CRT : CrowdStrike Reporting Tool for Azure

CRT is a tool to queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.

Exchange Online (O365):

• Federation Configuration
• Federation Trust
• Client Access Settings Configured on Mailboxes
• Mail Forwarding Rules for Remote Domains
• Mailbox SMTP Forwarding Rules
• Mail Transport Rules
• Delegates with ‘Full Access’ Permission Granted
• Delegates with Any Permissions Granted
• Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
• Exchange Online PowerShell Enabled Users
• Users with ‘Audit Bypass’ Enabled
• Mailboxes Hidden from the Global Address List (GAL)
• Collect administrator audit logging configuration settings.

Azure AD:

• Service Principal Objects with KeyCredentials
• O365 Admin Groups Report
• Delegated Permissions & Application Permissions

Querying Tenant Partner Information: In order to view Tenant Partner Information, including roles assigned to your partners, you must log into the Microsoft 365 Admin Center as Global Admin:

https://admin.microsoft.com/AdminPortal/Home#/partners

Prerequisites

The following PowerShell modules are required and will be installed automatically:

• ExchangeOnlineManagement
• AzureAD

NOTE: To return the full extent of the configurations being queried, the following role is required:

• Global Admin

When Global Admin privileges are not available, the tool will notify you about what information won’t be available to you as a result.

Usage

No parameters specified: A folder named with date and time (YYYYDDMMTHHMM) will be created automatically in the directory the script is being run from. Default authentication method will prompt for each connection for compatibility with MFA.

.\Get-CRTReport.ps1

-BasicAuth Parameter: [OPTIONAL] If MFA is not enforced for your user principal, you can use this parameter which will prompt only once for authentication and store credentials using Get-Credential. (Not Recommended)

.\Get-CRTReport.ps1 -BasicAuth

-JobName Parameter: [OPTIONAL] Use the JobName parameter to distinguish between different tenants. If no JobName is specified, a Date/Time formatted folder will be placed within the working directory.

.\Get-CRTReport.ps1 -JobName MyJobName

-Commands Parameter: [OPTIONAL] With this parameter, specify the specific commands you want to run in quotes, comma or space separated.

.\Get-CRTReport.ps1 -JobName MyJobName -WorkingDirectory ‘C:\Path\to\Job\Folder’ -Commands “Command1,Command2”

-AzureEnvironmentName & -ExchangeEnvironmentName Parameter: [OPTIONAL] With this parameter, specify the Azure or Exchange environment names. Using tab complete you can search the acceptable values.

.\Get-CRTReport.ps1 -ExchangeEnvironmentName O365USGovGCCHigh -AzureEnvironmentName AzureUSGovernment

Available Commands:

FedConfig
FedTrust
ClientAccess
RemoteDomains
SMTPForward
TransportRules
FullAccessGranted
AnyAccessGranted
SendAsGranted
EXOPowerShell
AuditBypassEnabled
HiddenMailboxes
KeyCredentials
O365AdminGroups
DelegateAppPerms
AdminAuditLogConfig

-Interactive Parameter: [OPTIONAL] Some commands may take a long time to process depending on the amount of data in the tenant. Using the Interactive parameter, you will have the option to skip any particular command prior to the module running.

.\Get-CRTReport.ps1 -JobName MyJobName -WorkingDirectory ‘C:\Path\to\Job\Folder’ -Interactive