Script to report tenant directory activity


I have created a script that uses the Microsoft Graph to report directory activity for the tenant as shown above. You’ll find it here:

https://github.com/directorcia/Office365/blob/master/graph-diraudit-get.ps1

along with the documentation here:

https://github.com/directorcia/Office365/wiki/Report-directory-activity-in-a-tenant

You will need to have the Microsoft Graph PowerShell module installed and up to date.

The first time you run the script you may be prompted to log in to your tenant and then asked to consent to the permissions the script requires:

AuditLog.Read.All
Directory.Read.All

which you may need to consent to the first time.

After the script executes you should see output like that shown above, listing the logging service, activity, result, operation, category and time stamp for each directory event.

You can also use the -csv command line option to write the results to a CSV file in the parent directory.

Script to report tenant signins


I have created a script that uses the Microsoft Graph to report signins for the tenant as shown above. You’ll find it here:

https://github.com/directorcia/Office365/blob/master/graph-signins-get.ps1

along with the documentation here:

https://github.com/directorcia/Office365/wiki/Get-tenant-signins

You will need to have the Microsoft Graph PowerShell module installed and up to date.

The first time you run the script you may be prompted to log in to your tenant and then asked to consent to the permissions the script requires:

AuditLog.Read.All
Directory.Read.All

which you may need to consent to the first time.

After the script executes you should see output like that shown above, listing the client app used, the IP address, whether the sign-in was interactive and the user principal name for each sign-in.

You can also use the -csv command line option to write the results to a CSV file in the parent directory.
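As an added example (this is not the graph-diraudit-get.ps1 or graph-signins-get.ps1 script linked above, but my own illustration of the Graph calls behind both reports), the following PowerShell connects with the two scopes listed, checks that they were actually granted, pages through /auditLogs/directoryAudits and /auditLogs/signIns for the last few days, and optionally writes each set to CSV in the parent directory. The Get-GraphCollection function, the look-back window and the CSV file names are my own choices; it assumes Microsoft Graph PowerShell SDK 2.x.

```powershell
# Added example, not the page's scripts: page through Entra directory audits and
# sign-ins with Invoke-MgGraphRequest and write each set to CSV.
# Assumes the Microsoft.Graph.Authentication module (SDK 2.x) is installed and that
# AuditLog.Read.All and Directory.Read.All can be consented to.

param(
    [int]$Days = 7,                 # look-back window (assumption)
    [string]$OutputFolder = "..",   # parent directory, matching the page's -csv behaviour
    [switch]$Csv                    # write CSV files as well as console output
)

# Request exactly the scopes the page lists; the consent prompt appears the first
# time these are requested for this account in the tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Fail early if a scope was declined, rather than on the first 403 from Graph.
$granted = (Get-MgContext).Scopes
foreach ($s in "AuditLog.Read.All", "Directory.Read.All") {
    if ($granted -notcontains $s) { throw "Scope $s was not granted; reconnect and consent to it." }
}

function Get-GraphCollection {
    # Follows @odata.nextLink until the collection is exhausted. Without this only
    # the first page of results comes back, which silently truncates busy tenants.
    param([Parameter(Mandatory)][string]$Uri)
    $items = New-Object System.Collections.Generic.List[object]
    $next = $Uri
    while ($next) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -ErrorAction Stop
        foreach ($v in $page.value) { $items.Add($v) }
        $next = $page.'@odata.nextLink'
    }
    return $items
}

# Graph $filter clauses take ISO-8601 UTC timestamps.
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")

# --- Directory activity: the fields graph-diraudit-get.ps1 reports ---
$auditUri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $since&`$orderby=activityDateTime desc"
$audits = Get-GraphCollection -Uri $auditUri | ForEach-Object {
    [pscustomobject]@{
        LoggedByService = $_.loggedByService
        Activity        = $_.activityDisplayName
        Result          = $_.result
        Operation       = $_.operationType
        Category        = $_.category
        Initiator       = $_.initiatedBy.user.userPrincipalName   # null for app-initiated changes
        TimeStamp       = $_.activityDateTime
    }
}

# --- Sign-ins: the fields graph-signins-get.ps1 reports ---
$signInUri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since&`$orderby=createdDateTime desc"
$signIns = Get-GraphCollection -Uri $signInUri | ForEach-Object {
    [pscustomobject]@{
        ClientApp     = $_.clientAppUsed
        IPAddress     = $_.ipAddress
        Interactive   = $_.isInteractive
        UserPrincipal = $_.userPrincipalName
        ErrorCode     = $_.status.errorCode   # 0 = success, otherwise the AADSTS error number
        TimeStamp     = $_.createdDateTime
    }
}

$audits  | Format-Table -AutoSize
$signIns | Format-Table -AutoSize

if ($Csv) {
    $audits  | Export-Csv -NoTypeInformation -Path (Join-Path $OutputFolder "directory-audits.csv")
    $signIns | Export-Csv -NoTypeInformation -Path (Join-Path $OutputFolder "signins.csv")
}
```

Two things worth knowing before running it: the signIns endpoint is only served for tenants that hold an Entra ID P1 or P2 licence, so expect an error rather than an empty list in tenants without one, and the non-zero ErrorCode column is the quickest way to separate failed sign-ins (password spray, blocked by Conditional Access) from successful ones when reviewing the export.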

Entra Global Secure Access client for iOS now in preview

In its simplest form, think of Entra Global Secure Access as an always-on secure VPN to resources such as Microsoft 365 services (SharePoint, Exchange, Teams and so on), to on-premises resources and finally to Internet web sites.

Entra Global Secure Access does this on iOS through the Microsoft Defender app on the device, configured via Intune. You can now try this out by following:

Global Secure Access client for iOS (preview)

The Entra Global Secure Access service requires a paid subscription as well as Entra ID P1 or P2 (Microsoft 365 Business Premium includes Entra ID P1, so it meets that prerequisite). When you have enabled the client you will see in Defender:

Screenshot of the iOS Microsoft Defender dashboard.

Unfortunately, the preview as yet doesn’t support the Internet traffic forwarding, which other clients do. Hopefully, that is not far away as that will really make this a killer product in my books.

I have been using Entra Global Secure Access on all my Windows and Android devices for quite a while now without issues and look forward to seeing the iOS client fully mature.

New Secure Score report script

I have created a new script that uses the modern Microsoft Graph method to report all the Secure Score items and rather than me explaining what the script does I’ll turn it over to Github Copilot.

<Enter Github Copilot>

This PowerShell script, mggraph-ssdescpt-get.ps1, is designed to interact with the Microsoft Graph API to retrieve and display secure score results. Here’s a step-by-step explanation of its operation and function:

  1. Start Transcript:

    start-transcript "..\mggraph-ssdescpt-get.txt"

    This line starts recording all commands and their output to a transcript file.

  2. Check Microsoft Graph Connection:

    # $errormessagecolor, $processmessagecolor and $prompt are set at the top of the full script (not shown in this excerpt)
    try {
        $context = get-mgcontext -ErrorAction Stop
    }
    catch {
        write-host -foregroundcolor $errormessagecolor "Not connected to Microsoft Graph. Please connect to Microsoft Graph first using connect-mggraph`n"
        if ($prompt) {stop-transcript}
        exit
    }
    if (-not $context) {
        write-host -foregroundcolor $errormessagecolor "Not connected to Microsoft Graph. Please connect to Microsoft Graph first using connect-mggraph`n"
        if ($prompt) {stop-transcript}
        exit
    }
    write-host -foregroundcolor $processmessagecolor "Connected to Microsoft Graph"
    write-host "  - Connected account =",$context.Account,"`n"
    if ($prompt) { pause }

    This block checks if the Microsoft Graph module is installed and if the user is connected to Microsoft Graph. If not, it prompts the user to connect and exits the script.

  3. Set API Endpoint and Method:

    $uri = "https://graph.microsoft.com/beta/security/securescores"
    $method = "GET"
    write-host -foregroundcolor $processmessagecolor "Run Graph API Query"

    The script sets the URI for the Microsoft Graph API endpoint to retrieve secure scores and specifies the HTTP method as GET.

  4. Invoke API Request:

    $query = Invoke-MgGraphRequest -Uri $URI -method $method -ErrorAction Stop

    This line sends a request to the Microsoft Graph API to get secure score results.

  5. Process and Display Results:

    $names = $query.value[0].controlscores          # get the most current secure score results
    $item = 0
    write-host -foregroundcolor $processmessagecolor "Display results`n"
    foreach ($control in $names) {
        $item++
        write-host -foregroundcolor green -BackgroundColor Black "`n*** Item", $item, "***"
        write-host "Control Category     : ", $control.controlCategory
        write-host "Control Name         : ", $control.controlName
        write-host "Control Score        : ", $control.Score
        write-host "Control Description  : ", $control.Description
        write-host "Control On           : ", $control.on
        write-host "Implementation status: ", $control.implementationstatus
        write-host "Score in percentage  : ", $control.scoreinpercentage
        write-host "Last synced          : ", $control.lastsynced
        write-host "`n"
        if ($prompt) { pause }
    }

    The script extracts the secure score results from the API response and iterates through each control score, displaying detailed information about each control.

  6. Complete Script:

    write-host -foregroundcolor $systemmessagecolor "`nScript Completed`n"
    if ($prompt) {stop-transcript}

    Finally, the script indicates completion and stops the transcript if the $prompt variable is set.

In summary, this script connects to Microsoft Graph, retrieves secure score data, and displays detailed information about each control score in the console.

Output


Use the -prompt command line option to pause the output after each item.

Bulk senders insight in Exchange Online


If you navigate to

https://security.microsoft.com/senderinsights

you should see the Bulk senders insight console shown above. You can also reach it by selecting an Exchange Online anti-spam policy like so:


then scrolling down the dialog that appears on the right and selecting Edit spam threshold and properties as shown above,


and then scrolling up to the top of the dialog as shown above.

You can read more about this capability here:

https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-senders-insight


You can adjust the sliders on the left and then select the Simulate button to report on the emails that would be caught at the new level before actually applying it to the policy. The list below shows the messages that would have been caught, so you know exactly which emails would be affected if this change were made to the BCL level in a spam policy.

This is now a handy way to fine tune the BCL settings inside Exchange Online anti-spam policies.

Using PowerShell to allow user enablement

After a recent incident, I decided that I needed a way, independent of a user login, to re-enable a disabled user account. To achieve this an EntraID app needs to be created with the appropriate permissions, as I have detailed here:

Create an EntraID app to allow user enablement


If a user is disabled as shown above,

Screenshot 2024-09-30 071803

you'll first need to set some variables to use in your script, as shown above, for the client ID and the tenant ID, which were displayed when the EntraID app was created previously.

Screenshot 2024-09-30 072052

Next you'll need to save the EntraID app password credential to another variable as shown above. At this point you will be prompted to enter the EntraID app client secret you stored when the app was created.

Screenshot 2024-09-30 072151

You can now connect to the Microsoft Graph using the command:

Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $ClientSecretCredential

at which point you should be logged into the tenant as shown above.

The command to update the user account is:

update-mguser

which requires the following application permissions as shown.


These permissions were set in the EntraID app previously created.


If the command:

Update-MgUser -UserId "AdeleV@M365B067874.OnMicrosoft.com" -AccountEnabled

is now run, we don't receive any errors on the command line as shown above (Update-MgUser returns nothing on success),


but when we check the user we see that it is unblocked and can be logged into.

The benefit of this method is that you are not dependent on any existing user account to unlock an account: you log in to the tenant with the EntraID app created earlier. Having a dedicated 'unlock' app like this is intended to give it a single, narrow function. Note, though, that the permissions listed above (User.ReadWrite.All and Directory.ReadWrite.All in particular) allow far more than re-enabling users; the Microsoft Graph "update user" reference lists a smaller set for changing accountEnabled, so check it and grant only what the task needs. You will also still need to protect the app and its secret, because a client secret does not prompt for MFA: anyone who obtains the client ID, tenant ID and secret gets the same access, so store the secret in a vault, give it a short expiry, and watch the service principal's sign-in logs for use you did not initiate.
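The sequence above, put together as one script. This is an added example and not the page's own commands: the client ID and tenant ID are placeholders to replace with the values recorded when the app was registered, the secret is read with Get-Credential so it never sits in the script or shell history, and I have added a check that the session really is app-only plus a read-back of the account after the update, since Update-MgUser itself reports nothing on success.

```powershell
# Added example, not the page's commands: re-enable a disabled account over an
# app-only Graph session, verifying the state before and after the change.
# Assumes the EntraID app from the page exists with permissions that allow
# reading users and changing accountEnabled.

param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [string]$ClientId = "00000000-0000-0000-0000-000000000000",   # placeholder: Application (client) ID
    [string]$TenantId = "contoso.onmicrosoft.com"                  # placeholder: Directory (tenant) ID
)

# Get-Credential keeps the secret as a SecureString; the user name part must be the client ID.
$ClientSecretCredential = Get-Credential -UserName $ClientId -Message "Enter the EntraID app client secret"

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential -NoWelcome

# Confirm no user identity is involved, which is the point of this method.
$ctx = Get-MgContext
if ($ctx.AuthType -ne "AppOnly") { throw "Expected an app-only session but got $($ctx.AuthType)" }

# Get-MgUser does not return accountEnabled unless asked for it explicitly.
$before = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop
if ($before.AccountEnabled) {
    Write-Host "$UserPrincipalName is already enabled; nothing to do."
    Disconnect-MgGraph | Out-Null
    return
}

# -AccountEnabled is a switch: present means enable, -AccountEnabled:$false would disable.
Update-MgUser -UserId $before.Id -AccountEnabled -ErrorAction Stop

# Read the object back rather than trusting a silent return.
$after = Get-MgUser -UserId $before.Id -Property AccountEnabled
if (-not $after.AccountEnabled) { throw "$UserPrincipalName is still disabled after the update" }

Write-Host "$UserPrincipalName re-enabled at $((Get-Date).ToUniversalTime().ToString('u'))"
Disconnect-MgGraph | Out-Null
```

Test this against a deliberately disabled copy of the kind of account you expect to recover before you need it in an incident, including any account that holds an admin role, since Graph applies extra requirements when the target is privileged and that is not the moment to discover them.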

Create an EntraID app to allow user enablement

After a recent incident, I decided that it would be a good idea to have an EntraID app that I could use to re-enable users inside a tenant if I needed to. This will allow me to log in to EntraID without being dependent on a user account, as I would be logging in using this app directly.


The first step in that process is to navigate to EntraID as an administrator in the Azure portal and select App registrations from the menu on the left and then New registration on the right as shown above.


Simply give the app a name and select Register as shown above.


You will then be taken to the new app's overview page as shown above. Take a moment to record the:

– Application (client ID)

– Object ID

– Directory tenant ID


Next, select Certificates & secrets from the menu on the left as shown above.


Select New client secret on the right as shown above.


Give the secret a name and select the duration for that secret from the list available as shown.


Take a moment to copy this secret into a password vault, as this is the only time its value will be displayed. If you don't take a copy here you'll need to generate a new secret.


From the menu on the left select API permissions as shown above. Then select Add a permission on the right.


Select the option for the Microsoft Graph as shown.


Select Application permissions.

Add the following permissions:

– User.ManageIdentities.All

– User.EnableDisableAccount.All

– User.ReadWrite.All

– Directory.ReadWrite.All


Select Grant admin consent.


Select Yes in the dialog that appears.


You should now see all the permissions have been consented to as shown above.

The EntraID app has now been created and is ready for use. It will be used to log in with PowerShell and then enable any disabled user. Before relying on it, note when the secret expires and restrict who can read it: anyone holding the client ID, tenant ID and secret can do everything these application permissions allow, without any MFA prompt.
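The same registration, done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes a delegated session from an account able to create app registrations and grant admin consent (a Global Administrator, for instance) and that the SDK 2.x modules are installed. The app name is a placeholder. It also goes beyond the portal steps in one respect: it resolves permission names to Graph's app-role IDs at run time rather than hard-coding GUIDs, and it defaults to the narrower pair User.EnableDisableAccount.All and User.Read.All, which is what the Graph "update user" reference lists for changing accountEnabled; pass -Permissions with the four names from the list above if you want exactly what the portal walkthrough grants.

```powershell
# Added example, not the page's steps: register the user-enablement app with the
# Graph PowerShell SDK, grant admin consent and mint a short-lived client secret.
# Assumes SDK 2.x and a delegated session that can consent to the scopes below.

param(
    [string]$AppName = "User enablement app",   # placeholder display name
    # Narrower than the page's list; verify against the Graph "update user" permission table.
    [string[]]$Permissions = @("User.EnableDisableAccount.All", "User.Read.All"),
    [int]$SecretLifetimeDays = 30
)

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome

# Microsoft Graph's own service principal; this appId is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map permission names to application app roles from Graph's manifest, failing on typos
# instead of silently registering an app with no permissions.
$roles = foreach ($name in $Permissions) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) { throw "No application permission named '$name' exists on Microsoft Graph" }
    $role
}

# 1. Register the app (single tenant) declaring the application permissions it needs.
$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } })
}
$app = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" -RequiredResourceAccess @($requiredAccess)

# 2. Create its service principal; the portal does this implicitly on first consent.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Grant admin consent: one app-role assignment per permission against Graph's service principal.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# 4. Add a client secret with a deliberately short lifetime; the value is returned exactly once.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "unlock-$(Get-Date -Format yyyyMMdd)"
    EndDateTime = (Get-Date).AddDays($SecretLifetimeDays)
}

# The three values the portal walkthrough tells you to record, plus the secret and its expiry.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    ObjectId            = $app.Id
    TenantId            = (Get-MgContext).TenantId
    SecretExpires       = $secret.EndDateTime
    ClientSecret        = $secret.SecretText   # store in a vault now; it cannot be retrieved again
}
```

Treat the output like a break-glass credential: put the secret straight into a vault, calendar the expiry, and consider swapping the password credential for a certificate once the process is proven, since a certificate never has to be typed or pasted anywhere.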


Excluding a user from Attack Disruption

After a recent incident, I decided to take a look at how I could exclude certain accounts from being automatically disabled by Attack Disruption, more to understand how to disable this if I wanted to, rather than making it a standard setting, as I think having automated Attack Disruption is a good thing.

To prevent Microsoft Defender XDR from automatically disabling specific accounts through automated attack disruption, you can configure user exclusions in the Defender XDR settings:

1. Navigate to Settings in the Microsoft Security portal.

Screenshot 2024-09-25 071244

2. Select Microsoft Defender XDR as shown above.

Screenshot 2024-09-25 070945

3. Select the Identity automated response option under the Automated section at the bottom of the page.

4. On the right, select the +Add user exclusion button to add a user you wish to exclude. That user should then appear in the list.

It’s important to note that while configuring exclusions can prevent automatic account disabling, it should be done with caution to ensure that it does not compromise your organization’s security posture. Always consider the potential risks and consult with your security team before making changes to the automated response settings.

For a detailed understanding and step-by-step instructions, you may refer to the documentation and resources provided by Microsoft, such as the Microsoft 365 Defender portal and Microsoft Learn articles on automatic attack disruption.

Configure automatic attack disruption capabilities in Microsoft Defender XDR – Microsoft Defender XDR | Microsoft Learn

Automated response exclusions – Microsoft Defender for Identity | Microsoft Learn