DCToolbox

A PowerShell toolbox for Microsoft 365 security fans.

Author: Daniel Chronlund (https://danielchronlund.com)


About DCToolbox

This PowerShell module contains a collection of tools for Microsoft 365 security tasks, Microsoft Graph functions, Entra ID management, Conditional Access, zero trust strategies, attack and defense scenarios, etc.


Get Started

Install the module from the PowerShell Gallery by running:

Install-Module DCToolbox

If you already installed it, update to the latest version by running:

Update-Module DCToolbox

PowerShell Gallery package link: https://www.powershellgallery.com/packages/DCToolbox

When you have installed it, to get started, run:

Get-DCHelp

Explore and copy script examples to your clipboard with:

Copy-DCExample

Included Tools

Add-DCConditionalAccessPoliciesBreakGlassGroup

Synopsis:

Excludes a specified Entra ID security group from all Conditional Access policies in the tenant.

Details:

Excludes a specified Entra ID security group from all Conditional Access policies in the tenant.

Please create the group and add your break glass accounts before running this command.

You can filter on a name prefix with -PrefixFilter.

Parameters:

-PrefixFilter
Description:	Only modify the policies with this prefix. The filter is case sensitive.
Required:		false

-ExcludeGroupName
Description:	The name of your exclude group in Entra ID. Please create the group and add your break glass accounts before running this command.
Required:		true

Examples:

Add-DCConditionalAccessPoliciesBreakGlassGroup -PrefixFilter 'GLOBAL - ' -ExcludeGroupName 'Excluded from Conditional Access'

Confirm-DCPowerShellVersion

Synopsis:

Check that a supported PowerShell version is running.

Details:

Parameters:

Examples:

Confirm-DCPowerShellVersion
    
Confirm-DCPowerShellVersion -Verbose

Connect-DCMsGraphAsApplication

Synopsis:

Connect to Microsoft Graph with application credentials.

Details:

This CMDlet will automatically connect to Microsoft Graph using application permissions (as opposed to delegated credentials). If successful, an access token is returned that can be used with other Graph CMDlets. Make sure you store the access token in a variable according to the example.

Before running this CMDlet, you first need to register a new application in your Entra ID according to this article: https://danielchronlund.com/2018/11/19/fetch-data-from-microsoft-graph-with-powershell-paging-support/

Parameters:

-ClientID
Description:	Client ID for your Entra ID application.
Required:		true

-ClientSecret
Description:	Client secret for the Entra ID application.
Required:		true

-TenantName
Description:	The name of your tenant (example.onmicrosoft.com).
Required:		true

Examples:

$AccessToken = Connect-DCMsGraphAsApplication -ClientID '8a85d2cf-17c7-4ecd-a4ef-05b9a81a9bba' -ClientSecret 'j[BQNSi29Wj4od92ritl_DHJvl1sG.Y/' -TenantName 'example.onmicrosoft.com'

Connect-DCMsGraphAsUser

Synopsis:

Connect to Microsoft Graph with the Microsoft Graph PowerShell module as a user (using delegated permissions in Graph).

Details:

Parameters:

-Scopes
Description:	The required API permission scopes (delegated permissions). Example: "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
Required:		true

Examples:

Connect-DCMsGraphAsUser -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'
    
Connect-DCMsGraphAsUser -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All' -Verbose

Copy-DCExample

Synopsis:

Copy-DCExample

Details:

Parameters:

Examples:


Deploy-DCConditionalAccessBaselinePoC

Synopsis:

Automatically deploy the latest version of the Conditional Access policy design baseline from https://danielchronlund.com.

Details:

Automatically deploy the latest version of the Conditional Access policy design baseline from https://danielchronlund.com. It creates all necessary dependencies like exclusion groups, named locations, and terms of use, and then deploys all Conditional Access policies in the baseline.

All Conditional Access policies created by this CMDlet will be set to report-only mode.

The purpose of this tool is to quickly deploy the complete baseline as a PoC. You can then test, pilot, and deploy it going forward.

You must be a Global Admin to run this command (because of the admin consent required) but no other preparations are required.

Parameters:

-AddCustomPrefix
Description:	Adds a custom prefix to all policy names.
Required:		false

-CreateDocumentation
Description:	Creates a Markdown documentation of the baseline.
Required:		false

-SkipReportOnlyMode
Description:	All Conditional Access policies created by this CMDlet will be set to report-only mode if you don't use this parameter. WARNING: Use this parameter with caution since ALL POLICIES will go live for ALL USERS when you specify this.
Required:		false

Examples:

Deploy-DCConditionalAccessBaselinePoC
    
Deploy-DCConditionalAccessBaselinePoC -AddCustomPrefix 'PILOT - '
    
Deploy-DCConditionalAccessBaselinePoC -CreateDocumentation
    
Deploy-DCConditionalAccessBaselinePoC -SkipReportOnlyMode # Use with caution!

Enable-DCEntraIDPIMRole

Synopsis:

Activate an Entra ID Privileged Identity Management (PIM) role with PowerShell.

Details:

Uses the Graph PowerShell module to activate a user-selected Entra ID role in Entra ID Privileged Identity Management (PIM).

During activation, the user will be prompted to specify a reason for the activation.

Parameters:

-RolesToActivate
Description:	This parameter is optional, but if you specify it, you can select multiple roles to activate at once.
Required:		false

-Reason
Description:	Specify the reason for activating your roles.
Required:		false

-UseMaximumTimeAllowed
Description:	Use this switch to automatically request maximum allowed time for all role assignments.
Required:		false

Examples:

Enable-DCEntraIDPIMRole
    
Enable-DCEntraIDPIMRole -RolesToActivate 'Exchange Administrator', 'Security Reader'
    
Enable-DCEntraIDPIMRole -RolesToActivate 'Exchange Administrator', 'Security Reader' -UseMaximumTimeAllowed
    
Enable-DCEntraIDPIMRole -RolesToActivate 'Exchange Administrator', 'Security Reader' -Reason 'Performing some Exchange security configuration.' -UseMaximumTimeAllowed

Export-DCConditionalAccessPolicyDesign

Synopsis:

Export all Conditional Access policies to JSON.

Details:

This CMDlet uses Microsoft Graph to export all Conditional Access policies in the tenant to a JSON file. This JSON file can be used for backup, documentation or to deploy the same policies again with Import-DCConditionalAccessPolicyDesign. You can basically treat Conditional Access as code!

The user running this CMDlet (the one who signs in when the authentication pops up) must have the appropriate permissions in Entra ID (Global Admin, Security Admin, Conditional Access Admin, etc).

Parameters:

-FilePath
Description:	The file path where the new JSON file will be created. Skip this to use the current path.
Required:		false

-PrefixFilter
Description:	Only export the policies with this prefix. The filter is case sensitive.
Required:		false

Examples:

Export-DCConditionalAccessPolicyDesign
    
$Parameters = @{
    FilePath = 'C:\Temp\Conditional Access.json'
}
Export-DCConditionalAccessPolicyDesign @Parameters
    
$Parameters = @{
    FilePath = 'C:\Temp\Conditional Access.json'
    PrefixFilter = 'GLOBAL - '
}
Export-DCConditionalAccessPolicyDesign @Parameters
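
An added example (not part of DCToolbox) of reviewing an exported design before importing it again: it lists the policies under a prefix and flags any that are live without excluding the break glass group. It assumes the export is a JSON array of Microsoft Graph conditionalAccessPolicy objects and that you know the object ID of your exclude group; the function name, sample policies and group ID are constructed for illustration.

```powershell
# Added example, not DCToolbox code. Assumes the export is a JSON array of Microsoft Graph
# conditionalAccessPolicy objects (displayName, state, conditions.users.excludeGroups).
function Test-CAExportBreakGlass {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Json,
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,
        [string] $PrefixFilter = ''
    )
    $policies = $Json | ConvertFrom-Json
    foreach ($policy in $policies) {
        # Ordinal comparison mirrors the case-sensitive -PrefixFilter behaviour.
        if (-not $policy.displayName.StartsWith($PrefixFilter, [StringComparison]::Ordinal)) { continue }
        # A missing or empty excludeGroups list simply yields no match.
        $excluded = @($policy.conditions.users.excludeGroups)
        $hasExclusion = $excluded -contains $BreakGlassGroupId
        [pscustomobject]@{
            Policy             = $policy.displayName
            State              = $policy.state
            BreakGlassExcluded = $hasExclusion
            # 'enabled' means the policy is enforced; report-only policies cannot lock anyone out.
            NeedsReview        = ($policy.state -eq 'enabled') -and (-not $hasExclusion)
        }
    }
}

# Constructed sample export: three policies, all IDs are made up.
$sampleJson = @'
[
  { "displayName": "GLOBAL - Require MFA", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"],
      "excludeGroups": ["11111111-1111-1111-1111-111111111111"] } } },
  { "displayName": "GLOBAL - Block legacy auth", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeGroups": [] } } },
  { "displayName": "PILOT - Require compliant device", "state": "enabledForReportingButNotEnabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeGroups": [] } } }
]
'@

Test-CAExportBreakGlass -Json $sampleJson -PrefixFilter 'GLOBAL - ' `
    -BreakGlassGroupId '11111111-1111-1111-1111-111111111111' | Format-Table -AutoSize
```

To check a real export, pass the file content instead of the sample, for example with Get-Content -Raw on the path given to -FilePath.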

Get-DCConditionalAccessPolicies

Synopsis:

List all Conditional Access policies in the tenant.

Details:

List all Conditional Access policies in the tenant.

You can filter on a name prefix with -PrefixFilter.

Parameters:

-PrefixFilter
Description:	Only show the policies with this prefix. The filter is case sensitive.
Required:		false

-ShowTargetResources
Description:	Show included and excluded resources in output. Only relevant without -Details.
Required:		false

-Details
Description:	Include policy details in output.
Required:		false

-NamesOnly
Description:	Show names only in output.
Required:		false

Examples:

Get-DCConditionalAccessPolicies
    
Get-DCConditionalAccessPolicies -PrefixFilter 'GLOBAL - '

Get-DCEntraIDUsersAndGroupsAsGuest

Synopsis:

This script lets a guest user enumerate users and security groups/teams when 'Guest user access restrictions' in Entra ID is set to the default configuration.

Details:

This script is a proof of concept. Don't use it for bad things! It lets a guest user enumerate users and security groups/teams when 'Guest user access restrictions' in Entra ID is set to the default configuration. It works around the limitation that guest users must do explicit lookups for users and groups. It basically produces a list of all users and groups in the tenant, even though such actions are blocked for guests by default.

If the target tenant allows guest users to sign in with Entra ID PowerShell, and the 'Guest user access restrictions' is set to one of these two settings: 'Guest users have the s
