CSP access to tenants using powershell. Part 3

In this part 3 of CSP and powershell I will show how you can connect to azureAD of a customer tenant using your CSP app credentials and refreshtoken. This is almost the same procedure as we use to connect to az. We will start with the same variables as in part 2. Remember to keep your credential and secure, as it will give access to all your tenants.

$app=get-credential # Get AppID and Key for out partnecenter app. (created in part 1)
$refreshtoken = 'refreshtoken' # From part 1 or whenever we get a new one.
$CustomerTenantID= 'Azure directory object id'

Struggled for a while to get this to work. The important thing is the endpoints and when to use the customer tenant ID.

$azureToken = New-PartnerAccessToken -Resource "https://graph.microsoft.com/" -Credential $app -RefreshToken $refreshtoken -TenantId $CustomerTenantID
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource "https://graph.windows.net/" -Credential $app -TenantId $CustomerTenantID  

Connect-Azuread -aadAccessToken $graphToken.AccessToken -msAccessToken $azureToken.AccessToken -TenantId $CustomerTenantID  -AccountId $app.username

So now you can use get-azureaduser to get users from this customer tenant.

You could also use the MS online module msol to query for users, this module requires you to use tenantid as an argument.

In part 4 I will wrap this up in a simple script allowing you to select customer tenant.

CSP access to tenants using powershell. Part 2

In part 1 we created the Azure Enterprise App for Partnercenter and used this information to connect using powershell and connect-partnercenter. Now we will use this to connect to one of our customers tenants. First we will use AZ module and connect-azaccount. We will use the AZ module and the partnercenter module. So if those at not installed please install :

install-module az
install-module partnercenter

I will use the partnercenter module to request an accesstoken for azure.

$app=get-credential # Get AppID and Key for out partnecenter app. (created in part 1)
$refreshtoken = 'refreshtoken' # From part 1 or whenever we get a new one.
$CustomerTenantID= 'Azure directory object id'

Now we have all the required info to connect. The credentials should be stored securely!!!!

$azureToken = New-PartnerAccessToken -Resource https://management.azure.com/ -Credential $app -RefreshToken $refreshtoken -TenantId $CustomerTenantID

$grapToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net/ -Credential $app -TenantId $CustomerTenantID  

Connect-AzAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -TenantId $CustomerTenantID  -AccountId $app.username

There. We are now connected to our azure of our customer. In next part we will connect to azureAD

CSP access to tenants using powershell. Part 1

A short explanation of how to access customer tenant using a CSP tenant SPN credential connectiong to AzureAD and AZ. Have been struggling for a while to manage all our customers tenants using powershell scripts. It can be complicated to organize all the credentials, tenant domain, tenant id’s password expiry.

First step is to be able to use powershell in the CSP tenants and access the partnercenter module. To get this started Microsoft has published a script to create the SPN required for this. https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5 This script will help you create the SPN . When using the SPN for the first time you will have to consent it using an admin account. The “ConfigurePreconsent” argument adds the spn to the adminagents group, this result in the account being a global admin in the customer tenants. Next:

$credential = Get-Credential
$token = New-PartnerAccessToken -Consent -Credential $credential -Resource https://api.partnercenter.microsoft.com -TenantId 'Your Tenant Id'

This is to consent the spn and get the refresh token we will in further logins. TenantId is the ID of your partner tenant. First it asks for the credential of the newly created spn (appID and key), next it will require you to login and consent using a service account . In return you get a token. Remember to store the refresh token part in a secure place as this will be used in our next login.

