Access tokens

There is also an option for Access tokens but some of the services don't support it the same way and Teams CS* commands will brake, so I will go with the "easiest" solution here.

Here is more information on the access tokens from Andrés Gorzelany and how to generate them. I will also do some experiments in my future blogs about these.

Andrés Gorzelany - Microsoft Teams PowerShell and token-based auth

Get-ITips

The script

With this script You can disconnect all sessions with -disconnect switch or choose the ones You want with -services switch

The script will install all the newest versions (not previews) of the modules available in PowerShell gallery.

You can use this script with PowerShell 6 not above and this is also stated inside Microsoft documentation.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide

# Original script from AdminDroid, modified by Harri Jaakkonen @24032022 # Original script can be downloaded from https://admindroid.sharepoint.com/:u:/s/external/ETYww6L3LJFJooEb5MOwjrkBJrHNhGb-EUK5ZBFPiMfm_A?e=Hb9fb4 Param ( $Disconnect, ]$Services=("AzureAD","MSOnline","ExchangeOnline",'SharePoint','SharePointPnP','SecAndCompCenter','Teams','MSGraph'), $SharePointHostName, $MFA, $UserName, $Password ) Clear-Host '' write-host "This script will connect the following services: AzureAD,MSOnline,ExchangeOnline,SharePoint,SharePointPnP,SecAndCompCenter,Teams,MSGraph" write-host "You switch to MFA-based by adding -MFA to end of the script. You can also limit service with -SERVICES swithc and" write-host "adding one of the above ones or disconnect all sessions with -DISCONNECT switch" '' #Disconnecting Sessions if($Disconnect.IsPresent) { #Disconnect Exchange Online,Skype and Security & Compliance center session Get-PSSession | Remove-PSSession #Disconnect Teams connection Disconnect-MicrosoftTeams #Disconnect SharePoint connection Disconnect-SPOService #Disconnect MsGraph connection Disconnect-Graph Write-Host All sessions in the current window has been removed. -ForegroundColor Yellow } else { if(($UserName -ne "") -and ($Password -ne "")) { $SecuredPassword = ConvertTo-SecureString -AsPlainText $Password -Force $Credential = New-Object System.Management.Automation.PSCredential $UserName,$SecuredPassword } #Getting credential for non-MFA account elseif(!($MFA.IsPresent)) { $Credential=Get-Credential -Credential $null } $ConnectedServices="" if($Services.Length -eq 8) { $RequiredServices=$Services } else { $RequiredServices=$PSBoundParameters.Services } #Loop through each required services Foreach($Service in $RequiredServices) { Write-Host Checking connection to $Service... Switch ($Service) { #Module and Connection settings for Exchange Online module ExchangeOnline { $Module=Get-InstalledModule -Name ExchangeOnlineManagement -MinimumVersion 2.0.5 if($Module.count -eq 0) { Write-Host Required Exchange Online'(EXO V2)' module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module ExchangeOnlineManagement -MinimumVersion 2.0.5 -force Import-Module ExchangeOnlineManagement } else { Write-Host EXO V2 module is required to connect Exchange Online.Please install module using Install-Module ExchangeOnlineManagement cmdlet. } Continue } if($mfa.IsPresent) { Connect-ExchangeOnline -UserPrincipalName $UserFQDN } else { Connect-ExchangeOnline -Credential $Credential } If($null -ne (Get-EXOMailbox -ResultSize 1)) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+" Exchange Online" } } #Module and Connection settings for AzureAD V1 (MSOnline module) MSOnline { $Module=Get-Module -Name MSOnline -ListAvailable if($Module.count -eq 0) { Write-Host MSOnline module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module MSOnline -force Import-Module MSOnline } else { Write-Host MSOnline module is required to connect AzureAD.Please install module using Install-Module MSOnline cmdlet. } Continue } if($mfa.IsPresent) { Connect-MsolService } else { Connect-MsolService -Credential $Credential } If($null -ne (Get-MsolUser -MaxResults 1)) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+" MSOnline" } if(($RequiredServices -contains "SharePoint") -eq "true") { $SharePointHostName=((Get-MsolDomain) | Where-Object {$_.IsInitial -eq "True"} ).name -split ".onmicrosoft.com" $SharePointHostName=($SharePointHostName).trim() } } #Module and Connection settings for AzureAD V2 (AzureAD module) AzureAD { $Module=Get-Module -Name AzureAD -ListAvailable if($Module.count -eq 0) { Write-Host AzureAD module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module AzureAD -MinimumVersion 2.0.2.140 -force Import-Module AzureAD } else { Write-Host AzureAD module is required to connect AzureAD.Please install module using Install-Module AzureAD cmdlet. } Continue } if($mfa.IsPresent) { '' $UserFQDN = Read-Host -Prompt 'Input Your FQDN username' '' Connect-AzureAD -AccountId $UserFQDN } else { Connect-AzureAD -Credential $Credential } If($null -ne (Get-AzureADUser -Top 1)) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+" AzureAD" } } #Module and Connection settings for SharePoint Online module SharePoint { $Module=Get-installedModule -Name Microsoft.Online.SharePoint.PowerShell if($Module.count -eq 0) { Write-Host SharePoint Online PowerShell module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module Microsoft.Online.SharePoint.PowerShell -scope AllUsers -MinimumVersion 16.0.22208.12000 -force } else { Write-Host SharePoint Online PowerShell module is required.Please install module using Install-Module Microsoft.Online.SharePoint.PowerShell cmdlet. Continue } } if(!