Recorded two new videos this week. The first is an understanding of how tokens work with Azure AD and then one looking at conditional access (which can control the access to get those tokens for various scenarios).
Word of caution – I talk about terms of use in the second video. If you just enable this for ALL users it will break things that can’t accept it, for example the account you use for Azure AD Connect to sync to Azure AD so make sure you exclude accounts that can’t accept!
When using Azure AD there are two types of authentication available:
When using the cloud authentication there are two ways to validate the password:
There are therefore three options for the authentication configuration
The order I have them is generally the preference but there are some pros and cons of each (in addition to a few considerations) and I wanted to outline them briefly here.
Password Hash
Passthrough-Authentication (PTA)
Federation
Note that for all scenarios I can still use features like Conditional Access. I try to start at the top of the options and work down if needed. I really consider the federation a legacy option that most organizations are moving away from since Azure AD would be used for the actual application federations moving forward.
Microsoft has a good doc at https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn which should also be reviewed.
Any thoughts, please post below!
PowerShell 5.1 marks the last major update to PowerShell we are likely to see built into Windows. The future of PowerShell has gone the open-source path with PowerShell 6 being available via GitHub and available not just for Windows but also multiple Linux distributions and MacOSX. This is made possible as PowerShell 6, or rather PowerShell CORE 6.0 is built on .NET Core (which is cross platform) instead of the Windows exclusive .NET.
The good news is PowerShell 6 can be installed alongside the PowerShell that is part of Windows/WMF. Download and install from https://github.com/PowerShell/PowerShell/releases. Once installed you can launch by running pwsh.exe. If you look at $psversiontable you will see you have the Core PSEdition instead of the standard Desktop.
I recommend installing this and running alongside the regular PowerShell and getting used to it. The good news is most regular PowerShell will run and if you execute get-module -listavailable you will see the built-in modules. For non-built in modules you will need to check if they are supported with PowerShell Core.
Read the Microsoft article at https://blogs.msdn.microsoft.com/powershell/2018/01/10/powershell-core-6-0-generally-available-ga-and-supported/ for a great overview and walks through the key features that are not part of PowerShell Core 6, e.g. workflows in addition to key considerations.
Tools like Visual Studio Code can be used with PowerShell 5.1 and PowerShell Core 6.0. Simply change the settings for Visual Studio Code to add pwsh, e.g. add the following to user settings (File – Preferences – Settings) (change to your specific PowerShell version). I added this just under the existing User Setting (the , goes after the existing line in the file).
|
1 2 |
, "terminal.integrated.shell.windows": "C:\\Program Files\\PowerShell\\6.1.0-preview.1\\pwsh.exe" |
Happy PowerShelling!
There are many ways to create functionality in PowerShell including basic cmdlets, aliases and functions. When you use multiple combinations its important to understand the precedence. This is best understood by walking through a basic example.
Firstly just run:
get-process
This will result in processes being displayed as expected.
Now lets create a function called get-process that lists child items.
function get-process { Get-ChildItem }
Now if you run get-process it will show child items so the function trumps the built-in cmdlet.
Now let’s create an alias so get-process points to get-service.
New-Alias get-process -Value get-service
Run get-process and it shows services so an alias trumps a function (which trumps the native cmdlets).
Note, you can always force running the cmdlet by its full name.
microsoft.powershell.management\get-process
Once you’ve finished you can reverse by deleting one-at-a-time.
|
1 2 3 4 5 6 7 8 9 |
get-process function get-process { Get-ChildItem } New-Alias get-process -Value get-service Remove-Item Alias:\get-process Remove-Item Function:\get-process |
I have a demonstration environment where many users have accounts but they never logon to AD directly nor look at this demonstration email mailbox. They only use the environment via Azure AD where they logon at Azure AD via the replicated password hash. Because of this they don’t get password expiry notifications and continue to logon however if they try and access something that does hook into AD and not Azure AD the logon fails.
They wanted to be emailed of upcoming password expiry to their real-email. To accomplish this their real email was stored in extensionAttribute10. I didn’t use the proxyaddresses as this may have SIP information. This attribute could be easily set with:
|
1 |
$aduser | Set-Aduser -Replace @{extensionAttribute10=$AltEmail} |
I had a mailbox for a core process I use. Now that user has no other rights so I placed the password in the script but that’s not ideal at all. If this was Azure Automation I could have used a credential object, I could have at least made the password harder to read by creating an encrypted version of the password and then storing that in the file (but its still reversible, just slightly harder to glance at!), e.g.
|
1 2 3 4 |
ConvertFrom-SecureString (ConvertTo-SecureString -AsPlainText -Force 'Password123') #this is run once to generate the value $securepassword = ConvertTo-SecureString "<the huge value from previous command on one line>" #this is then in script going forward $cred = new-object System.Management.Automation.PSCredential ("john@savilltech.com", $securepassword) |
However the account can’t do anything except email and access to the script location was highly restricted so I left it as text which was also easier to demonstrate below however in my environment I used the alternate approach above just to make it a little harder to get the password on glance :-). Replace this with your own email and password.
