{"id":13742593,"url":"https://github.com/DanielChronlund/DCToolbox","last_synced_at":"2025-05-09T00:31:29.094Z","repository":{"id":39584970,"uuid":"311105359","full_name":"DanielChronlund/DCToolbox","owner":"DanielChronlund","description":"Tools for Microsoft cloud fans","archived":false,"fork":false,"pushed_at":"2023-12-14T11:44:57.000Z","size":213,"stargazers_count":253,"open_issues_count":36,"forks_count":37,"subscribers_count":13,"default_branch":"main","last_synced_at":"2023-12-14T12:47:40.318Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DanielChronlund.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-11-08T16:29:14.000Z","updated_at":"2023-12-20T15:18:56.640Z","dependencies_parsed_at":"2023-12-20T15:18:55.121Z","dependency_job_id":"40e1b0ee-e0d3-4243-a310-cc4cc946d9cb","html_url":"https://github.com/DanielChronlund/DCToolbox","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanielChronlund%2FDCToolbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanielChronlund%2FDCToolbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanielChronlund%2FDCToolbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanielChronlund%2FDCToolbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DanielChronlund","download_url":"https://codeload.github.com/Dan
ielChronlund/DCToolbox/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253170943,"owners_count":21865273,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T05:00:33.911Z","updated_at":"2025-05-09T00:31:29.058Z","avatar_url":"https://github.com/DanielChronlund.png","language":"PowerShell","funding_links":[],"categories":["Tools","PowerShell","0x02 工具 :hammer_and_wrench:"],"sub_categories":["CLI","1 云服务工具"],"readme":"# DCToolbox\r\n\r\nA PowerShell toolbox for Microsoft 365 security fans.\r\n\r\n*Author: Daniel Chronlund (https://danielchronlund.com)*\r\n\r\n---------------------------------------------------\r\n\r\n\r\n## About DCToolbox\r\n\r\nThis PowerShell module contains a collection of tools for Microsoft 365 security tasks, Microsoft Graph functions, Entra ID management, Conditional Access, zero trust strategies, attack and defense scenarios, etc.\r\n\r\n---------------------------------------------------\r\n\r\n\r\n## Get Started\r\n\r\nInstall the module from the PowerShell Gallery by running:\r\n\r\n    Install-Module DCToolbox\r\n\r\nIf you already installed it, update to the latest version by running:\r\n\r\n    Update-Module DCToolbox\r\n\r\nPowerShell Gallery package link: https://www.powershellgallery.com/packages/DCToolbox\r\n\r\nWhen you have installed it, to get started, run:\r\n\r\n    Get-DCHelp\r\n\r\nExplore and copy script examples to your clipboard with:\r\n\r\n    Copy-DCExample\r\n\r\n---------------------------------------------------\r\n\r\n## Included 
Tools\r\n\r\n### Add-DCConditionalAccessPoliciesBreakGlassGroup\r\n\r\n**Synopsis:**\r\n\r\nExcludes a specified Entra ID security group from all Conditional Access policies in the tenant.\r\n\r\n**Details:**\r\n\r\nExcludes a specified Entra ID security group from all Conditional Access policies in the tenant.\r\n\r\nPlease create the group and add your break glass accounts before running this command.\r\n\r\nYou can filter on a name prefix with -PrefixFilter.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly modify the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-ExcludeGroupName\r\n\tDescription:\tThe name of your exclude group in Entra ID. Please create the group and add your break glass accounts before running this command.\r\n\tRequired:\t\ttrue\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tAdd-DCConditionalAccessPoliciesBreakGlassGroup -PrefixFilter 'GLOBAL - ' -ExcludeGroupName 'Excluded from Conditional Access'\r\n\r\n---\r\n\r\n### Confirm-DCPowerShellVersion\r\n\r\n**Synopsis:**\r\n\r\nCheck that a supported PowerShell version is running.\r\n\r\n**Details:**\r\n\r\n\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\t    \r\n\tConfirm-DCPowerShellVersion\r\n\t    \r\n\tConfirm-DCPowerShellVersion -Verbose\r\n\r\n---\r\n\r\n### Connect-DCMsGraphAsApplication\r\n\r\n**Synopsis:**\r\n\r\nConnect to Microsoft Graph with application credentials.\r\n\r\n**Details:**\r\n\r\nThis CMDlet will automatically connect to Microsoft Graph using application permissions (as opposed to delegated credentials). If successful, an access token is returned that can be used with other Graph CMDlets. 
Make sure you store the access token in a variable according to the example.\r\n\r\nBefore running this CMDlet, you first need to register a new application in your Entra ID according to this article:\r\nhttps://danielchronlund.com/2018/11/19/fetch-data-from-microsoft-graph-with-powershell-paging-support/\r\n\r\n**Parameters:**\r\n\r\n\t-ClientID\r\n\tDescription:\tClient ID for your Entra ID application.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-ClientSecret\r\n\tDescription:\tClient secret for the Entra ID application.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-TenantName\r\n\tDescription:\tThe name of your tenant (example.onmicrosoft.com).\r\n\tRequired:\t\ttrue\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\t$AccessToken = Connect-DCMsGraphAsApplication -ClientID '8a85d2cf-17c7-4ecd-a4ef-05b9a81a9bba' -ClientSecret 'j[BQNSi29Wj4od92ritl_DHJvl1sG.Y/' -TenantName 'example.onmicrosoft.com'\r\n\r\n---\r\n\r\n### Connect-DCMsGraphAsUser\r\n\r\n**Synopsis:**\r\n\r\nConnect to Microsoft Graph with the Microsoft Graph PowerShell module as a user (using delegated permissions in Graph).\r\n\r\n**Details:**\r\n\r\n\r\n\r\n**Parameters:**\r\n\r\n\t-Scopes\r\n\tDescription:\tThe required API permission scopes (delegated permissions). 
Example: \"Policy.ReadWrite.ConditionalAccess\", \"Policy.Read.All\"\r\n\tRequired:\t\ttrue\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tConnect-DCMsGraphAsUser -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'\r\n\t    \r\n\tConnect-DCMsGraphAsUser -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All' -Verbose\r\n\r\n---\r\n\r\n### Copy-DCExample\r\n\r\n**Synopsis:**\r\n\r\n\r\nCopy-DCExample \r\n\r\n\r\n**Details:**\r\n\r\n\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\r\n---\r\n\r\n### Deploy-DCConditionalAccessBaselinePoC\r\n\r\n**Synopsis:**\r\n\r\nAutomatically deploy the latest version of the Conditional Access policy design baseline from https://danielchronlund.com.\r\n\r\n**Details:**\r\n\r\nAutomatically deploy the latest version of the Conditional Access policy design baseline from https://danielchronlund.com. It creates all necessary dependencies like exclusion groups, named locations, and terms of use, and then deploys all Conditional Access policies in the baseline.\r\n\r\nAll Conditional Access policies created by this CMDlet will be set to report-only mode.\r\n\r\nThe purpose of this tool is to quickly deploy the complete baseline as a PoC. You can then test, pilot, and deploy it going forward.\r\n\r\nYou must be a Global Admin to run this command (because of the admin consent required) but no other preparations are required.\r\n\r\n**Parameters:**\r\n\r\n\t-AddCustomPrefix\r\n\tDescription:\tAdds a custom prefix to all policy names.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-CreateDocumentation\r\n\tDescription:\tCreates a Markdown documentation of the baseline.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-SkipReportOnlyMode\r\n\tDescription:\tAll Conditional Access policies created by this CMDlet will be set to report-only mode if you don't use this parameter. 
WARNING: Use this parameter with caution since ALL POLICIES will go live for ALL USERS when you specify this.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tDeploy-DCConditionalAccessBaselinePoC\r\n\t    \r\n\tDeploy-DCConditionalAccessBaselinePoC -AddCustomPrefix 'PILOT - '\r\n\t    \r\n\tDeploy-DCConditionalAccessBaselinePoC -CreateDocumentation\r\n\t    \r\n\tDeploy-DCConditionalAccessBaselinePoC -SkipReportOnlyMode # Use with caution!\r\n\r\n---\r\n\r\n### Enable-DCEntraIDPIMRole\r\n\r\n**Synopsis:**\r\n\r\nActivate an Entra ID Privileged Identity Management (PIM) role with PowerShell.\r\n\r\n**Details:**\r\n\r\nUses the Graph PowerShell module to activate a user-selected Entra ID role in Entra ID Privileged Identity Management (PIM).\r\n\r\nDuring activation, the user will be prompted to specify a reason for the activation.\r\n\r\n**Parameters:**\r\n\r\n\t-RolesToActivate\r\n\tDescription:\tThis parameter is optional but if you specify it, you can select multiple roles to activate at once.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-Reason\r\n\tDescription:\tSpecify the reason for activating your roles.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-UseMaximumTimeAllowed\r\n\tDescription:\tUse this switch to automatically request maximum allowed time for all role assignments.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tEnable-DCEntraIDPIMRole\r\n\t    \r\n\tEnable-DCEntraIDPIMRole -RolesToActivate 'Exchange Administrator', 'Security Reader'\r\n\t    \r\n\tEnable-DCEntraIDPIMRole -RolesToActivate 'Exchange Administrator', 'Security Reader' -UseMaximumTimeAllowed\r\n\t    \r\n\tEnable-DCEntraIDPIMRole -RolesToActivate 'Exchange Administrator', 'Security Reader' -Reason 'Performing some Exchange security configuration.' 
-UseMaximumTimeAllowed\r\n\r\n---\r\n\r\n### Export-DCConditionalAccessPolicyDesign\r\n\r\n**Synopsis:**\r\n\r\nExport all Conditional Access policies to JSON.\r\n\r\n**Details:**\r\n\r\nThis CMDlet uses Microsoft Graph to export all Conditional Access policies in the tenant to a JSON file. This JSON file can be used for backup, documentation or to deploy the same policies again with Import-DCConditionalAccessPolicyDesign. You can basically treat Conditional Access as code!\r\n\r\nThe user running this CMDlet (the one who signs in when the authentication pops up) must have the appropriate permissions in Entra ID (Global Admin, Security Admin, Conditional Access Admin, etc).\r\n\r\n**Parameters:**\r\n\r\n\t-FilePath\r\n\tDescription:\tThe file path where the new JSON file will be created. Skip this to use the current path.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-PrefixFilter\r\n\tDescription:\tOnly export the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tExport-DCConditionalAccessPolicyDesign\r\n\t    \r\n\t$Parameters = @{\r\n\t    FilePath = 'C:\\Temp\\Conditional Access.json'\r\n\t}\r\n\tExport-DCConditionalAccessPolicyDesign @Parameters\r\n\t    \r\n\t$Parameters = @{\r\n\t    FilePath = 'C:\\Temp\\Conditional Access.json'\r\n\t    PrefixFilter = 'GLOBAL - '\r\n\t}\r\n\tExport-DCConditionalAccessPolicyDesign @Parameters\r\n\r\n---\r\n\r\n### Get-DCConditionalAccessPolicies\r\n\r\n**Synopsis:**\r\n\r\nList all Conditional Access policies in the tenant.\r\n\r\n**Details:**\r\n\r\nList all Conditional Access policies in the tenant.\r\n\r\nYou can filter on a name prefix with -PrefixFilter.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly show the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-ShowTargetResources\r\n\tDescription:\tShow included and excluded resources in output. 
Only relevant without -Details.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-Details\r\n\tDescription:\tInclude policy details in output.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-NamesOnly\r\n\tDescription:\tShow names only in output.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tGet-DCConditionalAccessPolicies\r\n\t    \r\n\tGet-DCConditionalAccessPolicies -PrefixFilter 'GLOBAL - '\r\n\r\n---\r\n\r\n### Get-DCEntraIDUsersAndGroupsAsGuest\r\n\r\n**Synopsis:**\r\n\r\nThis script lets a guest user enumerate users and security groups/teams when 'Guest user access restrictions' in Entra ID is set to the default configuration.\r\n\r\n**Details:**\r\n\r\nThis script is a proof of concept. Don't use it for bad things! It lets a guest user enumerate users and security groups/teams when 'Guest user access restrictions' in Entra ID is set to the default configuration. It works around the limitation that guest users must do explicit lookups for users and groups. It basically produces a list of all users and groups in the tenant, even though such actions are blocked for guests by default.\r\n\r\nIf the target tenant allows guest users to sign in with Entra ID PowerShell, and the 'Guest user access restrictions' is set to one of these two settings:\r\n'Guest users have the same access as members (most inclusive)'\r\n'Guest users have limited access to properties and memberships of directory objects' [default]\r\n\r\nAnd not set to:\r\n'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'\r\n\r\n...then this script will query Entra ID for the group memberships of the specified -InterestingUsers that you already know the UPN of. It then performs nested queries until all users and groups have been found. It will stop after a maximum of 5 iterations to avoid throttling and infinite loops. 
\"A friend of a friend of a friend...\"\r\n\r\nFinally, the script will output one array with found users, and one array with found groups/teams. You can then export them to CSV or some other format of your choice. Export examples are output for your convenience.\r\n\r\n**Parameters:**\r\n\r\n\t-TenantId\r\n\tDescription:\tThe tenant ID of the target tenant where you are a guest. You can find all your guest tenant IDs here: https://portal.azure.com/#settings/directory\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-AccountId\r\n\tDescription:\tYour UPN in your home tenant (probably your email address, right?).\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-InterestingUsers\r\n\tDescription:\tOne or more UPNs of users in the target tenant. These will serve as a starting point for the search, and one or two employees you know about are often sufficient to enumerate everything.\r\n\tRequired:\t\ttrue\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tGet-DCEntraIDUsersAndGroupsAsGuest -TenantId '00000000-0000-0000-0000-000000000000' -AccountId 'user@example.com' -InterestingUsers 'customer1@customer.com', 'customer2@customer.com'\r\n\r\n---\r\n\r\n### Get-DCHelp\r\n\r\n**Synopsis:**\r\n\r\n\r\nGet-DCHelp \r\n\r\n\r\n**Details:**\r\n\r\n\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\r\n---\r\n\r\n### Get-DCNamedLocations\r\n\r\n**Synopsis:**\r\n\r\nList Named Locations in the tenant.\r\n\r\n**Details:**\r\n\r\nList Named Locations in the tenant.\r\n\r\nYou can filter on a name prefix with -PrefixFilter.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly show the named locations with this prefix. 
The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tGet-DCNamedLocations\r\n\t    \r\n\tGet-DCNamedLocations -PrefixFilter 'OFFICE-'\r\n\t    \r\n\t# List all trusted IP addresses.\r\n\t(Get-DCNamedLocations | where isTrusted -eq $true).ipRanges | Select-Object -Unique | Sort-Object\r\n\t    \r\n\t# List all countries.\r\n\t(Get-DCNamedLocations).countriesAndRegions | Select-Object -Unique | Sort-Object\r\n\r\n---\r\n\r\n### Get-DCPublicIp\r\n\r\n**Synopsis:**\r\n\r\nGet current public IP address information.\r\n\r\n**Details:**\r\n\r\nGet the current public IP address and related information. The ipinfo.io API is used to fetch the information. You can use the -UseTorHttpProxy to route traffic through a running Tor network HTTP proxy that was started by Start-DCTorHttpProxy.\r\n\r\n**Parameters:**\r\n\r\n\t-UseTorHttpProxy\r\n\tDescription:\tRoute traffic through a running Tor network HTTP proxy that was started by Start-DCTorHttpProxy.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tGet-DCPublicIp\r\n\t    \r\n\t(Get-DCPublicIp).ip\r\n\t    \r\n\tWrite-Host \"$((Get-DCPublicIp).city) $((Get-DCPublicIp).country)\"\r\n\r\n---\r\n\r\n### Import-DCConditionalAccessPolicyDesign\r\n\r\n**Synopsis:**\r\n\r\nImport Conditional Access policies from JSON.\r\n\r\n**Details:**\r\n\r\nThis CMDlet uses Microsoft Graph to automatically create Conditional Access policies from a JSON file.\r\n\r\nThe JSON file can be created from existing policies with Export-DCConditionalAccessPolicyDesign or manually by following the syntax described in the Microsoft Graph documentation:\r\nhttps://docs.microsoft.com/en-us/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0\r\n\r\nAll Conditional Access policies created by this CMDlet will be set to report-only mode if you don't use the -SkipReportOnlyMode override.\r\n\r\nWARNING: If you want to, you can also delete all existing policies when deploying your new ones with 
-DeleteAllExistingPolicies. Use this parameter with caution and always create a backup with Export-DCConditionalAccessPolicyDesign first!\r\n\r\nThe user running this CMDlet (the one who signs in when the authentication pops up) must have the appropriate permissions in Entra ID (Global Admin, Security Admin, Conditional Access Admin, etc).\r\n\r\nAs a best practice you should always have an Entra ID security group with break glass accounts excluded from all Conditional Access policies.\r\n\r\n**Parameters:**\r\n\r\n\t-FilePath\r\n\tDescription:\tThe file path of the JSON file containing your Conditional Access policies.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-SkipReportOnlyMode\r\n\tDescription:\tAll Conditional Access policies created by this CMDlet will be set to report-only mode if you don't use this parameter.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-DeleteAllExistingPolicies\r\n\tDescription:\tWARNING: If you want to, you can delete all existing policies when deploying your new ones with -DeleteAllExistingPolicies. Use this parameter with caution and always create a backup with Export-DCConditionalAccessPolicyDesign first!\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-AddCustomPrefix\r\n\tDescription:\tAdds a custom prefix to all policy names.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-PrefixFilter\r\n\tDescription:\tOnly import (and delete) the policies with this prefix in the JSON file. 
