
Zero Trust Assessment Tool

What is the Zero Trust Assessment Tool?

This PowerShell cmdlet tool provides essential checks to confirm a strong security baseline, preparing you for advanced features and a more resilient security posture.

How do I access it?

It is a PowerShell cmdlet. If this is the first time you are running the assessment, you can access it from your PowerShell command line by invoking:

Install-Module ZeroTrustAssessment 
Invoke-ZTAssessment

For subsequent runs of the assessment, use Import-Module instead:

Import-Module ZeroTrustAssessment
Invoke-ZTAssessment

What version of PowerShell do I need?

This tool requires PowerShell 7.0 or higher; it will not run on any version of PowerShell below 7.0. PowerShell 7.0 or later can be downloaded from Microsoft.

How does this app work?

This app uses Microsoft Graph to read the tenant configuration and provides recommendations on improving the end-to-end security configuration.
When you run the cmdlet, you will be prompted to log in to your Entra ID tenant. It is recommended to use a non-guest account for logging in. For example, if your tenant domain name is contoso.onmicrosoft.com, you should log in with an account similar to <signin-name>@contoso.onmicrosoft.com.

What options are available with this tool?

You can specify whether telemetry on the usage of this cmdlet is collected. The only telemetry collected is the Entra ID tenant ID (GUID) that the cmdlet is being run against. No other personal or tenant information is collected.

The switch available is -EnableTelemetry and it defaults to $true. The two values for this switch are:

  • $true, which is the default value, indicates that the Entra ID tenant ID (GUID) will be collected
  • $false indicates that the Entra ID tenant ID (GUID) will NOT be collected

An example of running the cmdlet with telemetry enabled is:

Invoke-ZTAssessment -EnableTelemetry $true

What are the permissions required for this app?

  • The app requires Application Admin to consent to the following read-only permissions.
    • Agreement.Read.All
    • CrossTenantInformation.ReadBasic.All
    • Directory.Read.All
    • Policy.Read.All
    • User.Read
    • DeviceManagementServiceConfig.Read.All
    • DeviceManagementConfiguration.Read.All
    • DeviceManagementRBAC.Read.All
    • DeviceManagementApps.Read.All
    • RoleAssignmentSchedule.Read.Directory
    • RoleEligibilitySchedule.Read.Directory
    • PrivilegedEligibilitySchedule.Read.AzureADGroup
  • The app does not store any tenant data and the session is revoked when the user signs out.
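The following script is an added example and is not part of the ZeroTrustAssessment module. It gives a tenant administrator two checks to run around Invoke-ZTAssessment: a prerequisite check for the PowerShell 7.0 requirement and the installed module, and an audit that compares the scopes granted to the current Microsoft Graph session against the read-only permission list documented above, flagging anything missing, unexpected, or write-capable. It assumes the Microsoft.Graph.Authentication module is installed so that Get-MgContext is available, and that the assessment signs in through the Graph PowerShell SDK so Get-MgContext reflects that session; if it does not, the granted scopes can be passed in explicitly.

```powershell
# Added example, not the ZeroTrustAssessment module's own code.
# Assumes the Microsoft.Graph.Authentication module (Get-MgContext) is installed.

# The documented read-only permission set for the assessment (copied from the page).
$DocumentedScopes = @(
    'Agreement.Read.All'
    'CrossTenantInformation.ReadBasic.All'
    'Directory.Read.All'
    'Policy.Read.All'
    'User.Read'
    'DeviceManagementServiceConfig.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementRBAC.Read.All'
    'DeviceManagementApps.Read.All'
    'RoleAssignmentSchedule.Read.Directory'
    'RoleEligibilitySchedule.Read.Directory'
    'PrivilegedEligibilitySchedule.Read.AzureADGroup'
)

function Test-ZTPrerequisites {
    # Returns $true when the host meets the documented requirements.
    $version = $PSVersionTable.PSVersion
    if ($version.Major -lt 7) {
        Write-Warning "PowerShell $version found; the assessment requires 7.0 or later."
        return $false
    }
    if (-not (Get-Module -ListAvailable -Name ZeroTrustAssessment)) {
        Write-Warning "ZeroTrustAssessment is not installed; run: Install-Module ZeroTrustAssessment"
        return $false
    }
    return $true
}

function Test-ZTGrantedScopes {
    # Compares granted Graph scopes with the documented list.
    # -GrantedScopes defaults to the current Graph SDK session (assumption:
    # the assessment signed in through the SDK); pass a list to override.
    param(
        [string[]]$GrantedScopes,
        [string[]]$Expected = $DocumentedScopes
    )
    if (-not $GrantedScopes) {
        $ctx = Get-MgContext
        if (-not $ctx) {
            Write-Warning 'No Microsoft Graph session found; sign in first or pass -GrantedScopes.'
            return $null
        }
        $GrantedScopes = $ctx.Scopes
    }

    [pscustomobject]@{
        # Documented scopes the session does not have: the assessment may fail some checks.
        Missing    = @($Expected | Where-Object { $_ -notin $GrantedScopes })
        # Scopes outside the documented list: review why they were consented.
        Unexpected = @($GrantedScopes | Where-Object { $_ -notin $Expected })
        # Any write-capable scope contradicts the read-only claim and should be investigated.
        Write      = @($GrantedScopes | Where-Object { $_ -match 'ReadWrite|\.Write' })
    }
}

# Usage:
#   Test-ZTPrerequisites                       # before Install-Module / Invoke-ZTAssessment
#   Test-ZTGrantedScopes | Format-List         # after the assessment's sign-in prompt
#   Test-ZTGrantedScopes -GrantedScopes (Get-MgContext).Scopes | Format-List
```

Running Test-ZTGrantedScopes with an empty Write list and an empty Unexpected list confirms that the consent granted to the session matches the read-only set the page documents; a non-empty Write list means the tenant granted more than the assessment needs and the consent should be reviewed.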

What is the output generated by this app?

The spreadsheet generated by the assessment includes a template of the roadmap that will be used during the workshop as well as the results of the assessment based on your tenant configuration.