Devolutions.CIEM
0.1.0-alpha
Cloud Infrastructure Entitlement Management (CIEM) module for Azure identity and access security checks. Provides 46 identity-focused checks for Entra ID, IAM/RBAC, KeyVault, and Storage services.
Minimum PowerShell version
7.4
Copyright
(c) 2025 Devolutions Inc. All rights reserved.
Package Details
Author(s)
- Adam Bertram
Tags
Azure CIEM Security Identity IAM Entra RBAC Compliance PowerShellUniversal app
Functions
Get-CIEMAuthenticationContext Get-CIEMCheck Get-CIEMProvider Get-ProwlerCheck Invoke-CIEMScan Sync-ProwlerCheck
Dependencies
- Az.Accounts (>= 4.0.0)
Release Notes
## 0.1.0 - Initial Release
- 46 Azure identity-focused security checks
  - Entra ID: 15 checks (MFA, conditional access, security defaults, etc.)
  - IAM/RBAC: 3 checks (custom roles, permissions)
  - KeyVault: 10 checks (access policies, RBAC, expiration)
  - Storage: 18 checks (access controls, encryption, network rules)
- Parallel check execution with ForEach-Object -Parallel
- Auto-detect Azure authentication (Managed Identity, CLI, Interactive)
FileList
- Devolutions.CIEM.nuspec
- AzureChecks.schema.json
- Public\Get-CIEMAuthenticationContext.ps1
- Private\Test-AzureChecksSchema.ps1
- Private\Get-AzureAuthContext.ps1
- Private\Get-SupportedProvider.ps1
- Checks\Azure\Test-StorageDefaultNetworkAccessRuleIsDenied.ps1
- Checks\Azure\Test-KeyvaultKeyRotationEnabled.ps1
- Checks\Azure\Test-KeyvaultPublicNetworkAccessDisabled.ps1
- Checks\Azure\Test-EntraPolicyEnsureDefaultUserCannotCreateTenant.ps1
- Checks\Azure\Test-KeyvaultRbacEnabled.ps1
- Checks\Azure\Test-StorageEnsureAzureServicesAreTrustedToAccessIsEnabled.ps1
- Checks\Azure\Test-EntraPolicyDefaultUserCannotCreateSecurityGroup.ps1
- config.json
- Public\Sync-ProwlerCheck.ps1
- Private\Test-AzureConnection.ps1
- Private\Convert-ProwlerCheck.ps1
- Private\Invoke-AzureApi.ps1
- Checks\Azure\Test-KeyvaultPrivateEndpoint.ps1
- Checks\Azure\Test-KeyvaultLoggingEnabled.ps1
- Checks\Azure\Test-StorageInfrastructureEncryptionIsEnabled.ps1
- Checks\Azure\Test-EntraUserCannotCreateMicrosoft365Group.ps1
- Checks\Azure\Test-EntraConditionalAccessPolicyRequireMfaForManagementApi.ps1
- Checks\Azure\Test-EntraPolicyGuestUserAccessRestriction.ps1
- Checks\Azure\Test-EntraTrustedNamedLocationExist.ps1
- Devolutions.CIEM.psm1
- Public\Get-CIEMCheck.ps1
- Private\New-CIEMFinding.ps1
- Private\Test-KeyVaultItemExpiration.ps1
- Private\Initialize-StorageService.ps1
- Checks\Azure\Test-KeyvaultRbacSecretExpirationSet.ps1
- Checks\Azure\Test-IamSubscriptionRolesOwnerCustomNotCreated.ps1
- Checks\Azure\Test-StorageDefaultToEntraAuthorizationEnabled.ps1
- Checks\Azure\Test-StorageEnsureSoftDeleteIsEnabled.ps1
- Checks\Azure\Test-StorageKeyRotation90Day.ps1
- Checks\Azure\Test-StorageSecureTransferRequiredIsEnabled.ps1
