anmolnagpal

Entra Id Auditor

Author: Anmol Nagpal · GitHub ↗ · v1.0.0
cross-platform ✓ Passed security check
291 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw:
/install entra-id-auditor
Description
Audit Microsoft Entra ID for over-privileged roles, dangerous access patterns, and identity security gaps
Usage (SKILL.md)

Azure Entra ID (IAM) Auditor

You are a Microsoft Entra ID security expert. Identity is the new perimeter in Azure.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Entra ID role assignments export — privileged role members
     az role assignment list --output json > role-assignments.json
     az ad user list --output json --query '[].{UPN:userPrincipalName,DisplayName:displayName,AccountEnabled:accountEnabled}'
  2. Conditional Access policies export — current policy configuration
     How to export: Azure Portal → Entra ID → Security → Conditional Access → Policies → Export JSON
  3. App registrations with permissions — service principals and their API permissions
     az ad app list --output json --query '[].{DisplayName:displayName,AppId:appId,RequiredResourceAccess:requiredResourceAccess}'

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Global Reader",
  "scope": "Azure AD Tenant",
  "note": "Also assign 'Security Reader' for Conditional Access and Identity Protection"
}

If the user cannot provide any data, ask them to describe: number of Global Admins, MFA enforcement status, and whether Privileged Identity Management (PIM) is enabled.

Checks

  • Permanent Global Administrator assignments (should use PIM for JIT access)
  • Accounts without MFA (especially admins)
  • Legacy authentication protocols not blocked (basic auth → credential stuffing)
  • Excessive privileged roles at subscription scope (Owner, Contributor)
  • Guest accounts with admin or sensitive resource access
  • App registrations with Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory
  • Service principals using client secrets vs certificates
  • No Conditional Access policy enforcing MFA for admins
  • Missing PIM activation requirements (approval, justification, time limit)
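To show how several of the checks above can be run offline over the exports from inputs 1 and 3, here is an added Python example that is not part of the skill: it reads the `az role assignment list` and `az ad app list` JSON shapes, applies the subscription-scope, guest-account, dangerous-app-permission and "> 2 admin roles" checks, and emits findings in the (principal, finding, risk, MITRE technique) form of the Output Format section. The sample rows, the SUB-ID/APP-ID placeholders and the two Microsoft Graph application-permission GUIDs are assumptions to verify against your own tenant.

```python
from collections import defaultdict
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
# Application-permission ("Role") ids for the two Graph permissions named in the Checks list.
# Assumed from the Graph permissions reference; verify against the Graph service principal's appRoles.
DANGEROUS_GRAPH_ROLES = {
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
}
PRIVILEGED_RBAC = {"Owner", "Contributor", "User Access Administrator"}
# Constructed rows in the shape of `az role assignment list --output json` (fields trimmed); SUB-ID-PLACEHOLDER is not a real id.
SUB = "/subscriptions/SUB-ID-PLACEHOLDER"
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "alice@contoso.example", "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "bob_partner.example#EXT#@contoso.example", "roleDefinitionName": "Contributor", "scope": SUB},
]
# Constructed sample in the shape of the `az ad app list --query ...` export from input 3.
APPS = [{"DisplayName": "hr-sync", "AppId": "APP-ID-PLACEHOLDER", "RequiredResourceAccess": [
    {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "type": "Role"},
        {"id": "DELEGATED-SCOPE-ID-PLACEHOLDER", "type": "Scope"}]}]}]

def audit_role_assignments(assignments):
    # Returns (principal, finding, risk, MITRE technique) tuples, matching the Output Format section.
    findings, roles_per_principal = [], defaultdict(set)
    for a in assignments:
        name, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        if role not in PRIVILEGED_RBAC:
            continue
        roles_per_principal[name].add(role)
        if scope.count("/") == 2:  # exactly "/subscriptions/<id>"; deeper scopes are resource groups or resources
            findings.append((name, f"{role} at subscription scope", "High", "T1078"))
        if "#EXT#" in name:  # B2B guest accounts carry #EXT# in their UPN
            findings.append((name, f"guest account holds {role}", "High", "T1078"))
    for name, roles in roles_per_principal.items():
        if len(roles) > 2:  # Rules section: flag any account with > 2 admin roles
            findings.append((name, f"{len(roles)} privileged roles", "Medium", "T1098"))
    return findings

def audit_app_registrations(apps):
    findings = []
    for app in apps:
        for res in app.get("RequiredResourceAccess") or []:
            if res.get("resourceAppId") != GRAPH_APP_ID:
                continue
            for perm in res.get("resourceAccess", []):
                if perm.get("type") == "Role" and perm["id"] in DANGEROUS_GRAPH_ROLES:
                    findings.append((app["DisplayName"], DANGEROUS_GRAPH_ROLES[perm["id"]], "Critical", "T1098"))
    return findings
```

Delegated ("Scope") permissions and resource-group-scoped assignments are deliberately not flagged here, so the output stays focused on the findings the Checks list treats as highest risk.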

Output Format

  • Risk Score: Critical / High / Medium / Low
  • Findings Table: principal, finding, risk, MITRE technique
  • MITRE ATT&CK Mapping: e.g. T1078 Valid Accounts, T1098 Account Manipulation
  • Conditional Access Gaps: missing policies with recommended JSON
  • PIM Recommendations: roles that should require JIT activation
  • Remediation Steps: PowerShell / Graph API commands per finding

Rules

  • Entra ID compromise = full tenant takeover potential — always treat as Critical
  • FIDO2/passkeys are the 2025 MFA standard — flag SMS/voice MFA as insufficient for admins
  • Flag any account with > 2 admin roles — least privilege applies to admins too
  • Note: break-glass accounts need special treatment — document exemptions clearly
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
Safe usage advice
This skill appears to do what it claims — it analyzes exported Entra ID data rather than asking for credentials — but there are a few practical precautions: (1) The skill's source/homepage is missing and owner identity is opaque, so only use it if you trust the publisher. (2) Before pasting or uploading any JSON, manually inspect it for credentials, secrets, or private keys and redact any sensitive fields. (3) Prefer using a test or delegated tenant or least-privilege read-only roles (Global Reader, Security Reader) when producing exports. (4) When the skill recommends remediation commands (PowerShell/Graph), review them carefully before running in your tenant — the skill provides guidance but does not execute actions itself. (5) If you need higher assurance, ask the publisher for provenance or use in-house tooling to perform the same checks.
Functionality analysis
Type: OpenClaw Skill
Name: entra-id-auditor
Version: 1.0.0
The skill is designed to audit Microsoft Entra ID configurations based on user-provided data. The `SKILL.md` explicitly states it is 'instruction-only' and 'does not execute any Azure CLI commands or access your Azure account directly.' It guides the user to export data using specified `az` CLI commands and then instructs the AI agent to analyze this data. Crucially, the instructions for the agent include explicit rules to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included before processing' user-pasted data, demonstrating a strong focus on security and preventing credential leakage. There are no hidden commands, data exfiltration attempts, or prompt injection attempts to subvert the agent's intended purpose.
Capability assessment
Purpose & Capability
Name, description, and SKILL.md all describe an Entra ID auditing role and the only things requested are exported role/CA/app JSON or high-level tenant counts; these inputs are appropriate for the stated analysis.
Instruction Scope
Instructions are narrowly scoped: they explicitly ask the user to provide exported JSON or high-level answers and state the skill will not request credentials. The skill also tells users to confirm pasted data has no credentials. Recommend verifying exported files do not include any secrets or inadvertently leaked tokens before sharing.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no third-party packages are installed.
Credentials
The skill declares no required environment variables, no primary credential, and asks users to supply exported data. The requested inputs (role assignments, conditional access JSON, app registrations) are proportional to an Entra ID audit.
Persistence & Privilege
The `always` flag is false; model invocation and invocation autonomy are standard. The skill does not request persistent system presence or modify other skills or global agent settings.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install entra-id-auditor
  3. After installation, invoke the Skill by name or trigger it with /entra-id-auditor
  4. Provide the required inputs as described in the Skill's parameter notes to get structured output
Version history
v1.0.0
Initial release of Azure Entra ID (IAM) Auditor.
- Provides step-by-step audit guidance for Microsoft Entra ID, focusing on over-privileged roles and identity security gaps.
- Analyzes exported data on role assignments, Conditional Access, and app registrations—no direct Azure access required.
- Outputs include risk score, detailed findings with MITRE ATT&CK mapping, Conditional Access gaps, and precise remediation steps.
- Enforces strict data and security rules—never requests credentials, only exported/enumerated data.
- Designed for users with Global Reader permissions; also recommends Security Reader for complete coverage.
Metadata
Slug entra-id-auditor
Version 1.0.0
License
Total installs 0
Current installs 0
Versions 1
FAQ

What is Entra Id Auditor?

Audit Microsoft Entra ID for over-privileged roles, dangerous access patterns, and identity security gaps. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 291 downloads to date.

How do I install Entra Id Auditor?

Run the command "/install entra-id-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Entra Id Auditor free?

Yes, Entra Id Auditor is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Entra Id Auditor support?

Entra Id Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Entra Id Auditor?

Developed and maintained by Anmol Nagpal (@anmolnagpal); current version v1.0.0.
