Skip to content

Logisek/CloudKit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CloudKit

Tools, scripts and tips useful during Cloud Security Assessments.

Get-EntraInteractiveSignInIssues.ps1

Lists Entra ID interactive sign-ins that did not succeed (Interrupted or Failure) over the last N days as a console table, with an optional Excel export. Authenticates via Connect-MgGraph.

Requirements: Entra ID P1/P2 licensed tenant, delegated scope AuditLog.Read.All. Microsoft.Graph.Reports (and ImportExcel for -Excel) auto-install on first run.

Parameters

Parameter Description
-Days Days to look back, 1-30 (rolling window). Prompts if omitted.
-TenantId Target tenant, GUID or domain (e.g. contoso.onmicrosoft.com).
-UseDeviceCode Device-code auth for headless / SSH / Server Core hosts.
-MaxRows Max rows printed to console (default 1000; summary always counts all).
-Excel Also export the full result set to a timestamped .xlsx (CSV fallback).
-ExcelPath Explicit .xlsx output path (implies -Excel).

Usage

# Prompt for the number of days
.\Get-EntraInteractiveSignInIssues.ps1

# Last 15 days, console only
.\Get-EntraInteractiveSignInIssues.ps1 -Days 15

# Last 30 days, export to a timestamped .xlsx in the current directory
.\Get-EntraInteractiveSignInIssues.ps1 -Days 30 -Excel

# Target a specific tenant and write to an explicit .xlsx path
.\Get-EntraInteractiveSignInIssues.ps1 -Days 7 -TenantId contoso.onmicrosoft.com -ExcelPath C:\Reports\contoso-signins.xlsx

# Headless / SSH host (device-code sign-in)
.\Get-EntraInteractiveSignInIssues.ps1 -Days 7 -UseDeviceCode

# Raise the console row cap
.\Get-EntraInteractiveSignInIssues.ps1 -Days 30 -MaxRows 5000

Get-EntraRegisteredDevices.ps1

Enumerates every registered/joined device across all users in Entra ID, cross-references Intune managed devices, and flags likely-rogue devices — attacker-registered persistence (MITRE T1098.005), unmanaged/BYOD machines with tenant access, faked-compliance (Conditional-Access bypass) devices, BPRT/bulk-enrollment persistence, stale-but-enabled, rooted and orphaned/owner-anomalous devices. Every device is listed with a Tier/Severity/RiskFlags column (a two-tier THREAT/HYGIENE model, so the marquee count stays triage-ready), with an optional color-coded Excel export. Authenticates via Connect-MgGraph. Strictly read-only.

Requirements: delegated scopes Device.Read.All (or Directory.Read.All) + User.Read.All, plus DeviceManagementManagedDevices.Read.All for the Intune cross-check and AuditLog.Read.All for -IncludeRegistrationAudit. The signed-in user must also hold a supporting Entra role (Directory Readers / Global Reader / Security Reader). No Entra ID P1/P2 is required for /devices. Microsoft.Graph.Identity.DirectoryManagement (and ImportExcel for -Excel) auto-install on first run.

Parameters

Parameter Description
-TenantId Target tenant, GUID or domain (e.g. contoso.onmicrosoft.com).
-UseDeviceCode Device-code auth for headless / SSH / Server Core hosts.
-MaxRows Max rows printed to console (default 1000; summary always counts all).
-Excel / -ExcelPath Also export the full result set to a color-coded .xlsx (CSV fallback).
-OnlyFlagged Print only devices that tripped a rule.
-HighConfidenceOnly Print/export only Tier-1 THREAT devices.
-IncludeHygiene Also show low-value hygiene-only rows in the console.
-SkipOwnerResolution Skip owner resolution (owner-dependent rules become inert; a banner is printed).
-ResolveOwners Force full owner resolution even on very large tenants.
-ResolveRegisteredUsers Also resolve/display the RegisteredUsers column (off by default).
-SkipIntune Do not query Intune (the faked-compliance cross-check is disabled; a banner is printed).
-IncludeRegistrationAudit Pull directory audit logs for registration attribution (who/when/IP/app). Uses AuditLog.Read.All.
-SignInCorrelationCsv Correlate against a sign-in export (this repo's sibling) by DeviceId. No extra scope.
-RecentRegistrationDays / -StaleDeviceDays Recency (default 7) and stale (default 180) thresholds.
-OwnerResolutionMaxDevices Above this device count, resolve owners for the high-risk subset only (default 20000).
-KnownToolBuilds, -ExpectedOperatingSystems, -ExpectedProfileTypes, -NamingConventionRegex, -BulkClusterThreshold, -OwnerFanoutThreshold, -IpFanoutThreshold, -RegActorFanoutThreshold Heuristic tunables.

Usage

# Full rogue-device sweep (Entra + Intune), interactive sign-in
.\Get-EntraRegisteredDevices.ps1

# Only the high-confidence THREAT tier, exported to a color-coded .xlsx
.\Get-EntraRegisteredDevices.ps1 -HighConfidenceOnly -Excel

# Add registration attribution + sign-in correlation (deepest coverage)
.\Get-EntraRegisteredDevices.ps1 -IncludeRegistrationAudit -SignInCorrelationCsv .\EntraSignInIssues_30d.csv

# Entra-only (no Intune scope requested) — prints the faked-compliance-disabled banner
.\Get-EntraRegisteredDevices.ps1 -SkipIntune

# Headless / SSH host (device-code sign-in), pinned tenant
.\Get-EntraRegisteredDevices.ps1 -UseDeviceCode -TenantId contoso.onmicrosoft.com

The classification engine has an offline unit test (no tenant required):

powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\tests\Test-GetEntraRegisteredDevices.ps1

About

Tools, scripts and tips useful during Cloud Security Assessments.

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors