cloud security

Auditing Azure Active Directory Configuration

Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.

active-directoryazurecloud-securityconditional-accessentra-idiam-audit
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When performing a security assessment of an Azure tenant's identity configuration
  • When compliance audits require review of authentication policies, MFA enforcement, and role assignments
  • When onboarding a new Azure tenant after merger or acquisition
  • When investigating suspicious sign-in activity or compromised accounts
  • When validating conditional access policies adequately protect against identity-based attacks

Do not use for on-premises Active Directory auditing (use PingCastle or BloodHound AD), for Azure resource-level RBAC auditing without identity context, or for real-time threat detection (use Microsoft Defender for Identity).

Prerequisites

  • Global Reader or Security Reader role in the target Microsoft Entra ID tenant
  • Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
  • Az CLI authenticated to the target tenant (az login --tenant TENANT_ID)
  • ScoutSuite with Azure provider configured for automated assessment
  • Access to Azure AD audit logs and sign-in logs (requires Azure AD Premium P1/P2)

Workflow

Step 1: Enumerate Tenant Configuration and Security Defaults

Assess the tenant's baseline identity security settings including security defaults and legacy authentication status.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Directory.Read.All","Policy.Read.All","AuditLog.Read.All"
 
# Get tenant details
Get-MgOrganization | Select-Object DisplayName, Id, VerifiedDomains
 
# Check if Security Defaults are enabled
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled
 
# List authentication methods policies
Get-MgPolicyAuthenticationMethodPolicy | ConvertTo-Json -Depth 5
 
# Check legacy authentication status via Conditional Access
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -or
    $_.Conditions.ClientAppTypes -contains "other"
} | Select-Object DisplayName, State

Step 2: Audit Privileged Role Assignments

Review directory role assignments to identify over-privileged users, permanent admin accounts, and risky role configurations.

# List all Global Administrator assignments
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/directoryRoles/filterByIds" \
  --body '{"ids":["62e90394-69f5-4237-9190-012177145e10"]}' | \
  az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/directoryRoles?filter=displayName eq 'Global Administrator'" \
  --query "value[0].id" -o tsv
 
# List all privileged role assignments using Graph API
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$expand=principal" \
  --query "value[*].{Role:roleDefinitionId, Principal:principal.displayName, PrincipalType:principal.@odata.type}" \
  -o table
 
# Check for users with multiple admin roles
az ad user list --query "[].{UPN:userPrincipalName, DisplayName:displayName}" -o table
 
# List service principals with admin role assignments
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalOrganizationId eq 'TENANT_ID'" \
  -o json

Step 3: Review Conditional Access Policies

Audit conditional access policies for coverage gaps, particularly around MFA enforcement, device compliance, and location-based restrictions.

# List all Conditional Access policies
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, @{
    N='GrantControls'; E={$_.GrantControls.BuiltInControls -join ', '}
} | Format-Table -AutoSize
 
# Identify policies in report-only mode (not enforced)
Get-MgIdentityConditionalAccessPolicy | Where-Object {$_.State -eq "enabledForReportingButNotEnforced"} |
    Select-Object DisplayName
 
# Check MFA enforcement coverage
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.GrantControls.BuiltInControls -contains "mfa"
} | Select-Object DisplayName, State, @{
    N='Users'; E={$_.Conditions.Users.IncludeUsers -join ', '}
}
 
# Find policies that exclude groups (potential bypass)
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.Users.ExcludeGroups.Count -gt 0
} | Select-Object DisplayName, @{
    N='ExcludedGroups'; E={$_.Conditions.Users.ExcludeGroups -join ', '}
}

Step 4: Identify Stale Accounts and Guest Users

Find accounts that have not signed in recently, disabled accounts with active role assignments, and risky guest user configurations.

# Find users who haven't signed in for 90+ days
az ad user list --query "[?signInActivity.lastSignInDateTime < '2025-11-25T00:00:00Z'].{UPN:userPrincipalName, LastSignIn:signInActivity.lastSignInDateTime, Enabled:accountEnabled}" -o table
 
# List all guest users
az ad user list --filter "userType eq 'Guest'" \
  --query "[].{UPN:userPrincipalName, DisplayName:displayName, CreatedDate:createdDateTime}" \
  -o table
 
# Find guest users with privileged roles
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$expand=principal" \
  --query "value[?principal.userType=='Guest'].{Role:roleDefinitionId,Guest:principal.userPrincipalName}" \
  -o table
 
# Check for accounts with disabled MFA
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails" \
  --query "value[?!isMfaRegistered].{UPN:userPrincipalName,MfaRegistered:isMfaRegistered}" \
  -o table

Step 5: Analyze Sign-In Logs for Risky Activity

Review sign-in logs to identify anomalous authentication patterns, failed MFA challenges, and risky sign-in detections.

# Get risky sign-ins from last 7 days
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=riskLevelDuringSignIn ne 'none' and createdDateTime ge 2026-02-16T00:00:00Z" \
  --query "value[*].{User:userPrincipalName,Risk:riskLevelDuringSignIn,IP:ipAddress,App:appDisplayName,Status:status.errorCode}" \
  -o table
 
# Get sign-ins from unfamiliar locations
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=riskEventTypes_v2/any(r:r eq 'unfamiliarFeatures')" \
  --query "value[*].{User:userPrincipalName,Location:location.city,IP:ipAddress}" \
  -o table
 
# Check for legacy authentication sign-ins
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'" \
  --query "value[*].{User:userPrincipalName,ClientApp:clientAppUsed,Status:status.errorCode}" \
  -o table

Step 6: Run ScoutSuite Automated Assessment

Execute ScoutSuite for comprehensive automated checks across the Azure tenant configuration.

# Run ScoutSuite against Azure
python3 -m ScoutSuite azure --cli \
  --report-dir ./scoutsuite-azure-report \
  --all-subscriptions
 
# Review the generated HTML report
open ./scoutsuite-azure-report/azure-report.html

Key Concepts

Term Definition
Microsoft Entra ID Microsoft's cloud identity and access management service, formerly Azure Active Directory, providing authentication and authorization
Conditional Access Policy engine that evaluates signals (user, device, location, risk) to enforce access controls like MFA, device compliance, or block access
Security Defaults Microsoft's baseline identity protection settings that enforce MFA registration, block legacy auth, and protect privileged actions
Privileged Identity Management Azure AD Premium P2 feature enabling just-in-time privileged access with approval workflows and time-bound role activation
Legacy Authentication Older authentication protocols (POP3, IMAP, SMTP, ActiveSync) that do not support MFA and are commonly exploited for credential attacks
Risky Sign-In Microsoft Entra Identity Protection detection of sign-in anomalies including impossible travel, unfamiliar locations, and malware-linked IPs

Tools & Systems

  • Microsoft Graph API: Primary programmatic interface for querying Entra ID configuration, policies, roles, and audit logs
  • Microsoft Graph PowerShell SDK: PowerShell module for Entra ID management and security auditing tasks
  • ScoutSuite: Multi-cloud auditing tool with Azure provider support for IAM, storage, networking, and identity checks
  • AzureADRecon: Community tool for comprehensive Azure AD reconnaissance and security assessment reporting
  • Microsoft Defender for Identity: Cloud-based security solution for detecting identity-based threats and compromised credentials

Common Scenarios

Scenario: Post-Acquisition Azure Tenant Security Assessment

Context: After acquiring a company, the security team needs to assess the Azure tenant identity posture before integrating it with the corporate Entra ID.

Approach:

  1. Enumerate all Global Administrators and check for personal accounts in admin roles
  2. Review conditional access policies to verify MFA is enforced for all users, not just admins
  3. Identify guest users with privileged access that may indicate third-party vendor over-permissioning
  4. Check for stale accounts (no sign-in for 90+ days) that could be targets for credential attacks
  5. Review sign-in logs for legacy authentication usage that bypasses MFA
  6. Verify Security Defaults or equivalent CA policies block legacy auth protocols
  7. Produce a risk report with prioritized remediation steps before tenant integration

Pitfalls: Azure AD Premium P2 is required for risky sign-in detections and PIM. If the acquired tenant uses a lower license tier, many identity protection features will be unavailable. Guest users from partner tenants may have implicit access through dynamic groups that are not visible in standard role assignment queries.

Output Format

Azure Active Directory Security Audit Report
===============================================
Tenant: acme-acquired.onmicrosoft.com
Tenant ID: a1b2c3d4-e5f6-7890-abcd-ef1234567890
Audit Date: 2026-02-23
License: Azure AD Premium P2
 
IDENTITY CONFIGURATION:
  Security Defaults: Disabled (Conditional Access in use)
  Conditional Access Policies: 12 (8 enforced, 3 report-only, 1 disabled)
  Legacy Auth Blocked: Partial (blocked for admins only)
 
PRIVILEGED ACCESS:
  Global Administrators:              8 (recommended: <= 4)
  Permanent admin assignments:        6 (no PIM activation required)
  Service principals with admin:      3
  Guest users with privileged roles:  2
 
