Automating ‘Have I Been Pwned’ Breach Checks for Entra ID Groups using PowerShell

by
post views: 5,397

Introduction

In today’s digital landscape, data breaches are unfortunately common. As security-conscious professionals, we need to be proactive about monitoring whether our users’ credentials have been compromised. That’s why I built an automated PowerShell tool that checks Entra ID (Azure AD) group members against the Have I Been Pwned database.

The tool generates professional HTML and PDF reports that are perfect for security audits, compliance documentation, and executive briefings – making it easy to communicate breach findings to both technical and non-technical audiences.

Also, it was Friday evening, and I needed a fun project to wrap up the week – turns out automating security checks is a pretty good way to spend it! 😀

The Challenge

Manually checking each user account for breaches is time-consuming and impractical, especially for larger organizations. I needed a solution that could:

  • Automatically retrieve all members from Entra ID groups
  • Check each email address against Have I Been Pwned’s breach database
  • Generate professional reports for management and compliance
  • Respect API rate limits across different subscription tiers

The Solution

I developed a PowerShell script that integrates Microsoft Graph API with Have I Been Pwned’s API to provide automated, comprehensive breach checking for Entra ID groups.

Key Features

Comprehensive Breach Detection:

  • Checks all group members automatically
  • Shows detailed breach information including dates and exposed data types
  • Identifies multiple breaches per account

Professional Reporting:

  • Generates HTML reports with modern, responsive design
  • Optional PDF generation for archival and distribution
  • Branded with custom colors and styling
  • Clear metrics and executive summaries

Smart Rate Limiting:

  • Supports all five Have I Been Pwned subscription tiers (Pwned 1-5)
  • Automatically calculates optimal delays between API calls
  • Shows estimated processing time before starting
  • Prevents API throttling errors

How It Works

The script follows a straightforward workflow:

  1. Connect to Microsoft Graph – Authenticates with the necessary permissions
  2. Retrieve Group Members – Fetches all users from the specified group(s), including nested groups
  3. Check Each Email – Queries the Have I Been Pwned API for each unique email address
  4. Generate Reports – Creates detailed HTML (and optionally PDF) reports with all findings

Usage Example

Here’s how simple it is to run:

.\Check-GroupMembersHaveIBeenPwned.ps1 -GroupName "Team imab.dk" -ApiKey "your-hibp-api-key" -RateLimitPerMinute '10' -GeneratePdf

The script will:

  • Connect to your Entra ID tenant
  • Find all members of the “Team imab.dk” group
  • Check each email address for breaches
  • Generate both HTML and PDF reports
  • Show you a complete summary of findings

Security Considerations

This tool is designed with security in mind:

  • API Keys: Never hardcoded; passed as parameters
  • Authentication: Uses Microsoft Graph with proper OAuth authentication
  • Permissions: Only requires Group.Read.All and User.Read.All

Technical Implementation

The script is built using:

  • Microsoft Graph PowerShell SDK: Official Microsoft module for Entra ID access
  • Have I Been Pwned API: Latest API version with hibp-api-key authentication
  • HaveIBeenPwned PowerShell Module: Community module for HIBP API integration

Use Cases

This tool is perfect for:

  • Regular Security Audits: Schedule monthly or quarterly breach checks
  • High-Security Groups: Monitor privileged access accounts
  • Compliance Requirements: Document security monitoring for audits
  • Incident Response: Quick assessment after public breach announcements
  • Executive Reporting: Professional reports for management briefings

Getting Started

Prerequisites

  1. Have I Been Pwned API key (subscribe at https://haveibeenpwned.com/API/Key)
  2. Microsoft Graph PowerShell SDK
  3. HaveIBeenPwned PowerShell Module
  4. Entra ID permissions (Group.Read.All, User.Read.All)

Download

Find the complete script on my GitHub page: imabdk/EntraID-HIBP-BreachChecker

Conclusion

Proactive security monitoring is essential in today’s threat landscape. This tool makes it easy to regularly check whether your Entra ID users’ credentials have been compromised in data breaches, providing actionable intelligence with minimal effort.

Disclaimer

This script is provided “as-is” without any warranties or guarantees. While I’ve tested it thoroughly in my own environment, you should always review and test any script before running it in production. Use at your own risk and always follow your organization’s security and change management policies.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.