($PSBoundParameters) -and ($SharePointHostName -eq "") ) { Write-Host SharePoint organization name is required.`nEg: Contoso for admin@Contoso.Onmicrosoft.com -ForegroundColor Yellow $SharePointHostName= Read-Host "Please enter SharePoint organization name" } if($MFA.IsPresent) { Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://$SharePointHostName-admin.sharepoint.com } else { Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://$SharePointHostName-admin.sharepoint.com -credential $credential } if($null -ne (Get-SPOTenant)) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+"SharePoint Online" } } #Module and Connection settings for Sharepoint PnP module SharePointPnP { $Module=Get-InstalledModule -Name SharePointPnPPowerShellOnline if($Module.count -eq 0) { Write-Host SharePoint PnP module module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module -Name SharePointPnPPowerShellOnline -MinimumVersion 3.29.2101.0 -AllowClobber -force } else { Write-Host SharePoint Pnp module is required.Please install module using Install-Module SharePointPnPPowerShellOnline cmdlet. } Continue } if(!($PSBoundParameters) -and ($SharePointHostName -eq "") ) { Write-Host SharePoint organization name is required.`nEg: Contoso for admin@Contoso.com -ForegroundColor Yellow $SharePointHostName= Read-Host "Please enter SharePoint organization name" } if($MFA.IsPresent) { Import-Module SharepointpnpPowerShellOnline -DisableNameChecking Connect-PnPOnline -Url https://$SharePointHostName.sharepoint.com -UseWebLogin -WarningAction Ignore } else { Import-Module SharepointpnpPowerShellOnline -DisableNameChecking Connect-PnPOnline -Url https://$SharePointHostName.sharepoint.com -credential $credential -WarningAction Ignore } If ($? -eq $true) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+"SharePoint PnP" } } #Module and Connection settings for Security & Compliance center SecAndCompCenter { $Module=Get-InstalledModule -Name ExchangeOnlineManagement if($Module.count -eq 0) { Write-Host Exchange Online'(EXO V2)' module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module ExchangeOnlineManagement -MinimumVersion 2.0.5 -force Import-Module ExchangeOnlineManagement } else { Write-Host EXO V2 module is required to connect Security and Compliance PowerShell.Please install module using Install-Module ExchangeOnlineManagement cmdlet. } Continue } if($mfa.IsPresent) { Connect-IPPSSession -WarningAction SilentlyContinue -UserPrincipalName $UserFQDN } else { Connect-IPPSSession -Credential $Credential -WarningAction SilentlyContinue } $Result=Get-RetentionCompliancePolicy If(($?) -eq $true) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+" Security & Compliance Center" } } #Module and Connection settings for Teams Online module Teams { $Module=Get-InstalledModule -Name MicrosoftTeams if($Module.count -eq 0) { Write-Host Required MicrosoftTeams module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module MicrosoftTeams -MinimumVersion 4.0.0 -AllowClobber -force Import-Module MicrosoftTeam } else { Write-Host MicrosoftTeams module is required.Please install module using Install-Module MicrosoftTeams cmdlet. } Continue } if($mfa.IsPresent) { Connect-MicrosoftTeams -AccountId $UserFQDN } else { Connect-MicrosoftTeams -Credential $Credential if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+" Microsoft Teams" } } #Module and Connection settings for MS Graph module MSGraph { $Module=Get-InstalledModule -Name Microsoft.Graph if($Module.count -eq 0) { Write-Host Required Microsoft Graph module is not available -ForegroundColor yellow $Confirm= Read-Host Are you sure you want to install module? Yes No if($Confirm -match "") { Install-Module -Name Microsoft.Graph -MinimumVersion 1.9.3 -AllowClobber -force Import-Module Microsoft.Graph } else { Write-Host Microsoft Graph module is required.Please install module using Install-Module Microsoft.Graph cmdlet. } Continue } if($mfa.IsPresent) { Connect-Graph -Scopes "User.Read.all","Application.Read.All" } else { Connect-Graph -Scopes "User.Read.all","Application.Read.All" } If($null -ne (Get-MgUser -top 1)) { if($ConnectedServices -ne "") { $ConnectedServices=$ConnectedServices+"," } $ConnectedServices=$ConnectedServices+" Microsoft Graph" } } } } if($ConnectedServices -eq "") { $ConnectedServices="-" } Write-Host `n`nConnected Services $ConnectedServices -ForegroundColor DarkYellow }

