Alex Ø. T. Hansen

11/07/2018

PowerShell – Microsoft Graph API

Need to connect to Microsoft Graph with PowerShell? The following PowerShell script does just that (pretty easily)!

So what is Microsoft Graph API?

“Microsoft Graph is a Microsoft developer platform that connects multiple services and devices. Initially released 2015, the Microsoft Graph builds on Office 365 APIs and allows developers to integrate their services with Microsoft products, including Windows, Office 365, and Azure. At its Build 2017 conference, Microsoft announced it would use the Microsoft Graph to bring new functionality and connectivity between Windows and other OS platforms, including Android and iOS.” –Wikipedia

The following script have a function called “Get-GraphAPIAccessToken” (line 127 in the code below) which have two optional options available.

Credential
- If you don’t want to get an login prompt, when connecting to the API. Then use:
  -Credential (Create-PSCredential -Username “admin@contoso.onmicrosoft.com” -Password “AdminPasswordHere”)
ClientID
- If you need to use a registered application in Azure AD, specify the application id. Otherwise it will use a well-known value that are registered with Azure AD. An example would be:
  -ClientID 3b7e46ca-4495-410f-9691-f90793f0f666

There are some requirements before you can run the code, which is:

You need an valid internet connection (duuuh?!).
The script leverages AzureRM and the script will try to install it, but if it fails you can use “Install-Module AzureRM -SkipPublisherCheck -AllowClobber -Force -Confirm:$false;” to install it.

#Requires -Version 3.0
<#

    .SYNOPSIS
    Connect to Microsoft Graph API.

    .DESCRIPTION
    Get an access token from Microsoft Graph API.

    .PARAMETER

    .EXAMPLE

    .NOTES
    Author: Alex Ø. T. Hansen
    Date: 11-07-2018
    Last Updated: 11-07-2018

#>

################################################
<# Function - Start #>

#Create credentials.
Function Create-PSCredential
{
    [cmdletbinding()]	
		
    Param
    (
        [Parameter(Mandatory=$true, HelpMessage="Please provide a valid username, example 'user@contoso.onmicrosoft.com'.")]$Username,
        [Parameter(Mandatory=$true, HelpMessage="Please provide a valid password, example 'MyPassw0rd!'.")]$Password
    )

    #Convert the password to a secure string.
    $SecurePassword = $Password | ConvertTo-SecureString -AsPlainText -Force;

    #Convert $Username and $SecurePassword to a credential object.
    $Credential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $Username,$SecurePassword

    #Return the credential object.
    Return $Credential;
}

#Get Microsoft Graph API access token.
Function Get-GraphAPIAccessToken
{
    [cmdletbinding()]

    Param
    (        
        [Parameter(Mandatory=$false)][PSTypeName('Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential')]$Credential,
        [Parameter(Mandatory=$false)][string]$ClientID = "1950a258-227b-4e31-a9cf-717495945fc2",
        [Parameter(Mandatory=$true)][string]$RedirectURI,
        [Parameter(Mandatory=$true)][string]$ResourceURI,
        [Parameter(Mandatory=$true)][string]$Authority
    )

    #Retrieves authentication tokens from services and gets address of the authority to issue token.
    $AuthenticationContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $Authority;

    #If the credential is set.
    If($Credential)
    {
        #Get token with username and password in $Credential.
        $AuthenticationResult = $AuthenticationContext.AcquireToken($ResourceURI, $ClientID, $Credential);
    }
    Else 
    {     
        #Prompt user for credentials.
        $AuthenticationResult = $AuthenticationContext.AcquireToken($ResourceURI, $ClientID, $RedirectURI, [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always)
    } 
    
    #Return the token.
    Return $AuthenticationResult.AccessToken;
}

#Check if the module is installed.
Function Check-Module
{
    [cmdletbinding()]

    Param
    (        
        [Parameter(Mandatory=$true)][string]$Name
    )

    #If the module exist.
    If(Get-Module -ListAvailable -Name $Name)
    {
        Return $true;
    }
    Else
    {
        Return $false;
    }
}

<# Functions - End #>
################################################
<# Input - Start #>

#URI.
$RedirectURI = "urn:ietf:wg:oauth:2.0:oob";
$ResourceURI = "https://graph.microsoft.com";
$Authority = "https://login.microsoftonline.com/common";

<# Input - End #>
################################################
<# Main - Start #>

#If the module AzureRM isn't installed.
If(!(Check-Module -Name AzureRM))
{
    Write-Output "Module: Installing 'AzureRM'";

    #Install the module.
    Install-Module AzureRM -SkipPublisherCheck -AllowClobber -Force -Confirm:$false;
}
Else
{
    Write-Output "Module: 'AzureRM' already installed.";
}

#Get access token.
Write-Output "Token: Getting Microsoft Graph API access token.";
$AccessToken = Get-GraphAPIAccessToken -RedirectURI $RedirectURI -ResourceURI $ResourceURI -Authority $Authority;

<# Main - End #>
################################################

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

#Requires -Version 3.0

.SYNOPSIS

Connect to Microsoft Graph API.

