{
	"id": "b14ddd35-970c-4b11-b3c1-7a900e8830a2",
	"created_at": "2026-04-06T00:12:14.819716Z",
	"updated_at": "2026-04-10T13:12:43.290103Z",
	"deleted_at": null,
	"sha1_hash": "c4ac768a320f8c3817e8a18c0ad520fc61db97af",
	"title": "CrowdStrike Launches Free Tool to Identify \u0026 Mitigate Risks in Azure Active Directory | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 536553,
	"plain_text": "CrowdStrike Launches Free Tool to Identify \u0026 Mitigate Risks in\r\nAzure Active Directory | CrowdStrike\r\nBy Michael Sentonas\r\nArchived: 2026-04-05 21:24:08 UTC\r\nExecutive Summary\r\nCrowdStrike launches CrowdStrike Reporting Tool for Azure (CRT), a free community tool that will help\r\norganizations quickly and easily review excessive permissions in their Azure AD environments, help\r\ndetermine configuration weaknesses, and provide advice to mitigate risk.\r\nCrowdStrike has observed the challenges that organizations face auditing Azure AD permissions, which is\r\na time-consuming and complex process.\r\nCrowdStrike conducted an extensive review of our production and internal environments and found no\r\nimpact.\r\nCrowdStrike does not have any attribution and does not know of any connection to SUNBURST at this\r\ntime.\r\nCompanies and governments around the world are facing one of the most advanced and far-reaching attacks in\r\nrecent history. This is clearly a sophisticated operation carried out over a long period of time. The motivations and\r\ntrue extent of how far reaching this campaign has been will be better understood by the security industry and\r\nauthorities in weeks, maybe months to come. Customer security and transparency are CrowdStrike’s top priority.\r\nWe have conducted an extensive review of our production and internal environments and found no impact.\r\nWhilst doing our review, CrowdStrike was contacted by the Microsoft Threat Intelligence Center on December\r\n15, 2020. Specifically, they identified a reseller's Microsoft Azure account used for managing CrowdStrike’s\r\nMicrosoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period\r\nseveral months ago. There was an attempt to read email, which failed as confirmed by Microsoft. As part of our\r\nsecure IT architecture, CrowdStrike does not use Office 365 email. 
CrowdStrike conducted a thorough review into\r\nnot only our Azure environment, but all of our infrastructure for the indicators shared by Microsoft. The\r\ninformation shared by Microsoft reinforced our conclusion that CrowdStrike suffered no impact. Throughout our\r\nanalysis, we experienced firsthand the difficulties customers face in managing Azure’s administrative tools to\r\nknow what relationships and permissions exist within Azure tenants, particularly with third-party partners/resellers,\r\nand how to quickly enumerate them. We found it particularly challenging that many of the steps required to\r\ninvestigate are not documented, there was an inability to audit via API, and there is the requirement for global\r\nadmin rights to view important information, which we found to be excessive. Key information should be easily\r\naccessible. In our role supporting organizations impacted by the SUNBURST incident, the CrowdStrike Services\r\nteam has created a community tool called CrowdStrike Reporting Tool for Azure (CRT) to quickly and easily pull\r\nup these excessive permissions and other important information about your Azure AD environment. This includes\r\ndelegated permissions and application permissions, Federation configurations, Federation trusts, mail forwarding\r\nhttps://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/\r\nPage 1 of 7\n\nrules, Service Principals, objects with KeyCredentials, and more. Of note, due to the lack of documentation of\r\nMicrosoft API capabilities, CRT does not pull critical information regarding partner tenant permissions, which\r\nincludes delegated admin access. We have detailed steps below enabling you to view this critical information\r\nmanually in the Microsoft 365 admin center; this is also documented in the CRT readme. 
We have made this tool\r\navailable to the community in our CrowdStrike GitHub repository.\r\nWe recommend that all Azure AD administrators review their Azure AD configuration to help determine if they\r\nhave been impacted and take steps to prevent intrusions. We hope this tool will assist organizations around the\r\nworld. We would like to thank Microsoft for sharing this abnormal behavior and associated IOCs. We strongly\r\nrecommend all organizations leverage CRT to review their Azure tenants and understand if they need to take any\r\nconfiguration or mitigation steps, particularly as it relates to third parties that may be present in your Azure\r\nenvironment. Additionally, it is critical to ensure you review your partner/reseller access, and you mandate multi-factor authentication (MFA) for your partner tenant if you determine it has not been configured. One of the\r\nreasons why these attack vectors are so difficult to mitigate is the inherent complexity that organizations face\r\nwith federated SSO infrastructure and in managing Azure tenants. We hope the findings and recommendations\r\nfrom our experience help your organization.\r\nIntroducing the CrowdStrike Reporting Tool for Azure\r\nPrerequisites and Deployment\r\nCRT uses PowerShell and automatically installs the Exchange Online PowerShell V2, MSOnline, and AzureAD\r\nmodules. 
While we recommend that this tool be run with an account with Global Reader privileges, certain read-only functions nonetheless require authentication as a user with Global Admin or similarly high-risk privileges.\r\nWhen Global Admin privileges are not available, the tool will notify you about what information won’t be\r\navailable to you as a result.\r\nSample view of CRT while collecting application permissions\r\nCRT output with CSV and JSON format\r\nAdditional Recommendations\r\nBased on incident response engagements conducted by the CrowdStrike Services team, I want to highlight some\r\nadditional attack surface and mitigation recommendations.\r\nLogging\r\nCrowdStrike recommends centralizing storage of logs in a secure location to prevent tampering and unauthorized\r\naccess, and to support forensic preservation. Certain log sources must be enabled and diagnostic settings need to be added for\r\nsufficient detail to be available. If these additional settings are not configured, the relevant events will not be\r\ncaptured. 
At a minimum, the following logs should be captured in a Security Incident Event Management (SIEM)\r\nsystem or log storage environment separate from Azure:\r\nUnified Audit Log\r\nAzure Activity Logs\r\nAzure Services Logs\r\nAzure NSG Flow Logs\r\nAzure AD Logs:\r\nAzure AD Audit Logs\r\nAzure AD Sign-In Logs\r\nAzure AD Managed Identity Sign-In Logs (Preview)\r\nAzure AD Non-Interactive User Sign-In Logs (Preview)\r\nAzure AD Service Principal Sign-In Logs (Preview)\r\nAzure AD Provisioning Logs\r\nAzure AD Risky Sign-In events\r\nConfiguration Review and Hardening Measures\r\nCrowdStrike recommends reviewing tenant configurations and applying\r\nthe hardening measures below as applicable.\r\nTenant\r\nReview trust relationships with partners including IT consultants, vendors and resellers and limit\r\nprivileges. Partner role information is available to Global Admin accounts at this link\r\nhttps://admin.microsoft.com/AdminPortal/Home#/partners. This information does not appear to be\r\navailable through documented APIs.\r\nReview existing Federations. Identify unauthorized or unrecognized Federations and revoke them.\r\nStore SAML token signing certificate key material in a Hardware Security Module (HSM) so that the\r\nsigning key cannot be stolen. Alternatively, rotate SAML signing certificates periodically.\r\nReview Azure AD allowed identity providers (SAML IDPs through direct federation or social logins) and\r\nidentify and remove those that are not legitimate.\r\nReview Azure B2B external identities’ access to the Azure portal and identify and remove those that are no\r\nlonger needed or not legitimate.\r\nEnsure only required on-premises AD Organizational Units (OUs) and objects are being synced to the\r\ncloud. 
Use extreme caution when establishing bi-directional trust and syncing privileged identities, service\r\naccounts, or OUs between on-premises and cloud.\r\nImplement Azure Policies to restrict specific actions in the tenant.\r\nRestrict Region Usage\r\nEnforce tagging for sensitive resources\r\nReview access controls to the Azure administrator portal, using least privilege access principles.\r\nReview environment for overly privileged service accounts that may have access to on-prem environments\r\nas well as Azure and reduce privileges and access if possible.\r\nAzure AD OAuth Applications\r\nReview existing applications with credentials recently added.\r\nReview non-Microsoft registered applications and permissions, and revoke permissions and credentials for\r\nany unrecognized application.\r\nReview and remove unused applications.\r\nLimit application consent policy to only approved administrators.\r\nEntitlements Review\r\nEnsure that only dedicated cloud-only administrator accounts are used for cloud administration.\r\nPractice the principle of least privilege and remove unnecessary privileges where warranted.\r\nReview users granted membership in administrative roles or groups:\r\nUsers with elevated permissions via the following roles should be given extra scrutiny:\r\nAuthentication Administrator\r\nBilling Administrator\r\nConditional Access Administrator\r\nE-Discovery Manager and Administrator\r\nExchange Administrator\r\nGlobal Administrator\r\nHelpdesk Administrator\r\nPassword Administrator\r\nSecurity Administrator\r\nSharePoint Administrator\r\nUser Access Administrator\r\nUser Administrator\r\nReview privileges and enforce multi-factor authentication requirements for Guest users.\r\nEnsure only the appropriate users have Azure CLI access to the tenant.\r\nAuthentication\r\nEnforce multi-factor authentication 
(MFA) for all users.\r\nCheck for new unknown MFA registrations and restrict service accounts from MFA registration.\r\nSet the multi-factor authentication access policy to “Do not allow users to create app passwords to sign in\r\nto non-browser apps” to prevent bypassing MFA.\r\nReview and enforce Conditional Access Policies:\r\nUtilize geo-fencing and/or trusted locations.\r\nEnforce modern authentication and blocking of legacy authentication.\r\nBlock “risky sign-ins” with medium severity and above.\r\nMonitor authentication requests from unknown identity providers.\r\nMonitor for credentials being added to service principals.\r\nEnsure Self Service Password Reset (SSPR) requests are enabled to notify users when their passwords are\r\nchanged.\r\nExchange\r\nReview mailbox forwarding rules and remove unauthorized rules, including:\r\nTenant-wide mail flow rules\r\nIndividual mailboxes\r\nReview mailbox delegations and remove unnecessary delegations.\r\nEnsure Exchange PowerShell usage is only permitted for Exchange Administrators.\r\nHarden On-Premise and Self-Managed Systems\r\nIt is important to highlight the need to harden on-premise systems as well as cloud and datacenter-hosted systems\r\nfor which the organization is ultimately responsible. Based on current intelligence, the ability of this adversary to\r\nbe successful depends on the initial compromise of hosts configured by or for the organization along with its\r\npartners, including hosts in public clouds. Privileged users, roles and organizational units should be synced\r\nbetween cloud and on-premises or self-managed directories with extreme caution. 
Cloud admin roles must rely on\r\ncloud-only authentication and not authenticate with SAML SSO, just as admin roles for on-premises / self\r\nmanaged must not be authenticated through cloud services.\r\nEndpoint Detection and Response (EDR) Solution\r\nDeploy Endpoint Detection and Response solution, such as Falcon Insight, to provide visibility and prevention\r\nacross the enterprise endpoints and cloud workloads.\r\nCloud Security Posture Management (CSPM)\r\nMonitor Azure using a Cloud Security Posture Management solution such as Falcon Horizon.\r\nImplement Risk Based Conditional Access Everywhere\r\nAchieve unified visibility and adaptive enforcement for both on-premises and in the cloud resources to secure\r\naccess based on context and use enforcement to prevent identity based threats in real time using a solution like\r\nFalcon Zero Trust. This includes protecting legacy systems, unmanaged devices, and all accounts types\r\n(privileged, employee, remote, and service).\r\nPrivileged Identity Management (PIM)\r\nImplement Privileged Identity Management solution to be utilized to limit exposure to administrative permissions\r\nby providing just-in-time access. 
Falcon Zero Trust can also help extend core PIM functionality to systems that\r\nrequire risk based conditional access when PIM is not feasible for all applications, workloads, and privileged\r\nusers.\r\nEnforce Mail Encryption and Signing\r\nEnforcing end-to-end email encryption and signing can help to prevent unauthorized access and verify the\r\nauthenticity of the communication.\r\nSecure Email Gateway Solution\r\nHaving a secure email gateway solution will provide protection, visibility, and data protection.\r\nMail DNS Controls\r\nImplementing SPF, DKIM, and DMARC records will ensure email authenticity, prevent spoofing, and provide\r\nvisibility.\r\nConduct Organizational Phishing Campaign and Trainings\r\nRegular phishing exercises and awareness training can help employees recognize, avoid, and report potential\r\nthreats that could compromise the environment. We encourage feedback on the CRT tool. Feel free to contact us at\r\nCRT@CrowdStrike.com. Note: On December 24, 2020 the US Department of Homeland Security’s Cybersecurity\r\n\u0026 Infrastructure Security Agency (CISA) released a new tool, Sparrow.ps1, to help network admins secure their\r\nMicrosoft 365-based infrastructure following the recent reports that hackers have been exploiting Microsoft 365 to\r\ncompromise commercial and sensitive government networks. 
The CISA tool is designed to detect possibly\r\ncompromised accounts and applications in the Azure/M365 environment and can be found here:\r\nhttps://github.com/cisagov/Sparrow\r\nAdditional Resources\r\nAccess the new CrowdStrike Reporting Tool for Azure (CRT).\r\nLearn about CrowdStrike’s comprehensive next-gen endpoint and cloud workload security platform by\r\nvisiting the Falcon products webpage.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/"
	],
	"report_names": [
		"crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory"
	],
	"threat_actors": [],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4ac768a320f8c3817e8a18c0ad520fc61db97af.pdf",
		"text": "https://archive.orkl.eu/c4ac768a320f8c3817e8a18c0ad520fc61db97af.txt",
		"img": "https://archive.orkl.eu/c4ac768a320f8c3817e8a18c0ad520fc61db97af.jpg"
	}
}