Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionauditing-azure-active-directory-configurationExecute the skills CLI command in your project's root directory to begin installation:
Fetches auditing-azure-active-directory-configuration from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate auditing-azure-active-directory-configuration. Access via /auditing-azure-active-directory-configuration in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | auditing-azure-active-directory-configuration |
| description | 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - azure - entra-id - active-directory - iam-audit - conditional-access |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for on-premises Active Directory auditing (use PingCastle or BloodHound AD), for Azure resource-level RBAC auditing without identity context, or for real-time threat detection (use Microsoft Defender for Identity).
Install-Module Microsoft.Graph)az login --tenant TENANT_ID)Assess the tenant's baseline identity security settings including security defaults and legacy authentication status.
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Directory.Read.All","Policy.Read.All","AuditLog.Read.All"
# Get tenant details
Get-MgOrganization | Select-Object DisplayName, Id, VerifiedDomains
# Check if Security Defaults are enabled
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled
# List authentication methods policies
Get-MgPolicyAuthenticationMethodPolicy | ConvertTo-Json -Depth 5
# Check legacy authentication status via Conditional Access
Get-MgIdentityConditionalAccessPolicy | Where-Object {
$_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -or
$_.Conditions.ClientAppTypes -contains "other"
} | Select-Object DisplayName, State
Review directory role assignments to identify over-privileged users, permanent admin accounts, and risky role configurations.
# List all Global Administrator assignments
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/directoryRoles/filterByIds" \
--body '{"ids":["62e90394-69f5-4237-9190-012177145e10"]}' | \
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/directoryRoles?filter=displayName eq 'Global Administrator'" \
--query "value[0].id" -o tsv
# List all privileged role assignments using Graph API
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$expand=principal" \
--query "value[*].{Role:roleDefinitionId, Principal:principal.displayName, PrincipalType:[email protected]}" \
-o table
# Check for users with multiple admin roles
az ad user list --query "[].{UPN:userPrincipalName, DisplayName:displayName}" -o table
# List service principals with admin role assignments
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalOrganizationId eq 'TENANT_ID'" \
-o json
Audit conditional access policies for coverage gaps, particularly around MFA enforcement, device compliance, and location-based restrictions.
# List all Conditional Access policies
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, @{
N='GrantControls'; E={$_.GrantControls.BuiltInControls -join ', '}
} | Format-Table -AutoSize
# Identify policies in report-only mode (not enforced)
Get-MgIdentityConditionalAccessPolicy | Where-Object {$_.State -eq "enabledForReportingButNotEnforced"} |
Select-Object DisplayName
# Check MFA enforcement coverage
Get-MgIdentityConditionalAccessPolicy | Where-Object {
$_.GrantControls.BuiltInControls -contains "mfa"
} | Select-Object DisplayName, State, @{
N='Users'; E={$_.Conditions.Users.IncludeUsers -join ', '}
}
# Find policies that exclude groups (potential bypass)
Get-MgIdentityConditionalAccessPolicy | Where-Object {
$_.Conditions.Users.ExcludeGroups.Count -gt 0
} | Select-Object DisplayName, @{
N='ExcludedGroups'; E={$_.Conditions.Users.ExcludeGroups -join ', '}
}
Find accounts that have not signed in recently, disabled accounts with active role assignments, and risky guest user configurations.
# Find users who haven't signed in for 90+ days
az ad user list --query "[?signInActivity.lastSignInDateTime < '2025-11-25T00:00:00Z'].{UPN:userPrincipalName, LastSignIn:signInActivity.lastSignInDateTime, Enabled:accountEnabled}" -o table
# List all guest users
az ad user list --filter "userType eq 'Guest'" \
--query "[].{UPN:userPrincipalName, DisplayName:displayName, CreatedDate:createdDateTime}" \
-o table
# Find guest users with privileged roles
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$expand=principal" \
--query "value[?principal.userType=='Guest'].{Role:roleDefinitionId,Guest:principal.userPrincipalName}" \
-o table
# Check for accounts with disabled MFA
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails" \
--query "value[?!isMfaRegistered].{UPN:userPrincipalName,MfaRegistered:isMfaRegistered}" \
-o table
Review sign-in logs to identify anomalous authentication patterns, failed MFA challenges, and risky sign-in detections.
