Category: Azure


Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide

 

# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To get if password will expire for a user

Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv

 

Advertisements

By default, when using a PowerShell script in an Office 365 environment, that need to provide user credentials, we use a PowerShell such as – Get-Credential.
The Get-Credential displays a pop out credential’s windows in which the user needs to fill in his credentials. The information about the user credentials can saved in a variable, and we can use these provided credentials for connecting each of the different Office 365 infrastructures.
The news is that the PowerShell includes a built-in mechanism, which enables us to save user credentials in a text file in a secure manner. The information in the text file will be encrypted so, although the information stored in a simple text file, the information is useless for non-authorized users.

Only the PowerShell will be able to access the encrypted file and fetch from the file the required information.
PowerShell script and user credentials

1. Write the password as part of the PowerShell script. Add the password to the PowerShell script file – this is the simplest option but, from the security perspective, this is the worst option because the password kept in a text file in a non-encrypted format. (we will not review this option).
2. Provide user credentials when running the PowerShell script. the PowerShell script includes an “empty variable” that will contain the required user credentials. When we run the PowerShell script, pop out window will appear.
The person the execute the PowerShell script will need to provide the required credentials. When using this option, we will need to provide the required user credentials, each time we run the PowerShell script

====================================

Read-Host -Prompt “<text>” -AsSecureString

ConvertFrom-SecureString | Out-File “Path”

Read-Host -Prompt “<text>” -AsSecureString | ConvertFrom-SecureString | Out-File “Path”

Read-Host -Prompt “Enter your tenant password” -AsSecureString | ConvertFrom-SecureString | Out-File “C:\windows\temp\cred.txt”

====================================

$AdminName = “UPN Name”

$Pass = Get-Content “<Path>” | ConvertTo-SecureString

$Credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminName, $Pass

====================================

Import-Module MSOnline

Connect-MsolService -Credential $credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

To configure Intune to enroll devices with internal PKI certificates and with SCCM in co-management mode read first the articles below:

https://docs.microsoft.com/en-us/intune/certificates-configure

https://docs.microsoft.com/en-us/intune/certificates-scep-configure

https://support.microsoft.com/en-us/help/4459540/troubleshoot-ndes-configuration-for-use-with-intune

https://howtomanagedevices.com/intune/258/intune-certificate-deployment-guide/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2015/02/25/part-4-protecting-ndes-with-azure-ad-application-proxy/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/

 

NDES troubleshooting articles:

https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/

https://docs.microsoft.com/en-us/intune/certficates-pfx-configure

https://blogs.technet.microsoft.com/askds/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates/

https://blog.hosebei.ch/2016/11/28/configmgr-ndes-certificate-deployment-fails-due-to-network-device-enrollment-service-failure/

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Configuring-and-Troubleshooting-PFX-PKCS/ba-p/516450

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

Note : a GitHub script to validate the NDES configuration: Validate-NDESConfiguration.ps1.

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CertificationAuthority

 

 

Azure AD password protection is now generally available:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487

 

Azure AD password protection – how to eliminate bad passwords:

Architecture (to cover also onprem AD domain controllers):

 

Deployment:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

 

Eliminate bad passwords in your organization:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#license-requirements

 

Azure AD Password protection monitoring:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor

 

Azure AD password protection troubleshooting:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot

 

 

https://support.microsoft.com/en-us/help/10065/associating-a-custom-domain-name-and-securing-communication-with-azure

 

 

Microsoft has recently announced the public preview of Azure Active Directory’s passwordless login. This new capability enables your employees to use external security keys to sign into their Azure Active Directory-Joined Windows 10 machines (running version 1809 or higher) and get single sign-on to their cloud resources. They can also sign into Azure AD-connected apps on supported browsers including the latest versions of Microsoft Edge and Mozilla Firefox.

You can learn more about how it works here: https://aka.ms/fido2securitykeys

To help get you started, MS partners are offering promotions so you can try out their solutions:

  1. For a limited time, Yubico is offering complimentary YubiKey Starter Kits to organizations with Microsoft 365 customers who are interested in beginning their passwordless journey. The starter kit includes the YubiKey 5 NFC and YubiKey 5C. You can learn more about Yubico’s promotion here: https://www.yubico.com/passwordlessoffer.
  2. FEITIAN is offering the first 500 Microsoft referred clients limited-time promotional discounts of more than 30% for Fingerprint Biometric Passwordless Security Keys. Visit  http://www.FTSafe.com/AzurePublicPreview.
  3. HID Global will take 10% off the manufacturer’s suggested retail price (MSRP) for orders above 500 Crescendo C2300 cards or the Crescendo Key, until August 16, 2019. Learn more at https://www.hidglobal.com

 

TechNet article how-to:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-enable#enable-new-passwordless-authentication-methods

 

 

How to Migrate AADConnect LocalDB SQLExpress to MS SQL Server

Reference procedure: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-move-db

How to manage AADConnect LocalDB SQLExpress

Reference procedure: https://itfordummies.net/2017/02/13/manage-localdb-aad-connect-sql-database/

