Saturday, November 26, 2022
Hi All,
Some hours ago, Microsoft has released a new Version of the Microsoft.Online.SharePoint.PowerShell Module to the PowerShell Gallery.
Microsoft.Online.SharePoint.PowerShell 16.0.23109.12000
Check what Module Version is installed and what's available from the PowerShell Gallery
Get-InstalledModule Microsoft.Online.SharePoint.PowerShell
Find-Module Microsoft.Online.SharePoint.PowerShell
Uninstall the old Module and install the new Version
Uninstall-Module Microsoft.Online.SharePoint.PowerShell
Install-Module Microsoft.Online.SharePoint.PowerShell
Get-InstalledModule Microsoft.Online.SharePoint.PowerShell
Regards
Andres Bohren
Thursday, November 24, 2022
Hi All,
Since a few Days there is a new Setting in Azure AD User Settings "Tenant creation"
Per default this setting is set to "Yes". Means that a user with can create a new Azure AD Tenant.
"No" means that only users with "Global Administrator" or "Tenant Creator" Admin Role can create Azure AD Tenants.
I can't think much of a Szenario where this should be enabled. So setting this to "No" is a secure configuration.
You can have a look ath the Authorization Policy with the Graph Explorer
GET https://graph.microsoft.com/beta/policies/authorizationPolicy
You can view and change the Setting with PowerShell.
Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.Authorization
Select-MgProfile -Name "beta"
Get-MgPolicyAuthorizationPolicy | fl
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AdditionalProperties | fl
Allow Tenant creation for Users
#Users can create Tenants
$Param = @"
{"allowedToCreateTenants": true}
"@
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions $Param
Disable Tenant creation for users
#Users can't create Tenants
$Param = @"
{"allowedToCreateTenants": false}
"@
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions $Param
Regards
Andres Bohren
Saturday, November 19, 2022
Hi All,
In this Blog Post i explain how to Create and Depoly a PowerShell 7 Runbook for Azure Automation with the AZ PowerShell Module.
#Connect to Azure
Connect-AzAccount
#Get Automation Account
Get-AzAutomationAccount
I have two Azure Automation Accounts. In this Example, we use the second one.
###############################################################################
# Create Runbook
###############################################################################
$accountName = "icewolfautomation"
$rgName = "RG_DEV"
$location = "West Europe"
$RunbookName = "DemoPS7"
$scriptContent = @'
#Connect to Exchange with Managed Identity
$tenant = "icewolfch.onmicrosoft.com"
Connect-ExchangeOnline -ManagedIdentity -Organization $tenant
#Get Accepted Domain
Get-AcceptedDomain | Format-Table DomainName, DomainType
#Disconnect Exchange Online
Disconnect-ExchangeOnline -Confirm:$False
'@
Invoke-AzRestMethod -Method "PUT" -ResourceGroupName $rgName -ResourceProviderName "Microsoft.Automation" `
-ResourceType "automationAccounts" -Name "${AccountName}/runbooks/${RunbookName}" -ApiVersion "2017-05-15-preview" `
-Payload "{`"properties`":{`"runbookType`":`"PowerShell7`", `"logProgress`":false, `"logVerbose`":false, `"draft`":{}}, `"location`":`"${Location}`"}"
Invoke-AzRestMethod -Method "PUT" -ResourceGroupName $rgName -ResourceProviderName "Microsoft.Automation" `
-ResourceType automationAccounts -Name "${AccountName}/runbooks/${RunbookName}/draft/content" -ApiVersion 2015-10-31 `
-Payload "$scriptContent"
The Runbook is now visible in the Azure Portal
###############################################################################
# Publish Runbook
###############################################################################
Publish-AzAutomationRunbook -Name $RunbookName -AutomationAccountName $AccountName -ResourceGroupName $rgName
The Runbook is now published
It contains the code
I've already created Shedules for this Automation Account
###############################################################################
# Get Schedule
###############################################################################
$accountName = "icewolfautomation"
$rgName = "RG_DEV"
Get-AzAutomationSchedule -AutomationAccountName $AccountName -ResourceGroupName $rgName
Get-AzAutomationSchedule -AutomationAccountName $AccountName -ResourceGroupName $rgName -Name "Weekly"
Here are the Schedules in the Portal
###############################################################################
# Link Schedule with Runbook
###############################################################################
$accountName = "icewolfautomation"
$rgName = "RG_DEV"
$scheduleName = "Weekly"
Register-AzAutomationScheduledRunbook -AutomationAccountName $accountName `
-Name $RunbookName -ScheduleName $scheduleName -ResourceGroupName $rgName
Check in the Portal if the schedule is Linked
And finally test the Runbook
This Script is also available on my GitHub Repo
Regards
Andres Bohren
Hi All,
As you might already know, i am a big Fan of Azure Automation.
