Cloud Tenant Configuration Snapshot
Preservation | P2 | 60 min | IR Analyst
Capture a point-in-time snapshot of the entire Azure AD / M365 tenant configuration to preserve the state of identity, access, and security controls before remediation changes alter the environment.
Actions
1. Export all Azure AD users, groups, roles, and licenses using the Microsoft Graph API or the AzureAD PowerShell module to establish a baseline of the identity configuration at the time of the incident
2. Snapshot all conditional access policies, named locations, and authentication methods: Export-AzureADMSConditionalAccessPolicy and Get-AzureADMSAuthorizationPolicy
3. Export all OAuth application registrations, enterprise applications, and service principals with their permissions and credential expiry dates
4. Capture all mail transport rules, connector configurations, and anti-spam/anti-phish policy settings from Exchange Online
5. Export all SharePoint Online sharing settings, external access configurations, and OneDrive sync policies
6. Snapshot Azure AD audit logs and sign-in logs for the maximum available retention period (30 days default, 90 days with P2 license)
Queries
```powershell
# PowerShell -- Comprehensive Azure AD tenant snapshot
# Assumes Connect-AzureAD and Connect-ExchangeOnline sessions are already established
# and that C:\Evidence exists.

# Users and roles
Get-AzureADUser -All $true | Export-Csv "C:\Evidence\AzureAD_Users.csv" -NoTypeInformation
Get-AzureADDirectoryRole | ForEach-Object {
    $role = $_
    # One row per (role, member); the Role column comes from the outer loop
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Select-Object @{N="Role";E={$role.DisplayName}}, DisplayName, UserPrincipalName
} | Export-Csv "C:\Evidence\AzureAD_RoleMembers.csv" -NoTypeInformation

# PowerShell -- OAuth app and service principal export
# Note: list-valued properties (ReplyUrls, RequiredResourceAccess) flatten to their
# type name in CSV; keep a JSON export alongside if the full permission detail is needed
Get-AzureADApplication -All $true | Select-Object DisplayName, AppId, ReplyUrls, RequiredResourceAccess | Export-Csv "C:\Evidence\AzureAD_Apps.csv" -NoTypeInformation
Get-AzureADServicePrincipal -All $true | Select-Object DisplayName, AppId, ServicePrincipalType | Export-Csv "C:\Evidence\AzureAD_ServicePrincipals.csv" -NoTypeInformation

# PowerShell -- Exchange Online transport rules and connectors
Get-TransportRule | Select-Object Name, State, Priority, Conditions, Actions | Export-Csv "C:\Evidence\ExO_TransportRules.csv" -NoTypeInformation
Get-InboundConnector | Export-Csv "C:\Evidence\ExO_InboundConnectors.csv" -NoTypeInformation
Get-OutboundConnector | Export-Csv "C:\Evidence\ExO_OutboundConnectors.csv" -NoTypeInformation
```
Notes
- Tenant snapshots must be captured BEFORE any remediation changes to preserve the compromised-state configuration for forensic analysis
- Compare the snapshot against a known-good baseline (if available) to identify attacker-introduced changes
- Store all exports with SHA256 hashes and timestamps for evidence integrity
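As an added example (not part of the original playbook), the PowerShell below does the two things the notes ask for: it diffs an incident-time role-member export against a known-good baseline to surface attacker-introduced or removed assignments, and it writes a SHA256 manifest with timestamps next to the exports. The function names, the MANIFEST.sha256.csv file name and the sample rows are assumptions; the CSV columns match the role-member export above.

```powershell
# Added example (not from the original playbook): diff an incident-time role
# export against a known-good baseline, then seal the evidence folder with a
# SHA256 manifest. CSV columns: Role, DisplayName, UserPrincipalName (constructed data).

function Compare-RoleMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,  # rows from the known-good export
        [Parameter(Mandatory)] [object[]] $Snapshot   # rows from the incident-time export
    )
    # Key on role + UPN so a DisplayName rename cannot mask a changed assignment
    $key  = { param($r) "$($r.Role)|$($r.UserPrincipalName)".ToLowerInvariant() }
    $base = @{}; foreach ($r in $Baseline) { $base[(& $key $r)] = $r }
    $snap = @{}; foreach ($r in $Snapshot) { $snap[(& $key $r)] = $r }
    # Only-in-snapshot = candidate attacker-added access; only-in-baseline = removed defenders
    $added   = foreach ($k in $snap.Keys) { if (-not $base.ContainsKey($k)) { $snap[$k] } }
    $removed = foreach ($k in $base.Keys) { if (-not $snap.ContainsKey($k)) { $base[$k] } }
    [pscustomobject]@{ Added = @($added); Removed = @($removed) }
}

function New-EvidenceManifest([string] $EvidencePath) {
    # One row per export (hash, size, timestamps), written beside the exports
    $stamp = (Get-Date).ToUniversalTime().ToString('o')
    $rows = Get-ChildItem -Path $EvidencePath -File |
        Where-Object Name -ne 'MANIFEST.sha256.csv' |
        ForEach-Object { [pscustomobject]@{
            File = $_.Name; SizeBytes = $_.Length; ManifestUtc = $stamp
            FileUtc = $_.LastWriteTimeUtc.ToString('o')
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
    $rows | Export-Csv -Path (Join-Path $EvidencePath 'MANIFEST.sha256.csv') -NoTypeInformation
    $rows
}

# Constructed sample: baseline vs incident-time snapshot of role members
$baseline = @'
Role,DisplayName,UserPrincipalName
Global Administrator,Alice Admin,alice@contoso.example
Security Reader,Bob Analyst,bob@contoso.example
'@ | ConvertFrom-Csv
$snapshot = @'
Role,DisplayName,UserPrincipalName
Global Administrator,Alice Admin,alice@contoso.example
Global Administrator,Svc Backup,svc-backup@contoso.example
'@ | ConvertFrom-Csv

$diff = Compare-RoleMembership -Baseline $baseline -Snapshot $snapshot
$diff.Added   | Format-Table Role, UserPrincipalName   # svc-backup gained Global Administrator
$diff.Removed | Format-Table Role, UserPrincipalName   # Bob lost Security Reader
# New-EvidenceManifest -EvidencePath 'C:\Evidence'     # run once the exports above have finished
```

Re-running New-EvidenceManifest later and comparing the SHA256 column against the stored manifest is the integrity check for the evidence set.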
Where to Go Next
Related Artifacts
Azure AD (Entra ID) Audit Logs
Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)
Conditional Access Policy Logs
Azure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab
Service Principal & App Registration Activity
Azure Portal > Entra ID > App registrations and Enterprise applications > Audit logs (or Microsoft Graph API)