Using PowerShell to allow user enablement

After a recent incident, I decided that I needed a way, independent of a user login to re-enable a disabled user account. To achieve this an EntraID app needs to be created with the appropriate permissions as I have detailed here:

Create an EntraID app to allow user enablement

image

If a user is disabled as shown above,

Screenshot 2024-09-30 071803

you’ll first need to set some variables to use in your script, as shown above, for the client ID and the tenant ID, which were available when the EntraID app was created previously.

Screenshot 2024-09-30 072052

Next you’ll need to save the EntraID app password credential to another variable as shown above. At this point you will be prompted to enter the EntraID app password you have previously stored.

Screenshot 2024-09-30 072151

You can now connect to the Microsoft Graph using the command:

Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $ClientSecretCredential

at which point you should be logged into the tenant as shown above.

The command to update the user account is:

Update-MgUser

which requires the following application permissions as shown.

image

These permissions were set in the EntraID app previously created.

image

If the command:

Update-MgUser -UserId "AdeleV@M365B067874.OnMicrosoft.com" -AccountEnabled

is now run, we don’t receive any errors on the command line, as shown above.

image

But when we check the user, we see that it is enabled again and can be signed into.

The benefit of using this method is that you are not dependent on any existing user account to unlock an account. You are logging into the tenant using the EntraID app created prior. Having a dedicated ‘unlock’ app like this means it has a ‘least privilege’ function of just unlocking a user account. However, you will still need to take appropriate action to protect the EntraID app, as it does not prompt for MFA.
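The steps above, collected into one script as an added example (this is not the post’s own script). It prompts for the client secret rather than storing it in the file, confirms that the Graph session is app-only and in the expected tenant, reads the account state before and after the change so the run is idempotent and verifiable, and writes a one-line audit record. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed; the tenant ID, client ID and user principal name are supplied as parameters.

```powershell
# Added example: re-enable a disabled user with app-only Graph authentication.
# Not the original post's code. Assumes the Microsoft.Graph modules are installed
# and the app registration from the companion post exists.
param(
    [Parameter(Mandatory)] [string] $TenantId,            # Directory (tenant) ID
    [Parameter(Mandatory)] [string] $ClientId,            # Application (client) ID
    [Parameter(Mandatory)] [string] $UserPrincipalName    # account to re-enable
)

Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users

# Prompt for the secret at run time; never hard-code it in the script.
$secret = Read-Host -AsSecureString -Prompt 'EntraID app client secret'
$ClientSecretCredential = [pscredential]::new($ClientId, $secret)

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential -NoWelcome

# Confirm we are in the expected tenant and authenticated as the app, not as a user.
$ctx = Get-MgContext
if ($ctx.TenantId -ne $TenantId -or $ctx.AuthType -ne 'AppOnly') {
    throw "Unexpected Graph context: tenant $($ctx.TenantId), auth type $($ctx.AuthType)"
}

# Read the current state first so the script is idempotent and the change is auditable.
$before = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
if ($before.AccountEnabled) {
    Write-Host "$($before.UserPrincipalName) is already enabled; nothing to do."
    Disconnect-MgGraph | Out-Null
    return
}

# -AccountEnabled on its own sets accountEnabled to true (use -AccountEnabled:$false to disable).
Update-MgUser -UserId $before.Id -AccountEnabled

# Verify the change rather than trusting a silent return.
$after = Get-MgUser -UserId $before.Id -Property AccountEnabled
if (-not $after.AccountEnabled) {
    throw "Update-MgUser returned without error but $UserPrincipalName is still disabled"
}

# Minimal audit trail for the run; keep this output somewhere you can find it later.
Write-Host ("{0:o} re-enabled {1} via app {2}" -f (Get-Date), $before.UserPrincipalName, $ClientId)

Disconnect-MgGraph | Out-Null
```

Run it as `.\Enable-User.ps1 -TenantId <tenant id> -ClientId <client id> -UserPrincipalName AdeleV@contoso.onmicrosoft.com` (the file name and the values are placeholders). Because the app authenticates with a secret and no MFA, the tenant and auth-type check at the top is there to stop a wrong secret or wrong tenant ID from silently doing nothing, and the before/after read is what tells you the change actually landed.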

Need to Know podcast–Episode 328

Microsoft has announced updates to Copilot for Microsoft 365 which they are calling Wave 2. In this episode I cover off some of these changes and what I feel will be most useful for people. A number of other products from Microsoft have also become generally available, so listen along for all the news on that plus everything happening at Microsoft for SMB.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-328-riding-wave-2/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

CIAOPS Brief

CIAOPSLabs

Support CIAOPS

Microsoft 365 Copilot Wave 2: Pages, Python in Excel, and agents

The next phase of Microsoft 365 Copilot innovation

Microsoft 365 Copilot Wave 2: AI Innovations in SharePoint and OneDrive

Microsoft 365 Copilot | Copilot Pages

Announcing Copilot Pages for multiplayer collaboration

Copilot pages for IT Admins – Sep 2024 update

New Copilot enhancements help small and medium-sized businesses innovate

Microsoft 365 Copilot – Small Business Guide to Prepare your Data for Search

Update on Recall security and privacy architecture

Introducing Copilot in OneDrive: Now Generally Available

Microsoft Intune support for Apple Intelligence

Microsoft Entra Internet Access now generally available

The art and science behind Microsoft threat hunting: Part 3

Microsoft ignite

CIAOPS Brief 20240928

image

Update on Recall security and privacy architecture – https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/

Introducing Copilot in OneDrive: Now Generally Available –

https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/introducing-copilot-in-onedrive-now-generally-available/ba-p/4253194

Storm-0501: Ransomware attacks expanding to hybrid cloud environments –

https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/

Case Study: Harnessing Copilot for Security in Defending Against Cyberthreats –

https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/case-study-harnessing-copilot-for-security-in-defending-against/ba-p/4251623

Implementing a secure by default approach with Microsoft Purview and address oversharing –

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/implementing-a-secure-by-default-approach-with-microsoft-purview/ba-p/4251190

Microsoft Intune support for Apple Intelligence –

https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-support-for-apple-intelligence/ba-p/4254037

Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms –

https://www.microsoft.com/en-us/security/blog/2024/09/25/microsoft-is-named-a-leader-in-the-2024-gartner-magic-quadrant-for-endpoint-protection-platforms/

Learn about the new Outlook for Windows –

https://www.youtube.com/playlist?list=PLXPr7gfUMmKxSob6H6MgRagqdNiUTg75e

After hours

Bill Gates talks new Netflix series, shares how he uses AI in his life – https://www.youtube.com/watch?v=qLBkqm8ctgg

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

Create an EntraID app to allow user enablement

After a recent incident, I decided that it would be a good idea to have an EntraID app that I could use to re-enable users inside a tenant if I needed to. This will allow me to log in to EntraID without being dependent on a user account, as I would be logging in using this app directly.

image

The first step in that process is to navigate to EntraID as an administrator in the Azure portal and select App registrations from the menu on the left and then New registration on the right as shown above.

image

Simply give the app a name and select Register as shown above.

image

You will then be taken to the new app’s overview page as shown above. Take a moment to record the:

– Application (client) ID

– Object ID

– Directory (tenant) ID

image

Next, select Certificates & secrets from the menu on the left as shown above.

image

Select New client secret on the right as shown above.

image

Give the secret a name and select the duration for that secret from the list available as shown.

image

Take a moment to copy this secret as this is the only time that it will be available. If you don’t take a copy here you’ll need to generate a new secret.

image

From the menu on the left select API permissions as shown above. Then select Add a permission on the right.

image

Select the option for the Microsoft Graph as shown.

image

Select Application permissions.

Add the following permissions:

– User.ManageIdentities.All

– User.EnableDisableAccount.All

– User.ReadWrite.All

– Directory.ReadWrite.All

image

Select Grant admin consent.

image

Select Yes in the dialog that appears.

image

You should now see all the permissions have been consented to as shown above.

The EntraID app has now been created and is ready for use. It will be used to log in with PowerShell and then enable any disabled user.
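The same registration, scripted, as an added example rather than anything from the original post: it creates the app, resolves the four application permissions listed above to Microsoft Graph app role IDs at run time (so no GUIDs are hard-coded), creates the enterprise app, grants admin consent by assigning those roles, and adds a client secret. It must be run under a delegated administrator sign-in with the Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All scopes. The display name, secret label and 90-day secret lifetime are assumptions to adjust for your tenant; the Microsoft Graph app ID used in the filter is the fixed, well-known value.

```powershell
# Added example: create the "user enablement" app registration with the Graph
# PowerShell SDK. Not the original post's code. Requires an admin delegated session.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$appName     = 'User-Unlock-App'   # assumption: choose your own name
$secretDays  = 90                  # assumption: keep the secret short-lived and rotate it
$permissions = @(
    'User.ManageIdentities.All',
    'User.EnableDisableAccount.All',
    'User.ReadWrite.All',
    'Directory.ReadWrite.All'
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Microsoft Graph's service principal; this app ID is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve each permission name to its application-type app role on Graph.
$roles = foreach ($name in $permissions) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph" }
    $role
}

# 1. Register the app with the required resource access (the "API permissions" blade).
$app = New-MgApplication -DisplayName $appName -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)

# 2. Create the service principal (enterprise app) and grant admin consent by
#    assigning each app role to it; this is what "Grant admin consent" does in the portal.
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# 3. Add a client secret. SecretText is only returned by this call, never again.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'unlock-script'                 # assumption: label for the secret
    EndDateTime = (Get-Date).AddDays($secretDays)
}

# The three IDs the post says to record, plus the secret and its expiry.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    ObjectId            = $app.Id
    DirectoryTenantId   = (Get-MgContext).TenantId
    SecretExpires       = $cred.EndDateTime
    ClientSecret        = $cred.SecretText        # store in a vault, then clear the variable
}
```

Treat the output as sensitive: the client secret it prints is the only credential standing between anyone who obtains it and the permissions granted above, with no MFA prompt, so store it in a secrets manager, note the expiry date, and rotate it before it lapses.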


Excluding a user from Attack Disruption

After a recent incident, I decided to take a look at how I could exclude certain accounts from being automatically disabled by Attack Disruption. This was more to understand how to disable this if I wanted to, rather than making it a standard setting, as I think having automated Attack Disruption is a good thing.

To prevent Microsoft Defender XDR from automatically disabling accounts with automated attack disruption, you can configure exclusions within the Defender XDR settings. Here’s a general guide based on the information available:

1. Navigate to Settings in the Microsoft Security portal.

Screenshot 2024-09-25 071244

2. Select Microsoft Defender XDR as shown above.

Screenshot 2024-09-25 070945

3. Select the Identity automated response option under the Automated section at the bottom of the page.

4. On the right, select the +Add user exclusion button to add a user you wish to exclude. That user should then appear in the list.

It’s important to note that while configuring exclusions can prevent automatic account disabling, it should be done with caution to ensure that it does not compromise your organization’s security posture. Always consider the potential risks and consult with your security team before making changes to the automated response settings.

For a detailed understanding and step-by-step instructions, you may refer to the documentation and resources provided by Microsoft, such as the Microsoft 365 Defender portal and Microsoft Learn articles on automatic attack disruption.

Configure automatic attack disruption capabilities in Microsoft Defender XDR – Microsoft Defender XDR | Microsoft Learn

Automated response exclusions – Microsoft Defender for Identity | Microsoft Learn

My kingdom for a global admin login

I had an experience recently in which I was unable to access a non-production tenant as a Global administrator. For some reason Defender decided that one of the Global Admins for the tenant had been compromised and an automated action had disabled that account per below:

image

image

I am still not 100% sure why this happened (investigations ongoing), but I was now blocked from accessing the tenant using an account that I used regularly. No worries, I thought, I’ll just use my break glass account, which I did. I soon discovered, much to my dismay, that I had minimised the security level of my break glass account so much that it was neither a global admin nor possessed the rights to unlock the account which had been disabled.

So now I couldn’t get into my normal account and my break glass account didn’t have the permissions to re-enable the original disabled account. The next challenge was that I could only remember these two accounts inside the tenant. Although there were others in there I couldn’t remember their details as I never really used them.

I now needed to get Microsoft on the job, as I couldn’t easily find a way to re-enable the account. To do this I needed to raise a ticket in the tenant. The problem was that typically only an admin can raise a support request in the tenant, but I didn’t have access to any admin accounts. I therefore raised a support ticket in another tenant and provided all the details for the original tenant.

A few hours later I got a call from Microsoft about my issue. I explained what had happened and was informed that they would need to cancel the original ticket I had created and raise a new one for the right tenant. With that done, a while later I got a call from the Microsoft 365 Data Protection Team. These are the people who can give you access to your environment if it has been lost. Feeling better that the right people were now on the job, I provided the Microsoft contact with all the details and we had a shared screen session where I demonstrated how I no longer had access. I was told that I would receive an update in 24 hours.

The next call from the Microsoft 365 Data Protection Team asked me about the domains and the other global admins I had in that tenant. I said I wasn’t sure, as I didn’t use those regularly; I simply used the account that was now locked. The Microsoft 365 Data Protection Team told me that to get the account unlocked I needed to prove that I was the legitimate owner of the tenant. The way they wanted me to achieve this was to add a TXT record in 3 of the domains I had pointing to the tenant in question.

That seemed easy enough and I was emailed the details to enter into the DNS for each domain. Basically it was a TXT record that needed to be added. I soon discovered that this would be a problem as two of the requested domains had their DNS records actually inside the tenant and managed by the same Microsoft 365 tenant I was locked out of. Thus, I couldn’t add the requested records for 2 of the 3 domains requested. All I could now do was point this out to the Microsoft 365 Data Protection Team and again wait for a response.

In the meantime I decided that I needed to extract as much configuration information from the tenant as I possibly could, and in the process I realised that I had an Azure AD app that I could use to gain access. After logging in using the app credentials I determined that it too did not have sufficient permissions to enable the original account, but it did have enough permissions for me to gather information about users and domains to give me a far better idea of how the tenant was configured.

When the Microsoft 365 Data Protection Team finally made contact again, given that I couldn’t set the required DNS records, they basically had me share my screen and then use the camera to show my face along with some photo ID that they could take a screenshot of to verify I was who I said I was. However, this needed to be signed off by another party inside Microsoft before my issues could be addressed.

Finally, a few hours later, Microsoft again reached out and reset the password on one of the existing Global administrators, rather than re-enabling the account that had been locked, and had me log into that other account, which I managed to do successfully. At this point the Microsoft 365 Data Protection Team’s job was complete and they could close the ticket on this matter.

With global administrator access I now made sure I documented these details, enabled the original break glass account to have the appropriate permissions, and took some additional steps to ensure this would not happen again.

Here are the lessons I learned from this experience and want to share:

  1. Regularly test that you have access to your break glass account and verify it has the permissions required to enable accounts and reset passwords.
  2. If you do need to get Microsoft’s assistance regaining control of your tenant it should be via the Microsoft 365 Data Protection Team that you need to get to assist you.
  3. Try and avoid having the DNS for the domains inside the tenant. Being able to change DNS records is going to be the initial way the Microsoft 365 Data Protection Team verify you are indeed the legitimate owner of the domain if you need to unlock access. If the DNS records can only be changed from inside the tenant you have lost access to, another verification method will be required.
  4. Ensure you have documented both the domains and users inside the tenant and know which ones are global administrators and which are active.
  5. Avoid having expired domains inside your Microsoft 365 tenant as these can be used to verify your identity.
  6. Do not expect the re-establishment of access to be a quick process; it will probably take at least one week or more as it needs to go through a standard process of verification that the request is legitimate. In my case, due to the challenges with verifying I was the legitimate owner of the tenant, it took about 2 weeks from the actual incident.
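A read-only check for lessons 1 and 4 above, added here as an example and not part of the original post. It lists every member of the Global Administrator role with the account’s enabled state (so a break glass account that has been disabled or stripped of the role is noticed before you need it), and every verified domain with the name servers it currently resolves to (so you know in advance which domains have their DNS inside the tenant and could not be used for a TXT-record verification once you are locked out). It assumes a delegated administrator sign-in, the Microsoft.Graph modules, and Windows for Resolve-DnsName; the Global Administrator role template ID is the fixed, well-known value.

```powershell
# Added example: document who holds Global Administrator and where each domain's
# DNS is hosted. Not the original post's code. Read-only; run as an admin.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'Domain.Read.All' -NoWelcome

# Global Administrator role; the template ID is identical in every tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { throw 'Global Administrator role is not activated in this tenant' }

Write-Host '== Global Administrators =='
foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    # Members may be users, groups or service principals; only users have an account state.
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        Write-Host ("{0,-45} {1}" -f $m.Id, $type)
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled
    $state = if ($u.AccountEnabled) { 'enabled' } else { 'DISABLED' }
    Write-Host ("{0,-45} {1}" -f $u.UserPrincipalName, $state)
}

Write-Host "`n== Verified domains and their name servers =="
foreach ($d in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    # The NS records show where DNS is managed. If they belong to the tenant's own
    # hosting, you cannot add a verification TXT record once locked out of the tenant.
    $ns = try {
        (Resolve-DnsName -Name $d.Id -Type NS -ErrorAction Stop |
            Where-Object { $_.Type -eq 'NS' }).NameHost -join ', '
    } catch { 'lookup failed' }
    Write-Host ("{0,-35} default={1,-5} NS: {2}" -f $d.Id, $d.IsDefault, $ns)
}

Disconnect-MgGraph | Out-Null
```

Keep the output with your offline tenant documentation and re-run it on a schedule: a Global Administrator line reading DISABLED, or a domain whose name servers are the ones the tenant itself manages, is exactly the condition the story above describes.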

I thank Microsoft for coming to my rescue with this account and fully acknowledge that they shouldn’t have needed to and that I should have taken more care managing the tenant in question. I have learned a lot from this experience and hope that, by sharing this publicly, others will also learn and avoid the pain that I had to go through.

CIAOPS Brief 20240921

image

Important changes to the Windows enrollment experience coming soon –

https://techcommunity.microsoft.com/t5/intune-customer-success/important-changes-to-the-windows-enrollment-experience-coming/ba-p/4246689

Learn how the Windows update process will be improved during OOBE and what you need to do to prepare.

Secure architecture design – How Defender for Office 365 protects against EchoSpoofing –

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/secure-architecture-design-how-defender-for-office-365-protects/ba-p/4225358

Inside Microsoft’s Cybercrime Center | Microsoft campus tour –

https://www.youtube.com/watch?v=kHArmtKHAv8

New Copilot enhancements help small and medium-sized businesses innovate –

https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/new-copilot-enhancements-help-small-and-medium-sized-businesses/ba-p/4238667

Microsoft 365 Copilot Wave 2: Pages, Python in Excel, and agents –

https://www.microsoft.com/en-us/microsoft-365/blog/2024/09/16/microsoft-365-copilot-wave-2-pages-python-in-excel-and-agents/

The next phase of Microsoft 365 Copilot innovation –

https://news.microsoft.com/m365-copilot-Sept-2024/

Microsoft 365 Copilot Wave 2: AI Innovations in SharePoint and OneDrive –

https://techcommunity.microsoft.com/t5/microsoft-365-copilot/microsoft-365-copilot-wave-2-ai-innovations-in-sharepoint-and/ba-p/4245159

Microsoft 365 Copilot | Copilot Pages –

https://www.youtube.com/watch?v=oxxqw0E7Io8

Announcing Copilot Pages for multiplayer collaboration –

https://techcommunity.microsoft.com/t5/microsoft-365-copilot/announcing-copilot-pages-for-multiplayer-collaboration/ba-p/4242701

Copilot pages for IT Admins – Sep 2024 update –

https://techcommunity.microsoft.com/t5/microsoft-365-copilot/copilot-pages-for-it-admins-sep-2024-update/ba-p/4241521

New alerts for Windows updates in Microsoft Intune –

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/new-alerts-for-windows-updates-in-microsoft-intune/ba-p/4248278

Microsoft Entra Internet Access now generally available –

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-internet-access-now-generally-available/ba-p/3922547

IDC study on partner profitability with Microsoft AI –

https://partner.microsoft.com/en-US/blog/article/AI-value-for-partners

Microsoft 365 Copilot – Small Business Guide to Prepare your Data for Search –

https://www.youtube.com/watch?v=w9WkpoUMdzQ

Microsoft Copilot agents and extensibility for developers explained –

https://www.youtube.com/watch?v=cpZl2-mlB74

Microsoft 365 Copilot | Copilot agents in SharePoint –

https://www.youtube.com/watch?v=kW0REEAnsEI

5 ways IT departments can get started with low-code and AI –

https://www.microsoft.com/en-us/microsoft-copilot/blog/copilot-studio/5-ways-it-departments-can-get-started-with-low-code-and-ai/

Consolidating update management for enterprises –

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/consolidating-update-management-for-enterprises/ba-p/4246896

Russian election interference efforts focus on the Harris-Walz campaign –

https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/

After hours

Driving The World’s Smallest Car | Top Gear Classic – https://www.youtube.com/watch?v=L91sA4-H9c0

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

CIAOPS Brief 20240908

image

Security mitigation for the Common Log Filesystem (CLFS) –

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/security-mitigation-for-the-common-log-filesystem-clfs/ba-p/4224041#

Tips for running your business in the cloud –

https://www.youtube.com/watch?v=TCmIwkDS_88

SharePoint Roadmap Pitstop: August 2024 –

https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/sharepoint-roadmap-pitstop-august-2024/ba-p/4234818

Microsoft Security Exposure Management Graph: Prioritization is the king –

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-security-exposure-management-graph-prioritization-is/ba-p/4160316

MFA enforcement for Microsoft Entra admin center sign-in coming soon –

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/mfa-enforcement-for-microsoft-entra-admin-center-sign-in-coming/ba-p/4230849

Hunting with Microsoft Graph activity logs –

https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/hunting-with-microsoft-graph-activity-logs/ba-p/4234632

Improved user experience for Dictate in new Outlook for Windows and Outlook for the web –

https://techcommunity.microsoft.com/t5/microsoft-365-insider-blog/improved-user-experience-for-dictate-in-new-outlook-for-windows/ba-p/

OneNote Copilot now supports inked notes –

https://insider.microsoft365.com/en-us/blog/onenote-copilot-now-supports-inked-notes

How energy firms power the world with secure Microsoft technologies –

https://www.microsoft.com/en-us/industry/blog/energy-and-resources/2024/08/29/how-energy-firms-power-the-world-with-secure-microsoft-technologies/

Automatically summarize Word documents with Copilot –

https://techcommunity.microsoft.com/t5/microsoft-365-insider-blog/automatically-summarize-word-documents-with-copilot/ba-p/4231202

What’s New in Copilot | August 2024 –

https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/what-s-new-in-copilot-august-2024/ba-p/4226565

Windows news you can use: August 2024 –

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-news-you-can-use-august-2024/ba-p/4230093

North Korean threat actor Citrine Sleet exploiting Chromium zero-day – https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/

The art and science behind Microsoft threat hunting: Part 3 –

https://www.microsoft.com/en-us/security/blog/2024/08/28/the-art-and-science-behind-microsoft-threat-hunting-part-3/

Customer Service: Embed Copilot for Service into Microsoft 365 – https://www.youtube.com/watch?v=sr857daYOEQ

After hours

Mark Rober vs Dude Perfect- Ultimate Robot Battle – https://www.youtube.com/watch?v=P4gNS0Iiu0Q

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week