Releases: malcolmmcdonald1982/M365-Assessment-Toolkit

v1.4.0 - Entra ID Deep Coverage + Secure Score Simulator

05 Jun 18:10
c6b1f97

[1.4.0] - 2026-06-05

New Features

18 New Findings (30 → 48 across 6 modules)

Entra ID — Application Security (10 new findings)

  • ENTRA-001 — High-Privilege App Registrations (Critical)
  • ENTRA-002 — Expired App Registration Credentials (High)
  • ENTRA-003 — App Credentials Expiring ≤30 Days (High)
  • ENTRA-004 — App Credentials Expiring 31–90 Days (Medium)
  • ENTRA-005 — Never-Expiring App Credentials (Medium)
  • ENTRA-006 — Unowned App Registrations (Medium)
  • ENTRA-007 — Multi-Tenant App Registrations (Medium)
  • ENTRA-008 — Implicit Grant Flow Enabled (Medium)
  • ENTRA-009 — Privileged Service Principals (Critical)
  • ENTRA-010 — Privileged Managed Identities (High)

Across all modules (8 new findings)

  • CA-003 — No CA Policy Enforcing MFA for All Users (Critical)
  • EXO-006 — Zero-Hour Auto Purge (ZAP) Not Fully Enabled (High)
  • TEAMS-003 — Anonymous Users Can Join Meetings (Medium)
  • TEAMS-004 — Third-Party Teams Apps Unrestricted (Medium)
  • SPO-003 — OneDrive External Sharing Unrestricted (High)
  • SPO-004 — Guest Access Expiry Not Configured (Medium)
  • MDM-005 — No Mobile Device Compliance Policy (High)
  • MDM-006 — Defender for Endpoint Not Integrated with Intune (Medium)

Simulated Microsoft Secure Score in Attack Simulator

  • Simulator now shows MS Secure Score baseline, projected score and uplift
  • Each finding carries a secure_score_impact value — toggling findings updates the projected score in real time
  • Shows the concrete MS Secure Score improvement achievable by fixing open findings
  • Requires Security module to have run to populate the baseline

Full Investigation Script Coverage for all 18 new findings

  • Every new finding includes a ready-to-run PowerShell investigation script
  • Scripts surface per-policy detail, credential expiry lists, ZAP status, app permission breakdowns

UI Overhaul

  • Font updated to Inter for improved legibility
  • Richer dark colour palette — more professional product feel
  • Card depth with box-shadows and header accent stripe
  • Simulator labels updated: Attack Path Score, Simulated Path Score, MS Secure Score, MS Projected, MS Uplift

Improvements

  • Get-IdentityMetrics.ps1 performance optimised — bulk role lookup, capped owner checks, inverted SP/MI enumeration. Run time reduced from >300s to ~48s on large tenants
  • ZAP check covers malware, phishing and spam policies separately with fallback for older EXO module versions
  • Two new attack chains added to the simulator: APP-TAKEOVER and SP-PERSIST

v1.3.0

28 May 14:27
d22ff83

What's new in v1.3.0

Read/Write Permission Separation

  • Assessment and remediation credentials can now be configured independently
  • Default behaviour unchanged — Same as Assessment requires no action from existing users
  • Separate mode allows a dedicated write account with minimum required permissions
  • Supports Interactive, App Registration and Certificate for both read and write
  • Fails safely if write permissions are insufficient — nothing changes in the tenant

Findings sorted by severity

  • Overview metrics now display red → amber → green
  • Issues surface immediately without scrolling

Documentation overhauled

  • Minimum roles per module
  • Full data flow transparency
  • Security policy (SECURITY.md)
  • Contributing guide (CONTRIBUTING.md)

Also in recent releases

  • Certificate-based authentication (v1.2.0)
  • 7 new findings — 30 total (v1.2.0)
  • Full investigation script coverage (v1.2.0)
  • Auto update checker (v1.2.1)

v1.2.1 — Auto Update Checker

24 May 23:54
df8abe8

  • Tool silently checks for updates on every startup
  • Banner appears when a newer version is available
  • Update Now applies the update directly from within the tool
  • What's New and GitHub buttons added to the header

v1.2.0

24 May 16:47
932a2d2

7 New Findings (23 → 30)

  • ID-006 — Risky Users Not Reviewed
  • ID-007 — No Emergency Access Account Detected
  • SEC-006 — No Microsoft Sentinel Connected
  • EXO-004 — DMARC Not Configured
  • EXO-005 — SPF or DKIM Not Configured
  • MDM-003 — No Windows Update Ring Configured
  • MDM-004 — BitLocker Not Enforced

Certificate-Based Authentication

  • Third auth option alongside Interactive and App Registration
  • No client secret is stored in the UI
  • Full setup guide in the README

Full Investigation Script Coverage

  • All 30 findings now have a ready-to-run PowerShell investigation script

Bug Fixes

  • All 6 modules now complete correctly on PowerShell 5.1
  • The remediation report correctly reflects the rollback status

v1.1.0

22 May 23:42
f8b08b5

What's new in v1.1.0

Bug fixes

  • Consultant details (name, role, email) now correctly populate in all generated Word and PDF reports
  • Compare tab fully implemented: load two saved assessments and compare score, findings & metrics
  • Approval labels in remediation now read from your custom settings correctly

Transparency & Trust

  • Minimum role requirements shown in the Interactive Login section
  • Read-only banner added above Run Assessment button
  • AI disclosure added to footer and README

Install & Update

  • One-line install now works: irm ... | iex
  • Update and uninstall commands fixed

v1.0.0 - Initial Release

05 May 11:26
a3c4ac8

All notable changes to the M365 Assessment Toolkit are documented here.

[1.0.0] - 2026-05-05

Initial Release

Assessment Engine

  • 23 findings across 6 modules: Identity, Security/CA, Exchange, Teams, SharePoint, Intune
  • Dual authentication: Interactive Login and App Registration
  • Severity-weighted scoring model (Critical/High/Medium/Low)
  • Session auto-save and reload without re-running scripts

Remediation

  • 9 Tier 1 auto-fix findings with paired rollback scripts
  • Pre-remediation safety checks (dependency scan before changes)
  • Snapshot saved before every change for full rollback capability
  • Approval gate with customisable fields (approver, change reference, date)
  • Session-level and individual approval recording
  • Manual PowerShell commands displayed on each remediation card
  • Remediation log saved per engagement

Reports

  • Assessment Report: findings, score, recommendations, metrics appendix
  • Remediation Report: before/after score, changes made, approval details, open findings
  • Comparison Report: two-assessment side-by-side with resolved/new/still open
  • Consultant branding fields (name, role, email)
  • Word (.docx) and print-to-PDF output

Simulator

  • 7 attack chain models: BEC, Account Takeover, Privilege Escalation, OAuth Abuse, Data Exfiltration, Ransomware, Invisible Persistence
  • Toggle findings to simulate fixes — live score and chain status update
  • Risk narrative updates in real time
  • Export What-If report

Comparison

  • Load two saved sessions and compare score, findings, metrics
  • Resolved / New / Still Open / Improved categorisation
  • Downloadable comparison Word report

Packaging

  • One-line installer with prerequisite detection and auto-install
  • Update script (preserves all data)
  • Uninstall script (optional data backup)