Some of my personal favorites for auditing Microsoft environments


Professionals are always looking for ways to report on M365 or Azure environments, automate activities or remediate threats.

There is an insane amount of content available to achieve these goals, but I want to list some of my favorites in this post.

Connect all O365 services with or without MFA

Save the script and just run it if You don’t have MFA on Your account (why wouldn’t You?), or with the -MFA switch if You do (of course You do!)

Old modules?

The script uses the old modules, as the new ones (Azure Active Directory PowerShell for Graph) don’t completely replace the old ones.

Access tokens

There is also an option for access tokens, but some of the services don’t support it the same way and Teams CS* commands will break, so I will go with the “easiest” solution here.

Here is more information on the access tokens from Andrés Gorzelany and how to generate them. I will also do some experiments in my future blogs about these.

The script

With this script You can disconnect all sessions with the -disconnect switch or choose the ones You want with the -services switch.

The script will install the newest versions (not previews) of the modules available in the PowerShell Gallery.

You can use this script with PowerShell 6, but not above, and this is also stated in the Microsoft documentation.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide

Office 365 for IT Pros GitHub

One repository that has excellent scripts is Office 365 for IT Pros PowerShell examples.

For guest users

Azure AD Access reviews

For access reviews I really like this one.

This PowerShell sample script is meant to create a high-level overview over external identity use in a tenant, outlining if and where external identities are used:

  • group membership
  • application assignment
  • assignment to privileged roles
  • membership through rules in a dynamic group

The script is enumerating membership and assignments in Azure AD. It does not reach out to services that keep membership or role assignments outside of Azure AD (e.g. SharePoint Online with direct user-to-role assignment outside of group membership).

Admindroid version

Or this one from Admindroid.

It will generate a csv-file that has information from the guest accounts.

If You are using AzureADPreview instead of AzureAD module, You can just switch the AzureAD to the preview one.

And all the rest of Admindroid scripts are conveniently in this repo, all in one.

Teams reporting

Teams users

This one will generate TeamsUserReport.csv for users and their settings.

Teams configs

Backup-TeamsConfig is a PowerShell script allowing you to backup various parts of Microsoft Teams configuration and package it up in to a single file for safe keeping – this includes policies, configurations and voice applications (inc. audio files).

Microsoft365DSC

DSC is still a work in progress but it is getting there. New versions are popping up all the time.

Basically 365DSC is for getting Your tenant config and keeping the config up-to-date with a pipeline or just to compare the config to another tenant for auditing purposes.

So make baselines for different scenarios and compare them against tenants. You will get a verbose report about the differences You have. Not everything is in the report but, like I said, it’s getting there.

Exchange Online and Azure

Crowdstrike

There are a lot of different scripts for EXO but I really like this one from Crowdstrike.

It will get the following information:

Exchange Online (O365):

  • Federation Configuration
  • Federation Trust
  • Client Access Settings Configured on Mailboxes
  • Mail Forwarding Rules for Remote Domains
  • Mailbox SMTP Forwarding Rules
  • Mail Transport Rules
  • Delegates with ‘Full Access’ Permission Granted
  • Delegates with Any Permissions Granted
  • Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
  • Exchange Online PowerShell Enabled Users
  • Users with ‘Audit Bypass’ Enabled
  • Mailboxes Hidden from the Global Address List (GAL)
  • Collect administrator audit logging configuration settings.

Azure AD:

  • Service Principal Objects with KeyCredentials
  • O365 Admin Groups Report
  • Delegated Permissions & Application Permissions

Azure AD Exporter

The Azure AD Exporter is a PowerShell module that allows you to export your Azure AD and Azure AD B2C configuration settings to local .json files.

DCToolbox

DCToolbox is made by Daniel Chronlund. The PowerShell module contains a collection of tools for Microsoft 365 security tasks, Microsoft Graph functions, Azure AD management, Conditional Access, zero trust strategies, attack and defense scenarios, etc.

This is an excellent Swiss-knife toolbox, but I especially like these four.

Export-DCConditionalAccessPolicyDesign

This CMDlet uses Microsoft Graph to export all Conditional Access policies in the tenant to a JSON file. This JSON file can be used for backup, documentation or to deploy the same policies again with Import-DCConditionalAccessPolicyDesign.
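Once the policies are in a JSON file, they can be reviewed offline. The following is an added example, not code from DCToolbox or from this post: it assumes the export is a JSON array of policy objects using the Microsoft Graph conditionalAccessPolicy property names, and `Get-CAPolicyReview` is a hypothetical helper name.

```powershell
# Constructed sample data using Microsoft Graph conditionalAccessPolicy property names.
# Assumption: the exported file is a JSON array of such objects. For a real file:
#   $policies = Get-Content -Raw .\ca-policies.json | ConvertFrom-Json   # hypothetical file name
$sampleJson = @'
[
  { "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"],
      "excludeUsers": ["00000000-0000-0000-0000-000000000001"], "excludeGroups": [] } },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"] } },
  { "displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [] } },
    "grantControls": { "operator": "OR", "builtInControls": ["block"] } },
  { "displayName": "Sign-in frequency for guests", "state": "disabled",
    "conditions": { "users": { "includeUsers": ["GuestsOrExternalUsers"],
      "excludeUsers": [], "excludeGroups": [] } },
    "grantControls": null }
]
'@

# Hypothetical helper: one summary row per policy, with the reasons it deserves a second look.
function Get-CAPolicyReview {
    param([Parameter(Mandatory)] [object[]] $Policy)

    foreach ($p in $Policy) {
        $users    = $p.conditions.users
        # Collect excluded users and groups; drop nulls and empty entries.
        $excluded = @(@($users.excludeUsers) + @($users.excludeGroups) | Where-Object { $_ })
        # grantControls can be null (for example a session-control-only policy).
        $controls = @($p.grantControls.builtInControls | Where-Object { $_ })

        $notes = @()
        if ($p.state -ne 'enabled') { $notes += "not enforced (state: $($p.state))" }
        if ($excluded.Count -gt 0)  { $notes += "$($excluded.Count) excluded user/group object(s)" }
        if ($controls.Count -eq 0)  { $notes += 'no built-in grant control' }

        [pscustomobject]@{
            Policy        = $p.displayName
            State         = $p.state
            Scope         = @($users.includeUsers) -join ','
            GrantControls = $controls -join ','
            Review        = $notes -join '; '
        }
    }
}

$policies = $sampleJson | ConvertFrom-Json
Get-CAPolicyReview -Policy $policies | Where-Object Review | Format-Table -AutoSize -Wrap
```

Only policies with at least one review note are listed; excluded object IDs still have to be resolved to names in the tenant before deciding whether an exclusion is justified.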

Import-DCConditionalAccessPolicyDesign

This CMDlet uses Microsoft Graph to automatically create Conditional Access policies from a JSON file. The JSON file can be created from existing policies with Export-DCConditionalAccessPolicyDesign or manually by following the syntax described in the Microsoft Graph documentation.

New-DCConditionalAccessPolicyDesignReport

Automatically generate an Excel report containing your current Conditional Access policy design.

New-DCConditionalAccessAssignmentReport

Automatically generate an Excel report containing your current Conditional Access assignments.

Azure infrastructure

Azure Visualizer, aka ‘AzViz’

PowerShell module to automatically generate Azure resource topology diagrams by just typing a PowerShell cmdlet and passing the name of one or more Azure Resource Group(s).

It is capable of:

  • Finding Resources in an Azure Resource Group and identifying their dependencies.
  • Plot nodes and edges to represent Azure Resources and their dependencies on a graph.
  • Insert appropriate Azure Icons on basis of resource category/sub-category.
  • Label each resource with information like Name, Category, Type etc.
  • Generate visualization in formats like: .png and .svg
  • Output image can be in ‘light’, ‘dark’ or ‘neon’ theme.
  • Can target more than one resource group at once.
  • Change direction in which resource groups are plotted, i.e, left-to-right or top-to-bottom.

ORCA (Office 365 Recommended Configuration Analyzer)

ORCA is a PowerShell module that you can run through the Exchange Online V2 PowerShell module. ORCA will gather your tenant’s security policy information and compare it against 61 policies from Microsoft best practices.

Then it will write a report saying how compliant your tenant is and what to do to get more compliant.

Installing ORCA

You can install ORCA from PowerShell Gallery.

https://www.powershellgallery.com/packages/ORCA/1.10.6

And you also need Exchange Online PowerShell module V2 as a pre-requisite.

More info from GitHub

That’s all for today. Hopefully these tips will help You to cover some caveats in Your toolbox.

Thanks for reading and stay safe!

Author: Harri Jaakkonen
