Commit

Add EntraID General tasks from @LuemmelSec
Mathieu Saulnier authored and Mathieu Saulnier committed Aug 25, 2023
1 parent f43d6a7 commit bca06e8
Showing 2 changed files with 13 additions and 2 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -481,9 +481,9 @@ pip3 install -r requirements.txt
Help PlumHound grow and be a great tool for Blue and Purple Teams. We've created the initial proof of concept and are committed to continuing the maturity of PlumHound to leverage the power of BloodHoundAD into continual security improvement processes. Community involvement is what makes this industry great!
* [Black Hills Information Security](https://www.blackhillsinfosec.com) - @[BHInfoSecurity](https://twitter.com/BHinfoSecurity) - [Discord](https://discord.gg/J4UJPgG)
* [Defensive Origins](https://www.defensiveorigins.com) - [@DefensiveOGs](https://twitter.com/DefensiveOGs) - [Git](https://github.com/DefensiveOrigins)
* Kent Ickler - @[Krelkci](https://twitter.com/Krelkci) - [Git](https://github.com/Relkci)
* Kent Ickler - [@Krelkci](https://twitter.com/Krelkci) - [Git](https://github.com/Relkci)
* Jordan Drysdale - [@Rev10D](https://twitter.com/Rev10D) - [Git](https://github.com/rev10d)
* Mathieu Saulnier - Scoubi
* Mathieu Saulnier - [@Scoubi](https://twitter.com/ScoubiMtl) - [Git](https://github.com/Scoubi)


# License
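
Review bot: In the new Mathieu Saulnier entry, the link text `@Scoubi` does not match the linked Twitter account `ScoubiMtl`, whereas the Kent Ickler and Jordan Drysdale entries display the same handle that appears in the URL; consider showing `@ScoubiMtl` so the handle can be found as written. These contributor-list edits are also unrelated to the commit subject (adding the EntraID task file) and would be easier to audit as a separate commit.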
11 changes: 11 additions & 0 deletions tasks/EntraID-General.tasks
@@ -0,0 +1,11 @@
[ "Return all Members of the 'Global Administrator' Role", "HTMLCSV", "EID-GlobalAdmin", "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" ]
[ "Return all Members of High Privileged Roles", "HTMLCSV", "EID-HighPriv", "MATCH p=(n)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator') RETURN p" ]
[ "Return all Members of High Privileged Roles that are synced from OnPrem AD", "HTMLCSV", "EID-HighPrivSyncUsers", "MATCH p=(n WHERE n.onpremisesyncenabled = true)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR') RETURN p" ]
[ "Return all Azure Users that are synced from OnPrem AD", "HTMLCSV", "EID-SyncUsers", "MATCH (n:AZUser WHERE n.onpremisesyncenabled = true) RETURN n" ]
[ "Return all Azure Groups that are synced from OnPrem AD", "HTMLCSV", "EID-SyncGroups", "MATCH (g:AZGroup {onpremsyncenabled: True}) RETURN g" ]
[ "Return all Azure Subscriptions", "HTMLCSV", "EID-AzureSubs", "MATCH (n:AZSubscription) RETURN n" ]
[ "Return all Azure Subscriptions and their direct Controllers", "HTMLCSV", "EID-SubAndControlers", "MATCH p = (n)-[r:AZOwns|AZUserAccessAdministrator]->(g:AZSubscription) RETURN p" ]
[ "Return all principals with the UserAccessAdministrator Role against Subscriptions", "HTMLCSV", "EID-SubUserAccessAdmin","MATCH p = (u)-[r:AZUserAccessAdministrator]->(n:AZSubscription) RETURN p" ]
[ "Return all prinicpals with the UserAccessAdministrator Role", "HTML", "EID-AllUserAccessAdmin", "MATCH p = (u)-[r:AZUserAccessAdministrator]->(n) RETURN p" ]
[ "Return all Azure Users that DON'T hold an Azure Role but the RBAC Role 'User Access Administrator'", "HTMLCSV", "EID-UserNoRoleButAdmin", "MATCH (u:AZUser) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u" ]
[ "Return all Azure Principals that DON'T hold an Azure Role but the RBAC Role 'User Access Administrator'", "HTMLCSV", "EID-PrincipalNoRoleButAdmin", "MATCH (u) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u"]
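
Review bot: The sync filter property is spelled two ways in this file: EID-HighPrivSyncUsers and EID-SyncUsers test `n.onpremisesyncenabled = true`, while EID-SyncGroups tests `{onpremsyncenabled: True}`. A misspelled property in Cypher matches nothing rather than raising an error, so one of these reports can come back empty and be read as a clean result; confirm the property name against the ingested AZUser and AZGroup nodes and use one spelling throughout. The role list in EID-HighPrivSyncUsers also omits Domain Name Administrator, Hybrid Identity Administrator and External Identity Provider Administrator, which EID-HighPriv includes, so synced holders of those three roles are not reported unless that omission is intended. Smaller points: EID-AllUserAccessAdmin is the only task with output `HTML` instead of `HTMLCSV`, its title has the typo "prinicpals", and the output name `EID-SubAndControlers` is misspelled.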