$refreshToken = 'Enter the refresh token value here'
$credential = Get-Credential
$tenantId = 'Your Tenant Id'
$pcToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://api.partnercenter.microsoft.com -Credential $credential -TenantId $tenantId
Connect-PartnerCenter -AccessToken $pcToken.AccessToken -ApplicationId $appId -TenantId $tenantId

Here we connect to partnercenter. We got the $refreshtoken in the previous step. $credential is our appid and key returned from the script. $tenantid is the tenantid of the partner tenant. Returned from the connection is a new $pcToken. This $pcToken includes a new refresh token that we could store and use at next login, but the one we already got would still last for a default value of 90 days. We’ve had some issues it the MFA settings in the tenant allow the user to “not be asked for credentials in xx days” (So we always uncheck this box).

Part 2 will for the AZ connection to customer tenant.

Make sure you have the correct CSP for Your CA

Got some weird errors on our new Skype for Business server install. After a straight forward install users was unable to login from external and some issues regarding conferences. Skype services seemed to start but ended up running with unknown details when get-windowsservices. Also we had one error in the eventviewer on frontende server.

The most important clue was : CA_Failure: InternalError . So this pointed towards a certificate error. What could be wrong with the CA server (A windows server 2016 Enterprise Root CA).

This was the first time I have seen a ECDSA CSP used. Next was to verify S4B requirements. https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/environmental-requirement

  • Encryption key lengths of 1024, 2048, and 4096 are supported. Key lengths of 2048 and greater are recommended.
  • The default digest, or hash signing, algorithm is RSA. The ECDH_P256, ECDH_P384, and ECDH_P521 algorithms are also supported.

Once again check CA configuration:

This CA was installed with the ECDSA_P256 CSP, We did not have the option to reinstall/migrate the CA to a supported version, so our workaround was to install a new standalone CA using RSA256 CSP and use this CA to issue certificates for Edge server internal and frontend certificate. (We published the new CA public key to clients using GPO).

After we assigned the new certificates and rebooted it all seems to work OK. The new certs are now RSA256

Powershell to get DirectAccess connection history.

This is a simple powershell to get data from the DirectAccess database. It reguired some serious Bing’ing (and google) to get the time field. You will have to configure reporting database in DirectAccess config. I used windows internal database.


$cs="server=$server;database=$database;Integrated Security=True;"
$connection=New-Object System.Data.SqlClient.SqlConnection

#$query="Select * from $table"
#$query="Select * from $database.INFORMATION_SCHEMA.TABLES"
$query="declare @start bigint=131277336299720000;select dateadd(mi,datediff(mi,getutcdate(),getdate()),([sessionstarttime]/864000000000.0-109207)) AS DATO,* from sessiontable join connectiontable on sessiontable.connectionid=connectiontable.connectionid where sessionstarttime >=@start"


$resulttable=New-Object System.Data.DataTable
$resulttable | Out-GridView

Use Powershell to get LeakedCredentials from Azure using Graph

Leaked credentials listed from Azure using powershell and Microsoft Graph 
We need one Azure AD Premium X license to get this log.

Would it be nice to list all leakedcredentials using powershell?(or riskysignins or identiyriskevents). All of this could be achieved using powershell and REST api at Microsoft Graph. I have a scheduled task running to get this reports. Using a appilcation in Azure. All credentials are stored in SecretServer. First we need an Application Registration in Azure.

Application Registration list

The registered application. The home page URL can be any url, it is not used.

After we have created the AppReg. Add a password, app key. Combined with the application id this is our username and password.

Now it is time to give this app the required permissions from microsoft we can identify witch permissions are needed to run this query. https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/leakedcredentialsriskevent_get 

Permission required.
Some of the permissions set in Azure.
Remeber to click “Grant Permissions” after they are added.

Next would be to set the enterprise application to “user assignment required” and “Enabled for users to sign-in.” also “Hide it from users.

Settings of the Enterprise application.

Now we are ready to start with our powershell script.

