Use Powershell to get LeakedCredentials from Azure using Graph

Leaked credentials listed from Azure using powershell and Microsoft Graph 
We need one Azure AD Premium X license to get this log.

Would it be nice to list all leakedcredentials using powershell?(or riskysignins or identiyriskevents). All of this could be achieved using powershell and REST api at Microsoft Graph. I have a scheduled task running to get this reports. Using a appilcation in Azure. All credentials are stored in SecretServer. First we need an Application Registration in Azure.

Application Registration list

The registered application. The home page URL can be any url, it is not used.

After we have created the AppReg. Add a password, app key. Combined with the application id this is our username and password.

Now it is time to give this app the required permissions from microsoft we can identify witch permissions are needed to run this query. https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/leakedcredentialsriskevent_get 

Permission required.
Some of the permissions set in Azure.
Remeber to click “Grant Permissions” after they are added.

Next would be to set the enterprise application to “user assignment required” and “Enabled for users to sign-in.” also “Hide it from users.

Settings of the Enterprise application.

Now we are ready to start with our powershell script.

$loginURL="https://login.microsoft.com"
$resource="https://graph.microsoft.com"
$l_tenantdomain="<domain>.onmicrosoft.com"
$l_ClientID ="<APPID>"
$l_ClientSecret="<APP password Key>"
    $body= @{grant_type="client_credentials";
    resource=$resource;
    client_id=$l_ClientID;
    client_secret=$l_ClientSecret
}
$oauth=Invoke-RestMethod -Method Post -Uri $loginURL/$l_tenantdomain/oauth2/token?api-version=1.0 -Body $body
if ($oauth.access_token -ne $null)
 {
      $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"
      }
 # https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/leakedcredentialsriskevent_get
$url = "https://graph.microsoft.com/beta/leakedCredentialsRiskEvents"
$myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)
} else {
Write-Host "ERROR: No Access Token"
} 
($myReport.Content | ConvertFrom-Json).value |where-object {$_.riskeventstatus -eq "active"} | ft risk<em>,user

SfB : Server startup is being delayed because fabric pool manager is initializing.

Ran into a issue where Skype for  Business frontend service refused to start. It remained in starting for ages before giving up. In the event viewer the statement was : Server startup is being delayed because fabric pool manager is initializing. This event seemed to have something to do regarding pool, but this was a standardedition Skype for Business setup containing one frontend and one edge server.

Server startup is being delayed because fabric pool manager is initializing.

Many articles on Bing and Google explained how this could be a issue with the certificates on the server, but in our case the frontend server and edge server was happily replicating the topology. We started by trying to do as the event told us: 

Reset-CsPoolRegistrarState -poolfqdn <ourpool> -ResetType QuorumLossRecovery

But this also failed. For me it looked like there was something wrong with WindowsFabric. Compared with another SfB server and in taskmanager I could see fabric.exe running, but not on on the server with the issue.  Looking in eventviewer Microsoft/WindowsFabric Admin:

Windows Fabric Admin log

At first I tried to install Windows Fabric from SfB install media. But same error. Then we tried to uninstall and reinstall. This resulted in a more serious error. Now the server has lost its connections to the Fabric. So how do we fix this. My solution was to uninstall SfB frontend server module and then run the Deployment wizard to reinstall it with config from the management store. This worked perfect. The front end service started immediately. 

Upgrade to Skype for Business failed. Error 1603

Have done several upgrades from Lync 2013 to Skype for Business 2015, so this last one should be no different, but faith had other plans.

Installed topology builder on a new computer and prepared the upgrade process. But when a bit into the upgrade it failed.

Error: Error returned while installing OcsCore.msi(Feature_LocalMgmtStore), code 1603. Error Message: A fatal error occurred during installation. For more details please consult log at C:\Users\paupav\AppData\Local\Temp\Add-OcsCore.msi-Feature_LocalMgmtStore-[2018_10_17][14_05_11].log

As most people know a MSI error of 1603 tells us as much as “An error occurred”. Tried do some reboots and retried, but nothing helped. With no idea of what could possibly be wrong, I was browsing for ideas or hints the usual places: Eventviewer, Windows explorer (free diskspace, files and folders), services, policies, and finally  windows update settings and history.  One clue (except that is was error 1603) there was 1 SfB update installed (probably because I selected the installer to check for updates). Thougt it was strange that there should be one update since I has not yet managed to install any SfB software. 

So simple. Uninstalled the update , rebooted and the upgrade from now on went flawless.

List Exchange mailboxes with forwarding rules

Simple list of all mailboxes and rules. Displays more info if one of them contains a forwarding rule:

$mb=Get-Mailbox | Sort-Object -Property displayname
$t2=0;$t=($mb).count;$mb| ForEach-Object {write-host $t2"\"$t " " $_.displayname;$t2++;get-inboxrule -mailbox $_.alias| ForEach-Object {if($_.description -like "*forward*"){write-host $_.description -foregroundcolor red}}}

No connectivity with any of Web Conferencing Servers.

This event started to appear every 20 seconds or so. The Skype for Business servers had recently been patched. In the patch list was updates to .Net framework. Included in these patches is a security update that resolves an security bypass feature. https://support.microsoft.com/en-us/help/4014510/description-of-the-security-and-quality-rollup-for-the-net-framework-4 . To solve this all I had to do was add the required registry key : HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319          –   DWORD: RequireCertificateEKUs=0 and restart the “Skype for Business Server Web Conferencing” service.  The fix can be applied to Lync server 2013 as well.

S4B – Error preparing forest.

Was installing a Skype for Business server the other day, and the simple task of preparing the forest failed. I am always on the alert when doing Active Directory forest wide tasks as prepare schema and prepare forest, so it is not fun to see error messages during these tasks.

prepareforestWhat now. It is no good feeling to see “Unrecoverable” and “You cannot retry this operation”. But I had to retry, and then there was a slight different error message.

prepareforest2I’ve had errors before, and at those cases the simple thing to do was to change from  “Local domain” to “Domain FQDN” in the “Universal Group Location” dialog box.

prepareforest3

This time there was nothing but lots of scary errors.

I know this domain has several trusts configured, so it looks like the wizard get confused of where to  put these groups. Next step was to run prepare forest from PowerShell so that I was able to provide all this information to the command.

Enable-CsAdForest -GroupDomain s4b.local -GroupDomainController s4b-dc1.s4b.local -GlobalCatalog s4b-dc1.s4b.local

And finally success. The command completed without warnings and errors.

Unable to create a new Skype meeting from Outlook.

When trying to create a new Skype meeting from Outlook we get the message “The request failed. Please try again. Make sure that you are signed in to Skype for Business.” skype

First solution was to clear outlook name cache. This solves the problem for a short while.

A better workaround is to disable outlook the use of UCAddin.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Lync\AddinPreference]
“RecipientResolutionMode”=dword:00000002

Then close and restart Lync/S4B. This is a “bug” in a windows update to the Skype client.

 

Lync Licensed user is not showing up in Lync Admin Center

Some users was missing in Office 365 Skype admin center. I verified that they had a Skype license plan assigned. Tried to remove and readd – did not help. These users are replicated from on premise to cloud using Azure AD sync. Turned out these users had previously been Lync enabled on on premise Lync server. Compared all ActiveDirectory attributes, and the only one that make any sense was msRTCSIP-DeploymentLocator. msrtcdeployment

The attribute did not have any value that I reacted to when I first saw it, But I cleared the value and ran a sync to O365.

msrtcdeployment2Cleared it by opening the Attribute and pressed Clear button.

After the sync to Azure the user finally appeared in O365 Skype Admin Center.

 

-MS Stuff-