Clatent

Technology | Fitness | Food

Entra

EntraFIDOFinder: New Web UI and Over 70 New Authenticators

by Leave a Comment

You read that right, over 70 new authenticators are now approved for Entra Attestation and have been add to the web ui and the PowerShell module! I knew they had to be holding back after these last few updates. Also I’ve updated the web UI and curious of your thoughts. I wanted to make it more modern and easier to view, especially the details window.

Here are a few of the new authenticators, but check the change log for the full list.

Android Authenticator

AAGUID: b93fd961-f2e6-462f-b122-82002247de78

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

ATLKey Authenticator

AAGUID: 019614a3-2703-7e35-a453-285fd06c5d24

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

Dapple Authenticator from Dapple Security Inc.

AAGUID: 6dae43be-af9c-417b-8b9f-1b611168ec60

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

Deepnet SafeKey/Classic (FP)

AAGUID: e41b42a3-60ac-4afb-8757-a98f2d7f6c9f

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

Deepnet SafeKey/Classic (USB)

AAGUID: b9f6b7b6-f929-4189-bca9-dd951240c132

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

ellipticSecure MIRkey USB Authenticator

AAGUID: eb3b131e-59dc-536a-d176-cb7306da10f5

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

Ensurity AUTH BioPro Desktop

AAGUID: 9eb85bb6-9625-4a72-815d-0487830ccab2

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

Ensurity AUTH TouchPro

AAGUID: 50cbf15a-238c-4457-8f16-812c43bf3c49

Supported Interfaces:

InterfaceSupported
Biometric
USB
NFC
BLE

I’ve been working on better ways to see what keys have been added, removed, or modified, as well as approving valid vendors. It’s not perfected yet, but when I get closer, I’ll do a demo of it.

Let me know what you think of the new design and what functionality you wish it had. Also are there any keys you wish were attestation approved for Entra?

Where to get:
PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.22
Github: https://github.com/DevClate/EntraFIDOFinder/tree/main
Web UI: https://devclate.github.io/EntraFIDOFinder/Explorer/

Appreciate you taking the time and stay safe out there!

Did you know: SSPR/Password Reset Edition

by Leave a Comment

Did you know if you convert to the combined experience for SSPR and password reset, you can remove less secure phone, email, and text authentication? This is as long as you have Authenticator registered and higher methods allowed. See below for SSPR.

This works for SSPR and for password reset through My Sign-Ins.

The gotcha is if you have 2 methods required for SSPR, it will say your not registered for SSPR even if your enabled for it, but only have 1 method (Microsoft Authenticator) registered. As you can see below.

I would definitely recommend adding more secure options as well but at the minimum I’d use Authenticator or higher.

How do you keep your user protected in this situation?

Hope this quick tip was useful and have a great day!

EntraFIDOFinder now with over 50 new keys!

by Leave a Comment

I guess I should be careful what I ask for now.. Not sure if you saw, but when Microsoft first made this update it blew up my repo with over 100 issues due to all the changes and I assumed Microsoft had changed how they formatted their website, but they hadn’t. It was just from the new keys, vendors, and changes to current keys.

All of their basic info has been updated on the web and PowerShell module, but I haven’t put all the meta data in from the FIDO Alliance, as I’m looking for a way to fully automate it when new keys are added.

Now to the part you really care about

New Vendors:

  • Android
  • Dapple Security
  • Eviden
  • Foongton
  • GSTAG
  • ID-One
  • IIST
  • Infineon Technologies AG
  • KeyVault
  • Ledger
  • Nitrokey
  • OneKey
  • Samsung
  • Securité Carte à Puce
  • TruU
  • Veridium
  • VeroCard
  • Vivokey
  • WinMagic
  • ZTPass

New Keys:

