This repo has now moved to the follow location - Azure Rediness Check
This PowerShell script helps customers validate their Azure environment meets the necessary prerequisites before onboarding to CrowdStrike's Falcon Cloud Security solution. It performs comprehensive checks across Azure subscriptions and tenant root management group.
- Owner Status: Verifies required owner permissions at tenant level
- Global Administrator: Checks if the user has Global Administrator role
- User Access Administrator: Verifies if the user has User Access Administrator role or elevated access
- Policy Assignments: Identifies potential policy conflicts at tenant level
- Owner Status: Verifies required owner permissions
- Provider Registration: Validates required Azure providers
- Microsoft.Insights
- Microsoft.Management
- Microsoft.EventHub
- Microsoft.PolicyInsights
- Diagnostic Settings: Checks activity log export configuration (optimal: < 5 logs)
- Policy Assignments: Identifies potential policy conflicts
- Require a tag and its value on resources
- Require a tag and its value on resource groups
- Require a tag on resources
- Require a tag on resource groups
- Allowed locations
- Allowed locations for resource groups
- Allowed resource types
- Owner: True (required for onboarding)
- Global Administrator: True (provides additional capabilities)
- User Access Administrator: True (provides necessary permissions)
- Provider: Registered (required for functionality)
- Diagnostic Settings: Count < 5 (optimal configuration)
- Policies: False (no conflicting policies)
- Owner: False (insufficient permissions)
- Global Administrator: False (limited capabilities)
- User Access Administrator: False (limited permissions)
- Provider: Not Registered (missing requirements)
- Diagnostic Settings: Count >= 5 (potential issues)
- Policies: True (potential conflicts)
- Azure PowerShell module installed (for local execution)
- Sufficient permissions to read configurations
- Active Azure subscription
# Run the script locally
./Get-PreReqs.ps1# Run in Azure Cloud Shell (PowerShell)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/mikedzikowski/AzureFalconCloudSecurityPreReqs/main/Get-PreReqs.ps1" -OutFile "Get-PreReqs.ps1"
./Get-PreReqs.ps1Note: Azure Cloud Shell comes with Azure PowerShell modules pre-installed, making it an ideal option for quick checks without local setup.
=== Checking Tenant Root Management Group ===
Scope: /providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Owner Check:
✓ Is Owner: True
Global Administrator Check:
✓ Is Global Administrator: True
User Access Administrator Check:
✓ Is User Access Administrator: True
Policy Checks:
✓ Require a tag and its value on resources: False
✓ Allowed locations: False
=== Checking Subscription ===
Scope: /subscriptions/xxxx-xxxx-xxxx-xxxx
Provider Checks:
✓ Provider Microsoft.Insights is registered
✓ Provider Microsoft.Management is registered
✓ Provider Microsoft.EventHub is registered
✓ Provider Microsoft.PolicyInsights is registered
Owner Check:
✓ Is Owner: True
Diagnostic Settings Check:
✓ Activity Logs Exported: 2
Policy Checks:
✓ Require a tag and its value on resources: False
✓ Allowed locations: False
- If you see "Is Global Administrator: False", you can manage Global Administrator roles at: https://portal.azure.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles/adminUnitObjectId//resourceScope/%2F
- If you see "Is User Access Administrator: False", you can enable this at: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties
- If you see "Activity Logs Exported: 5" or higher, you can manage Activity Log settings at: https://portal.azure.com/#view/Microsoft_Azure_Monitoring/DiagnosticsLogsBlade/
This script is designed to help identify any potential blockers or configuration issues that need to be addressed before proceeding with Falcon Cloud Security onboarding. If you see any 🔴 indicators, please review the requirements documentation or contact CrowdStrike Support for assistance.