Category Archives: Security

Automation, AzureAD, Identity, Powershell, Security

Guest report & cleanup new features

August 18, 2023 JosL 2 Comments

My script / runbook to automatically report on stale Guests and clean them up has received some updates

Exclusion Groups

Guests in Exclusion groups will never be deleted, even if they are in an Inclusion Group

Inclusion Groups

Guests in Inclusion Groups will be deleted if they meet the age requirements, all guests not in an inclusion group will be ignored

ReadOnly mode

Will pretend to delete guests are per configured settings, but won’t actually delete anything

download from git: https://gitlab.com/Lieben/assortedFunctions/-/blob/master/get-AzureAdInactiveGuestUsers.ps1?ref_type=heads

AzureAD, Identity, Powershell, Security

Programmatically grant admin consent to a service principal

May 29, 2023 JosL Leave a comment

Most articles and e.g. az module commands allow you to do an admin consent on an application object.

However, Service Principals have the same option in the Azure Portal:

In my scenario I have control over both the hosting tenant of this multi-tenant app registration, so I could use the requiredResourceAccess property to read all Oauth2permissiongrants and approleAssignments from the source app registration to re-apply it to the service principal in the consuming tenant.

The result is similar to consenting through the admin portal but does not require user interaction / is fully headless, ideal for when you’re adding scopes/roles to an application and don’t want to have to do a manual reconsent in all managed tenants.

Here’s the code to to programmatic admin consent:

https://gitlab.com/Lieben/assortedFunctions/-/blob/master/grant-adminConsentForServicePrincipal.ps1

It requires DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All graph permissions for the calling principal (user or application).

If you don’t have access to the source tenant (e.g. multi tenant), you can also simply create a hashtable with the required permissions (manual definition or export from the application manifest).

Automation, Azure, Powershell, Security

Easily get access token for Azure Management API

May 4, 2023 JosL Leave a comment

Wrote this little snippet that assumes a logged in session (Connect-AzAccount) and easily/quickly produces an auth header.

function get-azRMAccessHeader(){
    $profile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
    $context = Get-AzContext
    $client = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($profile)

    $header = @{
        "Authorization" = "Bearer $($client.AcquireAccessToken((Get-AzContext).Tenant.TenantId).AccessToken)"
    }
    return $header
}

Automation, AzureAD, EMS, Intune, Security

LeanLAPS support

April 22, 2023 JosL Leave a comment

As Microsoft has just released LAPS for Azure AD and hybrid joined devices, the usecase for LeanLAPS is more or less gone. This means I will no longer actively develop and/or support LeanLAPS from now on.

Microsoft’s solution also doesn’t rely on proactive remediations, thus lowering the high bar to entry that P2 licensing caused.

AzureAD, Exchange Online, Identity, Microsoft Teams, Office 365, Security

Dynamic membership rule for Teams Room accounts

April 17, 2023 JosL Leave a comment

Teams Room accounts are usually excluded from conditional access. To do so, they have to be in a security group, which of course we don’t want to do manually.

Most companies choose to use a naming standard and simply use that as a rule to create an exclusion group. This is easy to circumvent, I can create a guest user / get invited with the right name et voila zero CA policies!

A better way is to identify the accounts based on their assigned licenses, e.g. Teams Rooms Basic (6af4b3d6-14bb-4a2a-960c-6c902aad34f3). This, however, is not supported as an Azure AD group membership rule as this is stored in the AssignedLicenses property which will throw an “Unsupported Property” error.

The assignedPlans property however does contain the GUID we need.

The following Azure AD Group dynamic membership rule only matches users that have a Teams Room Basic, Teams Room Standard or Teams Room Pro license:

(
	(
		user.assignedPlans -any (
			assignedPlan.servicePlanId -eq "8081ca9c-188c-4b49-a8e5-c23b5e9463a8"
			-and 
			assignedPlan.capabilityStatus -eq "Enabled"
		)
	) -or 
	(
		user.assignedPlans -any (
			assignedPlan.servicePlanId -eq "ec17f317-f4bc-451e-b2da-0167e5c260f9"
			-and 
			assignedPlan.capabilityStatus -eq "Enabled"
		)
	) -or 
	(
		user.assignedPlans -any (
			assignedPlan.servicePlanId -eq "92c6b761-01de-457a-9dd9-793a975238f7"
			-and 
			assignedPlan.capabilityStatus -eq "Enabled"
		)
	)
) -and not (
	user.assignedPlans -all (assignedPlan.servicePlanId -eq "")
)

if you want to do something similar for other licenses, here are the options/combinations:

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md

Liebensraum