How I Assess a Client’s Entra ID Security Posture in Under 5 Minutes

When I begin a new Microsoft 365 identity security engagement, one of the first questions clients ask is: “Where do we stand?”

Before making any recommendations or changes, I need a clear picture of the tenant’s current security posture — and getting that picture means examining the key areas that could potentially serve as an entry point for an attacker.

Rather than manually checking each area one by one — which is time-consuming and prone to oversight — I built a PowerShell tool that runs six critical identity security checks and produces a professional HTML report in a single run. What used to take hours now takes under five minutes.

These six checks are not an exhaustive representation of every possible attack surface, as risk profiles vary from tenant to tenant. However, they cover areas that are present in virtually every Microsoft 365 environment, which means this tool can be deployed across multiple client engagements with minimal modification.

In this post I will walk through the tool, what it checks, and why each check matters.

Why Identity Security Matters

Microsoft Entra ID is the backbone of every Microsoft 365 environment. It controls who has access, what they can do, and how they authenticate.

A misconfigured or poorly governed Entra ID tenant is one of the most common root causes of security incidents — from compromised accounts to unauthorized data access. 

In fact, research examining cyberattacks in 2024 found that in more than half of all incidents, attackers compromised an identity to gain access to protected environments. In other words, they didn’t hack in — they simply logged in.

The challenge is that most organizations don’t have visibility into the state of their tenant. Guest accounts accumulate, MFA gaps go unnoticed, and app registrations with expired secrets quietly break production workflows.

That’s why having an automated workflow to regularly audit the key identity areas of your Microsoft 365 environment is essential.

What the Tool Checks

The tool runs six checks against the tenant using the Microsoft Graph API:

  • MFA Status: Identifies all users, both members and guests, who have no MFA method registered. A user without MFA is one stolen password away from a full account compromise. Surprisingly, this is consistently one of the most common findings in new client engagements.
  • Guest User Audit: Pulls all guest accounts and checks their last sign-in from the audit logs. Guests inactive for 90 days or more are flagged as stale. Unmanaged guest accounts are a frequent audit finding and a real attack surface.
  • Privileged Role Assignments: Lists all users assigned to high-privilege admin roles such as Global Administrator, Security Administrator, and others. The goal here is to ensure that privileged access is intentional, and to identify any admin accounts that lack MFA.
  • App Credential Expiry: Checks all app registrations for client secrets and certificates that have expired or are expiring within 30 days. Expired credentials are a common cause of silent production failures: automations and integrations that stop working overnight with no warning.
  • Overprivileged Apps: Flags app registrations that have been granted overly broad Microsoft Graph permissions such as Directory.ReadWrite.All or Mail.ReadWrite. The principle of least privilege applies to apps just as much as it does to users. Any app in your environment should have just enough access to perform its intended function — nothing more.
  • Dormant Accounts: Identifies user accounts that have never signed in or have been inactive for 90 days or more. Dormant accounts represent unnecessary risk — they should be disabled or removed as part of a regular lifecycle management process.
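To make two of these checks concrete, here is an added example (my own illustration, not code from the author's repository) implementing the App Credential Expiry and Dormant Accounts checks as PowerShell functions. Each function takes already-retrieved Graph objects as input, so the logic can be exercised on constructed sample data before it is pointed at a tenant; the commented lines show the Get-MgApplication and Get-MgUser calls that would supply the real data. The 30-day and 90-day thresholds are the ones the post describes. It assumes PowerShell 7 and, for a live run, the Microsoft Graph PowerShell module with a connection already established; note that the signInActivity property requires AuditLog.Read.All and an Entra ID P1 licence.

```powershell
# Added example, not the author's script. Two of the six checks as reusable functions.
$ExpiryWindowDays = 30   # credential expiring within this many days is a warning
$DormantDays      = 90   # no sign-in for this many days is dormant

function Get-AppCredentialFindings {
    param(
        [Parameter(Mandatory)] $Applications,   # objects with DisplayName, AppId, PasswordCredentials, KeyCredentials
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($app in $Applications) {
        $creds = @()
        foreach ($c in $app.PasswordCredentials) { $creds += [pscustomobject]@{ Type = 'Secret';      Name = $c.DisplayName; End = $c.EndDateTime } }
        foreach ($c in $app.KeyCredentials)      { $creds += [pscustomobject]@{ Type = 'Certificate'; Name = $c.DisplayName; End = $c.EndDateTime } }
        foreach ($cred in $creds) {
            if ($null -eq $cred.End) { continue }
            $daysLeft = [math]::Floor(($cred.End.ToUniversalTime() - $Now).TotalDays)
            if ($daysLeft -lt 0) {
                $status = 'Critical'; $rec = 'Remove the expired credential; rotate it only if the integration is still in use.'
            } elseif ($daysLeft -le $ExpiryWindowDays) {
                $status = 'Warning';  $rec = 'Rotate this credential before it expires, then remove the old one.'
            } else { continue }
            [pscustomobject]@{
                Check = 'AppCredentialExpiry'; Status = $status
                App = $app.DisplayName; AppId = $app.AppId
                Credential = "$($cred.Type): $($cred.Name)"; DaysUntilExpiry = $daysLeft
                Recommendation = $rec
            }
        }
    }
}

function Get-DormantAccountFindings {
    param(
        [Parameter(Mandatory)] $Users,   # objects with UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($u in $Users) {
        if (-not $u.AccountEnabled) { continue }   # already disabled: not a finding
        # Take the most recent of interactive and non-interactive sign-in; either alone under-reports activity
        # (service accounts and mobile apps often show only non-interactive sign-ins).
        $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        if ($null -eq $last) {
            # Never signed in. Only flag accounts older than the dormancy window so brand-new users are not reported.
            $age = ($Now - $u.CreatedDateTime.ToUniversalTime()).TotalDays
            if ($age -lt $DormantDays) { continue }
            $days = [math]::Floor($age); $reason = 'Never signed in'
        } else {
            $days = [math]::Floor(($Now - $last.ToUniversalTime()).TotalDays)
            if ($days -lt $DormantDays) { continue }
            $reason = "Last sign-in $($last.ToString('yyyy-MM-dd'))"
        }
        [pscustomobject]@{
            Check = 'DormantAccounts'; Status = 'Warning'; User = $u.UserPrincipalName
            DaysInactive = $days; Reason = $reason
            Recommendation = 'Confirm with the owner, then disable and schedule removal through lifecycle management.'
        }
    }
}

# Live run (requires Application.Read.All, User.Read.All and AuditLog.Read.All on the app registration):
# $apps  = Get-MgApplication -All -Property DisplayName,AppId,PasswordCredentials,KeyCredentials
# $users = Get-MgUser -All -Property UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity
# Get-AppCredentialFindings -Applications $apps; Get-DormantAccountFindings -Users $users

# Constructed sample data (fictitious tenant) so the functions run offline. All times are UTC.
$now = [datetime]::new(2025, 1, 15, 0, 0, 0, [System.DateTimeKind]::Utc)
$sampleApps = @(
    [pscustomobject]@{ DisplayName = 'Payroll Sync'; AppId = '11111111-0000-0000-0000-000000000001'
        PasswordCredentials = @([pscustomobject]@{ DisplayName = 'prod'; EndDateTime = $now.AddDays(-3) })      # expired
        KeyCredentials      = @([pscustomobject]@{ DisplayName = 'signing'; EndDateTime = $now.AddDays(400) }) } # fine
    [pscustomobject]@{ DisplayName = 'Ticket Bot'; AppId = '11111111-0000-0000-0000-000000000002'
        PasswordCredentials = @([pscustomobject]@{ DisplayName = 'bot'; EndDateTime = $now.AddDays(12) })       # expiring
        KeyCredentials      = @() }
)
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AccountEnabled = $true; CreatedDateTime = $now.AddDays(-400)
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = $now.AddDays(-200); LastNonInteractiveSignInDateTime = $now.AddDays(-5) } } # active
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   AccountEnabled = $true; CreatedDateTime = $now.AddDays(-400)
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = $now.AddDays(-120); LastNonInteractiveSignInDateTime = $null } }           # dormant
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; AccountEnabled = $true; CreatedDateTime = $now.AddDays(-10);  SignInActivity = $null } # new, never signed in: not flagged
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  AccountEnabled = $true; CreatedDateTime = $now.AddDays(-200); SignInActivity = $null } # old, never signed in: flagged
)
Get-AppCredentialFindings -Applications $sampleApps -Now $now | Format-Table Status, App, Credential, DaysUntilExpiry
Get-DormantAccountFindings -Users $sampleUsers -Now $now | Format-Table Status, User, DaysInactive, Reason
```

On the sample data the credential check reports Payroll Sync as Critical (secret expired three days ago) and Ticket Bot as Warning (12 days left), and the dormancy check flags bob (120 days) and dave (never signed in, account 200 days old) while leaving alice (recent non-interactive sign-in) and carol (created 10 days ago) alone. The two edge cases worth carrying into any implementation are the non-interactive sign-in timestamp, which is easy to forget and produces false dormancy findings, and the created-date guard for accounts that have never signed in.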

The Output

At the end of the run the script generates a professional HTML report that can be opened in any browser and shared directly with the client. The report includes:

  • A summary dashboard showing the finding count for each check.
  • Color coded status badges — red for critical findings, amber for warnings, green for passing checks.
  • A detailed table for each check.
  • Remediation recommendations for every finding.
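An added example (my own, not the report code from the author's repository) of turning finding objects into that kind of HTML report: a summary list with a red, amber or green badge per check, followed by a table per check. One point worth building in from the start: display names, UPNs and app names come from the directory and can be set by whoever controls those objects, so every value is HTML-encoded before it is written, which keeps tenant data from turning into markup when the report is opened in a browser. The sample findings, including the display name carrying HTML tags, are constructed for the demonstration. It assumes PowerShell 7 and writes to the system temp directory.

```powershell
# Added example, not the author's report generator.
function Protect-Html { param([AllowNull()] $Value) [System.Net.WebUtility]::HtmlEncode([string]$Value) }

function Get-CheckStatus {
    # Badge colour for a check: any Critical finding -> critical (red), any finding -> warning (amber), none -> pass (green)
    param($Findings)
    if (-not $Findings -or $Findings.Count -eq 0) { return 'pass' }
    if ($Findings | Where-Object { $_.Status -eq 'Critical' }) { return 'critical' }
    return 'warning'
}

function New-HealthCheckReport {
    param(
        [Parameter(Mandatory)] [hashtable] $Results,   # check name -> array of finding objects
        [Parameter(Mandatory)] [string] $Path,
        [string] $TenantName = 'Unnamed tenant'
    )
    $css = @'
body{font-family:Segoe UI,Arial,sans-serif;margin:2em}
.badge{display:inline-block;padding:.2em .6em;border-radius:.4em;color:#fff;font-weight:600}
.critical{background:#c62828}.warning{background:#ef8f00}.pass{background:#2e7d32}
table{border-collapse:collapse;margin-bottom:2em}th,td{border:1px solid #ccc;padding:.3em .6em;text-align:left}
'@
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine("<!DOCTYPE html><html><head><meta charset='utf-8'><title>Entra ID Health Check</title><style>$css</style></head><body>")
    [void]$sb.AppendLine("<h1>Entra ID Security Health Check: $(Protect-Html $TenantName)</h1>")
    [void]$sb.AppendLine("<p>Generated $((Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm')) UTC</p><h2>Summary</h2><ul>")
    foreach ($check in ($Results.Keys | Sort-Object)) {
        $findings = @($Results[$check]); $status = Get-CheckStatus $findings
        [void]$sb.AppendLine("<li><span class='badge $status'>$($status.ToUpper())</span> $(Protect-Html $check): $($findings.Count) finding(s)</li>")
    }
    [void]$sb.AppendLine('</ul>')
    foreach ($check in ($Results.Keys | Sort-Object)) {
        $findings = @($Results[$check])
        [void]$sb.AppendLine("<h2>$(Protect-Html $check)</h2>")
        if ($findings.Count -eq 0) { [void]$sb.AppendLine('<p>No findings.</p>'); continue }
        # Column headers come from the finding object's properties, so each check can carry its own fields.
        $cols = $findings[0].PSObject.Properties.Name
        [void]$sb.AppendLine('<table><tr>' + (($cols | ForEach-Object { "<th>$(Protect-Html $_)</th>" }) -join '') + '</tr>')
        foreach ($f in $findings) {
            $cells = $cols | ForEach-Object { "<td>$(Protect-Html $f.$_)</td>" }   # every cell encoded
            [void]$sb.AppendLine('<tr>' + ($cells -join '') + '</tr>')
        }
        [void]$sb.AppendLine('</table>')
    }
    [void]$sb.AppendLine('</body></html>')
    Set-Content -Path $Path -Value $sb.ToString() -Encoding utf8
    return $Path
}

# Constructed sample findings for a fictitious tenant. The display name with tags shows the encoding at work:
# it appears in the report as literal text, not as bold markup.
$sample = @{
    'MFA Status' = @(
        [pscustomobject]@{ Status = 'Critical'; User = 'alice@contoso.example'; DisplayName = 'Alice <b>Admin</b>'; Recommendation = 'Register an MFA method.' }
    )
    'Dormant Accounts' = @()
    'App Credential Expiry' = @(
        [pscustomobject]@{ Status = 'Warning'; App = 'Ticket Bot'; Credential = 'Secret: bot'; DaysUntilExpiry = 12; Recommendation = 'Rotate before expiry.' }
    )
}
$out = New-HealthCheckReport -Results $sample -TenantName 'Contoso (sample)' -Path (Join-Path ([System.IO.Path]::GetTempPath()) 'entra-health-check.html')
Write-Host "Report written to $out"
```

The resulting file is self-contained (inline CSS, no external resources), so it can be mailed or dropped into a shared folder without anything else, which is what makes it convenient to hand to a client. If the report is later extended with the raw objects the checks return, keep routing every value through the encoding helper rather than concatenating it into the markup directly.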

This is the document I walk through with the client at the start of an engagement. It sets the baseline, prioritizes what needs to be fixed, and demonstrates immediately that there is real value in the work ahead. 

My goal is to keep it as simple and readable as possible, while ensuring it captures all the critical information a client needs to clearly understand where they stand on identity and access management security.

How It Authenticates

The tool authenticates to Microsoft Graph using an Entra ID app registration. This app is a dedicated identity that defines what the script is allowed to do and on whose behalf it operates. Without this, the script would have no way to securely access your tenant’s data. 

After registering the app, I granted it only the specific Microsoft Graph permissions required to perform each check — nothing beyond what the script needs to function.

For authentication, I chose certificate-based authentication over the more commonly used client secret. A client secret is essentially a password — a plain text string that can be copied, leaked, or accidentally committed to a code repository. 

A certificate works differently. It consists of two parts: a private key that never leaves your machine or server, and a public certificate that is uploaded to Entra ID. When the script authenticates, it uses the private key to sign a token, which Microsoft verifies against the public certificate it already holds. At no point does the private key get transmitted, which makes it significantly harder to compromise.

Prerequisites

To run this tool in your own environment you will need:

  • PowerShell 7.0 or higher
  • Microsoft Graph PowerShell module
  • An Entra ID app registration with the following permissions:
    • User.Read.All
    • User.ReadWrite.All
    • AuditLog.Read.All
    • Directory.Read.All
    • Application.Read.All
    • UserAuthenticationMethod.Read.All
  • A self-signed certificate for authentication

Full setup instructions are included in the GitHub repository.
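The certificate flow described under "How It Authenticates", together with the prerequisites above, as an added example (mine, not the setup script from the author's repository). It generates the self-signed certificate with a non-exportable private key, exports only the public .cer for upload to the app registration, connects to Graph with the thumbprint, and then verifies, before any check runs, that the session is app-only and holds exactly the permissions listed above. The tenant and client ids are placeholders. New-SelfSignedCertificate comes from the Windows PKI module; on other platforms the certificate would be created with openssl and passed to Connect-MgGraph via its -Certificate parameter instead of a thumbprint. It assumes Microsoft.Graph module 2.x.

```powershell
# Added example, not the author's setup script. Placeholders: replace with your own tenant and app registration ids.
$TenantId = '<tenant-id>'
$ClientId = '<app-client-id>'

# 1. Generate a signing certificate in the current user's store. The key is marked non-exportable,
#    so it cannot be copied out of the machine the way a client secret can.
$cert = New-SelfSignedCertificate -Subject 'CN=EntraHealthCheck' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export the public certificate only (.cer, no private key). This is the file uploaded under
#    the app registration's "Certificates & secrets" blade.
$cerPath = Join-Path $PWD 'EntraHealthCheck.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Write-Host "Upload $cerPath to the app registration. Thumbprint: $($cert.Thumbprint)"

# 3. Authenticate as the app. No secret is involved: the SDK signs a client assertion with the
#    private key and Entra ID verifies it against the uploaded public certificate.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $cert.Thumbprint

# 4. Verify the session before running any check: application-only auth, and the permission set
#    should match the prerequisites exactly. Anything extra is scope the checks do not need.
$ctx = Get-MgContext
$expected = 'User.Read.All', 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All',
            'Application.Read.All', 'UserAuthenticationMethod.Read.All'
$missing = $expected   | Where-Object { $_ -notin $ctx.Scopes }
$extra   = $ctx.Scopes | Where-Object { $_ -notin $expected }
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected app-only authentication, got '$($ctx.AuthType)'" }
if ($missing) { throw "App registration is missing permissions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "App registration holds permissions the checks do not need: $($extra -join ', ')" }
Write-Host "Connected to tenant $($ctx.TenantId) as app $($ctx.ClientId) with $($ctx.Scopes.Count) permissions"
```

Step 4 is the part I would keep in any scheduled run: it turns the least-privilege intent into a check that fails loudly if someone later widens the app's permissions or switches it to a delegated sign-in.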

The Script

The full script is available on GitHub: github.com/tmugema1/entra-id-security-health-check

What Comes Next

After using this tool to establish a clear picture of your identity security posture, the next step is putting ongoing governance in place to ensure it stays that way. Here is what I typically recommend:

  • Access Reviews: Scheduled quarterly reviews of guest and privileged accounts to ensure only the right people retain access. Without a regular review process, access tends to accumulate over time rather than being revoked when it is no longer needed.
  • Lifecycle Workflows: Automatically disable or remove dormant accounts using Entra ID Lifecycle Workflows, ensuring stale identities are acted on consistently without relying on manual intervention.
  • Privileged Identity Management (PIM): Replace permanent admin role assignments with just-in-time access. Rather than a user holding Global Administrator privileges around the clock, PIM allows them to activate the role only when needed and for a limited time — significantly reducing the window of exposure if that account is ever compromised.
  • Conditional Access: Enforce MFA and other access controls at sign-in to ensure that even if credentials are stolen, an attacker cannot easily use them to gain entry.

Key Takeaway

Effective identity security starts with visibility. You cannot protect what you don’t know exists. Regardless of the size of your organization, you need a clear picture of who has access to what, which guest accounts are stale, which users are inactive, and what permissions your apps are holding. It is this data that drives a meaningful security strategy.

An automated tool like this one makes that visibility achievable without the manual overhead. It can be deployed across multiple tenants with minimal modification and run on a schedule to ensure your security posture is never left unchecked for long.

If you would like me to run this assessment against your tenant or help you build a long-term identity governance strategy, send me a message on tom@helpdesq.tech.

Tom Sankara