Script to Identify End Users who make connections to Azure AD using legacy TLS
1 TopicScript to Identify End Users who make connections to Azure AD using legacy TLS
$userName="email address removed for privacy reasons" $UPN = $userName Connect-AzureAD -AccountId $UPN ######### Secrets ######### $ApplicationId = 'xxxx' $ApplicationSecret = 'ckX8Q~D3FzCKVM0AGAAGTfY636yOouodsCkDvbkC' | ConvertTo-SecureString -Force -AsPlainText $TenantID = 'xxxx' $RefreshToken = 'xxxxxxxxxxxxxx' $UPN = "email address removed for privacy reasons" ######### Secrets ######### write-host "Generating token to log into Azure AD. Grabbing all tenants" -ForegroundColor Green $credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret) #Install-Module -Name PartnerCenter -AllowClobber -Scope CurrentUser #$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID #$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID $azureToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $tenantID $graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -AccountId $UPN -TenantId $TenantId #Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -AccountId $UPN -MsAccessToken $graphToken.AccessToken -TenantId $tenantID | Out-Null $tenants = Get-AzureAdContract -All:$true Disconnect-AzureAD $LegacyAuth = foreach ($Tenant in $Tenants) { write-host "Processing tenant $($tenant.displayname)" $CustGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $tenant.CustomerContextId $Header = @{ Authorization = "Bearer $($CustGraphToken.AccessToken)" } $VersionReport = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/reports/getEmailAppUsageVersionsUserCounts(period='D7')" -Headers $Header -Method get -ContentType "application/json") | ConvertFrom-Csv $LegacyClients = if ($versionreport.'Outlook 2007' -or $versionreport.'Outlook 2010' -or $versionreport.'Outlook 2013') { $VersionReport } $AppReports = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/reports/getEmailAppUsageAppsUserCounts(period='D7')" -Headers $Header -Method get -ContentType "application/json") | ConvertFrom-Csv $LegacyApplications = if ($AppReports.'Other For Mobile' -or $AppReports.'POP3 App' -or $AppReports.'SMTP App' -or $AppReports.'IMAP4 App' -or $AppReports.'Mail For Mac') { $AppReports } $UserDetails = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/reports/getEmailAppUsageUserDetail(period='D7')" -Headers $Header -Method get -ContentType "application/json") | ConvertFrom-Csv [PSCustomObject]@{ Tenant = $tenant.DisplayName LegacyClients = $LegacyClients LegacyApps = $LegacyApplications UserDetails = $UserDetails } } if ($LegacyAuth.LegacyClients -or $LegacyAuth.LegacyApps) { write-host "Unhealthy - Clients with legacy authenticaiton or Legacy clients have been detected" $LegacyAuth | Where-Object {$_.LegacyClients -ne $null -or $_.LegacyApps -ne $null} } $LegacyAuth | Export-Csv -Path .\LegacyAuthProtocolsReport.csv failing to obtain access token : error below New-PartnerAccessToken : AADSTS9002313: Invalid request. Request is malformed or invalid. Trace ID: 4b5fa431-b07b-40a4-84b3-db927e17ab00 Correlation ID: cbd243c5-9933-44b5-a424-45b1b64cf768 Timestamp: 2022-08-15 21:51:42Z At line:1 char:15 + ... zureToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Cre ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [New-PartnerAccessToken], MsalUiRequiredException + FullyQualifiedErrorId : Microsoft.Store.PartnerCenter.PowerShell.Commands.NewPartnerAccessToken please help me fix the script.1.1KViews0likes2Comments