AAGUIDVendorDescription
eb3b131e-59dc-536a-d176-cb7306da10f5ellipticSecureellipticSecure MIRkey USB Authenticator
8da0e4dc-164b-454e-972e-88f362b23d59EvidenCardOS FIDO2 Token
46544d5d-8f5d-4db4-89ac-ea8977073fffFoongtonFoongtone FIDO Authenticator
773c30d9-5919-4e96-a4f5-db65e95cf890GSTAGGSTAG OAK FIDO2 Authenticator
7991798a-a7f3-487f-98c0-3faf7a458a04HID GlobalHID Crescendo Key V3
2a55aee6-27cb-42c0-bc6e-04efe999e88aHID GlobalHID Crescendo 4000
82b0a720-127a-4788-b56d-d1d4b2d82eacID-OneID-One Key
f2145e86-211e-4931-b874-e22bba7d01ccID-OneID-One Key
4b89f401-464e-4745-a520-486ddfc5d80eIISTIIST FIDO2 Authenticator
cfcb13a2-244f-4b36-9077-82b79d6a7de7Infineon Technologies AGUSB/NFC Passcode Authenticator
58b44d0b-0a7c-f33a-fd48-f7153c871352LedgerLedger Nano S Plus FIDO2 Authenticator
fcb1bcb4-f370-078c-6993-bc24d0ae3fbeLedgerLedger Nano X FIDO2 Authenticator
341e4da9-3c2e-8103-5a9f-aad887135200LedgerLedger Nano S FIDO2 Authenticator
2cd2f727-f6ca-44da-8f48-5c2e5da000a2NitrokeyNitrokey 3 AM
70e7c36f-f2f6-9e0d-07a6-bcc243262e6bOneKeyOneKey FIDO2 Bluetooth Authenticator
53414d53-554e-4700-0000-000000000000SamsungSamsung Pass
5343502d-5343-5343-6172-644649444f32Securité Carte à PuceESS Smart Card Inc. Authenticator
050dd0bc-ff20-4265-8d5d-305c4b215192ThaleseToken Fusion FIPS
10c70715-2a9a-4de1-b0aa-3cff6d496d39ThaleseToken Fusion NFC FIPS
c3f47802-de73-4dfc-ba22-671fe3304f90ThaleseToken Fusion NFC PIV Enterprise
146e77ef-11eb-4423-b847-ce77864e9411ThaleseToken Fusion NFC PIV
ba86dc56-635f-4141-aef6-00227b1b9af6TruUTruU Windows Authenticator
95e4d58c-056e-4a65-866d-f5a69659e880TruUTruU Windows Authenticator
5ea308b2-7ac7-48b9-ac09-7e2da9015f8cVeridiumVeridium Android SDK
6e8d1eae-8d40-4c25-bcf8-4633959afc71VeridiumVeridium iOS SDK
99ed6c29-4573-4847-816d-78ad8f1c75efVeroCardVeroCard FIDO2 Authenticator
d7a423ad-3e19-4492-9200-78137dccc136VivoKeyVivoKey Apex FIDO2
31c3f7ff-bf15-4327-83ec-9336abcbcd34WinmagicWinMagic FIDO Eazy – Software
970c8d9c-19d2-46af-aa32-3f448db49e35WinMagicWinMagic FIDO Eazy – TPM
f56f58b3-d711-4afc-ba7d-6ac05f88cb19WinMagicWinMagic FIDO Eazy – Phone
b7d3f68e-88a6-471e-9ecf-2df26d041edeYubicoSecurity Key NFC by Yubico
9ff4cc65-6154-4fff-ba09-9e2af7882ad2YubicoSecurity Key NFC by Yubico – Enterprise Edition (Enterprise Profile)
34f5766d-1536-4a24-9033-0e294e510fb0YubicoYubiKey 5 Series with NFC Preview
6ec5cff2-a0f9-4169-945b-f33b563f7b99YubicoYubiKey Bio Series – Multi-protocol Edition (Enterprise Profile)
8c39ee86-7f9a-4a95-9ba3-f6b097e5c2eeYubicoYubiKey Bio Series – FIDO Edition (Enterprise Profile)
24673149-6c86-42e7-98d9-433fb5b73296YubicoYubiKey 5 Series with Lightning
3a662962-c6d4-4023-bebb-98ae92e78e20YubicoYubiKey 5 FIPS Series with Lightning (Enterprise Profile)
