V20250715

Changelog

General

• Added: New ApiTop parameter to control the number of objects returned per API call. Useful for avoiding HTTP 504 errors caused by slow Microsoft infrastructure. Valid range: 5–999 (default: 999).
• Fixed: Corrected formatting issues in various TXT reports.
• Improved: Refined multiple texts for better clarity.
• Improved: Updated the README with instructions on cloning the repository and handling PowerShell execution policies.

PIM for Entra ID Roles

• Added: First Beta version of the PIM enumeration for Entra ID roles. The new report includes PIM settings for all Entra ID roles and performs several security checks:
  • Activation duration Tier-0 roles ≤ 4h / Tier-1 roles ≤ 12h
  • Permanent active assignment is disabled (except for GA because of breakglass accounts)
  • Checks whether:
    • Role activations require approval OR
    • Authentication Context (AC) is used and has a linked CAP
  • If an AC is used, it further verifies the linked Conditional Access Policy:
    • CAP is enabled
    • CAP is scoped to all users (no exclusions)
    • No other conditions are configured (e.g., Networks, Risks, Platforms, App Types, Auth Flow)
    • MFA or Authentication Strength is configured
    • Sign-in frequency is set to Every time

Entra ID Roles

• Improved: Enhanced sorting of roles based on their tier classification.

Conditional Access Policies

• Added: Sign-in frequency settings are now displayed in the Conditional Access Policies (CAP) table (hidden by default).

Groups Enumeration

• Fixed: In PIM for Groups scenarios, the eligible group ownership status was not shown correctly in the details section.
• Added: New preset view: PIM for Groups PrivEsc. This filter highlights protected groups that have unprotected groups as owners or members, indicating potential privilege escalation paths.

Full Changelog: V20250612...V20250715