$l_ClientID ="<APPID>"
$l_ClientSecret="<APP password Key>"
    $body= @{grant_type="client_credentials";
$oauth=Invoke-RestMethod -Method Post -Uri $loginURL/$l_tenantdomain/oauth2/token?api-version=1.0 -Body $body
if ($oauth.access_token -ne $null)
      $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"
 # https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/leakedcredentialsriskevent_get
$url = "https://graph.microsoft.com/beta/leakedCredentialsRiskEvents"
$myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)
} else {
Write-Host "ERROR: No Access Token"
($myReport.Content | ConvertFrom-Json).value |where-object {$_.riskeventstatus -eq "active"} | ft risk<em>,user

SfB : Server startup is being delayed because fabric pool manager is initializing.

Ran into a issue where Skype for  Business frontend service refused to start. It remained in starting for ages before giving up. In the event viewer the statement was : Server startup is being delayed because fabric pool manager is initializing. This event seemed to have something to do regarding pool, but this was a standardedition Skype for Business setup containing one frontend and one edge server.

Server startup is being delayed because fabric pool manager is initializing.

Many articles on Bing and Google explained how this could be a issue with the certificates on the server, but in our case the frontend server and edge server was happily replicating the topology. We started by trying to do as the event told us: 

Reset-CsPoolRegistrarState -poolfqdn <ourpool> -ResetType QuorumLossRecovery

But this also failed. For me it looked like there was something wrong with WindowsFabric. Compared with another SfB server and in taskmanager I could see fabric.exe running, but not on on the server with the issue.  Looking in eventviewer Microsoft/WindowsFabric Admin:

Windows Fabric Admin log

At first I tried to install Windows Fabric from SfB install media. But same error. Then we tried to uninstall and reinstall. This resulted in a more serious error. Now the server has lost its connections to the Fabric. So how do we fix this. My solution was to uninstall SfB frontend server module and then run the Deployment wizard to reinstall it with config from the management store. This worked perfect. The front end service started immediately. 

Upgrade to Skype for Business failed. Error 1603

Have done several upgrades from Lync 2013 to Skype for Business 2015, so this last one should be no different, but faith had other plans.

Installed topology builder on a new computer and prepared the upgrade process. But when a bit into the upgrade it failed.

Error: Error returned while installing OcsCore.msi(Feature_LocalMgmtStore), code 1603. Error Message: A fatal error occurred during installation. For more details please consult log at C:\Users\paupav\AppData\Local\Temp\Add-OcsCore.msi-Feature_LocalMgmtStore-[2018_10_17][14_05_11].log

As most people know a MSI error of 1603 tells us as much as “An error occurred”. Tried do some reboots and retried, but nothing helped. With no idea of what could possibly be wrong, I was browsing for ideas or hints the usual places: Eventviewer, Windows explorer (free diskspace, files and folders), services, policies, and finally  windows update settings and history.  One clue (except that is was error 1603) there was 1 SfB update installed (probably because I selected the installer to check for updates). Thougt it was strange that there should be one update since I has not yet managed to install any SfB software. 

So simple. Uninstalled the update , rebooted and the upgrade from now on went flawless.

List Exchange mailboxes with forwarding rules

Simple list of all mailboxes and rules. Displays more info if one of them contains a forwarding rule:

$mb=Get-Mailbox | Sort-Object -Property displayname
$t2=0;$t=($mb).count;$mb| ForEach-Object {write-host $t2"\"$t " " $_.displayname;$t2++;get-inboxrule -mailbox $_.alias| ForEach-Object {if($_.description -like "*forward*"){write-host $_.description -foregroundcolor red}}}

No connectivity with any of Web Conferencing Servers.

This event started to appear every 20 seconds or so. The Skype for Business servers had recently been patched. In the patch list was updates to .Net framework. Included in these patches is a security update that resolves an security bypass feature. https://support.microsoft.com/en-us/help/4014510/description-of-the-security-and-quality-rollup-for-the-net-framework-4 . To solve this all I had to do was add the required registry key : HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319          –   DWORD: RequireCertificateEKUs=0 and restart the “Skype for Business Server Web Conferencing” service.  The fix can be applied to Lync server 2013 as well.

-MS Stuff-