User Profile
StevenRPF
Brass Contributor
Joined Mar 18, 2021
User Widgets
Recent Discussions
Hyper-V Cluster Failover Event viewer log showing SMB traffic connect to quorum disk network share
Hi, To tweak my SIEM, I need to correlate smb network traffic between Hyper-V servers and witness disk stored on a network share on another server. I'm searching a log who tell me the Hyper-V is connecting to the witness disk (on network shared drive) for doing something ... probably I will be able to correlate and put exception when this happens and the SMB traffic between Hyper-V and the other server to stop always receive this alert. Any cues would be appreciated! ThanksRe: Get MFAStatus with API
VasilMichev Ok! My token variable have something in it. Then I assume that this part is working ... After that, I retry this part of the code $tokenResponse = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody $accessToken = $tokenResponse.access_token # Retrieve all users in the tenant $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $accessToken"} # Loop through each user and retrieve their MFA status foreach ($user in $users.value) { $userId = $user.id $mfaStatus = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userId/authentication/Methods" -Headers @{Authorization = "Bearer $accessToken"} $mfaEnabled = $mfaStatus.value | Where-Object {$_.state -eq "enabled"} Write-Output "$($user.displayName) - MFA Enabled: $($mfaEnabled -ne $null)" } and I got this error : Invoke-RestMethod : Le serveur distant a retourné une erreur : (403) Interdit. Au caractère Ligne:5 : 10 + $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft. ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation : (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand Thanks again to help me, that's really appreciate ... by the way, if you have another way to achieve my goal, I'm open! 🙂Re: Get MFAStatus with API
yes I grand admin consent ... and I grand all permission specified above : UserAuthenticationMethod.Read.All or UserAuthenticationMethod.ReadWrite.All (for Microsoft Graph API v1.0) OR AuthenticationMethod.Read.All or AuthenticationMethod.ReadWrite.All (for Microsoft Graph API beta) User.Read.All or User.ReadWrite.All (for Microsoft Graph API v1.0) OR Directory.Read.All or Directory.ReadWrite.All (for Microsoft Graph API beta) Can I check some log in Azure Admin Center or other way to check if my request are accepted? To be sur client ID password are ok? Is this normal I got nothing when I past in the token decoder? Thanks againRe: Get MFAStatus with API
To be honnest, this code is from ChatGPT! 🙂 You understand that I'm not a professionnal in powershell!! 🙂 I tried you modification and same error at same line .... like if I have an authorization problem. Can you give me a cue to check if my authentication and permission are good with the API? THanksGet MFAStatus with API
Hi, I'm trying to get a report for the MFA status for all my tenant users. # Replace the values in the following variables with your own $clientId = "your_client_id_here" $clientSecret = "your_client_secret_here" $tenantId = "your_tenant_id_here" # Authenticate using Microsoft Graph API $tokenBody = @{ Grant_Type = "client_credentials" Scope = "https://graph.microsoft.com/.default" Client_Id = $clientId Client_Secret = $clientSecret } $tokenResponse = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody $accessToken = $tokenResponse.access_token # Retrieve all users in the tenant $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $accessToken"} # Loop through each user and retrieve their MFA status foreach ($user in $users.value) { $userId = $user.id $mfaStatus = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userId/authentication/strongAuthenticationMethods" -Headers @{Authorization = "Bearer $accessToken"} $mfaEnabled = $mfaStatus.value | Where-Object {$_.state -eq "enabled"} Write-Output "$($user.displayName) - MFA Enabled: $($mfaEnabled -ne $null)" } I got this script but I'm always getting an error when I'm trying to execute it ... error is : Line | 17 | $users = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft. … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the | operation.","innerError":{"date":"2023-03-28T00:21:46","request-id":"d929a2d8-ca16-44b4-af0b-4d514c15ea78","client-request-id":"d929a2d8-ca16-44b4-af0b-4d514c15ea78"}}} In my API permission, I've double check to be sur all permission are ok : UserAuthenticationMethod.Read.All or UserAuthenticationMethod.ReadWrite.All (for Microsoft Graph API v1.0) OR AuthenticationMethod.Read.All or AuthenticationMethod.ReadWrite.All (for Microsoft Graph API beta) User.Read.All or User.ReadWrite.All (for Microsoft Graph API v1.0) OR Directory.Read.All or Directory.ReadWrite.All (for Microsoft Graph API beta) I've check again my clientID-clientSecret-TenanID and seems to be good : How to be sure this is OK? Any log in AzureAD to check if at least my script is able to authenticate? Thanks in advance!Export list users never loged in