Azure AD free tenant

https://azure.microsoft.com/en-us/free/

 

 

SecOps experience news ! Unified on MCAS, Azure ATP and Azure AD identity protection:

Microsoft has three identity-centric security products offering detection capabilities across on-premise and in the cloud:

  • Azure Advanced Threat Protection (Azure ATP) identifies on-premises attacks
  • Azure Active Directory Identity Protection (Azure AD Identity Protection) detects and proactively prevents user and sign-in risks to identities in the cloud
  • Microsoft Cloud App Security (MCAS) identifies attacks within a cloud session, covering not only Microsoft products but also third-party applications

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Unified-SecOps-Investigation-for-Hybrid-Environments/ba-p/360850

Azure ATP:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp

 

Latest on premise ATA version: ATA v1.9 : https://docs.microsoft.com/en-us/advanced-threat-analytics/whats-new-version-1.9

ATA forum: https://social.technet.microsoft.com/Forums/en-US/home?forum=mata

 

 

Technet resource: https://docs.microsoft.com/en-us/advanced-threat-analytics/

Suspicious activity guide: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

ATA simulation playbook:

https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38

 

ATA powershell module:

https://github.com/Microsoft/Advanced-Threat-Analytics

(copied under \\ncecdlib.nce.amadeus.net\microsoft\microsoft ATA\)

News from pentesters:

https://www.slideshare.net/ChrisThompson73/ms-just-gave-the-blue-team-tactical-nukes-and-how-red-teams-need-to-adapt-defcon-25

http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html?m=1

 

What’s new in ATA version 1.8

New & updated detections

  • NEW! Abnormal modification of sensitive groups – As part of the privilege escalation phase, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there’s an abnormal change in an elevated group.
  • NEW! Suspicious authentication failures (Behavioral brute force) – Attackers attempt to brute force credentials to compromise accounts. ATA now raises an alert when an abnormal failed authentication behavior is detected.
  • NEW! Remote execution attempt – WMI exec – Attackers can attempt to control your network by running code remotely on your domain controller. ATA added detection for remote execution leveraging WMI methods to run code remotely.Reconnaissance using directory services queries– In ATA 1.8, a learning algorithm was added to this detection allowing ATA to detect reconnaissance attempts against a single sensitive entity and improve the results for generic reconnaissance.
  • Kerberos Golden Ticket activity ATA 1.8 includes an additional technique to detect golden ticket attacks, detecting time anomalies for Kerberos tickets.
  • Enhancements to some detections, to remove known false positives:
    • Privilege escalation detection (forged PAC)
    • Encryption downgrade activity (Skeleton Key)
    • Unusual protocol implementation
    • Broken trust

Triage

  • NEW! More actions can be made to suspicious activities during the triage process.
    • Exclude some entities from raising future suspicious activities. Prevent ATA from alerting when it detects benign true positives (i.e. an admin running remote code or using nslookup) or known false positives (don’t open a Pass-The-Ticket alert on a specific IP).
    • Suppress a reoccurring suspicious activity from alerting.
    • Delete suspicious activities from the timeline.
  • A more efficient triage – The suspicious activities time line has gone through a major process of re-design. In 1.8, a lot more suspicious activities will be visible at the same time, and will contain better information for triage and investigation purposes.

Investigate

  • NEW! Summary report. An option to see all the summarized data from ATA, including suspicious activities, health issues and more. It’s possible to define a reoccurring report.
  • NEW! Modification to sensitive groups report to see all the changes made in sensitive groups during a certain period.

Infrastructure

  • Lightweight Gateways can now read events locally, without configuring event forwarding
  • Feature flags were added for all detection, periodic tasks and monitoring alerts
  • Accessibility ramp up – ATA now stands with Microsoft in providing an accessible product, for everyone.
  • E-mail configuration for monitoring alerts and for suspicious activities are separated

Security

  • NEW! Single sign on for ATA management.
    • Gateway and Lightweight gateway silent installation scripts will use the logged on user’s context, without the need to provide credentials.
  • Local System privileges removed from Gateway process
    • You can now use virtual accounts (available on stand-alone GWs only), managed service accounts and group managed service accounts to run the ATA Gateway process.
  • Auditing logs for ATA Center and Gateways were added and all actions are now logged in the event viewer.Added support for KSP Certificates

 

Version: 1.7

Reference articles:

ATA on Technet: https://technet.microsoft.com/en-us/library/dn707706.aspx

ATA events: https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats

ATA deployment demo: https://www.youtube.com/watch?v=xvWJssUpU6w

Blog: https://social.technet.microsoft.com/Forums/security/en-US/home?forum=mata

Additional resources:

Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

Powershell windows forensics: https://github.com/gfoss/PSRecon

Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

 

Azure AD Sync issues:

 

https://gallery.technet.microsoft.com/scriptcenter/Common-Azure-AD-Sync-Issues-0f0025e1#content

 

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Sync-Error-Reports-in-AzureAD-Connect-Health-are-now-in-Public/ba-p/245151