ACCOUNT HYGIENE:
  Total users:                        1,247
  Stale accounts (90+ days):          89
  Guest users:                        234
  Users without MFA registered:       156
 
SIGN-IN RISK:
  Risky sign-ins (last 30 days):      34
  Legacy auth sign-ins (last 7 days): 67
  Impossible travel detections:        5
  Unfamiliar location sign-ins:       12
 
CRITICAL FINDINGS:
  1. 8 Global Administrators with permanent assignments (use PIM)
  2. Legacy authentication not blocked for non-admin users
  3. 156 users without MFA registration
  4. 2 guest users with Privileged Role Administrator role
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.3 KB

API Reference: Auditing Azure Active Directory Configuration

azure-identity Authentication

from azure.identity import DefaultAzureCredential, ClientSecretCredential
 
# Default (managed identity, env vars, CLI)
credential = DefaultAzureCredential()
 
# Service principal
credential = ClientSecretCredential(tenant_id, client_id, client_secret)
 
# Get Graph API token
token = credential.get_token("https://graph.microsoft.com/.default")

Microsoft Graph API Endpoints

Endpoint Description
GET /organization Tenant info and verified domains
GET /directoryRoles List directory roles
GET /directoryRoles/{id}/members Members of a role
GET /identity/conditionalAccess/policies Conditional Access policies
GET /users?$filter=userType eq 'Guest' Guest users
GET /users?$select=signInActivity User sign-in activity
GET /auditLogs/signIns Sign-in logs
GET /reports/authenticationMethods/userRegistrationDetails MFA registration

Python Graph API Helper

import requests
 
def graph_get(token, endpoint, params=None):
    headers = {"Authorization": f"Bearer {token}"}
    url = f"https://graph.microsoft.com/v1.0{endpoint}"
    return requests.get(url, headers=headers, params=params).json()
 
# List Global Admins
roles = graph_get(token, "/directoryRoles")
for role in roles["value"]:
    if role["displayName"] == "Global Administrator":
        members = graph_get(token, f"/directoryRoles/{role['id']}/members")

Key Conditional Access Policy Fields

{
  "displayName": "Require MFA for admins",
  "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass"]},
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "builtInControls": ["mfa"]
  }
}

azure-mgmt-authorization (RBAC)

from azure.mgmt.authorization import AuthorizationManagementClient
client = AuthorizationManagementClient(credential, subscription_id)
for assignment in client.role_assignments.list():
    print(assignment.principal_id, assignment.role_definition_id)

References

Scripts 1

agent.py6.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for auditing Azure Active Directory (Entra ID) configuration."""

import os
import json
import argparse
from datetime import datetime, timedelta

from azure.identity import DefaultAzureCredential, ClientSecretCredential
import requests


def get_graph_token(credential):
    """Obtain a Microsoft Graph API access token."""
    token = credential.get_token("https://graph.microsoft.com/.default")
    return token.token


def graph_get(token, endpoint, params=None):
    """Make an authenticated GET request to Microsoft Graph API."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = f"https://graph.microsoft.com/v1.0{endpoint}"
    resp = requests.get(url, headers=headers, params=params, timeout=30)
    resp.raise_for_status()
    return resp.json()


def get_tenant_info(token):
    """Get tenant organization details."""
    data = graph_get(token, "/organization")
    orgs = data.get("value", [])
    if orgs:
        org = orgs[0]
        return {
            "display_name": org.get("displayName"),
            "tenant_id": org.get("id"),
            "verified_domains": [d["name"] for d in org.get("verifiedDomains", [])],
        }
    return {}


def list_global_admins(token):
    """List all Global Administrator role assignments."""
    roles = graph_get(token, "/directoryRoles")
    ga_role = None
    for role in roles.get("value", []):
        if role["displayName"] == "Global Administrator":
            ga_role = role["id"]
            break
    if not ga_role:
        return []
    members = graph_get(token, f"/directoryRoles/{ga_role}/members")
    return [
        {"displayName": m.get("displayName"), "upn": m.get("userPrincipalName"),
         "type": m.get("@odata.type", "").split(".")[-1]}
        for m in members.get("value", [])
    ]


def list_conditional_access_policies(token):
    """List all Conditional Access policies with their state and grant controls."""
    policies = graph_get(token, "/identity/conditionalAccess/policies")
    results = []
    for p in policies.get("value", []):
        results.append({
            "name": p.get("displayName"),
            "state": p.get("state"),
            "grant_controls": p.get("grantControls", {}).get("builtInControls", []),
            "excluded_groups": p.get("conditions", {}).get("users", {}).get("excludeGroups", []),
        })
    return results


