Releases: CompassSecurity/EntraFalcon

V20260414

14 Apr 08:04

Agent Identities (Beta)

  • Added: Full enumeration of the Microsoft Entra agent identities: Agent Identity Blueprints, Agent Identity Blueprint Principals, Agent Identities and Agent Users. Note: legacy Agent objects are not covered (they should be visible as Enterprise Applications).
  • Added: Effective API permission resolution per agent identity, including permissions inherited from the parent blueprint principal gated by the blueprint's inheritablePermissions rules (allAllowed / enumerated / none).
  • Added: Impact and risk scoring across all three tiers, with inherited impact flowing from agent users → agent identities → blueprint principals → blueprints.
  • Added: Agent users are recognized as a distinct user type in the Users report, enriched with their parent agent identity and blueprint principal context.
  • Added: Agent identities are included in role enumeration and appear in role assignment charts.
  • Added: Agent identity type breakdown and sign-in activity charts in the Summary report.
  • Improved: Report navigation, preset views, and table filters for the new Agent Identity reports.
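
The permission-inheritance logic described above, as an added example that is not EntraFalcon's own code: the three inheritablePermissions modes (allAllowed / enumerated / none) and the High/Low classification of the agent-related permissions come from these release notes, while the data layout, field names, the "enumerated means listed and actually held" reading, and the remaining severity entries are assumptions.

```python
# Constructed example: resolve the effective API permissions of an agent identity
# from its own grants plus those inherited from the parent blueprint principal.
# Severity lookup is an assumed table; the AgentIdentity* and
# Directory.AccessAsUser.All entries mirror the classifications in the release notes.
SEVERITY = {
    "AgentIdentityBlueprint.ReadWrite.All": "High",
    "AgentIdentityBlueprint.AddRemoveCreds.All": "High",
    "Directory.AccessAsUser.All": "High",
    "AgentIdentity.CreateAsManager": "Low",
    "User.Read.All": "Medium",    # assumed
    "Mail.Read": "Medium",        # assumed
    "Sites.Read.All": "Medium",   # assumed
}
RANK = {"Low": 1, "Medium": 2, "High": 3}


def inheritable_permissions(principal):
    """Permissions a blueprint principal passes down to its agent identities."""
    mode = principal["inheritableMode"]
    if mode == "allAllowed":
        return set(principal["permissions"])
    if mode == "enumerated":
        # Assumption: only listed permissions are inheritable, and only if the
        # principal actually holds them.
        return set(principal["permissions"]) & set(principal["inheritableList"])
    if mode == "none":
        return set()
    raise ValueError(f"unknown inheritablePermissions mode: {mode}")


def effective_permissions(agent, principal):
    """Map each effective permission of an agent identity to its source."""
    effective = {p: "direct" for p in agent["permissions"]}
    for p in inheritable_permissions(principal):
        effective.setdefault(p, "inherited:" + principal["name"])
    return effective


def highest_severity(permissions):
    """Impact input: highest severity among permission names (unknown -> Unclassified)."""
    best = "Unclassified"
    for p in permissions:
        s = SEVERITY.get(p)
        if s and RANK[s] > RANK.get(best, 0):
            best = s
    return best


# Constructed sample objects (hypothetical names)
BLUEPRINT_PRINCIPAL = {
    "name": "bp-helpdesk-agent",
    "permissions": ["Mail.Read", "User.Read.All", "AgentIdentityBlueprint.ReadWrite.All"],
    "inheritableMode": "enumerated",
    "inheritableList": ["Mail.Read", "User.Read.All", "Sites.Read.All"],
}
AGENT = {"name": "helpdesk-agent-01", "permissions": ["Sites.Read.All"]}

if __name__ == "__main__":
    eff = effective_permissions(AGENT, BLUEPRINT_PRINCIPAL)
    for perm, src in sorted(eff.items()):
        print(f"{perm:45} {SEVERITY.get(perm, 'Unclassified'):12} {src}")
    print("highest severity:", highest_severity(eff))
```

Switching the sample principal to allAllowed shows why the mode matters: the High blueprint permission then flows down to the agent and lifts its impact rating.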

Conditional Access Policies

  • Added: Conditional Access user coverage analysis. CAP reports now calculate effective user targeting after direct users, groups, roles, guest/external-user categories, and exclusions are evaluated. The report includes UserCoverage, effective included/excluded user counts, uncovered users, and detailed targeting breakdowns per policy.
  • Added: Effective targeting details for CAP policies. Policy detail views now show how many users are reached directly, through groups, through roles, through external-user categories, and how many users remain uncovered after exclusions. Counts are marked as approximate where Graph data does not allow exact user resolution.
  • Added: Tracking for potential PIM-based CAP coverage. Eligible users from targeted PIM groups or eligible role paths are reported separately as PotentialUsersViaGroups and PotentialUsersViaRoles. They are not counted as currently effective coverage.
  • Added: -ExportCapUncoveredUsers switch to export per-policy CSV files for enabled CAP policies. The export lists enabled users not effectively covered by each policy and labels the reason as NotTargeted, Excluded, or PotentialViaPIM.
  • Improved: CAP warnings now use effective targeting and exclusion context, making broad MFA/authentication-strength policy checks less dependent on raw selector counts.

Note: Conditional Access user coverage is a best-effort calculation based on enumerated users, group members, role assignments, and resolvable external-user categories. External-user selectors are only resolved for tenant guest users matching b2bCollaborationGuest. Other external-user types or external users with specified external tenants can make coverage values approximate.
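
The coverage calculation described in this section, as an added, self-contained model that is not EntraFalcon's own code: the reason labels NotTargeted / Excluded / PotentialViaPIM, the PotentialUsersVia* counters and the b2bCollaborationGuest-only resolution follow the release notes, whereas the sample tenant, the field names and the definition of UserCoverage as the share of enabled users effectively covered are assumptions.

```python
# Constructed model of Conditional Access user coverage: direct users, groups,
# roles and external-user categories are resolved, exclusions are subtracted,
# and PIM-eligible paths are reported separately instead of counted as coverage.
USERS = {  # constructed sample tenant: id -> (accountEnabled, userType)
    "alice": (True, "Member"), "bob": (True, "Member"), "carol": (True, "Member"),
    "dave": (False, "Member"), "guest1": (True, "b2bCollaborationGuest"),
}
GROUP_MEMBERS = {"admins": {"alice"}, "pim-grp": set()}  # active members only
PIM_GROUP_ELIGIBLE = {"pim-grp": {"bob"}}               # eligible, not activated
ROLE_ACTIVE = {"Global Administrator": {"alice"}}
ROLE_ELIGIBLE = {"Global Administrator": {"carol"}}


def resolve(selectors):
    """Expand a selector block -> (users, potential via PIM groups, potential via roles)."""
    users, pot_groups, pot_roles = set(), set(), set()
    if "All" in selectors.get("users", ()):
        users |= set(USERS)
    users |= {u for u in selectors.get("users", ()) if u in USERS}
    for g in selectors.get("groups", ()):
        users |= GROUP_MEMBERS.get(g, set())
        pot_groups |= PIM_GROUP_ELIGIBLE.get(g, set())
    for r in selectors.get("roles", ()):
        users |= ROLE_ACTIVE.get(r, set())
        pot_roles |= ROLE_ELIGIBLE.get(r, set())
    # External selectors resolve only to tenant guests of type b2bCollaborationGuest;
    # any other external category stays unresolved, so results are approximate.
    if "b2bCollaborationGuest" in selectors.get("external", ()):
        users |= {u for u, (_, t) in USERS.items() if t == "b2bCollaborationGuest"}
    return users, pot_groups, pot_roles


def coverage(policy):
    """Effective coverage of one policy plus a reason for every uncovered enabled user."""
    inc, pot_groups, pot_roles = resolve(policy["include"])
    exc, _, _ = resolve(policy["exclude"])
    effective = inc - exc
    enabled = {u for u, (on, _) in USERS.items() if on}
    potential = (pot_groups | pot_roles) - exc - effective  # eligible but not covered
    reasons = {}
    for u in sorted(enabled - effective):
        if u in inc:
            reasons[u] = "Excluded"
        elif u in potential:
            reasons[u] = "PotentialViaPIM"
        else:
            reasons[u] = "NotTargeted"
    return {
        "EffectiveIncluded": len(effective),
        "EffectiveExcluded": len(inc & exc),
        "UserCoverage": round(len(effective & enabled) / len(enabled), 2),
        "PotentialUsersViaGroups": len(pot_groups - exc - effective),
        "PotentialUsersViaRoles": len(pot_roles - exc - effective),
        "Uncovered": reasons,
    }


# Constructed policy: targets an admin group, a PIM group, the GA role and B2B
# guests, but explicitly excludes guest1.
SAMPLE_POLICY = {
    "include": {"groups": ["admins", "pim-grp"], "roles": ["Global Administrator"],
                "external": ["b2bCollaborationGuest"]},
    "exclude": {"users": ["guest1"]},
}
```

Running `coverage(SAMPLE_POLICY)` reports only one user as effectively covered, flags bob and carol as PotentialViaPIM rather than covered, and labels guest1 as Excluded.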

Role Assignments (Azure)

  • Added: Distinction between direct and PIM-activated Azure role assignments.
  • Added: ActivatedViaPIM, Start, and Expires fields to Azure role assignment reporting.

Security Findings

  • Added: USR-013 security finding for enabled synchronized on-premises accounts older than 90 days with no recorded Entra ID sign-in.
  • Fixed: USR-005 is skipped when user sign-in activity could not be read, avoiding misleading inactive-user findings.
  • Fixed: Security Findings JSON export now preserves Warnings as strings.
  • Fixed: Several small robustness issues around null handling, report links, and generated report paths.
  • Changed: PIM-002 now focuses on active Tier-0 user and group assignments that are not activated via PIM.
  • Changed: CAP-005 evaluation no longer treats policies as passing when coverage is only based on unresolved or external-only targeting.

General

  • Improved: Centralized application role lookups for more consistent API permission resolution across application and agent-related reports.
  • Improved: Service principal sign-in activity is now fetched once and reused across dependent reports.
  • Improved: Delegated API permission display-name resolution now uses the shared application reference cache, reducing repeated Graph calls.
  • Fixed: Multiple small robustness issues across tenant, PIM, Azure role, and reporting logic.

Full Changelog: V20260327...V20260414

V20260327

27 Mar 20:57

Changelog

General

  • Added: Support for AND (&&) filters in report tables.
  • Fixed: Multiple small robustness issues across tenant, PIM, Azure role, and reporting logic.
  • Added: CONTRIBUTING.md with basic contribution guidelines.
  • Improved: Reworked preset views with clearer grouping and descriptions. They can now also be triggered via GET parameters.

Summary

  • Added: Tenant domain enumeration, including the user count per domain, in the summary report.

Conditional Access Policies

  • Improved: Detection of policies affecting scoped service principal assignments.
  • Improved: Cleanup of Conditional Access warning handling and related edge cases.

PIM and Role Assignments

  • Added: Distinction between direct and PIM-activated Entra role assignments.
  • Added: ActivatedViaPIM, Start, and Expires fields to Entra role assignment reporting.
  • Fixed: Improved handling of linked Conditional Access policies and null-safe role lookups.

App Registrations and Enterprise Applications

  • Fixed: Corrected the ApiDelegated count in the App Registration appendix.
  • Cleaned up: Minor Enterprise Application cleanup and report consistency fixes.

Security Findings

  • Changed: PIM-002 now focuses on active Tier-0 user and group assignments outside PIM activation.
  • Changed: CAP-005 no longer passes when only external identities are targeted.

Exports and UI

  • Fixed: CSV downloads from the Security Findings report now include a UTF-8 BOM for better Excel compatibility.
  • Fixed: Minor report link and wording issues.

Full Changelog: V20260321...V20260327

V20260321

21 Mar 09:37

Changelog

General

  • Removed: Unused privileged branch for unknown Azure role scoring (Issue #17).
  • Fixed: Null credential dates in detail reports are now handled correctly (Issue #19).

Groups

  • Fixed: CAP warning check for public dynamic groups (Issue #20).

App Registrations

  • Fixed: Initialized Expired per credential during app registration processing (Issue #16).
  • Improved: Cached app and role assignment lookups during app registration processing (Issue #20).

Enterprise Applications

  • Fixed: Service principal ownership debug log variable (Issue #21).

Managed Identities

  • Removed: Unsupported app role assignment output from the Managed Identities report (Issue #15).

Users

  • Fixed: AzureRoles value in user-owned service principal details (Issue #23).

Conditional Access Policies

  • Fixed: Explicit null checks are now used in CAP detail rendering (Issue #24).

Roles

  • Fixed: Azure role scope sorting for PowerShell 5.1 (Issue #26).

Security Findings Report

  • Fixed: PIM-009 false positive in authentication context detection.

Full Changelog: V20260316...V20260321

V20260316

16 Mar 15:41

Changelog

General

  • Improved: Refactoring of the authentication logic:
    • BroCi is now the default authentication method.
      • The -BroCi switch has been removed.
      • To manually provide a BroCi token, use -AuthFlow BroCiToken -BroCiToken "1.XXXX".
      • -AuthMethod has been renamed to -AuthFlow and now supports BroCi, AuthCode, DeviceCode, ManualCode, BroCiManualCode, and BroCiToken.
    • OS detection including warnings if incompatible authentication flows are used.
  • Fixed: In Firefox, the chosen theme (Dark or Light mode) is now stored in session storage, making it persistent across all HTML pages.
  • Fixed: Various typos and wording issues across all modules.
  • Fixed: OR filter handling in GET parameters.
  • Improved: Azure subscription names are now resolved and displayed instead of subscription IDs. This allows faster evaluation of whether a subscription is, for example, production or test.
  • Changed: CSV versions of the main object tables are no longer generated automatically. Use -csv to generate them.
  • Changed: The role Security Administrator is categorized as a Tier-0 role (as it can configure federation on existing domains).

Security Findings Report

Beta release of the Security Findings Report:

  • More than 60 built-in checks across different areas
  • Dynamic dashboard for overview
  • Filtering options
  • Export functions (CSV, JSON, and PDF)
  • Detailed findings including description, threat, and high-level remediation recommendations, including details about affected objects
  • If a finding has affected objects, they are listed in a sortable and filterable table and can also be exported
  • Basic workflows are supported by tagging findings (for example: important, false positive, resolved, confirmed)

App Registrations

  • Added: The new enabled property for App Registrations.
  • Added: Enumeration of federated credentials.
  • Changed: OwnerCount column renamed to Owners for consistency.
  • Removed: The dedicated CSV report containing all App Registrations with secrets (AppRegistration_Secrets_XXX.csv) is no longer generated. The list can be manually exported as CSV from finding APP-001.

Conditional Access Policies

  • Added: IncUsersViaGroups and ExcUsersViaGroups properties representing the number of users in those groups. This allows faster evaluation of how many users are included or excluded through groups.
  • Improved: The effective number of excluded users through groups is now evaluated instead of simply counting the excluded group objects.
  • Improved: Detection logic for phishing-resistant MFA enforcement.
  • Improved: Fine-tuned security-info registration check (it is now OK to exclude guests).

Enterprise Applications

  • Improved: Removed the noisy warning Foreign with permission.
  • Improved: Impact rating logic (increased impact score for dangerous delegated API permissions).
  • Improved: Entra and Azure role assignments through groups now also increase the counts in the EntraRoles and AzureRoles fields.
  • Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role an enterprise application has (direct or through groups, excluding PIM for Groups).

Managed Identities

  • Improved: Impact scoring for privileged API permissions (increased the impact score for dangerous or highly privileged API permissions).
  • Improved: Entra and Azure role assignments through groups now also increase the counts in the EntraRoles and AzureRoles fields.
  • Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role a managed identity has (direct or through groups, excluding privileges through PIM).

Groups

  • Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role a group has (direct, via PIM, or through other groups).
  • Fixed: Score inheritance behavior.

Users

  • Fixed: Incorrect AppLock status for service principal ownerships in the warning message.
  • Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role a user has (direct, via PIM, or through groups).
  • Added: PerUserMFAState field showing the state (disabled, enabled, or enforced) for each user.
  • Added: Agent field indicating whether the user is an Agent User. These users are also filtered out in certain preset views and security findings (e.g., missing MFA).
  • Removed: The dedicated CSV report containing all inactive users (Users_XXXX_Inactive.csv) is no longer generated. The list can be manually exported as CSV from finding USR-005.

Summary

  • Fixed: Added the missing date range to the chart Last Successful Sign-In.
  • Improved: Restyled the general information, enumerated objects, and chart sections.
  • Improved: Added a chart showing Azure tiering.

PIM for Entra

  • Fixed: Error when multiple CAPs were linked to an authentication context.

Agent Identities

Note: Agent identities are currently under active research. Future releases will include additional enumeration and checks related to Agent Identities.

  • Added: The API permissions AgentIdentityBlueprint.ReadWrite.All and AgentIdentityBlueprint.AddRemoveCreds.All are categorized as High.
  • Added: The role Agent ID Administrator is categorized as a Tier-1 role.
  • Added: The API permission AgentIdentity.CreateAsManager is categorized as Low.
  • Removed: Agent Identity Blueprints are excluded from the App Registration enumeration.
  • Removed: Agent Identity Blueprint principals are excluded from the Enterprise Application enumeration.

Internal

  • Updated: Send-GraphBatchRequest version.
  • Updated: Send-GraphRequest version.
  • Added: Custom API request module for requests to ARM and api.azrbac.mspim.azure.com. The module handles pagination, throttling, and related behaviors.

Full Changelog: V20260208...V20260316

V20260208

08 Feb 07:58

Changelog

General

  • Improved: Filters on the main overview tables are now also applied to the objects in the details sections, meaning the views are now synchronized. This allows navigating through the details sections more efficiently.
  • Improved: The content of items in the details section is now loaded only when an item is expanded. This improves the performance of the HTML reports, especially for large tenants.
  • Improved: Updated the text of several table header tooltips.
  • Added: Additional categorization of various application and delegated permissions.

Enterprise Applications

  • Added: Check whether an application is configured for SAML and populate the SAML property accordingly. This allows filtering these apps in the preset view Enterprise Apps with Credentials and avoids false positives.

Internal

  • Updated: Updated Chart.js to version 4.5.1.

Full Changelog: V20260127...V20260208

V20260127

27 Jan 21:03

Changelog

General

  • Fixed: Issue #6. Microsoft revoked the FOCI status of the Azure CLI client. As a result, token refresh to the Managed Meeting Rooms client (eb20f3e3-3dce-4d2c-b721-ebb8d4414067) is no longer possible.
    The client has been replaced with the Dynamics 365 Example Client Application (51f81489-12ee-4a9e-aaae-a2591f45987d).
    Due to this change, the standard authentication flow now requires three interactive sign-ins.
    The README has been updated to better explain the available authentication flows and their respective advantages and limitations.

Groups

  • Fixed: Issue that could cause non-existent role assignments to be displayed.

Internal

  • Updated: Bumped EntraTokenAid to the latest version.
  • Improved: Internal restructuring to support upcoming features.

Full Changelog: V20260125...V20260127

V20260125

25 Jan 18:19

Changelog

General

  • Fixed: An issue with the help text introduced by the navigation bar.

Full Changelog: V20260121...V20260125

V20260121

21 Jan 20:52

Changelog

General

  • Added: New report header and navigation bar, enabling:
    • Navigation between the different reports
    • Faster jumping between sections within the same report
    • Tenant information and execution time displayed at the top
    • Execution warnings accessible via the warnings button (if present)

Conditional Access Policies

  • Improved: Updated condition counting and adjusted thresholds per policy type to reduce unnecessary warnings.
  • Improved: Improved warning formatting and refined policy-related text.

Groups

  • Fixed: Device display name issue.

Internal

  • Updated: Bumped Send-GraphBatchRequest to the latest version.
  • Improved: Various internal cleanups.

Full Changelog: V20260117...V20260121

V20260117

17 Jan 09:14

Changelog

General

  • Added: Introduced a LogLevel parameter to show verbose CLI messages. The existing custom status messages have been migrated. Over time, more log messages will be added to the tool. Possible values:
    • Off (default): No additional status output.
    • Verbose: High-level status messages.
    • Debug: Includes Verbose plus additional details useful for debugging.
    • Trace: Includes Debug plus very detailed output (may be noisy).
  • Added: Enumeration of the effective Entra ID tenant license.

PIM Report

  • Fixed: Parsing issue when the role activation time is not a full hour.

Enterprise Applications

  • Added: App roles now show app role assignments for other service principals as well.

Managed Identities

  • Fixed: Improved $null protection for the property AlternativeNames to address issue #5.

Azure Roles

  • Added: External partner objects (CSP groups) are now shown with the proper display name.
    Example: Foreign Principal for '%your CSP%' in Role 'TenantAdmins' (%your tenant name%)
  • Improved: Performance in large tenants by switching from an array to a list.

Internal

  • Improved: Reduced API calls for role enumerations when multiple subscriptions exist.
  • Improved: Introduced caching for single object lookups in role lookup.
  • Improved: Changed the module import to be independent of the current directory.

Full Changelog: V20260104...V20260117

V20260104

04 Jan 19:55

Changelog

General

  • Added: Introduced BroCi Authentication (beta) via the -Broci switch. Benefits:
    • Only one interactive authentication is required (instead of two).
    • Does not rely on applications like Azure Active Directory PowerShell, which may require assignment.
    • Allows you to bring your own token for authentication via the -BroCiToken parameter.
      The token must be a refresh token for the client c44b4083-3bb0-49c1-b47d-974e53cbdf3c (Azure Portal).

Enterprise Applications

  • Added: Classified Directory.AccessAsUser.All as a high-privilege Microsoft Graph permission.
  • Added: Creation timestamp in the detail view and a days since creation column in the table.
  • Improved: API permissions in the appendix are now sorted by API and then by severity.

App Registrations

  • Added: Creation timestamp in the detail view and a days since creation column in the table.

Managed Identities

  • Added: Creation timestamp in the detail view and a days since creation column in the table.
  • Improved: API permissions in the appendix are now sorted by API and then by severity.

Users

  • Added: User details now indicate whether the account is enabled.

Role Assignments Azure / Entra

  • Fixed: The CSV export no longer contains HTML links in values or references to non-existent columns.

Internal

  • Updated: Updated the EntraTokenAid version.
  • Fixed: The JSON object was parsed twice in the HTML report.
  • Improved: Authentication function that manages the different authentication flows with EntraTokenAid.

Full Changelog: V20251208...V20260104