PwnCheck - HaveIBeenPwned Query

You can use this script to query the HaveIBeenPwned database with your on-premises and Office 365 Active Directory user accounts. It's based on the reference API, and allows you to output a CSV of potentially breached accounts. When querying your accounts, you can select AD, Office 365, or both. Additionally, you can choose whether or not to include Azure AD guests (when querying AAD).

You can see examples of usage and more at:

Updates:

Updated to use v3 of the API (which requires you obtain an API key).
Updated to retry on API 429/Too Many Requests error
Added StartDate parameter.
Added PerUserSummaryDisplay parameter.
Added IncludeUnverifiedResults parameter.
Bugfix for adding null $ImportedUsers
Added Identity parameter to take single identity.
Set Identity as default parameter and configured to show Get-Help -Examples if parameter was blank.
Added examples.
Updated header check and output.
Added -ImportUsers parameter to allow you to import a CSV or text file with the header UserPrincipalName.
Added -Timeout parameter to allow user customizable timeout for querying haveibeenpwned.com API

PowerShell

Edit|Remove

<#
.SYNOPSIS
Check accounts in Active Directory and Office 365 against
haveibeenpwned.com database

.PARAMETER ActiveDirectory
Choose to run against Active Directory.

.PARAMETER ApiKey
Your HaveIBeenPwned API key.  This is an authenticated API, so this is now
required.  You can obtain a key from https://haveibeenpwned.com/API/.

.PARAMETER Credential
Standard Credential Object generated via Get-Credential

.PARAMETER Identity
Single identity (in the form of user@domain.tld).

.PARAMETER IncludeGuests
If querying Office 365, choose if you want to include external guests. Otherwise
only objects with type MEMBER are selected.

.PARAMETER IncludeUnverifiedResults
If set to $true, will return breaches that don't have credential content (such
as mailing lists that contain only public information).

.PARAMETER ImportUsers
Import a list of users to check against database.

.PARAMETER InstallModules
Choose if you want to install MSOnline and supporting modules.

.PARAMETER Logfile
Output log file name.

.PARAMETER Office365
Choose to run against Office 365.

.PARAMETER Output
CSV filename for any potentially breached accounts

.PARAMETER PerUserSummaryDisplay
Use this switch to turn on console output for per-user breach summary.  Summary
will be logged regardless.

.PARAMETER StartDate
Use a standard PowerShell DateTime object to filter on breaches reported after a
specified date.

.PARAMETER Timeout
Set the sleep time in milliseconds between API query attempts. Default is 1500.

.EXAMPLE
.\pwncheck.ps1 -Identity user@domain.com -apikey "asdfghjklHIBP"
Run Pwncheck on a particular identity.

.EXAMPLE
.\pwncheck.ps1 -Office365 -Credential $cred -apikey "asdfghjklHIBP"
Run Pwncheck against an Office 365 tenant with the credential stored in $cred.

.EXAMPLE
.\pwncheck.ps1 -Office365 -IncludeGuests -Credential $cred -apikey "asdfghjklHIBP"
Run Pwncheck against an Office 365 tenant (including guest accounts) with the 
credential stored in $cred.

.EXAMPLE
.\pwncheck.ps1 -ActiveDirectory -Office365 -Credential $cred -apikey "asdfghjklHIBP"
Run Pwncheck against Active Directory and Office 365 tenant with credentials
stored in $cred.

.EXAMPLE
.\pwncheck.ps1 -ImportUsers userlist.txt -apikey "asdfghjklHIBP"
Run Pwncheck against imported user list.  You can specify a file with either a
header of 'userprincipalname' or a file with no header at all.

