Security

EntraFIDOFinder Update

October 9, 2024 by ClaytonT Leave a Comment

October 15, is less than a week away for the MFA requirement on certain 365 Apps. Please make sure you are all set by then. Make sure to go through all your accounts, especially those old ones that you rarely ever touch, and see if you still need it or what is the best way to protect it now. For some you will be able to delete and others you will need something such as a cert, FIDO2 key, or Windows Hello for Business. For those that will need a FIDO2 key, I’ve pulled from Microsoft Learn the current Attestation capable FIDO2 keys that are compatible with Entra. The database may say that it was last updated September 30, 2024, but I reviewed it today(Oct 9th) and the list still hasn’t changed. Once they do update it, I’ll update mine as well as show the changes.

With that said, I’ve now created a function called Show-FIDODbVersion that will show you what your current version is, and if you use Show-FIDODbVersion -NewestVersion, it will show you the newest version out. Would you rather me, show the difference as soon as you run Show-FIDODbVersion if there is or do you want them seperate?

Also working on automating the update process so that it can be checked daily with minimal intervention.

Are there any other features you’d like to see? I’m going to be adding at least vendor links and I’ve been trying to find pricing, but more than a handful of them do not even show pricing and not sure how valuable it will be if only a few of the vendors have pricing. How critical is cost to you?

I hope EntraFIDOFinder has been useful for you, and I can’t believe it has over 100 downloads already. I wasn’t even going to publish this, but figured there was someone else out there that didn’t want to just look at a static website and scroll through, so that is why I created the module and the interactive webpage.

PowerShell Gallery: EntraFIDOFinder
GitHub: EntraFIDOFinder
EntraFIDOFinder Explorer

Enjoy your day and get secure!

GitHub Copilot Password Warning

October 4, 2024 by ClaytonT Leave a Comment

Did you know that GitHub Copilot is now sensing hard coded credentials and giving you a warning? It’s not perfect, but even if something looks like hard coded creds it will flag it, as on another script I had, it contained numbers that looked like they could be private, and it gave me a warning about it. Honestly, I rather find more potentials credentials then not. That’s it for today, hope you have a great day!

EntraFIDOFinder: Web Version now available

October 2, 2024 by ClaytonT Leave a Comment

Yes, I know it may seem counter productive to make a web version of it, but I wanted to have an interactive web version so that it is easier for people to use then Microsoft’s version. The data is the same as the PowerShell version and will be updated at the same time as they are pulling from the same source.

Functionality:

Search by Vendor
Filter by USB, NFC, BIO, and BLE

Web Version: EntraFIDOFinder
PowerShell Version: EntraFIDOFinder

Let me know what you think, and have a great day!

EntraFIDOFinder – New PowerShell Module

September 30, 2024 by ClaytonT Leave a Comment

After so much interest from my post on Friday, I figured I’d do one better and make a PowerShell module that does it for you. So now you will be able to find which FIDO2 keys are attestation compatible with Entra right from your terminal. In the very near future I will have individual functions for exporting to Excel, CSV, Markdown, and PDF, but know a lot of people like to customize that themselves. I even put a few quick pointers on GitHub for it too, but will be doing tutorials shortly as well.

I’m still cleaning up the GitHub, but it is in the PowerShell Gallery and on GitHub at the links below.

You are able to search by Brand and/or device type such as USB, NFC, BLE, or BIO. These values are all parameter validated so if you do not see a brand that you have, then currently it is not compatible. Here is also the original link I shared on Friday Microsoft Learn FIDO2 Hardware Attestation.

Let me know what you think and do you find it useful. There are a few other features I want to add, but open to any other suggestions or do you think it is good as is?

And don’t forget the mid Oct deadline is coming up quickly for Entra admin portals, good luck!

PowerShell Gallery: EntraFIDOFinder
GitHub: EntraFIDOFinder

Why did I get this email?

March 25, 2024 by ClaytonT Leave a Comment

Here’s the scenario…

An executive forwards an email to your ticketing system and asks why they are receiving it. Then sends another from the day before. There is a Microsoft 365 distribution list(DL) in both emails, but not one they would be on. What do you do?

Check and see if there are any tickets for that DL, and you see there haven’t been any tickets for that DL or even that person. You then check the DL, and indeed see they are in it…. but how?

PowerShell to the rescue! Have you ever used “Search-UnifiedAuditLog” which is a cmdlet for Exchange Online PowerShell? It is a great for one off investigations in 365, but here we will use it to find any admin activity for that user in the past week. Full disclosure, I’ve used it a handful of times and had never really dug into which was a mistake on my part. Knowing more of what it can do now would have saved me so much time on other resolutions where I had gone through the 365 portal. Don’t be me, start using this now and create your own functions as well Purview to save you time and headaches. Enable it now, as it can’t be backdated.

# See if you have it enabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# If not enabled, run this
Enable-OrganizationCustomization

# Enable Audit logs - this can take up to 60 mins
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Hopefully you already have it enabled, or you enabled it right now and can wait for it to start ingesting the logs so when you do need it, it is available.

Back to our executive incident. How do we find out what happened. The quick way is to run:

# Check for all admin activity for named user
Search-UnifiedAuditLog -StartDate 2/1/2024 -EndDate 3/16/2024 -ObjectIds execuser@domain.com

And this is the way I originally did it to get the answer I needed. That’s it! Then you will see in “AuditData” which groups they were added/removed from and any operations that happened with the groups they are in. This broad search will show even more, but only mentioning parts related to this task. At the end of this post I’ll have a list of great resources on how to get granular on your searches.

Now you can see that another engineer accidentally added them(after confirming with engineer), and you can just remove them from the list. This is best case scenario, as if I hadn’t looked and just removed the executive without searching and asking the engineer, they could have been added by a compromised account seeing what kind of privileges they had.

There is a way clean up the audit data so it is easier to view, but that will be in a longer blog post coming soon. Again, I’ll have some links at the end to give you a head start. Honestly, this was only supposed to be a quick one liner post, that definitely grew, and I’ve spent more time than I would like to admit researching it. It has given me more ideas on how to use it and I’ll put together functions in a repository or possibly a module of most useful commands.

One function I’ll be creating is one to check to see if a user has changed their password recently, has multiple failed attempts, and/or if they have locked themself out. How nice would that be for you or your help desk if the function sees who submitted the ticket, runs the function then gives you that feedback? To go one step farther, if they aren’t blocked out, automatically send them the password reset portal to reset their password?

If you already use this, what scripts/functions have you created? I’d love to hear about them, and I can create a repository for us to keep them in one spot.

Useful Links:

Search-UnifiedAuditLog – Microsoft Learn Cmdlet
How it works – Services that support auditing
Detailed info – Detailed Microsoft Script

Hope this helps saving you from headaches and can’t wait to hear how you use it! Have a great day!

Module Monday March 20, 2023

March 20, 2023 by ClaytonT Leave a Comment

Hope you had a great weekend, and are ready for today’s Module Monday. Are you using Duo security? Or looking at Duo for your company? Then you need this module. It’s called DuoSecurity.

Why not automate the process of onboarding/terminating employees or removing old phone authenticators? What about reporting on who is in which groups, how many phones they have, or filtering event logs?

So many more things to automate with this module and make your life easier as well as make your company more secure.

If you have used this module before, let me know how you are using it.

PowerShell Gallery:
Duo Security

GitHub:
Duo Security