---------------- Tool ===================

Executive summary:
The Zero Trust Assessment is a Microsoft PowerShell module that evaluates a Microsoft Entra (Azure AD) tenant's configuration against Zero Trust principles and produces a local HTML report. The module performs read-only checks through Microsoft Graph and, optionally, verifies through Azure that sign-in and audit logs are being exported. Administrator consent is requested on the first connection.

Technical details:
• The module authenticates to Microsoft Graph and enumerates tenant configuration and security-related settings. When Azure access is provided, it also connects to Azure to verify that audit and sign-in logs are exported.
• The assessment is read-only. Results are written to a local output folder containing a ZeroTrustAssessmentReport.html file and associated artifacts.
• The first connection requires a Global Administrator to consent to a set of delegated Graph permissions. Subsequent assessments can run under Global Reader where the granted permissions allow.

Permissions observed:
AuditLog.Read.All
CrossTenantInformation.ReadBasic.All
DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
Directory.Read.All
DirectoryRecommendations.Read.All
Policy.Read.All
Policy.Read.ConditionalAccess
Reports.Read.All
RoleManagement.Read.All
UserAuthenticationMethod.Read.All
PrivilegedAccess.Read.AzureAD

How it works (conceptual):
• The module queries tenant objects, policy configuration, device management settings, role and entitlement data, and authentication methods through Graph endpoints.
• If an Azure sign-in is provided, additional checks validate whether audit and sign-in logs are being exported and are accessible for monitoring and retention review.

Use cases:
• Internal security reviews that benchmark tenant configuration against Zero Trust recommendations.
• Regular health checks before audits or compliance assessments.
• Pre-engagement diagnostic for third-party security assessments (with care about who receives the results).

Limitations and considerations:
• The tool requires elevated consent on the first run; review the requested Graph permissions before consenting, and confirm afterwards that only the listed read-only scopes were granted.
• Azure-dependent checks are skipped when Azure access is not provided, so the report is partial in that case.
• Large tenants can see runs exceeding 24 hours. The report and export folder contain sensitive tenant metadata (object names, policy configuration, role membership, authentication method details) and should be stored and shared accordingly.

References & notes:
• The module name and approach indicate an endpoint-driven audit using Graph APIs with local result storage. A custom report output path appears to be supported.

tool #ZeroTrust #MicrosoftGraph #AzureAD #tenant_security Source: https://learn.microsoft.com/en-us/security/zero-trust/assessment/get-started
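The consent review the Limitations section asks for can be closed out after the first run by checking what the tenant actually granted. The script below is an added example, not part of the Microsoft module or its documentation: it uses the Microsoft Graph PowerShell SDK to find the enterprise application created when the administrator consented, collects the delegated scopes from its oauth2PermissionGrant objects, and compares them against the twelve read-only permissions listed above. It also flags any application (app-role) permissions, per-user consent grants, and any write scope. The service principal display name is an assumption; adjust it if the tenant's Enterprise applications blade shows a different name.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
# Added example (not Microsoft's code): verify that the assessment's enterprise
# application holds exactly the documented delegated Graph scopes and nothing more.
# ASSUMPTION: the display name of the service principal created at first consent.
param(
    [string] $AppDisplayName = 'Zero Trust Assessment'
)

# The delegated permissions documented for the module (all read-only).
$ExpectedScopes = @(
    'AuditLog.Read.All'
    'CrossTenantInformation.ReadBasic.All'
    'DeviceManagementApps.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Directory.Read.All'
    'DirectoryRecommendations.Read.All'
    'Policy.Read.All'
    'Policy.Read.ConditionalAccess'
    'Reports.Read.All'
    'RoleManagement.Read.All'
    'UserAuthenticationMethod.Read.All'
    'PrivilegedAccess.Read.AzureAD'
)

# Read-only sign-in; Directory.Read.All covers service principals, OAuth2 grants
# and app-role assignments, so no write scope is needed for this check.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) {
    Write-Warning "No service principal named '$AppDisplayName'. Consent has not been granted yet, or the name differs."
    return
}
if ($sp.Count -gt 1) {
    throw "Multiple service principals match '$AppDisplayName'; filter by AppId instead."
}
$sp = $sp[0]

# Delegated permissions live on oauth2PermissionGrant objects whose Scope is a
# space-separated list of permission names.
$grants  = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
$granted = @($grants | ForEach-Object { $_.Scope -split '\s+' } |
             Where-Object { $_ } | Sort-Object -Unique)

$extra   = @($granted | Where-Object { $_ -notin $ExpectedScopes })
$missing = @($ExpectedScopes | Where-Object { $_ -notin $granted })

# Tenant-wide admin consent appears as consentType 'AllPrincipals'; 'Principal'
# means an individual user consented, which should not happen for this tool.
$perUser = @($grants | Where-Object { $_.ConsentType -eq 'Principal' })

# Application permissions (app roles) would let the app read the tenant without a
# signed-in user. The assessment is a delegated, read-only tool and should hold none.
$appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)

# Any scope containing Write or ReadWrite contradicts the module's read-only claim.
$writeScopes = @($granted | Where-Object { $_ -match '\.(ReadWrite|Write)' })

[pscustomobject]@{
    ServicePrincipalId     = $sp.Id
    AppId                  = $sp.AppId
    GrantedScopes          = $granted
    UnexpectedScopes       = $extra
    MissingScopes          = $missing
    WriteScopes            = $writeScopes
    PerUserGrants          = $perUser.Count
    ApplicationPermissions = $appRoles.Count
}

if ($extra.Count -or $writeScopes.Count -or $appRoles.Count -or $perUser.Count) {
    Write-Warning 'Consent exceeds the documented read-only delegated scope set; review before running the assessment.'
}
```

Run it as a Global Reader after the first consented assessment. An empty UnexpectedScopes and WriteScopes list, zero ApplicationPermissions and zero PerUserGrants is the expected result; MissingScopes being non-empty is not a security problem but explains why some checks in the HTML report may be skipped.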