An open API service indexing awesome lists of open source software.

https://github.com/Noble-Effeciency13/M365IdentityPosture

PowerShell security reporting framework for Microsoft 365 identity posture assessment. Analyzes Authentication Context, PIM, Conditional Access & more.
https://github.com/Noble-Effeciency13/M365IdentityPosture

authentication-context azure-ad compliance-reporting conditional-access entra-id identity-governance microsoft-365 microsoft-graph pim powershell powershell-module purview security-assessment security-reporting zero-trust

Last synced: 1 day ago
JSON representation

PowerShell security reporting framework for Microsoft 365 identity posture assessment. Analyzes Authentication Context, PIM, Conditional Access & more.

Awesome Lists containing this project

README

          

# M365IdentityPosture Module

A comprehensive PowerShell module for security posture assessment and identity governance reporting across Microsoft 365, Azure, and hybrid environments.

![PowerShell](https://img.shields.io/badge/PowerShell-7.0%2B-blue.svg)
[![PSGallery Version](https://img.shields.io/powershellgallery/v/M365IdentityPosture)](https://www.powershellgallery.com/packages/M365IdentityPosture/1.1.0)
[![PSGallery Downloads](https://img.shields.io/powershellgallery/dt/M365IdentityPosture)](https://www.powershellgallery.com/packages/M365IdentityPosture/1.1.0)
![License](https://img.shields.io/badge/License-MIT-yellow.svg)

## 📑 Table of Contents

- [Overview](#-overview)
- [What's Included](#-whats-included)
- [Prerequisites](#-prerequisites)
- [Installation](#-installation)
- [Reports](#-reports)
- [Authentication Context Inventory](#-authentication-context-inventory)
- [Access Package Documentor](#-access-package-documentor)
- [Common Features](#-common-features)
- [Use Cases](#-use-cases)
- [Module Architecture](#️-module-architecture)
- [Troubleshooting](#-troubleshooting)
- [Roadmap](#-roadmap--future-reports)
- [Contributing](#-contributing)
- [Author & Contributors](#-author---contributors)
- [Changelog](#-changelog)
- [Support](#-support)

## 🎯 Overview

M365IdentityPosture is an extensible PowerShell framework for security posture assessment and identity governance reporting across Microsoft 365, Azure AD/Entra ID, and hybrid environments. Built with a modular architecture, the framework provides specialized reports for different identity and access management scenarios, with each report generating interactive HTML output featuring runtime theme switching and comprehensive data visualization.

## 🎁 What's Included

The module currently includes two comprehensive reports:

- **🔐 Authentication Context Inventory**: Maps authentication context requirements and enforcement across Microsoft 365 services including Purview, Conditional Access, PIM, SharePoint, and Teams. Identifies security gaps and configuration issues.

- **📦 Access Package Documentor**: Interactive graph-based visualization and documentation of Entitlement Management. Features Cytoscape.js graph visualization with filtering, search, zoom/pan controls, and multi-format export (PNG, Markdown, JSON). *Co-developed with Christian Frohn*.

Both reports generate interactive HTML with runtime theme switching (Classic/Light and Dark) and are designed for security auditors, compliance teams, and identity governance professionals.

## 📋 Prerequisites

### System Requirements

- **PowerShell**: Version 7.0 or higher (PowerShell Core)
- **Operating System**: Windows 10/11, Windows Server 2019+, macOS, Linux

### Module Dependencies

This module **dynamically loads and unloads** its dependencies as needed for each reporting phase. You do **not** need to import all modules up front. The following modules are required and will be loaded automatically when needed:

```powershell
# Authentication Context Inventory dependencies
Microsoft.Graph.Authentication
Microsoft.Graph.Groups
ExchangeOnlineManagement
Microsoft.Online.SharePoint.PowerShell

# Access Package Documentor dependencies
Microsoft.Graph.Authentication
Microsoft.Graph.Identity.Governance

# Azure modules (only if Azure PIM reporting is enabled in AuthContext)
Az.Accounts
Az.Resources
```

**Note:** The module handles loading and unloading as needed. If a required module is missing, you will be prompted to install it, or the report will skip that phase.

