Releases: CompassSecurity/EntraFalcon

V20260208

08 Feb 07:58

Changelog

General

  • Improved: Filters on the main overview tables are now also applied to the objects in the details sections, meaning the views are now synchronized. This allows navigating through the details sections more efficiently.
  • Improved: The content of items in the details section is now loaded only when an item is expanded. This improves the performance of the HTML reports, especially for large tenants.
  • Improved: Updated the text of several table header tooltips.
  • Added: Additional categorization of various application and delegated permissions.

Enterprise Applications

  • Added: Check whether an application is configured for SAML and populate the SAML property accordingly. This allows filtering these apps in the preset view Enterprise Apps with Credentials and avoids false positives.

Internal

  • Updated: Updated Chart.js to version 4.5.1.

Full Changelog: V20260127...V20260208

V20260127

27 Jan 21:03

Changelog

General

  • Fixed: Issue #6. Microsoft revoked the FOCI status of the Azure CLI client. As a result, token refresh to the Managed Meeting Rooms client (eb20f3e3-3dce-4d2c-b721-ebb8d4414067) is no longer possible.
    The client has been replaced with the Dynamics 365 Example Client Application (51f81489-12ee-4a9e-aaae-a2591f45987d).
    Due to this change, the standard authentication flow now requires three interactive sign-ins.
    The README has been updated to better explain the available authentication flows and their respective advantages and limitations.

Groups

  • Fixed: Issue that could cause non-existent role assignments to be displayed.

Internal

  • Updated: Bumped EntraTokenAid to the latest version.
  • Improved: Internal restructuring to support upcoming features.

Full Changelog: V20260125...V20260127

V20260125

25 Jan 18:19

Changelog

General

  • Fixed: An issue with the help text introduced by the navigation bar.

Full Changelog: V20260121...V20260125

V20260121

21 Jan 20:52

Changelog

General

  • Added: New report header and navigation bar, enabling:
    • Navigation between the different reports
    • Faster jumping between sections within the same report
    • Tenant information and execution time displayed at the top
    • Execution warnings accessible via the warnings button (if present)

Conditional Access Policies

  • Improved: Updated condition counting and adjusted thresholds per policy type to reduce unnecessary warnings.
  • Improved: Improved warning formatting and refined policy-related text.

Groups

  • Fixed: Device display name issue.

Internal

  • Updated: Bumped Send-GraphBatchRequest to the latest version.
  • Improved: Various internal cleanups.

Full Changelog: V20260117...V20260121

V20260117

17 Jan 09:14

Changelog

General

  • Added: Introduced a LogLevel parameter to show verbose CLI messages. The existing custom status messages have been migrated. Over time, more log messages will be added to the tool. Possible values:
    • Off (default): No additional status output.
    • Verbose: High-level status messages.
    • Debug: Includes Verbose plus additional details useful for debugging.
    • Trace: Includes Debug plus very detailed output (may be noisy).
  • Added: Enumeration of the effective Entra ID tenant license.

PIM Report

  • Fixed: Parsing issue when the role activation time is not a full hour.

Enterprise Applications

  • Added: App roles now show app role assignments for other service principals as well.

Managed Identities

  • Fixed: Improved $null protection for the property AlternativeNames to address issue #5.

Azure Roles

  • Added: External partner objects (CSP groups) are now shown with the proper display name.
    Example: Foreign Principal for '%your CSP%' in Role 'TenantAdmins' (%your tenant name%)
  • Improved: Performance in large tenants by switching from an array to a list.

Internal

  • Improved: Reduced API calls for role enumerations when multiple subscriptions exist.
  • Improved: Introduced caching for single object lookups in role lookup.
  • Improved: Changed the module import to be independent of the current directory.

Full Changelog: V20260104...V20260117

V20260104

04 Jan 19:55

Changelog

General

  • Added: Introduced BroCi Authentication (beta) via the -Broci switch. Benefits:
    • Only one interactive authentication is required (instead of two).
    • Does not rely on applications like Azure Active Directory PowerShell, which may require assignment.
    • Allows you to bring your own token for authentication via the -BroCiToken parameter.
      The token must be a refresh token for the client c44b4083-3bb0-49c1-b47d-974e53cbdf3c (Azure Portal).

Enterprise Applications

  • Added: Classified Directory.AccessAsUser.All as a high-privilege Microsoft Graph permission.
  • Added: Creation timestamp in the detail view and a days since creation column in the table.
  • Improved: API permissions in the appendix are now sorted by API and then by severity.

App Registrations

  • Added: Creation timestamp in the detail view and a days since creation column in the table.

Managed Identities

  • Added: Creation timestamp in the detail view and a days since creation column in the table.
  • Improved: API permissions in the appendix are now sorted by API and then by severity.

Users

  • Added: User details now indicate whether the account is enabled.

Role Assignments Azure / Entra

  • Fixed: The CSV export no longer contains HTML links in values or references to non-existent columns.

Internal

  • Updated: Updated the EntraTokenAid version.
  • Fixed: The JSON object was parsed twice in the HTML report.
  • Improved: The authentication function that manages the different authentication flows with EntraTokenAid.

Full Changelog: V20251208...V20260104

V20251208

08 Dec 20:45

Changelog

Enterprise Application

  • Added: Additional dangerous or high-privilege Tier-0 and Tier-1 Microsoft Graph permissions.
  • Fixed: Error in the preset view for delegated API permissions.

PIM for Entra ID Roles

  • Added: New preset view highlighting Tier-0 and Tier-1 roles where PIM is not used (active assignments without eligible assignments).

Groups

  • Fixed: Removed dynamic groups from the Public M365 Groups preset view, as users cannot add themselves to these groups.

Full Changelog: V20251202...V20251208

V20251202

02 Dec 19:13

Conditional Access

  • Fixed: Incorrect CAP count displayed in the CLI status message in PS 5.1 when only one CAP exists.
  • Fixed: Missing tenant name encoding, which could break the links to the Entra ID role report when the tenant name contains spaces.

PIM for Entra ID Roles

  • Fixed: Incorrect results in PIM role details for the fields "Allow Permanent Eligible Assignment" and "Allow Permanent Active Assignment".

Enterprise Applications

  • Fixed: Incorrect "privileged" warning for low-privileged foreign apps.

Full Changelog: V20250928...V20251202

V20250928

28 Sep 12:37

Changelog

App Registration

  • Added: New preset view Entra Connect Application to identify the Entra Connect application.
  • Added: Marked the Entra Connect application in the warning text field for better visibility.
  • Added: Warning if the Entra Connect app registration has an owner.
  • Added: Checks for potential IoC:
    • Warns if the Entra Connect app registration has a client secret configured.
    • Warns if the Entra Connect app registration has more than one client certificate.

Enterprise Apps

  • Added: New preset view Entra Connect Application to identify the Entra Connect application.
  • Note: By default, warnings are already generated for enterprise applications that have owners or credentials.
    Therefore, no additional warning logic was added.

Full Changelog: V20250715...V20250928

V20250715

15 Jul 04:41

Changelog

General

  • Added: New ApiTop parameter to control the number of objects returned per API call. Useful for avoiding HTTP 504 errors caused by slow Microsoft infrastructure. Valid range: 5–999 (default: 999).
  • Fixed: Corrected formatting issues in various TXT reports.
  • Improved: Refined multiple texts for better clarity.
  • Improved: Updated the README with instructions on cloning the repository and handling PowerShell execution policies.

PIM for Entra ID Roles

  • Added: First Beta version of the PIM enumeration for Entra ID roles. The new report includes PIM settings for all Entra ID roles and performs several security checks:
    • Activation duration Tier-0 roles ≤ 4h / Tier-1 roles ≤ 12h
    • Permanent active assignment is disabled (except for GA because of breakglass accounts)
    • Checks whether:
      • Role activations require approval OR
      • Authentication Context (AC) is used and has a linked CAP
    • If an AC is used, it further verifies the linked Conditional Access Policy:
      • CAP is enabled
      • CAP is scoped to all users (no exclusions)
      • No other conditions are configured (e.g., Networks, Risks, Platforms, App Types, Auth Flow)
      • MFA or Authentication Strength is configured
      • Sign-in frequency is set to Every time
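The checks listed above, carried through on constructed data as an added example (this is not EntraFalcon's own code). A role's PIM settings and the Conditional Access Policy linked through its Authentication Context are modelled as small dataclasses whose field names are assumptions chosen here; the activation duration is kept as an ISO 8601 duration string, which is the format the Graph PIM policy rules use, so the parser also covers the non-full-hour case mentioned in the V20260117 notes (e.g. PT4H30M). The tier values in the sample roles are part of the constructed input, not a classification taken from the tool.

```python
"""Added example: evaluate the PIM-for-Entra-ID-roles checks against constructed data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ISO 8601 duration as used by the Graph PIM policy rules, e.g. "PT4H" or "PT1H30M".
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_hours(value: str) -> float:
    """Convert an ISO 8601 duration to hours; handles values that are not full hours."""
    m = _DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours + minutes / 60 + seconds / 3600


@dataclass
class LinkedCap:                      # constructed summary of a CAP (field names assumed)
    enabled: bool
    all_users: bool                   # include scope is "All users"
    exclusions: int                   # number of excluded users/groups/roles
    other_conditions: List[str] = field(default_factory=list)  # e.g. ["Networks"]
    mfa_or_auth_strength: bool = False
    sign_in_frequency_every_time: bool = False


@dataclass
class PimRoleSettings:                # constructed summary of a role's PIM policy
    role: str
    tier: int                         # 0 or 1 (constructed)
    max_activation: str               # ISO 8601 duration
    permanent_active_allowed: bool
    approval_required: bool
    auth_context: Optional[str] = None  # Authentication Context id, e.g. "c1"


ACTIVATION_LIMIT_HOURS = {0: 4, 1: 12}
BREAKGLASS_ROLE = "Global Administrator"   # permanent active allowed here (breakglass accounts)


def check_role(settings: PimRoleSettings, caps: Dict[str, LinkedCap]) -> List[str]:
    """Return the list of findings for one role; an empty list means all checks passed."""
    findings = []
    limit = ACTIVATION_LIMIT_HOURS[settings.tier]
    hours = duration_hours(settings.max_activation)
    if hours > limit:
        findings.append(f"activation duration {hours:g}h exceeds Tier-{settings.tier} limit of {limit}h")
    if settings.permanent_active_allowed and settings.role != BREAKGLASS_ROLE:
        findings.append("permanent active assignment is allowed")

    cap = caps.get(settings.auth_context) if settings.auth_context else None
    # Either approval is required, or an Authentication Context with a linked CAP is used.
    if not settings.approval_required and cap is None:
        if settings.auth_context:
            findings.append(f"authentication context {settings.auth_context} has no linked CAP")
        else:
            findings.append("activation requires neither approval nor an authentication context")

    # If an AC is used, the linked CAP must itself be strict enough.
    if cap is not None:
        if not cap.enabled:
            findings.append("linked CAP is not enabled")
        if not cap.all_users or cap.exclusions:
            findings.append("linked CAP is not scoped to all users without exclusions")
        if cap.other_conditions:
            findings.append("linked CAP has additional conditions: " + ", ".join(cap.other_conditions))
        if not cap.mfa_or_auth_strength:
            findings.append("linked CAP does not require MFA or an authentication strength")
        if not cap.sign_in_frequency_every_time:
            findings.append("linked CAP sign-in frequency is not 'Every time'")
    return findings


# Constructed sample input.
SAMPLE_CAPS = {
    "c1": LinkedCap(True, True, 0, [], True, True),
    "c2": LinkedCap(True, True, 2, ["Networks"], True, False),
}
SAMPLE_ROLES = [
    PimRoleSettings("Global Administrator", 0, "PT4H", True, False, "c1"),
    PimRoleSettings("Privileged Role Administrator", 0, "PT4H30M", False, False, "c2"),
    PimRoleSettings("Exchange Administrator", 1, "PT8H", True, True, None),
    PimRoleSettings("Security Reader", 1, "PT12H", False, False, "c3"),  # "c3" has no CAP
]


def run_checks(roles=SAMPLE_ROLES, caps=SAMPLE_CAPS) -> Dict[str, List[str]]:
    return {r.role: check_role(r, caps) for r in roles}


if __name__ == "__main__":
    for role, findings in run_checks().items():
        print(role, "->", findings or "OK")
```

Only the Global Administrator sample passes cleanly: its permanent active assignment is tolerated for breakglass accounts and its linked CAP meets every condition. The other three samples each show a different way the checks fail (duration over the tier limit plus a weak CAP, permanent active assignment on a non-GA role, and an Authentication Context with no policy behind it).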

Entra ID Roles

  • Improved: Enhanced sorting of roles based on their tier classification.

Conditional Access Policies

  • Added: Sign-in frequency settings are now displayed in the Conditional Access Policies (CAP) table (hidden by default).

Groups Enumeration

  • Fixed: In PIM for Groups scenarios, the eligible group ownership status was not shown correctly in the details section.
  • Added: New preset view: PIM for Groups PrivEsc. This filter highlights protected groups that have unprotected groups as owners or members, indicating potential privilege escalation paths.
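The PrivEsc filter described above, as an added example on constructed data (not EntraFalcon's own code). Each group carries a constructed "protected" flag and lists of owner and member assignments with their state (active or eligible, cf. the eligible ownership fix in the same release). The example goes one step beyond the page's direct check: when an unprotected group is found as owner or member of a protected group, it also follows unprotected groups nested inside it, so the reported path starts at the outermost group a user would need to get into. The self_joinable flag models the public, non-dynamic M365 group case from the V20251208 notes and is an assumption of this example.

```python
"""Added example: find unprotected groups that are owners or members of protected groups."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Assignment = Tuple[str, str]      # (principal id, "active" | "eligible")


@dataclass
class Group:                      # constructed shape; field names are assumptions
    id: str
    name: str
    protected: bool               # e.g. PIM-managed / otherwise protected group
    self_joinable: bool = False   # public, non-dynamic M365 group that users can join
    owners: List[Assignment] = field(default_factory=list)
    members: List[Assignment] = field(default_factory=list)


def nested_unprotected(groups: Dict[str, Group], gid: str, seen=None) -> List[List[str]]:
    """Paths (lists of group ids ending at gid) from unprotected groups nested in gid.

    Each unprotected group is reported once per starting group; `seen` stops cycles."""
    seen = seen if seen is not None else set()
    paths = []
    for pid, _state in groups[gid].members:
        g = groups.get(pid)
        if g is None or g.protected or pid in seen:   # users/SPs and protected groups stop the walk
            continue
        seen.add(pid)
        paths.append([pid, gid])
        for deeper in nested_unprotected(groups, pid, seen):
            paths.append(deeper + [gid])
    return paths


def find_privesc_paths(groups: Dict[str, Group]) -> List[dict]:
    """One finding per (protected target, unprotected entry group) path."""
    findings = []
    for target in groups.values():
        if not target.protected:
            continue
        for relation, assignments in (("owner", target.owners), ("member", target.members)):
            for pid, state in assignments:
                src = groups.get(pid)
                if src is None or src.protected:   # only unprotected groups are a concern
                    continue
                # The direct path plus every unprotected group nested inside src.
                for path in [[pid]] + nested_unprotected(groups, pid):
                    entry = groups[path[0]]
                    findings.append({
                        "target": target.name,
                        "relation": relation,
                        "state": state,
                        "path": [groups[g].name for g in path],
                        "entry_self_joinable": entry.self_joinable,
                    })
    return findings


# Constructed sample tenant: TenantAdmins (protected) has the unprotected Helpdesk group as
# a member, and Helpdesk in turn contains the public M365 group All-Staff.
SAMPLE_GROUPS = {
    "p1": Group("p1", "TenantAdmins", True, owners=[("user-alice", "active")],
                members=[("u1", "active")]),
    "u1": Group("u1", "Helpdesk", False, members=[("u2", "active")]),
    "u2": Group("u2", "All-Staff", False, self_joinable=True),
    "p2": Group("p2", "Sec-Ops", True, owners=[("p3", "eligible")],
                members=[("user-bob", "active")]),
    "p3": Group("p3", "Sec-Leads", True),
}


if __name__ == "__main__":
    for f in find_privesc_paths(SAMPLE_GROUPS):
        joined = " -> ".join(f["path"])
        tag = " (entry group is self-joinable)" if f["entry_self_joinable"] else ""
        print(f"{f['target']}: {f['state']} {f['relation']} via {joined}{tag}")
```

On the sample, Sec-Ops produces no finding because its eligible owner is itself a protected group; TenantAdmins produces two, and the second one (All-Staff -> Helpdesk) is the one a defender would prioritise, since the entry group is a public M365 group that users can join on their own.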

Full Changelog: V20250612...V20250715