Saturday, January 28, 2023
Hi All,
A few hours ago, Microsoft released version 16.0.23311.12000 of the Microsoft.Online.SharePoint.PowerShell module to the PowerShell Gallery.
Microsoft.Online.SharePoint.PowerShell 16.0.23311.12000
Check the installed Version and what is available from the PowerShell Gallery
Get-InstalledModule Microsoft.Online.SharePoint.PowerShell
Find-Module Microsoft.Online.SharePoint.PowerShell
Uninstall the old Version and install the new Version of the Module
Uninstall-Module Microsoft.Online.SharePoint.PowerShell
Install-Module Microsoft.Online.SharePoint.PowerShell
Get-InstalledModule Microsoft.Online.SharePoint.PowerShell
List the Commands of the Module
Get-Command -Module Microsoft.Online.SharePoint.PowerShell
Connect to SharePoint Online (use the -admin URL of your tenant)
Connect-SPOService -Url https://icewolfch-admin.sharepoint.com
Get some Settings
Get-SPOTenant | fl
Regards
Andres Bohren
Thursday, January 26, 2023
Hi All,
Test-Message -Sender m.muster@icewolf.ch -Recipients postmaster@icewolf.ch -SendReportTo a.bohren@icewolf.ch -TransportRules -UnifiedDLPRules
Let's have a look at my Transport Rules
Get-TransportRule
Now I get two reports: a "Transport Rule Tracing Report"
and a "DLP Rules Tracing Report"
Regards
Andres
Hi All,
I recently had a case where I needed to access the Azure AD sign-in logs with PowerShell.
I started at the Azure AD Sign-in Logs blade and filtered by UPN.
The next step was Graph Explorer, where I found the needed permissions.
###############################################################################
# Graph Explorer
###############################################################################
#Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')
Let's connect with these permissions (they need admin consent, and I already have that)
#Import-Module and Connect to Microsoft Graph
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes AuditLog.Read.All,Directory.Read.All
By default you only get the first page of results, which is 1000 rows
#Get Signins
$Signins = Get-MgAuditLogSignIn
$Signins.Count
Let's check the Details of one Record
#Show Details of one Record
$Signins[0] | fl
Do we have SignIns where RiskState is set?
#List RiskState
$Signins | where {$_.RiskState -ne "none"}
By using a filter you can search by UPN, and with the "-All" parameter the cmdlet pages through all records that match the filter
###############################################################################
# Use query parameters to customize responses
# https://docs.microsoft.com/en-us/graph/query-parameters
###############################################################################
#Search for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')"
$Signins.Count
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -All
$Signins.Count
Now we keep only the sign-ins where Conditional Access evaluated to "success", sort by date and show only the attributes I am interested in. Note that ConditionalAccessStatus is the Conditional Access verdict, not the sign-in result itself; whether the sign-in succeeded is in Status.ErrorCode (0 = success).
#List Details
$Signins | where {$_.ConditionalAccessStatus -eq "success"} | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
If you just need the last couple of sign-ins, limit the request with -Top
#Get latest 10 Signins for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -Top 10
$Signins | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
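As an added example that is not part of the original post, the queries above combined into one function: it pulls a user's sign-ins for a look-back window with -All and a createdDateTime filter, separates the real sign-in result (Status.ErrorCode) from the Conditional Access verdict, and summarises failures by error code and source IP so an unfamiliar location or a brute-force pattern stands out. It assumes an existing Connect-MgGraph session with the scopes above; the function name, UPN and window are placeholders of mine.

```powershell
# Added example, not the post's own code. Assumes Microsoft.Graph.Reports and a session
# opened with Connect-MgGraph -Scopes AuditLog.Read.All,Directory.Read.All.
Import-Module Microsoft.Graph.Reports

function Get-SignInSummary {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Days = 7
    )
    # Graph wants ISO 8601 UTC timestamps in $filter; the signIns endpoint supports
    # 'ge' on createdDateTime and 'eq' / 'startsWith' on userPrincipalName
    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter  = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    $signins = @(Get-MgAuditLogSignIn -Filter $filter -All)

    # Status.ErrorCode is the actual sign-in result (0 = success);
    # ConditionalAccessStatus only tells you what Conditional Access decided
    $failed = @($signins | Where-Object { $_.Status.ErrorCode -ne 0 })
    $risky  = @($signins | Where-Object {
        $_.RiskState -ne 'none' -or $_.RiskLevelDuringSignIn -notin @('none', 'hidden')
    })

    [pscustomobject]@{
        User         = $UserPrincipalName
        Since        = $since
        Total        = $signins.Count
        Failed       = $failed.Count
        Risky        = $risky.Count
        # failure reasons grouped by error code, most frequent first
        FailureCodes = $failed | Group-Object { $_.Status.ErrorCode } |
                           Sort-Object Count -Descending |
                           ForEach-Object { "$($_.Name) x$($_.Count): $($_.Group[0].Status.FailureReason)" }
        # source IPs with the country Graph resolved them to, most frequent first
        SourceIPs    = $signins | Group-Object IPAddress | Sort-Object Count -Descending |
                           ForEach-Object { "$($_.Name) [$($_.Group[0].Location.CountryOrRegion)] x$($_.Count)" }
        # which clients and apps were used, to spot legacy protocols or unexpected apps
        Clients      = $signins | Group-Object ClientAppUsed, AppDisplayName |
                           ForEach-Object { "$($_.Name) x$($_.Count)" }
    }
}

# usage (placeholder UPN from the post)
Get-SignInSummary -UserPrincipalName 'a.bohren@icewolf.ch' -Days 7 | Format-List
```

RiskLevelDuringSignIn shows "hidden" when the tenant has no Azure AD Premium P2 licence, which is why the risky filter treats it like "none"; RiskState is populated regardless.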
Hope that helps you to get started. Now you can build your own queries on top of that.
Happy coding.
Regards
Andres Bohren
Hi All,
Microsoft has released another version of their MSIdentityTools PowerShell module to the PowerShell Gallery.
MSIdentityTools 2.0.36
Check what Version of the Module is installed and what's available in the PowerShell Gallery
Get-InstalledModule MSIdentityTools
Find-Module MSIdentityTools
Uninstall the old version of the PowerShell Module and install the newest one
Uninstall-Module MSIdentityTools
Install-Module MSIdentityTools
Get-InstalledModule MSIdentityTools
To see what commands are available use the following command
Get-Command -Module MSIdentityTools
To get the Signin URL you can use the following Command
Get-MsIdAuthorityUri -TenantId icewolfch.onmicrosoft.com
To get the OpenIDConnect Configuration you can use this Command
Get-MsIdAuthorityUri -TenantId icewolfch.onmicrosoft.com | Get-MsIdOpenIdProviderConfiguration
Regards
Andres Bohren
Wednesday, January 25, 2023
Hi All,
Just a few Hours ago, Microsoft has released a new Version of the WhiteboardAdmin PowerShell Module for Microsoft 365.
Release Notes:
Fixes Get-WhiteboardsForTenant repetitive auth prompt issue. Includes some improvements for help comments and verbose messages
WhiteboardAdmin 1.10.0
Let's check what Version is installed and what's available from the PowerShell Gallery
Get-InstalledModule WhiteboardAdmin
Find-Module WhiteboardAdmin
Let's uninstall the old Module and install the current one
Uninstall-Module WhiteboardAdmin
Install-Module WhiteboardAdmin
Get-InstalledModule WhiteboardAdmin
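The check-uninstall-install cycle above is run by hand in this post and in the MSIdentityTools and Microsoft.Online.SharePoint.PowerShell posts on this page. As an added helper that is not from any of those posts, here it is as one function that only replaces the module when the gallery really is newer, removes every installed copy (a plain Uninstall-Module leaves older side-by-side versions behind), pins the install to the version it compared against, and reports the Authenticode signer of the installed manifest. It assumes PSGallery as the repository; the function name is mine.

```powershell
# Added helper, not the posts' own code. Assumes the modules come from PSGallery.
function Update-ModuleIfNewer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Repository = 'PSGallery'
    )
    $installed = @(Get-InstalledModule -Name $Name -AllVersions -ErrorAction SilentlyContinue)
    $gallery   = Find-Module -Name $Name -Repository $Repository

    # [version] handles plain x.y.z.w strings; a prerelease tag (1.2.3-preview) would need stripping first
    $newest = $installed | Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if ($newest -and [version]$newest.Version -ge [version]$gallery.Version) {
        return [pscustomobject]@{
            Module = $Name; Installed = $newest.Version; Gallery = $gallery.Version; Action = 'none'
        }
    }

    # Uninstall-Module refuses a module that is loaded in the session, so unload it first
    Remove-Module -Name $Name -ErrorAction SilentlyContinue
    if ($installed.Count -gt 0) {
        Uninstall-Module -Name $Name -AllVersions -Force
    }
    # pin to the version that was compared, so a publish between Find and Install cannot slip in
    Install-Module -Name $Name -Repository $Repository -RequiredVersion $gallery.Version
    $now = Get-InstalledModule -Name $Name

    # Microsoft's modules ship Authenticode-signed manifests; surface signer and status
    $manifest  = Join-Path $now.InstalledLocation "$Name.psd1"
    $signature = Get-AuthenticodeSignature -FilePath $manifest
    [pscustomobject]@{
        Module    = $Name
        Installed = $now.Version
        Gallery   = $gallery.Version
        Action    = 'updated'
        Signer    = $signature.SignerCertificate.Subject
        Status    = $signature.Status
    }
}

# usage: the three modules updated on this page
'Microsoft.Online.SharePoint.PowerShell', 'MSIdentityTools', 'WhiteboardAdmin' |
    ForEach-Object { Update-ModuleIfNewer -Name $_ } | Format-Table -AutoSize
```

If the old copy was installed for all users, the Uninstall-Module step needs an elevated session; a Status other than "Valid" on the signature check is worth a look before you import the module.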
List the Commands of the Module
Get-Command -Module WhiteboardAdmin
Get-WhiteboardSettings
Get-WhiteboardsForTenant -Geography [Worldwide/Europe/Australia]
Get-Whiteboard -UserId [AzureADObjectID]
Regards
Andres Bohren
Tuesday, January 24, 2023
Hi All,
Did you notice, that there is a new Look in Office for the web?
The new look of Office
It applies to all Office on the Web Applications like PowerPoint, Excel and Word.
Regards
Andres Bohren
Hi All,
In January 2024, the legacy multifactor authentication and self-service password reset policies will be deprecated and you'll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.
How to migrate MFA and SSPR policy settings to the Authentication methods policy for Azure AD (preview)
First review current Policies:
- MFA policy
- SSPR policy (if used)
- Authentication methods policy (if used)
Enable "Allow use of Microsoft Authenticator OTP"
Let's start the Migration
Let's try to finish the Migration
Apparently, we need to remove the authentication methods from the legacy MFA and SSPR policies first.
Remove the authentication methods in the legacy MFA portal
Remove the authentication methods in SSPR
Let's try again to finish the Migration
This time it has worked
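As an added example that is not part of the original post, the same review and the final step of the migration done with Microsoft Graph PowerShell instead of the portal: it lists the state of every method in the unified Authentication methods policy together with the policy's migration state, shows the Microsoft Authenticator configuration (the "Allow use of Microsoft Authenticator OTP" switch corresponds to its isSoftwareOathEnabled property), and sets the migration to complete. It assumes the Microsoft.Graph.Identity.SignIns module and an account holding Policy.Read.All, plus Policy.ReadWrite.AuthenticationMethod for the last call; the function name is mine.

```powershell
# Added example, not the post's own code. Assumes Microsoft.Graph.Identity.SignIns.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.AuthenticationMethod'

function Get-AuthMethodPolicyOverview {
    $policy = Get-MgPolicyAuthenticationMethodPolicy
    [pscustomobject]@{
        # preMigration / migrationInProgress / migrationComplete
        MigrationState = $policy.PolicyMigrationState
        # one line per method: id and whether it is enabled or disabled in the unified policy
        Methods        = $policy.AuthenticationMethodConfigurations |
                             ForEach-Object { "$($_.Id): $($_.State)" }
    }
}

# 1. review before (and after) the migration
Get-AuthMethodPolicyOverview | Format-List

# 2. per-method detail; derived-type properties such as isSoftwareOathEnabled
#    surface in AdditionalProperties on the generic configuration object
$auth = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator'
$auth | Select-Object Id, State
$auth.AdditionalProperties['isSoftwareOathEnabled']

# 3. mark the migration complete; as the post shows, Azure AD rejects this while the
#    legacy MFA and SSPR policies still list methods, so empty those first
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{ policyMigrationState = 'migrationComplete' }
(Get-MgPolicyAuthenticationMethodPolicy).PolicyMigrationState
```

Running the overview before and after the portal steps gives you a record of which methods were enabled at each point, which is handy if a user suddenly cannot register a method after the switch.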
Regards
Andres Bohren
Friday, January 20, 2023
Hi All,
The Exchange Server Update Dashboard in Microsoft 365 Admin Center was announced at MEC 2022 in September 2022.
In my Tenant this is now available in Preview.
As you can see all my OnPrem Exchange Servers are in a supported state
And also the Exchange Server have the latest Cumulative Update and Security Update installed
Hope this helps to keep your Hybrid Exchange Infrastructure up to date.
Regards
Andres Bohren
Thursday, January 19, 2023
Hi All,
- Azure AD Application Registration
- Permission: Office 365 Exchange Online > Exchange.ManageAsApp
- Add AAD App to Azure AD Role "Exchange Administrator" or "Exchange Recipient Administrator"
This article is about custom RBAC roles and application authentication:
- Azure AD Application Registration
- Permission: Office 365 Exchange Online > Exchange.ManageAsApp
- Create an Exchange Online service principal for the Azure AD app
- Create a role group and assign the service principal (and a CustomRecipientWriteScope if you want)
Notes from the field: Using app-only authentication with customized RBAC roles in Exchange Online
I've created an Azure AD App Registration
Uploaded a Certificate
Add Permission
Add Permission > APIs my organization uses > Office 365 Exchange Online > Exchange.ManageAsApp
Grant Admin Consent
You need to create an Exchange Service Principal.
For that you need the ObjectID of the Enterprise Application
###############################################################################
# Get AzureAD Application with Microsoft.Graph PowerShell
###############################################################################
Connect-MgGraph -Scopes 'Application.Read.All'
$ServicePrincipalDetails = Get-MgServicePrincipal -Filter "DisplayName eq 'Demo-EXO-RBAC-PS'"
$ServicePrincipalDetails
###############################################################################
# Create Exchange Service Principal
###############################################################################
Connect-ExchangeOnline
New-ServicePrincipal -AppId $ServicePrincipalDetails.AppId -ServiceId $ServicePrincipalDetails.Id -DisplayName "EXO Serviceprincipal $($ServicePrincipalDetails.Displayname)"
Get-ServicePrincipal | where {$_.AppId -eq "341772e9-4f7a-4444-9b2c-66620d27aec0"}
Create the management scope with the recipient filter below. Please note that only the "Sitzungszimmer" mailbox matches the management scope
###############################################################################
#Management Scope
###############################################################################
Filterable properties for the RecipientFilter parameter on Exchange cmdlets
https://learn.microsoft.com/en-us/powershell/exchange/recipientfilter-properties?view=exchange-ps
Get-ManagementScope
Get-Recipient -RecipientPreviewFilter "(City -eq 'Zürich') -and (RecipientTypeDetails -eq 'RoomMailbox')"
I've already documented how to create a management role in Exchange and Exchange Online
###############################################################################
#Get-ManagementRole
###############################################################################
Get-ManagementRole -Identity "ICE-UserPhoto"
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"
Now let's put it all together. Assign the app the role "ICE-UserPhoto" with "ZH Rooms" as the custom recipient write scope
###############################################################################
#New-RoleGroup
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
New-RoleGroup -Name 'Icewolf-UserPhoto' -Roles "ICE-UserPhoto" -CustomRecipientWriteScope "ZH Rooms"
Add-RoleGroupMember -Identity "Icewolf-UserPhoto" -Member $ServiceId
Note that adding a member to a role group triggers an alert
###############################################################################
#Get-RoleGroup
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
Get-RoleGroup | where {$_.Members -Match $ServiceId} | fl
###############################################################################
#Get-ManagementRoleAssignment
###############################################################################
Get-ManagementRoleAssignment | where {$_.Role -match "ICE-UserPhoto"} | fl
You can see the Permissions also in the Classic Exchange Online Admin Center
I recently noticed that there exists a new Menu Item Roles > Admin Roles in the Exchange Admin Center
Let's connect with the App and the Certificate
###############################################################################
#Connect-ExchangeOnline with AppId and Certificate
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$CertificateThumbprint = "07eff3918f47995eb53b91848f69b5c0e78622fd"
$TenantId = "icewolfch.onmicrosoft.com"
Connect-ExchangeOnline -AppId $AppID -CertificateThumbprint $CertificateThumbprint -Organization $TenantId
Get-ConnectionInformation
Get-Command -Module <Module>
Let's try it. I will set a UserPhoto for a Mailbox that is inside the RecipientWriteScope
Set-UserPhoto -Identity Sitzungszimmer@icewolf.ch -PictureData ([System.IO.File]::ReadAllBytes("E:\Temp\AvatarBaby.jpg"))
Get-UserPhoto -Identity Sitzungszimmer@icewolf.ch
What threw me off at first was that Get works also for mailboxes outside the management scope - but remember, the parameter is "CustomRecipientWriteScope"
Get-UserPhoto -Identity Sitzungszimmer@icewolf.ch
Get-UserPhoto -Identity a.bohren@icewolf.ch
It's not possible to Set-UserPhoto for a Mailbox that is Outside the Management Scope / CustomRecipientWriteScope.
And you also get an Error, if no Picture is set on the Mailbox
Set-UserPhoto -Identity SitzungszimmerEiger@icewolf.ch -PictureData ([System.IO.File]::ReadAllBytes("E:\Temp\AvatarBaby.jpg"))
Get-UserPhoto -Identity SitzungszimmerEiger
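As an added end-to-end example that is not the post's own code, the whole procedure in one script: the admin-side setup (management scope from the recipient filter above, a custom role holding only the *-UserPhoto entries, the role group with the write scope, the service principal as member) followed by the app-side check that the write really is confined to the scope. It assumes the Azure AD app registration with Exchange.ManageAsApp and the Exchange service principal (New-ServicePrincipal, above) already exist and that the certificate is in the user's store. AppId, thumbprint, tenant, filter and mailbox names are the post's values and stand in for your own; the parent role for the custom role is looked up rather than assumed, and Test-ScopedWrite is a helper of mine.

```powershell
# Added example, not the post's own code. Values below are the post's placeholders.
Import-Module ExchangeOnlineManagement

$AppId      = '341772e9-4f7a-4444-9b2c-66620d27aec0'
$Thumbprint = '07eff3918f47995eb53b91848f69b5c0e78622fd'
$TenantId   = 'icewolfch.onmicrosoft.com'
$RoleName   = 'ICE-UserPhoto'
$ScopeName  = 'ZH Rooms'
$GroupName  = 'Icewolf-UserPhoto'
$Filter     = "(City -eq 'Zürich') -and (RecipientTypeDetails -eq 'RoomMailbox')"

# ---- 1. Admin side: scope, role, role group ----------------------------------
Connect-ExchangeOnline

# preview which recipients the scope will cover before creating it
Get-Recipient -RecipientPreviewFilter $Filter | Format-Table Name, RecipientTypeDetails, City
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter

# derive the custom role from a built-in role that contains Set-UserPhoto, then strip
# every entry except the *-UserPhoto cmdlets so the app gets exactly those
$ParentRole = (Get-ManagementRoleEntry -Identity '*\Set-UserPhoto' | Select-Object -First 1).Role
New-ManagementRole -Name $RoleName -Parent $ParentRole
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $_.Name -notlike '*-UserPhoto' } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$RoleName\$($_.Name)" -Confirm:$false }
Get-ManagementRoleEntry -Identity "$RoleName\*"      # expect only the *-UserPhoto entries

# role group carries the role plus the write scope; the EXO service principal is its member
$Sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
New-RoleGroup -Name $GroupName -Roles $RoleName -CustomRecipientWriteScope $ScopeName
Add-RoleGroupMember -Identity $GroupName -Member $Sp.ServiceId
Get-ManagementRoleAssignment -RoleAssignee $GroupName | Format-List Role, CustomRecipientWriteScope
Disconnect-ExchangeOnline -Confirm:$false

# ---- 2. App side: prove the scope holds --------------------------------------
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $TenantId
Get-ConnectionInformation | Format-List AppId, CertificateAuthentication, Organization

function Test-ScopedWrite {
    param([string]$Identity, [byte[]]$PictureData)
    try {
        Set-UserPhoto -Identity $Identity -PictureData $PictureData -Confirm:$false -ErrorAction Stop
        [pscustomobject]@{ Mailbox = $Identity; Write = 'allowed' }
    } catch {
        # outside the CustomRecipientWriteScope Exchange refuses the write
        [pscustomobject]@{ Mailbox = $Identity; Write = "denied: $($_.Exception.Message)" }
    }
}

$Picture = [System.IO.File]::ReadAllBytes('E:\Temp\AvatarBaby.jpg')
Test-ScopedWrite -Identity 'Sitzungszimmer@icewolf.ch'      -PictureData $Picture   # in scope
Test-ScopedWrite -Identity 'SitzungszimmerEiger@icewolf.ch' -PictureData $Picture   # outside scope
Get-UserPhoto -Identity 'a.bohren@icewolf.ch'   # reads are not limited by the write scope
```

The negative test is the part worth keeping in your runbook: the expected result is one "allowed" and one "denied" line, and anything else means the scope or the role group membership is not what you think it is.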
Regards
Andres Bohren
Wednesday, January 18, 2023
Hi All,
The Git project has announced security vulnerabilities fixed in Git 2.39.1, so you should update to Git 2.39.1 or later
Git Downloads
Git security vulnerabilities announced
Let's check the Git version before the update
git --version
Now run the update
Let's check the Git version after the update
git --version
Regards
Andres Bohren