Microsoft Entra has become the central identity and access management platform for many modern organizations in 2025. Entra handles authentication, authorization, policies, governance, and many other functions. With most configurations being in flux from day to day and week to week, admins need a reliable way to capture configuration state. It would be very helpful to capture this state and track changes over time. When you have a historical record, you can then roll back when needed. This is where the open-source project EntraExporter comes into play. Recently, version 3 of the tool was released. Let’s see what EntraExporter is, and what new features are included in the new release.
What is EntraExporter?
The EntraExporter tool connects to your Microsoft Entra tenant and uses the Microsoft Graph API to collect information and metadata about your config. The configuration data is then written into JSON files on disk. From here you can commit it to Git, archive it, or compare it with previous exports to understand drift and changes over time.
This helps solve a very challenging problem: how can you version control your identity configuration? What can you track with EntraExporter? You can track things like:
- Conditional access
- MFA policies
- PIM roles
- App registrations
- User settings
- Group memberships
- Etc…
The good thing is you can use the exported information as part of a nightly or weekly governance or security audit. This can be especially helpful for compliance audits and reviews.

Looking at what is new in version 3
The recent release of EntraExporter is a major update. In the notes for the latest release, the maintainers tout much improved performance and reliability. Note the following enhancements that have found their way into v3.

| Feature or Improvement (from v3.0.1 Release Notes) | What It Means for Administrators |
|---|---|
| Improved export performance with Microsoft Graph batch endpoints instead of sequential calls | You get faster exports with less throttling, which is important in large tenants. Administrators can now run exports more frequently without long waits. |
| Better PIM export logic in this version to use new Privileged Identity Management API | It has more accurate exports of PIM Directory Roles, PIM Groups and PIM Azure Resource roles. The previous categories (PIMAAD, PIMAzure) are deprecated. |
| New export for IAM (Identity and Access Management) through Azure Resource Graph | Enables you to export subscription, management group and resource level IAM assignments that exist outside of traditional directory objects. Offers broader governance visibility. |
| New Access Policies Export | Adds visibility into Entra Access Package policies, making entitlement management reviews easier. |
| New export type: PIMResources | It allows you to export Azure resource PIM assignments using the new API. Ideal for organizations using just-in-time elevation for resource access. |
| New export type: PIMGroups | It captures PIM assignments for eligible and active role assignments tied to Entra ID groups. Useful for delegated admin models. |
| Now supports Conditional Access Authentication Context export | Lets admins capture Authentication Context definitions that are used by CA policies for app-specific controls. These can be overlooked, so now fully exportable. |
| Export engine refactoring and cleanup | More consistent structure, better error handling and more predictable output folders. Easier to track diffs in Git. |
| Deprecated categories removed or replaced | It helps to reduce confusion and ensures future compatibility with Microsoft Graph. |
| Improved logging, telemetry and error messages | It gives you easier troubleshooting when API calls fail, permissions are missing, or throttling happens. |
With these improvements, it now scales to larger environments. It also will capture a much wider footprint of policies and assignments. These used to be very difficult to track.
How the improvements in EntraExporter v3 will help admins
There has always been the challenge of configuration drift for cloud administrators. There are several scenarios that come to mind as examples. Think about the following and how not having visibility to them can affect security and governance.
- A Conditional Access policy is modified to test an app and never switched back
- A privileged role is assigned temporarily but accidentally remains active
- A Teams or SharePoint setting changes due to an administrator-level permission and suddenly an entire workflow is executing differently
The improvements found in EntraExporter version 3 help to surface these kinds of issues. The new version has much faster configuration exports. This means you can run your exports more often. Since it covers a broader range of configurations, you can have visibility into more of your configuration footprint in Microsoft Entra. The cleaner structure also means you can more easily see and review the differences between versions.
As many orgs move more towards GitOps and DevOps processes, storing the configuration of your Microsoft Entra environment in Git provides many advantages and opens the door to much better automation. Exports can be run from scheduled jobs or even CI/CD pipelines, with notifications triggered if sensitive roles are changed. Pull requests can also be used for reviewing changes.
How to install and use EntraExporter v3
EntraExporter is simple to use. You just need to install the module, and then authenticate with your Entra tenant. Then, you just export your configuration. After the configuration is exported, you can store and version the file in your Git repo.
Install the module:
Install-Module EntraExporter

Connect to Microsoft Entra and run a full export:
Connect-EntraExporter
As part of the connect cmdlet, you will see the normal authentication workflow you are used to when authenticating to Microsoft Entra, including multi-factor authentication.

After entering in your MFA and authentication information, you are successfully connected.

Now to run the export:
Export-Entra -Path "C:\EntraBackup" -All

You can also use Connect-MgGraph with the following scopes, with these notes about permissions:
- When “PIMResources” export is selected, you will need to be granted the RBAC role “Management Group Reader” at the “Tenant Root Group” level
- When “IAM” export is selected, you need to be granted RBAC role “Reader” at the “Tenant Root Group” level
Connect-AzAccount
Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All', 'IdentityProvider.Read.All', 'Organization.Read.All', 'User.Read.All', 'EntitlementManagement.Read.All', 'UserAuthenticationMethod.Read.All', 'IdentityUserFlow.Read.All', 'APIConnectors.Read.All', 'AccessReview.Read.All', 'Agreement.Read.All', 'Policy.Read.PermissionGrant', 'RoleEligibilitySchedule.Read.Directory', 'PrivilegedEligibilitySchedule.Read.AzureADGroup', 'Application.Read.All', 'OnPremDirectorySynchronization.Read.All', 'Teamwork.Read.All', 'TeamworkAppSettings.ReadWrite.All', 'SharepointTenantSettings.Read.All', 'Reports.Read.All', 'RoleManagement.Read.All', 'AuditLog.Read.All'
You can also target specific areas of your Entra environment. This includes things like Conditional Access or groups, etc. Most admins, though, will choose to export everything and filter changes in Git or some type of diff tool.
Also, keep in mind that the module is written to work best with PowerShell 7 or later. The maintainers note that PowerShell 5.1 is still supported, but output formatting is not going to be as clean as with PowerShell 7.
Getting the most out of the new EntraExporter version 3 release
Here are just a few notes to help you get the most out of using the tool with your Microsoft Entra environment. What are those?
- Use Git for your version control – When you use a Git repository, you can store snapshots in a way that gives you historical diffing and branching. In this way, you can treat your identity settings like you do your infrastructure as code environments.
- Run it nightly or as part of a CI workflow – Snapshots that happen regularly can help catch drift early. The module can be run through Windows Task Scheduler, Azure Automation, GitHub Actions or Azure DevOps, just to name a few.
- Make sure you secure the export location – JSON files contained in the export can often include sensitive data. Use access controls and things like encryption and restricted repository visibility.
- Review changes – In a large Entra environment it can help to alert on unexpected modifications, such as a new privileged role assignment or a modified Conditional Access policy.
- Expect some change noise – A large tenant will naturally produce many diffs. Build yourself filters or review processes to surface the more sensitive areas of the configuration to alert on.
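The tips above combine into a single scheduled job: export into a Git working tree, commit the snapshot, and list changes in sensitive areas first so they are not lost in routine noise. This is an added example, not code from the EntraExporter project; it assumes the export path is already a Git clone, the session is already authenticated, and the values in `$SensitivePatterns` are placeholders to replace with the folder names your export actually produces.

```powershell
#Requires -Version 7.0
# Added example. Assumes: $RepoPath is an existing Git clone, the session is
# already authenticated (Connect-EntraExporter), and $SensitivePatterns are
# placeholder substrings to replace with your export's real folder names.
param(
    [string]$RepoPath = 'C:\EntraBackup',
    [string[]]$SensitivePatterns = @('Conditional', 'PIM', 'Role')
)

Export-Entra -Path $RepoPath -All

# Stage everything so new, modified and deleted JSON files are all visible.
git -C $RepoPath add -A
$changes = @(
    git -C $RepoPath -c core.quotepath=false diff --cached --name-status --no-renames |
        ForEach-Object {
            $status, $path = $_ -split "`t", 2
            [pscustomobject]@{
                Status    = $status          # A = added, M = modified, D = deleted
                Path      = $path
                Sensitive = [bool]($SensitivePatterns |
                    Where-Object { $path -match [regex]::Escape($_) })
            }
        }
)

if ($changes.Count -eq 0) {
    Write-Host 'No configuration drift since the last export.'
    return
}

git -C $RepoPath commit --quiet -m "Entra export $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# Sensitive changes first, routine noise after.
$changes | Sort-Object Sensitive -Descending |
    Format-Table Status, Sensitive, Path -AutoSize

$sensitive = @($changes | Where-Object Sensitive)
if ($sensitive.Count -gt 0) {
    Write-Warning "$($sensitive.Count) change(s) touch sensitive areas and need review."
    exit 2   # non-zero exit lets the scheduler or CI job raise a notification
}
```

The non-zero exit code is what a Task Scheduler, Azure Automation or pipeline job keys on to send the alert; the commit history remains the record of what changed and when.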
Keep an eye on your identity with EntraExporter
Security experts will tell you that identity is the new perimeter, especially in cloud SaaS environments. Misconfigurations in identity platforms cause outages, downtime, and can lead to security incidents. The Entra environment is highly dynamic and without having historical snapshots of the configuration, it is difficult to understand how a configuration drifted or when a change was introduced.
EntraExporter v3 will help admins solve these blind spots and help them to have visibility to policies, roles, permissions changes, and configuration decisions. Even for smaller orgs, having a tool that can give you a historical record of configuration is extremely valuable for security audits, compliance checks, and troubleshooting. It gives you the visibility that you wouldn’t have otherwise.
Wrapping up
The EntraExporter v3 release is a very nice upgrade to a tool that already brings value to the Microsoft Entra environment. It gives you the visibility you need to version control your configuration for identity like you would for infrastructure as code. As we saw, it is easy to install the module and get started exporting and diffing your configurations. The ability to treat your cloud configurations and identity management and configuration as code will definitely help admins keep track of configuration drift and establish approval workflows for changes with simple pull requests in Git.