CrowdStrike Reporting Tool for Azure
CrowdStrike Reporting Tool for Azure (CRT)
This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.
Exchange Online (O365):
- Federation Configuration
- Federation Trust
- Client Access Settings Configured on Mailboxes
- Mail Forwarding Rules for Remote Domains
- Mailbox SMTP Forwarding Rules
- Mail Transport Rules
- Delegates with ‘Full Access’ Permission Granted
- Delegates with Any Permissions Granted
- Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
- Exchange Online PowerShell Enabled Users
- Users with ‘Audit Bypass’ Enabled
- Mailboxes Hidden from the Global Address List (GAL)
- Collect administrator audit logging configuration settings.
Azure AD:
- Service Principal Objects with KeyCredentials
- O365 Admin Groups Report
- Delegated Permissions & Application Permissions
Querying Tenant Partner Information: In order to view Tenant Partner Information, including roles assigned to your partners, you must log in to the Microsoft 365 Admin Center as Global Admin.
Download
git clone https://github.com/CrowdStrike/CRT.git
Prerequisites
The following PowerShell modules are required and will be installed automatically:
- ExchangeOnlineManagement
- AzureAD
NOTE: To return the full extent of the configurations being queried, the following role is required:
- Global Admin
When Global Admin privileges are not available, the tool will notify you about what information won’t be available to you as a result.
Use
Copyright (c) 2020 CrowdStrike Services
Copyright (c) 2020 panavarr
Copyright (c) 2017 Paul Cunningham
