Skip to content

jasperbaes/Conditional-Access-Matrix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
assets
assets
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
helper.js
helper.js
 
 
index.js
index.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation


Logo

Conditional Access Impact Matrix

By Jasper Baes
Installation · Report Bug · Conditional Access Blueprint

The Conditional Access Impact Matrix is tool #3 in the Conditional Access Blueprint.

This script answers 2 major questions:

  • what CA policies are applied to who?
  • what is the user impact of my recent CA policy changes?

Output 1: excel matrix:

Logo

Output 2: impact changes:

Logo

Features:

  • extract an Excel visualizing which CA policies are applied on each user
  • filter in this table
  • identify gaps and misconfigurations
  • Predict user impact before enabling CA policies
  • for documentation and compliance purposes
  • easily and quickly answer questions like:
    • what accounts have MFA enabled/disabled?
    • what accounts are excluded form having a compliant device?
    • what accounts are allowed to use legacy auth?
    • ...
  • visualize how recent CA changes impacted your users

Usage

Examples:

node index.js
node index.js --include-report-only
node index.js --compare 2024-09-01-CA-Impact-Matrix.json
node index.js --compare 2024-09-01-CA-Impact-Matrix.json --include-report-only
node index.js --limit 100
node index.js --group <groupID>
node index.js --type member
node index.js --limit 10 --type guest
Parameter Description
--include-report-only Includes Conditional Access policies that are in the ‘report-only’ state
--compare <file.json> Compares the current output to a previously generated output specified by
-t or --type Specifies the type of accounts to include (options: member or guest)
-l or --limit Limits the number of users to the specified count
-g or --group Restricts the scope to members of the specified group

What running the script looks like:

Logo

Installation




Limitations

  • Conditional Access policies scoped on users with Entra roles might not be evaluated

Contact

Jasper Baes (https://www.linkedin.com/in/jasper-baes)

Discovered a bug or do you have an improvement? Create an issue.

Release history

Release version numbers: YEAR.WEEK

  • 2024.49
    • bugfix (#7)
    • implemented local caching (drastically improved execution speed)
    • added support for recursive groups (#8)
    • removed limit on user group membership reads (previously capped at 100)
  • 2024.41
    • add 3 new parameters: limit, group and type
  • 2024.40
    • updated installation guide
    • added .env template file
  • 2024.39
    • added parameter for 'report-only' CA policies
    • bugfix (#1)
  • 2024.38
    • initial release (open-source)

License

Please be aware that the Conditional Access Impact Matrix code is intended solely for individual administrators' personal use. It is not licensed for use by organizations seeking financial gain. This restriction is in place to ensure the responsible and fair use of the tool. Admins are encouraged to leverage this code to enhance their own understanding and management within their respective environments, but any commercial or organizational profit-driven usage is strictly prohibited.

Thank you for respecting these usage terms and contributing to a fair and ethical software community.

Jasper Baes (https://www.linkedin.com/in/jasper-baes)

Buy Me a Coffee (https://buymeacoffee.com/jasperbaes)

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

65 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages