
Clatent

Technology | Fitness | Food


Security

October 15, 2024: Microsoft Azure and Admin Portal MFA Requirement

September 23, 2024 by ClaytonT Leave a Comment

Are you ready for October 15, 2024 where accessing Azure Portal, Entra admin, Intune admin, and 365 Admin center portals will require MFA? It’s less than a month away. It does look like you can push it out to March 2025 if you absolutely have to, but I wouldn’t recommend it unless you have an extreme case.

Below is a great link from Microsoft Learn to check out to see how you’ll be affected and how to plan for it if you haven’t made the necessary changes. If you need any help migrating or any questions regarding it, I’d be glad to help out.

Microsoft Mandatory MFA Requirement

Tagged With: 365, Azure, PowerShell

Why did I get this email?

March 25, 2024 by ClaytonT Leave a Comment

Here’s the scenario…

An executive forwards an email to your ticketing system and asks why they are receiving it, then sends another from the day before. There is a Microsoft 365 distribution list (DL) in both emails, but not one they would be on. What do you do?

You check for any tickets for that DL, and see there haven’t been any tickets for that DL or even for that person. You then check the DL, and indeed see they are in it… but how?

PowerShell to the rescue! Have you ever used “Search-UnifiedAuditLog”, which is a cmdlet for Exchange Online PowerShell? It is great for one-off investigations in 365, but here we will use it to find any admin activity for that user in the past week. Full disclosure, I’ve used it a handful of times and had never really dug into it, which was a mistake on my part. Knowing more of what it can do now would have saved me so much time on other resolutions where I had gone through the 365 portal. Don’t be me: start using this now and create your own functions, as well as Purview, to save you time and headaches. Enable it now, as it can’t be backdated.

# See if you have it enabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# If not enabled, run this
Enable-OrganizationCustomization

# Enable Audit logs - this can take up to 60 mins
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Hopefully you already have it enabled, or you enabled it right now and can wait for it to start ingesting the logs so when you do need it, it is available.

Back to our executive incident. How do we find out what happened? The quick way is to run:

# Check for all admin activity for named user
Search-UnifiedAuditLog -StartDate 2/1/2024 -EndDate 3/16/2024 -ObjectIds execuser@domain.com

And this is the way I originally did it to get the answer I needed. That’s it! Then you will see in “AuditData” which groups they were added to or removed from, and any operations that happened with the groups they are in. This broad search will show even more, but I’m only mentioning the parts related to this task. At the end of this post I’ll have a list of great resources on how to get granular on your searches.

Now you can see that another engineer accidentally added them (after confirming with the engineer), and you can just remove them from the list. This is the best-case scenario: if I had just removed the executive without searching the log and asking the engineer, I would have missed the possibility that they were added by a compromised account seeing what kind of privileges it had.

There is a way to clean up the audit data so it is easier to view, but that will be in a longer blog post coming soon. Again, I’ll have some links at the end to give you a head start. Honestly, this was only supposed to be a quick one-liner post that definitely grew, and I’ve spent more time than I would like to admit researching it. It has given me more ideas on how to use it, and I’ll put together functions in a repository or possibly a module of the most useful commands.
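One way to flatten “AuditData” for the distribution list case above, as an added example that is not code from the original post. The function name ConvertFrom-AuditRecord is hypothetical, the sample rows are constructed, and the JSON field names (Operation, UserId, ClientIP, CreationTime, Parameters) are assumptions modelled on Exchange admin audit records.

```powershell
# Constructed sample rows shaped like Search-UnifiedAuditLog output. Live use:
#   $records = Search-UnifiedAuditLog -StartDate 2/1/2024 -EndDate 3/16/2024 -ObjectIds execuser@domain.com
$records = @(
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-14 15:02:11'
        AuditData = '{"CreationTime":"2024-03-14T15:02:11","Operation":"Add-DistributionGroupMember","UserId":"engineer@domain.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Identity","Value":"Finance-DL"},{"Name":"Member","Value":"execuser@domain.com"}]}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-15 09:40:00'
        AuditData = '{"CreationTime":"2024-03-15T09:40:00","Operation":"Set-Mailbox","UserId":"helpdesk@domain.com","ClientIP":"203.0.113.22","Parameters":[{"Name":"Identity","Value":"execuser@domain.com"}]}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-15 10:00:00'
        AuditData = '{"CreationTime":"2024-03-15T10:00' }   # truncated on purpose
)

function ConvertFrom-AuditRecord {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        }
        catch {
            # One bad row should not end the investigation
            Write-Warning "Skipping record from $($Record.CreationDate): AuditData is not valid JSON"
            return
        }
        # Cmdlet arguments arrive as Name/Value pairs (assumed layout); index them by name
        $params = @{}
        foreach ($p in @($data.Parameters)) { if ($p) { $params[$p.Name] = $p.Value } }

        [pscustomobject]@{
            Time      = $data.CreationTime
            Actor     = $data.UserId          # who made the change
            Operation = $data.Operation
            Group     = $params['Identity']   # the DL that was changed
            Member    = $params['Member']     # who was added or removed
            ClientIP  = $data.ClientIP
        }
    }
}

# Keep only DL membership changes and show who did what, when, and from where
$records | ConvertFrom-AuditRecord |
    Where-Object Operation -like '*-DistributionGroupMember' |
    Sort-Object Time |
    Format-Table -AutoSize
```

The Actor and ClientIP columns are what you take to the engineer when confirming whether the change was really theirs.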

One function I’ll be creating is one to check whether a user has changed their password recently, has multiple failed attempts, and/or has locked themselves out. How nice would that be for you or your help desk if the function sees who submitted the ticket, runs, and then gives you that feedback? To go one step further, if they aren’t blocked out, automatically send them the password reset portal to reset their password?

If you already use this, what scripts/functions have you created? I’d love to hear about them, and I can create a repository for us to keep them in one spot.

Useful Links:

Search-UnifiedAuditLog – Microsoft Learn Cmdlet
How it works – Services that support auditing
Detailed info – Detailed Microsoft Script

Hope this helps save you from headaches, and I can’t wait to hear how you use it! Have a great day!

Tagged With: 365, AuditLog, Automation, Entra, PowerShell, Reporting, Security

Module Monday July 31, 2023

July 31, 2023 by ClaytonT Leave a Comment

Well, here it is! Module Monday, but this one is a module I’ve been working on for a bit and figured it’s time to put it out to the community for others to enjoy and improve. Have you had to test PowerShell scripts on your 365 tenant and really didn’t want to use your production environment, but wanted to keep it as close as possible for testing accuracy? Then you’ll want 365AutomatedLab in your tool chest. It can also be used to add multiple users to an environment from an Excel sheet or add multiple groups to a user per their title from an Excel sheet. Hope you check it out and leave some feedback! There is so much I want to do with it, and I’m super excited about this project that I feel can help so many!

I’ll be doing some blog posts and video tutorials in the near future. Any preferences?

Thanks to Andrew Pla for the extra push 😆

https://github.com/DevClate/365AutomatedLab

Tagged With: 365, AD, Automation, Documentation, Module Monday, PowerShell

Read-Only Friday 365 Developer Program

July 14, 2023 by ClaytonT Leave a Comment

Want to have some fun with Office 365, but don’t want to mess up your production environment? Or what about being able to try out scripts and not having to brace yourself as you run them and hope they don’t clear out all your data? Now you can do whatever you want with the Microsoft 365 Dev Center.

That is right, up to 25 E5 licensed users at your disposal for 90 days, and it will be renewed as long as you are using it. They will even create 16 users for you, mail traffic, and more. This isn’t just for PowerShell, this is all aspects of 365.

Awesome, right? Here are a few examples:

  1. You could copy up to 25 of your current users and import them into this Developer tenant and test scripts to see exactly how they would work with your information. Think of those times where you test a script with fictional users and your script works perfectly, but once you put it into production, your script fails because one username had a character that your test data didn’t have. Now you’re spending unnecessary time trying to figure out what went wrong when it worked perfectly in proof of concept.
  2. You want to test new features or policies, but you don’t want to enable them in your production environment, as you’re not 100% sure how they will react to your environment. Configure this test environment how your current tenant is, then enable those features or policies you want to test. It is much safer to test in the dev environment than to do it in production and all of a sudden your users can’t access critical resources or anything at all!
  3. Your boss wants you to do a proof of concept on how to streamline the onboarding process and to make it as simple as possible for the organization. It is recommended that you use SharePoint and Teams, as the company already uses both and is familiar with them. Instead of using your production environment, you can do this all in the dev tenant without affecting anything in production. You can even invite key players in this project to log in and test it with you. Now you don’t have to worry about a Teams alert that you set up for when a new hire has been added to AD or Microsoft Entra ID spamming your production channel because your script or flow errored.

These are just a few scenarios where the 365 Dev tenant can be useful, but there are so many more. I’m barely scratching the surface, and hope you sign up right away for this if you haven’t already. It is free, and if you administer or develop 365, you need this.

I hope you found this helpful, and if you have any questions, I’d be glad to help out in any way I can.

Sign up for the Microsoft 365 Dev Center

Tagged With: 365, AD, Automation, Development, Documentation, PowerShell, Read-Only Friday, Reporting, Sharepoint

One-Liner Wednesday March 29, 2023

March 29, 2023 by ClaytonT 2 Comments

Can you believe it’s Wednesday already? I can’t either, the week is flying by. Could it be the excitement of the PowerShell + DevOps Global Summit coming up in a few weeks? Quite possibly! If you haven’t gotten your ticket yet, I highly recommend it. With that said, these next 3 weeks I’ll be highlighting speakers and topics from the summit.

Today’s one-liner is a great one for troubleshooting from Jeff Hicks. He will be heading the Onramp program for attendees who are just getting into IT. It is such a great program, and I wish it had been around when I was getting into IT!

Get-WinEvent -FilterHashtable @{LogName = 'System'; Level = 1} -MaxEvents 10 | Sort-Object ProviderName, TimeCreated

This one-liner searches the System event log for the last 10 “Critical” events, then sorts them by provider name and date/time. You could change the level for “lesser” events if needed. Also, if you need to check a remote computer you can add the -ComputerName parameter, but remember that it only takes 1 computer at a time. If you need to connect to multiple computers, you can use ForEach to reach out to all the computers needed.
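The multi-computer case described above, as an added example that is not part of the original post or Jeff Hicks’ one-liner. The function name Get-CriticalSystemEvent is hypothetical; it defaults to the local computer so it runs without any remote hosts.

```powershell
function Get-CriticalSystemEvent {   # hypothetical function name
    [CmdletBinding()]
    param(
        # Get-WinEvent accepts one computer per call, so loop over the list
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose
        [ValidateRange(1, 5)]
        [int]$Level = 1,

        [int]$MaxEvents = 10
    )

    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -MaxEvents $MaxEvents -ErrorAction Stop `
                         -FilterHashtable @{ LogName = 'System'; Level = $Level } |
                Select-Object MachineName, ProviderName, TimeCreated, Id, Message
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                # A healthy machine with no matching events is reported as an error;
                # treat it as an empty result instead of a failure
                Write-Verbose "${computer}: no level $Level events in the System log"
            }
            else {
                # Unreachable host, access denied, and so on: warn and keep going
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Same sort as the one-liner, with the source machine included in each row
Get-CriticalSystemEvent | Sort-Object MachineName, ProviderName, TimeCreated
```

Pass several names to -ComputerName to sweep a group of servers; one unreachable host produces a warning rather than stopping the run.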

Hope this one-liner helps you out and hope to see you at the PowerShell + DevOps Summit!

Jeff Hicks:
Blog

PowerShell + DevOps Global Summit:
Global Summit

Microsoft Learn:
Get-WinEvent

Tagged With: Automation, Event Log, One Liner Wednesday, PowerShell, Reporting, Windows, Windows Server

Module Monday March 20, 2023

March 20, 2023 by ClaytonT Leave a Comment

Hope you had a great weekend, and are ready for today’s Module Monday. Are you using Duo Security? Or looking at Duo for your company? Then you need this module. It’s called DuoSecurity.

Why not automate the process of onboarding/terminating employees or removing old phone authenticators? What about reporting on who is in which groups, how many phones they have, or filtering event logs?

So many more things to automate with this module and make your life easier as well as make your company more secure.

If you have used this module before, let me know how you are using it.

PowerShell Gallery:
Duo Security

GitHub:
Duo Security

Tagged With: Automation, MFA, Module Monday, PowerShell, Reporting, Security
