Clatent

Technology | Fitness | Food

Security

Did you know: SSPR/Password Reset Edition

by Leave a Comment

Did you know if you convert to the combined experience for SSPR and password reset, you can remove less secure phone, email, and text authentication? This is as long as you have Authenticator registered and higher methods allowed. See below for SSPR.

This works for SSPR and for password reset through My Sign-Ins.

The gotcha is if you have 2 methods required for SSPR, it will say your not registered for SSPR even if your enabled for it, but only have 1 method (Microsoft Authenticator) registered. As you can see below.

I would definitely recommend adding more secure options as well but at the minimum I’d use Authenticator or higher.

How do you keep your user protected in this situation?

Hope this quick tip was useful and have a great day!

Why does my 365 Admin Audit Log sometime say it’s disabled, but other times enabled? Am I being compromised?

by Leave a Comment

Let me first start this off with I’m 99% sure you aren’t being compromised, but read on to see what I mean.

I first ran into this when I was running Maester and I saw that it said my test failed for having Unified Audit Log enabled. I then went to my Purview Portal and saw that it was enabled. Next I ran the command:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

And received this output:

UnifiedAuditLogIngestionEnabled : False

It got me worried, as why is the PowerShell version saying it failed, but the GUI isn’t. Honestly, I usually trust the PowerShell output before the GUI. Then I run the PowerShell command to set it to “True.”

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

And received this output:

WARNING: The command completed successfully but no settings of 'Admin Audit Log Settings' have been modified.

Are you scratching your head like I was? I thought, maybe it’s because on the portal it shows it’s enabled, it is seeing it there and not changing it. Why not put that in the warning message though?

I did a little research and found Audit Log Enable Disable | MSFT which is where this little gem is located

Important

Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.

And that is when it clicks, I connect to ExchangeOnlineManagement first then IPPSSession which must be causing the issue! I then disconnect with “Disconnect-ExhangeOnline”, and reconnect using “Connect-ExchangeOnline.” Now for the moment of truth:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

UnifiedAuditLogIngestionEnabled : True

Success! But now the “why does this happen and why haven’t more people reported this?” I asked my buddy Sam Erde, had he seen this before? And he was perplexed as I was. Then he started digging a bit, and saw that you couldn’t use -NoClobber as it is from the same module.

The crazy part is, if you export both versions, they are the exact same code! What could it be? Is it how the IPPSSession connects to the API? If so, why not put a message saying you are connecting with IPPSSession, please disconnect and use connect-exchangeonline?

The mystery still continues, but I know Sam is working on a fix to handle this more consistently and hopefully have a fix shortly!

Have you been burned by this before?

Cliff notes version:

  • You weren’t compromised (unless you see it being changed in the logs and/or you ensure you are checking it correctly)
  • Make sure when checking for AuditLog is enabled through PS that your not using IPPSSession for the command
  • Sam Erde is working on a fix for Maester

Hope this saves you some headaches and have a great day!

EntraFIDOFinder Update

by Leave a Comment

June( v0.0.18) update is here and we skipped May as I could tell they were still making some changes so I didn’t push them to the PowerShell gallery. This month they removed 50+ keys as they were unapproved models, but there are still over 150 keys that are Entra Attestation capable!

How is your FIDO2 journey going? What are you wishing this module could do?

Appreciate all feedback and have a great day!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.18
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

EntraFIDOFinder now with over 50 new keys!

by Leave a Comment

I guess I should be careful what I ask for now.. Not sure if you saw, but when Microsoft first made this update it blew up my repo with over 100 issues due to all the changes and I assumed Microsoft had changed how they formatted their website, but they hadn’t. It was just from the new keys, vendors, and changes to current keys.

All of their basic info has been updated on the web and PowerShell module, but I haven’t put all the meta data in from the FIDO Alliance, as I’m looking for a way to fully automate it when new keys are added.

