EntraFalcon: PowerShell Tool for Microsoft Entra ID Security Audits

by ddos · Published · Updated

EntraFalcon is a PowerShell-based assessment tool for pentesters, security analysts, and system administrators to evaluate the security posture of a Microsoft Entra ID environment.

Designed for ease of use, EntraFalcon runs on PowerShell 5.1 and 7, supports both Windows and Linux, and requires no external dependencies or Microsoft Graph API consent.

The tool helps uncover privileged objects, potentially risky assignments and Conditional Access misconfigurations that are often overlooked, such as:

  • Users with control over high-privilege groups or applications
  • External or internal enterprise applications with excessive permissions (e.g., Microsoft Graph API, Azure roles)
  • Users with Azure IAM role assignments directly on resources
  • Privileged accounts synced from on-premises
  • Inactive users or users without MFA capability
  • Unprotected groups used in sensitive assignments (e.g., Conditional Access exclusions, Subscription Owner, or eligible member of a privileged group)

Findings are presented in interactive HTML reports to support efficient exploration and analysis.

Features

  • Simple PowerShell script compatible with PowerShell 5.1 and 7. Works on both Windows and Linux with no external dependencies.
  • Built-in authentication supporting multiple methods (Interactive Authorization Code Flow and Device Code flow)
  • Uses first-party Microsoft applications with pre-consented scopes to bypass Graph API consent prompts
  • Generates navigable HTML reports that support filtering, sorting, data export, etc.
  • Performs basic impact, likelihood, and risk scoring to highlight weakly protected high-privilege objects and sort the data.
  • Displays warnings for risky configurations and elevated privileges
  • Enumerates Entra ID objects, including:
    • Users
    • Groups
    • Enterprise Applications
    • App Registrations
    • Managed Identities
    • PIM assignments:
      • PIM for Entra Roles
      • PIM for Entra Groups
      • PIM for Azure Roles
    • Entra Role Assignments
    • Azure Role Assignments
    • Conditional Access Policies
    • Administrative Units

Install & Use

Tags: auditAzure ADEntra IDMicrosoft EntraPentestingPowerShellsecurity assessment