Tools, scripts and tips useful during Cloud Security Assessments.
Lists Entra ID interactive sign-ins that did not succeed (Interrupted or Failure) over the last N days as a console table, with an optional Excel export. Authenticates via Connect-MgGraph.
Requirements: Entra ID P1/P2 licensed tenant, delegated scope AuditLog.Read.All. Microsoft.Graph.Reports (and ImportExcel for -Excel) auto-install on first run.
| Parameter | Description |
|---|---|
-Days |
Days to look back, 1-30 (rolling window). Prompts if omitted. |
-TenantId |
Target tenant, GUID or domain (e.g. contoso.onmicrosoft.com). |
-UseDeviceCode |
Device-code auth for headless / SSH / Server Core hosts. |
-MaxRows |
Max rows printed to console (default 1000; summary always counts all). |
-Excel |
Also export the full result set to a timestamped .xlsx (CSV fallback). |
-ExcelPath |
Explicit .xlsx output path (implies -Excel). |
# Prompt for the number of days
.\Get-EntraInteractiveSignInIssues.ps1
# Last 15 days, console only
.\Get-EntraInteractiveSignInIssues.ps1 -Days 15
# Last 30 days, export to a timestamped .xlsx in the current directory
.\Get-EntraInteractiveSignInIssues.ps1 -Days 30 -Excel
# Target a specific tenant and write to an explicit .xlsx path
.\Get-EntraInteractiveSignInIssues.ps1 -Days 7 -TenantId contoso.onmicrosoft.com -ExcelPath C:\Reports\contoso-signins.xlsx
# Headless / SSH host (device-code sign-in)
.\Get-EntraInteractiveSignInIssues.ps1 -Days 7 -UseDeviceCode
# Raise the console row cap
.\Get-EntraInteractiveSignInIssues.ps1 -Days 30 -MaxRows 5000Enumerates every registered/joined device across all users in Entra ID, cross-references Intune managed devices, and flags likely-rogue devices — attacker-registered persistence (MITRE T1098.005), unmanaged/BYOD machines with tenant access, faked-compliance (Conditional-Access bypass) devices, BPRT/bulk-enrollment persistence, stale-but-enabled, rooted and orphaned/owner-anomalous devices. Every device is listed with a Tier/Severity/RiskFlags column (a two-tier THREAT/HYGIENE model, so the marquee count stays triage-ready), with an optional color-coded Excel export. Authenticates via Connect-MgGraph. Strictly read-only.
Requirements: delegated scopes Device.Read.All (or Directory.Read.All) + User.Read.All, plus DeviceManagementManagedDevices.Read.All for the Intune cross-check and AuditLog.Read.All for -IncludeRegistrationAudit. The signed-in user must also hold a supporting Entra role (Directory Readers / Global Reader / Security Reader). No Entra ID P1/P2 is required for /devices. Microsoft.Graph.Identity.DirectoryManagement (and ImportExcel for -Excel) auto-install on first run.
| Parameter | Description |
|---|---|
-TenantId |
Target tenant, GUID or domain (e.g. contoso.onmicrosoft.com). |
-UseDeviceCode |
Device-code auth for headless / SSH / Server Core hosts. |
-MaxRows |
Max rows printed to console (default 1000; summary always counts all). |
-Excel / -ExcelPath |
Also export the full result set to a color-coded .xlsx (CSV fallback). |
-OnlyFlagged |
Print only devices that tripped a rule. |
-HighConfidenceOnly |
Print/export only Tier-1 THREAT devices. |
-IncludeHygiene |
Also show low-value hygiene-only rows in the console. |
-SkipOwnerResolution |
Skip owner resolution (owner-dependent rules become inert; a banner is printed). |
-ResolveOwners |
Force full owner resolution even on very large tenants. |
-ResolveRegisteredUsers |
Also resolve/display the RegisteredUsers column (off by default). |
-SkipIntune |
Do not query Intune (the faked-compliance cross-check is disabled; a banner is printed). |
-IncludeRegistrationAudit |
Pull directory audit logs for registration attribution (who/when/IP/app). Uses AuditLog.Read.All. |
-SignInCorrelationCsv |
Correlate against a sign-in export (this repo's sibling) by DeviceId. No extra scope. |
-RecentRegistrationDays / -StaleDeviceDays |
Recency (default 7) and stale (default 180) thresholds. |
-OwnerResolutionMaxDevices |
Above this device count, resolve owners for the high-risk subset only (default 20000). |
-KnownToolBuilds, -ExpectedOperatingSystems, -ExpectedProfileTypes, -NamingConventionRegex, -BulkClusterThreshold, -OwnerFanoutThreshold, -IpFanoutThreshold, -RegActorFanoutThreshold |
Heuristic tunables. |
# Full rogue-device sweep (Entra + Intune), interactive sign-in
.\Get-EntraRegisteredDevices.ps1
# Only the high-confidence THREAT tier, exported to a color-coded .xlsx
.\Get-EntraRegisteredDevices.ps1 -HighConfidenceOnly -Excel
# Add registration attribution + sign-in correlation (deepest coverage)
.\Get-EntraRegisteredDevices.ps1 -IncludeRegistrationAudit -SignInCorrelationCsv .\EntraSignInIssues_30d.csv
# Entra-only (no Intune scope requested) — prints the faked-compliance-disabled banner
.\Get-EntraRegisteredDevices.ps1 -SkipIntune
# Headless / SSH host (device-code sign-in), pinned tenant
.\Get-EntraRegisteredDevices.ps1 -UseDeviceCode -TenantId contoso.onmicrosoft.comThe classification engine has an offline unit test (no tenant required):
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\tests\Test-GetEntraRegisteredDevices.ps1