### Required Permissions

Minimum permissions needed vary by report:

#### Authentication Context Inventory Report
**Microsoft Graph API:**
- `Directory.Read.All`
- `Group.Read.All`
- `Policy.Read.All`
- `Policy.Read.ConditionalAccess`
- `AuthenticationContext.Read.All`
- `RoleManagement.Read.Directory`
- `PrivilegedAccess.Read.AzureADGroup`
- `InformationProtectionPolicy.Read.All`

**Service-Specific Roles:**
- **Exchange Online**: View-Only Organization Management
- **SharePoint Online**: SharePoint Administrator or Global Reader
- **Azure**: Reader role on subscriptions (for Azure PIM enumeration)

#### Access Package Documentor Report
**Microsoft Graph API:**
- `EntitlementManagement.Read.All`
- `Directory.Read.All` (for resolving directory objects)

## 📦 Installation

### Option 1: From PowerShell Gallery (Recommended)

```powershell
# Install from PSGallery
Install-Module -Name M365IdentityPosture -Scope CurrentUser

# Or install for all users (requires admin)
Install-Module -Name M365IdentityPosture -Scope AllUsers
```

### Option 2: Manual Installation

1. **Clone or download this repository**

```powershell
git clone https://github.com/Noble-Effeciency13/M365IdentityPosture.git
```

2. **Copy to PowerShell modules directory**

```powershell
# Check available module paths
$env:PSModulePath -split ';'

# Copy to user module path (recommended)
$modulePath = "$HOME\Documents\PowerShell\Modules\M365IdentityPosture"
Copy-Item -Path ".\M365IdentityPosture\*" -Destination $modulePath -Recurse -Force
```

3. **Import the module**

```powershell
Import-Module M365IdentityPosture
```

## 📊 Reports

### 🔐 Authentication Context Inventory

**Purpose**: Comprehensive discovery and analysis of authentication context enforcement across Microsoft 365 services, providing visibility into where and how authentication requirements are applied throughout your tenant.

**When to Use**:
- Security posture assessments and Zero Trust maturity evaluation
- Compliance audits requiring authentication requirements documentation
- Gap analysis of authentication context enforcement
- Pre/post implementation validation of authentication policies

**Quick Start**:

```powershell
# Import the module
Import-Module M365IdentityPosture

# Basic usage - discovers all authentication contexts across services
Invoke-AuthContextInventoryReport

# Exclude Azure PIM enumeration for faster execution
Invoke-AuthContextInventoryReport -ExcludeAzure

# Custom output path with quiet mode
Invoke-AuthContextInventoryReport `
-TenantName "contoso" `
-OutputPath "C:\Reports\AuthContext" `
-Quiet `
-NoAutoOpen
```

**Key Capabilities**:
- **Purview Sensitivity Labels**: Discovers labels with embedded authentication context requirements and tracks label inheritance
- **Conditional Access Policies**: Maps policies referencing authentication contexts with target users, groups, and applications
- **Privileged Identity Management (PIM)**: Analyzes directory role policies, group-based PIM, and Azure resource PIM policies (optional)
- **SharePoint Online**: Identifies direct authentication context assignments and inherited contexts through labels
- **Microsoft 365 Groups & Teams**: Tracks label inheritance and context enforcement across teams and channels
- **Protected Actions**: Maps RBAC resource actions requiring authentication contexts
- **Cross-Service Correlation**: Identifies relationships and dependencies between services
- **Gap Identification**: Highlights unused or misconfigured authentication contexts

**Parameters**: For complete parameter documentation and advanced examples, run:
```powershell
Get-Help Invoke-AuthContextInventoryReport -Full
```

---

### 📦 Access Package Documentor

**Purpose**: Interactive graph-based visualization and comprehensive documentation of Entitlement Management configurations, providing clear visibility into access package structures, policies, workflows, and resource assignments.