20ac7a17-c814-4833-93fe-539f0d5e3389YubicoYubiKey 5 Series (Enterprise Profile)
b90e7dc1-316e-4fee-a25a-56a666a670feYubicoYubiKey 5 Series with Lightning (Enterprise Profile)
760eda36-00aa-4d29-855b-4012a182cdebYubicoSecurity Key NFC by Yubico Preview
fcc0118f-cd45-435b-8da1-9782b2da0715YubicoYubiKey 5 FIPS Series with NFC
ff4dac45-ede8-4ec2-aced-cf66103f4335YubicoYubiKey 5 Series
7b96457d-e3cd-432b-9ceb-c9fdd7ef7432YubicoYubiKey 5 FIPS Series with Lightning
97e6a830-c952-4740-95fc-7c78dc97ce47YubicoYubiKey Bio Series – Multi-protocol Edition (Enterprise Profile)
6ab56fad-881f-4a43-acb2-0be065924522YubicoYubiKey 5 Series with NFC (Enterprise Profile)
d2fbd093-ee62-488d-9dad-1e36389f8826YubicoYubiKey 5 FIPS Series (RC Preview)
4599062e-6926-4fe7-9566-9e8fb1aedaa0YubicoYubiKey 5 Series (Enterprise Profile)
d7781e5d-e353-46aa-afe2-3ca49f13332aYubicoYubiKey 5 Series with NFC
62e54e98-c209-4df3-b692-de71bb6a8528YubicoYubiKey 5 FIPS Series with NFC Preview
34744913-4f57-4e6e-a527-e9ec3c4b94e6YubicoYubiKey Bio Series – Multi-protocol Edition
ed042a3a-4b22-4455-bb69-a267b652ae7eYubicoSecurity Key NFC by Yubico – Enterprise Edition
3b24bf49-1d45-4484-a917-13175df0867bYubicoYubiKey 5 Series with Lightning (Enterprise Profile)
3124e301-f14e-4e38-876d-fbeeb090e7bfYubicoYubiKey 5 Series with Lightning Preview
9e66c661-e428-452a-a8fb-51f7ed088acfYubicoYubiKey 5 FIPS Series with Lightning (RC Preview)
ce6bf97f-9f69-4ba7-9032-97adc6ca5cf1YubicoYubiKey 5 FIPS Series with NFC (RC Preview)
2772ce93-eb4b-4090-8b73-330f48477d73YubicoSecurity Key NFC by Yubico – Enterprise Edition Preview
ad08c78a-4e41-49b9-86a2-ac15b06899e2YubicoYubiKey Bio Series – FIDO Edition
905b4cb4-ed6f-4da9-92fc-45e0d4e9b5c7YubicoYubiKey 5 FIPS Series (Enterprise Profile)
b415094c-49d3-4c8b-b3fe-7d0ad28a6bc4ZTPassZTPass SmartAuth
  • Updated Keys
    • Updated ‘NFC’ for AAGUID ’30b5035e-d297-4ff1-b00b-addc96ba6a98′ from ‘Yes’ to ‘No’.
    • Updated ‘Description’ for AAGUID ’83c47309-aabb-4108-8470-8be838b573cb’ from ‘YubiKey Bio Series (Enterprise Profile)’ to ‘YubiKey Bio Series – FIDO Edition (Enterprise Profile)’.
    • Updated ‘Description’ for AAGUID ‘5ca1ab1e-1337-fa57-f1d0-a117e71ca702’ from ‘Allthenticator App: roaming BLE FIDO2 Allthenticator for Windows, Mac, Linux, and Allthenticate door readers’ to ‘Allthenticator iOS App: roaming BLE FIDO2 Allthenticator for Windows, Mac, Linux, and Allthenticate door readers’.
    • Updated ‘Description’ for AAGUID ‘d8522d9f-575b-4866-88a9-ba99fa02f35b’ from ‘YubiKey Bio Series’ to ‘YubiKey Bio Series – FIDO Edition’.
    • Updated ‘Description’ for AAGUID ‘dd86a2da-86a0-4cbe-b462-4bd31f57bc6f’ from ‘YubiKey Bio FIDO Edition’ to ‘YubiKey Bio Series – FIDO Edition’.

