Category Archives: Powershell

Get Secretserver secret

Since we are using SecretServer as our credential store it is of great help to be able to get credentials directly from powershell. This is a small function that connects to secretserver webservices and retrieve a secret based on secred ID. The function will connect to the webservice as the signedin user or by a supplied credential or lastly by a predefined stored credential. To use stored credential I’am using functions from https://github.com/cunninghamp/PowerShell-Stored-Credentials .

Usually you would use the PS credential object directly. To get the password as text you could use it from the PSobject referring to the get networkcredential().


$cred=get-secretid -secretID 2007
$password_As_text=$cred.GetNetworkCredential().Password

Or if you need the password in clear text, displayed on screen, you could specify that as a an argument.

The function is made for my usage, so there is definitive roomfor improvement .


function Get-SecretID
{
param(
[parameter(ValueFromPipeline=$True)]
[int] $secretID,
[pscredential]$sscred,
[switch]$Cleartext
)

$where = 'https://secretserverdnsname/secretserver/winauthwebservices/sswinauthwebservice.asmx'

if($sscred -ne $null){
    $ws = New-WebServiceProxy -uri $where -Credential $sscred
}else{

  try{
    $ws = New-WebServiceProxy -uri $where -UseDefaultCredential -ErrorAction SilentlyContinue
    if($ws -eq $null){
      if (!(Test-Path Variable:\ssuser)){
        throw {
          Write-Host "No secretserver user specified or variable 'ssuser' defined.`nThis is to be used by 'get-storedcredential'"
        }
      }
        $credacc=Get-StoredCredential -UserName $ssuser
        $ws = New-WebServiceProxy -uri $where -Credential $credacc -ErrorAction SilentlyContinue
        if($ws -eq $null){throw{Write-host "Unable to connect to SecretServer"}}
    }
  }
  catch{

  }
}

$wsResult = $ws.GetSecret($secretId, $false, $null)
if($wsresult.errors -ne $null){
  $Cred=New-Object PSObject
  $Cred | add-member -NotePropertyName "Username" -NotePropertyValue $wsresult.errors
  $Cred | Add-Member -NotePropertyName "Password" -NotePropertyValue $wsresult.errors
 
  return $Cred
} else {
 
$u=$wsResult.Secret.Items[1].value.ToString()
$ep = ConvertTo-SecureString $wsResult.Secret.Items[2].value.ToString() -AsPlainText -Force
[pscredential]$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $u,$ep
if($Cleartext){
  [psobject]$Cred=New-Object PSObject
    $Cred | add-member -NotePropertyName "Username" -NotePropertyValue $u
    $Cred | Add-Member -NotePropertyName "Password" -NotePropertyValue $wsResult.Secret.Items[2].value.ToString()
    $Cred | Add-Member -NotePropertyName "Domain" -NotePropertyValue $wsResult.Secret.Items[0].value.ToString()
  }
return $Cred
}
}

CSP access to tenants using powershell. Part 4

This is a small script that connects to partnercenter list all customers tenants and let you select one. When one is selected it connects to azuread and az for that customer.

All my credentials are stored in SecretServer . I use a web service request to get those credentials. I will show these modules in a later post.


import-module partnercenter

#$app = AppID + AppKey
$app=Get-SecretID -secretID xxxx
#rt = refreshtoken.
$rt=Get-SecretID -secretID yyyy
$refreshtoken=$rt.GetNetworkCredential().Password
$tid="'csp tenant directory id'"

   
   
#Connect PartnerCenter
$pcToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://api.partnercenter.microsoft.com -Credential $app -TenantId $tid
Connect-PartnerCenter -AccessToken $pcToken.AccessToken -ApplicationId $app.username -TenantId $tid

    $customers=get-partnercustomer | sort-object -Property name
    $counter=0
    foreach($cust in $customers){
        Write-Host "$($counter) - $($cust.Name) - $($cust.domain)"
        $counter++
    }
    $custid=Read-Host "Enter customer #"
    $customer=$customers[$custid]
    Write-host " Targeting : $($customer.name) - $($customer.Domain)"

$azureToken = New-PartnerAccessToken -Resource "https://graph.microsoft.com/" -Credential $app -RefreshToken $refreshtoken -TenantId $customer.CustomerId
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource "https://graph.windows.net/" -Credential $app -TenantId $customer.CustomerId  

Connect-Azuread -aadAccessToken $graphToken.AccessToken -msAccessToken $azureToken.AccessToken -TenantId $customer.CustomerId  -AccountId $app.username


$azure2Token = New-PartnerAccessToken -Resource https://management.azure.com/ -Credential $app -RefreshToken $refreshtoken -TenantId $customer.CustomerId
$graph2Token = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net/ -Credential $app -TenantId $customer.CustomerId  

 Connect-AzAccount -AccessToken $azure2Token.AccessToken -GraphAccessToken $graph2Token.AccessToken -TenantId $customer.CustomerId  -AccountId $app.username

Use powershell to get external IP address

How can you get your external IP address from powershell? I use a simple script to query an external public web service. The service I’m using is hosted by ipinfo.io . I have created a small function that is placed in my powershell library. All my modules are loaded by using powershell profiles.

This simple function uses rest. Usage is simple : get-mypublicip . Could easily be uses in script (get-mypublicip).ip .


function get-mypublicip{
    Write-Verbose "Resolving external IP"
    try {
        $ipaddr = Invoke-RestMethod http://ipinfo.io/json #| Select-Object -ExpandProperty ip
        }
    catch {
        throw "Can't get external IP Address. Quitting."
        }
    if ($ipaddr -eq $null) { throw "Can't get external IP Address. Quitting." }
    Write-Verbose "External IP is $ipaddr"
    return $ipaddr
}

CSP access to tenants using powershell. Part 3

In this part 3 of CSP and powershell I will show how you can connect to azureAD of a customer tenant using your CSP app credentials and refreshtoken. This is almost the same procedure as we use to connect to az. We will start with the same variables as in part 2. Remember to keep your credential and secure, as it will give access to all your tenants.


$app=get-credential # Get AppID and Key for out partnecenter app. (created in part 1)
$refreshtoken = 'refreshtoken' # From part 1 or whenever we get a new one.
$CustomerTenantID= 'Azure directory object id'

Struggled for a while to get this to work. The important thing is the endpoints and when to use the customer tenant ID.


$azureToken = New-PartnerAccessToken -Resource "https://graph.microsoft.com/" -Credential $app -RefreshToken $refreshtoken -TenantId $CustomerTenantID
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource "https://graph.windows.net/" -Credential $app -TenantId $CustomerTenantID  

Connect-Azuread -aadAccessToken $graphToken.AccessToken -msAccessToken $azureToken.AccessToken -TenantId $CustomerTenantID  -AccountId $app.username

So now you can use get-azureaduser to get users from this customer tenant.

You could also use the MS online module msol to query for users, this module requires you to use tenantid as an argument.

In part 4 I will wrap this up in a simple script allowing you to select customer tenant.

CSP access to tenants using powershell. Part 2

In part 1 we created the Azure Enterprise App for Partnercenter and used this information to connect using powershell and connect-partnercenter. Now we will use this to connect to one of our customers tenants. First we will use AZ module and connect-azaccount. We will use the AZ module and the partnercenter module. So if those at not installed please install :


install-module az
install-module partnercenter

I will use the partnercenter module to request an accesstoken for azure.


$app=get-credential # Get AppID and Key for out partnecenter app. (created in part 1)
$refreshtoken = 'refreshtoken' # From part 1 or whenever we get a new one.
$CustomerTenantID= 'Azure directory object id'

Now we have all the required info to connect. The credentials should be stored securely!!!!


$azureToken = New-PartnerAccessToken -Resource https://management.azure.com/ -Credential $app -RefreshToken $refreshtoken -TenantId $CustomerTenantID

$grapToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net/ -Credential $app -TenantId $CustomerTenantID  

Connect-AzAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -TenantId $CustomerTenantID  -AccountId $app.username

There. We are now connected to our azure of our customer. In next part we will connect to azureAD

CSP access to tenants using powershell. Part 1

A short explanation of how to access customer tenant using a CSP tenant SPN credential connectiong to AzureAD and AZ. Have been struggling for a while to manage all our customers tenants using powershell scripts. It can be complicated to organize all the credentials, tenant domain, tenant id’s password expiry.

First step is to be able to use powershell in the CSP tenants and access the partnercenter module. To get this started Microsoft has published a script to create the SPN required for this. https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5 This script will help you create the SPN . When using the SPN for the first time you will have to consent it using an admin account. The “ConfigurePreconsent” argument adds the spn to the adminagents group, this result in the account being a global admin in the customer tenants. Next:


$credential = Get-Credential
$token = New-PartnerAccessToken -Consent -Credential $credential -Resource https://api.partnercenter.microsoft.com -TenantId 'Your Tenant Id'

This is to consent the spn and get the refresh token we will in further logins. TenantId is the ID of your partner tenant. First it asks for the credential of the newly created spn (appID and key), next it will require you to login and consent using a service account . In return you get a token. Remember to store the refresh token part in a secure place as this will be used in our next login.


