Tag: powershell

Azure AD – Keep it clean and tidy

There are several reasons for keeping your Azure AD nice and tidy. Locking down features, removing unused objects and applications and so on – all this keep the the attack surface of your environment lower and makes it easier for you to manage your Azure AD, do access reviews on access groups, roles and so on. So for making it a bit more easy for you I will list out 5 tips for getting a more tidy and clean Azure AD.

First tips – M365 Groups

Lock down who can make “Microsoft 365 Groups”. By doing this you block users from creating houndreds of testing group and often (almost never) they don`t delete groups again.

This need`s to be done within Powershell, but in short notes we create a security group in Azure AD that contains the super users who is allowed to create M365 groups. Then we run a short PowerShell script for locking it down

See learn.microsoft.com for full guide/documentation for this process

Connect-AzureAD

$GroupName = "<GroupName>"
$AllowGroupCreation = $False

Connect-AzureAD

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
  $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
} else {
$settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Second tips – Naming convention M365

Since we already have locked down creation of groups we can aim to do the naming convention in two ways. We can create a provisioning solution where users can order their groups and from there we are setting names, members and having approval process for ordering.

We can also create namin convention rules in Azure AD where we can set a prefix and or suffix. This can be set by a attribute from the user object creating the group or by a fixed string.

Within this feature there is also a “Blocked words” list. This is a list that you can upload with blocked words so that users cannot creat or use words that you put on that list. A maximum of 5000 words can be added to this list.

Learn more about naming conventions here at learn.microsoft.com

All settings are foud under “Azure AD – > Groups -> Settings”

Third tips – User attributes

Maybe not a tidy up and clean Azure AD tips – but I like to have good data quality in Azure AD so that many attributes can be used when creating dynamic groups, homemade scripts and so on. This tips is closely attached to the next tip for User provisioning. So please add as much information as possible on all user objects.

All of these attriutes must also match the organization in that manner so that we are not ending up with 1000 different departments that actually are the same.

Fourth tips – User provisioning

To make it easier for the entire organization and specially the IT department who are creating users, then the need of a easy user provisioning system is always there! Based on a provisioning system we can add more attributes without having users to type all of it.

An super easy user provisioning can just be a SharePoint Lists list in a company wide Teams Team called onboarding. Power Automate that creates a user disabled and based on “Employee Hire Date” we can user “Lifecycle workflows” within Identity Governance to do tasks a few days before users are starting in the company. In the pictures below we see how we can add input for user creation, and a Power Automate that created the user in Azure AD with all attributes added (and keeps it disabled). The last part is where the Lifecycle workflow`s runs and enable the user, add license and sends out a Temporarly Access Pass so that users can sign-in and setup the security for their account.

SharePoint list for onboarding
Power Automate for creating a user and keeping it disabled in Azure AD
Pre-hire tasks runned on user prior to hire date based on the SharePoint list input

Fifth tips – Enterprise applications

This tips is to keep good governance and security posture for applications that are connected to Azure AD. This is applications that connects to Azure AD to exstract information about signed in users and also can claim access for services that the end-user have access to – this can be mailbox for the user, Onedrive for business or sharepoint sites.

Malicious applications can therefore gain access to information and documents that they should not have access to when the end-user them self can approve the application access.

So we start with blocking for User concent for everyone.
head into “Azure AD -> Enterprise Applications -> Consent and permissions” and set both settings to “Do not allow user Consent” / “Do not allow group owner consent”

After we have done this we need to be sure that a administrator is getting notifications when users are trying to get consent for a application.
This can we do here – “Azure AD -> Enterprise Applications -> User settings” and set the settings like this.

The official documentation is at learn.microsoft.com

List all users and their manager

Sometime we need to gain a list of all users and their managers so the managers can get a review of “their” staff!

An easy oneliner within PowerShell using AzureAD ps module is this one. this takes the first 4000 users and export them to CSV


Get-AzureADUser -Top 4000 | select UserPrincipalName,@{n="Manager";e={(Get-AzureADUser -ObjectId (Get-AzureADUserManager -ObjectId $_.ObjectId).ObjectId).UserPrincipalName}} | Export-Csv C:\Temp\YOURUSERS_usr_with_manager.csv -Encoding UTF8

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

SharePoint Online PowerShell module

To install, update og uninstall the SharePoint Online PowerShell module there are some few simple PowerShell commands you can use.