I know, it was a lot for me too! Which FIDO2 keys do you like the best? Feel free to message me if you rather not put it in the comments, but would love to hear your experiences.

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.16
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

Hope you enjoyed and have a great day!

If Maester couldn’t get any better…Custom Test Collection now available

by Leave a Comment

The time has finally come. I have created a public repository to store custom Maester tests for everyone. As well as a website for deeper understanding where needed. I haven’t seen anyone else do it yet, and worse case scenario, people can just use the ones that I create, but I envision others adding theirs to this too. Yes, you will have to create the function, test, and the markdown file (I and/or others can help), so that we can have a collection of tests that anyone can pick and choose which ones they want to add to their Maester and customize it to their needs. They don’t need to be 365 related either, as they could be checks for Windows 11 settings, server configs, or check that a certain OU should only has these mentioned users or computers and to make sure that doesn’t change.

This is still in its early stages and would love any feedback to make it better while still showing that it is a companion to Maester. I wanted to get the framework started to that we can start gaining the benefits from the repository while still making it easy to use.

I hope you are excited about this as I am, and we can create a large community collection of tests.

Please star and share the repo. Open issues for tests that you want to see and if you already have one or can make it, put that in the issue. Let’s make all our IT lives easier and safer.

Thank you for taking the time to read this and hope you find value in this and can share your knowledge as well.

Website: https://devclate.github.io/Custom-Maester-Tests/
GitHub: https://github.com/DevClate/Custom-Maester-Tests

I’m also working on a module for the Entra attribute fields that will fix any issues by either manually typing in the correct value or only allow company standard values.

Dec 23, 2024 – EntraFIDOFinder v0.0.14 is Out with New Features!

by Leave a Comment

It’s the second to last Monday of the year, so figured I’d release a new version of the EntraFIDOFinder before the end of the year. Here are the main additions.

New Features:

  • Using -AllProperties now gives you all of the basic information for the key(s), but also gives you all of the data from the FIDO Alliance as well
  • AAGUID can now be piped in, whether it is 1 key or 100 keys, it will take it
  • AAGUID can now be imported from a .CSV, .TXT, or .XLSX
  • Using -DetailedProperties you can now gain access to any of the regular or FIDO Alliance properties to create your output
  • Added a GitHub Action to directly copy the FIDO Alliance data and merge it into the JSON data and update where necessary
  • Web Version: You can click on a key and get more information, then there is a button inside it which will show you all of the data in JSON

I did some other cleanup and prepping for some future updates, but what do you think? Any other features we should add? Are there fields not in the standard that you think should be?

Here are a couple sample outputs:

"50a45b0c-80e7-f944-bf29-f552bfa2e048", "973446ca-e21c-9a9b-99f5-9b985a67af0f" | Find-FIDOKey

Vendor      : ACS
Description : ACS FIDO Authenticator
AAGUID      : 50a45b0c-80e7-f944-bf29-f552bfa2e048
Bio         : No
USB         : Yes
NFC         : No
BLE         : No
Version     : FIDO 2.1 PRE
ValidVendor : Yes

Vendor      : ACS
Description : ACS FIDO Authenticator Card
AAGUID      : 973446ca-e21c-9a9b-99f5-9b985a67af0f
Bio         : No
USB         : No
NFC         : Yes
BLE         : No
Version     : FIDO 2.1 PRE
ValidVendor : Yes

"50a45b0c-80e7-f944-bf29-f552bfa2e048" | Find-FIDOKey -AllProperties
{
  "Vendor": "ACS",
  "Description": "ACS FIDO Authenticator",
  "AAGUID": "50a45b0c-80e7-f944-bf29-f552bfa2e048",
  "Bio": "No",
  "USB": "Yes",
  "NFC": "No",
  "BLE": "No",
  "Version": "FIDO 2.1 PRE",
  "ValidVendor": "Yes",
  "metadataStatement": {
    "legalHeader": "Submission of this statement and retrieval and use of this statement indicates acceptance of the appropriate agreement located at <https://fidoalliance.org/metadata/metadata-legal-terms/.">,
    "aaguid": "50a45b0c-80e7-f944-bf29-f552bfa2e048",
    "description": "ACS FIDO Authenticator",
    "authenticatorVersion": 10000,
    "protocolFamily": "fido2",
    "schema": 3,
    "upv": [
      {
        "major": 1,
        "minor": 1
      },
      {
        "major": 1,
        "minor": 0
      }
    ], and more data below

Here is a screenshot of the web version:

Thank you for taking the time to read this and using EntraFIDOFinder. This started out as a quick side project that grew a lot faster than I thought it would. I’ve learned a lot building the backend to this and even some of the front end. I can’t believe it’s almost at 1.2k downloads! Thank you!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.14
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

Hope you have a great day!

GitHub Actions and PowerShell: The Underdog

by Leave a Comment

Remember how I mentioned how GitHub actions are underrated? I’m going to show at a high level how GitHub Actions with PowerShell can save you time and be more efficient.

What does it do?

