Clatent

Technology | Fitness | Food

PowerShell

v0.0.20 EntraFIDOFinder is out

by Leave a Comment

4 New keys have been added and a few changes in capabilities!

New Keys:

  • Hyper FIDO Pro NFC – 23195a52-62d9-40fa-8ee5-23b173f4fb52
  • Hyper FIDO Pro (CTAP2.1, CTAP2.0, U2F) – 6999180d-630c-442d-b8f7-424b90a43fae
  • DEMIA SOLVO Fly 80 R3 FIDO Card c – dda9aa35-aaf1-4d3c-b6db-7902fd7dbbbf
  • IDEMIA SOLVO Fly 80 R3 FIDO Card e – def8ab1a-9f91-44f1-a103-088d8dc7d681

Updated Keys:

  • Updated ‘NFC’ for AAGUID ‘3f59672f-20aa-4afe-b6f4-7e5e916b6d98’ from ‘✅’ to ‘❌’.
  • Updated ‘USB’ for AAGUID ‘b12eac35-586c-4809-a4b1-d81af6c305cf’ from ‘✅’ to ‘❌’.
  • Updated ‘NFC’ for AAGUID ‘b12eac35-586c-4809-a4b1-d81af6c305cf’ from ‘✅’ to ‘❌’.
  • Updated ‘NFC’ for AAGUID ‘9d3df6ba-282f-11ed-a261-0242ac120002’ from ‘✅’ to ‘❌’.
  • Updated ‘USB’ for AAGUID ’39a5647e-1853-446c-a1f6-a79bae9f5bc7′ from ‘❌’ to ‘✅’.
  • Updated ‘BLE’ for AAGUID ’39a5647e-1853-446c-a1f6-a79bae9f5bc7′ from ‘❌’ to ‘✅’.
  • Updated ‘USB’ for AAGUID ‘820d89ed-d65a-409e-85cb-f73f0578f82a’ from ‘❌’ to ‘✅’.
  • Updated ‘BLE’ for AAGUID ‘820d89ed-d65a-409e-85cb-f73f0578f82a’ from ‘❌’ to ‘✅’.

How have your FIDO2 implementations been going? Would love to hear your stories!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.20
GitHub: https://github.com/DevClate/EntraFIDOFinder

EntraFIDOFinder Update

by Leave a Comment

There haven’t been much changes the past couple months, but finally a biggish update happened where Microsoft has added 10 more keys that are Attestation capable.

Added Attestation capable keys:

  • Chipwon Clife Key | 930b0c03-ef46-4ac4-935c-538dccd1fcdb
  • HID Crescendo 4000 FIDO | aa79f476-ea00-417e-9628-1e8365123922
  • ID-One Key | 82b0a720-127a-4788-b56d-d1d4b2d82eac
  • ID-One Key | f2145e86-211e-4931-b874-e22bba7d01cc
  • VeridiumID Passkey Android SDK | 8d4378b0-725d-4432-b3c2-01fcdaf46286
  • VeridiumID Passkey iOS SDK | 1e906e14-77af-46bc-ae9f-fe6ef18257e4
  • VinCSS FIDO2 Fingerprint | 9012593f-43e4-4461-a97a-d92777b55d74
  • YubiKey 5 Series with NFC – Enhanced PIN | 662ef48a-95e2-4aaa-a6c1-5b9c40375824
  • YubiKey 5 Series with NFC – Enhanced PIN (Enterprise Profile) | b2c1a50b-dad8-4dc7-ba4d-0ce9597904bc
  • YubiKey 5 Series with NFC KVZR57 | 9eb7eabc-9db5-49a1-b6c3-555a802093f4

Are you requiring attestation? How has your implementation of FIDO2 keys been?

Don’t forget about the web version at: https://devclate.github.io/EntraFIDOFinder/Explorer/

Need the module?
– PowerShell: Install-PSResource EntraFIDOFinder
– PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.19
– GitHub: https://github.com/DevClate/EntraFIDOFinder

How to Delete Recurring Planner Tasks with PowerShell

by Leave a Comment

Are you using PowerShell and Microsoft Planner? I feel it doesn’t get the love it deserves, and to be honest, I hadn’t used PowerShell with Planner in a while, but wanted to get back into it. I first starting using the Microsoft.Graph.Planner and found some limitations that were possible if you used the Graph API directly. One of the things that stood out was you couldn’t call a Plan or Bucket by its real name, only by its ID. Yes, I could have added some logic to make it so, but realized that it also couldn’t remove recurring tasks. I thought it was going to be a quick fix, but found out hours later that wasn’t the case.. hence this post!