First of all, set your Execution policy to restricted

Get-ExecutionPolicy #for checking the current ExecutionPolicy setting
Set-ExecutionPolicy -ExecutionPolicy  Unrestricted

Install

 Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Check current version

Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

Update

Update-Module -Name Microsoft.Online.SharePoint.PowerShell

Uninstall

Uninstall-Module -Name Microsoft.Online.SharePoint.PowerShell

Block AdHoc subscriptions in Office 365

To block users from creating trial and adhoc subscriptions for Office 365 services or even PowerPlatform services you can turn a switch and block it.

Set-MsolCompanySettings -AllowAdhocSubscriptions $false

To check if this is set to “False” for your tenant you can run this

Get-MsolCompanyInformation |fl AllowAdhocSubscriptions 

Change language – Office 365 Mailbox

To change the Language for a Office 365 mailbox (Exchange Online), run the following commands:

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Set-MailboxRegionalConfiguration -Identity “USER” -Language nb-no -LocalizeDefaultFolderName

For full list of cultureinfo classes (Languages) see:
https://msdn.microsoft.com/en-us/library/system.globalization.cultureinfo(VS.71).aspx

Convert from user mailbox to shared mailbox

From time to time i run into a little problem with the Office 365 Admin Center when trying to convert user mailboxes into shared mailboxes.
when this occours i usualy just use Powershell to convert the mailbox into shared mailbox.

To do this you have to connect your Powershell to the Office 365 tenant and run a oneliner for converting the mailbox.

Here is how to connect to Office 365:
Import-Module MSOnline
$O365Cred = Get-Credential “adminuser@YOURTENANT.onmicrosoft.com”
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService -Credential $O365Cred

When connected then use this single line to convert the mailbox:
Set-Mailbox “Your@mailbox.no” -Type shared

 

Detect and uninstall hotfixes

There seem to be a broken patch KB3159398 which was released this Tuesday, it breaks GPO processing which can cause a lot of headache!

Source: https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398

I’ve made a script which lets you check if this hotfix is installed and also let’s you uninstall it. Replace the KBxxxxxxx with the KB number and run from elevated Powershell to see if it is installed. If you want the script to uninstall the hotfix silently, set $uninstall to $true.

$uninstall = $false # change to $true to uninstall hotfix
$hotfixID = ‘KBxxxxxxx’ #Hotfix KB-number to check, use ‘ quotation marks
Get-HotFix $hotfixID
if ($uninstall -eq $true)
{
Invoke-Command -ScriptBlock {wusa.exe /uninstall /KB:($hotfixID -replace ‘KB’,”) /quiet /norestart} #Uninstall quietly and does not prompt for reboot
}

 

Enable/disable Office 365 serviceplans

I was asked today how you can disable and enable individual features included in an Office 365 license (like Exchange Online, Yammer.. etc) from Powershell

Launch Powershell and log on to your tenant (connect-msolservice)

To see which features which is included in a license use the following code:

$lic = Get-MsolAccountSku | Out-GridView -OutputMode Single -Title “Select SKU to look up”
$lic.ServiceStatus

This will show a list of features and their status

Next, if you want to disable Exchange online for one specific user:

$skuid = Get-MsolAccountSku | Out-GridView -OutputMode Single -Title “Select SKU to edit”
$user = Get-MsolUser | ? {$_.isLicensed -EQ $true} | Out-GridView -title “Select user to modify” -OutputMode Single
$Disable_ExchangeOnine = New-MsolLicenseOptions -AccountSkuId $skuid.AccountSkuId -DisabledPlans “EXCHANGE_S_ENTERPRISE”
$Enable_ExchangeOnline = New-MsolLicenseOptions -AccountSkuId $skuid.AccountSkuId -DisabledPlans $null
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $Disable_ExchangeOnine

The sku must match the sku assigned to the user you want to change.

servicefeature

Then run this line in the same script to re-enable Exchange Online

Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $Enable_ExchangeOnline

Azure VPN – Change Local Site Public IP

If a Clients Local site public IP changes the VPN tunel betwen Azure and the Local Site will disconnect. To fix this do the following:

Connect to Azure using powershell and run the following command:

New-AzureRmLocalNetworkGateway -Name LocalSite -ResourceGroupName [ClientRG] -Location ‘northeurope’ -GatewayIpAddress ‘[Public wan IP 2.4.6.8]’ -AddressPrefix ‘[LAN IP Net 192.168.1.0/24’

 

(Change the RG and Public wan IP and the LAN IP Net to the correct settings)