blog.icewolf.ch

Let's talk about IT!

Saturday, January 28, 2023

PowerShell Module Microsoft.Online.SharePoint.PowerShell 16.0.23311.12000 released

Hi All,

A few hours ago, Microsoft released the Microsoft.Online.SharePoint.PowerShell 16.0.22615.12000 PowerShell Module.

Microsoft.Online.SharePoint.PowerShell 16.0.23311.12000


Check the installed Version and what is available from the PowerShell Gallery

Get-InstalledModule Microsoft.Online.SharePoint.PowerShell
Find-Module Microsoft.Online.SharePoint.PowerShell



Uninstall the old Version and install the new Version of the Module

Uninstall-Module Microsoft.Online.SharePoint.PowerShell
Install-Module Microsoft.Online.SharePoint.PowerShell
Get-InstalledModule Microsoft.Online.SharePoint.PowerShell



List the Commands of the Module

Get-Command -Module Microsoft.Online.SharePoint.PowerShell


Connect to SharePoint Online

Connect-SPOService -Url https://icewolfch-admin.sharepoint.com


Get some Settings

Get-SPOTenant | fl



Regards
Andres Bohren


posted @ Saturday, January 28, 2023 8:37 AM | Filed Under [ PowerShell ]

Thursday, January 26, 2023

Exchange Online: Use Test-Message to verify your Transport- and DLP Rules

Hi All,

In the Microsoft 365 Message Center https://admin.microsoft.com/#/MessageCenter there is an Announcement about Test-Message, with which you can test the Transport Rules and DLP Rules.



Test-Message -Sender m.muster@icewolf.ch -Recipients postmaster@icewolf.ch -SendReportTo a.bohren@icewolf.ch  -TransportRules -UnifiedDLPRules


Let's have a look at my Transport Rules

Get-TransportRule


Now I get two Reports: "Transport Rule Tracing Report"



and a "DLP Rules Tracing Report"



Regards
Andres


posted @ Thursday, January 26, 2023 11:39 AM | Filed Under [ Exchange ]

Analyze AzureAD SignIn Logs with PowerShell

Hi All,

I recently had a case where I needed to access the AzureAD Signin Logs with PowerShell.

I started at the Azure AD Signin Logs and filtered by UPN



The next step was Graph Explorer, where I found the needed Permissions

###############################################################################
# Graph Explorer
###############################################################################
#Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')



Let's connect with these Permissions (they need Admin Consent and I already have that)

#Import-Module and Connect to Microsoft Graph
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scope AuditLog.Read.All,Directory.Read.All



By default you only get 1000 Rows

#Get Signins
$Signins  = Get-MgAuditLogSignIn
$Signins.Count


Let's check the Details of one Record

#Show Details of one Record
$Signins[0] | fl



Do we have SignIns where RiskState is set?

#List RiskState
$Signins | where {$_.RiskState -ne "none"}


By using a Filter you can search for UPN and with the "-All" Parameter you get all Records that match the Filter

###############################################################################
# Use query parameters to customize responses
# https://docs.microsoft.com/en-us/graph/query-parameters
###############################################################################
#Search for a specific User
$Signins  = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')"
$Signins.Count
$Signins  = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -All
$Signins.Count



Now we filter for only successful Logins, sort by date and use only the Attributes I am interested in

#List Details
$Signins | where {$_.ConditionalAccessStatus -eq "success"} | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime



If you just need the last couple SignIns use this command

#Get latest 10 Signins for a specific User
$Signins  = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -Top 10
$Signins | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
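
An added example, not part of the original post: a per-user triage of sign-in records that counts failures from Status.ErrorCode (0 means success), which is a separate field from ConditionalAccessStatus; a sign-in where no policy applied shows notApplied there even when it succeeded. The function name, the helper New-SampleSignIn and the sample records are constructed for illustration; the property names follow the Graph signIn resource.

```powershell
# Added example (not from the original post): per-user triage of sign-in records.
function Get-SignInTriage {
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$SignIn)
    begin {
        $records = [System.Collections.Generic.List[object]]::new()
        # Any other non-empty ClientAppUsed value is counted as legacy authentication.
        $modern = 'Browser', 'Mobile Apps and Desktop clients'
    }
    process { foreach ($s in $SignIn) { $records.Add($s) } }
    end {
        $records | Group-Object UserPrincipalName | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                Total       = $_.Count
                # The sign-in outcome is Status.ErrorCode, not ConditionalAccessStatus.
                Failed      = @($g | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
                DistinctIPs = @($g.IpAddress | Sort-Object -Unique).Count
                LegacyAuth  = @($g | Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }).Count
                AtRisk      = @($g | Where-Object { $_.RiskState -in 'atRisk', 'confirmedCompromised' }).Count
                LastSignIn  = ($g | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
            }
        } | Sort-Object Failed -Descending
    }
}

# Constructed sample records (hypothetical users, documentation IP ranges).
function New-SampleSignIn($Upn, $Ip, $Client, $Ca, $Err, $Risk, $When) {
    [pscustomobject]@{
        UserPrincipalName = $Upn; IpAddress = $Ip; ClientAppUsed = $Client
        ConditionalAccessStatus = $Ca; RiskState = $Risk; CreatedDateTime = [datetime]$When
        Status = [pscustomobject]@{ ErrorCode = $Err }
    }
}
$sample = @(
    New-SampleSignIn 'user1@example.com' '192.0.2.10'   'Browser' 'success'    0     'none'   '2023-01-25T08:00:00Z'
    New-SampleSignIn 'user1@example.com' '192.0.2.10'   'Browser' 'notApplied' 0     'none'   '2023-01-25T09:30:00Z'
    New-SampleSignIn 'user2@example.com' '198.51.100.7' 'IMAP4'   'notApplied' 50126 'none'   '2023-01-25T10:00:00Z'
    New-SampleSignIn 'user2@example.com' '203.0.113.99' 'IMAP4'   'notApplied' 50126 'atRisk' '2023-01-25T10:01:00Z'
    New-SampleSignIn 'user2@example.com' '198.51.100.7' 'Browser' 'success'    0     'none'   '2023-01-25T11:00:00Z'
)
$sample | Get-SignInTriage | Format-Table -AutoSize
```

The same function accepts the output of Get-MgAuditLogSignIn on the pipeline in place of $sample.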




Hope that helps you to get started. Now you can create your own queries built on top of that.
Happy coding.

Regards
Andres Bohren


posted @ Thursday, January 26, 2023 10:51 AM | Filed Under [ Security PowerShell Azure ]

MSIdentityTools PowerShell Module v2.0.36 released

Hi All,

Microsoft has released another Version of their MSIdentityTools PowerShell Module to the PowerShell Gallery.

MSIdentityTools 2.0.36


Check what Version of the Module is installed and what's available in the PowerShell Gallery

Get-InstalledModule MSIdentityTools
Find-Module MSIdentityTools


Uninstall the old version of the PowerShell Module and install the newest one

Uninstall-Module MSIdentityTools
Install-Module MSIdentityTools
Get-InstalledModule MSIdentityTools


To see what commands are available use the following command

Get-Command -Module MSIdentityTools


To get the Signin URL you can use the following Command

Get-MsIdAuthorityUri -TenantId icewolfch.onmicrosoft.com

To get the OpenIDConnect Configuration you can use this Command

Get-MsIdAuthorityUri -TenantId icewolfch.onmicrosoft.com | Get-MsIdOpenIdProviderConfiguration



Regards
Andres Bohren


posted @ Thursday, January 26, 2023 8:52 AM | Filed Under [ PowerShell ]

Wednesday, January 25, 2023

Microsoft 365 Whiteboard Admin PowerShell Module 1.10.0

Hi All,

Just a few Hours ago, Microsoft released a new Version of the WhiteboardAdmin PowerShell Module for Microsoft 365.

Release Notes:
Fixes Get-WhiteboardsForTenant repetitive auth prompt issue. Includes some improvements for help comments and verbose messages

WhiteboardAdmin 1.10.0


Let's check what Version is installed and what's available from the PowerShell Gallery

Get-InstalledModule WhiteboardAdmin
Find-Module WhiteboardAdmin


Let's uninstall the old Module and install the current one

Uninstall-Module WhiteboardAdmin
Install-Module WhiteboardAdmin
Get-InstalledModule WhiteboardAdmin


List the Commands of the Module

Get-Command -Module WhiteboardAdmin


Get-WhiteboardSettings


Get-WhiteboardsForTenant -Geography [Worldwide/Europe/Australia]


Get-Whiteboard -UserId [AzureADObjectID]



Regards
Andres Bohren


posted @ Wednesday, January 25, 2023 11:49 AM | Filed Under [ Microsoft365 ]

Tuesday, January 24, 2023

New look for Office on the Web

Hi All,

Did you notice that there is a new Look in Office for the web?

The new look of Office


It applies to all Office on the Web Applications like PowerPoint, Excel and Word.



Regards
Andres Bohren


posted @ Tuesday, January 24, 2023 10:53 PM | Filed Under [ Office ]

Migrate MFA and SSPR Authentication Methods

Hi All,

In January 2024, the legacy multifactor authentication and self-service password reset policies will be deprecated and you'll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.

How to migrate MFA and SSPR policy settings to the Authentication methods policy for Azure AD (preview)

First review current Policies:
  • MFA policy
  • SSPR policy (if used)
  • Authentication methods policy (if used)







Enable "Allow use of Microsoft Authenticator OTP"


Let's start the Migration



Let's try to finish the Migration


Apparently, we need to remove the Authentication Methods in MFA and SSPR.


Remove the Authentication Methods in Legacy MFA Portal


Remove Authentication Methods in SSPR


Let's try again to finish the Migration


This time it has worked



Regards
Andres Bohren


posted @ Tuesday, January 24, 2023 10:40 PM | Filed Under [ Security Microsoft365 ]

Friday, January 20, 2023

OnPrem Exchange Server Update Status visible in M365 Admin Center (Preview)

Hi All,

The Exchange Server Update Dashboard in Microsoft 365 Admin Center was announced at MEC 2022 in September 2022.



In my Tenant this is now available in Preview.
As you can see all my OnPrem Exchange Servers are in a supported state


The Exchange Servers also have the latest Cumulative Update and Security Update installed



Hope this helps to keep your Hybrid Exchange Infrastructure up to date.

Regards
Andres Bohren


posted @ Friday, January 20, 2023 2:58 PM |

Thursday, January 19, 2023

Exchange Online custom RBAC Role with App Authentication (OAuth2)

Hi All,

  • Azure AD Application Registration
  • Permission: Office 365 Exchange Online > Exchange.ManageAsApp
  • Add AAD App to Azure AD Role "Exchange Administrator" or "Exchange Recipient Administrator"

This Article is about custom RBAC Roles and Application Authentication
  • Azure AD Application Registration
  • Permission: Office 365 Exchange Online > Exchange.ManageAsApp
  • Create an Exchange Online Service Principal for the Azure AD App
  • Create a RoleGroup and Assign ServicePrincipal (and CustomRecipientWriteScope if you want)

Notes from the field: Using app-only authentication with customized RBAC roles in Exchange Online

I've created an Azure AD App Registration


Uploaded a Certificate


Add Permission
Add Permission > APIs my organization uses > Office 365 Exchange Online > Exchange.ManageAsApp


Grant Admin Consent



You need to create an Exchange Service Principal.
For that you need the ObjectID of the Enterprise Application



###############################################################################
# Get AzureAD Application with Microsoft.Graph PowerShell
###############################################################################
Connect-MgGraph -Scopes 'Application.Read.All'
$ServicePrincipalDetails = Get-MgServicePrincipal -Filter "DisplayName eq 'Demo-EXO-RBAC-PS'"
$ServicePrincipalDetails

###############################################################################
# Create Exchange Service Principal
###############################################################################
Connect-ExchangeOnline
New-ServicePrincipal -AppId $ServicePrincipalDetails.AppId -ServiceId $ServicePrincipalDetails.Id -DisplayName "EXO Serviceprincipal $($ServicePrincipalDetails.Displayname)"
Get-ServicePrincipal | where {$_.AppId -eq "341772e9-4f7a-4444-9b2c-66620d27aec0"}



Create the Management Scope. Please note that only the "Sitzungszimmer" Mailbox matches the Management Scope

###############################################################################
#Management Scope
###############################################################################
#Filterable properties for the RecipientFilter parameter on Exchange cmdlets
#https://learn.microsoft.com/en-us/powershell/exchange/recipientfilter-properties?view=exchange-ps

Get-ManagementScope
Get-Recipient -RecipientPreviewFilter "(City -eq 'Zürich') -and (RecipientTypeDetails -eq 'RoomMailbox')"



I've already documented how to create a Management Role in Exchange and Exchange Online

###############################################################################
#Get-ManagementRole
###############################################################################
Get-ManagementRole -Identity "ICE-UserPhoto"
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"



Now let's put it all together. Assign the App the Role "Ice-UserPhoto" and assign the ResourceScope "ZH Rooms"

###############################################################################
#New-RoleGroup
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
New-RoleGroup -Name 'Icewolf-UserPhoto' -Roles "ICE-UserPhoto" -CustomRecipientWriteScope "ZH Rooms"
Add-RoleGroupMember -Identity "Icewolf-UserPhoto" -Member $ServiceId



Note that this Action will trigger an Alert



###############################################################################
#Get-RoleGroup
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
Get-RoleGroup | where {$_.Members -Match $ServiceId} | fl




###############################################################################
#Get-ManagementRoleAssignment
###############################################################################
Get-ManagementRoleAssignment | where {$_.Role -match "ICE-UserPhoto"} | fl




You can see the Permissions also in the Classic Exchange Online Admin Center



I recently noticed that there exists a new Menu Item Roles > Admin Roles in the Exchange Admin Center






Let's connect with the App and the Certificate

###############################################################################
#Connect-ExchangeOnline with AppId and Certificate
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$CertificateThumbprint = "07eff3918f47995eb53b91848f69b5c0e78622fd"
$TenantId = "icewolfch.onmicrosoft.com"
Connect-ExchangeOnline -AppId $AppID -CertificateThumbprint $CertificateThumbprint -Organization $TenantId


Get-ConnectionInformation
Get-Command -Module <Module>


Let's try it. I will set a UserPhoto for a Mailbox that is inside the RecipientWriteScope

Set-UserPhoto -Identity Sitzungszimmer@icewolf.ch -PictureData ([System.IO.File]::ReadAllBytes("E:\Temp\AvatarBaby.jpg"))
Get-UserPhoto -Identity Sitzungszimmer@icewolf.ch



What threw me off at first was that Get also works for Mailboxes outside the Management Scope - but remember the Parameter is "CustomRecipientWriteScope"

Get-UserPhoto -Identity Sitzungszimmer@icewolf.ch
Get-UserPhoto -Identity a.bohren@icewolf.ch



It's not possible to Set-UserPhoto for a Mailbox that is Outside the Management Scope / CustomRecipientWriteScope.
And you also get an Error, if no Picture is set on the Mailbox

Set-UserPhoto -Identity SitzungszimmerEiger@icewolf.ch -PictureData ([System.IO.File]::ReadAllBytes("E:\Temp\AvatarBaby.jpg"))
Get-UserPhoto -Identity SitzungszimmerEiger
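
An added example, not part of the original post: a report that joins service principals, role groups and role assignments so the read scope and write scope of each app-only assignment can be reviewed side by side. Get-AppRoleScopeReport, the ServiceId value and the second role group are constructed for illustration; the other names are taken from the post.

```powershell
# Added example (not from the original post): read vs. write scope of app-only role groups.
function Get-AppRoleScopeReport {
    param(
        [Parameter(Mandatory)][object[]]$ServicePrincipal,  # shape of Get-ServicePrincipal output
        [Parameter(Mandatory)][object[]]$RoleGroup,         # shape of Get-RoleGroup output
        [Parameter(Mandatory)][object[]]$Assignment         # shape of Get-ManagementRoleAssignment output
    )
    foreach ($sp in $ServicePrincipal) {
        # Same membership test as in the post: role group Members matched against the ServiceId.
        $pattern = [regex]::Escape([string]$sp.ServiceId)
        foreach ($rg in $RoleGroup | Where-Object { @($_.Members) -match $pattern }) {
            foreach ($a in $Assignment | Where-Object { $_.RoleAssigneeName -eq $rg.Name }) {
                [pscustomobject]@{
                    App        = $sp.DisplayName
                    RoleGroup  = $rg.Name
                    Role       = $a.Role
                    ReadScope  = $a.RecipientReadScope
                    WriteScope = if ($a.CustomRecipientWriteScope) { $a.CustomRecipientWriteScope } else { $a.RecipientWriteScope }
                    # True when no custom write scope limits which recipients the app can change.
                    Unscoped   = -not $a.CustomRecipientWriteScope
                }
            }
        }
    }
}

# Constructed sample objects; the ServiceId is a placeholder, 'Example-Unscoped' is hypothetical.
$sid = '00000000-0000-0000-0000-000000000001'
$sps = @([pscustomobject]@{ DisplayName = 'EXO Serviceprincipal Demo-EXO-RBAC-PS'
                            AppId = '341772e9-4f7a-4444-9b2c-66620d27aec0'; ServiceId = $sid })
$groups = @(
    [pscustomobject]@{ Name = 'Icewolf-UserPhoto'; Members = @($sid) }
    [pscustomobject]@{ Name = 'Example-Unscoped';  Members = @($sid) }
)
$assignments = @(
    [pscustomobject]@{ RoleAssigneeName = 'Icewolf-UserPhoto'; Role = 'ICE-UserPhoto'
                       RecipientReadScope = 'Organization'; RecipientWriteScope = 'CustomRecipientScope'
                       CustomRecipientWriteScope = 'ZH Rooms' }
    [pscustomobject]@{ RoleAssigneeName = 'Example-Unscoped'; Role = 'ICE-UserPhoto'
                       RecipientReadScope = 'Organization'; RecipientWriteScope = 'Organization'
                       CustomRecipientWriteScope = $null }
)
Get-AppRoleScopeReport -ServicePrincipal $sps -RoleGroup $groups -Assignment $assignments |
    Format-Table -AutoSize
```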



Regards
Andres Bohren


posted @ Thursday, January 19, 2023 11:09 PM | Filed Under [ Exchange ]

Wednesday, January 18, 2023

Git for Windows 2.39.1

Hi All,

There exists a Security vulnerability in Git and you should update to Git Version 2.39.1

Git Downloads

Git security vulnerabilities announced


Let's check the GIT Version before the Update

git --version



Now run the update





Let's check the GIT version after the update

git --version



Regards
Andres Bohren

posted @ Wednesday, January 18, 2023 8:06 PM | Filed Under [ Development ]
