The Blog

Reporting Active Directory Group Membership is probably one of the most common tasks for both AD admins and security professionals. Wide variety of tools are available to do the job. However, native tools like Get-ADGroupMember come with caveats which will most likely be noticed in a bit more complex environments with AD trusts and historical misconfigurations. For example: Get-ADGroupMember fails with "unspecified error" if group contains foreignSecurityPrincipal member attr

Windows includes few tools to report Windows Updates using PowerShell like Get-HotFix and Microsoft.Update.Session COM object. However, each seems to be missing some info - Get-HotFix only includes Security Updates and doesn't include hour:minute:second information which is critical in many scenarios; Microsoft.Update.Session often fails without clear solution provided). Below script combines few various methods to ensure no update is missed in the report. Feel free to just u

Often during troubleshooting or investigation there is a need to list cached Kerberos tickets on given machine. "klist sessions" makes it a breeze but output is fairly hard to read and might be a challenge to parse. Here is a nice little module to get information parsed and in PowerShell-friendly format. You're welcome <# .Synopsis Gathers Information about cached Kerberos tickets on specific server .DESCRIPTION Gathers Information about cached Kerberos tickets on specific s

Stuck trying to generate a report of Named Locations which will include start and end IP addresses? MS Graph can help, but there is a caveat since Named Locations and their IP addresses are in two separate places. Below is your solution, however, make sure you get and load these functions beforehand - Get-IPV4NetworkStartIP and Get-IPV4NetworkEndIP - else output will be partial. $all_named_locations = (Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/identity/co

Ever had a need to generate report of historical Active Directory group membership changes but SIEM log retention is too short? There is not-as-well-known but very handy way by using AD metadata. It will not include an 'actor' information (like who did it), but will include exact dates going back as far as when group was created (even if it was 10 years ago). It will also include event for users accounts already deleted from AD. Below is the function, hope you find it useful

For those who has to deal with Entra ID application consents and needs to report all app consent request - here is script you can use. Simply run it with appropriate Graph API permissions and Entra roles assigned. Report will be saved as $consentrequests variable, simply export to csv after running the script. $AppConsentRequests = Get-MgIdentityGovernanceAppConsentRequest -All $consentrequests = @() foreach ($AppConsentRequest in $AppConsentRequests) { $UserConsentRequest =

Entra-native accounts are often overlooked as many Identity Governance tools are focused on Active Directory accounts. Entra makes it easy to filter out Entra-native accounts in Entra Admin portal UI, but it's impossible to tell if account is a resource account or not. You can use below report to query all Entra-native accounts and see if account is associated with any EXO resource (like Shared Mailbox, Room Mailbox, or Scheduling Mailbox). Report will be saved as $cloud_user

Ever had a need to generate report of files shared in SharePoint Online and / or OneDrive for Business? Purview makes it easy , but report might take a while to run and downloadable report will need to be parsed in Excel, which might get time consuming with bunch of unnecessary clicks. Use below PowerShell script to easily query all sharing operations with nicely formatted output. Report is saved as @SPO_Sharing variable, just export to csv. Hope you'll find it useful! Cheers