Let’s get into the process now.

First, we are going to go to planner.microsoft.cloud and click on the task you want or click on the plan, then on the task you want.

Once you are there you will find the ID in the URL

Below you will see in bold the “TaskId.” The “PlanId” is right after ‘plan/’. They will always be in these locations.

<https://planner.cloud.microsoft/webui/plan/1L__9CleiAwPwqMXDEPEALPQKPa9/view/board/task/1Peq3A7__1EXqot27RoV53QYBZuS?tid=26my427d-m317-83y1-63r0-4suv1pe421y8>

Next we will create a $TaskId variable, where you will put the TaskId inside of it

$TaskId = "1Peq3A7__1EXqot27RoV53QYBZuS"

Before we go farther, lets connect to Microsoft Graph (beta) with these scopes

Connect-MgGraph -Scopes 'Tasks.ReadWrite','Group.ReadWrite.All'

Then you’ll want to get the Task information and save it to the $Task variable to use later. This is important as this will store the ETAG value that you will need to delete the task, as this value changes anytime something changes with that task.

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

Now here is the fun part, there is no way as of right now to delete a recurring meeting in one call. The best way I found to do it is to first cancel the recurrence then delete it. After doing more research I found later on that it does say you have to ‘$null’ out “Schedule” from Microsoft Learn. I figured it out the hard way when I was using “Developer Tools” to see the API requests it was doing on each click.

Let’s cancel the recurrence, first we have to build out the body to null out schedule and we do that like below.

$body = @{
    recurrence = @{
        schedule = $null
    }
} | ConvertTo-Json -Depth 3

After the body, we create the the “Header” for the request. We do that by below. This is very important because if you don’t Graph won’t know the exact task you are trying to change.

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

Now that we have TaskID, Body, and Header we can update(PATCH) the recurring task to a non recurring task.

Invoke-MgGraphRequest -Method PATCH -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>" -Body $body -Headers $headers

Perfect, you have canceled the recurring task and can now delete it. This may seem repetitive, but as of right now it’s the only way to do it. You have to get the task information again because it will now have a new ETAG, and will fail if you try to use the previous one.

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

And we will have to put the updated ETAG in the header

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

We could have done this part in the beginning, but didn’t want to throw too much at you in the beginning, but here we will create the URI as a variable to make the API request shorter and easier to read.

$Uri = "<https://graph.microsoft.com/beta/planner/tasks/$taskId”>

The moment is finally here, where we actually get to delete the task…

Invoke-MgGraphRequest -uri $Uri -Method Delete -Headers $Headers

That’s it! Now go back to planner and confirm that is has been deleted.

Congrats on deleting your first recurring task! Below, I’ve put the whole script so you can see it all together and you can update the TaskId then run it to to delete recurring tasks.

If you’re interested in learning more about Planner and PowerShell, stay tuned as I may have some ideas to make using them together even easier.

$taskId = "1Peq3A7__1EXqot27RoV53QYBZuS"

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

# Cancel the recurrence by setting schedule to null
$body = @{
    recurrence = @{
        schedule = $null
    }
} | ConvertTo-Json -Depth 3

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

Invoke-MgGraphRequest -Method PATCH -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>" -Body $body -Headers $headers

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

$Uri = "<https://graph.microsoft.com/beta/planner/tasks/$taskId”>

Invoke-MgGraphRequest -uri $uri -Method Delete -Headers $headers

Let me know if you have any questions or feedback, have a great day!

Why does my 365 Admin Audit Log sometime say it’s disabled, but other times enabled? Am I being compromised?

by Leave a Comment

Let me first start this off with I’m 99% sure you aren’t being compromised, but read on to see what I mean.

I first ran into this when I was running Maester and I saw that it said my test failed for having Unified Audit Log enabled. I then went to my Purview Portal and saw that it was enabled. Next I ran the command:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

And received this output:

UnifiedAuditLogIngestionEnabled : False

It got me worried, as why is the PowerShell version saying it failed, but the GUI isn’t. Honestly, I usually trust the PowerShell output before the GUI. Then I run the PowerShell command to set it to “True.”

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

And received this output:

WARNING: The command completed successfully but no settings of 'Admin Audit Log Settings' have been modified.

Are you scratching your head like I was? I thought, maybe it’s because on the portal it shows it’s enabled, it is seeing it there and not changing it. Why not put that in the warning message though?

I did a little research and found Audit Log Enable Disable | MSFT which is where this little gem is located

Important

Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.

And that is when it clicks, I connect to ExchangeOnlineManagement first then IPPSSession which must be causing the issue! I then disconnect with “Disconnect-ExhangeOnline”, and reconnect using “Connect-ExchangeOnline.” Now for the moment of truth:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

UnifiedAuditLogIngestionEnabled : True

Success! But now the “why does this happen and why haven’t more people reported this?” I asked my buddy Sam Erde, had he seen this before? And he was perplexed as I was. Then he started digging a bit, and saw that you couldn’t use -NoClobber as it is from the same module.

The crazy part is, if you export both versions, they are the exact same code! What could it be? Is it how the IPPSSession connects to the API? If so, why not put a message saying you are connecting with IPPSSession, please disconnect and use connect-exchangeonline?

The mystery still continues, but I know Sam is working on a fix to handle this more consistently and hopefully have a fix shortly!

Have you been burned by this before?

Cliff notes version:

  • You weren’t compromised (unless you see it being changed in the logs and/or you ensure you are checking it correctly)
  • Make sure when checking for AuditLog is enabled through PS that your not using IPPSSession for the command
  • Sam Erde is working on a fix for Maester

Hope this saves you some headaches and have a great day!

EntraFIDOFinder Update

by Leave a Comment

June( v0.0.18) update is here and we skipped May as I could tell they were still making some changes so I didn’t push them to the PowerShell gallery. This month they removed 50+ keys as they were unapproved models, but there are still over 150 keys that are Entra Attestation capable!

How is your FIDO2 journey going? What are you wishing this module could do?

Appreciate all feedback and have a great day!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.18
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

New version of EntraFIDOFinder is out now

by Leave a Comment

Now with over 15 new keys! It was a little slow last month, but this month they made up with adding 6 new Vendors too. For the module, most of the enhancements were on the backend, where I created a function to reorganize any keys that weren’t following the standard configuration. This happens when a new key is added, I haven’t figured a way yet to automatically pull the FIDO Alliance data so that it shows correctly. Also I added a Pester test to make sure the key JSON file is in the correct format and using the correct values.

Microsoft changed on the backend how they showed their “Yes” or “No” on the back end, so I had to adjust my code to look for check mark or an x, as well as changed the JSON validation for that as well. If you use JSON, and haven’t used schemas, I highly recommend you doing it as it will make catching or avoiding issues much easier and quicker.

Here are the database changes:

New Vendors:

  • Deepnet
  • GoldKey
  • SafeKey
  • SHALO
  • T-Shiled
  • VeridiumID

New Keys:

AAGUIDVendorDescription
c89e6a38-6c00-5426-5aa5-c9cbf48f0382ACSFIDO Authenticator NF
b9f6b7b6-f929-4189-bca9-dd951240c132DeepnetSafeKey/Classic (USB)
b12eac35-586c-4809-a4b1-d81af6c305cfDeepnetSafeKey/Classic (NFC)
e41b42a3-60ac-4afb-8757-a98f2d7f6c9fDeepnetSafeKey/Classic (FP)
78ba3993-d784-4f44-8d6e-cc0a8ad5230eFeitianePass FIDO-NFC(CTAP2.1, CTAP2.0, U2F)
39589099-9a75-49fc-afaa-801ca211c62aFeitianePass FIDO-NFC (Enterprise Profile) (CTAP2.1, CTAP2.0, U2F)
0db01cd6-5618-455b-bb46-1ec203d3213eGoldKeySecurity Token
c4ddaf11-3032-4e77-b3b9-3a340369b9adHIDCrescendo Fusion
57235694-51a5-4a4d-a81a-f42185df6502SHALOSHALO AUTH
7787a482-13e8-4784-8a06-c7ed49a7aaf4SwissbitiShield Key 2
e400ef8c-711d-4692-af46-7f2cf7da23adSwissbitiShield Key 2 Enterprise
5eaff75a-dd43-451f-af9f-87c9eeae293eSwissbitiShield Key 2 FIPS Enterprise
817cdab8-0d51-4de1-a821-e25b88519cf3SwissbitiShield Key 2 FIPS
882adaf5-3aa9-4708-8e7d-3957103775b4T-ShieldTrustSec FIDO2 Bio and client PIN version
8d4378b0-725d-4432-b3c2-01fcdaf46286VeridiumIDPasskey Android SDK
1e906e14-77af-46bc-ae9f-fe6ef18257e4VeridiumIDPasskey iOS SDK

Hope you enjoyed this update and have a great day! Don’t forget to star the repo and if you have an enhancement or issue, please create a GitHub Issue or discussion.

Are there any features you wish EntraFIDOFinder had? Would you like a function to just download or view the key database without updating the module?

GitHub: https://github.com/DevClate/EntraFIDOFinder
PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.17
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/