V20260424

General

• Fixed: Tenant display names are now sanitized before being used in report filenames and links, preventing invalid filenames for tenants with special characters in their display name (issue #32).

Summary Report

• Fixed: Execution duration reporting now uses the recorded start and end timestamps instead of rounded minute values, improving accuracy for short runs.
• Added: The Summary report now includes tenant on-premises sync metadata in the General > Tenant section, including sync status and the last sync timestamp.

Security Findings

• Changed: Renamed the Agent Identity security finding category to Agent Identities for consistent plural naming.

Full Changelog: V20260422...V20260424

V20260422

Security Findings

• Added: 17 new security findings in the new Agent Identity category covering blueprints, blueprint principals, agent identities, and agent users:
  • AGT-001 — Blueprints with client secrets
  • AGT-002 — Foreign agent identities with extensive application API privileges
  • AGT-003 — Foreign agent identities with extensive delegated API privileges
  • AGT-004 — Foreign agent identities with Entra ID roles
  • AGT-005 — Foreign agent identities with Azure roles
  • AGT-006 — Internal agent identities with extensive application API privileges
  • AGT-007 — Internal agent identities with extensive delegated API privileges
  • AGT-008 — Internal agent identities with privileged Entra ID roles
  • AGT-009 — Internal agent identities with privileged Azure roles
  • AGT-010 — Inactive enabled agent identities
  • AGT-011 — Foreign agent users with Entra ID roles
  • AGT-012 — Foreign agent users with Azure roles
  • AGT-013 — Internal agent users with privileged Entra ID roles
  • AGT-014 — Internal agent users with privileged Azure roles
  • AGT-015 — Agent users owning groups referenced by Conditional Access policies
  • AGT-016 — Inactive enabled agent users
  • AGT-017 — Blueprints with a non-Tier-0 owner and an impact score ≥ 200
• Improved: CAP-004 now verifies that MFA is enforced either through a direct MFA grant or an authentication strength.
• Improved: CAP-002, CAP-007, and CAP-008 now accept authentication strength policies as an alternative to plain MFA grant controls, reducing false positives in tenants using phishing-resistant or custom authentication strengths.
• Improved: Security findings output is more consistent, including sorted affected-object in JSON exports.
• Fixed: ENT-001 now correctly includes credentials whose display name is empty.

Example Agent identity finding:

Agent Identity Reports

• Improved: Agent identity details now split effective application and effective delegated API permissions, including delegated consent type and principal context.
• Improved: Agent identity detail views now distinguish active and eligible Entra ID and Azure role assignments.

Summary Report

• Added: The Summary report now includes a Subscriptions section with subscription name, ID, state, external managing-tenant count, and resource count.
• Changed: EntraFalcon now writes a machine-readable summary JSON file instead of the previous text summary export.
• Improved: Domains are now sorted with the default domain first, followed by remaining domains ordered by user count descending.

Managed Identities

• Improved: Managed identity scope paths now resolve Azure subscription IDs to their subscription display names where available.

Users

• Improved: The Users report now flags whether an agent user is a foreign agent, making internal vs. foreign agent users easier to identify and filter.

General

• Added: -DebugObjectDump switch to export final in-memory report objects for troubleshooting.
• Improved: Report tables are now more usable on smaller screens. EntraFalcon now applies responsive, report-specific default column sets on narrower displays so important information remains visible without excessive horizontal scrolling.
• Improved: Key table columns can now be copied directly from the report UI.
• Improved: The report navigation bar and report titles have been visually refined.
• Improved: Detail views across major reports now support search in the details pane, including filter operators and filtered-vs-global search scope (feature request #7).

Search in the details section:

Bulk column copy:

Full Changelog: V20260414...V20260422

V20260414

Agent Identities (Beta)

• Added: Full enumeration of the Microsoft Entra agent identities: Agent Identity Blueprints, Agent Identity Blueprint Principals, Agent Identities and Agent Users. Note: legacy Agent objects are not covered (they should be visible as Enterprise Applications).
• Added: Effective API permission resolution per agent identity, including permissions inherited from the parent blueprint principal gated by the blueprint's inheritablePermissions rules (allAllowed / enumerated / none).
• Added: Impact and risk scoring across all three tiers, with inherited impact flowing from agent users → agent identities → blueprint principals → blueprints.
• Added: Agent users are recognized as a distinct user type in the Users report, enriched with their parent agent identity and blueprint principal context.
• Added: Agent identities are included in role enumeration and appear in role assignment charts.
• Added: Agent identity type breakdown and sign-in activity charts in the Summary report.
• Improved: Report navigation, preset views, and table filters for the new Agent Identity reports.