Office 365 for IT Pros GitHub

One repository that has excellent scripts is Office 365 for IT Pros PowerShell examples.

GitHub - 12Knocksinna/Office365itpros: Office 365 for IT Pros PowerShell examples

Office 365 for IT Pros PowerShell examples. Contribute to 12Knocksinna/Office365itpros development by creating an account on GitHub.

For guest users

Azure AD Access reviews

For access reviews I really like this one.

This PowerShell sample script is meant to create a high-level overview over external identity use in a tenant, outlining if and where external identities are used:

  • group membership
  • application assignment
  • assignment to privileged roles
  • membership through rules in a dynamic group

The script is enumerating membership and assignments in Azure AD. It does not reach out to services that keep membership or role assignments outside of Azure AD (e.g. SharePoint Online with direct user-to-role assignment outside of group membership).

access-reviews-samples/ExternalIdentityUse at master · microsoft/access-reviews-samples

This repo contains sample code that demonstrates programmatic access to Azure AD Access Reviews. Sample code includes reading and managing Access Reviews, as well as working on decisions and result...

Admindroid version

Or this one from Admindroid.

It will generate a csv-file that has information from the guest accounts.

Export Office 365 Guest User Report with their Membership

This PowerShell script exports Office 365 guest user report along with guest user’s group membership info.You can also get stale guests using this script.

If You are using AzureADPreview instead of AzureAD module, You can just switch the AzureAD to the preview one.

And all the rest of Admindroid scripts are conveniently in this repo, all in one.

GitHub - admindroid-community/powershell-scripts: Office 365 Reporting PowerShell Scripts

Office 365 Reporting PowerShell Scripts. Contribute to admindroid-community/powershell-scripts development by creating an account on GitHub.

Teams reporting

Teams users

This one will generate TeamsUserReport.csv for users and their settings.

