OnedriveMapper v3.06 released!

Version 3.06 of OneDriveMapper has been released!

  • userLookupMode 6 added, which displays a full and customizable login form to the user which asks for username and password
  • added user login caching for userLookupMode 1 and 2, so the script won’t fail if the user is roaming away from a DC and the login is cached
  • fixed a reference to my test domain in Azure AD PassThrough (liebensraum.nl)
  • fixed a crash when ADFS denies the request in native mode (now properly falls back to IE auth mode if allowed)
  • first basic support for Azure AD SSO

Get the new version here

Enterprise Mobility Technical Checklist

Considering moving to an Anywhere, Anyplace, Anytime lightweight IT environment? Throwing out all local IT?

No more Domain Services, just AzureAD? Windows10, or any other mobile modern client? Here’s a short checklist I sometimes use for clients when assessing their intentions / plan:

  • Intune tenant created and policies have been set, including Conditional Access
  • All my applications that are not single-MSI packages and that I want to deploy to my clients have been repackaged
  • All my application servers/services have been moved to SaaS or to RemoteApp or the like
  • My identities have been synchronized or copied to Azure AD
  • All users have an Intune or EMS license
  • I have enabled Azure AD automatic MDM enrollment
  • I have enabled Enterprise State Roaming in Azure AD
  • I have published my internal web sites using Azure Application Proxy and added these sites to Intune as Apps
  • DLP policies have been set up for any sensitive data types/locations in my company
  • Personal data has been migrated to Onedrive for Business
  • Group data has been moved to Office 365 Groups or Sharepoint Online

Just to get you started! 🙂

OnedriveMapper V3 public release

Dear OnedriveMapper users,

I’m finally convinced, after the help of a large number of beta testers and other supporters, that I can release OnedriveMapper V3 to the general public. I don’t expect it to work in all situations (things like MFA and Okta are not yet supported), but I believe it will benefit the majority.

OnedriveMapper V3 features a new authentication mode (‘native mode’), in which authentication takes mere seconds, improving mapping speed on average by a factor of 10 or higher. In addition, OnedriveMapper can automatically switch between both authentication modes if one fails, making it far more robust.

Please check the full changelog to verify compatibility of the changes with your environment, and test carefully before deploying in production.

And thanks to those who provided me with Teamviewer access to their unique environments and/or feedback to help make OnedriveMapper the best free product to map your Onedrive for Business or Sharepoint Online libraries to a driveletter.

Get it here

ADFS SmartLink for OnedriveMapper

ADFS SmartLinks are very useful tools to get your user signed into a service super quickly. As of version 3.02, OnedriveMapper supports these links for both IE and Native authentication mode.

I wrote an article on how to create an ADFS smartlink for the Intune portal once, that should get you started, but point your smartlink to “https://{YOUR TENANT NAME}-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments”.

Then configure $adfsSmartLink in OnedriveMapper with your ADFS SmartLink. OnedriveMapper should then immediately get logged into Onedrive For Business, reducing logon delays by seconds or more depending on the auth method you’re using.

Onedrivemapper V3 beta

As of today, V3 of OnedriveMapper is in testing. It features an auto-updater and does native (no internet explorer) authentication.

The auto updater only works for OnedriveMapper Cloud beta testers. After the beta, OnedriveMapper Cloud will probably become a service where you can manage / control all OnedriveMapper settings centrally as configurations for your organisation(s). OnedriveMapper Cloud comes as both a ps1 and an msi version.

If you’d like to try OnedriveMapper Cloud, contact me.

Setting a Windows Cookie with Powershell (using InternetSetcookie in WinInet)

As I’m trying to improve OnedriveMapper, I’ve been looking into methods to avoid using Browser Emulation to authenticate with Office 365.

This wasn’t difficult, but storing the cookie posed a challenge. There are no available methods in Powershell to do so, thus I went searching until I ran into a post on Stackoverflow that shows how to store a cookie using C#.

Since Powershell can eat C#, this ended up being my working code to set a persistent OS cookie from Powershell:


$source=@"
using System.Runtime.InteropServices;
using System;
namespace Cookies
{
    public static class setter
    {
        [DllImport("wininet.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern bool InternetSetCookie(string url, string name, string data);

        public static bool SetWinINETCookieString(string url, string name, string data)
        {
            bool res = setter.InternetSetCookie(url, name, data);
            if (!res)
            {
                throw new Exception("Exception setting cookie: Win32 Error code="+Marshal.GetLastWin32Error());
            }else{
                return res;
            }
        }
    }
}
"@

$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$compilerParameters.CompilerOptions="/unsafe"

Add-Type -TypeDefinition $source -Language CSharp -CompilerParameters $compilerParameters

# AddDays() returns a new DateTime and does not modify $dateTime in place, so the result must be assigned;
# "R" produces the RFC 1123 format cookies expect, which assumes the value is already in UTC
[DateTime]$dateTime = (Get-Date).ToUniversalTime().AddDays(1)
$str = $dateTime.ToString("R")

[Cookies.setter]::SetWinINETCookieString("https://cookieURL","cookieNAME","value;Expires=$str")

edit: don’t use the Get-Hotfix PS command before you run above code, for some reason it breaks things.
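To confirm the cookie actually landed in the WinINET jar (the one Internet Explorer and other WinINET-based clients use, not .NET’s HttpWebRequest), here is an added example that reads it back with InternetGetCookie from wininet.dll. This is not code from the original post; the URL and cookie name are the same placeholders used above, and note that InternetGetCookie does not return HttpOnly cookies.

```powershell
$readerSource = @"
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace Cookies
{
    public static class reader
    {
        [DllImport("wininet.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern bool InternetGetCookie(string url, string name, StringBuilder data, ref int size);

        // Returns the cookie header WinINET would send for this URL ("a=1; b=2"), or null when none is stored.
        public static string GetWinINETCookieString(string url)
        {
            int size = 4096;
            StringBuilder buffer = new StringBuilder(size);
            if (InternetGetCookie(url, null, buffer, ref size))
            {
                return buffer.ToString();
            }
            int err = Marshal.GetLastWin32Error();
            if (err == 259) { return null; } // ERROR_NO_MORE_ITEMS: no cookie stored for this URL
            throw new Exception("Exception reading cookie: Win32 Error code=" + err);
        }
    }
}
"@
Add-Type -TypeDefinition $readerSource -Language CSharp

$url = "https://cookieURL"   # placeholder: use the same URL you passed to SetWinINETCookieString
$jar = [Cookies.reader]::GetWinINETCookieString($url)
if ($null -eq $jar) {
    Write-Warning "No WinINET cookie stored for $url"
} elseif ($jar -match '(^|;\s*)cookieNAME=([^;]*)') {
    Write-Output ("cookieNAME is set to '{0}'" -f $Matches[2])
} else {
    Write-Warning "Cookies are present for $url but cookieNAME is missing: $jar"
}
```

If the cookie was stored with an Expires date in the past (for example a local time formatted with "R" without converting to UTC first), WinINET discards it and this check reports it as missing.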

O365Undo updated for O365 Groups

O365Undo is a great script you can use to roll back actions of your user(s) in Office 365. Most likely these are actions your user wasn’t aware of because they were actually performed by CryptoLocker or other ransomware.

These nasty viruses can wreak havoc on your mapped or synced Sharepoint Online or Onedrive for Business libraries in the form of file level encryption or file name obfuscation.

This new version also protects Office 365 Groups.

Read more or download the script

Using Powershell to check a user’s tenant logon setting in Office 365 (without logging in)

I was interested in being able to see, for any given email, what type of authentication Microsoft requires for that user. This could be Office 365 (Azure AD) native, ADFS, etc.

Powershell can easily help you out:

Add-Type -AssemblyName System.Web
$uid = "YOUR EMAIL ADDRESS"
# The address goes into a query string, so it must be URL-encoded (HtmlEncode would leave @ and + untouched)
$uidEnc = [System.Web.HttpUtility]::UrlEncode($uid)
# The first request only serves to pick up the session cookies and the ctx value the userrealm endpoint expects
$res = Invoke-WebRequest -Uri "https://login.microsoftonline.com" -SessionVariable cookies -Method Get -UseBasicParsing
$stsRequest = ($res.InputFields | where {$_.Name -eq "ctx"}).Value
$flowToken = ($res.InputFields | where {$_.Name -eq "flowToken"}).Value
$canary = ($res.InputFields | where {$_.Name -eq "canary"}).Value
# No credentials are sent; the userrealm endpoint only reports how this user would have to authenticate
$res = Invoke-WebRequest -Uri "https://login.microsoftonline.com/common/userrealm?user=$uidEnc&api-version=2.1&stsRequest=$stsRequest&checkForMicrosoftAccount=false" -WebSession $cookies -Method GET -UseBasicParsing

The response tells you whether the user is federated (with a redirect to another authentication provider such as ADFS) or managed (Azure AD native). This is an example JSON response:

{"NameSpaceType":"Managed","Login":"mymailaddress@domain.nl","DomainName":"lieben.nu","FederationBrandName":"Lieben Consultancy","TenantBrandingInfo":null,"cloud_instance_name":"microsoftonline.com"}

If you also wish to include Microsoft accounts, set the checkForMicrosoftAccount parameter in the second request to true.

AzureAD Connect SSO
If you’re using AzureAD Connect SSO, you can use the above to check whether it is correctly set up in Office 365. The JSON response will contain a property is_dsso_enabled, which will be set to true.
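As an added example (not code from the original post), the lookup above wrapped in a function that parses the JSON and returns the fields that matter for an authentication check: NameSpaceType, the federation redirect and the is_dsso_enabled flag. It assumes the federated response carries the redirect in a field named AuthURL; the other field names come from the sample response above.

```powershell
Add-Type -AssemblyName System.Web

function Get-O365UserRealm {
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    # URL-encode the address because it is placed in a query string
    $uidEnc = [System.Web.HttpUtility]::UrlEncode($UserPrincipalName)

    # First request picks up the session cookies and the ctx value the userrealm endpoint expects
    $res = Invoke-WebRequest -Uri "https://login.microsoftonline.com" -SessionVariable session -Method Get -UseBasicParsing
    $stsRequest = ($res.InputFields | Where-Object { $_.Name -eq "ctx" }).Value

    # Invoke-RestMethod parses the JSON body into an object for us
    $uri = "https://login.microsoftonline.com/common/userrealm?user=$uidEnc&api-version=2.1&stsRequest=$stsRequest&checkForMicrosoftAccount=false"
    $realm = Invoke-RestMethod -Uri $uri -WebSession $session -Method Get

    [pscustomobject]@{
        User          = $UserPrincipalName
        NameSpaceType = $realm.NameSpaceType        # Managed (Azure AD native), Federated (ADFS etc.) or Unknown
        DomainName    = $realm.DomainName
        FederationUrl = $realm.AuthURL              # assumed field name; only present for federated tenants
        DesktopSSO    = [bool]$realm.is_dsso_enabled # true when AzureAD Connect SSO is enabled for the tenant
    }
}

# Check several addresses at once, e.g. to spot a domain that is unexpectedly still federated
# (constructed sample input, replace with your own addresses)
$addresses = @("user1@YOURDOMAIN", "user2@YOURDOMAIN")
$addresses | ForEach-Object { Get-O365UserRealm -UserPrincipalName $_ } | Format-Table -AutoSize
```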