The script looks for any password expiring in less than 10 days and emails a simple message. Customize as you like! It has a basic HTML block with a placeholder (MESSAGEHOLDER) that is replaced by a custom string for the user.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
$CurrentDate = Get-Date $Users = Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, CannotChangePassword, extensionAttribute10 $fromEmail = 'fromuser@domain.com' $fromPass = 'password' $securePassword = ConvertTo-SecureString $fromPass -AsPlainText -Force $emailcred = New-Object System.Management.Automation.PSCredential ($fromEmail, $securePassword) $SMTPServer = 'smtp.office365.com' $SMTPPort = '587' $PasswordNotifyDays = 10 $emailBody = @" <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta content="en-us" http-equiv="Content-Language" /> <meta content="text/html; charset=utf-8" http-equiv="Content-Type" /> </head> <body> <p>MESSAGEHOLDER</p> <p>Please change password at <a href="https://myapps.microsoft.com">https://myapps.microsoft.com</a>.</p> </body> </html> "@ foreach($user in $users) { $userUPN = $user.DistinguishedName $userName = $user.Name $PasswordLastChanged = $user.PasswordLastSet $PasswordExpired = [datetime]::FromFileTime($user."msDS-UserPasswordExpiryTimeComputed") $PasswordTillExpired = ($PasswordExpired - $CurrentDate).Days if($PasswordTillExpired -lt $PasswordNotifyDays) { if($PasswordTillExpired -lt 0) { $message = "User $userName ($($user.UserPrincipalName)) password is expired ($PasswordTillExpired days past change time). Last changed $PasswordLastChanged" } else { $message = "User $userName ($($user.UserPrincipalName)) password expires in $PasswordTillExpired days. Last changed $PasswordLastChanged" } Write-Output $message $altemail = $user.extensionAttribute10 if($altemail -ne $null) { write-output " Alternate email found and message being sent to $altemail" Send-MailMessage -To $altemail -From $fromEmail -Subject "Password Expiry Notification - $($user.UserPrincipalName)" -BodyAsHtml $emailBody.Replace("MESSAGEHOLDER",$message) ` -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $emailcred } } } |
Have fun!
I needed to add members of a number of groups from one Azure AD tenant to a group in another Azure AD tenant that would then be given access to a resource. The goal was to not require the users added to have to redeem the invite which is common when adding a B2B user. To do this the first step was a user invited via B2B the normal way, that user redeemed the invite and in this case was then made a global admin (although another option would have been to enable guests to invite guests). The key point was this user had the ability to invite people via B2B and could enumerate users in the invited Azure AD instance which would mean invites would not have to be redeemed.
My first version of the script was very simply however I soon realized I would have to rerun the script to add new users and so I enhanced it to extract the current members of the group, convert to regular email format (since when invite to Azure AD the users have @ replaced with _ and is put in a string with various components separated by a #). The script therefore extracts the first part and converts the _ back to a @. Then looks for only for people who are not already members.
In the script below replace the group names, Azure AD names and IDs to meet your requirements.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
Import-Module AzureAD $OneMTCTenantName = "sourceten.net" $OneMTCTenantID = "ID1" $OPCTenantName = "targetten.net" $OPCTenantID = "ID2" $AADGroupsToEnumerate = "SourceGroup1","SourceGroup2","SourceGroup3" $AllMTCTeam = @() $MTCTeamGroupName = "TargetGroup" Connect-AzureAD -TenantId $OneMTCTenantID foreach($AADGroupName in $AADGroupsToEnumerate) { $AADGroup =Get-AzureADGroup -Filter "DisplayName eq '$AADGroupName'" $AADPeople = Get-AzureADGroupMember -ObjectId $AADGroup.ObjectId -All $true $AllMTCTeam += $AADPeople } Connect-AzureAD -TenantId $OPCTenantID #$OPCOneMTCGroup = New-AzureADGroup -DisplayName $MTCTeamGroupName -Description "All members of the global OneMTC organization" ` # -SecurityEnabled $true -MailEnabled $false -MailNickName "$MTCTeamGroupName" $OPCOneMTCGroup = Get-AzureADGroup -SearchString "$MTCTeamGroupName" $OPCUsers = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | Select-Object -ExpandProperty UserPrincipalName $OPCCleanUsers = @() foreach($OPCUser in $OPCUsers) { #Clean up to a real email address $tempemail = ($OPCUser.Split("#"))[0].Replace('_','@') #Write-Output "Converting $OPCUser to $tempemail" $OPCCleanUsers += $tempemail } foreach($MTCTeamMember in $AllMTCTeam) { #Check if already a guest if($OPCCleanUsers -Contains $MTCTeamMember.UserPrincipalName) { Write-Output "User $($MTCTeamMember.UserPrincipalName) already added" } else { Write-Output "Adding $($MTCTeamMember.UserPrincipalName)" $AADB2BAdd = New-AzureADMSInvitation -InvitedUserEmailAddress "$($MTCTeamMember.UserPrincipalName)" -SendInvitationMessage $false ` -InviteRedirectUrl "http://myapps.microsoft.com" Add-AzureADGroupMember -ObjectId $OPCOneMTCGroup.ObjectId -RefObjectId $AADB2BAdd.InvitedUser.Id } } |
I recently needed to create an AD site for each MTC (an office), add the IP range assigned to that MTC (which was in a CSV file) and then associate the site with a site link for its region. This is so the Active Directory automatic site coverage feature will enable DCs to populate per-site DNS records for the MTCs ensuring authentication traffic uses the most optimal DC. The DCs are spread over four regional locations.