def find_stale_users(token, days=90):
    """Find users who have not signed in for specified number of days."""
    cutoff = (datetime.utcnow() - timedelta(days=days)).strftime("%Y-%m-%dT00:00:00Z")
    users = graph_get(
        token, "/users",
        params={
            "$select": "displayName,userPrincipalName,signInActivity,accountEnabled",
            "$top": "999",
        }
    )
    stale = []
    for u in users.get("value", []):
        sign_in = u.get("signInActivity", {})
        last_sign_in = sign_in.get("lastSignInDateTime")
        if last_sign_in and last_sign_in < cutoff:
            stale.append({
                "upn": u.get("userPrincipalName"),
                "display_name": u.get("displayName"),
                "last_sign_in": last_sign_in,
                "enabled": u.get("accountEnabled"),
            })
    return stale


def list_guest_users(token):
    """List all guest users in the tenant."""
    users = graph_get(
        token, "/users",
        params={"$filter": "userType eq 'Guest'", "$select": "displayName,userPrincipalName,createdDateTime"}
    )
    return [
        {"upn": u.get("userPrincipalName"), "display_name": u.get("displayName"),
         "created": u.get("createdDateTime")}
        for u in users.get("value", [])
    ]


def check_mfa_registration(token):
    """Check users without MFA registered."""
    try:
        data = graph_get(token, "/reports/authenticationMethods/userRegistrationDetails")
        no_mfa = [
            {"upn": u.get("userPrincipalName"), "mfa_registered": u.get("isMfaRegistered")}
            for u in data.get("value", []) if not u.get("isMfaRegistered")
        ]
        return no_mfa
    except Exception:
        return []


def get_risky_signins(token, days=7):
    """Get risky sign-in events from the last N days."""
    since = (datetime.utcnow() - timedelta(days=days)).strftime("%Y-%m-%dT00:00:00Z")
    try:
        data = graph_get(
            token, "/auditLogs/signIns",
            params={"$filter": f"riskLevelDuringSignIn ne 'none' and createdDateTime ge {since}"}
        )
        return [
            {"user": s.get("userPrincipalName"), "risk": s.get("riskLevelDuringSignIn"),
             "ip": s.get("ipAddress"), "app": s.get("appDisplayName")}
            for s in data.get("value", [])
        ]
    except Exception:
        return []


def main():
    parser = argparse.ArgumentParser(description="Azure AD Configuration Audit Agent")
    parser.add_argument("--tenant-id", default=os.getenv("AZURE_TENANT_ID"))
    parser.add_argument("--client-id", default=os.getenv("AZURE_CLIENT_ID"))
    parser.add_argument("--client-secret", default=os.getenv("AZURE_CLIENT_SECRET"))
    parser.add_argument("--stale-days", type=int, default=90)
    parser.add_argument("--output", default="azure_ad_audit.json")
    args = parser.parse_args()

    if args.client_id and args.client_secret and args.tenant_id:
        credential = ClientSecretCredential(args.tenant_id, args.client_id, args.client_secret)
    else:
        credential = DefaultAzureCredential()

    token = get_graph_token(credential)
    report = {"audit_date": datetime.utcnow().isoformat(), "findings": {}}

    report["findings"]["tenant_info"] = get_tenant_info(token)
    print(f"[+] Tenant: {report['findings']['tenant_info'].get('display_name')}")

    admins = list_global_admins(token)
    report["findings"]["global_admins"] = admins
    print(f"[+] Global Admins: {len(admins)}")

    ca_policies = list_conditional_access_policies(token)
    report["findings"]["conditional_access"] = ca_policies
    print(f"[+] Conditional Access policies: {len(ca_policies)}")

    stale = find_stale_users(token, args.stale_days)
    report["findings"]["stale_users"] = stale
    print(f"[+] Stale users ({args.stale_days}+ days): {len(stale)}")

    guests = list_guest_users(token)
    report["findings"]["guest_users"] = guests
    print(f"[+] Guest users: {len(guests)}")

    no_mfa = check_mfa_registration(token)
    report["findings"]["users_without_mfa"] = no_mfa
    print(f"[+] Users without MFA: {len(no_mfa)}")

    risky = get_risky_signins(token)
    report["findings"]["risky_signins"] = risky
    print(f"[+] Risky sign-ins (7d): {len(risky)}")

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
Keep exploring