Access the Microsoft Graph with a script

In a recent article I showed how to connect to the Microsoft Graph in a web browser:

Using the Microsoft Graph Explorer

I also showed how you could do the same:

Using Interactive PowerShell

This article is going to focus on how you can do the same thing but directly via a script that won’t prompt you for credentials.

Before running this script you’ll need to follow the Using Interactive PowerShell article and set up an app in your Azure AD.

image

image

During that process you’ll need to record three things that will be used here:

1. Application ID

2. Tenant ID

3. Client secret

I borrowed the connection piece of this script from:

https://www.lee-ford.co.uk/getting-started-with-microsoft-graph-with-powershell/

which I found really handy in helping me understand all this. You can download my script from my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/graph-connect.ps1

You’ll need to enter your own Application ID, Tenant ID and Client secret in the variables section. After that, all you need to do is run the script. The results for the query of /security/alerts will end up in a variable called $query which you can view. The actual content of the alerts you’ll find in $query.content.

image

This Graph connection script should now allow you to connect to the Microsoft Graph for a tenant and start running queries and returning values for entries in there. At the moment it only queries security alerts, but you can modify it to query anything in the Graph for your tenant.

MSP Microsoft Partner MFA request

I’m not a Managed Service Provider (MSP) but there are lot of them inside the CIAOPS Patron community so I understand the challenges they have. Their role is typically to provide managed of customers technology, including things like Microsoft 365 and Azure. To perform that role they will typically need global administrator access to the clients tenant. They may need this access across multiple tenants.

Best practices is always to ensure you secure global administrator access via Multi Factor Authentication (MFA). This means, when you log into an account you’ll be prompted to verify your identity using a second factor like a code from an app on a mobile device. As I have detailed previously:

Using multiple authenticator apps with a single Microsoft 365 user account

you can have multiple ‘tokens’ to verify an account. If you want all of these tokens to be unique the current Azure AD arrangements are:

“Your users can now have up to five devices across the Authenticator app, software OATH tokens, and hardware OATH tokens.”

per – https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Hardware-OATH-tokens-in-Azure-MFA-in-the-cloud-are-now-available/ba-p/276466

That arrangement is generally fine if only one person is logging into an account but is a problems if you an MSP.

Why? Because you’ll typically have multiple technicians all needing to potentially manage a customers account. You want them to do this from a single global administrator account, however you want each technician to use a different token when they login. That way, if a technicians device gets lost or a technician leaves you merely revoke that one unique token. So, in the case where an MSP needs more than 5 tokens (say 1 for MSP and 4 for technicians) there is going to be an issue. For example what happens when you have 7 technicians say? Yes, there are ways around this but they are messy, cumbersome and inefficient as well as being more insecure I would suggest.

The ask here then is for the ability to increase the amount of tokens beyond 5 for a single account. I would suggest that perhaps the best way to accomplish this is only via a unique PowerShell command and not via the GUI. I also however suggest that a better idea would be to have a new unique global admin role in a tenant, say called “Partner Global Administrator”, that would allow more than 5 tokens. No other administrator could have this enabled, only this unique account. I would also suggest that this unique “Partner Global Administrator” also only be available in tenants that use CSP program from Microsoft. Thus, if the MSP is a CSP partner they will see this special role in the tenant. They then run a PowerShell script if needed and the number of tokens available on that account is increased up to say 20.

I also think that there is number of other benefits that a special “Partner Global Administrator” role could provide but for this request I want to stick to allowing the number security tokens be increased beyond 5.

I believe this request will help the many MSPs globally who manage a significant number of tenants for customers. Making it easier for MSPs to be secure and manage multiple customers more efficiently is a win for everyone.

Using interactive PowerShell to access the Microsoft Graph

I recently published an article on how you can browse the Microsoft Graph directly from a web page here:

using the Microsoft Graph Explorer

The next step is to start working with the Microsoft Graph using PowerShell.

This article was recently published by Microsoft:

IT Pros can now easily connect to Microsoft Graph Security with the PowerShell Module!

and one of the confusing things I found where it talks about “Registering your application”, which you need to do successfully before you can run all the PowerShell commands.

Now if I find that confusing I’m sure others will also, as there is a bit of trick in setting it up correctly. So here is what you need to do, step by step, to actually get it all working.

SNAGHTML55ab07

Login to https://portal.azure.com using you Microsoft 365 credentials. Navigate to Azure Active Directory from the list of items on the left.

image

From the options available on the left select App registration (Preview).

image

From the pane on the right select New registration at the top of the page.

image

Give the new application a name. Here I have called it Graph. Next hit the Register button at the bottom.

image

You should now see the Overview of the app. On the right hand side save both the Application (client) ID and Directory (tenant) ID as you will need these later.

image

Here’s the bit that isn’t that clear in the existing documentation. Select the Authentication option from the menu and then on the right check the option

urn:ietf:wg:oauth:2.0:oob

From what I can work out, normally apps need to return to a location after using Azure AD authentication. However, because we will be using an interactive PowerShell session, the selected option will simply return there. Again, not really clear in the documentation I read.

You don’t need to make any other changes on the page but ensure you now select Save in the top left.

image

Next, select the Certificates and secrets option on the left. On the pane that appears on the right select + New client secret.

image

Give the secret a name and an expiry period and select Add.

image

You should then see you new secret and the actual value of that secret to the right as shown above. You will need to copy this secret value and keep it secure. treat it like a password.

You will see a banner across the top of the pane telling you that this is only time you get to see the value of the secret in the clear. After you navigate away, you’ll no longer be able to simply copy and paste the complete entry, so do it now and save the secret somewhere secure as you will need it down the track.

image

Now select API permissions on the left. You should see text Microsoft Graph is hyperlinked, so select this. This means your app already has some basic access to the Microsoft Graph, here just user read right. If the Microsoft Graph entry isn’t visible for some reason you can select the + Add a permission button at the top and then select Microsoft Graph from the following page. Hopefully however, the Microsoft Graph hyperlink will already be there.

image

There are two boxes at the top of the page. Ensure the left hand (Delegated permissions) one is selected first.

image

Scroll through the list of permissions in the bottom section until you find the heading SecurityEvents and expand it as shown.

image

Select both options as shown:

SecurityEvents.Read.All

SecurityEvents.ReadWrite.All

Once these options have been select, press the Update permissions at the bottom of the page.

image

You’ll be returned to the permission summary page as shown. You should now see the additional permissions you added displayed. You will however note a warning icon next to them as well as a banner across the top informing you that you need to consent to these. We’ll do that shortly, however we want to add some more permissions, so again select the hyperlinked text Microsoft Graph.

image

This time ensure the box on the right (Application permissions) is selected.

In essence, think of the box on the left (Delegated permissions) as permission for interactive sessions like typing commands into the PowerShell manually. that requires a user to login each time. The right box (Application permissions) however, is going to allow operations without the need for an interactive user login. Thus, we can run a PowerShell script and not be prompted for login. thus, while we are in here it is a good idea to set up both sets of permissions to give you the flexibility later.

 image

As before, scroll through the list of permissions below. Locate the SecurityEvents heading, expand this and select:

SecurityEvents.Read.All

SecurityEvents.ReadWrite.All

Once selected, press the Update permissions button at the bottom of the page to save the changes.

image

You are again returned to the summary page where you should see all the permissions added. You should see permissions of type Delegated and Application for the security events. A set for each.

image

If you scroll to the bottom of the page you should see a Grant consent section as shown. Select the Grant admin consent for tenant button below. This means all users will have the permissions you just created. If you don’t do this, then they will have to consent the first time they access the Microsoft Graph using this method.

image

You should see the above prompt asking you to confirm that you will be consenting for all users in the tenant. Select Yes to continue.

image

In a few moments, your permission screen should show all green as shown above.

image

As a final check in the portal, select the Owners option on the left and ensure the appropriate users are listed here. These people will basically have the permissions to edit the application settings, like what has just been configured.

Now you can run an elevated PowerShell window and type:

install-module microsoftgraphsecurity

Once that has installed successfully you can run:

get-graphsecurityalert

image

Because this is an interactive PowerShell session you’ll need to login to the tenant. A login prompt will appear as shown, however be careful here. You enter your user login AND the Application ID from the app just created in the Azure AD portal here. That is the really long string of digits in the Overview part of the application you just added in Azure AD NOT the user password!

image

You’ll then be prompted for the user password and MFA if configured

image

If all of that is good then you should get results as shown above. Now you can continue on with your interactive PowerShell session and all the great stuff in the microsoftgraphsecurity module. Yeah!

The main trick is selecting the urn:ietf:wg:oauth:2.0:oob option as the Redirect URI when configuring the app.

You may have noticed that we have used the Application ID here but not the Application secret. That is because this is an interactive session where the user is required to login in first. if we don’t want to be prompted for a login we need to use the Application secret. That process will be covered in an up coming article so stay tuned.


