Purview ‐ Audit Entra Group Membership Changes that Impact Purview Policies - mattnovitsch/M365 GitHub Wiki

Summary

Customer wants a report for when group membership changes would impact their Purview policies.

Output: [screenshot: sample report output]

Requirements for this report

  • Defender for Cloud Apps
  • Entra Groups
  • Purview
  • Entra Application
  • Defender XDR - Advanced Hunting

Defender for Cloud Apps Requirements

  1. Navigate to Defender XDR > System > Settings > Cloud Apps > Connected Apps > App Connectors
  2. Check Microsoft 365, then click Edit Settings
  3. Check all the boxes so that the Entra data is collected.

Entra Application Requirements

  1. Navigate to Entra > App registrations > All Applications > New registration

Note: if you want to use a pre-existing registered application, you will need to add or check the API permissions, client secret and certificate described below.

  2. Copy the Client ID and Tenant ID
  3. Navigate to Certificates & secrets > New client secret
  4. Enter a description that is applicable to your organization and an expiration per your customer's requirements.
  5. Copy the Value
  6. Navigate to Certificates > Upload certificate

Note: I am using a certificate I generated off my laptop previously

  7. Copy the Thumbprint
  8. Navigate to API Permissions > Add a permission
  9. Add the following permissions

Note: all permissions are application permissions, not delegated

  • Graph > Directory.Read.All
  • Graph > ThreatHunting.Read.All
  • Office 365 Exchange Online > Exchange.ManageAsAppV2

  10. Grant admin consent for your environment

Purview permissions for Registered Application - Create Service Principal in Exchange

  1. Run the following command: Connect-ExchangeOnline
  2. Run the following command: Get-MgServicePrincipal -Filter "appId eq '<APP_ID>'"

Replace APP_ID with the Client ID from step 2 of Entra Application Requirements.

  3. Copy the ID value
  4. Run the following command: New-ServicePrincipal -AppId "<APP_ID>" -ObjectId "<OBJECT_ID>" -DisplayName "Purview Automation App"

Replace APP_ID with the Client ID from step 2 of Entra Application Requirements and OBJECT_ID with the ID value from step 3.

  5. Run the following command: Add-RoleGroupMember -Identity "Compliance Administrator" -Member "Purview Automation App"
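The five steps above as one idempotent PowerShell script. This is an added example, not code from the wiki or its author; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and `<APP_ID>` is a placeholder for your own Client ID. Get-MgServicePrincipal is a Microsoft Graph PowerShell cmdlet, so the script opens a Graph session alongside the Exchange Online one.

```powershell
# Added example (not the wiki page's own code): register the Entra app as an
# Exchange/Purview service principal and add it to the Compliance Administrator
# role group. Safe to re-run: existing objects and memberships are skipped.
param(
    [Parameter(Mandatory)] [string] $AppId,                    # Client ID, e.g. "<APP_ID>" (placeholder)
    [string] $DisplayName = "Purview Automation App"
)

# Get-MgServicePrincipal lives in the Graph SDK; Application.Read.All is enough to read it.
Connect-MgGraph -Scopes "Application.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# Steps 2 and 3: resolve the service principal and take its object ID (the "ID value").
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    throw "No service principal found for appId $AppId in this tenant."
}
$objectId = $sp.Id

# Step 4: create the Exchange service principal only if it does not already exist.
$existing = Get-ServicePrincipal -Identity $objectId -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ServicePrincipal -AppId $AppId -ObjectId $objectId -DisplayName $DisplayName | Out-Null
    Write-Host "Created service principal '$DisplayName' ($objectId)"
}

# Step 5: add the role group membership only if it is missing.
$members = Get-RoleGroupMember -Identity "Compliance Administrator" -ErrorAction SilentlyContinue
if ($members.Name -notcontains $DisplayName) {
    Add-RoleGroupMember -Identity "Compliance Administrator" -Member $DisplayName
    Write-Host "Added '$DisplayName' to Compliance Administrator"
}

# Verify the end state: the app should now be listed as a role group member.
Get-RoleGroupMember -Identity "Compliance Administrator" | Where-Object Name -eq $DisplayName

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Register-PurviewApp.ps1 -AppId "<APP_ID>"`. Because the role group grants the app Compliance Administrator rights, treat the app's certificate private key and client secret with the same care as an admin credential.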

Download and Edit Script

  1. Download PurviewPolicyImpactedbyGroupChanges
  2. Open PurviewPolicyImpactedbyGroupChanges with your favorite script editor.

Note: I just use Notepad

  3. At the top of the script you will see the Config section; change the values accordingly.
  4. Save the script.

You probably want to drop the word Template from the script name when you save it.

  5. Open a PowerShell window.
  6. Run the script; your output should look like this: [screenshot: script output]

Your CSV should look like this: [screenshot: CSV output]

Final note: since we are using certificate-based authentication, the private key of the uploaded certificate must be present on the machine you run this from.
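A minimal script of the same shape as the one the wiki links, added here as an illustration and not the wiki's PurviewPolicyImpactedbyGroupChanges script itself. It uses the app registration's certificate, pulls group membership changes from Advanced Hunting with ThreatHunting.Read.All, checks which DLP and retention policies name those groups in their locations, and writes a CSV. Assumptions not taken from the page: the placeholder values in the Config block, that CloudAppEvents carries the Entra group name under Group.DisplayName in RawEventData.ModifiedProperties, and that policy location lists contain the group's display name (they may hold its SMTP address instead, in which case adjust the match).

```powershell
# Added example (not the wiki's script): report Entra group membership changes
# that touch groups referenced by Purview DLP or retention policies.

# --- Config section (edit these; all values are placeholders) ---
$Config = @{
    TenantId     = "<TENANT_ID>"
    AppId        = "<APP_ID>"
    Thumbprint   = "<CERT_THUMBPRINT>"          # private key must be on this machine
    Organization = "<tenant>.onmicrosoft.com"
    LookbackDays = 7
    OutputCsv    = ".\PurviewPolicyImpactedByGroupChanges.csv"
}

# App-only, certificate-based sign-in: Graph for Advanced Hunting,
# Security & Compliance PowerShell for the Purview policy cmdlets.
Connect-MgGraph -ClientId $Config.AppId -TenantId $Config.TenantId -CertificateThumbprint $Config.Thumbprint
Connect-IPPSSession -AppId $Config.AppId -CertificateThumbprint $Config.Thumbprint -Organization $Config.Organization

# 1. Group membership changes (KQL over CloudAppEvents). Assumption: the group's
#    display name is in ModifiedProperties with Name == "Group.DisplayName".
$kql = @"
CloudAppEvents
| where Timestamp > ago($($Config.LookbackDays)d)
| where ActionType in~ ("Add member to group.", "Remove member from group.")
| mv-apply P = parse_json(RawEventData).ModifiedProperties on (
    where tostring(P.Name) == "Group.DisplayName"
    | summarize Group = any(tostring(P.NewValue)))
| project Timestamp, ActionType, Actor = AccountDisplayName, Member = ObjectName, Group
"@
$resp    = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" -Body @{ Query = $kql }
$changes = @($resp.results)

# 2. Purview policies and the groups their locations reference. "All" means the
#    policy is not group-scoped, so a membership change cannot alter its scope.
function Get-Locations($policy, $props) {
    $props | ForEach-Object { @($policy.$_) } | ForEach-Object { "$_" } | Where-Object { $_ -and $_ -ne "All" }
}
$policies = @()
$policies += Get-DlpCompliancePolicy | ForEach-Object {
    [pscustomobject]@{ Type = "DLP"; Name = $_.Name
        Locations = Get-Locations $_ @("ExchangeLocation", "ExchangeLocationException", "TeamsLocation", "TeamsLocationException") }
}
$policies += Get-RetentionCompliancePolicy | ForEach-Object {
    [pscustomobject]@{ Type = "Retention"; Name = $_.Name
        Locations = Get-Locations $_ @("ExchangeLocation", "ExchangeLocationException", "ModernGroupLocation", "ModernGroupLocationException") }
}

# 3. Join: one row per (change, policy) pair where the policy references the changed group.
$report = foreach ($c in $changes) {
    foreach ($p in ($policies | Where-Object { $_.Locations -contains $c.Group })) {
        [pscustomobject]@{
            Timestamp  = $c.Timestamp
            Action     = $c.ActionType
            Actor      = $c.Actor
            Member     = $c.Member
            Group      = $c.Group
            PolicyType = $p.Type
            Policy     = $p.Name
        }
    }
}

$report | Sort-Object Timestamp | Export-Csv -NoTypeInformation -Path $Config.OutputCsv
Write-Host ("{0} impacted-policy rows written to {1}" -f @($report).Count, $Config.OutputCsv)

Disconnect-ExchangeOnline -Confirm:$false
```

The join is deliberately name-based so that a reviewer can trace every row back to a policy location entry; if your policies scope by group SMTP address, extend the `-contains` check to the address returned by the hunting query. Exceptions lists are included because a member added to an exception group silently drops out of a policy, which is exactly the change this report is meant to surface.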