.NOTES
2019-10-09 - Added ApiKey support for v3.  An API Key is required.
		   - Added StartDate parameter.
		   - Renamed parameter BreachedAccountOutput to Output.
		   - Added IncludeUnverifiedResults parameter.
		   - Added PerUserSummaryDisplay parameter.
2019-08-01 - Added init for $ImportedUsers var. H/t @itpro_tipscom
2019-06-11 - Updated header check.
			 Updated to add Identity parameter.
			 Added examples.
		 	 Updated default parameter to identity, and configured to display
			  Get-Help $($MyInvovation.Line).ToString() -Examples to show help
			  data if no identity was specified.
2019-05-10 - Updated header check and output.
2019-05-09 - Updated to allow importing users from CSV and customizable timeout.
2019-02-09 - Updated console output wording.
2018-12-19 - Original release.
#>

<# 
.SYNOPSIS 
Check accounts in Active Directory and Office 365 against 
haveibeenpwned.com database 
 
.PARAMETER ActiveDirectory 
Choose to run against Active Directory. 
 
.PARAMETER ApiKey 
Your HaveIBeenPwned API key.  This is an authenticated API, so this is now 
required.  You can obtain a key from https://haveibeenpwned.com/API/. 
 
.PARAMETER Credential 
Standard Credential Object generated via Get-Credential 
 
.PARAMETER Identity 
Single identity (in the form of user@domain.tld). 
 
.PARAMETER IncludeGuests 
If querying Office 365, choose if you want to include external guests. Otherwise 
only objects with type MEMBER are selected. 
 
.PARAMETER IncludeUnverifiedResults 
If set to $true, will return breaches that don't have credential content (such 
as mailing lists that contain only public information). 
 
.PARAMETER ImportUsers 
Import a list of users to check against database. 
 
.PARAMETER InstallModules 
Choose if you want to install MSOnline and supporting modules. 
 
.PARAMETER Logfile 
Output log file name. 
 
.PARAMETER Office365 
Choose to run against Office 365. 
 
.PARAMETER Output 
CSV filename for any potentially breached accounts 
 
.PARAMETER PerUserSummaryDisplay 
Use this switch to turn on console output for per-user breach summary.  Summary 
will be logged regardless. 
 
.PARAMETER StartDate 
Use a standard PowerShell DateTime object to filter on breaches reported after a 
specified date. 
 
.PARAMETER Timeout 
Set the sleep time in milliseconds between API query attempts. Default is 1500. 
 
.EXAMPLE 
.\pwncheck.ps1 -Identity user@domain.com -apikey "asdfghjklHIBP" 
Run Pwncheck on a particular identity. 
 
.EXAMPLE 
.\pwncheck.ps1 -Office365 -Credential $cred -apikey "asdfghjklHIBP" 
Run Pwncheck against an Office 365 tenant with the credential stored in $cred. 
 
.EXAMPLE 
.\pwncheck.ps1 -Office365 -IncludeGuests -Credential $cred -apikey "asdfghjklHIBP" 
Run Pwncheck against an Office 365 tenant (including guest accounts) with the  
credential stored in $cred. 
 
.EXAMPLE 
.\pwncheck.ps1 -ActiveDirectory -Office365 -Credential $cred -apikey "asdfghjklHIBP" 
Run Pwncheck against Active Directory and Office 365 tenant with credentials 
stored in $cred. 
 
.EXAMPLE 
.\pwncheck.ps1 -ImportUsers userlist.txt -apikey "asdfghjklHIBP" 
Run Pwncheck against imported user list.  You can specify a file with either a 
header of 'userprincipalname' or a file with no header at all. 
 
.NOTES 
2019-10-09 - Added ApiKey support for v3.  An API Key is required. 
           - Added StartDate parameter. 
           - Renamed parameter BreachedAccountOutput to Output. 
           - Added IncludeUnverifiedResults parameter. 
           - Added PerUserSummaryDisplay parameter. 
2019-08-01 - Added init for $ImportedUsers var. H/t @itpro_tipscom 
2019-06-11 - Updated header check. 
             Updated to add Identity parameter. 
             Added examples. 
              Updated default parameter to identity, and configured to display 
              Get-Help $($MyInvovation.Line).ToString() -Examples to show help 
              data if no identity was specified. 
2019-05-10 - Updated header check and output. 
2019-05-09 - Updated to allow importing users from CSV and customizable timeout. 
2019-02-09 - Updated console output wording. 
2018-12-19 - Original release. 
#>