But i think i have improved the Script a little bit. And finally i explain how to Manage the PowerShell 7 Modules on Azure Automate.
#Connect to Azure
Connect-AzAccount
#Get Automation Account
Get-AzAutomationAccount
#Get Modules
$accountName = 'icewolfautomation'
$rgName = 'RG_DEV'
$ModuleName = "Microsoft.Graph"
$Modules = Get-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgName | Where-Object {$_.Name -match "$ModuleName"}
$Modules
That's the same List as from the Azure Portal
#Remove Module
#For Microsoft.Graph it is important that Microsoft.Graph.Authentication is uninstalled last due to dependencys
Foreach ($Module in $Modules)
{
If ($Module.Name -ne "Microsoft.Graph.Authentication")
{
$ModuleName = $Module.Name
Write-Host "Remove ModuleName: $ModuleName"
Remove-AzAutomationModule -AutomationAccountName $accountName -Name $ModuleName -ResourceGroupName $rgName -Confirm:$False -Force
}
}
$ModuleName = "Microsoft.Graph.Authentication"
Write-Host "Remove ModuleName: $ModuleName"
Remove-AzAutomationModule -AutomationAccountName $accountName -Name $ModuleName -ResourceGroupName $rgName -Confirm:$False -Force
#Add Module
#For Microsoft.Graph it is important that Microsoft.Graph.Authentication is installed first due to dependencys
$ModuleName = "Microsoft.Graph.Authentication"
$moduleVersion = "1.17.0"
New-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgName -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion"
The PowerShell 5 Modules have been removed.
#Add Module
#For Microsoft.Graph it is important that Microsoft.Graph.Authentication is installed first due to dependencys
$ModuleName = "Microsoft.Graph.Authentication"
$moduleVersion = "1.17.0"
New-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgName -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion"
#Wait until Module is installed
Do {
$Module = Get-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgName | Where-Object {$_.Name -match "$ModuleName"}
Write-Host "State: $($Module.ProvisioningState) > Check again in 15 Seconds"
Start-Sleep -Seconds 15
} until ($Module.ProvisioningState -eq "Succeeded")
#Install the Rest of the Modules
$Modules = @()
$Modules += "Microsoft.Graph.Users"
$Modules += "Microsoft.Graph.Users.Actions"
$Modules += "Microsoft.Graph.Groups"
$moduleVersion = "1.17.0"
Foreach ($ModuleName in $Modules)
{
Write-Host "ModuleName: $ModuleName"
New-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgName -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion"
}
The Microsoft.Graph.Authentication will be installed and after the ProvisioningState is succeeded the Rest of the Modules can be installed and the dependencys will be fullfilled.
