Skip to content
/ Microsoft-Cloud-Group-Analyzer Public

For Microsoft Cloud admins who struggle to keep track of where Entra ID groups are used, Group Analyzer is an opensource script that provides instant insights in what services/policies/... a given group or user is scoped to.

License

Apache-2.0 license
124 stars 14 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jasperbaes/Microsoft-Cloud-Group-Analyzer

BranchesTags

Repository files navigation


Logo

Microsoft Cloud Group Analyzer

Track where your Entra ID Groups are used! 💪
View setup guide · Fork this project · Report Bug · Request Feature


Entra Groups are often used in multiple locations in your environment and used by multiple admins. Without continuously updating documentation or syncing with other admins, you’re all using groups blindly, potentially causing unintended security or user impact through changes in group memberships. Therefore, I've created this script.

For Microsoft Cloud admins who struggle to keep track of where Entra groups are used, Group Analyzer is an opensource script that provides instant insights in what services/policies/... a given group or user is scoped to.

Generated webreport:

Group Analyzer is an essential script for Microsoft Cloud Administrators seeking comprehensive visibility into the usage of Entra groups across their environment. By providing detailed insights, this tool empowers admins to:

  • Prevent Unintended Impacts: Safeguard against inadvertent membership modifications in groups that could trigger unexpected configuration changes in various services.
  • Enhance Group Management: Maintain a clear overview of group assignments, ensuring efficient and informed management of your cloud environment.
  • Save time: Don't spend time going over all of your policies and services looking where a certain Entra group is used.
  • Be in control: To be certain and have confirmation that you are not adding users to groups, causing unforseen impact.

Find the original post on LinkedIn.

What's in scope?

Group Analyzer lists group memberships for following services:

Available Service Description / Comment / Reason
Entra Group memberships
Entra ID Roles
Entra ID Enterprise Applications
Entra ID MFA Registration
Entra ID Authentication Methods
Entra ID Conditional Access Policies
Intune Enrollment Devices Limit restrictions
Intune Enrollment Device OS restrictions
Intune Compliance Policies
Intune Configuration Profiles
Intune Device Scripts
Intune App Protection Policies
Intune App Configuration Policies
Intune Autopilot Deployment Profiles
Microsoft 365 Teams
Azure Resources If the input is a User ID, the resources where that specific user is assigned to are also reported
Azure Subscriptions
Access Package
Entra ID Authentication Methods feature settings Coming soon
Entra ID Administrative Unit Coming soon
Entra ID Cross Tenant Coming soon
Entra ID App Registrations Coming soon

Installation and usage




git clone https://github.com/jasperbaes/Microsoft-Cloud-Group-Analyzer.git
cd ./Microsoft-Cloud-Group-Analyzer
npm install

Rename the .env.example file in the root of the folder to .env and fill in below fields (guide above):

CLIENTID=<app registration ID>
TENANTID=<your tenant ID>
CLIENTSECRET=<app secret>

Usage

Examples:

node index.js <user ID>
node index.js <group ID>
node index.js all

Export examples:

node index.js xxxx-xxxx-xxxx-xxxx --export-json
node index.js xxxx-xxxx-xxxx-xxxx --export-csv
node index.js xxxx-xxxx-xxxx-xxxx --export-json --export-csv

Import example:

node index.js all -f Cloud-Analyzer-export.json

CLI-only, skip, limit and debug parameter:

node index.js xxxx-xxxx-xxxx-xxxx --export-json --cli-only
node index.js xxxx-xxxx-xxxx-xxxx --skip 10 --limit 5
node index.js xxxx-xxxx-xxxx-xxxx --debug
Parameter Description
xxxx-xxxx-xxxx-xxxx The group ID / user ID or 'all' should be the first parameter. This parameter is optional.
--export-json This parameter will export the results to JSON in a file in the current directory. This parameter is optional and can be used with any other parameter.
--export-csv This parameter will export the results to JSON in a file in the current directory. This parameter is optional and can be used with any other parameter.
-f This parameter specifies an import JSON file. Format needs to be the same as the JSON exported with the parameter --export-json. This parameter is optional and can be used with any other parameter.
--cli-only With this parameter, the web report will not be generated or opened. This parameter is optional and can be used with any other parameter.
-s or --skip Limits the number of groups in scope.
-l or --limit Limits the number of groups in scope.
-d or --debug Debug output and log file.

Without specifying an ID in the command, the script will ask you to paste a group ID, a user ID or the word 'all':

Option example Description
Entra Group ID 99ccbd7e-0fc9-4545-8cf9-ee89191ed78d The given group ID + subgroups will be in scope
Entra User ID caf7b774-c8ab-47c3-a39e-d0a0d85d6423 All groups where the given user is member of are in scope + subgroups
'all' all This option will take all Entra groups in scope

Web report

Automatically, a visual web report will be generated and opened in your default browser. To save the report as a PDF file, use the shortcut Ctrl + P. To skip the web report and use the command line interface only, include the --cli-only parameter.

Issues?

I cannot rule out the existence of current or future issues with this open-source project. These may be related to hard-coded elements or the Microsoft 365 API used. If there are any issues, please feel free to report them. I will see what I can do to resolve them.

Contact

Jasper Baes (https://jbaes.be and https://www.linkedin.com/in/jasper-baes)

Release history

Release version numbers: YEAR-WEEK

  • 2024.50
    • 8x faster (local caching + processing in batches of 10)
  • 2024.48
    • add skip, limit and debug parameter (#12)
    • report improvements
  • 2024.45
    • bug fixes, improved error handline, documentation updates
  • 2024.07
    • bugfix (#8)
  • 2024.06
    • visual webreport
    • open JSON export as input file
  • 2024.05
    • temporary removed documentation for user login. App authentication recommended for now.
    • improved error reporting
    • improved documentation and setup guide
    • export to JSON and CSV
    • added new service: Access Packages
    • added version checker
  • 2024.04
    • initial release

Issues?

I can’t promise there won’t be any issues with this open-source project, now or in the future. If you run into any issues, just let me know, and I’ll do my best to fix them.

License

Please be aware that the Group Analyzer code is intended solely for individual administrators' personal use. It is not licensed for use by organizations seeking financial gain. This restriction is in place to ensure the responsible and fair use of the tool. Admins are encouraged to leverage this code to enhance their own understanding and management within their respective environments, but any commercial or organizational profit-driven usage is strictly prohibited.

Thank you for respecting these usage terms and contributing to a fair and ethical software community.

Jasper Baes (https://jbaes.be and https://www.linkedin.com/in/jasper-baes)

About

For Microsoft Cloud admins who struggle to keep track of where Entra ID groups are used, Group Analyzer is an opensource script that provides instant insights in what services/policies/... a given group or user is scoped to.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

124 stars

Watchers

9 watching

Forks

14 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages