement)
  • Improved: Migrated code away from Where-Object pipelines to more efficient logic. (Performance improvement)
  • Improved: Optimized processing of nested groups. (Performance improvement)
  • Removed: User department and job title details removed from the group report. (Performance improvement)
  • Improved: Reduced object size passed to other enumeration functions. (Performance improvement)
  • Improved: Adjusted object formatting for TXT output to avoid the expensive Format-Table operation. (Performance improvement)
  • Improved: Group likelihood scoring based on member users now uses square root scaling to prevent score inflation in large tenants.

Users

  • Improved: Migrated portions of code using Where-Object to optimized alternatives. (Performance improvement)
  • Improved: Reduced unnecessary Graph API parameters; properties are resolved using hashtables. (Performance improvement)
  • Improved: Replaced some += in loops with more efficient structures. (Performance improvement)
  • Improved: Updated Send-BatchRequest with a new parameter that allows disabling automatic pagination. (Performance improvement in a specific case)
  • Improved: Reduced object size passed to other enumeration functions. (Performance improvement)
  • Improved: More detailed output in Verbose mode.

Full Changelog: v20250508...V20250517