CrowdStrike Reporting Tool for Azure

CrowdStrike Reporting Tool for Azure (CRT)

This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.

Exchange Online (O365):

• Federation Configuration
• Federation Trust
• Client Access Settings Configured on Mailboxes
• Mail Forwarding Rules for Remote Domains
• Mailbox SMTP Forwarding Rules
• Mail Transport Rules
• Delegates with ‘Full Access’ Permission Granted
• Delegates with Any Permissions Granted
• Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
• Exchange Online PowerShell Enabled Users
• Users with ‘Audit Bypass’ Enabled
• Mailboxes Hidden from the Global Address List (GAL)
• Collect administrator audit logging configuration settings.

Azure AD:

• Service Principal Objects with KeyCredentials
• O365 Admin Groups Report
• Delegated Permissions & Application Permissions

Querying Tenant Partner Information: In order to view Tenant Partner Information, including roles assigned to your partners, you must log in to the Microsoft 365 Admin Center as Global Admin.

Download

git clone https://github.com/CrowdStrike/CRT.git

Prerequisites

The following PowerShell modules are required and will be installed automatically:

• ExchangeOnlineManagement
• AzureAD

NOTE: To return the full extent of the configurations being queried, the following role is required:

• Global Admin

When Global Admin privileges are not available, the tool will notify you about what information won’t be available to you as a result.

Use

Copyright (c) 2020 CrowdStrike Services
Copyright (c) 2020 panavarr
Copyright (c) 2017 Paul Cunningham