$refreshToken = 'Enter the refresh token value here'
$credential = Get-Credential
$tenantId = 'Your Tenant Id'
$pcToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://api.partnercenter.microsoft.com -Credential $credential -TenantId $tenantId
Connect-PartnerCenter -AccessToken $pcToken.AccessToken -ApplicationId $appId -TenantId $tenantId

Here we connect to partnercenter. We got the $refreshtoken in the previous step. $credential is our appid and key returned from the script. $tenantid is the tenantid of the partner tenant. Returned from the connection is a new $pcToken. This $pcToken includes a new refresh token that we could store and use at next login, but the one we already got would still last for a default value of 90 days. We’ve had some issues it the MFA settings in the tenant allow the user to “not be asked for credentials in xx days” (So we always uncheck this box).

Part 2 will for the AZ connection to customer tenant.

List Exchange mailboxes with forwarding rules

Simple list of all mailboxes and rules. Displays more info if one of them contains a forwarding rule:

$mb=Get-Mailbox | Sort-Object -Property displayname
$t2=0;$t=($mb).count;$mb| ForEach-Object {write-host $t2"\"$t " " $_.displayname;$t2++;get-inboxrule -mailbox $_.alias| ForEach-Object {if($_.description -like "*forward*"){write-host $_.description -foregroundcolor red}}}

S4B – Error preparing forest.

Was installing a Skype for Business server the other day, and the simple task of preparing the forest failed. I am always on the alert when doing Active Directory forest wide tasks as prepare schema and prepare forest, so it is not fun to see error messages during these tasks.

prepareforestWhat now. It is no good feeling to see “Unrecoverable” and “You cannot retry this operation”. But I had to retry, and then there was a slight different error message.

prepareforest2I’ve had errors before, and at those cases the simple thing to do was to change from  “Local domain” to “Domain FQDN” in the “Universal Group Location” dialog box.

prepareforest3

This time there was nothing but lots of scary errors.

I know this domain has several trusts configured, so it looks like the wizard get confused of where to  put these groups. Next step was to run prepare forest from PowerShell so that I was able to provide all this information to the command.

Enable-CsAdForest -GroupDomain s4b.local -GroupDomainController s4b-dc1.s4b.local -GlobalCatalog s4b-dc1.s4b.local

And finally success. The command completed without warnings and errors.

Forwarding email in Exchange

One common question from users are “How can I forward my email to my home mail?” or from a manager “How can we forward his/her mail to the external address?”. In fact in Exchange there is several possibilities, but most of them requires some administrator involvement. For users to forward their own email an administrator would have to allow it.

Users could define a forward using outlook. This requre the administartor to allow it. The administrator will have to set “AutoForwardEnabled” on “Remote Domain” : Set-remotedomain “*” -AutoForwardEnabled $true . This will ofcourse enable this for all users. They will be enables to send to det remote domain defined or all.

As an administrator you could create an exchange contact and sett this as forwarding on the mailbox in the EMC. Mailbox properties and mailbox features -> Mail flow ->delivery options: forward_emc1

forward_emcHere you can select an allready created Mail contact.

It can also be done from PowerShell, here you have one more option.forwardingaddress forwardanddeliverHer we can specify either a contact or a smtp address, but you can not use both at the same time.

set-mailbox demouser -forwardingsmtpaddress ex.demo@dom.ex -delivertomailboxandforward $true

This will sett forwarding for mailbox with alias demouser to ex.demo@dom.ex , and also deliver mail to both the forwarding address and the mailbox. One thing to notice is that for this to work you will have to add “dom.ex” as a remote domain in exchange.

 

 

IMAP disabled in Exchange 2013 ServerComponentState.

IMAP was enabled on the Exchange  server and had been used for a long time. One day the Exchange server’s IP subnet was placed in a Active Directory site without any Domain Controllers. Of course  Exchange the services stopped running after a while. When We managed to get it back to its original site and rebooted, everything looked OK.  But IMAP did not work. The Client software gave us the error “Invalid filed description”.

Tried to run “Test-ImapConnectivity” , error stated Authentication Failed . Verified account by successfully logging on to OWA. Reset password to be sure, same error.

Continue reading IMAP disabled in Exchange 2013 ServerComponentState.