Add PIM fro Groups role setting enumeration and report

Author: zh54321

README.md

@@ -46,7 +46,9 @@ Findings are presented in interactive HTML reports to support efficient explorat
     - Azure Role Assignments
     - Conditional Access Policies
     - Administrative Units
-    - PIM settings (for Entra Roles)
+    - PIM settings:
+        - PIM for Entra Roles
+        - PIM for Groups (BroCi auth only)
 
 
 ## ✅ Requirements
@@ -83,12 +85,12 @@ Use `-AuthFlow` to select the authentication flow.
 
 | Auth Flow                    | Windows | Linux/macOS | Interactive Logins | Convenience | Parameter(s)                         | Notes |
 |-----------------------------|---------|-------|--------------------|-------------|--------------------------------------|-------|
-| BroCi                       | Yes     | No    | 1                  | High        | `-AuthFlow BroCi` *(default)*        | Avoids reliance on legacy clients such as *Azure Active Directory PowerShell*. |
-| Auth Code Flow              | Yes     | No    | 4                  | Normal      | `-AuthFlow AuthCode`                 | Standard non-BroCi auth code flow. |
-| Device Code Flow            | Yes     | Yes   | 3                  | Normal      | `-AuthFlow DeviceCode`               | Authentication can be completed on another device, but two Security Findings checks run with reduced depth. |
-| Auth Code + Manual Code Flow| Yes     | Yes   | 4                  | Low-Normal  | `-AuthFlow ManualCode`               | Authentication can be completed on a different device or browser session. |
-| BroCi + Manual Code Flow    | Yes     | Yes   | 1                  | Low         | `-AuthFlow BroCiManualCode`          | Authorization code must be manually extracted from browser developer tools. |
-| BroCi with Token            | Yes     | Yes   | 0                  | Low         | `-AuthFlow BroCiToken -BroCiToken "<refresh_token>"` | Refresh token must be obtained manually (e.g., from browser dev tools or another auth tool). |
+| BroCi                       | Yes     | No    | 1                  | High        | `-AuthFlow BroCi` *(default)*        | Avoids reliance on legacy clients such as *Azure Active Directory PowerShell*. Supports all enumerations. |
+| Auth Code Flow              | Yes     | No    | 4                  | Normal      | `-AuthFlow AuthCode`                 | Standard non-BroCi auth code flow. Does not generate the standalone `PIM (Groups)` settings report. |
+| Device Code Flow            | Yes     | Yes   | 3                  | Normal      | `-AuthFlow DeviceCode`               | Authentication can be completed on another device, but two Security Findings checks run with reduced depth. Does not generate the standalone `PIM (Groups)` settings report. |
+| Auth Code + Manual Code Flow| Yes     | Yes   | 4                  | Low-Normal  | `-AuthFlow ManualCode`               | Authentication can be completed on a different device or browser session. Does not generate the standalone `PIM (Groups)` settings report. |
+| BroCi + Manual Code Flow    | Yes     | Yes   | 1                  | Low         | `-AuthFlow BroCiManualCode`          | Authorization code must be manually extracted from browser developer tools. Supports all enumerations.|
+| BroCi with Token            | Yes     | Yes   | 0                  | Low         | `-AuthFlow BroCiToken -BroCiToken "<refresh_token>"` | Refresh token must be obtained manually (e.g., from browser dev tools or another auth tool). Supports all enumerations. |
 
 
 #### Use BroCi flow (default, Beta / Windows only)
@@ -163,8 +165,8 @@ By default, official Microsoft enterprise applications are excluded from the ass
 ```
 
 #### Skip PIM for Groups Assessment
-Use the `-SkipPimForGroups` switch to skip the enumeration of PIM assignments for groups.  
-This skips the additional authentication needed to access PIM for Groups data.
+Use the `-SkipPimForGroups` switch to skip PIM-for-Groups precollection and enrichment.  
+This also skips the standalone `PIM (Groups)` settings report.
 ```powershell
 .\run_EntraFalcon.ps1 -SkipPimForGroups
 ```
@@ -213,9 +215,12 @@ This skips the additional authentication needed to access PIM for Groups data.
 ### Conditional Access Policies (Details Section)
 ![alt text](/images/caps_details.png)
 
-### PIM Role Settings
+### PIM Role Settings (Entra)
 ![alt text](/images/pim_settings.png)
 
+### Agent Identities
+![alt text](/images/agent_identities.png)
+
 ### Enumeration Summary
 ![alt text](/images/enumeration_overview.png)
 
@@ -661,7 +666,6 @@ When BroCi authentication is used, only one interactive login occurs.
 |74658136-14ec-4630-ad9b-26e160ff0fc6|Non-Interactive|797f4846-ba00-4fd7-ba43-dac1f8f63013|Retrieve Azure IAM role assignment data|
 
 When BroCi is enabled, EntraFalcon also queries `api.azrbac.mspim.azure.com` for PIM for Groups.
-
 ### Details
 For data collection, the tool sends multiple requests to the Microsoft Graph API and, optionally, the Azure ARM API—one or more per object. Where possible, it leverages the Graph Batch endpoint to reduce the number of individual requests and improve efficiency.
 

modules/check_Groups.psm1

@@ -51,7 +51,6 @@ function Invoke-CheckGroups {
         }
     }   
 
-
     #Function to create transitive members
     function Get-TransitiveMembers {
         param (
@@ -434,6 +433,7 @@ function Invoke-CheckGroups {
 
     Write-Host "[*] Getting all group memberships"
     $GroupMembers = @{}
+    $DirectActiveMemberCountById = @{}
     $BatchSize = 10000
     $ChunkCount = [math]::Ceiling($GroupsTotalCount / $BatchSize)
 
@@ -458,8 +458,11 @@ function Invoke-CheckGroups {
 
         # Store results
         foreach ($item in $Response) {
-            if ($item.response.value) {
-                $GroupMembers[$item.id] = @($item.response.value)
+            $groupResponseId = [string]$item.id
+            $directMembers = @($item.response.value)
+            $DirectActiveMemberCountById[$groupResponseId] = $directMembers.Count
+            if ($directMembers.Count -gt 0) {
+                $GroupMembers[$groupResponseId] = $directMembers
             }
         }
     }
@@ -508,9 +511,13 @@ function Invoke-CheckGroups {
     # Send Batch request and create a hashtable
     $RawResponse = (Send-GraphBatchRequest -AccessToken $GLOBALmsGraphAccessToken.access_token -Requests $Requests -BetaAPI  -UserAgent $($GlobalAuditSummary.UserAgent.Name) -QueryParameters @{'$select' = 'id,userType,onPremisesSyncEnabled'})
     $GroupOwnersRaw = @{}
+    $DirectActiveOwnerCountById = @{}
     foreach ($item in $RawResponse) {
-        if ($item.response.value -and $item.response.value.Count -gt 0) {
-            $GroupOwnersRaw[$item.id] = $item.response.value
+        $groupResponseId = [string]$item.id
+        $directOwners = @($item.response.value)
+        $DirectActiveOwnerCountById[$groupResponseId] = $directOwners.Count
+        if ($directOwners.Count -gt 0) {
+            $GroupOwnersRaw[$groupResponseId] = $directOwners
         }
     }
 
@@ -663,6 +670,9 @@ function Invoke-CheckGroups {
         $owneruser     = [System.Collections.Generic.List[psobject]]::new()
         $ownersp       = [System.Collections.Generic.List[psobject]]::new()
         $baseOwnerUserDetails = [System.Collections.Generic.List[psobject]]::new()
+        $groupIdKey = [string]$group.Id
+        $DirectActiveMemberCount = if ($null -ne $DirectActiveMemberCountById -and $DirectActiveMemberCountById.ContainsKey($groupIdKey)) { [int]$DirectActiveMemberCountById[$groupIdKey] } else { 0 }
+        $DirectActiveOwnerCount = if ($null -ne $DirectActiveOwnerCountById -and $DirectActiveOwnerCountById.ContainsKey($groupIdKey)) { [int]$DirectActiveOwnerCountById[$groupIdKey] } else { 0 }
 
         # Process group members
         if ($TransitiveMembersRaw.ContainsKey($group.Id)) {
@@ -1352,6 +1362,8 @@ function Invoke-CheckGroups {
             MemberSpDetails = $memberSpDetails
             Devices = $memberdevices.count
             DevicesDetails = $memberdevices
+            DirectActiveMembers = $DirectActiveMemberCount
+            DirectActiveOwners = $DirectActiveOwnerCount
             DirectOwners = @($owneruser).count + @($ownersp).count + @($OwnerGroup).count
             NestedOwners = 0 #Will be adjusted in port-processing
             OwnerUserDetails = $owneruser
@@ -2644,6 +2656,8 @@ $headerHtml = @"
             Warnings = $group.Warnings
             EntraRolePrivilegedCount = $group.EntraRolePrivilegedCount
             InheritedHighValue = $group.InheritedHighValue
+            DirectActiveMembers = $group.DirectActiveMembers
+            DirectActiveOwners = $group.DirectActiveOwners
             DirectOwners = $group.DirectOwners
             NestedOwners = $group.NestedOwners
         }