Voila - Upgrade was sucessful
In the Portal you are able to add PowerShell 7 Modules
As you can see, there is no Parameter to address PowerShell 7 Modules
New-AzAutomationModule
###############################################################################
# GET PS7 Module
###############################################################################
$subscriptionId = "42ecead4-eae9-4456-997c-1580c58b54ba"
$accountName = "icewolfautomation"
$rgName = "RG_DEV"
$ModuleName = "Microsoft.Graph.Authentication"
$Result = Invoke-AzRestMethod `
-Method GET `
-SubscriptionId $subscriptionId `
-ResourceGroupName $rgName `
-ResourceProviderName Microsoft.Automation `
-ResourceType automationAccounts `
-Name $accountName/powershell7Modules/$ModuleName `
-ApiVersion 2019-06-01
($Result.Content | ConvertFrom-Json).Properties
###############################################################################
#Delete PS7 Module
###############################################################################
$subscriptionId = "42ecead4-eae9-4456-997c-1580c58b54ba"
$accountName = "icewolfautomation"
$rgName = "RG_DEV"
$Modules = @()
$Modules += "Microsoft.Graph.Authentication"
$Modules += "Microsoft.Graph.Users"
$Modules += "Microsoft.Graph.Users.Actions"
$Modules += "Microsoft.Graph.Groups"
#For Microsoft.Graph it is important that Microsoft.Graph.Authentication is uninstalled last due to dependencys
Foreach ($ModuleName in $Modules)
{
If ($ModuleName -ne "Microsoft.Graph.Authentication")
{
Write-Host "Remove ModuleName: $ModuleName"
Invoke-AzRestMethod `
-Method DELETE `
-SubscriptionId $subscriptionId `
-ResourceGroupName $rgName `
-ResourceProviderName Microsoft.Automation `
-ResourceType automationAccounts `
-Name $accountName/powershell7Modules/$ModuleName `
-ApiVersion 2019-06-01
}
}
$ModuleName = "Microsoft.Graph.Authentication"
Write-Host "Remove ModuleName: $ModuleName"
Invoke-AzRestMethod `
-Method DELETE `
-SubscriptionId $subscriptionId `
-ResourceGroupName $rgName `
-ResourceProviderName Microsoft.Automation `
-ResourceType automationAccounts `
-Name $accountName/powershell7Modules/$ModuleName `
-ApiVersion 2019-06-01
The PowerShell 7 Modules have been removed
###############################################################################
#Add PS7 Module
###############################################################################
$subscriptionId = "42ecead4-eae9-4456-997c-1580c58b54ba"
$accountName = "icewolfautomation"
$rgName = "RG_DEV"
$ModuleName = "Microsoft.Graph.Authentication"
$moduleVersion = "1.17.0"
#Install Microsoft.Graph.Authentication
$Payload = @"
{"properties":
{"contentLink":
{"uri":"https://www.powershellgallery.com/api/v2/package/$ModuleName/$moduleVersion"}
}
}
"@
Write-Host "Install ModuleName: $ModuleName"
Invoke-AzRestMethod `
-Method PUT `
-SubscriptionId $subscriptionId `
-ResourceGroupName $rgName `
-ResourceProviderName Microsoft.Automation `
-ResourceType automationAccounts `
-Name $accountName/powershell7Modules/$ModuleName `
-ApiVersion 2019-06-01 `
-Payload $Payload
#Wait until Module is installed
Do {
$Result = Invoke-AzRestMethod `
-Method GET `
-SubscriptionId $subscriptionId `
-ResourceGroupName $rgName `
-ResourceProviderName Microsoft.Automation `
-ResourceType automationAccounts `
-Name $accountName/powershell7Modules/$ModuleName `
-ApiVersion 2019-06-01
$ProvisioningState = (($Result.Content | ConvertFrom-Json).Properties).provisioningState
$Module = Get-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgName | Where-Object {$_.Name -match "$ModuleName"}
Write-Host "State: $ProvisioningState > Check again in 15 Seconds"
Start-Sleep -Seconds 15
} until ($ProvisioningState -eq "Succeeded")
#Now install the Rest of the Modules
$Modules = @()
$Modules += "Microsoft.Graph.Users"
$Modules += "Microsoft.Graph.Users.Actions"
$Modules += "Microsoft.Graph.Groups"
Foreach ($ModuleName in $Modules)
{
$Payload = @"
{"properties":
{"contentLink":
{"uri":"https://www.powershellgallery.com/api/v2/package/$ModuleName/$moduleVersion"}
}
}
"@
Write-Host "Install ModuleName: $ModuleName"
Invoke-AzRestMethod `
-Method PUT `
-SubscriptionId $subscriptionId `
-ResourceGroupName $rgName `
-ResourceProviderName Microsoft.Automation `
-ResourceType automationAccounts `
-Name $accountName/powershell7Modules/$ModuleName `
-ApiVersion 2019-06-01 `
-Payload $Payload
}
Here as well Microsoft.Graph.Authentication has to be sucessfully installed before the other Microsoft.Graph* Modules can be installed due to Module Dependencys.