Connect-microsoftteams $TeamsUser = Get-CsOnlineUser | Select-Object DisplayName,Identity,UserPrincipalName, ` SipAddress,Enabled,WindowsEmailAddress,LineURI,HostedVoiceMail,OnPremEnterpriseVoiceEnabled,OnPremLineURI,SipProxyAddress, ` OnlineDialinConferencingPolicy,TeamsUpgradeEffectiveMode,TeamsUpgradePolicy,HostingProvider $TeamsReporting = @() Foreach ($User in $TeamsUser) { $Info = "" | Select "DisplayName","Identity","UserPrincipalName","SipAddress","Enabled","LineURI", ` "WindowsEmailAddress","HostedVoiceMail","OnPremEnterpriseVoiceEnabled","OnPremLineURI","SipProxyAddress", ` "OnlineDialinConferencingPolicy","TeamsUpgradeEffectiveMode","TeamsUpgradePolicy","HostingProvider", ` "VoicePolicy","MeetingPolicy","TeamsMeetingPolicy","TeamsMessagingPolicy","TeamsAppSetupPolicy", ` "TeamsCallingPolicy","VoicePolicySource","MeetingPolicySource","TeamsMeetingPolicySource", ` "TeamsMessagingPolicySource","TeamsAppSetupPolicySource","TeamsCallingPolicySource" Write-Host "Getting information for" $User.DisplayName -ForegroundColor Green $UserPolicies = Get-CsUserPolicyAssignment -Identity $User.identity $Info.DisplayName = $User.DisplayName $Info.Identity = $User.identity $Info.UserPrincipalName = $User.UserPrincipalName $Info.SipAddress = $User.SipAddress $Info.Enabled = $User.Enabled $Info.LineURI = $User.LineURI $Info.WindowsEmailAddress = $User.WindowsEmailAddress $Info.HostedVoiceMail = $User.HostedVoiceMail $Info.OnPremEnterpriseVoiceEnabled = $User.OnPremEnterpriseVoiceEnabled $Info.OnPremLineURI = $User.OnPremLineURI $Info.SipProxyAddress = $User.SipProxyAddress $Info.OnlineDialinConferencingPolicy = $User.OnlineDialinConferencingPolicy $Info.TeamsUpgradeEffectiveMode = $User.TeamsUpgradeEffectiveMode $Info.TeamsUpgradePolicy = $User.TeamsUpgradePolicy $Info.HostingProvider = $User.HostingProvider $Info.VoicePolicy = ($UserPolicies | Where-Object {$_.PolicyType -eq "VoicePolicy"}).PolicyName $Info.VoicePolicy = (($UserPolicies | Where-Object {$_.PolicyType -eq "VoicePolicy"}).PolicySource).AssignmentType $Info.MeetingPolicy = ($UserPolicies | Where-Object {$_.PolicyType -eq "MeetingPolicy"}).PolicyName $Info.MeetingPolicySource = (($UserPolicies | Where-Object {$_.PolicyType -eq "MeetingPolicy"}).PolicySource).AssignmentType $Info.TeamsMeetingPolicy = ($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsMeetingPolicy"}).PolicyName $Info.TeamsMeetingPolicySource = (($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsMeetingPolicy"}).PolicySource).AssignmentType $Info.TeamsMessagingPolicy = ($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsMessagingPolicy"}).PolicyName $Info.TeamsMessagingPolicySource = (($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsMessagingPolicy"}).PolicySource).AssignmentType $Info.TeamsAppSetupPolicy = ($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsAppSetupPolicy"}).PolicyName $Info.TeamsAppSetupPolicySource = (($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsAppSetupPolicy"}).PolicySource).AssignmentType $Info.TeamsCallingPolicy = ($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsCallingPolicy"}).PolicyName $Info.TeamsCallingPolicySource = (($UserPolicies | Where-Object {$_.PolicyType -eq "TeamsCallingPolicy"}).PolicySource).AssignmentType $TeamsReporting += $Info $Info = $null } $TeamsReporting | Export-Csv .\TeamsUserReport.csv -nti -enc utf8

Teams configs

Backup-TeamsConfig is a PowerShell script allowing you to backup various parts of Microsoft Teams configuration and package it up in to a single file for safe keeping - this includes policies, configurations and voice applications (inc. audio files).

GitHub - leeford/Backup-TeamsConfig: Backup-TeamsConfig is a script allowing you to backup various parts of Microsoft Teams configuration and package it up in to a single file

Backup-TeamsConfig is a script allowing you to backup various parts of Microsoft Teams configuration and package it up in to a single file - GitHub - leeford/Backup-TeamsConfig: Backup-TeamsConfig ...

Microsoft365DSC

DSC is still work in progress but it getting there. New versions popping up all the time.

Basically 365DSC is for getting Your tenant config and keeping the config up-to-date with a pipeline or just to compare the config to another tenant for auditing purposes.

So make baselines for different scenarios and compare them against tenants. You will get a verbose report about the differences You have. All isn't in the report but like said it's getting there.

Get Started - Microsoft365DSC - Your Cloud Configuration

This article is a complete guide to installing, deploying and using Microsoft365DSC. Microsoft365DSC is an open-source solution that’s available for free on GitHub. It is led by Microsoft engineers and maintained by the community. Official documentation for the solution is available on the official…

Exchange Online and Azure

Crowdstrike

There is a lot different scripts for EXO but I really like this from Crowdstrike.

It will get the following information:

Exchange Online (O365):

  • Federation Configuration
  • Federation Trust
  • Client Access Settings Configured on Mailboxes
  • Mail Forwarding Rules for Remote Domains
  • Mailbox SMTP Forwarding Rules
  • Mail Transport Rules
  • Delegates with 'Full Access' Permission Granted
  • Delegates with Any Permissions Granted
  • Delegates with 'Send As' or 'SendOnBehalf' Permissions
  • Exchange Online PowerShell Enabled Users
  • Users with 'Audit Bypass' Enabled
  • Mailboxes Hidden from the Global Address List (GAL)
  • Collect administrator audit logging configuration settings.