**When to Use**:
- Access review preparation and delegation audits
- Onboarding/offboarding process documentation
- Entitlement management optimization and cleanup
- Compliance reporting for access governance

**Quick Start**:

```powershell
# Import the module
Import-Module M365IdentityPosture

# Basic usage - documents all access packages and catalogs
Invoke-AccessPackageDocumentor -OutputPath "C:\Reports\AccessPackages"

# Use dark theme
Invoke-AccessPackageDocumentor `
-OutputPath "C:\Reports" `
-Theme Dark

# Quiet mode without auto-opening the report
Invoke-AccessPackageDocumentor `
-OutputPath "C:\Reports" `
-Quiet `
-NoAutoOpen
```

**Key Capabilities**:
- **Access Package Structure**: Complete inventory of access packages, catalogs, and assignment policies
- **Resource Assignments**: Maps resource role scopes including groups applications, SharePoint sites, and Teams
- **Approval Workflows**: Documents multi-stage approval processes with approvers and escalation settings
- **Policy Configurations**: Captures expiration settings, access reviews, requestor questions, and custom extensions
- **Verified ID Integration**: Shows Verified ID requirements in policies when configured
- **Interactive Cytoscape.js Graph**:
- Zoom, pan, and drag-to-explore visualizations
- Filter by catalog, access package, policy, or resource type
- Full-text search across all node labels
- Click nodes to view detailed information in side panel
- Layout optimization for different graph sizes
- **Multi-Format Export**:
- **PNG/JPEG**: High-resolution graph screenshots
- **Markdown**: Hierarchical documentation with all details
- **JSON**: Structured data for external processing or integration

**Parameters**: For complete parameter documentation and advanced examples, run:
```powershell
Get-Help Invoke-AccessPackageDocumentor -Full
```

*This report was co-developed with [Christian Frohn](https://github.com/ChrFrohn).*

---

## ✨ Common Features

All reports in the M365IdentityPosture module share these capabilities:

### Runtime Theme Switching
Both reports generate HTML with two built-in themes:
- **Classic (Light)**: Default professional appearance with high contrast
- **Dark**: Reduced eye strain for extended viewing sessions

Reports include a theme toggle button for instant switching without regenerating the report.

### Dynamic Module Loading
The module automatically loads required PowerShell modules on-demand for each phase and unloads them afterward to free memory. No need to pre-import dependencies.

### Comprehensive Logging
Detailed execution logs are automatically generated in your temp directory with timestamps:
- **Windows**: `%TEMP%\M365IdentityPosture_YYYYMMDD_HHMMSS.log`
- **Linux/macOS**: `/tmp/M365IdentityPosture_YYYYMMDD_HHMMSS.log`

### Read-Only Operations
All reports perform read-only operations with no tenant modifications, making them safe to run in production environments.

### Progress Reporting
Visual progress indicators and status messages keep you informed during long-running operations across multiple services.

## 💡 Use Cases

The M365IdentityPosture module addresses key identity and access management scenarios:

- **Security Posture Assessment**: Quarterly evaluations and Zero Trust maturity benchmarking
- **Compliance Auditing**: Authentication requirements documentation and regulatory validation
- **Access Governance**: Access review preparation and entitlement management optimization
- **Identity Lifecycle Management**: Onboarding/offboarding process documentation and validation
- **Gap Analysis**: Identify security gaps, misconfigurations, and unused resources
- **Migration Planning**: Zero Trust readiness assessment and authentication modernization
- **Audit Evidence**: Generate compliance documentation and security control effectiveness reports

Both reports complement each other: use **Authentication Context Inventory** for security policy enforcement analysis, and **Access Package Documentor** for access governance and delegation workflows.

## 🏗️ Module Architecture

M365IdentityPosture/
├── M365IdentityPosture.psd1 # Module manifest
├── M365IdentityPosture.psm1 # Root module with banner
├── Public/ # Exported functions
│ ├── Invoke-AuthContextInventoryReport.ps1
│ └── Invoke-AccessPackageDocumentor.ps1
├── Private/ # Internal functions (organized by domain)
│ ├── AuthContext/ # Authentication context specific
│ ├── Authentication/ # Service connections
│ ├── DataCollection/ # Cross-service data retrieval
│ ├── DataProcessing/ # Data transformation
│ ├── Orchestration/ # Workflow coordination
│ ├── ReportGeneration/ # HTML/Export generation
│ └── Utilities/ # Shared helpers
└── Tests/ # Pester tests and validation

