EntraFalcon
A lightweight PowerShell tool for assessing the security posture of Microsoft Entra ID environments. It helps identify privileged objects, risky assignments, and potential misconfigurations.

EntraFalcon is a PowerShell-based assessment tool for pentesters, security analysts, and system administrators to evaluate the security posture of a Microsoft Entra ID environment.
Designed for ease of use, EntraFalcon runs on PowerShell 5.1 and 7, supports both Windows and Linux, and requires no additional PowerShell modules, extra installations, or Microsoft Graph API consent.
The tool helps uncover privileged objects, potentially risky assignments, and Conditional Access misconfigurations that are often overlooked, such as:
- Users with control over high-privilege groups or applications
- External or internal enterprise applications with excessive permissions (e.g., Microsoft Graph API, Azure roles)
- Users with Azure IAM role assignments directly on resources
- Privileged accounts synced from on-premises
- Inactive users or users without MFA capability
- Unprotected groups used in sensitive assignments (e.g., Conditional Access exclusions, Subscription Owner, or eligible member of a privileged group)
Findings are presented in interactive HTML reports to support efficient exploration and analysis.
🚀 Features
- Simple PowerShell script compatible with PowerShell 5.1 and 7. Works on Windows and Linux
- Built-in authentication supporting multiple methods
- Uses first-party Microsoft applications with pre-consented scopes to bypass Graph API consent prompts
- Generates navigable HTML reports that support filtering, sorting, data export, etc.
- Performs >60 automated checks and summarizes the results in a Security Findings Report
- Includes checks for weak tenant configurations and risky object properties or permissions
- Provides severity ratings as well as descriptions of the issue, potential threats, and remediation guidance
- Lists affected objects and links directly to their detailed reports for further investigation
- Performs basic impact, likelihood, and risk scoring to highlight weakly protected high-privilege objects and sort the data
- Displays warnings for risky configurations and elevated privileges
- Enumerates Entra ID objects, including:
  - Users (including Agent Users)
  - Groups
  - Enterprise Applications
  - App Registrations
  - Managed Identities
  - PIM assignments:
    - PIM for Entra Roles
    - PIM for Entra Groups
    - PIM for Azure Roles
  - Entra Role Assignments
  - Azure Role Assignments
  - Conditional Access Policies
  - Administrative Units
  - PIM settings (for Entra Roles)
✅ Requirements
| Type | Permission | Mandatory | Impact if missing |
|-|-|-|-|
| Entra ID Role | Global Reader | Yes | Not possible to run the scripts |
| Azure Role | Reader: on every Management Group or Subscription | No | Can't assess Azure IAM assignments |
Furthermore, you must be able to authenticate to the Microsoft Graph API and optionally the Azure ARM API from the device where you run the tool. Ensure that Conditional Access Policies do not block your authentication.
▶️ Usage
Download EntraFalcon
To get started, clone the repository and navigate into the project directory:
```bash
git clone https://github.com/CompassSecurity/EntraFalcon
cd EntraFalcon
```
Note: You may need to temporarily change the PowerShell execution policy to run the script. Only do this for trusted scripts! The Process scope limits the change to the current PowerShell session.
```powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
```
Run EntraFalcon
EntraFalcon includes built-in support for Entra ID authentication.
Multiple authentication flows are available to support different environments and restrictions.
Depending on the selected flow, several interactive sign-ins may be required (see the Interactive Logins column below).
Use -AuthFlow to select the authentication flow.
| Auth Flow | Windows | Linux/macOS | Interactive Logins | Convenience | Parameter(s) | Notes |
|-----------------------------|---------|-------|--------------------|-------------|--------------------------------------|-------|
| BroCi | Yes | No | 1 | High | -AuthFlow BroCi (default) | Avoids reliance on legacy clients such as Azure Active Directory PowerShell. |
| Auth Code Flow | Yes | No | 4 | Normal | -AuthFlow AuthCode | Standard non-BroCi auth code flow. |
| Device Code Flow | Yes | Yes | 3 | Normal | -AuthFlow DeviceCode | Authentication can be completed on another device, but two Security Findings checks run with reduced depth. |
| Auth Code + Manual Code Flow| Yes | Yes | 4 | Low-Normal | -AuthFlow ManualCode | Authentication can be completed on a different device or browser session. |
| BroCi + Manual Code Flow | Yes | Yes | 1 | Low | -AuthFlow BroCiManualCode | Authorization code must be manually extracted from browser developer tools. |
| BroCi with Token | Yes | Yes | 0 | Low | -AuthFlow BroCiToken -BroCiToken "<refresh_token>" | Refresh token must be obtained manually (e.g., from browser dev tools or another auth tool). |
Use BroCi flow (default, Beta / Windows only)
BroCi uses alternate first-party applications and requires only one interactive sign-in.
It is also useful when the Azure Active Directory PowerShell first-party application has "assignment required" enabled in the tenant and therefore cannot be used for sign-in.
```powershell
.\run_EntraFalcon.ps1
```
Explicit BroCi selection:
```powershell
.\run_EntraFalcon.ps1 -AuthFlow BroCi
```
Auth Code Flow (Windows only)
```powershell
.\run_EntraFalcon.ps1 -AuthFlow AuthCode
```
Device Code Flow
The device code flow is often blocked by Conditional Access in hardened environments.
With DeviceCode, two Security Findings checks (CAP-004 and CAP-005) run with reduced depth.
```powershell
.\run_EntraFalcon.ps1 -AuthFlow DeviceCode
```
Use Auth Code + Manual Code Flow Authentication
```powershell
.\run_EntraFalcon.ps1 -AuthFlow ManualCode
```
- The script copies the authentication URL to the clipboard.
- Paste the URL into a browser (optionally on another device for SSO support).
- Complete authentication.
- Copy the final redirect URL from the browser address bar (containing the authorization code) to the clipboard.
- Press Enter to continue; the script reads the code from the clipboard and completes token acquisition.
BroCi + Manual Code Flow
```powershell
.\run_EntraFalcon.ps1 -AuthFlow BroCiManualCode
```
- The script copies the authentication URL to the clipboard.
- Paste the URL into a browser (optionally on another device for SSO support).
- Open the browser developer tools and, in the Network tab, enable Preserve log.
- Complete authentication.
- Search the network log for `code=1.` and copy the request URL containing the code to the clipboard.
- Press Enter to continue; the script reads the code from the clipboard and completes token acquisition.
BroCi with Token
If a valid Azure Portal refresh token is already available (client c44b4083-3bb0-49c1-b47d-974e53cbdf3c), it can be used directly.

Example: Obtaining the refresh token from the browser
- Open the browser developer tools and, in the Network tab, enable Preserve log.
- Authenticate at https://entra.microsoft.com.
- Search the network log for `brk_client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c` and extract the refresh token from the response.
```powershell
.\run_EntraFalcon.ps1 -AuthFlow BroCiToken -BroCiToken "1.XXXXXXXXXXX"
```
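The two manual-code flows and the BroCiToken flow above are hand-carried instances of two standard OAuth 2.0 grants against the Entra v2.0 endpoints: the authorization-code grant with PKCE (the code you paste from the clipboard) and the refresh-token grant (the token you pass to -BroCiToken). The PowerShell below is an added example written for this page, not EntraFalcon's own code: it builds the PKCE pair and authorize URL, parses the pasted redirect (or network-log request) URL for the code while checking the state and error parameters, exchanges the code at the token endpoint, shows how a held refresh token is redeemed for a Graph access token, and decodes the returned JWT so you can confirm audience and scopes before making API calls. The tenant, client ID, redirect URI and scope values are placeholders chosen for illustration; EntraFalcon's real first-party client/redirect pairs and the BroCi broker parameters (brk_client_id) are not reproduced here.

```powershell
# Added example, not EntraFalcon's own code: the standard OAuth 2.0 authorization-code
# grant with PKCE (what the manual-code flows hand-carry through the clipboard) and the
# refresh-token grant (what -BroCiToken starts from), against the Entra v2.0 endpoints.
# Tenant, client ID, redirect URI and scope below are placeholders for illustration;
# EntraFalcon's real first-party client/redirect pairs and the BroCi broker parameters
# (brk_client_id) are not reproduced here.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-RandomBase64Url([int]$Length) {
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-Base64Url $bytes
}

function New-PkcePair {
    # RFC 7636: verifier is random, challenge = base64url(SHA-256(verifier)).
    $verifier  = New-RandomBase64Url 32
    $sha256    = [System.Security.Cryptography.SHA256]::Create()
    $challenge = ConvertTo-Base64Url ($sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($verifier)))
    [pscustomobject]@{ Verifier = $verifier; Challenge = $challenge }
}

function New-AuthorizeUrl {
    param([string]$Tenant, [string]$ClientId, [string]$RedirectUri, [string]$Scope, [string]$Challenge, [string]$State)
    $q = [ordered]@{
        client_id = $ClientId; response_type = 'code'; redirect_uri = $RedirectUri; scope = $Scope
        code_challenge = $Challenge; code_challenge_method = 'S256'; state = $State
    }
    $query = ($q.GetEnumerator() | ForEach-Object { "$($_.Key)=$([Uri]::EscapeDataString($_.Value))" }) -join '&'
    "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?$query"
}

function Get-OAuthParamsFromUrl {
    # Parses the URL the user copied (the final redirect, or for BroCi the request URL
    # found in the network log). The code may sit in the query string or, with
    # response_mode=fragment, after '#'. Fails loudly on an error redirect.
    param([Parameter(Mandatory)][string]$Url)
    $uri    = [Uri]$Url
    $raw    = if ($uri.Query) { $uri.Query.TrimStart('?') } else { $uri.Fragment.TrimStart('#') }
    $params = @{}
    foreach ($pair in ($raw -split '&')) {
        if (-not $pair) { continue }
        $kv  = $pair -split '=', 2
        $val = if ($kv.Count -gt 1) { [Uri]::UnescapeDataString($kv[1]) } else { '' }
        $params[[Uri]::UnescapeDataString($kv[0])] = $val
    }
    if ($params.ContainsKey('error')) { throw "Authorization failed: $($params['error']): $($params['error_description'])" }
    if (-not $params['code'])        { throw "No 'code' parameter found in: $Url" }
    $params
}

function Invoke-TokenRequest([string]$Tenant, [hashtable]$Body) {
    Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" -Body $Body
}

function Get-TokenFromCode([string]$Tenant, [string]$ClientId, [string]$RedirectUri, [string]$Scope, [string]$Code, [string]$Verifier) {
    Invoke-TokenRequest $Tenant @{
        client_id = $ClientId; grant_type = 'authorization_code'; code = $Code
        redirect_uri = $RedirectUri; scope = $Scope; code_verifier = $Verifier
    }
}

function Get-TokenFromRefreshToken([string]$Tenant, [string]$ClientId, [string]$RefreshToken, [string]$Scope) {
    # The scope selects the resource: Graph here, https://management.azure.com/.default for ARM.
    Invoke-TokenRequest $Tenant @{
        client_id = $ClientId; grant_type = 'refresh_token'; refresh_token = $RefreshToken; scope = $Scope
    }
}

function Get-JwtPayload([string]$Jwt) {
    # Decodes the claims without verifying the signature; enough to confirm aud/scp before calling APIs.
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $p = $p.PadRight($p.Length + (4 - $p.Length % 4) % 4, '=')
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

# --- Manual-code walk-through with placeholder values (not EntraFalcon's real client) ---
$Tenant = 'contoso.onmicrosoft.com'; $ClientId = '00000000-0000-0000-0000-000000000000'
$RedirectUri = 'http://localhost'; $Scope = 'https://graph.microsoft.com/.default offline_access'
$pkce  = New-PkcePair
$state = New-RandomBase64Url 16
Set-Clipboard (New-AuthorizeUrl $Tenant $ClientId $RedirectUri $Scope $pkce.Challenge $state)
Read-Host 'Authorize in the browser, copy the final redirect URL to the clipboard, then press Enter' | Out-Null
$resp = Get-OAuthParamsFromUrl (Get-Clipboard -Raw)
if ($resp['state'] -ne $state) { throw 'state mismatch: the pasted URL does not belong to this sign-in attempt' }
$tokens = Get-TokenFromCode $Tenant $ClientId $RedirectUri $Scope $resp['code'] $pkce.Verifier
$claims = Get-JwtPayload $tokens.access_token
"aud=$($claims.aud) scp=$($claims.scp) expires=$([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"

# -BroCiToken-style path: a refresh token you already hold (one starting with "1." as in the README)
# is redeemed directly with the client that issued it, with no browser round-trip:
# $tokens = Get-TokenFromRefreshToken $Tenant 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' $refreshToken 'https://graph.microsoft.com/.default'
```

The state comparison is the step worth keeping when you script this yourself: without it, any redirect URL pasted into the clipboard is accepted, including one produced by a different sign-in attempt. Set-Clipboard and Get-Clipboard work out of the box on Windows PowerShell 5.1 and PowerShell 7; on Linux, PowerShell 7 needs xclip installed for them.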
Other Parameters
Include Microsoft-Owned Enterprise Apps
By default, official Microsoft enterprise applications are excluded from the assessment to reduce noise. To include them in the enumeration and analysis, use the -IncludeMsApps switch:
```powershell
.\run_EntraFalcon.ps1 -IncludeMsApps
```
Skip PIM for Groups Assessment
Use the -SkipPimForGroups switch to skip the enumeration of PIM assignments for groups.
This skips the additional authentication needed to access PIM for Groups data.
```powershell
.\run_EntraFalcon.ps1 -SkipPimForGroups
```
Other Optional Parameters
| Parameter | Description | Default Value |
|---------------------- |----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|
| UserAgent | User agent used for the requests to the token endpoint and API calls. | EntraFalcon |
| DisableCAE | Disables requesting Continuous Access Evaluation (CAE) tokens. | false |
| Tenant | Specifies the tenant (ID or domain) to authenticate against. Useful when assessing a tenant other than the account’s home tenant.| Account's home tenant |
| OutputFolder | Output folder where the reports are stored. | Results_%TenantName%_YYYYMMDD_HHMM |
| LimitResults | Limits the number of groups and users in the report (after sorting by risk). Useful for large tenants. | - |
| LogLevel | Controls runtime CLI logging verbosity. Supported values: Off, Verbose, Debug, Trace. | Off |
| ApiTop | Sets the max number of objects returned from
