AAD Security made easy: Check your Azure AD Security with One-Liner (AZSK.AAD)

You can now scan your AAD tenant security posture with one-liner, and get really detailed and comprehensive report of the results

https://github.com/azsk/DevOpsKit-docs/blob/master/ReleaseNotes/LatestReleaseNotes.md

Install-Module AzSK.AAD -Scope CurrentUser -AllowClobber 
Import-Module AzSK.AAD 
Get-AzSKAADSecurityStatusTenant 
<#Controls available

The following controls are available from the get go!

ControlID	Description
AAD_Tenant_RBAC_Grant_Limited_Access_To_Guests	Guests must not be granted full access to the directory
AAD_Tenant_RBAC_Dont_Permit_Guests_To_Invite_Guests	Guests must not be allowed to invite other guests
AAD_Tenant_MFA_Required_For_Admins	Admins must use baseline MFA policy
AAD_Tenant_Apps_Dont_Allow_Users_To_Create_Apps	Do not permit users to create apps in tenant
AAD_Tenant_RBAC_Dont_Allow_Users_To_Invite_Guests	Do not permit users to invite guests to the tenant
AAD_Tenant_Misc_Set_Security_Contact_Info	Security compliance notification phone and email must be set
AAD_Tenant_Device_Require_MFA_For_Join	Enable ’require MFA’ for joining devices to tenant
AAD_Tenant_Device_Set_Max_Per_User_Limit	Set a max device limit for users in the tenant
AAD_Tenant_MFA_Review_Bypassed_Users	Review list of current ’MFA-bypassed’ users in the tenant
AAD_Tenant_MFA_Allow_Users_To_Notify_About_Fraud	Allow users to send notifications about possible fraud
AAD_Tenant_Apps_Regulate_Data_Access_Approval	Do not allow users to approve tenant data access for external apps
AAD_Tenant_RBAC_Keep_Min_Global_Admins	Include at least three members in global admin role
AAD_Tenant_RBAC_Dont_Have_Guests_As_Global_Admins	Guest users must not be made members of global admin role
AAD_Tenant_AuthN_Use_Custom_Banned_Passwords	Ensure that custom banned passwords list is configured for use
AAD_Tenant_AuthN_Enforce_Banned_Passwords_OnPrem	Ensure that banned password check is enabled on-prem and set to ’Enforce’ level
AAD_Tenant_Privacy_Configure_Valid_Privacy_Contact	Ensure that tenant-wide privacy contact email is set to a valid (current) non-guest user
AAD_Tenant_Privacy_Configure_Valid_Privacy_Statement	Ensure that a privacy statement is configured and points to a valid URL
AAD_Application_Remove_Test_Demo_Apps	Old test/demo apps should be removed from the tenant
AAD_Application_ReturnURLs_Use_HTTPS	All return URLs configured for an application must be HTTPS endpoints
AAD_Application_Review_Orphaned_Apps	Do not permit orphaned apps (i.e., apps with no owners) in the tenant
AAD_Application_Require_FTE_Owner	At least one of the owners of an app must be an FTE
AAD_Application_HomePage_Use_HTTPS	The home page URL for an application must be an HTTPS endpoint
AAD_Application_LogoutURLs_Use_HTTPS	The logout URL configured for an application must be an HTTPS endpoint
AAD_Application_Must_Have_Privacy_Disclosure	All enterprise apps must use a privacy disclosure statement
AAD_Application_Must_Restrict_To_Tenant	Enterprise (line of business) apps should be tenant scope only
AAD_Application_Minimize_Resource_Access_Requested	Apps should request the least permissions needed to various resources
AAD_ServicePrincipal_Use_Cert_Credentials	SPNs must not use password creds – use cert creds instead
AAD_ServicePrincipal_Review_Legacy_SPN	SPNs of type legacy should be carefully reviewed
AAD_ServicePrincipal_Check_Key_Expiry	SPN key credentials should be renewed before expiry
AAD_Device_Review_Stale_Devices	Review and remove stale devices from the directory
AAD_User_DirSync_Setting_Should_Match_Tenant	A user’s dirsync-enabled setting must match the tenant level setting
AAD_User_Do_Not_Disable_Password_Expiration	Do not disable password expiration policy for users
AAD_User_Do_Not_Disable_Strong_Password	Do not disable strong password policy for users
AAD_Group_Use_Security_Enabled	All AAD groups must be security enabled (TBD)
AAD_Group_Require_FTE_Owner	Group must have at least one non-guest (native) owner