The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\t$Parameters = @{\r\n\t    FilePath = 'C:\\Temp\\Conditional Access.json'\r\n\t    SkipReportOnlyMode = $false\r\n\t    DeleteAllExistingPolicies = $false\r\n\t}\r\n\tImport-DCConditionalAccessPolicyDesign @Parameters\r\n\t    \r\n\t$Parameters = @{\r\n\t    FilePath = 'C:\\Temp\\Conditional Access.json'\r\n\t    SkipReportOnlyMode = $false\r\n\t    DeleteAllExistingPolicies = $false\r\n\t    AddCustomPrefix = 'PILOT - '\r\n\t}\r\n\tImport-DCConditionalAccessPolicyDesign @Parameters\r\n\t    \r\n\t$Parameters = @{\r\n\t    FilePath = 'C:\\Temp\\Conditional Access.json'\r\n\t    SkipReportOnlyMode = $true\r\n\t    DeleteAllExistingPolicies = $true\r\n\t    PrefixFilter = 'GLOBAL - '\r\n\t}\r\n\tImport-DCConditionalAccessPolicyDesign @Parameters\r\n\r\n---\r\n\r\n### Install-DCMicrosoftGraphPowerShellModule\r\n\r\n**Synopsis:**\r\n\r\nCheck, install, and update the Microsoft Graph PowerShell module.\r\n\r\n**Details:**\r\n\r\n\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\t    \r\n\tInstall-DCMicrosoftGraphPowerShellModule\r\n\t    \r\n\tInstall-DCMicrosoftGraphPowerShellModule -Verbose\r\n\r\n---\r\n\r\n### Install-DCToolbox\r\n\r\n**Synopsis:**\r\n\r\nCheck, install, and update the DCToolbox PowerShell module.\r\n\r\n**Details:**\r\n\r\n\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\t    \r\n\tInstall-DCToolbox\r\n\t    \r\n\tInstall-DCToolbox -Verbose\r\n\r\n---\r\n\r\n### Invoke-DCConditionalAccessGallery\r\n\r\n**Synopsis:**\r\n\r\nSelect policies from a list of Entra ID Conditional Access templates, and deploy them in report-only mode.\r\n\r\n**Details:**\r\n\r\nSelect policies from a list of Entra ID Conditional Access templates, and deploy them in report-only mode.\r\n\r\nThe script will automatically create any missing groups, named locations, country lists, and terms of use, and replace the names in the JSON with the corresponding IDs.\r\n\r\nIt will also output the 
result of the policy creation in JSON-format.\r\n\r\n**Parameters:**\r\n\r\n\t-AddCustomPrefix\r\n\tDescription:\tAdds a custom prefix to all policy names.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-AutoDeployIds\r\n\tDescription:\tSpecify a list of policy IDs to auto-deploy (non-interactive deployment). This parameter is only used for automated deployments.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-SkipDocumentation\r\n\tDescription:\tSkip the documentation part of the script. There will be no Markdown file produced.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tInvoke-DCConditionalAccessGallery\r\n\t    \r\n\tInvoke-DCConditionalAccessGallery -AddCustomPrefix 'PILOT - '\r\n\t    \r\n\tInvoke-DCConditionalAccessGallery -SkipDocumentation -AutoDeployIds 1010, 1020, 1030, 2010, 2020\r\n\r\n---\r\n\r\n### Invoke-DCConditionalAccessSimulation\r\n\r\n**Synopsis:**\r\n\r\nSimulates the Entra ID Conditional Access evaluation process of a specific scenario.\r\n\r\n**Details:**\r\n\r\nUses Microsoft Graph to fetch all Entra ID Conditional Access policies. It then evaluates which policies would have been applied if this was a real sign-in to Entra ID. Use the different parameters available to specify the conditions. Details are included under each parameter.\r\n\r\n**Parameters:**\r\n\r\n\t-JSONFile\r\n\tDescription:\tOnly use this parameter if you want to analyze a local JSON file export of Conditional Access policies, instead of a live tenant. Point it to the local JSON file. Export JSON with Export-DCConditionalAccessPolicyDesign (or any other tool exporting Conditional Access policies from Microsoft Graph to JSON), like 'Entra Exporter'.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-UserPrincipalName\r\n\tDescription:\tThe UPN of the simulated Entra ID user signing in. Can also be set to 'All' for all users, or 'GuestsOrExternalUsers' to test external user sign-in scenarios. Example: 'user@example.com'. 
Default: 'All'.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-ApplicationDisplayName\r\n\tDescription:\tThe display name of the application targeted by Conditional Access policies (same display name as in Entra ID Portal when creating Conditional Access policies). Example 1: 'Office 365'. Example 2: 'Microsoft Admin Portals'. Default: 'All'.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-UserAction\r\n\tDescription:\tUnder construction...\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-ClientApp\r\n\tDescription:\tThe client app type used during sign-in. Possible values: 'browser', 'mobileAppsAndDesktopClients', 'exchangeActiveSync', 'easSupported', 'other'. Default: 'browser'\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-TrustedIPAddress\r\n\tDescription:\tSpecify if the simulated sign-in comes from a trusted IP address (marked as trusted in Named Locations)? $true or $false? Don't specify the actual IP address. That is not really that important when simulating policy evaluation. Default: $false\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-Country\r\n\tDescription:\tThe country code for the sign-in country of origin based on IP address geo data. By default, this script tries to resolve the IP address of the current PowerShell session.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-Platform\r\n\tDescription:\tSpecify the OS platform of the client signing in. Possible values: 'all', 'android', 'iOS', 'windows', 'windowsPhone', 'macOS', 'linux', 'spaceRocket'. Default: 'windows'\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-SignInRiskLevel\r\n\tDescription:\tSpecify the Entra ID Protection sign-in risk level. Possible values: 'none', 'low', 'medium', 'high'. Default: 'none'\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-UserRiskLevel\r\n\tDescription:\tSpecify the Entra ID Protection user risk level. Possible values: 'none', 'low', 'medium', 'high'. Default: 'none'\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-SummarizedOutput\r\n\tDescription:\tBy default, this script returns PowerShell objects representing all applied Conditional Access policies only. 
This can be used for piping to other tools, etc. But sometimes you also want a simple answer of what would happen during the simulated policy evaluation. Specify this parameter to add a summarized and simplified output (outputs to 'Informational' stream with Write-Host).\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-VerbosePolicyEvaluation\r\n\tDescription:\tInclude detailed verbose policy evaluation info. Use for troubleshooting and debugging.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-IncludeNonMatchingPolicies\r\n\tDescription:\tAlso, include all policies that did not match, and therefore were not applied. This can be useful to produce different kinds of Conditional Access reports.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\t# Run basic evaluation with default settings.\r\n\tInvoke-DCConditionalAccessSimulation | Format-List\r\n\t    \r\n\t# Run evaluation with custom settings.\r\n\t$Parameters = @{\r\n\t    UserPrincipalName = 'user@example.com'\r\n\t    ApplicationDisplayName = 'Office 365'\r\n\t    ClientApp = 'mobileAppsAndDesktopClients'\r\n\t    TrustedIPAddress = $true\r\n\t    Country = 'US'\r\n\t    Platform = 'windows'\r\n\t    SignInRiskLevel = 'medium'\r\n\t    UserRiskLevel = 'high'\r\n\t    SummarizedOutput = $true\r\n\t    VerbosePolicyEvaluation = $false\r\n\t    IncludeNonMatchingPolicies = $false\r\n\t}\r\n\tInvoke-DCConditionalAccessSimulation @Parameters\r\n\t    \r\n\t# Run basic evaluation offline against a JSON of Conditional Access policies.\r\n\tInvoke-DCConditionalAccessSimulation -JSONFile 'Conditional Access Backup.json' | Format-List\r\n\r\n---\r\n\r\n### Invoke-DCEntraIDDeviceAuthFlow\r\n\r\n**Synopsis:**\r\n\r\nGet a refresh token (or access token) from Entra ID using device code flow.\r\n\r\n**Details:**\r\n\r\nThis CMDlet will start a device code flow authentication process in Entra ID. Go to the provided URL and enter the code to authenticate. 
The script will wait for the authentication and then return the refresh token, and also copy it to the clipboard.\r\n\r\nA refresh token fetched by this tool can be replayed on another device.\r\n\r\n**Parameters:**\r\n\r\n\t-ShowTokenDetails\r\n\tDescription:\tAdd this parameter if you want to display the token details on successful authentication.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-ReturnAccessTokenInsteadOfRefreshToken\r\n\tDescription:\tReturn an access token instead of a refresh token.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-ClientID\r\n\tDescription:\tOPTIONAL: Specify the client ID for which a refresh token should be requested. Defaults to 'Microsoft Azure PowerShell' (1950a258-227b-4e31-a9cf-717495945fc2). If you set this parameter, you must also specify -TenantID. Note that the app registration in Entra ID must have device code flow enabled under Authentication \u003e Advanced settings.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-TenantID\r\n\tDescription:\tOPTIONAL: Specify your tenant ID. You only need to specify this if you're specifying a ClientID with -ClientID. 
This is because Microsoft needs to know in which tenant a specific app is located.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tInvoke-DCEntraIDDeviceAuthFlow\r\n\t    \r\n\t$RefreshToken = Invoke-DCEntraIDDeviceAuthFlow\r\n\t    \r\n\tInvoke-DCEntraIDDeviceAuthFlow -ShowTokenDetails\r\n\t    \r\n\tInvoke-DCEntraIDDeviceAuthFlow -ClientID '' -TenantID ''\r\n\r\n---\r\n\r\n### Invoke-DCHuntingQuery\r\n\r\n**Synopsis:**\r\n\r\nConnect to Microsoft Graph with the Microsoft Graph PowerShell module and run a KQL hunting query in Microsoft Defender XDR.\r\n\r\n**Details:**\r\n\r\nConnect to Microsoft Graph with the Microsoft Graph PowerShell module and run a KQL hunting query in Microsoft Defender XDR.\r\n\r\n**Parameters:**\r\n\r\n\t-Query\r\n\tDescription:\tThe KQL query you want to run in Microsoft Defender XDR.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-IncludeKQLQueryAtTop\r\n\tDescription:\t\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-IncludeRaw\r\n\tDescription:\tInclude the raw formatted and escaped KQL query sent to Microsoft Graph.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\t$Query = @'\r\n\tDeviceEvents\r\n\t| where ActionType startswith \"Asr\"\r\n\t| summarize count() by ActionType\r\n\t| order by count_\r\n\t'@\r\n\tInvoke-DCHuntingQuery -Query $Query\r\n\t    \r\n\t$Query = @'\r\n\tDeviceEvents\r\n\t| where ActionType startswith \"Asr\"\r\n\t| summarize count() by ActionType\r\n\t| order by count_\r\n\t'@\r\n\tInvoke-DCHuntingQuery -Query $Query -IncludeKQLQueryAtTop\r\n\r\n---\r\n\r\n### Invoke-DCM365DataExfiltration\r\n\r\n**Synopsis:**\r\n\r\nThis script uses an Entra ID app registration to download all files from all M365 groups (Teams) document libraries in a tenant.\r\n\r\n**Details:**\r\n\r\nThis script is a proof of concept and for testing purposes only. Do not use this script in an unethical or unlawful way. 
Don’t be stupid!\r\n\r\nThis script showcases how an attacker can exfiltrate huge amounts of files from a Microsoft 365 tenant, using a poorly protected Entra ID app registration with any of the following Microsoft Graph permissions:\r\n\r\n- Files.Read.All\r\n- Files.ReadWrite.All\r\n- Sites.Read.All\r\n- Sites.ReadWrite.All\r\n\r\nAlso, one of the following permissions is required to enumerate M365 groups and SharePoint document libraries:\r\n\r\n- GroupMember.Read.All\r\n- Group.Read.All\r\n- Directory.Read.All\r\n- Group.ReadWrite.All\r\n- Directory.ReadWrite.All\r\n\r\nThe script will loop through all M365 groups and their SharePoint Online document libraries (used by Microsoft Teams for storing files) and download all files it can find, down to three folder levels. The files will be downloaded to the current directory.\r\n\r\nA list of downloaded files will be copied to the clipboard after completion.\r\n\r\nYou can run the script with -WhatIf to skip the actual downloads. It will still show the output and what would have been downloaded.\r\n\r\n**Parameters:**\r\n\r\n\t-ClientID\r\n\tDescription:\tClient ID for your Entra ID application.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-ClientSecret\r\n\tDescription:\tClient secret for the Entra ID application.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-TenantName\r\n\tDescription:\tThe name of your tenant (example.onmicrosoft.com).\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-WhatIf\r\n\tDescription:\tSkip the actual downloads. 
It will still show the output and what would have been downloaded.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tInvoke-DCM365DataExfiltration -ClientID '8a85d2cf-17c7-4ecd-a4ef-05b9a81a9bba' -ClientSecret 'j[BQNSi29Wj4od92ritl_DHJvl1sG.Y/' -TenantName 'example.onmicrosoft.com'\r\n\t    \r\n\tInvoke-DCM365DataExfiltration -ClientID '8a85d2cf-17c7-4ecd-a4ef-05b9a81a9bba' -ClientSecret 'j[BQNSi29Wj4od92ritl_DHJvl1sG.Y/' -TenantName 'example.onmicrosoft.com' -WhatIf\r\n\r\n---\r\n\r\n### Invoke-DCM365DataWiper\r\n\r\n**Synopsis:**\r\n\r\nThis script uses an Entra ID app registration to wipe all files from all M365 groups (Teams) document libraries in a tenant.\r\n\r\n**Details:**\r\n\r\nThis script is a proof of concept and for testing purposes only. Do not use this script in an unethical or unlawful way. Don’t be stupid!\r\n\r\nThis script showcases how an attacker can wipe huge amounts of files from a Microsoft 365 tenant, using a poorly protected Entra ID app registration with any of the following Microsoft Graph permissions:\r\n\r\n- Files.ReadWrite.All\r\n- Sites.ReadWrite.All\r\n\r\nAlso, one of the following permissions is required to enumerate M365 groups and SharePoint document libraries:\r\n\r\n- GroupMember.Read.All\r\n- Group.Read.All\r\n- Directory.Read.All\r\n- Group.ReadWrite.All\r\n- Directory.ReadWrite.All\r\n\r\nThe script will loop through all M365 groups and their SharePoint Online document libraries (used by Microsoft Teams for storing files) and delete all files it can find, down to three folder levels. The files will be downloaded to the current directory.\r\n\r\nA list of downloaded files will be copied to the clipboard after completion.\r\n\r\nYou can run the script with -WhatIf to skip the actual deletion. 
It will still show the output and what would have been deleted.\r\n\r\n**Parameters:**\r\n\r\n\t-ClientID\r\n\tDescription:\tClient ID for your Entra ID application.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-ClientSecret\r\n\tDescription:\tClient secret for the Entra ID application.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-TenantName\r\n\tDescription:\tThe name of your tenant (example.onmicrosoft.com).\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-WhatIf\r\n\tDescription:\tSkip the actual deletion. It will still show the output and what would have been deleted.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tInvoke-DCM365DataWiper -ClientID '8a85d2cf-17c7-4ecd-a4ef-05b9a81a9bba' -ClientSecret 'j[BQNSi29Wj4od92ritl_DHJvl1sG.Y/' -TenantName 'example.onmicrosoft.com'\r\n\t    \r\n\tInvoke-DCM365DataWiper -ClientID '8a85d2cf-17c7-4ecd-a4ef-05b9a81a9bba' -ClientSecret 'j[BQNSi29Wj4od92ritl_DHJvl1sG.Y/' -TenantName 'example.onmicrosoft.com' -WhatIf\r\n\r\n---\r\n\r\n### Invoke-DCMsGraphQuery\r\n\r\n**Synopsis:**\r\n\r\nRun a Microsoft Graph query.\r\n\r\n**Details:**\r\n\r\nThis CMDlet will run a query against Microsoft Graph and return the result. It will connect using an access token generated by Connect-DCMsGraphAsDelegated or Connect-DCMsGraphAsApplication (depending on what permissions you use in Graph).\r\n\r\nBefore running this CMDlet, you first need to register a new application in your Entra ID according to this article:\r\nhttps://danielchronlund.com/2018/11/19/fetch-data-from-microsoft-graph-with-powershell-paging-support/\r\n\r\n**Parameters:**\r\n\r\n\t-AccessToken\r\n\tDescription:\tAn access token generated by Connect-DCMsGraphAsDelegated or Connect-DCMsGraphAsApplication (depending on what permissions you use in Graph).\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-GraphMethod\r\n\tDescription:\tThe HTTP method for the Graph call, like GET, POST, PUT, PATCH, DELETE. 
Default is GET.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-GraphUri\r\n\tDescription:\tThe Microsoft Graph URI for the query. Example: https://graph.microsoft.com/v1.0/users/\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-GraphBody\r\n\tDescription:\tThe request body of the Graph call. This is often used with methods like POST, PUT and PATCH. It is not used with GET.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tInvoke-DCMsGraphQuery -AccessToken $AccessToken -GraphMethod 'GET' -GraphUri 'https://graph.microsoft.com/v1.0/users/'\r\n\r\n---\r\n\r\n### New-DCConditionalAccessAssignmentReport\r\n\r\n**Synopsis:**\r\n\r\nAutomatically generate an Excel report containing your current Conditional Access assignments.\r\n\r\n**Details:**\r\n\r\nUses Microsoft Graph to fetch all Conditional Access policy assignments, both group- and user assignments (for now, it doesn't support role assignments). It exports them to Excel in a nicely formatted report for your filtering and analysing needs. If you include the -IncludeGroupMembers parameter, members of assigned groups will be included in the report as well (of course, this can produce very large reports if you have included large groups in your policy assignments).\r\n\r\nThe purpose of the report is to give you an overview of how Conditional Access policies are currently applied in an Entra ID tenant, and which users are targeted by which policies.\r\n\r\nThe report does not include information about the policies themselves. Use New-DCConditionalAccessPolicyDesignReport for that task.\r\n\r\nThe CMDlet also uses the PowerShell Excel Module for the export to Excel. You can install this module with:\r\nInstall-Module ImportExcel -Force\r\n\r\nThe report is exported to Excel and will automatically open. In Excel, please do this:\r\n1. Select all cells.\r\n2. Click on \"Wrap Text\".\r\n3. 
Click on \"Top Align\".\r\n\r\nThe report is now easier to read.\r\n\r\nMore information can be found here: https://danielchronlund.com/2020/10/20/export-your-conditional-access-policy-assignments-to-excel/\r\n\r\n**Parameters:**\r\n\r\n\t-IncludeGroupMembers\r\n\tDescription:\tIf you include the -IncludeGroupMembers parameter, members of assigned groups will be included in the report as well (of course, this can produce a very large report if you have included large groups in your policy assignments).\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tNew-DCConditionalAccessAssignmentReport\r\n\t    \r\n\tNew-DCConditionalAccessAssignmentReport -IncludeGroupMembers\r\n\r\n---\r\n\r\n### New-DCConditionalAccessPolicyDesignReport\r\n\r\n**Synopsis:**\r\n\r\nAutomatically generate an Excel report containing your current Conditional Access policy design.\r\n\r\n**Details:**\r\n\r\nUses Microsoft Graph to fetch all Conditional Access policies and exports an Excel report. You can use the report as documentation, design document, or to get a nice overview of all your policies.\r\n\r\nThe CMDlet also uses the PowerShell Excel Module for the export to Excel. You can install this module with:\r\nInstall-Module ImportExcel -Force\r\n\r\nThe report is exported to Excel and will automatically open. In Excel, please do this:\r\n1. Select all cells.\r\n2. Click on \"Wrap Text\".\r\n3. 
Click on \"Top Align\".\r\n\r\nThe report is now easier to read.\r\n\r\nThe user running this CMDlet (the one who signs in when the authentication pops up) must have the appropriate permissions in Entra ID (Global Admin, Security Admin, Conditional Access Admin, etc).\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\t    \r\n\tNew-DCConditionalAccessPolicyDesignReport\r\n\r\n---\r\n\r\n### New-DCEntraIDAppPermissionsReport\r\n\r\n**Synopsis:**\r\n\r\nGenerate a report containing all Entra ID Enterprise Apps and App Registrations with API permissions (application permissions only) in the tenant.\r\n\r\n**Details:**\r\n\r\nUses Microsoft Graph to fetch all Entra ID Enterprise Apps and App Registrations with API permissions (application permissions only) and generate a report. The report includes app names, API permissions, secrets/certificates, and app owners.\r\n\r\nThe purpose is to find vulnerable applications and API permissions in Entra ID.\r\n\r\nApplications marked with 'AppHostedInExternalTenant = False' also have a corresponding App Registration in this tenant. 
This means that App Registration Owners have the same permissions as the application.\r\n\r\n**Parameters:**\r\n\r\n**Examples:**\r\n\r\n\t    \r\n\t# Get all API application permissions assigned to applications in tenant.\r\n\tNew-DCEntraIDAppPermissionsReport\r\n\t    \r\n\t# Look for sensitive permissions.\r\n\t$Result = New-DCEntraIDAppPermissionsReport\r\n\t$Result | where RoleName -in 'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'\r\n\t    \r\n\t# Export report to Excel for further filtering and analysis.\r\n\t$Result = New-DCEntraIDAppPermissionsReport\r\n\t$Path = \"$((Get-Location).Path)\\Entra ID Enterprise Apps Report $(Get-Date -Format 'yyyy-MM-dd').xlsx\"\r\n\t$Result | Export-Excel -Path $Path -WorksheetName \"Enterprise Apps\" -BoldTopRow -FreezeTopRow -AutoFilter -AutoSize -ClearSheet -Show\r\n\r\n---\r\n\r\n### New-DCEntraIDStaleAccountReport\r\n\r\n**Synopsis:**\r\n\r\nAutomatically generate an Excel report containing all stale Entra ID accounts.\r\n\r\n**Details:**\r\n\r\nUses Microsoft Graph to fetch all Entra ID users who have not signed in for a specific number of days, and exports an Excel report. Some users might not have a last sign-in timestamp at all (maybe they didn't sign in or maybe they signed in a very long time ago), but they are still included in the report.\r\n\r\nBefore running this CMDlet, you first need to register a new application in your Entra ID according to this article:\r\nhttps://danielchronlund.com/2018/11/19/fetch-data-from-microsoft-graph-with-powershell-paging-support/\r\n\r\nThe following Microsoft Graph API permissions are required for this script to work:\r\n    Directory.Read.All\r\n    AuditLog.Read.All\r\n\r\nThe CMDlet also uses the PowerShell Excel Module for the export to Excel. 
You can install this module with:\r\nInstall-Module ImportExcel -Force\r\n\r\nAlso, the user running this CMDlet (the one who signs in when the authentication pops up) must have the appropriate permissions in Entra ID (Global Admin, Global Reader, Security Admin, Security Reader, etc).\r\n\r\n**Parameters:**\r\n\r\n\t-ClientID\r\n\tDescription:\tClient ID for the Entra ID application with Microsoft Graph permissions.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-ClientSecret\r\n\tDescription:\tClient secret for the Entra ID application with Microsoft Graph permissions.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-LastSeenDaysAgo\r\n\tDescription:\tSpecify the number of days ago the account was last seen. Note that you can only see as long as your Entra ID sign-in logs reach (30 days by default).\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-OnlyMembers\r\n\tDescription:\tOnly include member accounts (no guest accounts) in the report.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-OnlyGuests\r\n\tDescription:\tOnly include guest accounts (no member accounts) in the report.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-IncludeMemberOf\r\n\tDescription:\tAdd a column with all group/teams memberships.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\t$Parameters = @{\r\n\t    ClientID = ''\r\n\t    ClientSecret = ''\r\n\t    LastSeenDaysAgo = 30\r\n\t}\r\n\tNew-DCEntraIDStaleAccountReport @Parameters\r\n\t    \r\n\t$Parameters = @{\r\n\t    ClientID = ''\r\n\t    ClientSecret = ''\r\n\t    LastSeenDaysAgo = 10\r\n\t    OnlyGuests = $true\r\n\t    IncludeMemberOf = $true\r\n\t}\r\n\tNew-DCEntraIDStaleAccountReport @Parameters\r\n\r\n---\r\n\r\n### Remove-DCConditionalAccessPolicies\r\n\r\n**Synopsis:**\r\n\r\nDelete ALL Conditional Access policies in a tenant.\r\n\r\n**Details:**\r\n\r\nThis script is a proof of concept and for testing purposes only. Do not use this script in an unethical or unlawful way. 
Don’t be stupid!\r\n\r\nThis CMDlet uses Microsoft Graph to automatically delete all Conditional Access policies in a tenant. It was primarily created to clean-up lab tenants, and as an attack PoC.\r\n\r\nThis CMDlet will prompt you for confirmation multiple times before deleting policies.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly delete the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tRemove-DCConditionalAccessPolicies\r\n\t    \r\n\tRemove-DCConditionalAccessPolicies -PrefixFilter 'TEST - '\r\n\r\n---\r\n\r\n### Rename-DCConditionalAccessPolicies\r\n\r\n**Synopsis:**\r\n\r\nRename Conditional Access policies that match a specific prefix.\r\n\r\n**Details:**\r\n\r\nThis command helps you to quickly rename a bunch of Conditional Access policies by searching for a specific prefix.\r\n\r\nIf you don't specify a PrefixFilter, ALL policies will be modified to include the new prefix.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly toggle the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-AddCustomPrefix\r\n\tDescription:\tAdds a custom prefix to all policy names.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tRename-DCConditionalAccessPolicies -PrefixFilter 'PILOT - ' -AddCustomPrefix 'PROD - '\r\n\t    \r\n\tRename-DCConditionalAccessPolicies -PrefixFilter 'GLOBAL - ' -AddCustomPrefix 'REPORT - GLOBAL - '\r\n\t    \r\n\tRename-DCConditionalAccessPolicies -AddCustomPrefix 'OLD - '\r\n\r\n---\r\n\r\n### Set-DCConditionalAccessPoliciesPilotMode\r\n\r\n**Synopsis:**\r\n\r\nToggles Conditional Access policies between 'All users' and a specified pilot group.\r\n\r\n**Details:**\r\n\r\nThis command helps you to quickly toggle your Conditional Access policies between a pilot and production. 