I'm trying to use this script I've found on the internet : #Set admin UPN $UPN = 'email address removed for privacy reasons' #Time range $startDate = (Get-Date).AddDays(-30).ToString('MM/dd/yyyy') $endDate = (Get-Date).ToString('MM/dd/yyyy') #We are looking for accounts that are active - not deactivated $allUsers = @() $allUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Select UserPrincipalName #We search $loggedOnUsers = @() $loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000 #Create the list $inactiveInLastSixMonthsUsers = @() $inactiveInLastSixMonthsUsers = $allUsers.UserPrincipalName | where {$loggedOnUsers.UserIds -NotContains $_} #We get a result Write-Output "The following users have no logged in for the last 180 days:" #written to the screen Write-Output $inactiveInLastSixMonthsUsers #Export list to CSV $inactiveInLastSixMonthsUsers $inactiveInLastSixMonthsUsers > "C:\Temp\InactiveUsers.csv" dont know why, but this command never return any data in the variable : $loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000 When I check other variable, I get info, but this one never return anything. I tried with different option and nothing ... that's where my problem is. Any suggestion would be appreciate, or if you have another solution to find all users in the tenant that never loged in, that's what I need! Thanks!Phishing Campain Connectors and filters
Hi, I'm trying to setup a phishing campain with a third party company, and they ask me to create a connector and rules set. What I've done. Connector authorize TLS encrypted email from 2 specified IP addresse I've created 2 rules I joined in attachment to that message. The third party company tried to send me a test and the email is blocked. Do you know where I can see why the email is blocked? something else I have to do to permit email from that third party company? Thanks for any suggestion!Teams control bar cannot be hidden
Hi, During meeting, if you share something or check other windows in your computer, you got the little Teams windows to view the speaker. In that little windows, we have the control bar at the bottom. (check the picture below). I'm searching on MAC and PC how to hide temporary this bar to see completely the video from the speaker ... I've done a lot of research and impossible to hide this bar. Sometime, this bar is in the face of the speaker when his camera dont have a good adjustment. With Zoom, this bar is hidden automatically and appear when the mouse pass over ... is there a way to do that with Teams? Thanks!Exploit Protection block Teams call to Win32k.sys
Hi, Is it normal than almost all PC in our business have this warning in eventviewer : Microsoft-Windows-Security-Mitigations EventID: 10 Le processus « \Device\HarddiskVolume2\Users\JoeBlo\AppData\Local\Microsoft\Teams\current\Teams.exe » (PID 18152) a été empêché d'effectuer des appels système à Win32k.sys. It is strange that a Microsoft App dont have right to call their process?!?! Anyone can explain me please? ThanksSharepoint list threshold error limit 5000 items versus export from 3rd party software Fastfield
Hi, I know there's a way to bypass this problem like explained in this article : https://support.microsoft.com/en-us/office/manage-large-lists-and-libraries-b8588dae-9387-48c2-9248-c24122f07c59?ui=en-us&rs=en-us&ad=us Modern view isn't an option and create index too because my problem isn't when I'm trying to view the list in sharepoint, but when I tried to connect an 3rd party API (Fastfield Mobile form) to a list that contain more than 5000 items. I supposed this 3rd party software use the classic system, but I cant manage that. I'm the tenant administrator, then access to Admin Center. Is there a powershell line that can help me to increase this value for a specific list or for the whole Tenant? Or, anyone have an idea? I'm really stuck! Thanks in advance!GPO MSI deployment SRV2012 to user without admin rights
Hi, I'm trying to deploy nxlog-ce-2.10.2150.msi to all computers on my AD. I success with 7zip but not Nxlog because user have to be local admin to install. Anyone have a tutorial to guide me how to do that? Do I really need a 3rd party app like PDQdeploy to do that? Is there any simple way to deploy any application to a windows 10 computer without admin right? By this time where cybersecurity is really important, I dont understand why it is so complicated ... or maybe I'm just ignorant? Thanks for any suggestions!