The CSV file simply had one or two second octet numbers for the /16 IP range associated with the MTC. The code therefore enumerates through each OU, checks to see if the MTC can be found in the CSV data for the IP ranges. Next if the site does not already exist it is created, added to its regional site link (based on the parent OU name and for NA if its East or West) and then the IP ranges for the MTC assigned.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 |
$MTCIPConfigFile = "F:\PowerShell\basicmtcips.csv" $MTCIPInfo = Import-Csv -Path $MTCIPConfigFile $RootDomain = "DC=onemtc,DC=net" $TopLevelRegions = "APAC","EMEA","NA" foreach($TopLevelRegion in $TopLevelRegions) { $MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description foreach($MTCOU in $MTCOUs) { $MTCCode = $MTCOU.Name $MTCCodeShort = $MTCOU.Name.Substring(3) #Find the MTC in the IP list $MTCIPrange = $null $MTCLocation = $null foreach($MTCInfo in $MTCIPInfo) { if($MTCInfo.Code -eq $MTCCode) { if($MTCInfo.LocalOctet -eq $MTCInfo.SharedOctet) { $MTCIPrange = $MTCInfo.LocalOctet } else { $MTCIPrange = $MTCInfo.LocalOctet,$MTCInfo.SharedOctet } $MTCLocation = $MTCInfo.Location } } Write-Output "MTC $MTCCodeShort processing in region $TopLevelRegion" if($MTCIPrange -ne $null) { $MTCADSiteName = "$TopLevelRegion$MTCCodeShort" $MTCADSiteSearch = $null try { $MTCADSiteSearch = Get-ADReplicationSite -Filter {Name -eq $MTCADSiteName} } catch {} if($MTCADSiteSearch -eq $null) { Write-Output "Site not found, creating" New-ADReplicationSite $MTCADSiteName #Add to site link switch ($TopLevelRegion) { 'NA' {if($MTCLocation -eq "W") {$siteLinkName = "NAMTCs-AzureWestUS"} else {$siteLinkName = "NAMTCs-AzureEastUS"}} 'APAC' {$siteLinkName = "APACMTCs-AzureSoutheastAsia"} 'EMEA' {$siteLinkName = "EMEAMTCs-AzureWestEurope"} Default {$siteLinkName = "NAMTCs-AzureEastUS"} } Write-Output "Adding to site link $siteLinkName" Set-ADReplicationSiteLink $siteLinkName -SitesIncluded @{Add="$MTCADSiteName"} foreach($IPrange in $MTCIPrange) { $IPCIDR = "10.$IPrange.0.0/16" Write-Output "Assigning $IPCIDR to new site $MTCADSiteName" New-ADReplicationSubnet -Name $IPCIDR -Site $MTCADSiteName -Location $TopLevelRegion } } else { Write-Output "Site exists" } } else { Write-Output "No IP configuration found, skipping" } Write-Output "" } } |
A lot of the work I do around Active Directory and Azure AD is for our OneMTC.net environment used by our global Microsoft Technology Centers. It is built around a number of region-based organizational units which then have child OUs for each MTC.
The requirement was to create a number of GPOs for each MTC which could then be modified by the local administrator of the MTC. To do this I created two template GPOs with most of the basic settings which I then just needed to copy to a new, per-MTC GPO instance then link to the GPO. This was very easy with PowerShell and the GroupPolicy module.