And now all PowerShell 7 Modules on Azure Automate have been updated
By the Way. These PowerShell Commands are also available on my GitHub Repo
Regards
Andres Bohren
Friday, November 18, 2022
Hi All,
Microsoft has released the AZ 9.1.1 PowerShell Module to the PowerShell Gallery just a few Hours ago.
Az 9.1.1
Show Installed AZ Module and what's available in the PowerShell Gallery
Get-InstalledModule AZ -AllVersions
Find-Module AZ
To uninstall all the old Modules and install the new Modules i have written a PowerShell Script that is published at my GitHub Repo.
#Run Script directly from GitHub
$ScriptFromGitHub = Invoke-WebRequest "https://raw.githubusercontent.com/BohrenAn/GitHub_PowerShellScripts/main/Azure/Cleanup-AZModules.ps1"
Invoke-Expression $($ScriptFromGitHub.Content)
The AZ Module is just a Wrapper Module for all AZ* Modules
Get-Installed Module AZ*
Regards
Andres Bohren
Hi All,
A few hours ago, Microsoft has released a new Version of the Microsoft.Graph PowerShell Module.
Apparently it covers the latest API version and Help as well as some minor fixes.
Microsoft.Graph 1.17.0
1.17.0 Release Notes
Let's check the installed Version and what's available on the PowerShell Gallery
Get-InstalledModule Microsoft.Graph
Find-Module Microsoft.Graph
To install the newest Version of the PowerShell Modules and also uninstalling the old Versions, you can use my GitHub Script. It takes a while until all Modules are installed. Wait until "Cleanup finished" is shown.
#Run Script directly from GitHub
$ScriptFromGitHub = Invoke-WebRequest "https://raw.githubusercontent.com/BohrenAn/GitHub_PowerShellScripts/main/ExchangeOnline/GraphAPI/Cleanup-GraphModules.ps1"
Invoke-Expression $($ScriptFromGitHub.Content)
To list the Modules you can use the following Command
Get-Module Microsoft.Graph* -ListAvailable
Let's check how many Commandlets are available.
Get-Command -Module Microsoft.Graph* | measure
Regards
Andres Bohren
Wednesday, November 16, 2022
Hi All,
Basic Authentication has been mostly disabled. And Attackers now search for new ways to compromise M365 Accounts.
If you use Microsoft Authenticator Push Notifications - good for you. There is a thing called "MFA Fatique" that Attackers use to gain access. They send so many Push Requests until a user is annoyed and clicks on "Approve".
As anounced in the Article below, the MFA Number Matching will be enabled for all M365 Tenants starting end of February 2023. This will prevent these Attacks as the User needs to know the Number from the Request to Approve the MFA Signin.
Defend your users from MFA fatigue attacks
How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy
Go to Authentication Methods in your Azure Active Directory Tenant
I have enabled Number Matching for a Group in my Tenant
That is the Request after login in to https://office.com
And this is the Screen on the Microsoft Authenticator on the Smartphone.
Please note that i have also enabled the following Settings:
- Show Application Name in push and passwordless notifications
- Show geographic location in push and passwordless notifications
Regards
Andres Bohren
Hi All,
I have already blogged about the Exchange 2019 Recipient Managemen PowerShell that can Manage Echange Objects without an Exchange Server running.
Install and use Exchange 2019 CU12 Recipient Management PowerShell
For Identity and Access Management Systems (IAM) provisioning, management and deprovisioning based in the past on crating a Remote PowerShell to Exchange Server. How do you Address this with the new Recipient Management?
In Fact there are two Solutions:
- You install the Recipient Management PSSnapIn on the IAM Server (Management Tools)
- You create a Remote PowerShell to a Server that has the Recipient Management PSSnapin installed
Let's have a look into the second Option.
