Clatent

Technology | Fitness | Food

Maester

Why does my 365 Admin Audit Log sometime say it’s disabled, but other times enabled? Am I being compromised?

by Leave a Comment

Let me first start this off with I’m 99% sure you aren’t being compromised, but read on to see what I mean.

I first ran into this when I was running Maester and I saw that it said my test failed for having Unified Audit Log enabled. I then went to my Purview Portal and saw that it was enabled. Next I ran the command:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

And received this output:

UnifiedAuditLogIngestionEnabled : False

It got me worried, as why is the PowerShell version saying it failed, but the GUI isn’t. Honestly, I usually trust the PowerShell output before the GUI. Then I run the PowerShell command to set it to “True.”

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

And received this output:

WARNING: The command completed successfully but no settings of 'Admin Audit Log Settings' have been modified.

Are you scratching your head like I was? I thought, maybe it’s because on the portal it shows it’s enabled, it is seeing it there and not changing it. Why not put that in the warning message though?

I did a little research and found Audit Log Enable Disable | MSFT which is where this little gem is located

Important

Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.

And that is when it clicks, I connect to ExchangeOnlineManagement first then IPPSSession which must be causing the issue! I then disconnect with “Disconnect-ExhangeOnline”, and reconnect using “Connect-ExchangeOnline.” Now for the moment of truth:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

UnifiedAuditLogIngestionEnabled : True

Success! But now the “why does this happen and why haven’t more people reported this?” I asked my buddy Sam Erde, had he seen this before? And he was perplexed as I was. Then he started digging a bit, and saw that you couldn’t use -NoClobber as it is from the same module.

The crazy part is, if you export both versions, they are the exact same code! What could it be? Is it how the IPPSSession connects to the API? If so, why not put a message saying you are connecting with IPPSSession, please disconnect and use connect-exchangeonline?

The mystery still continues, but I know Sam is working on a fix to handle this more consistently and hopefully have a fix shortly!

Have you been burned by this before?

Cliff notes version:

  • You weren’t compromised (unless you see it being changed in the logs and/or you ensure you are checking it correctly)
  • Make sure when checking for AuditLog is enabled through PS that your not using IPPSSession for the command
  • Sam Erde is working on a fix for Maester

Hope this saves you some headaches and have a great day!

Custom Maester Tests: Validate Full Addresses Now and Cleaned Up Wording

by Leave a Comment

Added 3 new tests which I think the first two will be game changers. The first 2 are tests for validating locations, in which the user must have street, city, state, postal code, country, business phone, and company name the same as the valid location in the json. If you have 3 different addreses that your company uses, you can put each in there, and they are seen as 3 different addresses so it will only pass the location test if they have all the correct values for 1 location. The 2nd test is the same as the first, but I removed business phone in case your company doesn’t have standard for it for all employees. The last test is formatting for user email accounts that should be formatted as all lower case and its first name period last name. Also I cleaned up some of the wording in all the different tests to keep them as similar as possible. Feel free to change in your tests though!

ENTRA.UV.1010.L01 – All location information

  • Test-ContosoUsersAllowedLocations.ps1
  • Test-ContosoUsersAllowedLocations.Tests.ps1
  • Test-ContosoUsersAllowedLocations.md

ENTRA.UV.1010.L02 – All location information minus business phone

  • Test-ContosoUsersAllowedLocationsNoBusinessPhones.ps1
  • Test-ContosoUsersAllowedLocationsNoBusinessPhones.Tests.ps1
  • Test-ContosoUsersAllowedLocationsNoBusinessPhones.md

ENTRA.UF.1003.T03.Email – All lower case first name period last name

  • Test-ContosoUsersFormattingFirstLastLowerCase.ps1
  • Test-ContosoUsersFormattingFirstLastLowerCase.Tests.ps1
  • Test-ContosoUsersFormattingFirstLastLowerCase.md

Are there any other tests you’d like to see sooner than later?

GitHub: https://github.com/DevClate/Custom-Maester-Tests
Website: https://devclate.github.io/Custom-Maester-Tests/
Maester: https://maester.dev

Have a great day!

Now you can use your own company standards with Maester custom tests

by Leave a Comment

I thought checking to see if they were filled in or even formatted correctly wasn’t enough.. now you can config the validation.json file in the Validating folder with your company standards to make only those values pass. Here are the fields so far, and will be adding more!

  • ENTRA.UV.1001 – Company Name
  • ENTRA.UV.1002 – Street Address
  • ENTRA.UV.1003 – City
  • ENTRA.UV.1004 – State
  • ENTRA.UV.1005 – Postal Code
  • ENTRA.UV.1006 – Country
  • ENTRA.UV.1007 – Business Phone Number
  • ENTRA.UV.1008 – Job Title
  • ENTRA.UV.1009 – Department

Hope you like this new update and let me know if you run into any issues or want to see any other updates. Please don’t forget to star the repo and share to get the word out so more people can add theirs.

Have a great day!

GitHub: Custom Maester Tests
Website: Custom Maester Tests
Website: Offical Maester Website

If Maester couldn’t get any better…Custom Test Collection now available

by Leave a Comment

The time has finally come. I have created a public repository to store custom Maester tests for everyone. As well as a website for deeper understanding where needed. I haven’t seen anyone else do it yet, and worse case scenario, people can just use the ones that I create, but I envision others adding theirs to this too. Yes, you will have to create the function, test, and the markdown file (I and/or others can help), so that we can have a collection of tests that anyone can pick and choose which ones they want to add to their Maester and customize it to their needs. They don’t need to be 365 related either, as they could be checks for Windows 11 settings, server configs, or check that a certain OU should only has these mentioned users or computers and to make sure that doesn’t change.

This is still in its early stages and would love any feedback to make it better while still showing that it is a companion to Maester. I wanted to get the framework started to that we can start gaining the benefits from the repository while still making it easy to use.

I hope you are excited about this as I am, and we can create a large community collection of tests.

Please star and share the repo. Open issues for tests that you want to see and if you already have one or can make it, put that in the issue. Let’s make all our IT lives easier and safer.

Thank you for taking the time to read this and hope you find value in this and can share your knowledge as well.

Website: https://devclate.github.io/Custom-Maester-Tests/
GitHub: https://github.com/DevClate/Custom-Maester-Tests

I’m also working on a module for the Entra attribute fields that will fix any issues by either manually typing in the correct value or only allow company standard values.

365AutomatedLab and new companion module coming soon

by Leave a Comment

365AutomatedLab and new companion module coming soon

I promise I haven’t forgotten about 365AutomatedLab, but I’ll be honest after Microsoft made the announcement of no more new Dev tenants it hurt a bit as I know how useful they are on learning and testing features and PowerShell without hurting your production environment. 365AutomatedLab will still be used for people that have Dev tenants whether they are free or not, but you can use these functions in production as well.

Now about the new module, it hasn’t been released yet, but finishing cleaning it up to at least beta stage. I won’t say exactly what it does yet, but it is a companion to 365AutomatedLab in that it helps you keep your 365 tenant organized. A little teaser though, is that some of the parts will work with the amazing module Maester and if you don’t already use it, go install it now. Seriously, go do that and while that is downloading, think of ways you would like to see 365AutomatedLab improved.

Maester.dev – Test Automation Framework to keep control of your 365 security configuration
365AutomatedLab – Setup a 365 Tenant from an Excel Workbook

As always, thank you for taking the time and have a great day!