Most organizations today rely heavily on Microsoft Entra ID as the backbone of identity, access, and security. It sits at the center of everything—from user authentication to application access to external collaboration. But while it’s incredibly powerful, getting a clear, complete picture of your actual security posture isn’t always straightforward.
The data is there, but it’s scattered across multiple portals, dashboards, and reports. So when someone asks, “How secure is our Entra tenant?” the answer usually isn’t immediate—it’s a mix of assumptions, partial visibility, and a bit of guesswork. That gap between configuration and true understanding is exactly what led me to build something better.
Table of Contents
Why Entra Security Actually Matters (More Than We Admit)
Your Entra tenant is basically your front door, your security system, your guest list—and occasionally, your biggest blind spot. Everything flows through it: identity, access, applications, and OAuth permissions (aka “why does this app have that level of access?”). It’s at the center of your environment whether you actively think about it or not.
And here’s the uncomfortable truth: you can be configured… but not necessarily secure. There’s a big difference between “we turned it on” and “we actually understand what’s going on.”
The Problem: Visibility is Painful
If you’ve ever tried to assess Entra security manually, you know the drill:
- Conditional Access → one blade
- App permissions → another
- Risky users → somewhere else
- Sign-ins → yet another place
By the time you piece it together, you’ve forgotten what you were looking for.
It’s not that the data isn’t there. It’s that it’s everywhere
So I Built a Script (Because of Course I Did)
I wanted something that could:
- Pull all security-relevant data
- Put it in one place
- Tell me what actually matters
Not just:
“Here are 600 permissions, good luck”
What This Script Actually Does
Think of it as a tenant-wide security sweep.
Link to GitHub Repo: ps-entra-tenant-security-posture-ai-analyzer
It connects to Microsoft Graph and collects:
- Users, guests, stale accounts
- Conditional Access policies
- Authentication methods
- App registrations & enterprise apps
- OAuth grants & application permissions
- High-risk permissions (the spicy stuff)
- App credentials (expired secrets lurking around)
- Devices
- Risky users, sign-ins, audit logs
- Cross-tenant access
Then it does something important:
It doesn’t just dump data — it analyzes it
Where AI Comes In (And Why It’s Actually Useful)
Let’s address the elephant in the room.
Yes, this uses AI.
No, it’s not just for buzzword compliance.
Instead of giving you raw output like:
“You have 618 application permission grants”
It turns that into:
“Here’s what’s risky, why it matters, and what you should fix first.”
The AI:
- Reads the collected evidence
- Identifies real risks vs noise
- Highlights high-risk apps and permissions
- Explains things in plain English
- Generates a clean HTML report
So instead of spending hours interpreting logs… You get a security assessment in minutes
What You Need in Azure (It’s Simpler Than You Think)
This is the part people overcomplicate.
You don’t need some massive AI platform rollout.
You just need:
1. Azure OpenAI (via Azure AI Foundry)
- Create an Azure OpenAI resource
- Deploy a model (example:
gpt-4oorgpt-4.1) - Grab:
- Endpoint
- API Key
That’s it.
2. Create a Model Deployment
Inside Azure AI Foundry:
- Go to Model deployments
- Deploy a model (name it something like:
entra-security-analyzer) - Use default settings to start
No crazy tuning needed.
3. Plug It Into the Script
Set:
$env:AZURE_OPENAI_API_KEY = "<your-key>"And update your endpoint + deployment name.
Done.
What About Cost?
This is where it pleasantly surprises people.
You’re:
- Sending structured JSON
- Getting one report per run
This is not a chatbot with 10,000 messages per day. In most environments, this costs pennies per run
Unless you’re running it every 5 minutes (please don’t 😄),
this won’t even show up meaningfully on your Azure bill.
Why This Actually Helps Admins
This is where it becomes useful.
It finds what you forgot
- Apps with Directory.ReadWrite.All
- Old secrets that should’ve been rotated months ago
- Disabled apps that still have access
It highlights real risk
Not everything is equal.
It separates:
- “meh, keep an eye on it”
- from
- “fix this before someone else finds it”
It reduces blind spots
If your tenant is missing:
- Authentication method visibility
- Sign-in telemetry
- Identity Protection signals
It tells you.
It gives context
Instead of:
“14 apps have high-risk permissions”
You get:
“Here’s why that matters and what to review first”
The Output (aka the Good Stuff)
You get:
- Excel evidence pack
- Full JSON
- AI-generated HTML report
Readable. Shareable. Useful.
Before You Go Full “Run This in Prod”… Read This
Test First
Run this in:
- A test tenant
- Or limited scope
What Data Is Sent to AI?
The script sends a curated subset of Entra data, including:
- Security posture metrics
- App and permission data
- Risk indicators
Not sent:
- Passwords
- Secrets
- Tokens
It’s metadata, not sensitive payloads.
Talk to Your Security Team
Before production use: Inform your security / compliance team
Avoid surprises later.
Azure OpenAI — What Happens to Your Data?
- Stays in Azure
- Not used for training
- Enterprise controls available
But You Still Own the Risk
You’re still responsible for:
- Data governance
- Compliance alignment
Sample Report:
My Recommendation
- Test it
- Review AI input
- Share with security team
- Lock it down
- Then enjoy it
Final Thoughts
This script started as a shortcut.
Now it’s something I use to:
- sanity check tenants
- prep for audits
- catch issues early
Because…It’s better when you find the problem than when your auditor does.
If you try it out, let me know what it finds.
(Just don’t blame me if it finds too much 😄)
Thank you for stopping by. ✌️