It does this by switching policies targeting a specified pilot group and 'All users'.\r\n\r\nIt is common to use a dedicated Entra ID security group to target specific pilot users during a Conditional Access deployment project. When the pilot is completed you want to move away from that pilot group and target 'All users' in the organization instead (at least with your global baseline).\r\n\r\nYou must filter the toggle with a prefix filter to only modify specific policies. Use a prefix like \"GLOBAL -\" or \"PILOT -\" for easy bulk management. This is a built-in safety measure.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly toggle the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-PilotGroupName\r\n\tDescription:\tThe name of your pilot group in Entra ID (must be a security group for users).\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-EnablePilot\r\n\tDescription:\tModify all specified Conditional Access policies to target your pilot group.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-EnableProduction\r\n\tDescription:\tModify all specified Conditional Access policies to target 'All users'.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tSet-DCConditionalAccessPoliciesPilotMode -PrefixFilter 'GLOBAL - ' -PilotGroupName 'Conditional Access Pilot' -EnablePilot\r\n\t    \r\n\tSet-DCConditionalAccessPoliciesPilotMode -PrefixFilter 'GLOBAL - ' -PilotGroupName 'Conditional Access Pilot' -EnableProduction\r\n\r\n---\r\n\r\n### Set-DCConditionalAccessPoliciesReportOnlyMode\r\n\r\n**Synopsis:**\r\n\r\nToggles Conditional Access policies between 'Report-only' and Enabled.\r\n\r\n**Details:**\r\n\r\nThis command helps you to quickly toggle your Conditional Access policies between Report-only and Enabled.\r\n\r\nIt will skip any policies in Disabled state.\r\n\r\nYou must filter the toggle with a prefix filter to only modify specific policies. 
This is a built-in safety measure.\r\n\r\n**Parameters:**\r\n\r\n\t-PrefixFilter\r\n\tDescription:\tOnly toggle the policies with this prefix. The filter is case sensitive.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-SetToReportOnly\r\n\tDescription:\tModify all specified Conditional Access policies to report-only.\r\n\tRequired:\t\tfalse\r\n\t\r\n\t-SetToEnabled\r\n\tDescription:\tModify all specified Conditional Access policies to Enabled.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tSet-DCConditionalAccessPoliciesReportOnlyMode -PrefixFilter 'GLOBAL - ' -SetToReportOnly\r\n\t    \r\n\tSet-DCConditionalAccessPoliciesReportOnlyMode -PrefixFilter 'GLOBAL - ' -SetToEnabled\r\n\r\n---\r\n\r\n### Start-DCTorHttpProxy\r\n\r\n**Synopsis:**\r\n\r\nStart a Tor network HTTP proxy for anonymous HTTP calls via PowerShell.\r\n\r\n**Details:**\r\n\r\nStart a Tor network HTTP proxy that can be used for anonymization of HTTP traffic in PowerShell. Requires proxy support in the PowerShell CMDlet you want to anonymise. Many of the tools included in DCToolbox support this.\r\n\r\nStart the proxy:\r\nStart-DCTorHttpProxy\r\n\r\nThe proxy will launch in a new PowerShell window that you can minimize.\r\n\r\nYou can test it out (and find your current Tor IP address and location) with:\r\nGet-DCPublicIp -UseTorHttpProxy\r\n\r\nFor other CMDlets, use the following proxy configuration:\r\n127.0.0.1:9150\r\n\r\nNote: This CMDlet expects the Tor browser to be installed under C:\\Temp\\Tor Browser. You can change the path with -TorBrowserPath.\r\n\r\nDownload Tor browser:\r\nhttps://www.torproject.org/download/\r\n\r\n**Parameters:**\r\n\r\n\t-TorBrowserPath\r\n\tDescription:\tThe path to the Tor browser directory. 
Default is 'C:\\Temp\\Tor Browser'.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tStart-DCTorHttpProxy\r\n\r\n---\r\n\r\n### Test-DCEntraIDCommonAdmins\r\n\r\n**Synopsis:**\r\n\r\nTest if common and easily guessed admin usernames exist for specified Entra ID domains.\r\n\r\n**Details:**\r\n\r\nUses Test-DCEntraIDUserExistence to test if common and weak admin account names exist in specified Entra ID domains. It uses publicly available Microsoft endpoints to query for this information. Run help Test-DCEntraIDUserExistence for more info.\r\n\r\nDo not use this script in an unethical or unlawful way. Use it to find weak spots in your Entra ID configuration.\r\n\r\n**Parameters:**\r\n\r\n\t-Domains\r\n\tDescription:\tAn array of one or more domains to test.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-UseTorHttpProxy\r\n\tDescription:\tUse a running Tor network HTTP proxy that was started by Start-DCTorHttpProxy.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tTest-DCEntraIDCommonAdmins -UseTorHttpProxy -Domains \"example.com\", \"example2.onmicrosoft.com\"\r\n\r\n---\r\n\r\n### Test-DCEntraIDUserExistence\r\n\r\n**Synopsis:**\r\n\r\nTest if an account exists in Entra ID for specified email addresses.\r\n\r\n**Details:**\r\n\r\nThis CMDlet will connect to public endpoints in Entra ID to find out if an account exists for specified email addresses or not. This script works without any authentication to Entra ID. This is called user enumeration in cyber security.\r\n\r\nThe script can't see accounts for federated domains (since they are on-prem accounts) but it will tell you what organisation the federated domain belongs to.\r\n\r\nDo not use this script in an unethical or unlawful way. 
Use it to find weak spots in your Entra ID configuration.\r\n\r\n**Parameters:**\r\n\r\n\t-Users\r\n\tDescription:\tAn array of one or more user email addresses to test.\r\n\tRequired:\t\ttrue\r\n\t\r\n\t-UseTorHttpProxy\r\n\tDescription:\tUse a running Tor network HTTP proxy that was started by Start-DCTorHttpProxy.\r\n\tRequired:\t\tfalse\r\n\t\r\n**Examples:**\r\n\r\n\t    \r\n\tTest-DCEntraIDUserExistence -UseTorHttpProxy -Users \"user1@example.com\", \"user2@example.com\", \"user3@example.onmicrosoft.com\"\r\n\r\n---\r\n\r\n\r\nPlease follow me on my blog https://danielchronlund.com and on LinkedIn!\r\n\r\n@DanielChronlund\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDanielChronlund%2FDCToolbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDanielChronlund%2FDCToolbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDanielChronlund%2FDCToolbox/lists"}