Category: Azure


https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf


Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview


By default, activity log events are retained for 90 days. If you need to keep them longer than 90 days, you have to archive the logs to a storage account.


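The 90-day window above is a hard deadline for anything that has not been archived. The following added example (not from the page or from Microsoft's documentation) pulls the activity log for the last 89 days with Az.Monitor's Get-AzActivityLog, writes a local CSV copy and summarises events by caller so that unexpected callers stand out during review. It assumes Az.Accounts and Az.Monitor are installed and Connect-AzAccount has already been run; the helper Get-FirstValue is my own, added because the event property names changed between Az.Monitor releases. A local CSV is a stop-gap, not a replacement for the storage-account archive the page describes.

```powershell
# Assumed: Az.Accounts and Az.Monitor installed, Connect-AzAccount already run against the
# subscription to review. Output path and the 89-day default are example choices.
function Get-FirstValue {
    # Property names differ between Az.Monitor releases (OperationName vs OperationNameValue);
    # return the first one present and unwrap the older LocalizableString objects
    param($Object, [string[]]$Names)
    foreach ($n in $Names) {
        $p = $Object.PSObject.Properties[$n]
        if ($p -and $null -ne $p.Value) {
            $v = $p.Value
            if ($v -is [string]) { return $v }
            if ($v.PSObject.Properties['Value']) { return $v.Value }
            return "$v"
        }
    }
    return $null
}

function Export-ActivityLogWindow {
    param(
        [int]$Days = 89,   # stay inside the 90-day retention window
        [string]$OutFile = "$env:USERPROFILE\Desktop\activitylog-$(Get-Date -Format yyyyMMdd).csv"
    )
    $start = (Get-Date).AddDays(-$Days)
    # Get-AzActivityLog reads the subscription activity log of the current Az context
    $events = Get-AzActivityLog -StartTime $start -EndTime (Get-Date) -MaxRecord 100000
    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time          = $e.EventTimestamp
            Caller        = $e.Caller
            Operation     = Get-FirstValue $e 'OperationNameValue','OperationName'
            Status        = Get-FirstValue $e 'StatusValue','Status'
            ResourceGroup = $e.ResourceGroupName
            ResourceId    = $e.ResourceId
            Level         = $e.Level
        }
    }
    # Local archive: keeps a copy of events that would otherwise age out of the 90-day window
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $rows
}

function Get-CallerSummary {
    # Count of operations per caller identity; a caller you do not recognise is worth a look
    param([object[]]$Rows)
    $Rows | Group-Object Caller | Sort-Object Count -Descending |
        Select-Object @{N='Caller';E={$_.Name}}, Count
}

# Usage (run on a schedule, e.g. from an Automation runbook, before the window rolls over)
$rows = Export-ActivityLogWindow -Days 89
Get-CallerSummary -Rows $rows | Format-Table -AutoSize
```

Run it more often than every 89 days so that a failed run does not leave a gap; each export overlaps the previous one and duplicates are cheap to drop on the CSV side.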


Introduction:

https://docs.microsoft.com/en-us/azure/automation/automation-intro


Automation runbook gallery:

https://docs.microsoft.com/en-us/azure/automation/automation-runbook-gallery


Azure AD custom extensions

How to work with custom extensions:

Reference:

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0


Examples:


# Connect to Azure AD with Global Administrator

Connect-AzureAD

# Get a User and Read Extension Properties

$aadUser = Get-AzureADUser -ObjectId <youruser>
$aadUser | Select-Object -ExpandProperty ExtensionProperty

# Serialize User Object to JSON

$aadUser.ToJson()

# Explore Object Properties

$aadUser | Get-Member

# How to: Add Extension Properties

# PS! Can only write to Cloud homed users

$aadUser = Get-AzureADUser -ObjectId <yourclouduser>@mydomain.onmicrosoft.com
# Generic Dictionary<string,string>; the type name has to be quoted so PowerShell parses the [..] generic arguments
$extensionProp = New-Object 'System.Collections.Generic.Dictionary[System.String,System.String]'
$extensionProp.Add("extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr1", "ENTERPRISEPACK")
$extensionProp.Add("extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr2", "EMSPREMIUM")
Set-AzureADUser -ObjectId $aadUser.ObjectId -ExtensionProperty $extensionProp

# Check added Extension Properties

Get-AzureADUser -ObjectId <yourclouduser>@mydomain.onmicrosoft.com | Select-Object -ExpandProperty ExtensionProperty

#region List all users with Extension Properties

# -All $true is required: without it Get-AzureADUser returns only the first 100 users
$aadUsers = Get-AzureADUser -All $true | Select-Object DisplayName, ObjectId
$aadUsersExt = @()
ForEach ($aadUser in $aadUsers) {
    # One lookup per user; ExtensionProperty is a dictionary keyed by the extension attribute name
    $userDetail = Get-AzureADUser -ObjectId $aadUser.ObjectId | Select-Object -ExpandProperty ExtensionProperty
    # Reset per user so a value found for the previous user does not leak into this row
    $ext1 = $null
    $ext2 = $null
    foreach ($key in $userDetail.Keys) {
        if ($key -like "extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr1") {
            $ext1 = $userDetail[$key]
        }
        elseif ($key -like "extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr2") {
            $ext2 = $userDetail[$key]
        }
        # No else branch: the dictionary also holds keys such as odata.metadata, and clearing
        # $ext1/$ext2 when one of those is seen would discard values already found
    }
    $obj = [pscustomobject]@{DisplayName=$aadUser.DisplayName; ObjectId=$aadUser.ObjectId; Ext1=$ext1; Ext2=$ext2}
    $aadUsersExt += $obj
}

#endregion

# List only users with values for extension attributes

$aadUsersExt | Where-Object {$_.Ext1 -or $_.Ext2} | Format-Table

# List all users

$aadUsersExt

# Serialize users and extension attributes to JSON

$aadUsersExt | ConvertTo-Json
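The script above hard-codes the two attribute names. As an added example (mine, not the page's or Microsoft's sample code), the following inventories every directory extension registered in the tenant with Get-AzureADExtensionProperty, so you can see which app owns each attribute and whether it is synced from on-premises (and therefore not writable from the cloud), and then reports the users that carry a value for any chosen attribute in a single pass. It assumes the AzureAD module is loaded and Connect-AzureAD has been run; the function names are my own.

```powershell
# Assumed: AzureAD module loaded and Connect-AzureAD already run with a directory reader or admin role.
function Get-TenantExtensionPropertyInventory {
    # Get-AzureADExtensionProperty lists every directory extension registered in the tenant,
    # including the ones the page refers to as extension_<AppId>_msDS_ExtensionAttrN
    Get-AzureADExtensionProperty | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name                 # full key as it appears in ExtensionProperty
            App              = $_.AppDisplayName       # application that registered the extension
            DataType         = $_.DataType
            Targets          = ($_.TargetObjects -join ',')
            SyncedFromOnPrem = $_.IsSyncedFromOnPremises   # synced attributes cannot be written from the cloud
        }
    }
}

function Get-UsersWithExtensionValues {
    # Single pass over all users; returns only those with a non-empty value for one of the names
    param([Parameter(Mandatory)][string[]]$ExtensionNames)
    Get-AzureADUser -All $true | ForEach-Object {
        $ext = $_.ExtensionProperty
        $hit = @{}
        foreach ($n in $ExtensionNames) {
            if ($ext.ContainsKey($n) -and $ext[$n]) { $hit[$n] = $ext[$n] }
        }
        if ($hit.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                ObjectId          = $_.ObjectId
                Values            = $hit
            }
        }
    }
}

# Usage: inventory first, then pick the attribute names from the inventory output
$inventory = Get-TenantExtensionPropertyInventory
$inventory | Format-Table -AutoSize
$names = $inventory | Where-Object { $_.Name -like '*msDS_ExtensionAttr*' } | Select-Object -ExpandProperty Name
Get-UsersWithExtensionValues -ExtensionNames $names | ConvertTo-Json -Depth 3
```

Reviewing the inventory periodically is worthwhile because any application that is allowed to register extensions can add attributes that later drive licensing or group membership logic, as the ENTERPRISEPACK/EMSPREMIUM values above do.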

Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services: To provide applications, services, or devices access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice in identity solutions gives you the flexibility to use the most appropriate directory for your organization's needs. For example, if you mostly manage cloud-only users that run mobile devices, it may not make sense to build and run your own Active Directory Domain Services identity solution. Instead, you could just use Azure Active Directory.

https://blogs.technet.microsoft.com/cbernier/2018/01/16/microsoft-flow-and-azure-ad-lets-automate/


Microsoft has released a new PowerShell module to manage Azure Information Protection: AIPService. At the same time, Microsoft is deprecating the previous AIP module, AADRM (on 15 July 2020). https://docs.microsoft.com/en-us/azure/information-protection/install-powershell

https://docs.microsoft.com/en-us/powershell/azure/aip/overview?view=azureipps


Summary:

The procedure consists of adding DNS TXT records to all the domains, just as for standard domain registration, to prove our ownership; the process then unregisters them from the unmanaged tenant and adds them to your tenant.

Reference article:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover
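Because the takeover only proceeds once the verification record is visible on the public DNS, it helps to check the record from outside before starting the process. The following added example (not from the page or the Microsoft article) queries a public resolver with Resolve-DnsName and reports whether the expected TXT value is published; the MS=msXXXXXXXX value is a placeholder, the real one comes from the takeover wizard, and the resolver address and function name are my own choices.

```powershell
# Assumed: Windows DnsClient module (Resolve-DnsName). The expected value is a placeholder; use the
# one shown by the takeover wizard. The resolver is a public one so the check sees what Microsoft sees.
function Test-DomainVerificationTxt {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedValue,
        [string]$Server = '8.8.8.8'
    )
    try {
        $records = Resolve-DnsName -Name $Domain -Type TXT -Server $Server -ErrorAction Stop
    } catch {
        # NXDOMAIN, timeout, or a zone with no TXT records at all
        return [pscustomobject]@{ Domain = $Domain; Published = $false; TxtValues = @(); Error = $_.Exception.Message }
    }
    # TXT data comes back in the Strings property, one string array per record
    $values = $records | Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    [pscustomobject]@{
        Domain    = $Domain
        Published = [bool]($values -contains $ExpectedValue)
        TxtValues = $values
        Error     = $null
    }
}

# Usage: check every domain to be taken over, before starting, and again afterwards
# (the page notes the process unregisters the records, so Published should go back to $false)
$domains = @('contoso.com', 'contoso.net')   # placeholders
foreach ($d in $domains) {
    Test-DomainVerificationTxt -Domain $d -ExpectedValue 'MS=msXXXXXXXX' | Format-List
}
```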


Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide


# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None


# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To check whether a user's password will expire

# PasswordPolicies is a single string that can hold several comma-separated values
# (e.g. "DisablePasswordExpiration, DisableStrongPassword"), so a wildcard match is used;
# -contains on a string only tests full equality and would miss the combined form.
Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
} | ConvertTo-Html | Out-File "$env:USERPROFILE\Desktop\ReportPasswordNeverExpires.html"

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
} | ConvertTo-Csv -NoTypeInformation | Out-File "$env:USERPROFILE\Desktop\ReportPasswordNeverExpires.csv"
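The warning above is the part that bites in practice: the reports tell you who has DisablePasswordExpiration set, but not how old those passwords are, and it is the age that decides who gets forced to change at next sign-in when the policy is reset to None. The following added example (mine, not from the page or Microsoft's article) combines both facts per user. It uses the MSOnline properties PasswordNeverExpires and LastPasswordChangeTimestamp from Get-MsolUser (the page's later section uses the same module); the function name and the sample users are constructed for an offline run.

```powershell
# Assumed: MSOnline module and Connect-MsolService for live data. Sample users below are constructed
# so the function can be exercised offline; the 90-day default mirrors the period the page describes.
function Get-PasswordAgeRisk {
    param(
        # Objects with UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp (Get-MsolUser shape)
        [Parameter(Mandatory)][object[]]$Users,
        [int]$MaxAgeDays = 90,
        [datetime]$Now = (Get-Date)
    )
    foreach ($u in $Users) {
        $age = [int]($Now - [datetime]$u.LastPasswordChangeTimestamp).TotalDays
        [pscustomobject]@{
            UserPrincipalName         = $u.UserPrincipalName
            PasswordNeverExpires      = [bool]$u.PasswordNeverExpires
            PasswordAgeDays           = $age
            # True for the users who would be forced to change at next sign-in if the policy
            # were switched back to None today: the password is already older than the period
            ForcedChangeIfPolicyReset = ([bool]$u.PasswordNeverExpires -and $age -gt $MaxAgeDays)
        }
    }
}

# Constructed sample input (not real tenant data)
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.onmicrosoft.com'; PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = (Get-Date).AddDays(-200) },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.onmicrosoft.com';   PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = (Get-Date).AddDays(-30) },
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.onmicrosoft.com'; PasswordNeverExpires = $false; LastPasswordChangeTimestamp = (Get-Date).AddDays(-120) }
)
# alice is the only one flagged: never-expires and older than 90 days
Get-PasswordAgeRisk -Users $sampleUsers | Format-Table -AutoSize

# Live run against the tenant; the count tells you how many users a policy reset would hit at once
# Get-PasswordAgeRisk -Users (Get-MsolUser -All) | Where-Object ForcedChangeIfPolicyReset | Measure-Object
```

Running the live query before flipping the policy lets you stage the change (communicate first, or reset in batches) instead of discovering the size of the affected population from the helpdesk queue.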


By default, when a PowerShell script in an Office 365 environment needs to provide user credentials, we use a cmdlet such as Get-Credential.
Get-Credential displays a pop-up credentials window in which the user fills in their credentials. The credentials can be saved in a variable, and we can use them to connect to each of the different Office 365 services.
The good news is that PowerShell includes a built-in mechanism that lets us save user credentials to a text file in a secure manner. The information in the text file is encrypted, so although it is stored in a plain text file, it is useless to non-authorized users.

Only the same Windows user account on the same machine that created the file can decrypt it: ConvertFrom-SecureString without a -Key uses the Windows Data Protection API (DPAPI), which ties the encryption to that user profile, so PowerShell running under that account is the only thing that can fetch the required information from the file.
PowerShell script and user credentials

1. Write the password as part of the PowerShell script. Add the password to the PowerShell script file. This is the simplest option but, from the security perspective, the worst one, because the password is kept in a text file in a non-encrypted format (we will not review this option).
2. Provide user credentials when running the PowerShell script. The PowerShell script includes an "empty variable" that will hold the required user credentials. When we run the script, a pop-up window appears.
The person who executes the PowerShell script needs to provide the required credentials. With this option, we have to provide the user credentials each time we run the script.

====================================

# Prompt for a password and read it as a SecureString
Read-Host -Prompt "<text>" -AsSecureString

# Turn a SecureString into a DPAPI-encrypted string (current user, current machine) and write it to a file
ConvertFrom-SecureString | Out-File "Path"

# Both steps in one pipeline
Read-Host -Prompt "<text>" -AsSecureString | ConvertFrom-SecureString | Out-File "Path"

Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "C:\windows\temp\cred.txt"

====================================

$AdminName = "UPN Name"

# Read the encrypted string back; only the user/machine that wrote it can decrypt it
$Pass = Get-Content "<Path>" | ConvertTo-SecureString

$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, $Pass

====================================

Import-Module MSOnline

Connect-MsolService -Credential $Credential

# Basic authentication to this Exchange Online endpoint has since been retired by Microsoft; the
# current way to connect is Connect-ExchangeOnline from the ExchangeOnlineManagement module
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session
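Two things in the snippets above are worth tightening when they go into a scheduled script: C:\windows\temp is readable by every local user (the ciphertext is DPAPI-protected, but the file name and the user name next to it are not secrets you want to hand out), and a Get-Content/ConvertTo-SecureString pair fails with an unhelpful error when the file is copied to another machine or run as a different account. The following added example (mine, not from the page) stores the whole PSCredential with Export-Clixml, which applies the same current-user DPAPI protection as ConvertFrom-SecureString, keeps the file in the user profile with an owner-only ACL, and makes the decrypt failure explicit. The function names and path are my own choices.

```powershell
# Assumed: Windows PowerShell 5.1 or PowerShell 7 on Windows (DPAPI is Windows-only).
# The path is an example; keep the file under the user's profile, not a shared location such as C:\Windows\Temp.
function Save-ProtectedCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Path = "$env:LOCALAPPDATA\o365cred.xml"
    )
    # Export-Clixml protects the SecureString with DPAPI in the current user's scope, exactly like
    # ConvertFrom-SecureString, and keeps user name and password together in one file
    $Credential | Export-Clixml -Path $Path

    # Restrict the file ACL to the owner. DPAPI already limits decryption to this user and machine;
    # this additionally stops other local users from even reading the user name and the blob.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting parent-folder rules
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $Path
}

function Get-ProtectedCredential {
    param([string]$Path = "$env:LOCALAPPDATA\o365cred.xml")
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No stored credential at $Path; run Save-ProtectedCredential interactively first."
        return $null
    }
    try {
        return Import-Clixml -Path $Path
    } catch {
        # Typical cause: the file was copied to another machine or is being read as a different user,
        # so DPAPI cannot unwrap the key. Report it instead of failing deep inside a connect call.
        Write-Warning "Cannot decrypt $Path under this user/machine: $($_.Exception.Message)"
        return $null
    }
}

# Usage: run once interactively to create the file
# Save-ProtectedCredential -Credential (Get-Credential -Message 'Tenant admin account')
#
# Then, in the scheduled script, in place of the Get-Content / ConvertTo-SecureString pair above:
# $Credential = Get-ProtectedCredential
# if ($Credential) { Connect-MsolService -Credential $Credential }
```

Because the protection is bound to the user profile, the scheduled task or service that reads the file has to run as the same account that saved it; that is the property that makes the file useless to anyone who copies it, and also the reason a credential saved under your own account will not work from a task running as SYSTEM.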