Conditional Access Policies

• Added: Conditional Access user coverage analysis. CAP reports now calculate effective user targeting after direct users, groups, roles, guest/external-user categories, and exclusions are evaluated. The report includes UserCoverage, effective included/excluded user counts, uncovered users, and detailed targeting breakdowns per policy.
• Added: Effective targeting details for CAP policies. Policy detail views now show how many users are reached directly, through groups, through roles, through external-user categories, and how many users remain uncovered after exclusions. Counts are marked as approximate where Graph data does not allow exact user resolution.
• Added: Tracking for potential PIM-based CAP coverage. Eligible users from targeted PIM groups or eligible role paths are reported separately as PotentialUsersViaGroups and PotentialUsersViaRoles. They are not counted as currently effective coverage.
• Added: -ExportCapUncoveredUsers switch to export per-policy CSV files for enabled CAP policies. The export lists enabled users not effectively covered by each policy and labels the reason as NotTargeted, Excluded, or PotentialViaPIM.
• Improved: CAP warnings now use effective targeting and exclusion context, making broad MFA/authentication-strength policy checks less dependent on raw selector counts.

Note: Conditional Access user coverage is a best-effort calculation based on enumerated users, group members, role assignments, and resolvable external-user categories. External-user selectors are only resolved for tenant guest users matching b2bCollaborationGuest. Other external-user types or external users with specified external tenants can make coverage values approximate.

Role Assignments (Azure)

• Added: Distinction between direct and PIM-activated Azure role assignments.
• Added: ActivatedViaPIM, Start, and Expires fields to Azure role assignment reporting.

Security Findings

• Added: USR-013 security finding for enabled synchronized on-premises accounts older than 90 days with no recorded Entra ID sign-in.
• Fixed: USR-005 is skipped when user sign-in activity could not be read, avoiding misleading inactive-user findings.
• Fixed: Security Findings JSON export now preserves Warnings as strings.
• Fixed: Several small robustness issues around null handling, report links, and generated report paths.
• Changed: PIM-002 now focuses on active Tier-0 user and group assignments that are not activated via PIM.
• Changed: CAP-005 evaluation no longer treats policies as passing when coverage is only based on unresolved or external-only targeting.

General

• Improved: Centralized application role lookups for more consistent API permission resolution across application and agent-related reports.
• Improved: Service principal sign-in activity is now fetched once and reused across dependent reports.
• Improved: Delegated API permission display-name resolution now uses the shared application reference cache, reducing repeated Graph calls.
• Fixed: Multiple small robustness issues across tenant, PIM, Azure role, and reporting logic.

Full Changelog: V20260327...V20260414

V20260327

Changelog

General

• Added: Support for AND (&&) filters in report tables.
• Fixed: Multiple small robustness issues across tenant, PIM, Azure role, and reporting logic.
• Added: CONTRIBUTING.md with basic contribution guidelines.
• Improved: Reworked preset views with clearer grouping and descriptions. They can now also be triggered via GET parameters.

Summary

• Added: Tenant domain enumeration, including the user count per domain, in the summary report.

Conditional Access Policies

• Improved: Detection of policies affecting scoped service principal assignments.
• Improved: Cleanup of Conditional Access warning handling and related edge cases.

PIM and Role Assignments

• Added: Distinction between direct and PIM-activated Entra role assignments.
• Added: ActivatedViaPIM, Start, and Expires fields to Entra role assignment reporting.
• Fixed: Improved handling of linked Conditional Access policies and null-safe role lookups.

App Registrations and Enterprise Applications

• Fixed: Corrected the ApiDelegated count in the App Registration appendix.
• Cleaned up: Minor Enterprise Application cleanup and report consistency fixes.

Security Findings

• Changed: PIM-002 now focuses on active Tier-0 user and group assignments outside PIM activation.
• Changed: CAP-005 no longer passes when only external identities are targeted.

Exports and UI

• Fixed: CSV downloads from the Security Findings report now include a UTF-8 BOM for better Excel compatibility.
• Fixed: Minor report link and wording issues.

Full Changelog: V20260321...V20260327

V20260321

Changelog

General

• Removed: Unused privileged branch for unknown Azure role scoring (Issue #17).
• Fixed: Null credential dates in detail reports are now handled correctly (Issue #19).

Groups

• Fixed: CAP warning check for public dynamic groups (Issue #20).

App Registrations

• Fixed: Initialized Expired per credential during app registration processing (Issue #16).
• Improved: Cached app and role assignment lookups during app registration processing (Issue #20).

Enterprise Applications

• Fixed: Service principal ownership debug log variable (Issue #21).

Managed Identities

• Removed: Unsupported app role assignment output from the Managed Identities report (Issue #15).

Users

• Fixed: AzureRoles value in user-owned service principal details (Issue #23).

Conditional Access Policies

• Fixed: Explicit null checks are now used in CAP detail rendering (Issue #24).

Roles

• Fixed: Azure role scope sorting for PowerShell 5.1 (Issue #26).

Security Findings Report

• Fixed: PIM-009 false positive in authentication context detection.

Full Changelog: V20260316...V20260321

V20260316

Changelog

General

• Improved: Refactoring of the authentication logic:
  • BroCi is now the default authentication method.
    • The -BroCi switch has been removed.
    • To manually provide a BroCi token, use -AuthFlow BroCiToken -BroCiToken "1.XXXX".
    • -AuthMethod has been renamed to -AuthFlow and now supports BroCi, AuthCode, DeviceCode, ManualCode, BroCiManualCode, and BroCiToken.
  • OS detection including warnings if incompatible authentication flows are used.
• Fixed: In Firefox, the chosen theme (Dark or Light mode) is now stored in session storage, making it persistent across all HTML pages.
• Fixed: Various typos and wording issues across all modules.
• Fixed: OR filter handling in GET parameters.
• Improved: Azure subscription names are now resolved and displayed instead of subscription IDs. This allows faster evaluation of whether a subscription is, for example, production or test.
• Changed: CSV versions of the main object tables are no longer generated automatically. Use -csv to generate them.
• Changed: The role Security Administrator is categorized as a Tier-0 role (as it can configure federation on existing domains).

Security Findings Report

Beta release of the Security Findings Report:

• More than 60 built-in checks across different areas
• Dynamic dashboard for overview
• Filtering options
• Export functions (CSV, JSON, and PDF)
• Detailed findings including description, threat, and high-level remediation recommendations, including details about affected objects
• If a finding has affected objects, they are listed in a sortable and filterable table and can also be exported
• Basic workflows are supported by tagging findings (for example: important, false positive, resolved, confirmed)

App Registrations

• Added: The new enabled property for App Registrations.
• Added: Enumeration of federated credentials.
• Changed: OwnerCount column renamed to Owners for consistency.
• Removed: The dedicated CSV report containing all App Registrations with secrets (AppRegistration_Secrets_XXX.csv) is no longer generated. The list can be manually exported as CSV from finding APP-001.

Conditional Access Policies

• Added: IncUsersViaGroups and ExcUsersViaGroups properties representing the number of users in those groups. This allows faster evaluation of how many users are included or excluded through groups.
• Improved: The effective number of excluded users through groups is now evaluated instead of simply counting the excluded group objects.
• Improved: Detection logic for phishing-resistant MFA enforcement.
• Improved: Fine-tuned security-info registration check (it is now OK to exclude guests).

Enterprise Applications

• Improved: Removed the noisy warning Foreign with permission.
• Improved: Impact rating logic (increased impact score for dangerous delegated API permissions).
• Improved: Entra and Azure role assignments through groups now also increase the counts in the EntraRoles and AzureRoles fields.
• Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role an enterprise application has (direct or through groups, excluding PIM for Groups).

Managed Identities

• Improved: Impact scoring for privileged API permissions (increased the impact score for dangerous or highly privileged API permissions).
• Improved: Entra and Azure role assignments through groups now also increase the counts in the EntraRoles and AzureRoles fields.
• Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role a managed identity has (direct or through groups, excluding privileges through PIM).

Groups

• Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role a group has (direct, via PIM, or through other groups).
• Fixed: Score inheritance behavior.

Users

• Fixed: Incorrect AppLock status for service principal ownerships in the warning message.
• Added: EntraMaxTier and AzureMaxTier fields representing the highest tier Entra / Azure role a user has (direct, via PIM, or through groups).
• Added: PerUserMFAState field showing the state (disabled, enabled, or enforced) for each user.
• Added: Agent field indicating whether the user is an Agent User. These users are also filtered out in certain preset views and security findings (e.g., missing MFA).
• Removed: The dedicated CSV report containing all inactive users (Users_XXXX_Inactive.csv) is no longer generated. The list can be manually exported as CSV from finding USR-005.

Summary

• Fixed: Added the missing date range to the chart Last Successful Sign-In.
• Improved: Restyled the general information, enumerated objects, and chart sections.
• Improved: Added a chart showing Azure tiering.

PIM for Entra

• Fixed: Error when multiple CAPs were linked to an authentication context.

Agent Identities

Note: Agent identities are currently under active research. Future releases will include additional enumeration and checks related to Agent Identities.

• Added: The API permissions AgentIdentityBlueprint.ReadWrite.All and AgentIdentityBlueprint.AddRemoveCreds.All are categorized as High.
• Added: The role Agent ID Administrator is categorized as a Tier-1 role.
• Added: The API permission AgentIdentity.CreateAsManager is categorized as Low.
• Removed: Agent Identity Blueprints are excluded from the App Registration enumeration.
• Removed: Agent Identity Blueprint principals are excluded from the Enterprise Application enumeration.

Internal

• Updated: Send-GraphBatchRequest version.
• Updated: Send-GraphRequest version.
• Added: Custom API request module for requests to ARM and api.azrbac.mspim.azure.com. The module handles pagination, throttling, and related behaviors.

Full Changelog: V20260208...V20260316

V20260208

Changelog

General

• Improved: Filters on the main overview tables are now also applied to the objects in the details sections, meaning the views are now synchronized. This allows navigating through the details sections more efficiently.
• Improved: The content of items in the details section is now loaded only when an item is expanded. This improves the performance of the HTML reports, especially for large tenants.
• Improved: Updated the text of several table header tooltips.
• Added: Additional categorization of various application and delegated permissions.

Enterprise Applications

• Added: Check whether an application is configured for SAML and populate the SAML property accordingly. This allows filtering these apps in the preset view Enterprise Apps with Credentials and avoids false positives.

Internal

• Updated: Updated Chart.js to version 4.5.1.

Full Changelog: V20260127...V20260208

V20260127

Changelog

General

• Fixed: Issue #6 . Microsoft revoked the FOCI status of the Azure CLI client. As a result, token refresh to the Managed Meeting Rooms client (eb20f3e3-3dce-4d2c-b721-ebb8d4414067) is no longer possible.
  The client has been replaced with the Dynamics 365 Example Client Application (51f81489-12ee-4a9e-aaae-a2591f45987d).
  Due to this change, the standard authentication flow now requires three interactive sign-ins.
  The README has been updated to better explain the available authentication flows and their respective advantages and limitations.

Groups

• Fixed: Issue that could cause non-existent role assignments to be displayed.

Internal

• Updated: Bumped EntraTokenAid to the latest version.
• Improved: Internal restructuring to support upcoming features.

Full Changelog: V20260125...V20260127

V20260125

Changelog

General

• Fixed: An issue with the help text introduced by the navigation bar.

Full Changelog: V20260121...V20260125

V20260121

Changelog

General

• Added: New report header and navigation bar, enabling:
  • Navigation between the different reports
  • Faster jumping between sections within the same report
  • Tenant information and execution time displayed at the top
  • Execution warnings accessible via the warnings button (if present)

Conditional Access Policies

• Improved: Updated condition counting and adjusted thresholds per policy type to reduce unnecessary warnings.
• Improved: Improved warning formatting and refined policy-related text.

Groups

• Fixed: Device display name issue.

Internal

• Updated: Bumped Send-GraphBatchRequest to the latest version.
• Improved: Various internal cleanups.

Full Changelog: V20260117...V20260121