Script to Identify End Users who make connections to Azure AD using legacy TLS


$userName = "email address removed for privacy reasons"
$UPN = $userName

# Interactive sign-in to the partner tenant; Get-AzureAdContract below relies on this session
Connect-AzureAD -AccountId $UPN

######### Secrets #########
$ApplicationId = 'xxxx'
# Placeholder like the other secrets; a real client secret should never be pasted into a script
$ApplicationSecret = 'xxxx' | ConvertTo-SecureString -Force -AsPlainText
$TenantID = 'xxxx'
$RefreshToken = 'xxxxxxxxxxxxxx'
$UPN = "email address removed for privacy reasons"
######### Secrets #########

Write-Host "Generating token to log into Azure AD. Grabbing all tenants" -ForegroundColor Green
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
#Install-Module -Name PartnerCenter -AllowClobber -Scope CurrentUser
#$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $TenantID
#$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID

# Partner-tenant tokens for Azure Resource Manager and Microsoft Graph
$azureToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $TenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID

# AzureRM is deprecated; Connect-AzAccount accepts the same parameters
Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -AccountId $UPN -TenantId $TenantID

#Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -AccountId $UPN -MsAccessToken $graphToken.AccessToken -TenantId $TenantID | Out-Null

# Every customer tenant the partner has a contract with
$tenants = Get-AzureAdContract -All:$true
Disconnect-AzureAD

$LegacyAuth = foreach ($Tenant in $tenants) {
    Write-Host "Processing tenant $($Tenant.DisplayName)"
    # Graph token scoped to the customer tenant
    $CustGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $Tenant.CustomerContextId
    $Header = @{
        Authorization = "Bearer $($CustGraphToken.AccessToken)"
    }

    # The usage reports come back as CSV text, so they are parsed with ConvertFrom-Csv
    $VersionReport = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/reports/getEmailAppUsageVersionsUserCounts(period='D7')" -Headers $Header -Method Get -ContentType "application/json") | ConvertFrom-Csv
    # Report cells are strings, and a non-empty string such as "0" is $true in PowerShell,
    # so the counts are compared as numbers instead of being used directly in an -or test
    $LegacyClients = $VersionReport | Where-Object {
        [int]$_.'Outlook 2007' -gt 0 -or [int]$_.'Outlook 2010' -gt 0 -or [int]$_.'Outlook 2013' -gt 0
    }

    $AppReports = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/reports/getEmailAppUsageAppsUserCounts(period='D7')" -Headers $Header -Method Get -ContentType "application/json") | ConvertFrom-Csv
    $LegacyApplications = $AppReports | Where-Object {
        [int]$_.'Other For Mobile' -gt 0 -or [int]$_.'POP3 App' -gt 0 -or [int]$_.'SMTP App' -gt 0 -or [int]$_.'IMAP4 App' -gt 0 -or [int]$_.'Mail For Mac' -gt 0
    }

    $UserDetails = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/reports/getEmailAppUsageUserDetail(period='D7')" -Headers $Header -Method Get -ContentType "application/json") | ConvertFrom-Csv

    [PSCustomObject]@{
        Tenant        = $Tenant.DisplayName
        LegacyClients = $LegacyClients
        LegacyApps    = $LegacyApplications
        UserDetails   = $UserDetails
    }
}

if ($LegacyAuth.LegacyClients -or $LegacyAuth.LegacyApps) {
    Write-Host "Unhealthy - Clients with legacy authentication or legacy clients have been detected"
    $LegacyAuth | Where-Object { $null -ne $_.LegacyClients -or $null -ne $_.LegacyApps }
}

$LegacyAuth | Export-Csv -Path .\LegacyAuthProtocolsReport.csv -NoTypeInformation


Failing to obtain an access token; the error is below:
New-PartnerAccessToken : AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 4b5fa431-b07b-40a4-84b3-db927e17ab00
Correlation ID: cbd243c5-9933-44b5-a424-45b1b64cf768
Timestamp: 2022-08-15 21:51:42Z
At line:1 char:15
+ ... zureToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Cre ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-PartnerAccessToken], MsalUiRequiredException
+ FullyQualifiedErrorId : Microsoft.Store.PartnerCenter.PowerShell.Commands.NewPartnerAccessToken


Please help me fix the script.
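As an added example (not part of the original post), the function below evaluates the CSV returned by the getEmailAppUsageAppsUserCounts report with numeric comparisons, which the post's `-or` test does not do: the report cells are strings, and a non-empty string such as "0" is `$true` in PowerShell, so every tenant would be flagged. It assumes the column names match the Graph report; the sample CSV is constructed for the example and its numbers are made up.

```powershell
# Columns of the apps report that indicate legacy protocols or clients
$LegacyAppColumns = @('POP3 App', 'IMAP4 App', 'SMTP App', 'Mail For Mac', 'Other For Mobile')

function Get-LegacyAppUsage {
    param(
        [Parameter(Mandatory)] [string] $CsvText,            # raw CSV body from the report endpoint
        [string[]] $Columns = $LegacyAppColumns
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        foreach ($col in $Columns) {
            $count = 0
            $cell = $row.PSObject.Properties[$col]            # $null when the column is absent
            # Only a parsable count above zero is a hit; blank or missing cells count as zero
            if ($cell -and [int]::TryParse($cell.Value, [ref]$count) -and $count -gt 0) {
                [PSCustomObject]@{
                    ReportDate = $row.'Report Date'
                    Protocol   = $col
                    UserCount  = $count
                }
            }
        }
    }
}

# Constructed sample shaped like the D7 report (column names assumed to follow the
# Graph report, values invented); only the second row shows legacy protocol use
$sample = @'
Report Refresh Date,Report Date,Mail For Mac,Outlook For Mac,Outlook For Windows,Outlook For Mobile,Other For Mobile,Outlook For Web,POP3 App,IMAP4 App,SMTP App,Report Period
2022-08-14,2022-08-13,0,5,120,40,0,90,0,0,0,7
2022-08-14,2022-08-14,0,5,118,41,2,92,0,3,0,7
'@

Get-LegacyAppUsage -CsvText $sample | Format-Table -AutoSize
```

Feeding the function the text returned by `Invoke-RestMethod` for a tenant yields one row per legacy protocol per report date, which is easier to export than the nested objects the script writes to CSV.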

2 Replies
Are you running this as an MSP for a company that is in your MS Partner Center? You have a lot of things commented out, but not everything.
Yes, I am collecting data for an MSP.