Preservation | P2 | ~60 min

Cloud Tenant Configuration Snapshot

Capture a point-in-time snapshot of the entire Azure AD / M365 tenant configuration to preserve the state of identity, access, and security controls before remediation changes alter the environment.

Actions

  1. Export all Azure AD users, groups, directory role memberships, and license assignments using the Microsoft Graph API (or Graph PowerShell SDK) or the AzureAD PowerShell module to establish a baseline of the identity configuration at the time of the incident

  2. Snapshot all conditional access policies, named locations, the authorization policy and the authentication methods policy. AzureAD module: Get-AzureADMSConditionalAccessPolicy, Get-AzureADMSNamedLocationPolicy and Get-AzureADMSAuthorizationPolicy (the authentication methods policy is not exposed by that module). Graph PowerShell: Get-MgIdentityConditionalAccessPolicy, Get-MgIdentityConditionalAccessNamedLocation, Get-MgPolicyAuthorizationPolicy and Get-MgPolicyAuthenticationMethodPolicy

  3. Export all OAuth application registrations, enterprise applications, and service principals together with their requested and granted permissions (OAuth2 permission grants and app role assignments) and the expiry dates of every password and key credential

  4. Capture all mail transport rules, inbound/outbound connector configurations, and anti-spam/anti-phish policy settings from Exchange Online

  5. Export all SharePoint Online tenant-level sharing settings, external access configurations, and OneDrive sync policies

  6. Snapshot Azure AD audit logs and sign-in logs for the maximum available retention period: 7 days on the Free tier, 30 days with a P1 or P2 license. Anything older exists only if diagnostic settings were already streaming the logs to Log Analytics, a storage account, or a SIEM; check those destinations as well

Queries

// PowerShell -- Comprehensive Azure AD tenant snapshot (AzureAD module; deprecated, see Notes)
Connect-AzureAD
New-Item -ItemType Directory -Path "C:\Evidence" -Force | Out-Null
# Users and roles
Get-AzureADUser -All $true | Export-Csv "C:\Evidence\AzureAD_Users.csv" -NoTypeInformation
Get-AzureADDirectoryRole | ForEach-Object {
  $role = $_
  Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object @{N="Role";E={$role.DisplayName}}, DisplayName, UserPrincipalName, ObjectType
} | Export-Csv "C:\Evidence\AzureAD_RoleMembers.csv" -NoTypeInformation
// PowerShell -- OAuth app and service principal export
# Collection-valued properties are joined or serialised explicitly; a bare Export-Csv writes only the .NET type name
Get-AzureADApplication -All $true | Select-Object DisplayName, AppId, ObjectId,
  @{N="ReplyUrls";E={$_.ReplyUrls -join ";"}},
  @{N="RequiredResourceAccess";E={$_.RequiredResourceAccess | ConvertTo-Json -Compress -Depth 5}},
  @{N="PasswordCredExpiry";E={($_.PasswordCredentials | ForEach-Object { $_.EndDate }) -join ";"}},
  @{N="KeyCredExpiry";E={($_.KeyCredentials | ForEach-Object { $_.EndDate }) -join ";"}} |
  Export-Csv "C:\Evidence\AzureAD_Apps.csv" -NoTypeInformation
Get-AzureADServicePrincipal -All $true | Select-Object DisplayName, AppId, ObjectId, ServicePrincipalType, AccountEnabled,
  @{N="PasswordCredExpiry";E={($_.PasswordCredentials | ForEach-Object { $_.EndDate }) -join ";"}} |
  Export-Csv "C:\Evidence\AzureAD_ServicePrincipals.csv" -NoTypeInformation
# Delegated consent grants: which principal consented to which scopes on which resource
Get-AzureADOAuth2PermissionGrant -All $true | Export-Csv "C:\Evidence\AzureAD_OAuth2Grants.csv" -NoTypeInformation
// PowerShell -- Exchange Online transport rules and connectors
Connect-ExchangeOnline -ShowBanner:$false
# Conditions/Actions are object collections that do not survive Export-Csv; Description carries the readable
# rule text, and Export-TransportRuleCollection preserves the exact rule definitions for later comparison
Get-TransportRule | Select-Object Name, State, Priority, Description, WhenChanged | Export-Csv "C:\Evidence\ExO_TransportRules.csv" -NoTypeInformation
$ruleBlob = Export-TransportRuleCollection
[IO.File]::WriteAllBytes("C:\Evidence\ExO_TransportRules.xml", $ruleBlob.FileData)
Get-InboundConnector | Export-Csv "C:\Evidence\ExO_InboundConnectors.csv" -NoTypeInformation
Get-OutboundConnector | Export-Csv "C:\Evidence\ExO_OutboundConnectors.csv" -NoTypeInformation
// Splunk -- Application, service principal and consent changes in the Unified Audit Log (last 90 days)
index=o365 sourcetype=o365:management:activity (Operation="Add application" OR Operation="Add service principal" OR Operation="Update application*" OR Operation="Consent to application") earliest=-90d | stats count by Operation, UserId, Target_0_id | sort -count

Notes

Tenant snapshots must be captured BEFORE any remediation changes (disabling accounts, revoking consents, editing conditional access policies, removing transport rules) to preserve the compromised-state configuration for forensic analysis

Compare the snapshot against a known-good baseline (if available) to identify attacker-introduced changes; the highest-value diffs are disabled or newly excluded-from conditional access policies, new trusted named locations, new application or service principal credentials, newly consented applications, and transport rules that forward or redirect mail

Store all exports with SHA256 hashes and UTC collection timestamps in a manifest, hash the manifest itself, and keep the evidence on access-controlled storage outside the tenant under investigation

The AzureAD and AzureADPreview PowerShell modules used in the queries above are deprecated in favour of the Microsoft Graph PowerShell SDK (Get-Mg* cmdlets); the Graph SDK also exposes settings the legacy module cannot read, such as the authentication methods policy
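The baseline comparison described in the notes, as an added example that is not part of the original playbook: a PowerShell function that diffs two conditional access policy snapshots (JSON as produced by `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json`) and reports added and removed policies, state changes, and new user exclusions. The two JSON documents below are constructed sample data; the policy names, ids and the `contoso.example` addresses are illustrative.

```powershell
# Added example (not from the original playbook): diff two CA-policy snapshots for attacker-style changes.
# Sample data is constructed; a real run would read the baseline and current JSON files from disk.
$baselineJson = @'
[ {"Id":"p1","DisplayName":"Require MFA for admins","State":"enabled",
   "Conditions":{"Users":{"ExcludeUsers":["breakglass@contoso.example"]}}},
  {"Id":"p2","DisplayName":"Block legacy auth","State":"enabled",
   "Conditions":{"Users":{"ExcludeUsers":[]}}} ]
'@
$currentJson = @'
[ {"Id":"p1","DisplayName":"Require MFA for admins","State":"enabled",
   "Conditions":{"Users":{"ExcludeUsers":["breakglass@contoso.example","svc-backup@contoso.example"]}}},
  {"Id":"p2","DisplayName":"Block legacy auth","State":"disabled",
   "Conditions":{"Users":{"ExcludeUsers":[]}}},
  {"Id":"p3","DisplayName":"Grant access from anywhere","State":"enabled",
   "Conditions":{"Users":{"ExcludeUsers":[]}}} ]
'@

# Compare-CaSnapshot indexes both snapshots by policy Id and emits one finding per observed change.
# Only State and user exclusions are compared here; extend with locations/grant controls as needed.
function Compare-CaSnapshot {
    param([string]$Baseline, [string]$Current)
    $old = @{}; ($Baseline | ConvertFrom-Json) | ForEach-Object { $old[$_.Id] = $_ }
    $new = @{}; ($Current  | ConvertFrom-Json) | ForEach-Object { $new[$_.Id] = $_ }
    $findings = @()
    foreach ($id in $new.Keys) {
        $cur = $new[$id]
        if (-not $old.ContainsKey($id)) {
            $findings += [pscustomobject]@{ Policy = $cur.DisplayName; Change = 'ADDED'; Detail = "state=$($cur.State)" }
            continue
        }
        $prev = $old[$id]
        if ($prev.State -ne $cur.State) {
            $findings += [pscustomobject]@{ Policy = $cur.DisplayName; Change = 'STATE_CHANGED'; Detail = "$($prev.State) -> $($cur.State)" }
        }
        $prevEx = @($prev.Conditions.Users.ExcludeUsers)
        $curEx  = @($cur.Conditions.Users.ExcludeUsers)
        $addedEx = @($curEx | Where-Object { $_ -notin $prevEx })
        if ($addedEx.Count -gt 0) {
            $findings += [pscustomobject]@{ Policy = $cur.DisplayName; Change = 'EXCLUSION_ADDED'; Detail = ($addedEx -join ',') }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            $findings += [pscustomobject]@{ Policy = $old[$id].DisplayName; Change = 'REMOVED'; Detail = '' }
        }
    }
    $findings
}

# On the constructed data this reports: EXCLUSION_ADDED on p1, STATE_CHANGED on p2, ADDED for p3.
Compare-CaSnapshot -Baseline $baselineJson -Current $currentJson | Format-Table -AutoSize
```

Every finding should be cross-referenced against the audit log export for the same window: a policy change with no matching `Update conditional access policy` audit entry, or one performed by an unexpected principal, is itself evidence.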
