A modular, client-agnostic PowerShell toolkit for implementing Microsoft Entra ID (Azure AD) security hardening based on Microsoft's official guidance and industry best practices.
This toolkit provides automated scripts to implement comprehensive Entra ID security controls across 10 major security areas. Each module is independent and can be executed individually, allowing organizations to implement hardening controls at their own pace.
- Modular Design: Pick and choose which security controls to implement
- Client-Agnostic: Configuration-driven approach works with any tenant
- Report-Only Mode: Test policies before enforcement
- Rollback Support: Safely revert changes if needed
- Comprehensive Logging: Track all changes and operations
- Best Practices: Based on official Microsoft guidance
- Microsoft Entra ID P1 (minimum for Conditional Access)
- Microsoft Entra ID P2 (for risk-based policies and PIM)
- Microsoft Entra ID Governance (optional, for advanced PIM features)
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module Az.Accounts -Scope CurrentUser -Force
Install-Module Az.Monitor -Scope CurrentUser -Force
```

The account running these scripts needs:
- Global Administrator (for full implementation)
- Security Administrator (for read-only audits)
- Conditional Access Administrator (for CA policies only)
- Privileged Role Administrator (for PIM configuration)
1. Clone or download this repository
2. Configure your environment:

```powershell
# Copy the template configuration
Copy-Item config.template.json config.json
# Edit config.json with your organization's settings
notepad config.json
```

3. Connect to Microsoft Graph:

```powershell
.\Common\Connect-EntraID.ps1
```

4. Run individual modules or use the orchestrator:

```powershell
# Run individual module
.\Modules\1-MFA-Authentication\Deploy-MFA.ps1 -WhatIf
# Run orchestrator for full deployment
.\Deploy-EntraHardening.ps1 -Phase 1 -WhatIf
```
- Deploy-MFA.ps1: Enforce MFA for all users
- Deploy-PasswordlessAuth.ps1: Configure passwordless authentication methods
- Block-LegacyAuth.ps1: Disable legacy authentication protocols
- Deploy-BaselineCA.ps1: Deploy baseline Conditional Access policies
- Deploy-RiskBasedCA.ps1: Implement risk-based access controls
- New-EmergencyCAPolicy.ps1: Create emergency access policies
- Deploy-PIM.ps1: Configure PIM for privileged roles
- Set-JITAccess.ps1: Implement Just-In-Time access
- Review-PrivilegedAccess.ps1: Audit privileged role assignments
- New-BreakGlassAccount.ps1: Create emergency access accounts
- Monitor-BreakGlassActivity.ps1: Alert on emergency account usage
- Deploy-AccessReviews.ps1: Configure automated access reviews
- Audit-LeastPrivilege.ps1: Review and enforce least privilege
- Deploy-AuditLogging.ps1: Configure audit log retention and streaming
- Deploy-SIEMIntegration.ps1: Integrate with external SIEM
- New-SecurityAlerts.ps1: Create custom security alerts
- Restrict-AppConsent.ps1: Disable user app consent
- Audit-EnterpriseApps.ps1: Review registered applications
- Restrict-AppRegistration.ps1: Limit app registration permissions
- Harden-B2BSettings.ps1: Secure external collaboration
- Deploy-NamedLocations.ps1: Configure trusted network locations
- Disable-WeakProtocols.ps1: Disable weak ciphers and protocols
- Deploy-PasswordProtection.ps1: Enable banned password lists
- Set-PasswordPolicy.ps1: Configure strong password requirements
- Get-SecurityPosture.ps1: Generate comprehensive security reports
- Export-ComplianceReport.ps1: Create audit documentation
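The Monitor-BreakGlassActivity.ps1 entry above describes alerting on emergency account usage. As an added example that is not the toolkit's own code, the function below shows the core of such a check: it queries the Entra ID sign-in log for the break-glass UPNs over a lookback window and returns any sign-in events, since a break-glass account is not expected to authenticate outside an emergency. It assumes the Microsoft.Graph module is installed and an existing Connect-MgGraph session with AuditLog.Read.All and Directory.Read.All; the UPNs in the usage call are constructed placeholders.

```powershell
# Added example, not part of the toolkit. Requires an existing Connect-MgGraph session
# with AuditLog.Read.All and Directory.Read.All (assumption about the caller's setup).
function Get-BreakGlassSignInReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$BreakGlassUpn,   # UPNs from the BreakGlassAccounts config
        [int]$LookbackHours = 24
    )

    # OData datetime literal for the start of the lookback window
    $since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')

    $findings = foreach ($upn in $BreakGlassUpn) {
        $filter = "userPrincipalName eq '$upn' and createdDateTime ge $since"
        Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
            [pscustomobject]@{
                User      = $_.UserPrincipalName
                When      = $_.CreatedDateTime
                App       = $_.AppDisplayName
                IpAddress = $_.IpAddress
                Location  = "$($_.Location.City), $($_.Location.CountryOrRegion)"
                # ErrorCode 0 means the sign-in succeeded; failures are still worth seeing
                Succeeded = ($_.Status.ErrorCode -eq 0)
            }
        }
    }
    return $findings
}

# Usage: any row returned is an event to investigate. The UPNs are constructed placeholders.
$report = Get-BreakGlassSignInReport -BreakGlassUpn 'bg-admin-01@contoso.example', 'bg-admin-02@contoso.example'
if ($report) {
    Write-Warning "Break-glass sign-in activity detected ($(@($report).Count) event(s))"
    $report | Format-Table -AutoSize
} else {
    Write-Host 'No break-glass sign-ins in the lookback window.'
}
```

Failed sign-ins are deliberately included: repeated failures against an emergency account are as much a signal as a success, and in a scheduled job the non-empty report would be what raises the alert.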
The config.json file drives all module behavior. Key sections:
```json
{
  "TenantId": "your-tenant-id",
  "OrganizationName": "Client Name",
  "BreakGlassAccounts": {
    "Count": 2,
    "PasswordLength": 32
  },
  "ConditionalAccess": {
    "ReportOnlyDuration": 7,
    "TrustedLocations": []
  },
  "PIM": {
    "DefaultActivationDuration": 4,
    "RequireApproval": true
  }
}
```

Phase 1:

```powershell
.\Deploy-EntraHardening.ps1 -Phase 1 -WhatIf
```

- Create break-glass accounts
- Enable MFA for administrators
- Block legacy authentication
- Deploy baseline CA policies (report-only)
Phase 2:

```powershell
.\Deploy-EntraHardening.ps1 -Phase 2
```

- Roll out MFA to all users
- Enforce Conditional Access policies
- Implement PIM for Global Administrators
- Set up audit log retention
Phase 3:

```powershell
.\Deploy-EntraHardening.ps1 -Phase 3
```

- Deploy passwordless authentication
- Implement risk-based Conditional Access
- Extend PIM to all privileged roles
- Integrate with SIEM
- Regular access reviews
- Policy refinement
- Security posture assessments
All scripts support -WhatIf to preview changes without applying them:
```powershell
.\Modules\2-ConditionalAccess\Deploy-BaselineCA.ps1 -WhatIf
```

Conditional Access policies are deployed in report-only mode by default, with automatic enforcement after the configured duration (ReportOnlyDuration in config.json).
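The report-only-then-enforce flow described above, as an added example that is not the toolkit's own code: the first function creates a baseline MFA policy in report-only state with the break-glass group excluded, and the second promotes any report-only policy that has aged past ReportOnlyDuration to enforced, honouring -WhatIf. It assumes an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess and Policy.Read.All; the policy name and the exclusion group id are assumptions the caller supplies.

```powershell
# Added example, not part of the toolkit. Assumes a Connect-MgGraph session with
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All.
function New-ReportOnlyMfaPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ExcludeGroupId   # break-glass group, never subject to this policy
    )
    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # report-only: logged, not enforced
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Enable-MaturedReportOnlyPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$ReportOnlyDuration = 7)   # days, mirrors ConditionalAccess.ReportOnlyDuration in config.json

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$ReportOnlyDuration)
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object {
            $_.State -eq 'enabledForReportingButNotEnforced' -and
            $_.CreatedDateTime -and          # older policies may lack a creation timestamp; skip them
            $_.CreatedDateTime -lt $cutoff
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Switch from report-only to enforced')) {
                Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -BodyParameter @{ state = 'enabled' }
            }
        }
}

# Usage (group id is a constructed placeholder):
# New-ReportOnlyMfaPolicy -DisplayName 'CA001 - Require MFA for all users' -ExcludeGroupId '00000000-0000-0000-0000-000000000000'
# Preview which matured policies would be enforced, without changing anything:
Enable-MaturedReportOnlyPolicy -ReportOnlyDuration 7 -WhatIf
```

The promotion step only acts on policies still in report-only state and only after the window has elapsed, so running it on a schedule is idempotent; review the report-only sign-in results before letting it run without -WhatIf.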
All scripts create rollback files in the Rollback\ directory:
```powershell
.\Rollback\Restore-Changes.ps1 -RollbackFile ".\Rollback\20250122-143022-Deploy-BaselineCA.json"
```

All operations are logged to the Logs\ directory with timestamps:
- Logs\EntraHardening-YYYYMMDD.log: Main execution log
- Logs\Changes-YYYYMMDD.json: Detailed change tracking
- Logs\Errors-YYYYMMDD.log: Error log
- Test in Non-Production First: Always validate in a test tenant
- Review Exclusions: Minimize CA policy exclusions
- Protect Break-Glass Accounts: Follow physical security procedures
- Monitor Break-Glass Usage: Alert on any emergency account activity
- Regular Reviews: Conduct periodic access reviews
This toolkit is designed to be extended. To add custom modules:
- Create a new folder under Modules\
- Follow the existing module structure
- Use shared utilities from Common\
- Update config.template.json with new settings
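A minimal custom module that follows the conventions described here (config-driven, -WhatIf support, a rollback file written before any change, and a timestamped log), as an added example that is not part of the toolkit and does not reproduce its Common\ helpers. It assumes the module lives two levels below the repository root (Modules\<Area>\), reuses the TenantId and OrganizationName keys from config.template.json, and targets the tenant authorization policy's allowInvitesFrom setting as the hardening change; that target, the module name and the inline Write-Log helper are assumptions. It needs a Connect-MgGraph session with Policy.Read.All and Policy.ReadWrite.Authorization.

```powershell
# Added example module, not part of the toolkit. Assumes Modules\<Area>\ placement,
# config.json at the repository root, and a Connect-MgGraph session with
# Policy.Read.All and Policy.ReadWrite.Authorization.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ConfigPath = "$PSScriptRoot\..\..\config.json"
)

$moduleName = 'Deploy-ExampleControl'   # assumed name for this illustration

# 1. Load and validate the shared configuration
$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
foreach ($key in 'TenantId', 'OrganizationName') {
    if (-not $config.$key) { throw "config.json is missing required key '$key'" }
}

# 2. Resolve the toolkit folders and make sure Logs\ and Rollback\ exist
$root        = Resolve-Path "$PSScriptRoot\..\.."
$logDir      = Join-Path $root 'Logs'
$rollbackDir = Join-Path $root 'Rollback'
New-Item -ItemType Directory -Path $logDir, $rollbackDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$logFile = Join-Path $logDir "EntraHardening-$(Get-Date -Format 'yyyyMMdd').log"

function Write-Log([string]$Message) {
    # Timestamped line to both console and the daily log file
    "$(Get-Date -Format 'o') [$moduleName] $Message" | Tee-Object -FilePath $logFile -Append
}
Write-Log "Starting for tenant $($config.TenantId) ($($config.OrganizationName))"

# 3. Capture current state BEFORE changing anything, so Restore-Changes has something to restore
$current  = Get-MgPolicyAuthorizationPolicy
$rollback = [ordered]@{
    Module    = $moduleName
    Timestamp = $stamp
    Target    = 'authorizationPolicy'
    Previous  = @{ allowInvitesFrom = $current.AllowInvitesFrom }
}
$rollbackFile = Join-Path $rollbackDir "$stamp-$moduleName.json"
$rollback | ConvertTo-Json -Depth 5 | Set-Content -Path $rollbackFile
Write-Log "Rollback state saved to $rollbackFile"

# 4. Apply the change only if needed and only when not running with -WhatIf
$desired = 'adminsAndGuestInviters'   # restrict who may invite guests
if ($current.AllowInvitesFrom -eq $desired) {
    Write-Log 'Already compliant; nothing to do'
} elseif ($PSCmdlet.ShouldProcess('authorizationPolicy', "Set allowInvitesFrom to $desired")) {
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom $desired
    Write-Log "Changed allowInvitesFrom from '$($current.AllowInvitesFrom)' to '$desired'"
}
```

Run it as `.\Modules\<Area>\Deploy-ExampleControl.ps1 -WhatIf` to see the planned change; the rollback file is written even in preview, which is harmless and means the pre-change state is always on disk before the first real run.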
This project is provided as-is for security hardening purposes.
[Unverified] These scripts make significant changes to your Entra ID tenant. Always:
- Test in a non-production environment first
- Review all configurations before deployment
- Ensure you have valid break-glass account access
- Maintain backups of current configurations
- Have rollback procedures ready