home.social

#tenant_security — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #tenant_security, aggregated by home.social.

  1. ----------------

    🛠️ Tool
    ===================

    Executive summary:
    The Zero Trust Assessment is a Microsoft PowerShell module designed to evaluate tenant configuration against Zero Trust principles and produce a local HTML report. The module performs read-only checks via Microsoft Graph and, optionally, Azure sign-in/audit log verification, and requests administrator consent on the initial connection.

    Technical details:
    • The module operates by authenticating to Microsoft Graph to enumerate tenant configuration and security-related settings. When available, it also connects to Microsoft Azure to verify export of audit and sign-in logs.
    • The assessment is explicitly read-only and stores results locally in an output folder that contains a ZeroTrustAssessmentReport.html file and associated artifacts.
    • Initial authentication requires Global Administrator consent to grant a set of Graph permissions. Subsequent assessments can run under Global Reader where applicable.

    Permissions observed:

    AuditLog.Read.All
    CrossTenantInformation.ReadBasic.All
    DeviceManagementApps.Read.All
    DeviceManagementConfiguration.Read.All
    Directory.Read.All
    DirectoryRecommendations.Read.All
    Policy.Read.All
    Policy.Read.ConditionalAccess
    Reports.Read.All
    RoleManagement.Read.All
    UserAuthenticationMethod.Read.All
    PrivilegedAccess.Read.AzureAD

    How it works (conceptual):
    • The module queries tenant objects, policy configuration, device management settings, role and entitlement data, and authentication methods via Graph endpoints.
    • If Azure sign-in is provided, additional checks validate whether audit/sign-in logs are being exported and accessible for monitoring and retention checks.

    Use cases:
    • Internal security reviews to benchmark tenant configuration against Zero Trust recommendations.
    • Regular health checks before audits or compliance assessments.
    • Pre-engagement diagnostic for third‑party security assessments (with caution about sharing results).

    Limitations and considerations:
    • The tool requires elevated consent on the first run; organizations must review requested Graph permissions before consenting.
    • The assessment may skip Azure‑dependent checks when Azure access is not provided, producing partial results.
    • Large tenants can experience runs exceeding 24 hours; the report and export folder contain sensitive tenant metadata and should be handled securely.

    References & notes:
    • The module name and approach indicate an endpoint‑driven audit using Graph APIs with local result storage. Additions such as custom report paths are supported conceptually.

    🔹 tool #ZeroTrust #MicrosoftGraph #AzureAD #tenant_security

    🔗 Source: learn.microsoft.com/en-us/secu
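The post says the assessment is read-only and that the Graph permissions should be reviewed before consenting. Below is an added example (not code from the post or from the Zero Trust Assessment module) that verifies, after connecting with the Microsoft Graph PowerShell SDK, that the session holds exactly the read-only scopes listed above and flags anything write-capable. It assumes the Microsoft.Graph.Authentication module is installed; Connect-MgGraph and Get-MgContext are that SDK's cmdlets, and the Test-AssessmentScopes function and its output fields are this example's own names.

```powershell
# Added example, not part of the post or of the Zero Trust Assessment module.
# Assumes the Microsoft.Graph.Authentication SDK module is installed.
Import-Module Microsoft.Graph.Authentication

# The scope list quoted in the post; keep it in sync with the module's documented requirements.
$RequiredScopes = @(
    'AuditLog.Read.All'
    'CrossTenantInformation.ReadBasic.All'
    'DeviceManagementApps.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Directory.Read.All'
    'DirectoryRecommendations.Read.All'
    'Policy.Read.All'
    'Policy.Read.ConditionalAccess'
    'Reports.Read.All'
    'RoleManagement.Read.All'
    'UserAuthenticationMethod.Read.All'
    'PrivilegedAccess.Read.AzureAD'
)

function Test-AssessmentScopes {
    # Compares the scopes held by the current Graph session with the required list
    # and flags any scope that is not read-only. Hypothetical helper for this example.
    param(
        [string[]]$Required = $RequiredScopes,
        [string[]]$Granted            # defaults to the live session's scopes
    )
    if (-not $PSBoundParameters.ContainsKey('Granted')) {
        $ctx = Get-MgContext
        if ($null -eq $ctx) {
            throw 'No Graph session. Run: Connect-MgGraph -Scopes $RequiredScopes'
        }
        $Granted = @($ctx.Scopes)
    }
    $missing = @($Required | Where-Object { $_ -notin $Granted })
    # A read-only assessment should never be consented with write-capable scopes,
    # so anything containing "Write" (e.g. *.ReadWrite.All) is reported for review.
    $writeCapable = @($Granted | Where-Object { $_ -match 'Write' })
    [pscustomobject]@{
        Ready        = ($missing.Count -eq 0 -and $writeCapable.Count -eq 0)
        Missing      = $missing
        WriteCapable = $writeCapable
        Extra        = @($Granted | Where-Object { $_ -notin $Required })
    }
}

# Usage: request exactly the read-only set, then verify before running the assessment.
# Connect-MgGraph -Scopes $RequiredScopes
# Test-AssessmentScopes | Format-List
```

Running the check against the session (or against a saved scope list via -Granted) before the first assessment shows which consents are still missing and whether any broader-than-needed scope crept in.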