- Checks\Azure\Test-KeyvaultRbacKeyExpirationSet.ps1
- Devolutions.CIEM.psd1
- Public\Get-ProwlerCheck.ps1
- Private\Test-EntraAuthorizationPolicyBooleanSetting.ps1
- Private\Get-CheckMetadata.ps1
- Checks\Azure\Test-IamRoleUserAccessAdminRestricted.ps1
- Checks\Azure\Test-StorageEnsureMinimumTlsVersion12.ps1
- Checks\Azure\Test-KeyvaultKeyExpirationSetInNonRbac.ps1
- Checks\Azure\Test-StorageEnsureEncryptionWithCustomerManagedKey.ps1
- Checks\Azure\Test-EntraPolicyEnsureDefaultUserCannotCreateApp.ps1
- Checks\Azure\Test-KeyvaultRecoverable.ps1
- Checks\Azure\Test-EntraUserWithVmAccessHasMfa.ps1
- Checks\Azure\Test-StorageCrossTenantReplicationDisabled.ps1
- AzureChecks.json
- Public\Invoke-CIEMScan.ps1
- Private\Initialize-IAMService.ps1
- Private\Test-GitRemote.ps1
- Checks\Azure\Test-StorageBlobPublicAccessLevelIsDisabled.ps1
- Checks\Azure\Test-EntraNonPrivilegedUserHasMfa.ps1
- Checks\Azure\Test-StorageGeoRedundantEnabled.ps1
- Checks\Azure\Test-KeyvaultNonRbacSecretExpirationSet.ps1
- Checks\Azure\Test-StorageEnsureFileSharesSoftDeleteIsEnabled.ps1
- Checks\Azure\Test-EntraPolicyGuestInviteOnlyForAdminRole.ps1
- Checks\Azure\Test-StorageAccountKeyAccessDisabled.ps1
- Checks\Azure\Test-EntraPolicyRestrictUserConsentForApp.ps1
- Private\Get-AllGraphPage.ps1
- Private\Initialize-KeyVaultService.ps1
- Private\Get-CIEMConfig.ps1
- Checks\Azure\Test-StorageSmbProtocolVersionIsLatest.ps1
- Checks\Azure\Test-EntraPrivilegedUserHasMfa.ps1
- Checks\Azure\Test-StorageSmbChannelEncryptionWithSecureAlgorithm.ps1
- Checks\Azure\Test-StorageBlobVersioningIsEnabled.ps1
- Checks\Azure\Test-IamCustomRoleHasPermissionToAdministerResourceLock.ps1
- Checks\Azure\Test-EntraSecurityDefaultsEnabled.ps1
- Checks\Azure\Test-StorageEnsurePrivateEndpointInStorageAccount.ps1
- apps\DevolutionsCIEM\app.ps1
- Public\Get-CIEMProvider.ps1
- Private\Initialize-EntraService.ps1
- Private\Test-StorageAccountProperty.ps1
- Private\Set-CIEMConfig.ps1
- Checks\Azure\Test-EntraPolicyUserConsentForVerifiedApp.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 0.2.132 | 0 | 5/19/2026 |
| 0.2.131 | 0 | 5/19/2026 |
| 0.2.130 | 0 | 5/19/2026 |
| 0.2.129 | 0 | 5/19/2026 |
| 0.2.128 | 0 | 5/19/2026 |
| 0.2.127 | 0 | 5/19/2026 |
| 0.2.126 | 0 | 5/18/2026 |
| 0.2.125 | 0 | 5/18/2026 |
| 0.2.124 | 0 | 5/18/2026 |
| 0.2.123 | 0 | 5/18/2026 |
| 0.2.122 | 0 | 5/15/2026 |
| 0.2.121 | 2 | 5/15/2026 |
| 0.2.120 | 2 | 5/15/2026 |
| 0.2.119 | 2 | 5/15/2026 |
| 0.2.118 | 3 | 5/15/2026 |
| 0.2.117 | 2 | 5/15/2026 |
| 0.2.116 | 2 | 5/15/2026 |
| 0.2.115 | 2 | 5/15/2026 |
| 0.2.114 | 2 | 5/15/2026 |
| 0.2.113 | 3 | 5/15/2026 |
| 0.2.112 | 3 | 5/15/2026 |
| 0.2.111 | 3 | 5/15/2026 |
| 0.2.110 | 3 | 5/15/2026 |
| 0.2.109 | 5 | 5/15/2026 |
| 0.1.0 | 7 | 5/8/2026 |
| 0.1.0-alpha (current version) | 5 | 1/27/2026 |