blog.icewolf.ch

Let's talk about IT!

Wednesday, January 25, 2023

Exchange Online: Use Test-Message to verify your Transport- and DLP Rules

Hi All,

The Microsoft 365 Message Center (https://admin.microsoft.com/#/MessageCenter) has an announcement about Test-Message, a cmdlet that lets you test your Transport Rules and DLP Rules.



Test-Message -Sender m.muster@icewolf.ch -Recipients postmaster@icewolf.ch -SendReportTo a.bohren@icewolf.ch  -TransportRules -UnifiedDLPRules


Let's have a look at my Transport Rules

Get-TransportRule


Now I get two reports: "Transport Rule Tracing Report"



and a "DLP Rules Tracing Report"



Regards
Andres


posted @ Thursday, January 26, 2023 11:39 AM | Filed Under [ Exchange ]

Analyze AzureAD SignIn Logs with PowerShell

Hi All,

I recently had a case where I needed to access the Azure AD sign-in logs with PowerShell.

I started in the Azure AD sign-in logs and filtered by UPN



The next step was Graph Explorer, where I found the needed permissions

###############################################################################
# Graph Explorer
###############################################################################
#Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')



Let's connect with these permissions (they need admin consent, and I already have that)

#Import-Module and Connect to Microsoft Graph
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scope AuditLog.Read.All,Directory.Read.All



By default you only get 1000 Rows

#Get Signins
$Signins  = Get-MgAuditLogSignIn
$Signins.Count


Let's check the Details of one Record

#Show Details of one Record
$Signins[0] | fl



Do we have SignIns where RiskState is set?

#List RiskState
$Signins | where {$_.RiskState -ne "none"}


By using a Filter you can search for UPN and with the "-All" Parameter you get all Records that match the Filter

###############################################################################
# Use query parameters to customize responses
# https://docs.microsoft.com/en-us/graph/query-parameters
###############################################################################
#Search for a specific User
$Signins  = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')"
$Signins.Count
$Signins  = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -All
$Signins.Count



Now we filter for only successful logins, sort by date and show only the attributes I am interested in

#List Details
$Signins | where {$_.ConditionalAccessStatus -eq "success"} | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime



If you just need the last couple SignIns use this command

#Get latest 10 Signins for a specific User
$Signins  = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -Top 10
$Signins | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
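
Added example (not from the original post): ConditionalAccessStatus only reports how Conditional Access evaluated, so this helper counts success and failure from Status.ErrorCode and groups the records per source IP and country. `Get-SignInSummary`, `New-SampleSignIn` and the sample records are constructed for illustration; the property names are the ones Get-MgAuditLogSignIn returns.

```powershell
# Added example; Get-SignInSummary is a hypothetical helper, not a Microsoft.Graph cmdlet.
function Get-SignInSummary {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$SignIn)
    begin   { $records = [System.Collections.Generic.List[object]]::new() }
    process { $records.Add($SignIn) }
    end {
        $records |
            Group-Object { '{0}|{1}' -f $_.IPAddress, $_.Location.CountryOrRegion } |
            ForEach-Object {
                $g = $_.Group
                [pscustomobject]@{
                    IPAddress  = $g[0].IPAddress
                    Country    = $g[0].Location.CountryOrRegion
                    Total      = $g.Count
                    # Status.ErrorCode 0 means the sign-in itself succeeded
                    Succeeded  = @($g | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                    Failed     = @($g | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
                    # Succeeded while no Conditional Access policy applied
                    NoCAPolicy = @($g | Where-Object { $_.Status.ErrorCode -eq 0 -and
                                     $_.ConditionalAccessStatus -eq 'notApplied' }).Count
                    Risky      = @($g | Where-Object { $_.RiskState -and $_.RiskState -ne 'none' }).Count
                    LastSeen   = ($g | Measure-Object CreatedDateTime -Maximum).Maximum
                }
            } | Sort-Object Failed, Risky -Descending
    }
}

# Constructed sample records using the property names Get-MgAuditLogSignIn returns
function New-SampleSignIn($ip, $country, $errorCode, $ca, $risk, $when) {
    [pscustomobject]@{
        IPAddress               = $ip
        Location                = [pscustomobject]@{ CountryOrRegion = $country }
        Status                  = [pscustomobject]@{ ErrorCode = $errorCode }
        ConditionalAccessStatus = $ca
        RiskState               = $risk
        CreatedDateTime         = [datetime]$when
    }
}
$sample = @(
    New-SampleSignIn '198.51.100.7' 'CH' 0     'success'    'none'   '2023-01-25T08:00:00Z'
    New-SampleSignIn '198.51.100.7' 'CH' 0     'notApplied' 'none'   '2023-01-25T09:30:00Z'
    New-SampleSignIn '203.0.113.44' 'XX' 50126 'notApplied' 'atRisk' '2023-01-25T03:12:00Z'
    New-SampleSignIn '203.0.113.44' 'XX' 50126 'notApplied' 'atRisk' '2023-01-25T03:13:00Z'
)
$sample | Get-SignInSummary | Format-Table

# Live data (needs the Connect-MgGraph session from earlier in the post):
# Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'a.bohren@icewolf.ch' and createdDateTime ge 2023-01-19T00:00:00Z" -All | Get-SignInSummary
```

On the sample data the 203.0.113.44 group sorts first with two failed, risky sign-ins, and the 198.51.100.7 group shows one successful sign-in that no Conditional Access policy covered.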




Hope that helps you get started. Now you can create your own queries built on top of that.
Happy coding.

Regards
Andres Bohren


posted @ Thursday, January 26, 2023 10:51 AM | Filed Under [ Security PowerShell Azure ]

MSIdentityTools PowerShell Module v2.0.36 released

Hi All,

Microsoft has released another version of their MSIdentityTools PowerShell Module to the PowerShell Gallery.

MSIdentityTools 2.0.36


Check what Version of the Module is installed and what's available in the PowerShell Gallery

Get-InstalledModule MSIdentityTools
Find-Module MSIdentityTools


Uninstall the old version of the PowerShell Module and install the newest one

Uninstall-Module MSIdentityTools
Install-Module MSIdentityTools
Get-InstalledModule MSIdentityTools


To see what commands are available use the following command

Get-Command -Module MSIdentityTools


To get the Signin URL you can use the following Command

Get-MsIdAuthorityUri -TenantId icewolfch.onmicrosoft.com

To get the OpenIDConnect Configuration you can use this Command

Get-MsIdAuthorityUri -TenantId icewolfch.onmicrosoft.com | Get-MsIdOpenIdProviderConfiguration



Regards
Andres Bohren


posted @ Thursday, January 26, 2023 8:52 AM | Filed Under [ PowerShell ]

Microsoft 365 Whiteboard Admin PowerShell Module 1.10.0

Hi All,

Just a few hours ago, Microsoft released a new version of the WhiteboardAdmin PowerShell Module for Microsoft 365.

Release Notes:
Fixes Get-WhiteboardsForTenant repetitive auth prompt issue. Includes some improvements for help comments and verbose messages

WhiteboardAdmin 1.10.0


Let's check what Version is installed and what's available from the PowerShell Gallery

Get-InstalledModule WhiteboardAdmin
Find-Module WhiteboardAdmin


Let's uninstall the old Module and install the current one

Uninstall-Module WhiteboardAdmin
Install-Module WhiteboardAdmin
Get-InstalledModule WhiteboardAdmin


List the Commands of the Module

Get-Command -Module WhiteboardAdmin


Get-WhiteboardSettings


Get-WhiteboardsForTenant -Geography [Worldwide/Europe/Australia]


Get-Whiteboard -UserId [AzureADObjectID]



Regards
Andres Bohren


posted @ Wednesday, January 25, 2023 11:49 AM | Filed Under [ Microsoft365 ]