Now to the part you really care about

New Vendors:

  • Android
  • Dapple Security
  • Eviden
  • Foongton
  • GSTAG
  • ID-One
  • IIST
  • Infineon Technologies AG
  • KeyVault
  • Ledger
  • Nitrokey
  • OneKey
  • Samsung
  • Securité Carte à Puce
  • TruU
  • Veridium
  • VeroCard
  • Vivokey
  • WinMagic
  • ZTPass

New Keys:

AAGUIDVendorDescription
eb3b131e-59dc-536a-d176-cb7306da10f5ellipticSecureellipticSecure MIRkey USB Authenticator
8da0e4dc-164b-454e-972e-88f362b23d59EvidenCardOS FIDO2 Token
46544d5d-8f5d-4db4-89ac-ea8977073fffFoongtonFoongtone FIDO Authenticator
773c30d9-5919-4e96-a4f5-db65e95cf890GSTAGGSTAG OAK FIDO2 Authenticator
7991798a-a7f3-487f-98c0-3faf7a458a04HID GlobalHID Crescendo Key V3
2a55aee6-27cb-42c0-bc6e-04efe999e88aHID GlobalHID Crescendo 4000
82b0a720-127a-4788-b56d-d1d4b2d82eacID-OneID-One Key
f2145e86-211e-4931-b874-e22bba7d01ccID-OneID-One Key
4b89f401-464e-4745-a520-486ddfc5d80eIISTIIST FIDO2 Authenticator
cfcb13a2-244f-4b36-9077-82b79d6a7de7Infineon Technologies AGUSB/NFC Passcode Authenticator
58b44d0b-0a7c-f33a-fd48-f7153c871352LedgerLedger Nano S Plus FIDO2 Authenticator
fcb1bcb4-f370-078c-6993-bc24d0ae3fbeLedgerLedger Nano X FIDO2 Authenticator
341e4da9-3c2e-8103-5a9f-aad887135200LedgerLedger Nano S FIDO2 Authenticator
2cd2f727-f6ca-44da-8f48-5c2e5da000a2NitrokeyNitrokey 3 AM
70e7c36f-f2f6-9e0d-07a6-bcc243262e6bOneKeyOneKey FIDO2 Bluetooth Authenticator
53414d53-554e-4700-0000-000000000000SamsungSamsung Pass
5343502d-5343-5343-6172-644649444f32Securité Carte à PuceESS Smart Card Inc. Authenticator
050dd0bc-ff20-4265-8d5d-305c4b215192ThaleseToken Fusion FIPS
10c70715-2a9a-4de1-b0aa-3cff6d496d39ThaleseToken Fusion NFC FIPS
c3f47802-de73-4dfc-ba22-671fe3304f90ThaleseToken Fusion NFC PIV Enterprise
146e77ef-11eb-4423-b847-ce77864e9411ThaleseToken Fusion NFC PIV
ba86dc56-635f-4141-aef6-00227b1b9af6TruUTruU Windows Authenticator
95e4d58c-056e-4a65-866d-f5a69659e880TruUTruU Windows Authenticator
5ea308b2-7ac7-48b9-ac09-7e2da9015f8cVeridiumVeridium Android SDK
6e8d1eae-8d40-4c25-bcf8-4633959afc71VeridiumVeridium iOS SDK
99ed6c29-4573-4847-816d-78ad8f1c75efVeroCardVeroCard FIDO2 Authenticator
d7a423ad-3e19-4492-9200-78137dccc136VivoKeyVivoKey Apex FIDO2
31c3f7ff-bf15-4327-83ec-9336abcbcd34WinmagicWinMagic FIDO Eazy – Software
970c8d9c-19d2-46af-aa32-3f448db49e35WinMagicWinMagic FIDO Eazy – TPM
f56f58b3-d711-4afc-ba7d-6ac05f88cb19WinMagicWinMagic FIDO Eazy – Phone
b7d3f68e-88a6-471e-9ecf-2df26d041edeYubicoSecurity Key NFC by Yubico
9ff4cc65-6154-4fff-ba09-9e2af7882ad2YubicoSecurity Key NFC by Yubico – Enterprise Edition (Enterprise Profile)
34f5766d-1536-4a24-9033-0e294e510fb0YubicoYubiKey 5 Series with NFC Preview
6ec5cff2-a0f9-4169-945b-f33b563f7b99YubicoYubiKey Bio Series – Multi-protocol Edition (Enterprise Profile)
8c39ee86-7f9a-4a95-9ba3-f6b097e5c2eeYubicoYubiKey Bio Series – FIDO Edition (Enterprise Profile)
24673149-6c86-42e7-98d9-433fb5b73296YubicoYubiKey 5 Series with Lightning
3a662962-c6d4-4023-bebb-98ae92e78e20YubicoYubiKey 5 FIPS Series with Lightning (Enterprise Profile)
20ac7a17-c814-4833-93fe-539f0d5e3389YubicoYubiKey 5 Series (Enterprise Profile)
b90e7dc1-316e-4fee-a25a-56a666a670feYubicoYubiKey 5 Series with Lightning (Enterprise Profile)
760eda36-00aa-4d29-855b-4012a182cdebYubicoSecurity Key NFC by Yubico Preview
fcc0118f-cd45-435b-8da1-9782b2da0715YubicoYubiKey 5 FIPS Series with NFC
ff4dac45-ede8-4ec2-aced-cf66103f4335YubicoYubiKey 5 Series
7b96457d-e3cd-432b-9ceb-c9fdd7ef7432YubicoYubiKey 5 FIPS Series with Lightning
97e6a830-c952-4740-95fc-7c78dc97ce47YubicoYubiKey Bio Series – Multi-protocol Edition (Enterprise Profile)
6ab56fad-881f-4a43-acb2-0be065924522YubicoYubiKey 5 Series with NFC (Enterprise Profile)
d2fbd093-ee62-488d-9dad-1e36389f8826YubicoYubiKey 5 FIPS Series (RC Preview)
4599062e-6926-4fe7-9566-9e8fb1aedaa0YubicoYubiKey 5 Series (Enterprise Profile)
d7781e5d-e353-46aa-afe2-3ca49f13332aYubicoYubiKey 5 Series with NFC
62e54e98-c209-4df3-b692-de71bb6a8528YubicoYubiKey 5 FIPS Series with NFC Preview
34744913-4f57-4e6e-a527-e9ec3c4b94e6YubicoYubiKey Bio Series – Multi-protocol Edition
ed042a3a-4b22-4455-bb69-a267b652ae7eYubicoSecurity Key NFC by Yubico – Enterprise Edition
3b24bf49-1d45-4484-a917-13175df0867bYubicoYubiKey 5 Series with Lightning (Enterprise Profile)
3124e301-f14e-4e38-876d-fbeeb090e7bfYubicoYubiKey 5 Series with Lightning Preview
9e66c661-e428-452a-a8fb-51f7ed088acfYubicoYubiKey 5 FIPS Series with Lightning (RC Preview)
ce6bf97f-9f69-4ba7-9032-97adc6ca5cf1YubicoYubiKey 5 FIPS Series with NFC (RC Preview)
2772ce93-eb4b-4090-8b73-330f48477d73YubicoSecurity Key NFC by Yubico – Enterprise Edition Preview
ad08c78a-4e41-49b9-86a2-ac15b06899e2YubicoYubiKey Bio Series – FIDO Edition
905b4cb4-ed6f-4da9-92fc-45e0d4e9b5c7YubicoYubiKey 5 FIPS Series (Enterprise Profile)
b415094c-49d3-4c8b-b3fe-7d0ad28a6bc4ZTPassZTPass SmartAuth
  • Updated Keys
    • Updated ‘NFC’ for AAGUID ’30b5035e-d297-4ff1-b00b-addc96ba6a98′ from ‘Yes’ to ‘No’.
    • Updated ‘Description’ for AAGUID ’83c47309-aabb-4108-8470-8be838b573cb’ from ‘YubiKey Bio Series (Enterprise Profile)’ to ‘YubiKey Bio Series – FIDO Edition (Enterprise Profile)’.
    • Updated ‘Description’ for AAGUID ‘5ca1ab1e-1337-fa57-f1d0-a117e71ca702’ from ‘Allthenticator App: roaming BLE FIDO2 Allthenticator for Windows, Mac, Linux, and Allthenticate door readers’ to ‘Allthenticator iOS App: roaming BLE FIDO2 Allthenticator for Windows, Mac, Linux, and Allthenticate door readers’.
    • Updated ‘Description’ for AAGUID ‘d8522d9f-575b-4866-88a9-ba99fa02f35b’ from ‘YubiKey Bio Series’ to ‘YubiKey Bio Series – FIDO Edition’.
    • Updated ‘Description’ for AAGUID ‘dd86a2da-86a0-4cbe-b462-4bd31f57bc6f’ from ‘YubiKey Bio FIDO Edition’ to ‘YubiKey Bio Series – FIDO Edition’.

I know, it was a lot for me too! Which FIDO2 keys do you like the best? Feel free to message me if you rather not put it in the comments, but would love to hear your experiences.

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.16
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

Hope you enjoyed and have a great day!

EntraFIDOFinder March Update

by Leave a Comment

We are in March, and looks like no new major changes. I may have to start sending this update out later in the week, as I’m wondering if Microsoft hasn’t updated their page yet.

Some things I did notice were that a few of the YubiKey names slightly changed on the FIDO Alliance database, but haven’t changed on Microsoft side, so I need to wait before I change them on mine so I don’t keep getting errors if it doesn’t match up with Microsoft.

Although, these won’t show up on Microsoft’s website, 3 Yubico keys have received L2 certification now.

  • dd86a2da-86a0-4cbe-b462-4bd31f57bc6f – YubiKey Bio FIDO Edition
  • 58276709-bb4b-4bb3-baf1-60eea99282a7 – YubiKey Bio Series – Multi-protocol Edition 1VDJSN
  • 90636e1f-ef82-43bf-bdcf-5255f139d12f – YubiKey Bio Series – Multi-protocol Edition

I’ll keep an eye out and see if Microsoft updates their naming for the few and see if any other features change, but for now, that is all. No new PowerShell module version until Microsoft puts out an update or features are added, but did add the L2 certifications to the web version.

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.15
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

Have a great day!

Custom Maester Tests: Validate Full Addresses Now and Cleaned Up Wording

by Leave a Comment

Added 3 new tests which I think the first two will be game changers. The first 2 are tests for validating locations, in which the user must have street, city, state, postal code, country, business phone, and company name the same as the valid location in the json. If you have 3 different addreses that your company uses, you can put each in there, and they are seen as 3 different addresses so it will only pass the location test if they have all the correct values for 1 location. The 2nd test is the same as the first, but I removed business phone in case your company doesn’t have standard for it for all employees. The last test is formatting for user email accounts that should be formatted as all lower case and its first name period last name. Also I cleaned up some of the wording in all the different tests to keep them as similar as possible. Feel free to change in your tests though!

ENTRA.UV.1010.L01 – All location information

  • Test-ContosoUsersAllowedLocations.ps1
  • Test-ContosoUsersAllowedLocations.Tests.ps1
  • Test-ContosoUsersAllowedLocations.md

ENTRA.UV.1010.L02 – All location information minus business phone

  • Test-ContosoUsersAllowedLocationsNoBusinessPhones.ps1
  • Test-ContosoUsersAllowedLocationsNoBusinessPhones.Tests.ps1
  • Test-ContosoUsersAllowedLocationsNoBusinessPhones.md

ENTRA.UF.1003.T03.Email – All lower case first name period last name

  • Test-ContosoUsersFormattingFirstLastLowerCase.ps1
  • Test-ContosoUsersFormattingFirstLastLowerCase.Tests.ps1
  • Test-ContosoUsersFormattingFirstLastLowerCase.md

Are there any other tests you’d like to see sooner than later?

GitHub: https://github.com/DevClate/Custom-Maester-Tests
Website: https://devclate.github.io/Custom-Maester-Tests/
Maester: https://maester.dev

Have a great day!