Need to Know podcast–Episode 204

I’m back from MVP Summit and we have a huge amount of news to cover off in this episode. You’ll hear about the latest in Office 365 ATP, Windows Virtual Desktop, the new Microsoft Edge Browser and so much more. So much in fact that we had to hold a lot of material off until our next episode. However, don’t fear, you’ll get the most important stuff right here, so tune in and let us know what you think.

Podcast recording done using Microsoft Teams

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-204-the-prodigal-host-returns/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

CIAOPS Patron Program

New Edge Browser – https://blogs.windows.com/msedgedev/2019/04/08/microsoft-edge-preview-channel-details/

Shared Computer Access comes to M365 Business – https://blog.ciaops.com/2019/03/19/microsoft-365-business-adds-shared-computer-activation-sca-rights/

New Office 365 ATP licenses – https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description

Office 365 ATP Automated response – https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Bolster-efficiency-of-security-teams-with-new-Automated-Incident/ba-p/392773

Window Virtual Desktop now in public preview – https://azure.microsoft.com/en-au/blog/windows-virtual-desktop-now-in-public-preview-on-azure/?WT.mc_id=reddit-social-marouill

Getting Started with Windows Virtual Desktop – https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-started-with-Windows-Virtual-Desktop/ba-p/391054

25% of Phishing email bypass Office 365 default security – https://www.bleepingcomputer.com/news/security/25-percent-of-phishing-emails-bypass-office-365-default-security/

Your approach to Office 365 needs to change – https://www.loryanstrant.com/2019/04/03/your-approach-to-office-365-administration-needs-to-change/

CIAOPS Techwerks 5–Melbourne May 10

bw-car-vehicle

Hot on the heels of a successful CIAOPS Techwerks 4 in Perth in April, Techwerks 5 will move to Melbourne on Friday the 10th of May. The course is limited to 15 people and you can sign up and reserve your place now! You reserve a place by send me an email (director@ciaops.com) expressing you interest.

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:


Patron Level Price inc GST
Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $176
Non Patron $399

To learn more about the benefits of the CIAOPS Patron program visitwww.ciaopspatron.com.

To register, simply email me – director@ciaops.com and I’ll take care of everything from there.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Perth on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

Need to Know podcast–Episode 203

We catch you up with everything in the Microsoft Cloud and then spend some time talking about the new certifications that have just become available from Microsoft for both Microsoft 365 and Azure. I share some of my experiences and thought around doing these exams and their value to all IT Professionals going forward. We’ll be covering more about certifications down the track but this one should get you thinking about which one you should do!

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-203-certifications/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Patron Community

Azure opens datacenters in Africa

Microsoft announces Azure Sentinel

Introducing Microsoft Threat Experts

Get the latest Microsoft Security Intelligence report

Teams V Slack

Connect to Office 365 PowerShell via GUI

MS-100 Certification

MS-101 Certification

CIAOPS Techwerks 4–Perth April 12

bw-car-vehicle

The next instructor lead, all day, technical whiteboarding workshop session I’ll be doing on Microsoft Cloud Technologies (Office 365, Microsoft 365, Azure, Intune, Windows 10, etc) will be held in Perth on Friday April 12th, 2019. The course is limited to 15 people and you can sign up and reserve your place now!

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Patron Level

Price inc GST

Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $ 176
Non Patron $ 399

To learn more about the benefits of the CIAOPS Patron program visit www.ciaopspatron.com.

To register, simply email me – director@ciaops.com and I’ll take care of everything from there.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Perth on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

Need to Know podcast–Episode 202

The Microsoft Ignite tour has been to town so Brenton and I share our thoughts on attending the event. We wrap up what we believed to be the best sessions and overall take aways from the premier Microsoft IT Professional conference in Australia for 2019. We also cover off a few of the important updates from the Microsoft Cloud to make sure that you don’t miss anything in the meantime. I also share my thoughts on using the Kaizala app during the conference with the CIAOPS Patron community which is great lead in for our interview this episode – Parveen Maloo who is the Senior Product Marketing Manager for Kaizala. Sit back and enjoy something about a product you probably never knew Microsoft had.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-202-kaizala/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

@praveen_maloo

CIAOPS Patron Program

BRK3610 – Layers of Office 365 communication

Sessions from Ignite The Tour – Sydney

Step 4: Set conditional access policies: top 10 actions to secure your environment

Microsoft authenticator app now sends security notifications

Windows Update for Business and the retirement of SAC-T 

Microsoft begs you to stop using Internet Explorer 

Microsoft Kaizala

Microsoft Kaizala – Tech Community

Microsoft Kaizala – Feedback