Azure AD:

  • Service Principal Objects with KeyCredentials
  • O365 Admin Groups Report
  • Delegated Permissions & Application Permissions

GitHub - CrowdStrike/CRT: Contact: CRT@crowdstrike.com

Contact: CRT@crowdstrike.com. Contribute to CrowdStrike/CRT development by creating an account on GitHub.

Azure AD Exporter

The Azure AD Exporter is a PowerShell module that allows you to export your Azure AD and Azure AD B2C configuration settings to local .json files.

GitHub - microsoft/azureadexporter: PowerShell module to export a local copy of all Azure Active Directory configuration settings and objects.

PowerShell module to export a local copy of all Azure Active Directory configuration settings and objects. - GitHub - microsoft/azureadexporter: PowerShell module to export a local copy of all Azur...

DCToolbox

DCToolbox is made by Daniel Chronlund. The PowerShell module contains a collection of tools for Microsoft 365 security tasks, Microsoft Graph functions, Azure AD management, Conditional Access, zero trust strategies, attack and defense scenarios, etc.

This is an excellent swiss knife toolbox but especially I like these four.

Export-DCConditionalAccessPolicyDesign

This CMDlet uses Microsoft Graph to export all Conditional Access policies in the tenant to a JSON file. This JSON file can be used for backup, documentation or to deploy the same policies again with Import-DCConditionalAccessPolicyDesign.

Import-DCConditionalAccessPolicyDesign

This CMDlet uses Microsoft Graph to automatically create Conditional Access policies from a JSON file. The JSON file can be created from existing policies with Export-DCConditionalAccessPolicyDesign or manually by following the syntax described in the Microsoft Graph documentation.

New-DCConditionalAccessPolicyDesignReport

Automatically generate an Excel report containing your current Conditional Access policy design.

New-DCConditionalAccessAssignmentReport

Automatically generate an Excel report containing your current Conditional Access assignments.

GitHub - DanielChronlund/DCToolbox: Tools for Microsoft cloud fans

Tools for Microsoft cloud fans. Contribute to DanielChronlund/DCToolbox development by creating an account on GitHub.

Azure infrastructure

Azure Visualizer, aka 'AzViz'

PowerShell module to automatically generate Azure resource topology diagrams by just typing a PowerShell cmdlet and passing the name of one or more Azure Resource Group(s).

It is capable of:

  • Finding Resources in a Azure Resource Group and identifying their dependencies.
  • Plot nodes and edges to represent Azure Resources and their dependencies on a graph.
  • Insert appropriate Azure Icons on basis of resource category/sub-category.
  • Label each resource with information like Name, Category, Type etc.
  • Generate visualization in formats like: .png and .svg
  • Output image can be in 'light', 'dark' or 'neon' theme.
  • Can target more than one resource group at once.
  • Change direction in which resource groups are plotted, i.e, left-to-right or top-to-bottom.

GitHub - PrateekKumarSingh/AzViz: ⚡ ☁ Azure Visualizer aka ‘AzViz’ : A #powershell module to automatically generate Azure resource topology diagrams by just typing a PowerShell cmdlet and passing the name of one or more Azure Resource groups

⚡ ☁ Azure Visualizer aka 'AzViz' : A #powershell module to automatically generate Azure resource topology diagrams by just typing a PowerShell cmdlet and passing the name of one or more Azu...

ORCA (Office 365 Recommended Configuration Analyzer)

ORCA is a PowerShell module that you can run thru Exchange Online V2 PowerShell module. ORCA will gather your tenants security policy information and compare it against 61 policies from Microsoft best practices.

Then it will write a report saying how compliant your tenant is and what to do to get more compliant.

Installing ORCA

You can install ORCA from PowerShell Gallery.

https://www.powershellgallery.com/packages/ORCA/1.10.6

And you also need Exchange Online PowerShell module V2 as a pre-requisite.

More info from Github

orca/README.md at master · cammurray/orca

The Microsoft Defender for Office 365 Recommended Configuration Analyzer (ORCA) - orca/README.md at master · cammurray/orca

That all for today. hopefully these tips will help You to cover some caveats in Your toolbox.

Thanks for reading and stay safe!

KEEP CALM AND BRING THE AUDIT ON Poster | John | Keep Calm-o-Matic

Archives