CrowdStrike Reporting Tool for Azure (CRT)

On December 23, 2020 CrowdStrike released the “CrowdStrike Reporting Tool for Azure (CRT)”. Below is a description of the github readme:


This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments.

Exchange Online (O365):

  • Federation Configuration
  • Federation Trust
  • Client Access Settings Configured on Mailboxes
  • Mail Forwarding Rules for Remote Domains
  • Mailbox SMTP Forwarding Rules
  • Delegates with ‘Full Access’ Permission Granted
  • Delegates with Any Permissions Granted
  • Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
  • Exchange Online PowerShell Enabled Users
  • Users with ‘Audit Bypass’ Enabled
  • Mailboxes Hidden from the Global Address List (GAL)

Azure AD:

  • Service Principal Objects with KeyCredentials
  • O365 Admin Groups Report
  • Delegated Permissions & Application Permissions

Querying Tenant Partner Information: NOTE: In order to view Tenant Partner Information, including roles assigned to your partners, you must log into the Azure Admin Portal as Global Admin:

https://admin.microsoft.com/AdminPortal/Home#/partners

Reference:

https://github.com/CrowdStrike/CRT