{"id":804,"date":"2018-11-01T12:45:51","date_gmt":"2018-11-01T11:45:51","guid":{"rendered":"http:\/\/www.vatland.no\/?p=804"},"modified":"2018-11-01T12:46:02","modified_gmt":"2018-11-01T11:46:02","slug":"use-powershell-to-get-leakedcredentials-from-azure-using-graph","status":"publish","type":"post","link":"https:\/\/www.vatland.no\/index.php\/use-powershell-to-get-leakedcredentials-from-azure-using-graph\/","title":{"rendered":"Use Powershell to get LeakedCredentials from Azure using Graph"},"content":{"rendered":"\n\n\n
\"\"
Leaked credentials listed from Azure using powershell and Microsoft Graph 
We need one Azure AD Premium X license to get this log.<\/figcaption><\/figure>\n\n\n\n

Would it be nice to list all leakedcredentials using powershell?(or riskysignins or identiyriskevents). All of this could be achieved using powershell and REST api at Microsoft Graph. I have a scheduled task running to get this reports. Using a appilcation in Azure. All credentials are stored in SecretServer. First we need an Application Registration in Azure.<\/p>\n\n\n\n

\"\"
Application Registration list

<\/figcaption><\/figure>\n\n\n\n
\"\"
The registered application. The home page URL can be any url, it is not used.<\/figcaption><\/figure>\n\n\n\n

After we have created the AppReg. Add a password, app key. Combined with the application id this is our username and password.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now it is time to give this app the required permissions from microsoft we can identify witch permissions are needed to run this query. https:\/\/developer.microsoft.com\/en-us\/graph\/docs\/api-reference\/beta\/api\/leakedcredentialsriskevent_get <\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"
Permission required.
<\/figcaption><\/figure>\n\n\n\n
\"\"
Some of the permissions set in Azure.
Remeber to click “Grant Permissions” after they are added.<\/figcaption><\/figure>\n\n\n\n

Next would be to set the enterprise application to “user assignment required” and “Enabled for users to sign-in.” also “Hide it from users.<\/p>\n\n\n\n

\"\"
Settings of the Enterprise application.
<\/figcaption><\/figure>\n\n\n\n

Now we are ready to start with our powershell script.<\/p>\n\n\n

\n$loginURL="https:\/\/login.microsoft.com"\n$resource="https:\/\/graph.microsoft.com"\n$l_tenantdomain="&lt;domain&gt;.onmicrosoft.com"\n$l_ClientID ="&lt;APPID&gt;"\n$l_ClientSecret="&lt;APP password Key&gt;"\n    $body= @{grant_type="client_credentials";\n    resource=$resource;\n    client_id=$l_ClientID;\n    client_secret=$l_ClientSecret\n}\n$oauth=Invoke-RestMethod -Method Post -Uri $loginURL\/$l_tenantdomain\/oauth2\/token?api-version=1.0 -Body $body\nif ($oauth.access_token -ne $null)\n {\n      $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"\n      }\n # https:\/\/developer.microsoft.com\/en-us\/graph\/docs\/api-reference\/beta\/api\/leakedcredentialsriskevent_get\n$url = "https:\/\/graph.microsoft.com\/beta\/leakedCredentialsRiskEvents"\n$myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)\n} else {\nWrite-Host "ERROR: No Access Token"\n} \n($myReport.Content | ConvertFrom-Json).value |where-object {$_.riskeventstatus -eq "active"} | ft risk&lt;em&gt;,user\n<\/pre><\/pre>\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Would it be nice to list all leakedcredentials using powershell?(or riskysignins or identiyriskevents). All of this could be achieved using powershell and REST api at Microsoft Graph. I have a scheduled task running to get this reports. Using a appilcation in Azure. All credentials are stored in SecretServer. First we need an Application Registration in … Continue reading Use Powershell to get LeakedCredentials from Azure using Graph<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[59],"class_list":["post-804","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-powershell"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":false,"jetpack-related-posts":[{"id":899,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-2\/","url_meta":{"origin":804,"position":0},"title":"CSP access to tenants using powershell. Part 2","author":"Atle","date":"September 20, 2019","format":false,"excerpt":"In part 1 we created the Azure Enterprise App for Partnercenter and used this information to connect using powershell and connect-partnercenter. Now we will use this to connect to one of our customers tenants. First we will use AZ module and connect-azaccount. We will use the AZ module and the\u2026","rel":"","context":"In "Azure"","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":902,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-3\/","url_meta":{"origin":804,"position":1},"title":"CSP access to tenants using powershell. Part 3","author":"Atle","date":"September 23, 2019","format":false,"excerpt":"In this part 3 of CSP and powershell I will show how you can connect to azureAD of a customer tenant using your CSP app credentials and refreshtoken. This is almost the same procedure as we use to connect to az. We will start with the same variables as in\u2026","rel":"","context":"In "Azure"","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":875,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-1\/","url_meta":{"origin":804,"position":2},"title":"CSP access to tenants using powershell. Part 1","author":"Atle","date":"September 18, 2019","format":false,"excerpt":"A short explanation of how to access customer tenant using a CSP tenant SPN credential connectiong to AzureAD and AZ. Have been struggling for a while to manage all our customers tenants using powershell scripts. It can be complicated to organize all the credentials, tenant domain, tenant id's password expiry.\u2026","rel":"","context":"In "Azure"","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":914,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-4\/","url_meta":{"origin":804,"position":3},"title":"CSP access to tenants using powershell. Part 4","author":"Atle","date":"September 24, 2019","format":false,"excerpt":"This is a small script that connects to partnercenter list all customers tenants and let you select one. When one is selected it connects to azuread and az for that customer. All my credentials are stored in SecretServer . I use a web service request to get those credentials. I\u2026","rel":"","context":"In "Azure"","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":990,"url":"https:\/\/www.vatland.no\/index.php\/get-tenantlistindb-from-previous-post\/","url_meta":{"origin":804,"position":4},"title":"Get-tenantlistindb (from previous post)","author":"Atle","date":"January 8, 2021","format":false,"excerpt":"Now that we have our tenants listed in a database table, listing them is quite easy. Added a switch that allow you to also list deleted\/removed tenants. [cc language=\"powershell\"] function get-tenantlistindb { param( [switch]$all ) $SQLInstance = \"localhost\\SQLExpress\" $SQLDatabase = \"Microsoft365\" $sqlqr = \"select * from [Microsoft365].[dbo].[tenants]\" if (-not $all)\u2026","rel":"","context":"In "Azure"","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":957,"url":"https:\/\/www.vatland.no\/index.php\/hash-tables-in-powershell\/","url_meta":{"origin":804,"position":5},"title":"Hash tables in powershell","author":"Atle","date":"March 23, 2020","format":false,"excerpt":"We all have the need to store data in some kind of arrays. I use hashtables a lot. Preferred use is as a lookup table, I can use 'contains' instead of looping through each item or reference an object by name instead of index number. Lookup table for licenses is\u2026","rel":"","context":"In "CSP"","block_context":{"text":"CSP","link":"https:\/\/www.vatland.no\/index.php\/category\/csp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts\/804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/comments?post=804"}],"version-history":[{"count":16,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts\/804\/revisions"}],"predecessor-version":[{"id":833,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts\/804\/revisions\/833"}],"wp:attachment":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/media?parent=804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/categories?post=804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/tags?post=804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}