I also had already created the GPOs for a couple of MTCs so wanted to skip creating the objects for them. In the PowerShell below you can see I have a variable for the top-level of the MTC and then an array of the top level regional OUs. From there I have the names of the GPO templates and an array of the MTCs to skip. At that point I just enumerate for OUs, copy the GPOs and link the new per-instance GPO to the OU.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
Import-Module GroupPolicy $RootDomain = "DC=onemtc,DC=net" $TopLevelRegions = "APAC","EMEA","NA" $WSUSConfigTemplateName = "WSUS Configuration" $AdminTemplateName = "MTC Admins Template" $MTCsToSkip = "DAL","ATL","DEN","MPLS" foreach($TopLevelRegion in $TopLevelRegions) { $MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description foreach($MTCOU in $MTCOUs) { $MTCCode = $MTCOU.Name.Substring(3) if($MTCsToSkip -notcontains $MTCCode) { Write-Output "Creating GPOs and linking for MTC $MTCCode" #Copy the two templates to the new names Copy-GPO -SourceName $AdminTemplateName -TargetName "$MTCCode Admins" Copy-GPO -SourceName $WSUSConfigTemplateName -TargetName "$MTCCode WSUS Config" #Link the GPOs to the OU New-GPLink -Name "$MTCCode Admins" -Target $MTCOU.DistinguishedName New-GPLink -Name "$MTCCode WSUS Config" -Target $MTCOU.DistinguishedName } } } |
In this blog I want to walkthrough a solution I recently architected and implemented along with a two other MTC architects to deliver a solution we needed for two reasons:
The global MTC organization is made up of around 30 offices which each have several Azure subscriptions to host the projects they are working on and environments used in customer activities. Additionally, there are several global, shared Azure subscriptions that host core infrastructure and experiences. These subscriptions are tied to various Azure AD tenants depending on requirements. The primary subscription for each MTC also hosts a virtual network that is part of a global IP space that is connected via one of four regional ExpressRoute circuits to the MTC worldwide VPN that provides connectivity between all MTC offices.
While there is a standard governance and process guide each MTC has control of their own subscriptions and resources however from a central MTC organization perspective insight into several key factors was required.
The insight into the health needed to be in the form to provide easy overall insight while allowing detail to be exposed through drilling down into the data.
I started off crafting a solution in PowerShell through which I can access the full knowledge of the Azure Resource Manager via the AzureRM module and also other solutions such as Log Analytics, Azure Security Center and Azure Storage.
If you like to read the end of the book below is the final solution and what I will walk through is some of the detail you see in the picture.
The first challenge was the context to run the script under since multiple Azure AD tenants were utilized and I didn’t want to have to manage multiple credentials. Therefore, Azure AD B2B (business to business) was utilized. A single identity in the main Azure AD tenant was created and then a communication sent to each MTC to add that identity via Azure AD B2B to any local Azure AD tenant instances and then to give that account Read permissions to all subscriptions. This enabled a single credential to be used across every subscription, regardless of the Azure AD tenant the subscription was tied to. This same credential was also give rights to the Log Analytics instance all VMs reported to which enables queries to be run.
Now the access was available the next step was the actual PowerShell to gather the required information. A storage account was created that would be used to store the output of the execution which would be a basic execution report and two JSON files that contained custom objects representing the VM state and Azure subscription information.
The basic PowerShell flow is as follows:
To actually run the PowerShell I used Azure Automation which not only provided a resilient engine to run the code but capabilities such as credentials which could securely store the identity that was used removing any need to hardcode it in the script itself. The schedule capability was used to trigger the runbook (the container for the PowerShell in Azure Automation) to right daily at 11pm.
At this point in an Azure Storage account was a report and two JSON files with one of them, the VM state JSON file, the most useful which enabled all information to be queried easily however the goal was to have it more easily digestible which meant PowerBI and ideally getting the data more easily available to everyone, e.g. Teams along with a notification that the nights execution was successful.
The solution was to use a Logic App (created by Ali Mazaheri, https://blogs.msdn.com/alimaz) which enables activities to be chained together using various connectors which include Azure Storage, Teams and SharePoint. The Logic App was designed with a recurrence trigger (but could also trigger based on object creations and other triggers) and to then perform the following:
A great feature of Logic Apps is that they are implemented by adding the built-in connectors or your own API apps, Azure Functions and then graphically laying out the flow using conditions, branches and those connectors by passing output as an input for next connectors and in this case some custom expressions. Below is the key content of the Logic App (as an alternative we could have also used Azure Functions and EventGrid to achieve the same goal).
The final step was the Power BI portion to read in the file from SharePoint and provide a visualization of the data contained in the JSON. David Browne created this powerful dashboard that enabled various visualizations of the data and easy access to change the criteria of the data contained.
The Power BI Service can connect directly to SharePoint Online to read the files. Power Query in Power BI is used to identify the latest data files, convert them from JSON to a tabular format and to clean the data. The data is then loaded into an in-memory Tabular Model hosted by Power BI and configured for daily refresh.
I recently deployed a new WSUS server on Windows Server 2016 but the console would crash, the WSUS engine had crashed and it turns out the problem is it runs out of memory. Make sure your WSUS server had at least 8GB of memory then perform the following:
Problem should be fixed!