I would like to share a recipe from my "Script Kitchen" whose ingredients I'm still putting together. The question I asked myself: do you really need to protect your Entra ID tenant(s)? My answer: see below ;)
Entra ID stores a variety of settings and policies that are important to the continuity of your business. Anything that compromises your Entra ID configuration can result in an immediate loss of access to data and applications. So how about exporting the information to another location so it can be analyzed and imported or reconfigured if something bad happens? And how about adding retention to the exported data?
Microsoft provides some built-in retention mechanisms (Recycle Bin), but these mechanisms are not enough to meet the needs of most organizations. The Recycle Bin stores deleted objects such as users and groups for 30 days. Some limitations I see with it:
- After 30 days the deleted objects are permanently deleted and cannot be recovered
- It does not cover all objects (e.g. Security Groups)
- There is no versioning mechanism
This is where my script comes into play. Most of the data is exported using the EntraExporter tool. The exported data should be kept in a protected storage location. This also allows access to the information should access to the original data no longer be possible. It is also recommended to back up the exported data to another location (remember 3-2-1). Since the data is in JSON format, all sorts of actions or analyses can be performed. The following basic queries are already implemented in my script to show what's possible besides storing the exported data:
- Show exported users
- Show exported groups & group members (group must be selected)
- Show exported security groups & group members
- Display of exported application information
- Show exported roles & role members (role must be selected)
For these basic functions the query can be executed on an older export as well (remember retention?). However, the exported data can also be used to perform advanced queries:
- CompareUserCount: Shows the number of exported user accounts and displays any differences to the latest export.
- CompareSpecificUser: Compares for a specific user the data from the most recent export against the export specified by the user and shows any differences.
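The two advanced queries above, as an added PowerShell example that is not the author's script (which is not published yet): it assumes each snapshot is a folder written by EntraExporter's Export-Entra cmdlet with one Graph user object per JSON file below a Users subfolder; folder paths and the layout are assumptions, so adjust them to your export.

```powershell
# Compare two EntraExporter snapshots to reproduce CompareUserCount and CompareSpecificUser.
# Assumed layout: <snapshot>\Users\**\*.json, one Microsoft Graph user object per file.
param(
    [Parameter(Mandatory)] [string] $OldExport,     # e.g. D:\EntraBackup\2024-09-01 (assumed path)
    [Parameter(Mandatory)] [string] $LatestExport,  # e.g. D:\EntraBackup\2024-09-15 (assumed path)
    [string] $UserPrincipalName                     # optional: drill into one account
)

function Get-ExportedUsers([string] $Root) {
    # Read every user JSON below the Users folder, keyed by object id
    $users = @{}
    Get-ChildItem -Path (Join-Path $Root 'Users') -Filter *.json -Recurse -File |
        ForEach-Object {
            $u = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            if ($u.id) { $users[$u.id] = $u }
        }
    return $users
}

$old = Get-ExportedUsers $OldExport
$new = Get-ExportedUsers $LatestExport

# CompareUserCount: totals plus which accounts appeared or disappeared between the snapshots
"Users in old export: {0}; in latest export: {1}; delta: {2}" -f $old.Count, $new.Count, ($new.Count - $old.Count)
$old.Keys | Where-Object { -not $new.ContainsKey($_) } | ForEach-Object { "Removed since old export: $($old[$_].userPrincipalName)" }
$new.Keys | Where-Object { -not $old.ContainsKey($_) } | ForEach-Object { "Added since old export:   $($new[$_].userPrincipalName)" }

# CompareSpecificUser: attribute-level diff of one UPN (old value vs. latest value)
if ($UserPrincipalName) {
    $a = $old.Values | Where-Object userPrincipalName -eq $UserPrincipalName | Select-Object -First 1
    $b = $new.Values | Where-Object userPrincipalName -eq $UserPrincipalName | Select-Object -First 1
    if (-not $a -or -not $b) { Write-Warning "$UserPrincipalName is not present in both exports"; return }
    # Union of property names so attributes added or removed between snapshots are reported too
    $props = ($a.PSObject.Properties.Name + $b.PSObject.Properties.Name) | Sort-Object -Unique
    foreach ($p in $props) {
        # Serialize nested values so arrays/objects (e.g. assignedLicenses) compare as a whole
        $ov = ConvertTo-Json -InputObject $a.$p -Compress -Depth 5
        $nv = ConvertTo-Json -InputObject $b.$p -Compress -Depth 5
        if ($ov -ne $nv) {
            [pscustomobject]@{ Property = $p; Old = $ov; New = $nv }
        }
    }
}
```

Run it against two retained snapshots; changed attributes on the selected user (for example a new manager, a changed UPN, or added licenses) are listed one per row.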
In addition, audit log data is not stored forever at Microsoft, therefore an option to export this data is also integrated in my script. This allows detecting suspicious logins as well as directory activities (adding/removing role members) using the exported data.
How about a GUI?
I have already talked to a few people about the script. Because it already offers many possibilities, the need for a GUI came up very often. Since I already have such a UI available for my backup scanning tools, I could very quickly "transfer" this script into a GUI. Here's a sneak peek at some of the features:
- Display Roles (Yes, too many users are Global Administrator)
- Display Users in Recycle Bin
Before I upload the script to my GitHub account, I will do some additional testing. The necessary permissions also still need to be documented. It is also possible that more features will be added (e.g. display of dynamic groups or setting the necessary permissions for exporting the data). Stay tuned. Code will be shared in October.