.DESCRIPTION

Get an access token from Microsoft Graph API.

.PARAMETER

.EXAMPLE

.NOTES

Author: Alex Ø. T. Hansen

Date: 11-07-2018

Last Updated: 11-07-2018

################################################

<# Function - Start #>

#Create credentials.

Function Create-PSCredential

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true, HelpMessage="Please provide a valid username, example 'user@contoso.onmicrosoft.com'.")]$Username,

[Parameter(Mandatory=$true, HelpMessage="Please provide a valid password, example 'MyPassw0rd!'.")]$Password

)

#Convert the password to a secure string.

$SecurePassword = $Password | ConvertTo-SecureString -AsPlainText -Force;

#Convert $Username and $SecurePassword to a credential object.

$Credential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $Username,$SecurePassword

#Return the credential object.

Return $Credential;

}

#Get Microsoft Graph API access token.

Function Get-GraphAPIAccessToken

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$false)][PSTypeName('Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential')]$Credential,

[Parameter(Mandatory=$false)][string]$ClientID = "1950a258-227b-4e31-a9cf-717495945fc2",

[Parameter(Mandatory=$true)][string]$RedirectURI,

[Parameter(Mandatory=$true)][string]$ResourceURI,

[Parameter(Mandatory=$true)][string]$Authority

)

#Retrieves authentication tokens from services and gets address of the authority to issue token.

$AuthenticationContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $Authority;

#If the credential is set.

If($Credential)

{

#Get token with username and password in $Credential.

$AuthenticationResult = $AuthenticationContext.AcquireToken($ResourceURI, $ClientID, $Credential);

}

Else

{

#Prompt user for credentials.

$AuthenticationResult = $AuthenticationContext.AcquireToken($ResourceURI, $ClientID, $RedirectURI, [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always)

}

#Return the token.

Return $AuthenticationResult.AccessToken;

}

#Check if the module is installed.

Function Check-Module

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true)][string]$Name

)

#If the module exist.

If(Get-Module -ListAvailable -Name $Name)

{

Return $true;

}

Else

{

Return $false;

}

<# Functions - End #>

################################################

<# Input - Start #>

#URI.

$RedirectURI = "urn:ietf:wg:oauth:2.0:oob";

$ResourceURI = "https://graph.microsoft.com";

$Authority = "https://login.microsoftonline.com/common";

<# Input - End #>

################################################

<# Main - Start #>

#If the module AzureRM isn't installed.

If(!(Check-Module -Name AzureRM))

{

Write-Output "Module: Installing 'AzureRM'";

#Install the module.

Install-Module AzureRM -SkipPublisherCheck -AllowClobber -Force -Confirm:$false;

}

Else

{

Write-Output "Module: 'AzureRM' already installed.";

}

#Get access token.

Write-Output "Token: Getting Microsoft Graph API access token.";

$AccessToken = Get-GraphAPIAccessToken -RedirectURI $RedirectURI -ResourceURI $ResourceURI -Authority $Authority;

<# Main - End #>

################################################

When you have an access token, you can use the following example which gets the current user profile details:

$ApiUrl = "https://graph.microsoft.com/v1.0/me";
$Response = (Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $ApiUrl -Method Get);

#Show reponse.
Return ($Response);

$ApiUrl = "https://graph.microsoft.com/v1.0/me";

$Response = (Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $ApiUrl -Method Get);

#Show reponse.

Return ($Response);

Get the Azure AD users:

$ApiUrl = "https://graph.microsoft.com/v1.0/users"
$Users = Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $ApiUrl -Method Get

#Show reponse.
Return ($Users).Value;

$ApiUrl = "https://graph.microsoft.com/v1.0/users"

$Users = Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $ApiUrl -Method Get

#Show reponse.

Return ($Users).Value;

Send an e-mail (need an Exchange license on the user):

$Recipient = "xyz@contoso.com";

$Body = @"
{
    "message" : {
       "subject": "E-mail through API",
       "body" : {
           "contentType": "Text",
           "content": "Pretty cool stuff, right?!"
           },
      "toRecipients": [
       {
       "emailAddress" : {
           "address" : "$Recipient"
           }
       }
       ]
    }
}
"@;

$ApiUrl = "https://graph.microsoft.com/v1.0/me/sendMail";
Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $ApiUrl -Method Post -Body $Body -ContentType application/json;

$Recipient = "xyz@contoso.com";

$Body = @"

{

"message" : {

"subject": "E-mail through API",

"body" : {

"contentType": "Text",

"content": "Pretty cool stuff, right?!"

