🛠️ Tool

Executive summary:
The Zero Trust Assessment is a Microsoft PowerShell module designed to evaluate tenant configuration against Zero Trust principles and produce a local HTML report. The module performs read-only checks via Microsoft Graph and, optionally, Azure sign-in/audit log verification, and requests administrator consent on the initial connection.

Technical details:
• The module operates by authenticating to Microsoft Graph to enumerate tenant configuration and security-related settings. When available, it also connects to Microsoft Azure to verify export of audit and sign-in logs.
• The assessment is explicitly read-only and stores results locally in an output folder that contains a ZeroTrustAssessmentReport.html file and associated artifacts.
• Initial authentication requires Global Administrator consent to grant a set of Graph permissions. Subsequent assessments can run under Global Reader where applicable.

Permissions observed:
AuditLog.Read.All
CrossTenantInformation.ReadBasic.All
DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
Directory.Read.All
DirectoryRecommendations.Read.All
Policy.Read.All
Policy.Read.ConditionalAccess
Reports.Read.All
RoleManagement.Read.All
UserAuthenticationMethod.Read.All
PrivilegedAccess.Read.AzureAD

How it works (conceptual):
• The module queries tenant objects, policy configuration, device management settings, role and entitlement data, and authentication methods via Graph endpoints.
• If Azure sign-in is provided, additional checks validate whether audit/sign-in logs are being exported and accessible for monitoring and retention checks.

Use cases:
• Internal security reviews to benchmark tenant configuration against Zero Trust recommendations.
• Regular health checks before audits or compliance assessments.
• Pre-engagement diagnostic for third-party security assessments (with caution about sharing results).

Limitations and considerations:
• The tool requires elevated consent on the first run; organizations must review requested Graph permissions before consenting.
• The assessment may skip Azure‑dependent checks when Azure access is not provided, producing partial results.
• Large tenants can experience runs exceeding 24 hours; the report and export folder contain sensitive tenant metadata and should be handled securely.

References & notes:
• The module name and approach indicate an endpoint‑driven audit using Graph APIs with local result storage. Additions such as custom report paths are supported conceptually.
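The two operational points above, reviewing the consent surface before running and handling the output folder as sensitive, are easy to script around the module. The following is an added example written for this page, not code from the module or from Microsoft: it connects to Graph requesting exactly the documented read-only scopes, warns when the resulting session carries fewer scopes (checks will be skipped) or more scopes than the documented list (a sign of broader prior consent worth reviewing), runs the assessment into a chosen folder, and then breaks ACL inheritance on that folder so only the running user and local Administrators can read the report. It assumes the Microsoft.Graph.Authentication module is installed, that the assessment's entry point is a cmdlet named Invoke-ZtAssessment taking a -Path parameter (verify both against the linked documentation), and a Windows host for the ACL step.

```powershell
# Added example (not the module's own code): defender-side wrapper around the
# Zero Trust Assessment. Assumptions: Microsoft.Graph.Authentication is installed;
# the assessment cmdlet is Invoke-ZtAssessment with a -Path parameter; Windows host.
#Requires -Modules Microsoft.Graph.Authentication

param(
    [string]$OutputPath = (Join-Path $env:USERPROFILE 'ZeroTrustAssessment'),
    [switch]$SkipRun   # only review consent and lock down an existing output folder
)

# Scopes documented for the assessment; every one of them is read-only.
$DocumentedScopes = @(
    'AuditLog.Read.All'
    'CrossTenantInformation.ReadBasic.All'
    'DeviceManagementApps.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Directory.Read.All'
    'DirectoryRecommendations.Read.All'
    'Policy.Read.All'
    'Policy.Read.ConditionalAccess'
    'Reports.Read.All'
    'RoleManagement.Read.All'
    'UserAuthenticationMethod.Read.All'
    'PrivilegedAccess.Read.AzureAD'
)

# Guard against the list being edited to include a write scope.
$writeScopes = $DocumentedScopes | Where-Object { $_ -match '\.(ReadWrite|Write)' }
if ($writeScopes) { throw "Refusing to request write scopes: $($writeScopes -join ', ')" }

# 1) Interactive sign-in requesting only the documented scopes.
Connect-MgGraph -Scopes $DocumentedScopes -NoWelcome

# 2) Compare what the session actually carries against the documented list.
$ctx     = Get-MgContext
$granted = @($ctx.Scopes)
$oidcScopes = @('openid', 'profile', 'email', 'offline_access')
$missing = $DocumentedScopes | Where-Object { $granted -notcontains $_ }
$extra   = $granted | Where-Object { $DocumentedScopes -notcontains $_ -and $_ -notin $oidcScopes }

if ($missing) { Write-Warning "Consent incomplete; checks needing these scopes will be skipped: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Session carries scopes beyond the documented set; review prior consents: $($extra -join ', ')" }
Write-Host "Signed in to tenant $($ctx.TenantId) as $($ctx.Account)"

# 3) Run the assessment (assumed cmdlet name and parameter; the module is read-only).
if (-not $SkipRun) {
    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
    Invoke-ZtAssessment -Path $OutputPath
}

# 4) The folder holds tenant configuration: break inheritance and grant access
#    only to the current user and local Administrators.
$report = Join-Path $OutputPath 'ZeroTrustAssessmentReport.html'
if (-not (Test-Path $report)) { throw "Expected report not found at $report" }

$acl = Get-Acl -Path $OutputPath
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }   # drop explicit ACEs
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$inh = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($principal in @($me, 'BUILTIN\Administrators')) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $principal, 'FullControl', $inh, 'None', 'Allow'))
}
Set-Acl -Path $OutputPath -AclObject $acl
Write-Host "Report at $report; folder ACL restricted to $me and BUILTIN\Administrators."

Disconnect-MgGraph | Out-Null
```

Run it as `.\Run-ZtAssessment.ps1 -OutputPath C:\ZtReport` (the script name is arbitrary); use `-SkipRun` to re-check consent and re-apply the ACL on a folder from an earlier run. The scope comparison reads the token the SDK obtained, so a Global Reader running a later assessment sees at once which documented scopes are absent and therefore which checks will produce partial results, matching the limitation noted above.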
tool #ZeroTrust #MicrosoftGraph #AzureAD #tenant_security
Source: https://learn.microsoft.com/en-us/security/zero-trust/assessment/get-started