Auditing Azure Active Directory Configuration

When to Use

• When performing a security assessment of an Azure tenant's identity configuration
• When compliance audits require review of authentication policies, MFA enforcement, and role assignments
• When onboarding a new Azure tenant after merger or acquisition
• When investigating suspicious sign-in activity or compromised accounts
• When validating conditional access policies adequately protect against identity-based attacks

Do not use for on-premises Active Directory auditing (use PingCastle or BloodHound AD), for Azure resource-level RBAC auditing without identity context, or for real-time threat detection (use Microsoft Defender for Identity).

Prerequisites

• Global Reader or Security Reader role in the target Microsoft Entra ID tenant
• Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
• Az CLI authenticated to the target tenant (az login --tenant TENANT_ID)
• ScoutSuite with Azure provider configured for automated assessment
• Access to Azure AD audit logs and sign-in logs (requires Azure AD Premium P1/P2)