## 🔍 Troubleshooting

### Common Issues and Solutions

#### PowerShell Version Issues
- Privileged role usage patterns
- Role activation history
- Standing vs eligible assignments
- Separation of duties analysis
- Role mining recommendations

### Policy Analytics
- **Conditional Access Gap Analysis**
- Uncovered users and applications
- Policy overlap and conflicts
- MFA and device compliance gaps
- Sign-in risk coverage
- Location-based access patterns

### Identity Protection
- **Identity Security Dashboard**
- Security defaults assessment
- Identity Protection policy effectiveness
- Risky user and sign-in analytics
- Password health metrics
- Authentication method analysis

### Future Considerations
- Hybrid identity synchronization health
- Cross-cloud security posture (AWS/GCP integration)
- Automated remediation recommendations
- Integration with Microsoft Secure Score
- Custom compliance framework mapping
- Maester integration

## 🔍 Troubleshooting

### Common Issues and Solutions

#### PowerShell Version Issues

```powershell
# Check your PowerShell version
$PSVersionTable.PSVersion

# If version < 7.0, install PowerShell 7+
# Windows
winget install Microsoft.PowerShell

# macOS
brew install --cask powershell

# Linux
# See: https://docs.microsoft.com/powershell/scripting/install/installing-powershell-on-linux
```

#### Module Import Failures

```powershell
# Verify module is in correct path
Get-Module -ListAvailable M365IdentityPosture

# Check for missing dependencies
Test-ModuleManifest -Path ".\M365IdentityPosture\M365IdentityPosture.psd1"

# Force reload if cached
Remove-Module M365IdentityPosture -Force -ErrorAction SilentlyContinue
Import-Module M365IdentityPosture -Force
```

#### Authentication Issues

```powershell
# Clear existing Graph context
Disconnect-MgGraph

# Re-authenticate with required scopes
Connect-MgGraph -Scopes @(
"Directory.Read.All",
"Policy.Read.All",
"Group.Read.All",
"Policy.Read.ConditionalAccess",
"AuthenticationContext.Read.All",
"RoleManagement.Read.Directory",
"PrivilegedAccess.Read.AzureADGroup",
"InformationProtectionPolicy.Read.All"
)

# Verify connected account
Get-MgContext
```

### Logging and Debugging

Detailed logs are automatically generated:

```powershell
# Default log location
# Windows: %TEMP%\M365IdentityPosture_YYYYMMDD_HHMMSS.log
# Linux/macOS: /tmp/M365IdentityPosture_YYYYMMDD_HHMMSS.log

# View current session log
Get-Content "$env:TEMP\M365IdentityPosture_*.log" | Select-Object -Last 100

# Enable verbose output for debugging
Invoke-AuthContextInventoryReport -TenantName "contoso" -Verbose

# Enable debug output for maximum detail
$DebugPreference = 'Continue'
Invoke-AuthContextInventoryReport -TenantName "contoso"
```

## 🚀 Roadmap & Future Reports

The M365IdentityPosture module continues to expand with additional identity and access management reports:

### Planned Reports

- **Role Assignment Auditing**
- Privileged role usage patterns and activation history
- Standing vs eligible assignments analysis
- Separation of duties validation
- Role mining and optimization recommendations

- **Conditional Access Gap Analysis**
- Uncovered users and applications identification
- Policy overlap and conflict detection
- MFA and device compliance gap analysis
- Sign-in risk coverage evaluation
- Location-based access pattern analysis

- **Identity Protection Dashboard**
- Security defaults effectiveness assessment
- Identity Protection policy analysis
- Risky user and sign-in analytics
- Password health metrics
- Authentication method distribution

### Future Considerations

- Hybrid identity synchronization health monitoring
- Cross-cloud security posture (AWS/GCP integration)
- Automated remediation recommendations
- Microsoft Secure Score integration
- Custom compliance framework mapping
- Maester test framework integration

**Timeline**: Development priorities are determined by community feedback and organizational needs. Contributions are welcome! See the [Contributing](#-contributing) section for guidelines.

## 🤝 Contributing

We welcome contributions! Please follow these guidelines:

### Contributing New Reports

When adding a new security or identity report:

1. **Follow the established pattern**:
- Public function: `Invoke-