auditing-azure-active-directory-configuration - SKILL.md Agent Skill

name: auditing-azure-active-directory-configuration description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.

' domain: cybersecurity tags:

cloud-security
azure
entra-id
active-directory
iam-audit
conditional-access subdomain: cloud-security version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
PR.IR-01
ID.AM-08
GV.SC-06
DE.CM-01

Auditing Azure Active Directory Configuration

Overview

Cybersecurity skill for auditing azure active directory configuration. Follows industry best practices and security standards.

When to Use

When performing a security assessment of an Azure tenant's identity configuration
When compliance audits require review of authentication policies, MFA enforcement, and role assignments
When onboarding a new Azure tenant after merger or acquisition
When investigating suspicious sign-in activity or compromised accounts
When validating conditional access policies adequately protect against identity-based attacks

Do not use for on-premises Active Directory auditing (use PingCastle or BloodHound AD), for Azure resource-level RBAC auditing without identity context, or for real-time threat detection (use Microsoft Defender for Identity).

When NOT to Use

When you lack proper authorization for testing
For production systems without change management
When the task requires legal or compliance expertise beyond technical scope

Prerequisites

Global Reader or Security Reader role in the target Microsoft Entra ID tenant
Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
Az CLI authenticated to the target tenant (az login --tenant TENANT_ID)
ScoutSuite with Azure provider configured for automated assessment
Access to Azure AD audit logs and sign-in logs (requires Azure AD Premium P1/P2)

Workflow

# Example: IOC detection
import re

IOC_PATTERNS = {
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "domain": r"\b[a-z0-9-]+\.[a-z]{2,}\b",
    "hash_md5": r"\b[a-f0-9]{32}\b",
    "hash_sha256": r"\b[a-f0-9]{64}\b",
}

def extract_iocs(text: str) -> dict:
    return {k: re.findall(v, text) for k, v in IOC_PATTERNS.items()}

Define Objectives — Clarify the goals and scope for azure active directory configuration.
Gather Resources — Collect tools, data, and access needed for azure active directory configuration.
Execute Process — Carry out azure active directory configuration operations methodically.
Verify Quality — Check results against acceptance criteria.
Document Outcomes — Record findings, decisions, and next steps.

Tools

Analysis Platform — Data processing and visualization
Collaboration Tools — Team coordination and knowledge sharing

Verification

All azure active directory configuration procedures executed completely and documented
Findings validated against multiple data sources
False positives identified and filtered
Results documented with evidence and timestamps
Recommendations provided with risk-based prioritization

Anti-Rationalization

Rationalization	Reality
"We are too small to be targeted"	Automated attacks target everyone. Size does not matter.
"Security slows us down"	A breach slows you down 100x more. Build security in from the start.
"We will fix it after launch"	Vulnerabilities in production are exploited within hours. Fix before deploy.