User Profile
TomWechsler
MVP
Joined 5 years ago
Recent Discussions
Active Directory Advanced Threat Hunting - Tracing the cause of account lockouts and password errors
Dear Microsoft Active Directory friends,

In this article we are going on a "search for clues" :-). In the life of an IT administrator, you have certainly often had to reset a user's password or remove an account lockout. Then the question arises on which system the account was locked, or on which system the password was entered incorrectly. To determine this with PowerShell, some preparation is needed: "Advanced Audit Policy Configuration" must be configured in the group policies. This article from Microsoft provides a good starting point: https://learn.microsoft.com/en-us/defender-for-identity/deploy/event-collection-overview

In my example, I have adapted the Default Domain Controllers Policy.

Before we begin, here is some important information about MITRE techniques:

Account Access Removal: https://attack.mitre.org/techniques/T1531/
User Account: https://attack.mitre.org/datasources/DS0002/
Brute Force: Password Spraying: https://attack.mitre.org/techniques/T1110/003/

Account lockouts are logged in the Windows event logs with the ID 4740. We will therefore focus on this event ID first. The start of the PowerShell script looks like this:

```powershell
#Prep work for lockouts, Account lockout Event ID
$LockOutID = 4740

#Find the PDC
(Get-ADDomain).PDCEmulator
$PDCEmulator = (Get-ADDomain).PDCEmulator

#Connect to the PDC (optional: the queries below reach the PDC via -ComputerName,
#and variables defined here are not carried into an interactive remote session)
Enter-PSSession -ComputerName $PDCEmulator

#Query event log
Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID      = $LockOutID
}

#Parse the event and assign to a variable
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID      = $LockOutID
}

#Examine some properties
$events[0].Message

#Regex?
$events[0].Message -match 'Caller Computer Name:\s+(?<caller>[^\s]+)'
$Matches.caller

#Cool, but not as easy as:
$events[0].Properties
$events[0].Properties[1].Value

#For all events:
ForEach ($event in $events) {
    [pscustomobject]@{
        UserName       = $event.Properties[0].Value   #TargetUserName
        CallerComputer = $event.Properties[1].Value   #"Caller Computer Name" in the message text
        TimeStamp      = $event.TimeCreated
    }
}

#And we'll make that a function
Function Get-ADUserLockouts {
    [CmdletBinding(DefaultParameterSetName = 'All')]
    Param (
        [Parameter(ValueFromPipeline = $true, ParameterSetName = 'ByUser')]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin {
        $LockOutID   = 4740
        $PDCEmulator = (Get-ADDomain).PDCEmulator
    }
    Process {
        If ($PSCmdlet.ParameterSetName -eq 'All') {
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID      = $LockOutID
            }
        } ElseIf ($PSCmdlet.ParameterSetName -eq 'ByUser') {
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID      = $LockOutID
            } | Where-Object { $_.Properties[0].Value -eq $user.SamAccountName }
        }
        ForEach ($event in $events) {
            [pscustomobject]@{
                UserName       = $event.Properties[0].Value
                CallerComputer = $event.Properties[1].Value
                TimeStamp      = $event.TimeCreated
            }
        }
    }
    End {}
}

#Usage
Get-ADUserLockouts

#Single user
Get-ADUser 'jesse.pinkman' | Get-ADUserLockouts
```

Now we come to the incorrectly entered passwords. These events are logged in the Windows event logs with the ID 4625.
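As an added example that is not the article's code: the objects emitted by Get-ADUserLockouts above (UserName, CallerComputer, TimeStamp) and by the Get-ADUserBadPasswords function that follows (TargetAccount, CallingComputer, IPAddress, TimeStamp) can be correlated, listing for each lockout the failed logons of that account in the preceding window and flagging a single source that fails against many different accounts, the password-spraying pattern (T1110.003) named above. The function name, parameters and sample events are mine and constructed, so the script runs without a domain.

```powershell
# Added example (not the article's code): correlate lockouts (4740) with the bad-password
# events (4625) that preceded them, and flag sources that fail against many accounts.
# Note: 4625 is written by the system that processed the failed logon, so collect it from
# every DC (and 4771 for Kerberos pre-authentication failures), not from the PDC alone.
Function Find-LockoutSource {
    [CmdletBinding()]
    Param (
        # objects shaped like Get-ADUserLockouts output: UserName, CallerComputer, TimeStamp
        [Parameter(Mandatory)] [object[]]$Lockouts,
        # objects shaped like Get-ADUserBadPasswords output: TargetAccount, CallingComputer, IPAddress, TimeStamp
        [Parameter(Mandatory)] [object[]]$BadPasswords,
        # how far back from the lockout to look for failures
        [int]$WindowMinutes = 30,
        # a source failing against at least this many distinct accounts is reported as a spray candidate
        [int]$SprayThreshold = 5
    )

    # 1) for each lockout: failures for the same account in the preceding window, grouped by source
    ForEach ($lockout in $Lockouts) {
        $windowStart = $lockout.TimeStamp.AddMinutes(-$WindowMinutes)
        $related = @($BadPasswords | Where-Object {
            $_.TargetAccount -eq $lockout.UserName -and
            $_.TimeStamp -ge $windowStart -and
            $_.TimeStamp -le $lockout.TimeStamp
        })
        $sources = $related | Group-Object -Property IPAddress, CallingComputer | ForEach-Object {
            '{0} ({1}) x{2}' -f $_.Group[0].IPAddress, $_.Group[0].CallingComputer, $_.Count
        }
        [pscustomobject]@{
            Kind           = 'Lockout'
            Account        = $lockout.UserName
            LockedAt       = $lockout.TimeStamp
            CallerComputer = $lockout.CallerComputer
            FailureCount   = $related.Count
            Sources        = ($sources -join '; ')
        }
    }

    # 2) sources that touch many distinct accounts, regardless of whether a lockout happened yet
    $BadPasswords | Group-Object -Property IPAddress | ForEach-Object {
        $accounts = @($_.Group.TargetAccount | Sort-Object -Unique)
        If ($accounts.Count -ge $SprayThreshold) {
            [pscustomobject]@{
                Kind           = 'SprayCandidate'
                Account        = ($accounts -join ',')
                LockedAt       = $null
                CallerComputer = (@($_.Group.CallingComputer | Sort-Object -Unique) -join ',')
                FailureCount   = $_.Count
                Sources        = $_.Name
            }
        }
    }
}

# Constructed sample data (not real events), in the shape the article's two functions emit
$t0 = Get-Date '2024-01-15 08:00:00'
$sampleLockouts = @(
    [pscustomobject]@{ UserName = 'jesse.pinkman'; CallerComputer = 'WS-042'; TimeStamp = $t0.AddMinutes(12) }
)
$sampleBadPasswords = @(
    # five failures for one account from one workstation: the typical stale-credential lockout
    1..5 | ForEach-Object {
        [pscustomobject]@{ TargetAccount = 'jesse.pinkman'; LogonType = 'Interactive'
                           CallingComputer = 'WS-042'; IPAddress = '10.0.0.42'; TimeStamp = $t0.AddMinutes($_ * 2) }
    }
    # one source trying six different accounts within seconds: the spraying pattern
    'alice', 'bob', 'carol', 'dave', 'erin', 'frank' | ForEach-Object {
        [pscustomobject]@{ TargetAccount = $_; LogonType = 'Network'
                           CallingComputer = '-'; IPAddress = '10.0.0.99'; TimeStamp = $t0.AddSeconds(30) }
    }
)

# With live data: Find-LockoutSource -Lockouts (Get-ADUserLockouts) -BadPasswords (Get-ADUserBadPasswords)
Find-LockoutSource -Lockouts $sampleLockouts -BadPasswords $sampleBadPasswords | Format-Table -AutoSize
```

With the sample data the lockout row reports five failures from 10.0.0.42 (WS-042), and 10.0.0.99 is reported as a spray candidate for touching six accounts.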
```powershell
#Prep work for bad passwords - Event ID
$badPwId = 4625

#Get the events from the PDC
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID      = $badPwId
}

#Correlate the logon types
$LogonType = @{
    '2'  = 'Interactive'
    '3'  = 'Network'
    '4'  = 'Batch'
    '5'  = 'Service'
    '7'  = 'Unlock'
    '8'  = 'Networkcleartext'
    '9'  = 'NewCredentials'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

#Format the properties (index positions follow the 4625 EventData layout)
ForEach ($event in $events) {
    [pscustomobject]@{
        TargetAccount   = $event.Properties[5].Value    #TargetUserName
        LogonType       = $LogonType["$($event.Properties[10].Value)"]
        CallingComputer = $event.Properties[13].Value   #WorkstationName
        IPAddress       = $event.Properties[19].Value   #IpAddress
        TimeStamp       = $event.TimeCreated
    }
}

#Bring it all together in a function
Function Get-ADUserBadPasswords {
    [CmdletBinding(DefaultParameterSetName = 'All')]
    Param (
        [Parameter(ValueFromPipeline = $true, ParameterSetName = 'ByUser')]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin {
        $badPwId     = 4625
        $PDCEmulator = (Get-ADDomain).PDCEmulator
        $LogonType   = @{
            '2'  = 'Interactive'
            '3'  = 'Network'
            '4'  = 'Batch'
            '5'  = 'Service'
            '7'  = 'Unlock'
            '8'  = 'Networkcleartext'
            '9'  = 'NewCredentials'
            '10' = 'RemoteInteractive'
            '11' = 'CachedInteractive'
        }
    }
    Process {
        If ($PSCmdlet.ParameterSetName -eq 'All') {
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID      = $badPwId
            }
        } ElseIf ($PSCmdlet.ParameterSetName -eq 'ByUser') {
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID      = $badPwId
            } | Where-Object { $_.Properties[5].Value -eq $user.SamAccountName }
        }
        ForEach ($event in $events) {
            [pscustomobject]@{
                TargetAccount   = $event.Properties[5].Value
                LogonType       = $LogonType["$($event.Properties[10].Value)"]
                CallingComputer = $event.Properties[13].Value
                IPAddress       = $event.Properties[19].Value
                TimeStamp       = $event.TimeCreated
            }
        }
    }
    End {}
}

#Usage
Get-ADUserBadPasswords | Format-Table

#Single account
Get-ADUser administrator | Get-ADUserBadPasswords | Format-Table
```

I hope that this information is helpful to you and that you have been given a good "little" foundation. This article/information is by no means complete and exhaustive. But I still hope that this information is helpful to you. Thank you for taking the time to read the article. Happy Hunting, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Active Directory Advanced Threat Hunting - Compare GPOs with the Security Compliance Toolkit
Dear Microsoft Active Directory friends,

Even in the age of digital transformation, group policy settings (still) play a crucial role in maintaining network security and compliance. Advanced Hunting, an advanced technique for monitoring and analyzing these settings, is an indispensable tool for administrators. This method makes it possible to gain in-depth insights into the configuration and security posture of Windows networks. By using specific tools and scripts, professionals can detect security vulnerabilities, identify configuration errors and ensure that all group policies meet the highest security and compliance requirements. This article introduces the concept of Advanced Hunting for Group Policy settings and how it can transform management and security in IT infrastructures.

Do we now need additional software and/or expensive tools? No, all we need is a little time, curiosity and the "Security Compliance Toolkit", which Microsoft makes available to us free of charge (thanks to Microsoft at this point). But before we start analyzing the group policy settings, let's take a closer look at the MITRE techniques and the relevant Windows Event IDs.

We start with a list of MITRE techniques:

Domain Policy Modification: https://attack.mitre.org/techniques/T1484/
Domain Policy Modification: Group Policy Modification: https://attack.mitre.org/techniques/T1484/001/
Group Policy Discovery: https://attack.mitre.org/techniques/T1615/
Domain Policy Modification: Domain Trust Modification: https://attack.mitre.org/techniques/T1484/002/
Unsecured Credentials: Group Policy Preferences: https://attack.mitre.org/techniques/T1552/006/

The Windows Event IDs for the MITRE techniques:

Domain Policy Modification - 4739(S): Domain Policy was changed: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739
Group Policy Discovery - Appendix L: Events to Monitor: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
Domain Policy Modification: Domain Trust Modification - 4716(S): Trusted domain information was modified: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716

Compare the Default Domain Controllers Policy with the security baselines using the Policy Analyzer!

So that we can compare the Default Domain Controllers Policy, we first create a backup of it.

The Security Compliance Toolkit and the baselines can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=55319

We need the necessary tools and baselines:
1. Extract the files.
2. From the Windows-Server-2022-Security-Baseline-FINAL folder, copy the following file.
3. Paste the file into the Policy Analyzer folder.
4. Open the Policy Analyzer.

NOTE: If you have a low screen resolution you may not be able to see the bottom part of the application. It is important that you see the bottom part so that you can adjust the path to the policy rule sets (see red marker).

Now we have to add the Default Domain Controllers Policy:
1. Click on the import button.
2. Give it a name and then click on Save.
3. Now you can compare the policy with the security baseline.

HAPPY COMPARING!
If you want to examine your Active Directory with PowerShell, you will find a "small" compilation of various PowerShell scripts at the following link: https://github.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/tree/main/PowerShell

NOTE: Before using these scripts, make sure that you have the necessary authorizations. This should always be in writing. Although the scripts do not change any settings or manipulate the system, it is your responsibility how you use these scripts!

I hope that this information is helpful to you and that you have been given a good "little" foundation. This article/information is by no means complete and exhaustive. But I still hope that this information is helpful to you. Thank you for taking the time to read the article. Happy Comparing and Hunting, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Achieve higher security with certificate bindings - How it works!
Dear Microsoft Entra friends,

In this article I would like to take a closer look at the subject of certificate affinity binding, so that even more security can be applied during authentication. Let's start with a few links to the Microsoft documentation pages.

Overview of Microsoft Entra certificate-based authentication: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication
How to configure Microsoft Entra certificate-based authentication: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
Microsoft Entra certificate-based authentication technical deep dive: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication-technical-deep-dive

What does "Achieve higher security with certificate bindings" mean? Microsoft Entra ID, formerly known as Azure Active Directory, is a cloud identity and access management solution that controls application access and protects identities. The term "Achieve higher security with certificate bindings" refers to a feature of Microsoft Entra ID that enhances user authentication security. This feature is part of the certificate-based authentication (CBA) process. Certificate bindings are the methods used to bind a certificate to a user's identity, enhancing the security of the authentication process. There are seven supported methods for certificate bindings. These methods are considered high-affinity if they are based on identifiers that can't be reused, such as the Subject Key Identifier or the SHA1 Public Key. This way, Microsoft Entra ID provides a secure and efficient way for users to authenticate and access applications.

Let's look at how higher security with certificate bindings is achieved in practice.

Object Identifiers (OID): First we look at the certificate template on the certificate server (sorry, some screenshots are in German). Here we see the details of the Object Identifiers (OID).

Add a new rule: Configure an additional rule in the Entra ID Admin Center and use the same Object Identifier (OID) value here as in the certificate template.

Subject Key Identifier (SKID): The certificate was issued on the user's system. We obtain the subject key identifier (SKID) from this certificate. We need this value in the Entra ID Admin Center to assign it to a person, the same person for whom the certificate was issued on the system (in my case it is Tina Fluenza).

Authorization info: In the Entra ID Admin Center, we now set the value of the Subject Key Identifier (SKID) for the user in the properties. Note: Please pay attention to the syntax (X509:<SKI>a8052e8485eb17d865ba5d5ff0f7b326234f2860).

Entra ID Sign-In Logs: "Tina Fluenza" has now signed in to the portal https://myapps.microsoft.com and selected the certificate during the sign-in process. This information can be found in the Entra ID Admin Center in the sign-in logs, including the MFA confirmation through the claim in the token.

HAPPY BINDING!

I hope this information was helpful to you. I would like to thank you for your interest and for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Device filter in the conditional access policies
Dear Microsoft Entra Friends,

What is your experience with the device filter in the conditional access policies (Microsoft Entra ID)? The values of the attributes are not correct and therefore the policy is not processed correctly. This is confirmed in a "What If" test.

Kind Regards, Tom Wechsler

Microsoft Intune Management - Connect securely to Intune with Microsoft Graph and PowerShell!
Dear Microsoft Intune friends,

In this article I will show you how to create a "secure" connection to Microsoft Intune with Microsoft Graph and PowerShell! In this example, we use an app registration in Microsoft Entra ID and a certificate created on the local machine.

Create and export the certificate. I use Visual Studio Code and PowerShell 7.

```powershell
$certName = 'IntuneGraphAppCert'
$cert = New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)
#Export-Certificate writes only the public certificate (.cer); the private key stays in the user store
Export-Certificate -Cert $cert -FilePath "C:\certs\$certName.cer"
```

Note: The certificate is created in the local certificate store and exported to the folder C:\certs. The certificate is valid for one year.

Create an app registration in Microsoft Entra ID (Azure AD).
1. Go to the Azure portal and create a new app registration in Azure AD.
2. Give the app a name and note the following.
4. Go to the API permissions and add the following permissions (these serve only as an example).
5. Do not forget to grant admin consent.
6. Go to Certificates & secrets and upload the certificate.

Back in Visual Studio Code and PowerShell!
1. Install the Microsoft.Graph module.
   Install-Module -Name Microsoft.Graph -Verbose -Force -AllowClobber
2. Import the Microsoft.Graph module.
   Import-Module Microsoft.Graph
3. Create some variables.

```powershell
$TenantId = '77e01716-a6a2-4f99-b864-xxxxxxxxxxxx'
$AppId    = '5c14b994-2290-4f84-9069-xxxxxxxxxxxx'
$certName = 'IntuneGraphAppCert'
$Cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq "CN=$certName" }
```

4. Connect to Microsoft Graph.
   Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $Cert
5. We check the permissions.
   (Get-MgContext).Scopes

HAPPY CONNECTING!!

I am fully aware that this is only as good as the physical machine is secured. However, I would like to share my experiences with you.

Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Microsoft Entra ID: Advanced Threat Hunting - AzureADRecon and Microsoft Sentinel
Dear Microsoft Entra ID Friends:

This article is about collecting information with the AzureADRecon tool. We use this information to investigate a hypothesis and start the hunt with the help of Microsoft Sentinel. I always start with a list of MITRE ATT&CK techniques.

Initial Access:
Drive-by Compromise: https://attack.mitre.org/techniques/T1189/
Exploit Public-Facing Application: https://attack.mitre.org/techniques/T1190/
External Remote Services: https://attack.mitre.org/techniques/T1133/
Phishing: https://attack.mitre.org/techniques/T1566/
Phishing: Spearphishing Link: https://attack.mitre.org/techniques/T1566/002/
Valid Accounts: https://attack.mitre.org/techniques/T1078/

Execution:
Command and Scripting Interpreter: https://attack.mitre.org/techniques/T1059/

Persistence:
Account Manipulation: https://attack.mitre.org/techniques/T1098/
Create Account: https://attack.mitre.org/techniques/T1136/
Office Application Startup: https://attack.mitre.org/techniques/T1137/

Credential Access:
Brute Force: https://attack.mitre.org/techniques/T1110/

Discovery:
Permission Groups Discovery: https://attack.mitre.org/techniques/T1069/

We start by collecting the information with the AzureADRecon tool.

Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that! https://github.com/adrecon/AzureADRecon

Installing: Download the tool; the easiest way is to save the .zip file right away.

Note: Attention: It is possible that the antimalware program reacts during the download!!

If you have git installed, you can start by cloning the repository:

git clone https://github.com/adrecon/AzureADRecon.git

If you downloaded the tool as a zip file, extract it and place it in a location that you can easily find again. If you cloned the repository, a folder was created directly. Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extracted/cloned folder.

In order to get started we need one more prerequisite, in my case the PowerShell AzureAD module. However, you are welcome to work with Microsoft Graph, but this requires additional preparations afterwards.

Install the AzureAD module:

Install-Module AzureAD -Verbose -Force -AllowClobber

Don't forget, we need to adjust the execution policy in PowerShell!

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Note: In order to work with this tool, you need to work with an account that has sufficient rights in Entra ID.

To run AzureADRecon (it will prompt for credentials):

PS C:\AzureADRecon-master> .\AzureADRecon.ps1

However, you can also work with variables first:

```powershell
PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds
```

Note: To get the report as a spreadsheet, Excel must be installed on the system. The report is created in the same folder. Now open the report and start the investigation and analysis! The report contains, among others, the sheets User Stats, Users, Directory Roles, Directory Roles Members and Devices.

Advanced Hunting with Microsoft Sentinel!

Now we have detailed information from the Microsoft tenant. The information was not collected just like that, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel. In Microsoft Sentinel, we can access the incidents directly from the overview: the list of incidents, the full incident details, and then the deep dive into each incident as we investigate it.

HAPPY INVESTIGATING!

I am of course fully aware that this is not a complete and conclusive investigation. My aim in this article was to "give"/describe a good starting point. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Active Directory Hunting - Set up advanced monitoring with Sysmon and the Security Onion!
Dear Active Directory friends,

This article is about setting up advanced monitoring for an Active Directory infrastructure, so that an extended hunt can then be carried out. For information to be examined quickly and efficiently, I believe it is essential to store it centrally. This is where Security Onion comes in (the tool is free of charge!). But before information can be examined, advanced logging (in this example, on the domain controllers) must be set up. The following article from the Microsoft documentation is a great starting point.

Configure Windows Event collection: https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

Now it's time to install and configure Security Onion. On the website of Security Onion Solutions there is really great documentation for installation and configuration. The hardware requirements are addressed, as is everything needed to get an instance up and running.

Note: Here you can find the information about the installation and configuration: https://docs.securityonion.net/en/2.4/

Use the new Security Onion 2.4.

Note: If you are still using the Winlogbeat agent, you should first uninstall it before installing the new agent. Stop the service (it should be removed after the uninstall) and uninstall old agents if necessary.

The status of the Security Onion

After the installation of Security Onion, it is time to set up the agent (Elastic Agent) on all systems that are to be monitored. First, check the status of the Security Onion, either at the console with

sudo so-status

or with the browser.

The firewall settings

Before we start with the installation of the agent, we first need to adjust the Security Onion firewall settings so that the agent can communicate with the Security Onion.

Installing the agent:
1. Download the agent.
2. Install the agent (elevated rights).
3. Accept the warning and install the agent.
4. The installation starts.
5. The installation is complete.
6. Check the service.

Now it's time to install Sysmon.

You can get the tool directly from the Sysinternals website: https://live.sysinternals.com/ I have downloaded the file Sysmon64.exe. Sysmon is very detailed in its default configuration, but you can define which information is important for you. I have used the following configuration file: https://github.com/SwiftOnSecurity This configuration file is from @SwiftOnSecurity (many thanks here!). Afterwards the installation is done as follows:

sysmon64.exe -i sysmon-config.xml

When you run the file for the first time, you still have to accept the license terms. Install Sysmon on every system where you want to collect additional information.

Note: You can automate the installation of the Elastic Agent and Sysmon very well with a group policy object.

If you have made all preparations, you can now call the URL of your Security Onion (as defined by you during the installation) and check whether the information has arrived. There you see all systems with the Fleet Agents, and here is an example of an advanced hunt!

HAPPY MONITORING!

I realize that this was not necessarily spectacular. It was simply important for me to share my experience with you. Nevertheless, I hope that this article was helpful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Microsoft Entra ID Continuous access evaluation and how it works!
Dear Microsoft Entra ID Friends,

In this article, we take a closer look at Microsoft Entra ID continuous access evaluation.

What is Microsoft Entra ID Continuous access evaluation (CAE)? https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation

How should CAE support us? Microsoft Entra ID continuous access evaluation is a feature that helps to improve the security and resilience of cloud applications. It allows Microsoft Entra ID to issue access tokens that are valid for a longer time but can be revoked immediately if there is a change in the user account or the tenant policy. This way, applications can enforce the latest security policies without relying on the expiration of the access tokens. For example, if an administrator disables a user account or changes the IP address range for accessing the application, the existing access tokens for that user will be invalidated and the user will have to reauthenticate with Microsoft Entra ID. This reduces the risk of unauthorized access and also reduces the number of token requests, which makes the application more resilient to network issues.

Build resilience by using Continuous Access Evaluation: https://learn.microsoft.com/en-us/entra/architecture/resilience-with-continuous-access-evaluation

Revoke access in (near) real time with Continuous Access Evaluation: Continuous Access Evaluation (CAE) allows Microsoft Entra applications to subscribe to critical events that can then be evaluated and enforced. CAE includes evaluation of the following events:

User account deleted or disabled
Password for user changed
MFA enabled for user
Administrator explicitly revokes a token
Elevated user risk detected

Let's examine CAE using the example of a connection with Microsoft Graph. Let's start with the following scenario: in the PowerShell ISE we create a connection with Microsoft Graph, and in the background we record it all with the Fiddler tool.
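As an added example that is not part of the article: the access token recorded with Fiddler can also be decoded locally in PowerShell instead of being pasted into jwt.ms, which shows the token lifetime and the xms_cc claim (value cp1) with which a CAE-capable client announces itself. The function names are mine, and the token below is constructed and unsigned (placeholder claims) so that the script runs offline.

```powershell
# Added example: decode a JWT payload locally and report the claims relevant to CAE.
# The sample token is constructed here and unsigned; real tokens must never be pasted into scripts.

Function ConvertFrom-JwtPayload {
    Param ([Parameter(Mandatory)] [string]$Token)
    $parts = $Token.Split('.')
    If ($parts.Count -lt 2) { Throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    Switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

Function Get-TokenCaeInfo {
    Param ([Parameter(Mandatory)] [string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    $iat = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp)
    [pscustomobject]@{
        Audience         = $claims.aud
        IssuedAt         = $iat.UtcDateTime
        ExpiresAt        = $exp.UtcDateTime
        LifetimeHours    = [math]::Round(($exp - $iat).TotalHours, 1)
        # xms_cc is the client-capabilities claim; "cp1" marks a CAE-capable client
        CaeCapableClient = [bool]($claims.xms_cc -contains 'cp1')
    }
}

# Constructed sample token: header and payload base64url-encoded, signature left as a placeholder
Function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url (@{
    aud    = 'https://graph.microsoft.com'
    iat    = 1705305600             # 2024-01-15 08:00:00 UTC (constructed)
    exp    = 1705305600 + 86400     # about 24 hours later, as in the article's capture
    xms_cc = @('cp1')
    upn    = 'user@example.com'     # placeholder
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.SIGNATURE-PLACEHOLDER"

# With a real capture: Get-TokenCaeInfo -Token $tokenCopiedFromFiddler
Get-TokenCaeInfo -Token $sampleToken
```

For the sample token the output shows LifetimeHours 24 and CaeCapableClient True; a token without the xms_cc claim reports False.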
In the Fiddler tool we copy the access token. Now we can decode the access token on the web page https://jwt.ms/. We can see that the access token is valid for approximately 24 hours. With the Fiddler tool we can also see that Microsoft Graph is continuous access evaluation aware.

Now let's generate an event that will revoke the access token. Back in the PowerShell ISE we can see that the access token is no longer valid (request for re-authentication). In the Fiddler tool we can likewise see that the access token is no longer valid, with the exact info from Fiddler.

I realize that this was not necessarily spectacular. It was simply important for me to share my experience with you. Nevertheless, I hope that this article was helpful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Part 8 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends,

This article continues with the topic Microsoft Graph PowerShell SDK. Parts 1 to 7 can be found here:

https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352
https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366
https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696
https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310
https://techcommunity.microsoft.com/t5/windows-powershell/part-5-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3442453
https://techcommunity.microsoft.com/t5/windows-powershell/part-6-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3923379
https://techcommunity.microsoft.com/t5/windows-powershell/part-7-manage-azure-and-microsoft-365-with-the-microsoft-graph/td-p/3924070

This article is now about doing some tasks with Microsoft Graph. We work in Microsoft Teams: create a new team and a channel, and add a member as an owner.

Create a new Team:

```powershell
#Core Connection for Managing Teams
$scopes = @(
    "Team.Create"
    "TeamSettings.ReadWrite.All"
    "TeamsTab.ReadWrite.All"
    "TeamsTab.Create"
    "TeamMember.ReadWrite.All"
    "Group.ReadWrite.All"
    "GroupMember.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes

#Retrieve Microsoft 365 Group and Team
$group = Get-MgGroup -Filter "DisplayName eq 'Cardano'"
Get-MgTeam -TeamId $group.Id

#Create a New Team
#(the first key name was scrubbed as an e-mail address in the original post)
New-MgTeam -AdditionalProperties @{
    "email address removed for privacy reasons" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')"
    "displayName"                               = "Ethereum"
    "description"                               = "Ethereum Team"
}

#List the new Microsoft Team
$group = Get-MgGroup -Filter "DisplayName eq 'Ethereum'"
Get-MgTeam -TeamId $group.Id
```

Create a new Channel in the new Team:

```powershell
#Create a Team Channel
$group = Get-MgGroup -Filter "DisplayName eq 'Ethereum'"
$team  = Get-MgTeam -TeamId $group.Id
$channelname        = "Traders"
$channeldescription = "Ethereum Traders"
$channel = New-MgTeamChannel -TeamId $team.Id -DisplayName $channelname -Description $channeldescription

#List the new Team Channel
Get-MgTeamChannel -TeamId $team.Id -ChannelId $channel.Id
```

Add a member to the new team as an owner:

```powershell
#Retrieve User Details
$email = "email address removed for privacy reasons"
$user  = Get-MgUser -UserId $email

#Retrieve Team and Add an Owner
#(the second key name was scrubbed as an e-mail address in the original post)
$group = Get-MgGroup -Filter "DisplayName eq 'Ethereum'"
$team  = Get-MgTeam -TeamId $group.Id
$ownerproperties = @{
    "@odata.type"                               = "#microsoft.graph.aadUserConversationMember"
    "email address removed for privacy reasons" = "https://graph.microsoft.com/beta/users/" + $user.Id
}
$role = "owner"
New-MgTeamMember -TeamId $team.Id -Roles $role -AdditionalProperties $ownerproperties

#Retrieve Team Member and Owner for the Team
Get-MgTeamMember -TeamId $team.Id | Select-Object -Property Roles, DisplayName
```

Update some properties:

```powershell
#Let's update some properties
$params = @{
    MemberSettings = @{
        AllowCreateUpdateChannels = "true"   #<TrueOrFalse>
    }
    MessagingSettings = @{
        AllowUserEditMessages   = "true"     #<TrueOrFalse>
        AllowUserDeleteMessages = "false"    #<TrueOrFalse>
    }
    FunSettings = @{
        AllowGiphy         = "true"          #<TrueOrFalse>
        GiphyContentRating = "moderate"      #<ModerateOrStrict>
    }
}
Update-MgTeam -TeamId 97d4ea74-1b57-4457-b172-182d7a5d5aa5 -BodyParameter $params
```

So that's it again for part 8, we'll see you again in the next part! A little preview: in the next part we'll be converting existing PowerShell scripts. See you soon.

I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Part 7 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends,

This article continues with the topic Microsoft Graph PowerShell SDK. Parts 1 to 6 can be found here:

https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352
https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366
https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696
https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310
https://techcommunity.microsoft.com/t5/windows-powershell/part-5-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3442453
https://techcommunity.microsoft.com/t5/windows-powershell/part-6-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3923379

This article is about connecting to Microsoft Teams. Remember: connections to Microsoft Graph are protected by one or more permission scopes.

Service Scopes:
Exchange Online: Mail and Calendar
SharePoint Online: Files and Sites
Microsoft Teams (focus in this article): Teams, Settings, Tabs and Members

Teams Delegated Permissions:
Team.ReadBasic.All: Read the names and descriptions of teams, on behalf of the signed-in user
Team.Create: Create teams, on behalf of the signed-in user

Teams Application Permissions:
Team.ReadBasic.All: Get a list of all teams, without a signed-in user
Team.Create: Create teams, without a signed-in user
Teamwork.Migrate.All: Creating and managing resources for migration to Microsoft Teams

Team Delegated Settings Permissions:
TeamSettings.Read.All: Read team settings, on behalf of the signed-in user
TeamSettings.ReadWrite.All: Read and change all team settings, on behalf of the signed-in user

Team Application Settings Permissions:
TeamSettings.Read.All: Read team settings, without a signed-in user
TeamSettings.ReadWrite.All: Read and change all team settings, without a signed-in user

Team Delegated Tabs Permissions:
TeamsTab.Read.All: Allows reading Teams apps that are installed for the signed-in user, and in all teams the user is a member of
TeamsTab.ReadWrite.All: Allows reading, installing, upgrading, and uninstalling Teams apps, on behalf of the signed-in user and for teams the user is a member of
TeamsTab.Create: Allows creation of tabs in any team in Microsoft Teams, on behalf of the signed-in user

Team Application Tabs Permissions:
TeamsTab.Read.All: Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user
TeamsTab.ReadWrite.All: Read and write tabs in any team in Microsoft Teams, without a signed-in user
TeamsTab.Create: Allows creation of tabs in any team in Microsoft Teams, without a signed-in user

Team Delegated Member Permissions:
TeamMember.Read.All: Read the members of teams, on behalf of the signed-in user
TeamMember.ReadWrite.All: Add and remove members from teams, on behalf of the signed-in user

Team Application Member Permissions:
TeamMember.Read.All: Read the members of all teams, without a signed-in user
TeamMember.ReadWrite.All: Add and remove members from all teams, without a signed-in user

Connecting to Microsoft Teams:

```powershell
#Install into the Current User Scope
Install-Module Microsoft.Graph -Scope CurrentUser

#Verify the Installation
Get-InstalledModule Microsoft.Graph

#If needed
Import-Module Microsoft.Graph

#Connection for Creating a Team
$scopes = @("Team.Create")
Connect-MgGraph -Scopes $scopes

#Connection for Configuring Team Settings
$scopes = @("TeamSettings.ReadWrite.All")
Connect-MgGraph -Scopes $scopes

#Connection for Configuring Team Tabs
$scopes = @("TeamsTab.Create", "TeamsTab.ReadWrite.All")
Connect-MgGraph -Scopes $scopes

#Connection for Managing Team Members
$scopes = @("TeamMember.ReadWrite.All")
Connect-MgGraph -Scopes $scopes

#Core Connection for Managing Teams
$scopes = @(
    "Team.Create"
    "TeamSettings.ReadWrite.All"
    "TeamsTab.ReadWrite.All"
    "TeamsTab.Create"
    "TeamMember.ReadWrite.All"
    "Group.ReadWrite.All"
    "GroupMember.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes

#Did it work?
$group = Get-MgGroup -Filter "DisplayName eq 'Cardano'"
Get-MgTeam -TeamId $group.Id
```

So that's it again for part 7, we'll see you again in the next part! A little preview: in the next part we'll perform some online tasks with Microsoft Graph. See you soon.

I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler