Auditing Azure Active Directory Configuration

Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,

What Is This

The "Auditing Azure Active Directory Configuration" skill enables security professionals, cloud administrators, and auditors to systematically review and assess the security posture of Microsoft Entra ID (formerly Azure Active Directory) tenants. This skill focuses on identifying risky authentication policies, overly permissive role assignments, stale or orphaned accounts, conditional access policy gaps, and guest user risks. The auditing process uses tools such as AzureAD PowerShell, Microsoft Graph API, and ScoutSuite to extract, analyze, and report on critical identity and access management (IAM) configuration elements within Azure AD.

Unlike on-premises Active Directory auditing, which addresses local AD security, this skill is specifically tailored for cloud-based identity environments. It emphasizes the evaluation of authentication and authorization controls that directly impact cloud resource access, user security, and organizational compliance requirements.

Why Use It

Auditing Azure Active Directory is crucial because identity is a primary attack vector in cloud environments. Misconfigurations, excessive permissions, and weak or missing authentication controls can facilitate privilege escalation, account compromise, and unauthorized access to sensitive resources. The dynamic nature of cloud environments, with frequent onboarding and offboarding of users, external collaborations, and evolving security policies, increases the risk of configuration drift and unnoticed vulnerabilities.

Key reasons to use this skill include:

  • Security Assessments: To uncover misconfigurations and reduce the attack surface.
  • Compliance: To ensure alignment with frameworks such as NIST CSF (e.g., PR.IR-01, ID.AM-08, GV.SC-06, DE.CM-01).
  • Incident Response: To investigate the root cause and blast radius of identity-related incidents.
  • Operational Hygiene: To regularly validate that conditional access, multi-factor authentication (MFA), and role assignments are appropriate and up-to-date.

How to Use It

Prerequisites

  • You must have the Global Reader or Security Reader role in the target Entra ID tenant.

  • Install the Microsoft Graph PowerShell SDK:

    Install-Module Microsoft.Graph
  • For broader analysis, install and configure ScoutSuite (https://github.com/nccgroup/ScoutSuite).

1. Review Authentication Policies

Authentication policies define how users prove their identity. Weak or incomplete policies can expose the tenant to brute force, phishing, and token replay attacks.

List Sign-in Methods and MFA Registration

Connect-MgGraph -Scopes "Directory.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# List the authentication methods registered for one user
Get-MgUserAuthenticationMethod -UserId <user@domain.com>

# List all users who have not registered any MFA method. The user registration details report
# (Microsoft.Graph.Reports module) is the supported source for this; it needs an Entra ID P1/P2 licence.
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isMfaRegistered eq false" -All |
  Select-Object UserPrincipalName, IsMfaCapable, IsAdmin

Audit Legacy Authentication

Legacy protocols (for example IMAP, POP3, SMTP AUTH and Exchange ActiveSync) cannot carry MFA or conditional access, so a password alone is enough to sign in. Identify accounts that are still authenticating over legacy protocols from the sign-in logs (requires the AuditLog.Read.All scope):

# Anything other than the two modern client types in ClientAppUsed is a legacy authentication client
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
  Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
  Select-Object UserPrincipalName, ClientAppUsed, AppDisplayName, CreatedDateTime

2. Analyze Role Assignments

Overly permissive or unnecessary role assignments increase the risk of privilege abuse.

List Directory Role Members

# List all activated directory roles and their members. Members come back as generic directory
# objects, so the principal type and UPN live in AdditionalProperties rather than on the object itself.
Get-MgDirectoryRole -All | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        $upn = $_.AdditionalProperties['userPrincipalName']
        [pscustomobject]@{
            Role      = $role.DisplayName
            Type      = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            Principal = if ($upn) { $upn } else { $_.AdditionalProperties['displayName'] }
            Id        = $_.Id
        }
    }
}

Look for users or service principals assigned to high-privilege roles such as Global Administrator, Privileged Role Administrator, or Application Administrator.
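The following is an added example (not part of the original skill) that turns the check above into a finding list: it resolves every assignment to the three high-privilege roles named above through the role management API, flags service principals and guest accounts holding them, and warns when the Global Administrator count is larger than Microsoft's guidance of fewer than five. It assumes the Microsoft.Graph modules are installed and the caller holds Global Reader or Security Reader.

```powershell
# Added example, not the skill's own code. Requires RoleManagement.Read.Directory and Directory.Read.All.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$privilegedRoles = @('Global Administrator', 'Privileged Role Administrator', 'Application Administrator')

# Map roleDefinitionId -> display name once, instead of resolving it per assignment
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Expand the principal so each assignment carries the object type, UPN and display name
$findings = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal |
  Where-Object { $roleNames[$_.RoleDefinitionId] -in $privilegedRoles } |
  ForEach-Object {
    $type = $_.Principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
    $upn  = $_.Principal.AdditionalProperties['userPrincipalName']
    $name = if ($upn) { $upn } else { $_.Principal.AdditionalProperties['displayName'] }

    # B2B guest UPNs carry the '#EXT#' marker; a service principal in a privileged role is a standing risk
    $flag = ''
    if ($type -eq 'servicePrincipal') { $flag = 'service principal holds privileged role' }
    elseif ($upn -like '*#EXT#*')     { $flag = 'guest account holds privileged role' }

    [pscustomobject]@{
      Role      = $roleNames[$_.RoleDefinitionId]
      Type      = $type
      Principal = $name
      Scope     = $_.DirectoryScopeId   # '/' means tenant-wide; anything else is an administrative unit
      Flag      = $flag
    }
  }

$findings | Sort-Object Role, Principal | Format-Table -AutoSize

$gaCount = ($findings | Where-Object Role -eq 'Global Administrator' | Measure-Object).Count
if ($gaCount -ge 5) { Write-Warning "$gaCount Global Administrator assignments; review and reduce." }
```

Rows with a non-empty Flag column, and any Scope other than '/', are the ones to raise with the tenant owners first.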

3. Identify Stale and Guest Accounts

Inactive or orphaned accounts are common targets for attackers.

Find Inactive Accounts

# List users who have not signed in during the last 90 days. Sign-in activity is not returned by default:
# it must be requested with -Property and needs AuditLog.Read.All plus an Entra ID P1/P2 licence.
Get-MgUser -Filter "accountEnabled eq true" -All -Property Id, UserPrincipalName, SignInActivity |
  Where-Object { -not $_.SignInActivity.LastSignInDateTime -or
                 $_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90) } |
  Select-Object UserPrincipalName, @{Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime }}

Audit Guest Users

# List guest (B2B) users
Get-MgUser -Filter "userType eq 'Guest'" -All | Select-Object DisplayName, UserPrincipalName, Mail

Evaluate the necessity and permissions of each guest account.

4. Assess Conditional Access Policies

Conditional access policies enforce adaptive controls based on risk, device, location, and user context.

# List all conditional access policies and their state (requires the Policy.Read.All scope)
Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State

Verify policies enforce MFA, restrict risky locations, and apply to all critical user groups.
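The following is an added example (not part of the original skill) that checks the three points above against the live policy set: whether at least one enforced policy requires MFA for all users on all cloud apps, whether legacy authentication client apps are blocked, and which policies are report-only or carry user or group exclusions. It assumes the Microsoft.Graph modules are installed; the function name Test-CaBaseline is my own.

```powershell
# Added example, not the skill's own code. Requires the Policy.Read.All scope.
Connect-MgGraph -Scopes "Policy.Read.All"

function Test-CaBaseline {
  param([object[]]$Policies)
  $enforced = $Policies | Where-Object State -eq 'enabled'
  $findings = [System.Collections.Generic.List[string]]::new()

  # 1. MFA for everyone on every app: either the built-in 'mfa' control or an authentication strength
  $mfaAll = $enforced | Where-Object {
    ('mfa' -in $_.GrantControls.BuiltInControls -or $_.GrantControls.AuthenticationStrength.Id) -and
    'All' -in $_.Conditions.Users.IncludeUsers -and
    'All' -in $_.Conditions.Applications.IncludeApplications
  }
  if (-not $mfaAll) { $findings.Add('No enforced policy requires MFA for all users on all cloud apps') }

  # 2. Legacy authentication: a block policy targeting the exchangeActiveSync / other client app types
  $legacyBlock = $enforced | Where-Object {
    'block' -in $_.GrantControls.BuiltInControls -and
    ('exchangeActiveSync' -in $_.Conditions.ClientAppTypes -or 'other' -in $_.Conditions.ClientAppTypes)
  }
  if (-not $legacyBlock) { $findings.Add('No enforced policy blocks legacy authentication client apps') }

  # 3. Per-policy hygiene: report-only policies enforce nothing, and exclusions are where bypasses hide
  foreach ($p in $Policies) {
    if ($p.State -eq 'enabledForReportingButNotEnforced') { $findings.Add("Report-only, not enforced: $($p.DisplayName)") }
    $excluded = @(@($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) | Where-Object { $_ })
    if ($excluded.Count -gt 0) { $findings.Add("$($p.DisplayName) excludes $($excluded.Count) user(s)/group(s)") }
  }
  return $findings
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
Test-CaBaseline -Policies $policies
```

An empty result means the baseline checks pass; each line otherwise names a gap to review with the policy owners, and excluded objects should be traced back to a documented break-glass or service exception.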

5. Use ScoutSuite for Configuration Review

ScoutSuite provides a comprehensive, automated assessment of Azure AD (and other cloud services):

  • Run ScoutSuite with Azure credentials.
  • Review the generated HTML report for findings related to authentication, IAM, guest access, and policy gaps.

When to Use It

  • During periodic security reviews of Azure AD tenants
  • When onboarding new tenants or after organizational changes such as mergers or acquisitions
  • For regulatory or internal compliance audits focused on identity and access management
  • When suspicious activity or potential account compromise is detected
  • To validate the effectiveness of recent changes to authentication or access policies

Important Notes

  • This skill is not intended for on-premises Active Directory auditing. For that, use specialized tools such as PingCastle or BloodHound for AD.
  • It does not cover real-time threat detection. For ongoing monitoring, use Microsoft Defender for Identity.
  • Always use the least privilege principle: restrict auditing tool access to authorized personnel only.
  • Review the output of each audit step with stakeholders to ensure remediation actions are tracked and completed.
  • Regularly update PowerShell modules and ScoutSuite to leverage the latest features and security updates.
  • Be mindful of privacy and data protection requirements when exporting or sharing audit results.

By regularly auditing Azure Active Directory configuration, organizations can significantly reduce the risk of identity-based attacks and ensure ongoing compliance with security best practices.