$Cred = Get-Credential lab\administrator
New-PSSession
#Create PSSession
$PSSession= New-PSSession LAB03 -credential $cred
#Define String for Argumentlist
$Name = "Demo96"
#Invoke Remote Command
Invoke-Command -Argumentlist $Name -Session $PSSession -ScriptBlock {
param($SamAccountName)
Write-Host "Loading PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement" -ForegroundColor Green
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
Write-Host "SamAccountName: $SamAccountName"
Write-Host "Enable-RemoteMailbox"
Enable-RemoteMailbox -Identity "$SamAccountName" -Alias "$SamAccountName" -RemoteRoutingAddress "$SamAccountName@serveralivech.mail.onmicrosoft.com" -Shared
Write-Host "Get-RemoteMailbox"
Get-RemoteMailbox -Identity $SamAccountName
Write-Host "Remove-PSSnapIn"
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
}
#Remove PSSession
Get-PSSession | Remove-PSSession
As you can see i get an Authentication Error
The Solution comes here
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role "Client" -DelegateComputer LAB03
Let's check the Settings with the following Command
winrm get winrm/config/client
Let's try it again
#Create PSSession
$PSSession= New-PSSession LAB03 -authentication credssp -credential $cred
#Define String for Argumentlist
$Name = "Demo96"
#Invoke Remote Command
Invoke-Command -Argumentlist $Name -Session $PSSession -ScriptBlock {
param($SamAccountName)
Write-Host "Loading PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement" -ForegroundColor Green
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
Write-Host "SamAccountName: $SamAccountName"
Write-Host "Enable-RemoteMailbox"
Enable-RemoteMailbox -Identity "$SamAccountName" -Alias "$SamAccountName" -RemoteRoutingAddress "$SamAccountName@serveralivech.mail.onmicrosoft.com" -Shared
Write-Host "Get-RemoteMailbox"
Get-RemoteMailbox -Identity $SamAccountName
Write-Host "Remove-PSSnapIn"
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
}
#Remove PSSession
Get-PSSession | Remove-PSSession
As you can see that worked perfectly
Now you have the Solutions for your IAM System to Provision and Manage Exchange Objects without Exchange Services running. This improves the overall Security Posture as less Services are Exposed to the LAN or even Internet.
Keep in Mind that this Solution only works based on Kerberos - that means both Computers (IAM and Server with Recipient Managent PSSnapin) have to be Members of an Active Directory Domain.
Regards
Andres Bohren
Tuesday, November 15, 2022
Hi All,
Today Microsoft has released a new Version of the MicrosoftTeams PowerShell Module to the PowerShell Gallery.
MicrosoftTeams 4.9.1
Check installed Module and what's available in the PowerShell Gallery
Get-InstalledModule MicrosoftTeams -AllVersions
Find-Module MicrosoftTeams
Uninstall the old Module and install the newest Module
Uninstall-Module MicrosoftTeams
Uninstall-Module MicrosoftTeams
Install-Module MicrosoftTeams
Testing
Connect-MicrosoftTeams
Get-Team
Get-CsOnlineUser -Identity a.bohren@icewolf.ch | fl *Ent*,*host*,*voice*, *line*
Regards
Andres Bohren
Hi All,
Today Microsoft has released the ExchangeOnlineManagement-Preview1 PowerShell Module.
ExchangeOnlineManagement 3.0.1-Preview1
Whats new in this release:
v3.0.1-Preview1 :
1. Bug fixes in Connect-ExchangeOnline.
2. Bug fix in Connect-IPPSSession for connecting to Security and Compliance PowerShell using Certificate Thumbprint.
3. Mitigation for the known vulnerability in Newtonsoft.Json library. More details here: https://github.com/advisories/GHSA-5crp-9r3c-p9vr
Check what Version is installed and what's available from the PowerShell Gallery
Get-InstalledModule ExchangeOnlineManagement
Find-Module ExchangeOnlineManagement -AllowPrerelease
Uninstall the old Module and install the Preview Module
Uninstall-Module ExchangeOnlineManagement -Force
Install-Module ExchangeOnlineManagement -AllowPrerelease
Get-InstalledModule ExchangeOnlineManagement
Testing
Connect-ExchangeOnline
Get-Mailbox -Identity <Mailbox>
Here is the Code to Connect with a Certificate on the Local Cert Store.
What Permissions are needed can be found in the following Blog Post
Exchange Online PowerShell V2 Authentication with App in AzureAD (Update)
$AppID = "f38d26a7-740e-425f-aef5-2da3f3d595db"
$CertThumbprint = "07EFF3918F47995EB53B91848F69B5C0E78622FD"
$TenantID = "icewolfch.onmicrosoft.com"
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertThumbprint -Organization $TenantID
Connect-IPPSSession -AppId $AppID -CertificateThumbprint $CertThumbprint -Organization $TenantID
Regards
Andres Bohren