# Get risky sign-ins from last 7 days
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=riskLevelDuringSignIn ne 'none' and createdDateTime ge 2026-02-16T00:00:00Z" \
--query "value[*].{User:userPrincipalName,Risk:riskLevelDuringSignIn,IP:ipAddress,App:appDisplayName,Status:status.errorCode}" \
-o table
# Get sign-ins from unfamiliar locations
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=riskEventTypes_v2/any(r:r eq 'unfamiliarFeatures')" \
--query "value[*].{User:userPrincipalName,Location:location.city,IP:ipAddress}" \
-o table
# Check for legacy authentication sign-ins
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'" \
--query "value[*].{User:userPrincipalName,ClientApp:clientAppUsed,Status:status.errorCode}" \
-o table
Execute ScoutSuite for comprehensive automated checks across the Azure tenant configuration.
# Run ScoutSuite against Azure
python3 -m ScoutSuite azure --cli \
--report-dir ./scoutsuite-azure-report \
--all-subscriptions
# Review the generated HTML report
open ./scoutsuite-azure-report/azure-report.html
| Term | Definition |
|---|---|
| Microsoft Entra ID | Microsoft's cloud identity and access management service, formerly Azure Active Directory, providing authentication and authorization |
| Conditional Access | Policy engine that evaluates signals (user, device, location, risk) to enforce access controls like MFA, device compliance, or block access |
| Security Defaults | Microsoft's baseline identity protection settings that enforce MFA registration, block legacy auth, and protect privileged actions |
| Privileged Identity Management | Azure AD Premium P2 feature enabling just-in-time privileged access with approval workflows and time-bound role activation |
| Legacy Authentication | Older authentication protocols (POP3, IMAP, SMTP, ActiveSync) that do not support MFA and are commonly exploited for credential attacks |
| Risky Sign-In | Microsoft Entra Identity Protection detection of sign-in anomalies including impossible travel, unfamiliar locations, and malware-linked IPs |
Context: After acquiring a company, the security team needs to assess the Azure tenant identity posture before integrating it with the corporate Entra ID.
Approach:
Pitfalls: Azure AD Premium P2 is required for risky sign-in detections and PIM. If the acquired tenant uses a lower license tier, many identity protection features will be unavailable. Guest users from partner tenants may have implicit access through dynamic groups that are not visible in standard role assignment queries.
Azure Active Directory Security Audit Report
===============================================
Tenant: acme-acquired.onmicrosoft.com
Tenant ID: a1b2c3d4-e5f6-7890-abcd-ef1234567890
Audit Date: 2026-02-23
License: Azure AD Premium P2
IDENTITY CONFIGURATION:
Security Defaults: Disabled (Conditional Access in use)
Conditional Access Policies: 12 (8 enforced, 3 report-only, 1 disabled)
Legacy Auth Blocked: Partial (blocked for admins only)
PRIVILEGED ACCESS:
Global Administrators: 8 (recommended: <= 4)
Permanent admin assignments: 6 (no PIM activation required)
Service principals with admin: 3
Guest users with privileged roles: 2
ACCOUNT HYGIENE:
Total users: 1,247
Stale accounts (90+ days): 89
Guest users: 234
Users without MFA registered: 156
SIGN-IN RISK:
Risky sign-ins (last 30 days): 34
Legacy auth sign-ins (last 7 days): 67
Impossible travel detections: 5
Unfamiliar location sign-ins: 12
CRITICAL FINDINGS:
1. 8 Global Administrators with permanent assignments (use PIM)
2. Legacy authentication not blocked for non-admin users
3. 156 users without MFA registration
4. 2 guest users with Privileged Role Administrator role
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
I recommend auditing-azure-active-directory-configuration for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
auditing-azure-active-directory-configuration fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: auditing-azure-active-directory-configuration is focused, and the summary matches what you get after install.
auditing-azure-active-directory-configuration has been reliable in day-to-day use. Documentation quality is above average for community skills.
auditing-azure-active-directory-configuration is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Keeps context tight: auditing-azure-active-directory-configuration is the kind of skill you can hand to a new teammate without a long onboarding doc.
Keeps context tight: auditing-azure-active-directory-configuration is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in auditing-azure-active-directory-configuration — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added auditing-azure-active-directory-configuration from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Registry listing for auditing-azure-active-directory-configuration matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 42