  • Web scrapes website into PowerShell Object
  • Compares the web scrape to the json “database” file(FidoKeys.json) of all the keys
    • Matches by AAGUID
      • Adds to FidoKeys.json if doesn’t exit
      • Removes from FidoKeys.json if not in the web scrape anymore
    • If New key
      • Checks the first word in the description to see if that matches with the Valid Vendor List(Valid_Vendors.json) and if it matches adds the Vendor
        • If it doesn’t have a valid vendor it will create a GitHub issue for that vendor and key
    • If Existing key
      • Checks to see if any of the properties have changed and updates FidoKeys.json
    • If Missing key
      • If key is no longer in the web scrape, it removes it from FidoKeys.json
  • Updates Merge dates on FidoKeys.json
    • If it checks to see if there are any changes and there are no changes, it only updates databaseLastChecked
    • If it checks to see if there are any changes and there are changes, it updates databaseLastChecked and databaseLastUpdated
  • Creates GitHub Issues for Invalid Vendors
    • If a vendor isn’t in the valid_vendors.json list or if the vendor name is blank, it will automatically create a GitHub issue for that key and invalid vendor name
    • Assigns myself at the owner of the issue
  • Closes GitHub Issues for Valid Vendors
    • If a vendor now matches with a vendor name in valid_vendors.json, then it will automatically close the issue for the now valid vendor
  • Updates merge_log.md
    • It only updates the merge_log.md when a new change occurs from the previous check
  • Updates detailed_log.txt
    • This is written to every time, but if it is the same as previous check it will write “No changes detected during this run”

It does that automatically once every day, I could do it more, but didn’t think it was necessary. Best of all, this is all done for free. Since it is a public repository all GitHub actions are free. Today, I’ll go over the GitHub Action, but I’ll do another post to go into detail on the PowerShell script side.

Let’s start from the beginning. We first have to name the GitHub Action so we will use “Main Entra Merge” in this case as this is for the Main branch and is merging keys for Entra.

name: Main Entra Merge

Then we have to determine when it will run. What I like to do in the beginning is always have a “workflow_dispatch:” as this will always allow you to test it manually and you don’t have to wait for any other triggers. Then in this case I have it run at midnight, and anytime there is a push or pull request to the main branch

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

Next, we have to define what OS do we want to run on. I usually only use ubuntu-latest unless I have a real use to use Mac or Windows, as if I remember right, Windows is 3 times the cost to run in Actions, and Mac is 9 times. I know it’s free for me, but why use resources that aren’t needed. You can as well uses different versions of Ubuntu too (GitHub Runners). Also you need to have “jobs:” and then the name of the job or it won’t work. Also spacing is very important with Yaml. It has burned me a few times.

jobs:
  merge-fido-data:
    runs-on: ubuntu-latest

The workflow begins by checking out the repository to the runner using the actions/checkout@v4 action. This step ensures that all necessary files and scripts are available for subsequent steps.

- name: Checkout repository
  uses: actions/checkout@v4
  with:
    fetch-depth: 0
    ref: main

Next, it installs the PSParseHTML PowerShell module, which is essential for parsing HTML content in the scripts that follow.

- name: Install PSParseHTML Module
  shell: pwsh
  run: Install-Module -Name PSParseHTML -Force -Scope CurrentUser

The workflow runs a series of custom PowerShell scripts that perform data validation and merging:

  • Validation Scripts: Test-GHValidVendor.ps1 and Test-GHAAGUIDExists.ps1 ensure that the vendor information and AAGUIDs are valid.
  • Data Export and Merge: Export-GHEntraFido.ps1 exports data from Microsoft Entra, and Merge-GHFidoData.ps1 merges it with existing data.
- name: Run Merge-GHFidoData Script
  shell: pwsh
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITHUB_REPOSITORY: ${{ github.repository }}
  run: |
    Import-Module PSParseHTML
    . ./Scripts/Test-GHValidVendor.ps1
    . ./Scripts/Test-GHAAGUIDExists.ps1
    . ./Scripts/Export-GHEntraFido.ps1
    . ./Scripts/Merge-GHFidoData.ps1
- name: Read Environment Variables
 shell: bash
 run: |
 if [ -f ./Scripts/env_vars.txt ]; then
 echo "Setting environment variables from env_vars.txt"
 cat ./Scripts/env_vars.txt >> $GITHUB_ENV
 else
 echo "env_vars.txt not found."
 fi

For transparency, the workflow outputs the values of key environment variables, aiding in debugging and verification. This could be removed, but leaving for now for testing.

- name: Debug - Display ISSUE_ENTRIES, KEYS_NOW_VALID, and VENDORS_NOW_VALID Environment Variables
 shell: bash
 run: |
 echo "ISSUE_ENTRIES: $ISSUE_ENTRIES"
 echo "KEYS_NOW_VALID: $KEYS_NOW_VALID"
 echo "VENDORS_NOW_VALID: $VENDORS_NOW_VALID"

Utilizing actions/github-script@v6, the workflow runs a JavaScript script that automates issue creation and closure based on validation results.

  • Creates Issues: For any data discrepancies found.
  • Closes Issues: If previously reported issues are now resolved.
  • Assigns Issues: Automatically assigns issues to DevClate for certain labels.
- name: Close Fixed Issues and Create New Issues
      uses: actions/github-script@v6
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const issueEntriesRaw = process.env.ISSUE_ENTRIES || '';
          const issueEntries = issueEntriesRaw.split('%0A').map(entry => decodeURIComponent(entry)).filter(entry => entry.trim() !== '');
          if (issueEntries.length === 0) {
            console.log('No new issue entries found.');
          } else {
            for (const entry of issueEntries) {
              const parts = entry.split('|');
              if (parts.length < 2) {
                console.error(`Invalid entry format: ${entry}`);
                continue;
              }
              const [issueTitle, issueBody, issueLabel] = parts;
              console.log(`Processing issue: ${issueTitle}`);
              const { data: issues } = await github.rest.issues.listForRepo({
                owner: context.repo.owner,
                repo: context.repo.repo,
                state: 'open',
                labels: 'auto-generated',
              });
              const existingIssue = issues.find(issue => issue.title === issueTitle);
              if (!existingIssue) {
                const assignees = [];
                if (issueLabel === 'InvalidVendor' || issueLabel === 'DuplicateEntry') {
                  assignees.push('DevClate');
                }
                await github.rest.issues.create({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  title: issueTitle,
                  body: issueBody,
                  labels: issueLabel ? ['auto-generated', issueLabel] : ['auto-generated'],
                  assignees: assignees,
                });
                console.log(`Issue created: ${issueTitle}`);
              } else {
                console.log(`Issue already exists: ${issueTitle}`);
              }
            }
          }

          // Close issues for keys (AAGUIDs) that are now valid
          const keysNowValidRaw = process.env.KEYS_NOW_VALID || '';
          const keysNowValid = keysNowValidRaw.split('%0A').map(entry => decodeURIComponent(entry)).filter(entry => entry.trim() !== '');
          if (keysNowValid.length === 0) {
            console.log('No keys have become valid.');
          } else {
            console.log('Keys that are now valid:', keysNowValid);
            for (const aaguid of keysNowValid) {
              const { data: issues } = await github.rest.issues.listForRepo({
                owner: context.repo.owner,
                repo: context.repo.repo,
                state: 'open',
                labels: ['auto-generated', 'InvalidVendor'],
                per_page: 100,
              });
              for (const issue of issues) {
                if (issue.title.includes(aaguid)) {
                  await github.rest.issues.update({
                    owner: context.repo.owner,
                    repo: context.repo.repo,
                    issue_number: issue.number,
                    state: 'closed',
                    state_reason: 'completed',
                  });
                  await github.rest.issues.createComment({
                    owner: context.repo.owner,
                    repo: context.repo.repo,
                    issue_number: issue.number,
                    body: `The vendor for key with AAGUID '${aaguid}' is now valid. This issue is being closed automatically.`,
                  });
                  console.log(`Closed issue for key with AAGUID: ${aaguid}`);
                }
              }
            }
          }

The workflow extracts the newest entries from merge_log.md and detailed_log.txt and appends them to the GitHub Actions summary for easy access.

- name: Display Merge Log
  shell: bash
  run: |
    # Extract and format logs

Configuring Git ensures that any commits made by the workflow are properly attributed.

- name: Configure Git
  run: |
    git config --global user.name 'D--ate'
    git config --global user.email 'c---@--t.com'

Finally, the workflow commits the changes made to the data and logs, pushing them back to the main branch.

- name: Commit changes
 run: |
 git add Assets/FidoKeys.json merge_log.md detailed_log.txt
 git commit -m "Update Fidokeys.json, merge_log.md, and detailed_log.txt" || echo "No changes to commit"

- name: Push changes
 uses: ad-m/github-push-action@v0.6.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 branch: main

And that’s it! It’s completely ok to not fully understand it, but wanted to give you a quick breakdown on how it works in case you have a project that you are working on or have been holding off because you didn’t know this is possible. If you have any tips, I’d be glad to talk as well as I’m always open for improvement and learning new ideas.

If you want to see this in action check out https://github.com/DevClate/EntraFIDOFinder

I do have a PowerShell module that works with this and allows you to find/filter which FIDO2 Keys are Entra Attestation approved, that can be downloaded there or on the PowerShell Gallery

And I even made an interactive website as well at https://devclate.github.io/EntraFIDOFinder/Explorer/

I will be doing a breakdown of the PowerShell of this in part 2!

Hope this was helpful and have a great day!