"toRecipients": [

{

"emailAddress" : {

"address" : "$Recipient"

}

]

}

"@;

$ApiUrl = "https://graph.microsoft.com/v1.0/me/sendMail";

Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $ApiUrl -Method Post -Body $Body -ContentType application/json;

For more usage examples, Microsoft have create an repository on GitHub.

Alex Ø. T. Hansen

05/07/2018

SCCM – Create Device Collections Based On Security Groups

I’m back again, with a quick how-to on SCCM.

Have you ever needed to create device collections based on security groups (user accounts) in Active Directory? -Well look no further!
You can use the following WQL in a collection.
Only thing you need to change is the SMS_R_User.UserGroupName=”CONTOSO\\mysecuritygroup”.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
JOIN SMS_UserMachineRelationship ON  SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName
JOIN SMS_R_User ON  SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
WHERE   SMS_UserMachineRelationship.Types=1  AND   SMS_R_User.UserGroupName="CONTOSO\\mysecuritygroup"

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client

from SMS_R_System

JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName

JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName

WHERE SMS_UserMachineRelationship.Types=1 AND SMS_R_User.UserGroupName="CONTOSO\\mysecuritygroup"

Alex Ø. T. Hansen

18/06/2018

SCCM – Cloud Management Gateway and Cloud Distribution Point

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don’t need to expose your on-premises infrastructure to the internet.

A cloud-based distribution point is a System Center Configuration Manager distribution point that is hosted in Microsoft Azure. The following information is intended to help you learn about configurations and limitations for using a cloud-based distribution point.

In this step-by-step guide, I will demonstrate how to configure and establish a Cloud Management Gateway (CMG) and Cloud Distribution Point (CDP) in SCCM and Azure.

In order to walk you through the entire process of setting up the Cloud Management Gateway and Cloud Distribution Point features, I am going to break this down into 6 parts.

Overview
Certificates
Azure Service
Cloud Management Gateway
Cloud Distribution Point
Log Files

Alex Ø. T. Hansen

19/05/2018

PowerShell – Intune Local Administrator Password Solution (iLAPS)

If you have devices that is connected to an on-premise, you would certainly configure the Local Administrator Password Solution (LAPS), which allows unique password for each local administrator across the enterprise network.

Unfortunately this method only works when you have on-premise devices, but what about Azure AD Joined machines? – A short answer is “no”.

LAPS takes advantage of 2 attributes in the local Active Directory, these attributes are not available in Azure AD.

Therefor I have created a small application that mimic the same behavior for Azure AD devices, which I call “iLAPS” for Intune Local Administrator Password Solution.

Alex Ø. T. Hansen

17/05/2018

PowerShell – Symmetric Encryption

You can use this PowerShell function to encrypt/decrypt data with a secret key.

I re-wrote the functions from Travis Gan, for a better overview and also added comments to the code.

Use free of charge!

Alex Ø. T. Hansen

16/05/2018

PowerShell – Azure Storage Using REST API

Yo! I’m back again. This time I have been playing around with Azure Table Storage.

Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema less design. Because table storage is schema less, it’s easy to adapt your data as the needs of your application evolve. Access to Table storage data is fast and cost-effective for many types of applications, and is typically lower in cost than traditional SQL for similar volumes of data.

You need to create a storage account in an Azure subscription and generate a shared access signature, prior before using the code below.

I created some lightweight functions that allows you to insert and get data from a table with PowerShell, using REST API.

Alex Ø. T. Hansen

15/05/2018

PowerShell – Invoke-Ping

Just wrote a small PowerShell function that can output ping results to a file including timeouts and unreachable information. This is not something the native Test-NetConnection cmdlet can do (prove me wrong?) unfortunately.

Use the function free of charge.

Alex Ø. T. Hansen

07/05/2018

Intune – The sync could not be initiated (0x82ac019e)

Recently I had a few users that couldn’t initiate a sync on their Windows device to Microsoft Intune.

The error was “The sync could not be initiated (0x82ac019e)“, luckily the solution is easy.

Alex Ø. T. Hansen

06/05/2018

Ethical Hacking – Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.

In this post I will go through the basic usage and some examples of some different attacks.

In these examples we are using Kali Linux as a operating system.

This post is part of a series called “Ethical Hacking”.

Alex Ø. T. Hansen

02/05/2018

Ethical Hacking – Wireless

In this post I will go through the vocabulary around the wireless technologies. I will also show tools you can use to test in your own environment.

This post is part of a series called “Ethical Hacking”.